Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing
- 1. Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing
John Rowell
Chief Technology Officer
OpSource
Twitter: @johnrowell
Paul Sathis
Director, Cloud Computing,
Intel Americas
Intel Corporation
Twitter: @paulinthehouse
- 2. Legal Disclaimers
Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM) and, for some uses, certain
platform software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations and may require a BIOS
update. Software applications may not be compatible with all operating systems. Please check with your application vendor.
Intel® TXT requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an
Intel TXT-compatible measured launched environment (MLE). Intel TXT also requires the system to contain a TPM v1.s. For more information, visit
http://www.intel.com/technology/security. In addition, Intel TXT requires that the original equipment manufacturer provides TPM functionality, which requires a TPM-
supported BIOS. TPM functionality must be initialized and may not be available in all countries.
Intel ® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. For
availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-
instructions-aes-ni/
Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor series, not across different processor
sequences. See http://www.intel.com/products/processor_number for details. Intel products are not intended for use in medical, life saving, life sustaining, critical
control or safety systems, or in nuclear facility applications. All dates and products specified are for planning purposes only and are subject to change without notice
On Slide 4, the sources are as follows:
1)Source: http://www.theregister.co.uk/2009/06/08/webhost_attack/
2)Source: http://www.infoworld.com/d/security-central/it-ops-security-pros-odds-over-virtualization-risks-240
On Slide 10, the sources are as follows:
3)World-record virtualization performance claim based on all published VMmark* 1.x results on http://www.ideasinternational.com/Benchmark-Top-Ten/VMmark-1-x. Top-ranked Fujitsu
PRIMERGY* RX600 S5 uses four Intel® Xeon® processor X7560 (24M cache, 2.26GHz, 6.40GT/s Intel QPI). Software and workloads used in performance tests may have been optimized for
performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations, and
functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated
purchases, including the performance of that product when combined with other products.
4)No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization
Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). Intel TXT also requires the
system to contain a TPM v1.s. For more information, visit http://www.intel.com/technology/security
5)Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on
select Intel® Xeon® processors. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-
standard-instructions-aes-ni/
Copyright © 2011 Intel Corporation. All rights reserved. Intel, the Intel logo, Xeon and Intel Core are
trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other
countries. All dates and products specified are for planning purposes only and are subject to change without
notice. * Other brands and names may be claimed as the property of others.
- 3. VOTE
• With regards to cloud computing, I am most concerned about the
following issue:
− Compliance
− Multi-tenancy
− Audit
− Data Protection
− All of the above
- 4. Security in the Cloud
Virtualization vs. Security: Benefits vs. Needs
New security requirements for cloud & virtualization:
• Abstraction of physical hardware
• Multi-tenancy movement
implicitly require audit & security
“Webhost hack wipes out data for 100,000 sites. Vaserv suspects zero-day virtualization vuln” —The Register1
“IT ops, security pros at odds over virtualization risks. IT pros upbeat about virtualization, whereas security experts harbor doubts about the security role the hypervisor can play” —IDG News Service2
Cloud & Virtualization Break Many Traditional Perimeter-oriented Security Techniques
- 5. Cloud 2015 Vision
FEDERATED: Share data securely across public and private clouds
AUTOMATED: IT can focus more on innovation and less on management
CLIENT AWARE: Optimizing services based on device capability
Desktops, Laptops, Netbooks, Personal Devices, Smartphones, Smart TVs, Embedded
Open & Interoperable Solutions Essential
- 6. From Vision to Action
Helping Cloud Service Providers on Path to Cloud 2015
- 7. Intel Platform Technologies
Intelligence Built-in for Cloud Computing Demands
Compute: Intel® Xeon® processors E7 & 7500 Series with Hardware-based Security
Network: 10Gb Ethernet with built-in support for unified fabric
Storage: Open platforms and performance breakthroughs (SSDs)
Result:
Helps Provider Meet Service Level Agreements
Performance for Workload agility
Simpler & Lower Cost
- 8. Cloud Security Services
Enhanced by Intel-based Technology
Encrypt in the Cloud: Use encryption to protect data
Trust the Cloud: Establish a trusted foundation
Connect to the Cloud: Establish / verify identities & federate
Audit the Cloud: Build higher assurance into audit
- 9. Intel-based Technology
Establishing Foundation for More Secure Clouds
Encrypt: Intel® AES-NI
Isolate: Intel® VT & Intel® TXT
Comply: Intel® TXT
[Diagram: VM 1 and VM 2 running on a VMM, with Intel® TXT beneath the VMM]
- 10. Great Collaboration with OpSource
Cloud Services Powered by Intel® Xeon® processor 7500 &
E7 Series
− Intel Xeon processor E7 series delivers world-record virtualization
performance while delivering higher VM densities than any other industry-
standard server in the market today3
State of the Art Hardware-based Security Technology
− Working with Intel on hardware-based security such as Intel® Trusted
Execution Technology4 that can be used to verify the trustworthiness
of a platform
Foundation for High Reliability
− Intel Xeon processor E7 series delivers extraordinary server reliability
with automatic detection and correction of errors and interconnect error
detection and recovery
− Helps OpSource deliver on high-availability and cloud performance claims
With Intel technology, OpSource can enhance security,
meet demanding customer requirements
& drive competitive prices
- 11. Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing
9/14/2011
John Rowell, CTO
Slide 11 © 2011 OpSource, Inc. All rights reserved.
- 12. OpSource: Enterprise Cloud and Managed Hosting
• OpSource provides Enterprise Cloud
and Managed Hosting Services
• Solutions for Enterprise, SaaS, Service
Providers (Telecom and Cloud Platforms)
• A Dimension Data Company
• Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore
• Unmatched Industry Experience
– SaaS Hosting and Scaling Software-Oriented Architectures (SOA)
– High Performance, Secure Cloud Computing
- 13. Polls Show Security as Top Concern about Public Cloud
• 64% of IT Bosses express concerns about whether corporate data would be
secure inside cloud service providers' datacenters – Forrester Research
• 56% of CFOs had not invested in public cloud services because of fears over the
security of sensitive data - SunGard Availability Services Poll
Gartner 2009 Poll
- 14. Security is a Challenge for Utility Cloud Platforms
- 15. Defense-in-Depth Security Applied to the Cloud
Defense in depth is a best practice in which multiple layers of
security controls (defense) are implemented to provide redundancy
in the event a security control fails or a vulnerability is exploited.
Layers of Defense
IDS / IPS
Segmentation
- VLAN
- Firewall
Authentication and Access
Control
Data Encryption
Incident Response
Physical Data Center Security
Monitoring and Tuning
- 16. Defense #1: Intrusion Detection System
• Fully-managed Intrusion Detection System (IDS) utilizing
signature, protocol and anomaly based inspection methods
- 17. Defense #2: Network Segmentation Provides Security Controls
• Customer Controlled Network
Configuration – configurable Layer 2
VLANs:
– Provide segmentation of public and
private IP space
– NAT and VIP functions expose only
those IP addresses you want made
public
• Customizable ACL-based firewall
rules allow control of access into
each network VLAN:
– Build multi-tier network architectures to
separate data tiers from front-end web
tiers to provide an additional layer of
firewall rules to protect data
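The segmentation slide describes VLAN tiers with ACL-based firewall rules that keep the data tier behind the web tier. The following is an added example (not OpSource's product code or rule format) of how such a tiered policy can be modelled and checked: a first-match, default-deny ACL, a set of zone pairs that must never be allowed, and a `violations()` check that catches a rule exposing the database zone to the public. Zone names, the rule syntax and the invariants are assumptions made for illustration.

```python
"""Tiered VLAN / firewall ACL policy model with a tiering check.

Constructed example; not OpSource's rule format or product code. Zone names,
the rule syntax, first-match semantics and the tiering invariants are
assumptions made for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str             # zone (VLAN) name, or "*" for any
    dst: str
    port: Optional[int]  # destination port, or None for any port
    action: str          # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in ("*", src)
                and self.dst in ("*", dst)
                and self.port in (None, port))


def decide(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; if nothing matches, the ACL denies by default."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


# Zone pairs that must never be allowed on any port: the public Internet may
# only reach the web tier, and only the app tier may talk to the data tier.
FORBIDDEN_PAIRS: List[Tuple[str, str]] = [
    ("public", "app"),
    ("public", "data"),
    ("web", "data"),
]


def probe_ports(rules: List[Rule]) -> List[int]:
    """Ports worth testing: every port named in a rule plus one port no rule
    names explicitly. With exact-port / wildcard matching, all unnamed ports
    are decided identically, so this set is exhaustive for the model."""
    named = {r.port for r in rules if r.port is not None}
    named.add(max(named, default=0) + 1)
    return sorted(named)


def violations(rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, port) triples where the policy allows forbidden traffic."""
    found = []
    for src, dst in FORBIDDEN_PAIRS:
        for port in probe_ports(rules):
            if decide(rules, src, dst, port) == "allow":
                found.append((src, dst, port))
    return found


# Constructed three-tier policy: public -> web (80/443) -> app (8080) -> data (3306).
TIERED_POLICY: List[Rule] = [
    Rule("public", "web", 443, "allow"),
    Rule("public", "web", 80, "allow"),
    Rule("web", "app", 8080, "allow"),
    Rule("app", "data", 3306, "allow"),
    Rule("*", "*", None, "deny"),       # explicit default deny at the end
]

# The same policy with one mistaken rule that exposes the database publicly.
LEAKY_POLICY: List[Rule] = TIERED_POLICY[:-1] + [
    Rule("public", "data", 3306, "allow"),
    TIERED_POLICY[-1],
]

if __name__ == "__main__":
    print("tiered policy violations:", violations(TIERED_POLICY))   # []
    print("leaky policy violations:", violations(LEAKY_POLICY))     # [('public', 'data', 3306)]
```

Running such a check against every policy change, rather than only at design time, is what turns the "additional layer of firewall rules" into a guarantee rather than an intention.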
- 18. Defense #3: Authentication and Access Controls
• VPN access for administration of all
servers
• Unique username and password for
multiple administrators
• Role-based permissions allow cloud
administrators to create sub-admins to
manage only certain resources, such as
servers, storage or networks
• Audit logs and reporting
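The access-control slide lists role-based permissions that let a cloud administrator create sub-admins limited to certain resources, plus audit logs. The following is an added example (not OpSource's control panel or API) of the two properties a practitioner would want from that design: a sub-admin can never receive a permission its creator does not hold, and every authorization decision, allowed or denied, lands in an audit trail. Resource types, action names and the audit record layout are assumptions.

```python
"""Role-based sub-administrators with an audit trail.

Constructed example; not OpSource's control panel or API. Resource types,
action names and the audit record layout are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Resource types a cloud account can delegate, and the actions on each.
RESOURCE_ACTIONS: Dict[str, FrozenSet[str]] = {
    "server": frozenset({"create", "delete", "reboot"}),
    "storage": frozenset({"create", "delete", "attach"}),
    "network": frozenset({"create", "delete", "modify-acl"}),
}


@dataclass(frozen=True)
class Admin:
    username: str
    permissions: FrozenSet[tuple]   # (resource type, action) pairs this admin may perform


def full_admin(username: str) -> Admin:
    perms = {(res, act) for res, acts in RESOURCE_ACTIONS.items() for act in acts}
    return Admin(username, frozenset(perms))


def create_sub_admin(parent: Admin, username: str, resources, actions) -> Admin:
    """Delegate a subset of the parent's permissions. A sub-admin can never hold
    a permission its creator lacks, so delegation cannot escalate privilege.
    Actions that do not exist for a resource type are ignored."""
    requested = {(res, act) for res in resources for act in actions
                 if act in RESOURCE_ACTIONS.get(res, frozenset())}
    extra = requested - parent.permissions
    if extra:
        raise ValueError(f"{parent.username} cannot delegate {sorted(extra)}")
    return Admin(username, frozenset(requested))


AUDIT_LOG: List[dict] = []


def authorize(admin: Admin, resource: str, action: str) -> bool:
    """Authorization decision; every request, allowed or denied, is logged."""
    allowed = (resource, action) in admin.permissions
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": admin.username,
        "resource": resource,
        "action": action,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def denied_events(log: List[dict] = AUDIT_LOG) -> List[dict]:
    """The entries a reviewer would look at first."""
    return [e for e in log if e["decision"] == "deny"]


if __name__ == "__main__":
    root = full_admin("alice")
    storage_ops = create_sub_admin(root, "bob", ["storage"], ["create", "attach"])
    print(authorize(storage_ops, "storage", "attach"))   # True
    print(authorize(storage_ops, "server", "reboot"))    # False
    print(denied_events())
```

Logging denials as well as allows matters: a sub-admin repeatedly probing resources outside their scope is exactly the pattern the "audit logs and reporting" bullet exists to surface.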
- 19. Defense #3 (cont’d): Authentication and Access Controls
• Intel® TXT establishes a “hardware root of trust” that can be used to
verify the trustworthiness of a platform4
• Applications for cloud computing
• Base migration and workload placement decisions on the trustworthiness
of the infrastructure
• Control cloud workloads
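The slide above says a hardware root of trust can verify a platform's trustworthiness and that placement decisions can be based on it. The following is an added example (not Intel's TXT tooling or OpSource's scheduler) of that decision logic in simplified form: each host reports digests of its launch components, a host is trusted only if every required component is present and whitelisted, and workloads that require trust are confined to attested hosts. The component names, the sha256 digests of stand-in byte strings and the whitelist are assumptions standing in for the measurements a real measured launch records in the TPM.

```python
"""Attestation-driven workload placement, modelled on the idea that a hardware
root of trust lets a scheduler verify a host before trusting it.

Constructed example; not Intel's TXT tooling or OpSource's scheduler. The
component names, the sha256 "measurements" of stand-in byte strings and the
whitelist are assumptions standing in for the values a real measured launch
would record in the TPM."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def measure(blob: bytes) -> str:
    """Stand-in for a launch-time measurement: a sha256 digest of the component."""
    return hashlib.sha256(blob).hexdigest()


# Constructed known-good components and the resulting whitelist of digests.
KNOWN_GOOD = {
    "bios": [b"bios-firmware-build-1"],
    "vmm": [b"hypervisor-build-2", b"hypervisor-build-3"],   # two approved VMM versions
}
WHITELIST: Dict[str, set] = {c: {measure(b) for b in blobs} for c, blobs in KNOWN_GOOD.items()}


@dataclass
class Host:
    name: str
    measurements: Dict[str, str]   # component -> digest reported by the host


def is_trusted(host: Host) -> bool:
    """Trusted only when every required component was measured and every
    digest is on the whitelist; a missing component counts as untrusted."""
    return all(host.measurements.get(c) in digests for c, digests in WHITELIST.items())


def place(workloads: List[Tuple[str, bool]], hosts: List[Host]) -> Dict[str, Optional[str]]:
    """workloads: (name, requires_trusted_host). Workloads that need trust are
    confined to attested hosts; others may use any host. Least-loaded host wins."""
    trusted = [h for h in hosts if is_trusted(h)]
    load = {h.name: 0 for h in hosts}
    placement: Dict[str, Optional[str]] = {}
    for name, needs_trust in workloads:
        pool = trusted if needs_trust else hosts
        if not pool:
            placement[name] = None          # nothing attested: refuse rather than degrade
            continue
        chosen = min(pool, key=lambda h: load[h.name])
        load[chosen.name] += 1
        placement[name] = chosen.name
    return placement


# Constructed fleet: one clean host, one with a modified hypervisor, one that
# reported no BIOS measurement at all.
FLEET = [
    Host("host-a", {"bios": measure(b"bios-firmware-build-1"),
                    "vmm": measure(b"hypervisor-build-2")}),
    Host("host-b", {"bios": measure(b"bios-firmware-build-1"),
                    "vmm": measure(b"hypervisor-build-2-patched")}),
    Host("host-c", {"vmm": measure(b"hypervisor-build-3")}),
]
WORKLOADS = [("payroll-db", True), ("dev-web", False), ("hr-app", True)]

if __name__ == "__main__":
    for h in FLEET:
        print(h.name, "trusted" if is_trusted(h) else "UNTRUSTED")
    print(place(WORKLOADS, FLEET))
```

The refusal path (`None` when no attested host exists) is the important design choice: a scheduler that silently falls back to an unverified host would make the trust requirement advisory rather than enforced.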
- 20. Defense #4: Data Reliability & Security
• The Intel® Xeon® processor E7 family offers an extensive and
robust set of RAS features in silicon to provide error detection,
correction, containment, and recovery in all processors, memory,
and I/O data paths
• VPN Access
• Data stored with 256-bit encryption at rest and 128-bit SSL
encryption while in transit
• Working with Intel on utilizing Intel® Advanced Encryption
Standard - New Instructions to reduce the performance penalties
usually experienced with pervasive encryption5
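Slides 9, 19 and 20 rest on three CPU features: Intel VT, Intel TXT and Intel AES-NI. The following is an added example (not Intel or OpSource tooling) of a check a practitioner would run before relying on them: parse `/proc/cpuinfo` and confirm every logical processor advertises the corresponding Linux x86 flags, `vmx`, `smx` and `aes`. The flag names are real; the two cpuinfo excerpts are constructed, not output from a specific machine. As the deck's disclaimer notes, a CPU flag alone is not enough for TXT, which also needs an enabled BIOS, chipset and TPM.

```python
"""Check whether the CPU features the deck relies on (VT-x, TXT, AES-NI) are
advertised by every logical processor, by parsing /proc/cpuinfo.

Constructed example, not Intel or OpSource tooling. The flag names are the
real Linux x86 cpuinfo flags (vmx, smx, aes); the sample text is a constructed
excerpt. A flag only shows the CPU supports the feature; TXT additionally
needs an enabled BIOS, chipset and TPM before it can be used."""
from typing import Dict, List, Set

FEATURE_FLAGS = {
    "vmx": "Intel VT-x (hardware virtualization)",
    "smx": "Intel TXT (Safer Mode Extensions)",
    "aes": "Intel AES-NI",
}

# Constructed /proc/cpuinfo excerpt: two logical processors, flag lists shortened.
SAMPLE_MODERN = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mmx fxsr sse sse2 ht syscall nx lm vmx smx sse4_1 sse4_2 popcnt aes

processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mmx fxsr sse sse2 ht syscall nx lm vmx smx sse4_1 sse4_2 popcnt aes
"""

# Constructed excerpt for a CPU that virtualizes but has neither TXT nor AES-NI.
SAMPLE_OLDER = """\
processor\t: 0
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mmx fxsr sse sse2 ht syscall nx lm vmx
"""


def parse_flags(cpuinfo_text: str) -> List[Set[str]]:
    """One set of flags per 'processor' stanza (stanzas are blank-line separated)."""
    per_cpu: List[Set[str]] = []
    for stanza in cpuinfo_text.strip().split("\n\n"):
        flags: Set[str] = set()
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "flags":
                flags = set(value.split())
        per_cpu.append(flags)
    return per_cpu


def platform_features(cpuinfo_text: str) -> Dict[str, bool]:
    """A feature counts as present only if every logical processor reports it,
    so a mixed or misreported socket cannot pass as fully capable."""
    cpus = parse_flags(cpuinfo_text)
    return {flag: bool(cpus) and all(flag in c for c in cpus) for flag in FEATURE_FLAGS}


def missing_features(cpuinfo_text: str) -> List[str]:
    """Human-readable names of the features not present on every processor."""
    return [FEATURE_FLAGS[f] for f, present in platform_features(cpuinfo_text).items()
            if not present]


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_MODERN    # non-Linux host: fall back to the constructed sample
    for flag, present in platform_features(text).items():
        print(f"{FEATURE_FLAGS[flag]:40s} {'present' if present else 'MISSING'}")
```

On a real host the `__main__` path reads the live file; inside a VM the flags reflect what the hypervisor exposes, not the bare metal, which is itself a useful thing to learn before assuming AES-NI acceleration for "pervasive encryption".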
- 21. Defense #5: 24x7 Incident Response
• Incident Response Teams handle reports of security incidents. An
OSIRT will escalate the incident to law enforcement and/or
executive management as prescribed in security policies
24x7x365
- 22. Defense #6: Datacenters – The Physical Security of the Cloud
• Meet or Exceed Tier III Standards (highest commercially available
datacenter rating)
• All areas within facility are monitored with CCTV and onsite guards
24x7x365 surveillance and audit logs
• Multiple layers of biometric two-factor authentication restrict
access
- 23. Defense #7: Monitoring and Tuning
• Edge-to-edge security, visibility and carrier-class threat
management and remediation utilizing industry leading Arbor
Networks Peakflow
• Compares real-time network traffic against baseline definitions of
normal network behavior, immediately flagging all anomalies due
to security hazards such as:
– Denial of Service (DoS) attacks
– Distributed Denial of Service (DDoS) attacks
– Worms or botnets
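The monitoring slide describes comparing real-time traffic against a baseline of normal behaviour and flagging DoS, DDoS and worm activity; Defense #1 likewise lists anomaly-based inspection. The following is an added example (not Arbor Networks Peakflow or OpSource code) of the core of such a comparison: learn per-destination packets-per-minute statistics from a quiet period, flag a live minute that exceeds mean plus k standard deviations, classify it as DDoS or DoS by the number of distinct sources, and separately flag one source fanning out to many destinations on a single port, the pattern a scanning worm leaves. The flow records, the 3-sigma rule, the 10-source DDoS cut-off and the 20-destination scan cut-off are assumptions.

```python
"""Baseline-vs-live traffic comparison of the kind a flow-monitoring system does.

Constructed example; not Arbor Peakflow or OpSource code. The flow records,
the 3-sigma rule, the 10-source DDoS cut-off and the 20-destination scan
cut-off are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    minute: int     # time bucket
    src: str
    dst: str
    dport: int
    packets: int


def build_baseline(flows: List[Flow]) -> Dict[str, Tuple[float, float]]:
    """Per destination: mean and population std-dev of packets per minute."""
    per_dst_minute: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in flows:
        per_dst_minute[(f.dst, f.minute)] += f.packets
    series: Dict[str, List[int]] = defaultdict(list)
    for (dst, _), pkts in sorted(per_dst_minute.items()):
        series[dst].append(pkts)
    return {dst: (mean(v), pstdev(v)) for dst, v in series.items()}


def detect(baseline: Dict[str, Tuple[float, float]], window: List[Flow],
           k: float = 3.0, ddos_sources: int = 10, scan_targets: int = 20) -> List[tuple]:
    """Alerts for one live minute of flows: volumetric anomalies against the
    baseline, then fan-out (scan-like) behaviour that needs no baseline."""
    alerts: List[tuple] = []
    pkts_to: Dict[str, int] = defaultdict(int)
    srcs_to: Dict[str, set] = defaultdict(set)
    for f in window:
        pkts_to[f.dst] += f.packets
        srcs_to[f.dst].add(f.src)
    for dst, pkts in pkts_to.items():
        if dst not in baseline:
            continue                                  # unseen host: no baseline to compare
        mu, sigma = baseline[dst]
        threshold = mu + k * max(sigma, 1.0)          # floor keeps a flat baseline alertable
        if pkts > threshold:
            kind = "ddos" if len(srcs_to[dst]) >= ddos_sources else "dos"
            alerts.append((kind, dst, pkts, round(threshold, 1)))
    fanout: Dict[Tuple[str, int], set] = defaultdict(set)
    for f in window:
        fanout[(f.src, f.dport)].add(f.dst)
    for (src, port), dsts in fanout.items():
        if len(dsts) >= scan_targets:
            alerts.append(("scan", src, port, len(dsts)))
    return alerts


# Constructed learning window: ten quiet minutes for two internal servers.
BASELINE_FLOWS = (
    [Flow(m, "198.51.100.7", "10.0.10.5", 443, 1000 + (m % 5) * 10) for m in range(10)]
    + [Flow(m, "198.51.100.8", "10.0.10.6", 443, 200) for m in range(10)]
)
BASELINE = build_baseline(BASELINE_FLOWS)

# Constructed live minute: a 12-source flood on .5, a single-source flood on .6,
# and one host probing 25 addresses on port 445 with a packet each.
LIVE_MINUTE = (
    [Flow(10, f"203.0.113.{i}", "10.0.10.5", 443, 500) for i in range(1, 13)]
    + [Flow(10, "203.0.113.99", "10.0.10.6", 443, 2000)]
    + [Flow(10, "203.0.113.50", f"10.0.20.{i}", 445, 1) for i in range(1, 26)]
)

if __name__ == "__main__":
    for alert in detect(BASELINE, LIVE_MINUTE):
        print(alert)
```

The two detectors are deliberately independent: a flood is visible as a volume deviation on a destination the baseline already knows, whereas a scan touches hosts with no history at all, so it has to be recognised by the source's fan-out rather than by any per-destination threshold.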
- 24. OpSource’s Approach to Ensuring Security
• Defense in depth is a best practice with multiple layers of security controls
– Cisco hardware-based networking
– As part of best practice, intelligent servers are needed to secure clouds
– Intel technology helps provide foundation for Trust, Security, & Compliance with Intel® TXT and Intel® AES-NI
– Increases confidence that your data in the cloud is safe and secure
Layers of Defense: IDS / IPS; Segmentation (VLAN, Firewall); Authentication and Access Control; Data Encryption; Incident Response; Physical Data Center Security; Monitoring and Tuning
- 25. Setup a Cloud Network to Secure Your Environment
- 26. Setup and Manage Cloud Servers
Network: Cisco-based firewall,
VLAN, VPN and load balancing
included
User Management: Role-based
user controls; activity and usage
reporting
Support: 24x7 phone support
included; Managed Services
Flexibility: 1-8 CPU, 1-64GB
RAM, 50GB-2.5TB local disk
Hybrid: Ability to deploy
dedicated and cloud servers
- 27. Compliance Enhances Trust
• Yearly certification and compliance audits to ensure security
HIPAA Business Associate
- 28. VOTE
• Learning about how OpSource secures their cloud solution,
including the use of Intel Technology has
− Significantly increased my level of interest in OpSource’s Cloud
Solutions
− Slightly increased my level of interest in OpSource’s Cloud Solutions
− Has not changed my level of interest in OpSource’s Cloud Solutions