RSA Approach for Securing the Cloud. Bernard Montel, Directeur Technique, RSA France, July 2010.


Page 1: RSA Approach for Securing the Cloud

RSA Approach for Securing the Cloud

Bernard Montel, Directeur Technique, RSA France, July 2010

Page 2: RSA Approach for Securing the Cloud


Security is at the center of EMC’s private cloud strategy

[Diagram: the virtualized data center evolves into a private cloud (Trusted, Control, Reliable, Secure) and then into cloud computing (Flexible, Dynamic, On-demand, Efficient), spanning internal and external clouds; Security, built on Virtualization, Information and Federation, is the foundation of each step.]

Page 3: RSA Approach for Securing the Cloud


The Journey to the Cloud and its Security Implications

Journey to the Cloud

• Virtualize non-critical systems: introduce new platform and management components into the IT ecosystem
• Virtualize mission-critical applications: dissociate applications from the physical IT infrastructure
• Create internal clouds: make IT available as a service; convergence of IT admin roles (storage, network, system, virtual infrastructure (V.I.))
• Expand to external clouds: externalize the physical IT infrastructure

Security Journey

• New attack surfaces need to be locked down
• Security policies need to be centered on identity and information, not infrastructure
• Compliance and security need visibility into the virtual infrastructure
• New perimeters, aligned with policies, need to be enforced within the virtual infrastructure
• Security management is converging with virtual infrastructure management
• Evidence of compliance is needed from cloud providers
• Identity and policies need to be federated across clouds
• Multi-tenancy and isolation need to be built into the cloud infrastructure
• Information in the physical infrastructure needs to be isolated from service providers' admins

Page 4: RSA Approach for Securing the Cloud


Cloud’s Emerging Security Challenges

Defining Trusted Zones

Surpassing Physical Infrastructure Security

Page 5: RSA Approach for Securing the Cloud

Question: Does your IT security address the risks associated with virtualization and private cloud before they are implemented?

• "Yes, in all cases": 24%
• "In some cases, but there are gaps": 43%
• "No, security is brought in after the fact": 22%
• "The business moves ahead without security": 11%

Source: live EMC Forum poll conducted in 5 cities across N. America, 10/09

Why is this bad? Restricted potential value; increased potential for data breaches.

Page 6: RSA Approach for Securing the Cloud

Adoption of Cloud Computing is Expanding the Enterprise Attack Surface

[Diagram: enterprise assets (business analytics, enterprise applications, production database, file server, SharePoint/eRoom, disk arrays, replica backup disk, backup tape) are reached by internal employees, privileged users, contractors, remote employees over VPN, and by partners, channels and customers through partner entry points. Threats are listed per layer (Apps/DB, Storage, FS/CMS, Network, Endpoint): IP sent to a non-trusted user, stolen IP, app/DB or encryption key hack, fraud, stolen credentials, endpoint theft/loss, network leak (email, IM, HTTP, FTP, etc.), privileged user breach, inappropriate access, tapes lost or stolen, data leak via USB/print, public infrastructure access hack, unintentional distribution, (semi-)trusted user misuse, discarded disk exploited.]

Page 7: RSA Approach for Securing the Cloud

Attacks are Now Targeting the Extended Enterprise


60% of Fortune 500 companies were contaminated by a Trojan over a one-month period (August 2009)

Public clouds increase corporations' attack surface by exposing critical corporate applications to attackers

• Trojan attacks targeted at stealing login names and passwords are on the rise
• Corporate espionage is expanding, driving attackers' interest beyond financial institutions

Source: RSA Anti-Fraud Command Center

Page 8: RSA Approach for Securing the Cloud

Traditional Computing: The Network Security Perimeter is Aligned with Policy Boundaries

[Diagram: Enterprise #1 and Enterprise #2 each run their APP/OS stacks on their own physical infrastructure; each enterprise's Identity and Information sit inside its own network perimeter, with attackers outside.]

Page 9: RSA Approach for Securing the Cloud

Private Clouds demand a Policy-aware “Trusted Zone” for Data, VM and Identities

[Diagram: Tenant #1 and Tenant #2 each run APP/OS stacks on virtual infrastructure hosted on the cloud provider's shared physical infrastructure; each tenant's Identity and Information must be kept inside its own trusted zone, with attackers outside.]

Page 10: RSA Approach for Securing the Cloud


Cloud’s Emerging Security Challenges

Defining Trusted Zones

Surpassing Physical Infrastructure Security

Page 11: RSA Approach for Securing the Cloud

Trusted Zones Key Capabilities

[Diagram: the two-tenant picture from page 9: Tenant #1 and Tenant #2 on virtual infrastructure over the cloud provider's physical infrastructure.]

Requirements:

• Isolate information from cloud providers' employees
• Isolate information between tenants
• Isolate infrastructure from Trojans and cybercriminals
• Segregate and control user access
• Control and isolate VMs in the virtual infrastructure
• Federate identities with public clouds
• Enable an end-to-end view of security events and compliance across infrastructures

Capabilities:

• Identity federation
• Virtual network security
• Access management
• Cybercrime intelligence
• Strong authentication
• Data loss prevention
• Encryption & key management
• Tokenization
• Security information & event management, GRC

Page 12: RSA Approach for Securing the Cloud

Creating “Trusted Zones” for cloud applications

• Protect against cybercriminals
  – Use cybercrime intelligence
  – Implement strong authentication
• Enforce trust policies
  – VM level: group VMs into trusted zones; control VM provisioning policies
  – Data level: avoid data leakage between tenants; control data in the cloud provider infrastructure
  – Identity level: manage user access within a trusted zone and across trusted zones
• Manage policy compliance across physical, virtual and cloud infrastructures

[Diagram: the two-tenant picture from page 9.]

Page 13: RSA Approach for Securing the Cloud

Provide Cybercrime Intelligence and Strong Authentication Based on Feeds from the Dark Cloud

[Diagram: the "dark cloud" (stolen files repository, hacker forum discussion, botnet herders, malware infection point, Trojan mothership, stolen credentials database) feeds the eFraudNetwork, which in turn protects corporations Corp 1 to Corp 7.]

First level of defense: cybercrime intelligence. Second level of defense: strong authentication.

Page 14: RSA Approach for Securing the Cloud

Creating “Trusted Zones”

Page 15: RSA Approach for Securing the Cloud

Virtualization Enables More Effective Security by Pushing Enforcement Down the Stack

Pushing information security enforcement into the virtualization and cloud infrastructure ensures consistency, simplifies security management and enables customers to surpass the levels of security possible in today's physical infrastructures.

[Diagram: APP/OS stacks sit on a vApp and VM layer, above the virtual and cloud infrastructure, above the physical infrastructure; enforcement moves from the top of the stack down into the virtual and cloud infrastructure.]

Today most security is enforced by the OS and application stack, making it ineffective, inconsistent and complex.

Page 16: RSA Approach for Securing the Cloud

VMware vShield Zones and RSA DLP: Building a Content-Aware Trusted Zone

Overview

• VMware vShield Zones provides isolation between groups of VMs in the virtual infrastructure
• Leverages the capabilities of vShield Zones to deploy DLP as a virtual application monitoring data traversing virtual networks
• Uses centrally managed policies and enforcement controls to prevent data loss in the virtual datacenter

Customer Benefits

• Pervasive protection
• Persistent protection
• Improved scalability

[Diagram: VMware vSphere on the physical infrastructure, with vShield Zones providing the zoning layer; several DLP instances inspect traffic between the APP/OS VMs of the virtual infrastructure.]

Page 17: RSA Approach for Securing the Cloud

Proof of Concept: RSA Data Loss Prevention with EMC Atmos

• Concept demonstrated at EMC World 2009
• Atmos metadata update based on DLP policy
• Sensitive data never leaves customer sites, or is only sent to trusted external cloud sites
• Build content-aware private storage clouds

[Diagram: a client app stores data in EMC Atmos in the internal storage cloud; DLP scans the data and updates the Atmos metadata; Atmos then federates data securely to the external storage cloud (EMC Atmos Online).]
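As an added illustration of the content-aware flow on pages 16 and 17 (this is not EMC's or RSA's code and does not use the Atmos API): a DLP scan classifies each stored object, writes the result back as object metadata, and a placement policy derived from that metadata decides which storage sites may receive the object. The site names, the metadata key, the policy names and the sample objects are all constructed assumptions.

```python
import re

# Constructed sample objects (not real customer data): 4111 1111 1111 1111 is the
# well-known dummy test card number; the number in order-9 fails the Luhn check.
SAMPLE_OBJECTS = {
    "invoice-0042.txt": "Card on file: 4111 1111 1111 1111, exp 12/12",
    "lunch-menu.txt": "Tuesday: soup, sandwich, coffee",
    "order-9.txt": "Reference 1234 5678 9012 3456 for tracking",
}
# Hypothetical site labels and metadata key, not Atmos configuration.
INTERNAL_SITE = "atmos-internal"
TRUSTED_EXTERNAL = {"atmos-partner-eu"}
ALL_SITES = {INTERNAL_SITE, "atmos-online", *TRUSTED_EXTERNAL}
META_KEY = "dlp_classification"
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum, so plain runs of digits are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(content):
    """DLP policy: 'restricted' if the content carries a Luhn-valid card number."""
    for match in CARD_RE.finditer(content):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "restricted"
    return "public"

def allowed_sites(metadata, policy="internal_only"):
    """Placement decision taken from the metadata the DLP scan wrote back."""
    if metadata.get(META_KEY) != "restricted":
        return set(ALL_SITES)
    if policy == "trusted_external":
        return {INTERNAL_SITE} | TRUSTED_EXTERNAL
    return {INTERNAL_SITE}

def scan_store(objects, policy="internal_only"):
    """Scan every object, tag it, return name -> (metadata, allowed sites)."""
    result = {}
    for name, content in objects.items():
        metadata = {META_KEY: classify(content)}
        result[name] = (metadata, allowed_sites(metadata, policy))
    return result
```

With the default policy the restricted invoice may only be placed on the internal site; under the trusted_external policy it may also go to the trusted partner site, while the non-sensitive objects may be federated anywhere, including the public site.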

Page 18: RSA Approach for Securing the Cloud

Creating “Trusted Zones”

Page 19: RSA Approach for Securing the Cloud

Monitoring and Managing Corporate Policy Compliance

Across virtual, physical, internal and external infrastructures

[Diagram: the two-tenant picture from page 9, with the management products below it.]

• EMC Ionix and VMware vCenter: virtual infrastructure management
• GRC: end-to-end compliance reporting
• Security configuration and vulnerability management for physical and virtual infrastructures
• RSA enVision: end-to-end security event management

Page 20: RSA Approach for Securing the Cloud


Cloud’s Emerging Security Challenges

Defining Trusted Zones

Surpassing Physical Infrastructure Security

Page 21: RSA Approach for Securing the Cloud

Surpassing Physical Security in Action: Virtual Desktop

• RSA SecurID strong authentication for user access to virtual desktops
• RSA Data Loss Prevention Endpoint prevents data loss at the virtual desktop
• RSA enVision event monitoring and a centralized dashboard
• RSA SecurID strong authentication for administrative access to ESX
• EMC Ionix ensures a secure configuration and patch level for all virtual desktops
• Hosted virtual desktops are isolated from dark cloud contamination by the enterprise perimeter

[Diagram: VMware View Manager hosting the virtual desktops.]

Page 22: RSA Approach for Securing the Cloud

RSA is Uniquely Positioned to be the Leader in Securing the Cloud

• Securing the private cloud: securing the virtual datacenter; federation between internal and external clouds; security-aware cloud infrastructures
• Securing the public cloud: strong authentication; access management; identity protection; cybercrime monitoring
• Delivering RSA products as cloud services: hosted by RSA (e.g., Adaptive Authentication, eFraudNetwork); delivered by MSSPs or other cloud providers

Page 23: RSA Approach for Securing the Cloud

Thank you!