A recording of the Northwest Regional meeting of the Institute of Information Security Professionals in Manchester on 5th July 2012. Stephen Porter from Trend Micro Limited presented on the theme of cloud computing security. Copyright of this presentation is held by the author, Stephen Porter.
Steve Porter: Cloud Computing Security
1. Securing Your Journey to the Cloud
Trend Micro
Stephen Porter, Alliance BDM
Data Center Evolution: Physical. Virtual. Cloud.
2. Control vs Responsibility?
[Chart: enterprise responsibility (%) plotted against the deployment model, from Servers, through Virtualization & Private Cloud, to Public Cloud PaaS, Public Cloud IaaS and Public Cloud SaaS; the difference between what the enterprise is responsible for and what it controls is labelled the Control Gap.]
3. Amazon Web Services™ Customer Agreement
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
http://aws.amazon.com/agreement/#7 (3 March 2010)
The cloud customer has responsibility for security and needs to plan for protection.
4. A New Model for Security – Securing the Computing Chain
All environments should be considered untrusted.
[Diagram of the computing chain: Users access the app; the Host defends itself from attack; the Image ensures data is always encrypted and managed; Encrypted Data; Encryption keys controlled only by you.]
When this whole chain is secure, components can move.
[Diagram: the same data moving between DC1, LAN 1; Cloud 1, LAN 2; Cloud, LAN 1; and DC2, LAN 2.]
Virtual “neighbours” don’t matter. Location doesn’t matter. Service provider “lock” goes away. Shared storage ROI goes up.
8. Deep Discovery: Key Technologies
• Deep content inspection across 100’s of protocols & applications
• Smart Protection Network reputation and dynamic black listing
• Sandbox simulation and analysis
• Communication fingerprinting
• Multi-level rule-based event correlation
• And more… Driven by Trend Micro threat researchers and billions of daily events
Specialized Threat Detection Across the Attack Sequence
Malicious Content
• Emails containing embedded document exploits
• Drive-by Downloads
• Zero-day and known malware
Suspect Communication
• C&C communication for any type of malware & bots
• Backdoor activity by attacker
Attack Behavior
• Malware activity: propagation, downloading, spamming . . .
• Attacker activity: scan, brute force, service exploitation . . .
• Data exfiltration communication
9. Real-Time Inspection
[Diagram of the detection pipeline: Analyze (real-time inspection), Deep Analysis (Correlate, Simulate), Actionable Intelligence (Threat Connect, Watch List, GeoPlotting, Alerts, Reports, Evidence Gathering).]
Visibility – Real-time Dashboards
Insight – Risk-based Analysis
Action – Remediation Intelligence
Identify Attack Behavior & Reduce False Positives
Detect Malicious Content and Communication
Out-of-band network data feed of all network traffic
10. Physical, Virtual, Cloud: Platform-Specific Security Risks
Physical – Manageability: glut of security products; less security; higher TCO. Solution: Reduce Complexity.
Virtual – Performance & Threats: traditional security degrades performance; new VM-based threats. Solution: Increase Efficiency.
Cloud – Visibility & Threats: less visibility; more external risks. Solution: Deliver Agility.
One Security Model is Possible across Physical, Virtual, and Cloud Environments
Integrated Security: Single Management Console
16. Challenge: Dynamic movement (Load Balancing or vMotion)
VIRTUALIZATION SECURITY
VMs moving between hosts can cause manual intervention and introduce risk.
18. Security Zone
vShield Security – Securing the Private Cloud End to End: from the Edge to the Endpoint
• vShield App and Zones: application protection from network-based threats
• vShield Edge: secure the edge of the virtual datacenter
• vShield Endpoint (Endpoint = VM): enables offloaded security such as FIM, anti-virus, IDS/IPS …
[Diagram: Virtual Datacenter 1 and Virtual Datacenter 2, each protected by VMware vShield, with zones labelled DMZ, PCI compliant, GPG13 compliant and Web View, all managed through VMware vShield Manager.]
19. Fitting into the VMware Ecosystem
VIRTUALIZATION SECURITY
vSphere Virtual Environment – Trend Micro Deep Security integrates with vCenter
• Agentless, via vShield Endpoint: Antivirus; Integrity Monitoring
• Agentless, via other VMware APIs: IDS / IPS; Web Application Protection; Application Control; Firewall
• Agent-based: Log Inspection
(The agentless modules run on a dedicated Security Virtual Machine.)
20. Secure the lifecycle of the VM
VIRTUALIZATION SECURITY
[Diagram: VM lifecycle events (Moving VMs, Restarted VM, Self Service new VMs, Reconfiguring VM, Clones) with the relevant Deep Security controls applied at each stage: FIM, DPI, Firewall, AV, plus Recommendation Scan, coordinated through vCenter.]
21. Jan 2011 results of testing conducted by AV-Test.org
Threats prevented at each layer (of total threats that reached that layer)
Average of all enterprise products: 200 threats → Exposure layer 33% (65 / 200) → 135 threats → Infection layer 53% (72 / 135) → 65 threats → Dynamic layer 19% (12 / 65) → 51 threats. End-to-End: 75% (149 of 200).
97% of threats blocked at the first layer of defense

Layer             Trend Micro        Microsoft          Sophos             McAfee             Symantec
Exposure Layer    97% (194 of 200)   2% (3 of 200)      63% (126 of 200)   1% (2 of 200)      0% (0 of 200)
Infection Layer   67% (4 of 6)       68% (134 of 197)   19% (14 of 74)     50% (99 of 198)    54% (108 of 200)
Dynamic Layer     100% (2 of 2)      6% (4 of 63)       23% (14 of 60)     25% (25 of 99)     16% (15 of 92)
All Layers        100% (200 of 200)  71% (141 of 200)   77% (154 of 200)   63% (126 of 200)   62% (123 of 200)
23. Sources: Tolly Enterprises Test Report, Trend Micro Deep Security vs. McAfee and Symantec, February 2011; saving estimate based on VMware ROI calculations
Increased ROI with Deep Security – Example: Agentless Antivirus
VIRTUALIZATION SECURITY
[Bar chart, VM servers per host: Traditional AV 25; Agentless AV 75.]
3X higher VDI VM consolidation ratios
3-year Savings on 1000 VDI VMs = $539,600
25. Protect my data
INSIDE-OUT SECURITY – DATA
Inside-out Security: Smart; Context aware; Self-Secured Workload; Local Threat Intelligence
Context: When – Timeline Aware; Who – Identity Aware; Where – Location Aware; What – Content Aware
User-defined Access Policies
Encryption
26. Challenge: Data Destruction
CLOUD SECURITY
When data is moved, unsecured data remnants can remain.
[Illustration: fragments of binary data left behind after a move.]
27. What is the Solution? Data Protection
CLOUD SECURITY
Server & App Security – Modular Protection
• Self-defending VM security
• Agentless and agent-based
• One management portal for all modules, all deployments
Data Security – Encryption with Policy-based Key Management
• Unreadable for unauthorized users
• Control of when and where data is accessed
• Server validation
• Custody of keys
vSphere & vCloud integration ensures servers have up-to-date security before encryption keys are released.
[Diagram example: protecting Sensitive Research Results.]
28. Fitting Encryption into a VMware Ecosystem
CLOUD SECURITY
Encryption throughout your cloud journey—data protection for virtual & cloud environments
[Diagram: VMs across Data Center, Private Cloud and Public Cloud running on VMware vSphere and VMware vCloud, with Trend Micro SecureCloud providing the Enterprise Key Service and Key Console.]
29. Deep Security / SecureCloud Example
[Diagram: Customer 1 and Customer 2 Unix/Win servers on VMware vSphere ESX; Encrypted Volumes on SAN, NAS, Cloud Service …; a Policy Server and Key Service govern release of the keys.]
30. Specialized Protection for Physical, Virtual, and Cloud
TREND MICRO DEEP SECURITY
• Only fully integrated server security platform
• First hypervisor-integrated agentless antivirus
• First agentless file integrity monitoring (FIM)
• Only solution in its category to be EAL4+ and FIPS certified
31. 2011 Technology Alliance Partner of the Year
TREND MICRO: VMWARE’S NUMBER 1 SECURITY PARTNER
Improves Security by providing the most secure virtualization infrastructure, with APIs, and certification programs
Improves Virtualization by providing security solutions architected to fully exploit the VMware platform
[Timeline, 2008 to 2011, of milestones in the partnership:]
• Feb: Join VMsafe program
• RSA: Trend Micro VMsafe demo, announces coordinated approach & virtual pricing
• RSA: Trend Micro announces virtual appliance
• 2010: >100 customers, >$1M revenue
• VMworld: Announce Deep Security 8 w/ Agentless FIM
• 1000 Agentless customers
• VMworld: Trend virtsec customer, case study, webinar, video
• May: Trend acquires Third Brigade
• July: CPVM GA
• Nov: Deep Security 7 with virtual appliance
• RSA: Trend Micro demos Agentless
• Q4: Joined EPSEC vShield Program
• VMworld: Announce Deep Security 7.5
• Sale of DS 7.5 before GA
• Dec: Deep Security 7.5 w/ Agentless Antivirus
• RSA: Other vendors “announce” Agentless
Editor's notes
The outside-in approach is still important, but, alone, is not sufficient in today’s evolving data center. Disgruntled employees are already within the perimeter. Advanced Persistent Threats are unique attacks that will not be stopped by many traditional perimeter defenses. And the changing nature of IT is causing deperimeterization with new technologies like virtualization, cloud computing, and consumerization. New security approaches must be added to the traditional outside-in protection.
Let’s take a look at a typical attack scenario… APT and targeted attacks typically follow a multi-step scenario employing means that are: Social – targeting and attacking specific people with social engineering and advanced malware; Sophisticated – exploiting vulnerabilities, using backdoor controls, stealing and using valid credentials; and Stealthy – executed in a series of low-profile moves that are undetectable to standard security or buried among thousands of other event logs collected every day. The attack starts with intelligence gathering to create and execute a socially engineered employee infection, then network infiltration, lateral movement across the organization, and finally data discovery and exfiltration – all the while, command & control communication and backdoor controls are executed via remote control.
To provide this unique detection, Deep Discovery uses a set of specialized threat engines, reputation services, and correlation rules, including: the widest analysis of content inspection; Smart Protection Network reputation and blacklisting; sandbox simulation and analysis; communication fingerprinting; multi-level rule-based event correlation to reduce false positives and detect “low and slow” activity over time; and much more, all powered by over 1000 global threat researchers and the billions of daily events processed by Trend Micro Smart Protection Network. (Use the appendix slide for a deeper dive on how detection works.)
Deep Discovery uses a multi-level detection scheme to perform initial detection, then simulation and correlation, and ultimately a final cross-correlation to discover “low and slow” and other evasive activities discernible only over an extended period. (Specialized detection and correlation engines provide the most accurate and up-to-date protection, aided by global threat intelligence from Trend Micro Smart Protection Network and dedicated threat researchers.) The result is a high detection rate, low false positives, and in-depth incident reporting information designed to speed the containment of an attack. Let’s now look at how this detection and analysis information is made available to the security specialist.
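The multi-level scheme described above, as an added example that is not Trend Micro's code: level 1 flags single events (a blacklisted destination, an exploit document in mail), level 2 looks over time for connections to one destination at regular intervals, and level 3 escalates only hosts with findings at both levels, so a lone reputation hit goes on a watch list instead of raising an alert. The event records, the blacklist address (a documentation-range address) and the thresholds are constructed for the example.

```python
"""Multi-level event correlation over constructed network events."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data; the address is from a documentation range, not a real indicator.
BLACKLIST = {"203.0.113.10"}

# (timestamp in seconds, source host, destination, event type)
EVENTS = [
    (0,     "ws-12", "203.0.113.10", "conn"),
    (3600,  "ws-12", "203.0.113.10", "conn"),
    (7210,  "ws-12", "203.0.113.10", "conn"),
    (10790, "ws-12", "203.0.113.10", "conn"),
    (14400, "ws-12", "203.0.113.10", "conn"),
    (100,   "ws-12", "mailgw",       "doc_exploit"),   # exploit document in mail
    (50,    "ws-40", "198.51.100.7", "conn"),          # irregular, benign-looking traffic
    (2000,  "ws-40", "198.51.100.7", "conn"),
    (2100,  "ws-40", "198.51.100.7", "conn"),
    (9000,  "ws-40", "198.51.100.7", "conn"),
    (300,   "ws-77", "203.0.113.10", "conn"),          # a single blacklist hit only
]


def level1(events):
    """Single-event detections: blacklisted destination or exploit document."""
    findings = defaultdict(set)
    for _, host, dest, kind in events:
        if kind == "conn" and dest in BLACKLIST:
            findings[host].add("blacklisted_dest")
        elif kind == "doc_exploit":
            findings[host].add("document_exploit")
    return dict(findings)


def level2(events, min_conns=4, max_cv=0.1):
    """Behavioural detection: connections to one destination at regular intervals.

    A low coefficient of variation of the gaps between connections is the
    'low and slow' beaconing pattern that no single event reveals.
    """
    by_pair = defaultdict(list)
    for ts, host, dest, kind in events:
        if kind == "conn":
            by_pair[(host, dest)].append(ts)
    findings = defaultdict(set)
    for (host, dest), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_conns:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) == 0:
            continue
        if pstdev(gaps) / mean(gaps) <= max_cv:
            findings[host].add(f"beaconing:{dest}")
    return dict(findings)


def correlate(events):
    """Cross-correlation: 'critical' only with findings at both levels;
    a single-level finding goes on the watch list instead of alerting."""
    l1, l2 = level1(events), level2(events)
    verdicts = {}
    for host in set(l1) | set(l2):
        tags = sorted(l1.get(host, set()) | l2.get(host, set()))
        severity = "critical" if host in l1 and host in l2 else "watch"
        verdicts[host] = (severity, tags)
    return verdicts


if __name__ == "__main__":
    for host, (severity, tags) in sorted(correlate(EVENTS).items()):
        print(f"{host}: {severity} {tags}")
```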
Each of these platforms has unique security concerns. With physical machines, the manageability of various security solutions can be an issue. There can be a glut of security products—either through excessive layering or overly specialized products. This increases hardware and software costs. Also, management across the different products can be difficult – causing security gaps. And collectively these issues create a higher Total Cost of Ownership. The solution is to reduce complexity by consolidating security vendors and correlating protection. With virtualization, the risks pertain to both performance and threats specific to virtual environments. There is a concern that security will reduce performance, which reduces the ROI of a virtual infrastructure. Also there are unique virtual machine attacks, such as inter-VM threats. Here the solution is increased efficiency—security that optimizes performance while also defending against traditional as well as virtualization-specific threats. With cloud services, the risks pertain to less visibility and cloud-specific threats. Companies are concerned about having less visibility into their applications and data. And they are concerned about increased external threats, especially in multi-tenant environments. For the cloud, businesses need security that allows them to use the cloud to deliver IT agility. Data must be able to safely migrate from on-premise data centers to private clouds to public clouds so organizations can make the best use of resources. As we’ll see later, all of these concerns can be addressed, through protection that is provided in an integrated security solution all managed through one console. With cross-platform security, you’ll stay protected as your data center and virtual or cloud deployments evolve, allowing you to leverage the benefits of each platform while defending against the threats unique to each environment.
Now we’ll step through each platform individually, starting with physical servers and endpoints. Regardless of how your business evolves, you’ll still need dedicated physical servers. They give you the highest level of visibility and control, provide dedicated computing resources, and support specialty hardware and software. Today, the security that is needed for physical machines is relatively well known. The issue is more how to deploy effective protection while reducing management. Integrating security onto one platform reduces the glut of security products, which in turn reduces management and costs.
As you can see here, an integrated approach to server security includes a Firewall, HIPS and Virtual Patching, Web Application Protection, Antivirus, File Integrity Monitoring, and Log Inspection. To reduce complexity, all of these capabilities should be integrated into one solution and should be managed through one console with advanced reporting capabilities. Here we’re talking about how to reduce complexity with your physical server security. But when this protection is provided in a cross-platform solution, your security can also travel with you as your business evolves to use virtualization and the cloud.
The next platform we’ll discuss is virtualization. Most companies are virtualizing their data centers. In a recent survey by Trend Micro, 59% of respondents had server virtualization in production or trial, and 52% had desktop virtualization in
As the foundation to the cloud, businesses should deploy virtualization security that protects their data center virtual machines as well as their virtual machines that are moved to private and public cloud environments. In the next few slides, we will discuss virtualization security challenges and the solutions to address these challenges, using virtualization-aware security.
The final virtualization challenge we’ll discuss is the complexity of management. Virtual machines are dynamic. They can quickly be reverted to previous instances, paused, and restarted, all relatively easily. They can also be readily cloned and seamlessly moved between physical servers. Vulnerabilities or configuration errors may be unknowingly propagated. Also, it is difficult to maintain an auditable record of the security state of a virtual machine at any given point in time. This dynamic nature and potential for VM sprawl makes it difficult to achieve and maintain consistent security. Hypervisor introspection is needed for visibility and control. Security that leverages the hypervisor APIs can ensure that each guest VM on the host remains secure and that this security coordinates with the virtualization platform.
Next we’ll cover instant-on gaps. Unlike a physical machine, when a virtual machine is offline, it is still available to any application that can access the virtual machine storage over the network, and is therefore susceptible to malware infection. However, dormant or offline VMs do not have the ability to run an antimalware scan agent. Also, when dormant VMs are reactivated, they may have out-of-date security. One of the benefits of virtualization is the ease with which VMs can be cloned. However, if a VM with out-of-date security is cloned, the new VM will have out-of-date security as well. New VMs must have a configured security agent and updated pattern files to be effectively protected. Again the solution is a dedicated security virtual appliance that can ensure that guest VMs on the same host have up-to-date security if accessed or reactivated, and can make sure that newly provisioned VMs also have current security. This security virtual appliance should include layered protection that integrates multiple technologies such as antivirus, integrity monitoring, intrusion detection and prevention, virtual patching, and more.
I’d now like to highlight a couple of additional virtualization challenges. The next one we’ll discuss today is inter-VM attacks and blind spots. When a threat penetrates a virtual machine, the threat can then spread to other virtual machines on the same host. Traditional security such as hardware-based firewalls might protect the host, but not the guest virtual machines. And cross-VM communication might not leave the host to be routed through other forms of security, creating a blind spot. For the solution, protection must be applied at the individual virtual machine level, not the host level, to ensure security. And integration with the virtualization platform, such as VMware, provides the ability to communicate with the guest virtual machines. Also, virtual patching ensures that VMs stay secure until patches can be deployed.
As you heard, VMware released vShield last year. vShield Endpoint is a set of APIs ….. which today are only completed with Trend’s agentless antivirus solution.
VMware controls more than half of the virtualization market. Virtualization security must fit into the VMware ecosystem to effectively support enterprise virtualization efforts. Here we demonstrate the different VM-security aspects and how they can fit into a VMware infrastructure. The pairing of agentless antivirus and agentless integrity monitoring with vShield Endpoint enables a massive reduction in memory footprint for security on virtual hosts by eliminating security agents from the guest virtual machines and centralizing those functions on a dedicated security virtual machine. Protection such as intrusion detection and prevention, web application protection, application control, and firewall can be integrated with VMware using VMsafe APIs, integrating security with VMware vSphere environments. Again this can be an agentless option. And finally, log inspection, which optimizes the identification of important security events buried in log entries, can be applied through agent-based protection on each VM. These elements can be integrated and centrally managed with VMware vCenter Server. Together, these provide comprehensive, integrated virtual server and desktop security.
Key items to note: Symantec has no web threat protection (blocking the source), therefore all detection comes at the endpoint, using up valuable bandwidth (to download the file) and resources (to scan the file). Microsoft is similar. Overall, OfficeScan scored 16% better protection than the next competitor.
I mentioned that the agentless approach began with agentless antivirus. Trend Micro’s agentless antivirus solution was available starting in 2010, so there’s been an opportunity to test its success. In an independent study by Tolly Enterprises, Trend Micro agentless antivirus was tested against leading traditional antivirus solutions that do not use a dedicated security virtual appliance and agentless antivirus, and the results were striking. Trend Micro’s agentless antivirus achieved 3 times higher VDI VM consolidation ratios—and similar results extended to server virtualization as well. The VDI results translate into saving almost $540,000 every 3 years for each 1000 virtual desktops.
Now we’ll cover the final platform, cloud computing. Cloud computing is usually built on virtualization. So, all of the previous challenges and solutions we discussed in the previous section on virtualization apply to the cloud. But cloud computing also introduces its own challenges as well as solutions. Let’s take a look.
The final cloud computing challenge we’ll discuss today is data destruction. As I mentioned before, cloud data can move to make the best use of resources. But when data is moved, sometimes remnants remain if the data in the previous location is not completely shredded. These remaining data remnants can create a security concern. Again encryption is the solution, because any remaining data remnants are unreadable if accessed by unauthorized users.
So what is the solution? Cloud protection should include self-defending VM security that travels with the virtual machine into a cloud infrastructure. This allows businesses to transfer a complete security stack into the cloud and retain control. And this cloud security should be provided in a modular infrastructure with both agentless and agent-based options so it can be customized to your individual cloud deployment needs. The security should be provided on one platform that is managed through a single console—across your physical, virtual, and cloud deployments, including private, public, and hybrid clouds. Another method of protecting data in the cloud is encryption with policy-based key management. The solution should start with industry-standard encryption that renders your data unreadable to outsiders. Even if your data is moved and residual data is left behind, the data on the recycled devices is obscured. It is critical to have this encryption accessed through policy-based key management to specify when and where your data is accessed. And through policies, identity- and integrity-based validation rules specify which servers have access to decryption keys. An encryption solution should also give the option to access keys through a SaaS or on-site virtual appliance with customer control over the keys, to support a clear separation of duties and to avoid vendor lock-in. An encryption solution with policy-based key management allows even heavily regulated companies to leverage the flexibility and cost savings of the public cloud while ensuring their data stays secure. These two solution elements can be integrated with a context approach to security. For example, encryption policies can specify that encryption keys will not be released unless the requesting server has up-to-date security, ensuring that the data stays protected when accessed by self-defending VM security.
And this security should work with multiple cloud platforms—allowing you to create the right cloud environment for your business.
Earlier we reviewed how the Trend Micro server security platform with modular security integrates with a VMware ecosystem. Here we see how Trend Micro’s cloud data encryption solution—SecureCloud—supports a VMware environment. Here we see the VMware ecosystem with vSphere, which creates a virtualization platform, and vCloud, which provides technologies to support private and public clouds. vCloud Director provides a management portal into these cloud technologies. Trend Micro SecureCloud leverages information from vSphere and vCloud to provide native support for these environments. Then SecureCloud can provide encryption capabilities in VMware virtual, private, and public cloud environments. This gives companies encryption support today and as their data centers evolve.
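Policy-based key release as described in the notes above (identity, when, where, and integrity validation before a decryption key is handed out), and the instant-on gap discussed earlier (a restarted or cloned VM with stale security), as one added example that is not SecureCloud or Deep Security code. The attestation fields, the policy shape, the server names and the demo key are assumptions constructed for the example; every refusal is written to an audit trail with its reasons.

```python
"""Policy-based release of a volume encryption key (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ServerState:
    # Assumed attestation fields reported by the requesting server's security agent.
    server_id: str
    fingerprint: str          # identity, e.g. a hash of the agent's client certificate
    region: str               # where the request comes from
    agent_running: bool
    pattern_age: timedelta    # age of the antimalware pattern file
    fim_baseline_ok: bool     # file integrity monitoring reports no unexpected changes


@dataclass
class VolumePolicy:
    allowed_fingerprints: set
    allowed_regions: set
    access_hours: tuple       # (start_hour, end_hour) in UTC when access is permitted
    max_pattern_age: timedelta


class KeyService:
    """Holds volume keys and releases them only when every policy check passes."""

    def __init__(self):
        self._keys = {}       # volume_id -> key bytes
        self._policies = {}   # volume_id -> VolumePolicy
        self.audit = []       # (volume_id, server_id, decision, reasons)

    def register(self, volume_id, key, policy):
        self._keys[volume_id] = key
        self._policies[volume_id] = policy

    def evaluate(self, policy, state, now):
        """Return the list of violated checks; an empty list means release the key."""
        reasons = []
        if state.fingerprint not in policy.allowed_fingerprints:
            reasons.append("identity: unknown server fingerprint")
        if state.region not in policy.allowed_regions:
            reasons.append(f"location: region {state.region} not permitted")
        start, end = policy.access_hours
        if not start <= now.hour < end:
            reasons.append(f"time: {now.hour:02d}:00 UTC outside access window")
        if not state.agent_running:
            reasons.append("integrity: security agent not running")
        if state.pattern_age > policy.max_pattern_age:
            reasons.append("integrity: antimalware pattern out of date")
        if not state.fim_baseline_ok:
            reasons.append("integrity: file integrity baseline violated")
        return reasons

    def request_key(self, volume_id, state, now):
        """Record the decision in the audit trail and return the key or None."""
        reasons = self.evaluate(self._policies[volume_id], state, now)
        self.audit.append((volume_id, state.server_id, "denied" if reasons else "released", reasons))
        return None if reasons else self._keys[volume_id]


# Constructed demo data: one healthy server and a clone restarted with stale security.
POLICY = VolumePolicy({"fp-research-01"}, {"eu-west"}, (6, 22), timedelta(hours=24))
HEALTHY = ServerState("research-01", "fp-research-01", "eu-west", True, timedelta(hours=2), True)
STALE_CLONE = ServerState("research-01-clone", "fp-research-01", "eu-west", True, timedelta(days=30), True)


def reasons_for(state, hour):
    """Evaluate POLICY for a request at the given UTC hour on a fixed date."""
    at = datetime(2012, 7, 5, hour, 0, tzinfo=timezone.utc)
    return KeyService().evaluate(POLICY, state, at)


def demo():
    """The healthy server gets the key; the stale clone is refused and the refusal is audited."""
    svc = KeyService()
    svc.register("vol-results", b"constructed-demo-key-not-a-real-secret", POLICY)
    at = datetime(2012, 7, 5, 10, 0, tzinfo=timezone.utc)
    released = svc.request_key("vol-results", HEALTHY, at) is not None
    refused = svc.request_key("vol-results", STALE_CLONE, at) is None
    return released, refused, svc.audit[-1][3]
```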
As we’ve discussed here, Trend Micro’s server security platform provides specialized protection across physical, virtual, and cloud. [Briefly step through points on slide.]
Trend Micro was VMware’s 2011 Technology Alliance Partner of the Year. This timeline helps highlight some of our achievements in our partnership with VMware, starting back in 2008. [Highlight a couple of key points from the timeline—do not cover it all.]