oded tsur - ca cloud security


Upload: csaisrael

Post on 18-Nov-2014


Page 1: Oded Tsur - Ca Cloud Security


Security management to, for, and from the cloud

CA’s Cloud Security Capabilities & Strategy

Oded Tsur CISSP Sr. Solution strategist

Page 2: Oded Tsur - Ca Cloud Security

Cloud - Next Wave of IT Architectures

2 Copyright © 2010 CA. All rights reserved.

Page 3: Oded Tsur - Ca Cloud Security

Many Have Adopted Some Cloud Services Some Have Adopted Many Cloud Services


Security of Cloud Computing Users – A Study of US & EMEA IT Practitioners, Ponemon Institute, May 12, 2010 http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf

Page 4: Oded Tsur - Ca Cloud Security

Why Adopting the Cloud? To Save $ & Time


Security of Cloud Computing Users – A Study of US & EMEA IT Practitioners, Ponemon Institute, May 12, 2010 http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf

Page 5: Oded Tsur - Ca Cloud Security

Who is Responsible For Security?


Security of Cloud Computing Users – A Study of US & EMEA IT Practitioners, Ponemon Institute, May 12, 2010 http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf

Page 6: Oded Tsur - Ca Cloud Security

Do You know Your Cloud Services?


Security of Cloud Computing Users – A Study of US & EMEA IT Practitioners, Ponemon Institute, May 12, 2010 http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf

Page 7: Oded Tsur - Ca Cloud Security

IAM is #1 Area of Focus for Migration


Security of Cloud Computing Users – A Study of US & EMEA IT Practitioners, Ponemon Institute, May 12, 2010 http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf

Page 8: Oded Tsur - Ca Cloud Security

What is the Cloud?

Diagram labels: IaaS, PaaS, SaaS; Private Cloud, Hybrid Cloud, Public Cloud

Page 9: Oded Tsur - Ca Cloud Security

Identity & Access Management - Defined

Starting point: many users, many identities, many admins, many applications.

Reduced identities:
- Easier administration
- Reduced costs
- Improved auditing for easier compliance

Centralized administration:
- Reduced admin costs
- Consistent admin across platforms
- Automation of IT processes

Applications under one security policy:
- Single sign-on
- User self-service
- Centralized security
- Easier app development

Page 10: Oded Tsur - Ca Cloud Security


Page 11: Oded Tsur - Ca Cloud Security

Unstructured Physical Boundaries

- VM mobility beyond the server room
  - VMs can be copied or cloned
  - Machine memory is accessible from the host
  - Disk space can be accessed from storage
- Challenging physical security
  - Copying a VM = stealing a server from the server room
  - The virtual DC is distributed, not a mainframe

Page 12: Oded Tsur - Ca Cloud Security

The 4th Dimension - Time

- What happens when we revert to snapshot?
  - LOST audit events
  - LOST configuration
  - LOST security policy
- Am I still compliant with my policy?
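The slide lists what a snapshot revert destroys inside the guest: audit events, configuration and the security policy. The defensive consequence is that the only copy of those events that survives is the one that already left the VM. The following is an added example, not part of the deck or of any CA product: a small central collector that keeps every forwarded audit event and raises an alert when a guest's stream rolls backwards. It assumes (my construction, not from the slides) that each guest stamps every event with a per-guest monotonic sequence number ("seq") and with a hash of the security policy currently loaded on it ("policy_hash"); the sample event stream is likewise constructed.

```python
"""Added example (not from the slides): a central audit collector that notices
when a guest VM has been reverted to a snapshot.

Assumptions, all constructed for this example: each guest stamps every event it
forwards with a per-guest monotonic sequence number ("seq") and with a hash of
the security policy currently loaded on that guest ("policy_hash"). A revert
rolls both back on the guest, but the collector keeps every event it has ever
received, so it can both preserve the events the guest lost and raise an alert
when the stream goes backwards.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class GuestState:
    """What the collector remembers about one guest."""
    last_seq: int = -1                 # highest seq accepted on the current chain
    current_policy: str = ""           # policy hash reported by the latest event
    seen_policies: list = field(default_factory=list)  # every hash ever reported


def analyze(events):
    """Replay forwarded events in arrival order.

    Returns (retained, findings): `retained` is the complete off-box record,
    `findings` one alert string per detected rollback.
    """
    states = defaultdict(GuestState)
    retained = []
    findings = []
    for ev in events:
        st = states[ev["vm"]]
        seq = ev["seq"]
        # A sequence number that does not advance means the guest restarted
        # its chain from an older point: the events between the two positions
        # no longer exist on the guest and survive only here.
        if seq <= st.last_seq:
            findings.append(
                f"{ev['vm']}: seq went back from {st.last_seq} to {seq}; "
                f"probable snapshot revert, guest lost events {seq}..{st.last_seq}")
        # Accept the new chain so the alert fires once, not on every later event.
        st.last_seq = seq

        policy = ev["policy_hash"]
        if policy != st.current_policy:
            if policy in st.seen_policies:
                # An older hash reappearing is a policy rollback: the guest is
                # enforcing rules that were already superseded, which is the
                # "am I still compliant?" question from the slide.
                findings.append(
                    f"{ev['vm']}: security policy rolled back to earlier version {policy}")
            else:
                st.seen_policies.append(policy)
            st.current_policy = policy
        retained.append(ev)
    return retained, findings


# Constructed sample stream: web-01 gets a policy update and a privileged
# action after the snapshot point (seq 2), is then reverted, and continues
# from the old state; db-01 is an unaffected control.
SAMPLE_EVENTS = [
    {"vm": "web-01", "seq": 1, "policy_hash": "p-v1", "msg": "boot"},
    {"vm": "web-01", "seq": 2, "policy_hash": "p-v1", "msg": "login alice"},
    {"vm": "web-01", "seq": 3, "policy_hash": "p-v2", "msg": "policy updated to v2"},
    {"vm": "web-01", "seq": 4, "policy_hash": "p-v2", "msg": "sudo by alice"},
    {"vm": "web-01", "seq": 3, "policy_hash": "p-v1", "msg": "boot"},        # after revert
    {"vm": "web-01", "seq": 4, "policy_hash": "p-v1", "msg": "login bob"},
    {"vm": "db-01", "seq": 1, "policy_hash": "p-v1", "msg": "boot"},
    {"vm": "db-01", "seq": 2, "policy_hash": "p-v1", "msg": "login carol"},
]


if __name__ == "__main__":
    kept, alerts = analyze(SAMPLE_EVENTS)
    print(f"collector retained {len(kept)} events")
    for line in alerts:
        print("ALERT", line)
```

The detection only works because the collector's copy lives outside the VM; a log kept on the guest's own disk is reverted together with everything else. A legitimately re-sent or out-of-order event trips the same sequence check, so in practice the alert is correlated with the hypervisor's own revert record before anyone acts on it.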

Page 13: Oded Tsur - Ca Cloud Security

Cloud Model Drives Security Implications: Control vs. Visibility

Diagram from Burton Group report, Cloud Computing Security in the Enterprise, July 2009


Page 14: Oded Tsur - Ca Cloud Security

Private Clouds are a Modern Form of Dedicated IT?

Cloud Model Drives Security Implications

Diagram from Burton Group report, Cloud Computing Security in the Enterprise, July 2009

Page 15: Oded Tsur - Ca Cloud Security

How do I manage my users' SaaS accounts & their access?

How do I collect & analyze SaaS security logs?

Cloud Model Drives Security Implications

Diagram from Burton Group report, Cloud Computing Security in the Enterprise, July 2009

Page 16: Oded Tsur - Ca Cloud Security

How do I define & enforce access policies in PaaS applications without creating more security silos?

Cloud Model Drives Security Implications

Diagram from Burton Group report, Cloud Computing Security in the Enterprise, July 2009

Page 17: Oded Tsur - Ca Cloud Security

How do I control privileged users in IaaS…both theirs & ours?

Cloud Model Drives Security Implications

Diagram from Burton Group report, Cloud Computing Security in the Enterprise, July 2009

Page 18: Oded Tsur - Ca Cloud Security

IAM & Trust Before Cloud

- Trust established between the user & enterprise
  - Or between user & each application when applications are silo-ed
- IAM is deployed on-premise

Diagram labels: Enterprise; User; In-house Applications; Corporate Directory "Identity Provider"; IAM; Public; Remote user

Page 19: Oded Tsur - Ca Cloud Security

Cloud Adoption & IAM

1. Extend Enterprise Security to the Cloud
2. Security for Cloud Providers
3. Security from the Cloud

Trust Models Will Need to Change

Page 20: Oded Tsur - Ca Cloud Security

1. Extend Enterprise Security to the Cloud

- Enterprises will use more SaaS applications & Cloud services
- Trust model will be between user & enterprise
- The on-premise IAM system "extends" out to the Cloud:
  - Provisioning and SSO to SaaS applications
  - Cloud web services for mashing applications
  - Access governance (certification & attestation) extends to Cloud
  - Log collection of Cloud applications

Diagram labels: Enterprise LAN; User; Corporate Directory "Identity Provider"; Dir; IAM; Public; Remote user; Dir; Dir

Page 21: Oded Tsur - Ca Cloud Security

1 Extend Enterprise Security to the Cloud

Need to:
- Provision users to SaaS applications (SFDC, Google, etc.)
- SSO (SAML-based) & access control to SaaS applications
- Access control to Cloud-based web services for building mashed applications
- Log access to SaaS applications
- Control information while using SaaS applications

Page 22: Oded Tsur - Ca Cloud Security

1 Extend Enterprise Security to the Cloud

Need to / Solution:
- Provision users to SaaS applications (SFDC, Google, etc.): CA Identity Manager
- SSO (SAML-based) & access control to SaaS applications: CA SiteMinder, CA Federation Manager
- Access control to Cloud-based web services for building mashed applications: CA SOA Security Manager
- Log access to SaaS applications: CA Enterprise Log Manager
- Control information while using SaaS applications: CA DLP

Page 23: Oded Tsur - Ca Cloud Security

2. Security to enable Cloud Providers

- Enterprises providing private clouds & organizations providing public clouds
- Security improvements needed to become more trusted:
  - Need to provide effective security controls
  - Need to prove their controls through real-time reporting
  - Increase transparency of policies

Diagram labels: Enterprise Private Cloud (IAM; Hardware; Hypervisor; App 1, App 2, App 3); Public Cloud (IAM; Hardware; Hypervisor; App 1 Customer 1, App 1 Customer 2, App 2 Customer n, App 3 in multiple instances)

Page 24: Oded Tsur - Ca Cloud Security

Entire CA IAM Solution for the Cloud: Content Aware Identity and Access Management

The control you need to confidently drive business forward

Focus / Products:
- Control Identities: manage and govern identities and what they can access based on their role. Products: CA Role & Compliance Mgr, CA Identity Manager, CA Enterprise Log Manager
- Control Access: control access to systems & applications across physical, virtual & cloud environments. Products: CA Access Control, CA SiteMinder, CA Federation Manager, CA SOA Security Manager
- Control Information: find, classify and control how information is used based on content and identity. Products: CA DLP

Page 25: Oded Tsur - Ca Cloud Security

2. Security to enable Cloud Providers: support virtualization & extend control to the hypervisor

- Support virtualization
  - Secure virtual machines
  - Log collection from virtual machines
  - Secure privileged partitions
- Manage complexity
  - Deployment (security encapsulation)
  - Automation
  - Extend policy management
- Repeatable compliance
  - Control identities, access and information
  - Transparency of access and logs
  - Cloud-provider specific compliance requirements (e.g. SAS-70)

Page 26: Oded Tsur - Ca Cloud Security

3. Security from the Cloud: Identity Services from the Cloud

- Eventually even user identity (proofing, authentication, authorization/SSO, provisioning…) can be managed by a Cloud service
- Trust will be very different:
  - User to Cloud security service

Diagram labels: Enterprise; User; Dir; In-house Applications; IAM App; Public; Remote user; Cloud IM Service "Identity Provider"; Dir; Dir; Corporate Directory "Identity Provider"

Page 27: Oded Tsur - Ca Cloud Security

Cloud Adoption & IAM

1. Extend Enterprise Security to the Cloud
2. Security for Cloud Providers
3. Security from the Cloud

Page 28: Oded Tsur - Ca Cloud Security


Q&A

[email protected]