Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing

Cloud Security & Control: A
Multi-Layer Approach to
Secure Cloud Computing

John Rowell
Chief Technology Officer
OpSource
Twitter: @johnrowell

Paul Sathis
Director, Cloud Computing,
Intel Americas
Intel Corporation
Twitter: @paulinthehouse

Legal Disclaimers
Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM) and, for some uses, certain
platform software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations and may require a BIOS
update. Software applications may not be compatible with all operating systems. Please check with your application vendor.
Intel® TXT requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an
Intel TXT-compatible measured launched environment (MLE). Intel TXT also requires the system to contain a TPM v1.s. For more information, visit
http://www.intel.com/technology/security. In addition, Intel TXT requires that the original equipment manufacturer provides TPM functionality, which requires a TPM-
supported BIOS. TPM functionality must be initialized and may not be available in all countries.
Intel ® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. For
availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-
instructions-aes-ni/
Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor series, not across different processor
sequences. See http://www.intel.com/products/processor_number for details. Intel products are not intended for use in medical, life saving, life sustaining, critical
control or safety systems, or in nuclear facility applications. All dates and products specified are for planning purposes only and are subject to change without notice
On Slide 4, the sources are as follows:

1)Source: http://www.theregister.co.uk/2009/06/08/webhost_attack/

2)Source: http://www.infoworld.com/d/security-central/it-ops-security-pros-odds-over-virtualization-risks-240

On Slide 10, the sources are as follows:
3)World-record virtualization performance claim based on all published VMmark* 1.x results on http://www.ideasinternational.com/Benchmark-Top-Ten/VMmark-1-x. Top-ranked Fujitsu
PRIMERGY* RX600 S5 uses four Intel® Xeon® processor X7560 (24M cache, 2.26GHz, 6.40GT/s Intel QPI). Software and workloads used in performance tests may have been optimized for
performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations, and
functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated
purchases, including the performance of that product when combined with other products.

4)No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization
Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). Intel TXT also requires the
system to contain a TPM v1.s. For more information, visit http://www.intel.com/technology/security

5)Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on
select Intel® Xeon® processors. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-
standard-instructions-aes-ni/

Copyright © 2011 Intel Corporation. All rights reserved. Intel, the Intel logo, Xeon and Intel Core are
trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other
countries. All dates and products specified are for planning purposes only and are subject to change without
notice. * Other brands and names maybe claimed as the property of others.

VOTE
• With regards to cloud computing, I am most concerned about the
following issue:
− Compliance
− Multi-tenancy
− Audit
− Data Protection
− All of the above


Security in the Cloud
Virtualization vs. Security
Benefits Needs

“Webhost hack wipes out
data for 100,000 sites
New security requirements Vaserv suspects zero-day
for cloud & virtualization: virtualization vuln” —The Register1
“IT ops, security pros at odds
• Abstraction of physical hardware
over virtualization risks
• Multi-tenancy movement IT pros upbeat about virtualization,
whereas security experts harbor
implicitly require audit & security doubts about the security role the
hypervisor can play” —IDG News Service2

Cloud & Virtualization Break Many Traditional
Perimeter-oriented Security Techniques

Cloud 2015 Vision
FEDERATED AUTOMATED
Share data IT can focus
securely across more on
public and innovation and
private clouds less on
management

CLIENT AWARE
Optimizing services
based on device
capability

Desktops Laptops Netbooks Personal Devices Smartphones Smart TVs Embedded

Open & Interoperable Solutions Essential

From Vision to Action

Helping Cloud Service Providers on Path to Cloud 2015

6 notice. * Other brands and names maybe claimed as the property of others.

Intel Platform Technologies
Intelligence Built-in for Cloud Computing Demands

Compute
Intel® Xeon® processors E7 & 7500
Series with Hardware-based Security

Result:
Helps Provider Meet Service Level Agreements
Performance for Workload agility
Simpler & Lower Cost

Network Storage
10Gb Ethernet with Open platforms and
built-in support for performance
unified fabric breakthroughs (SSDs)


Cloud Security Services
Enhanced by Intel-based Technology

Encrypt in the Cloud Trust the Cloud
Use encryption to protect data Establish a trusted foundation

Connect to the Cloud Audit the Cloud
Establish / verify identities & federate Build higher assurance into audit


Intel-based Technology
Establishing Foundation for More Secure Clouds

Encrypt
Intel® AES-NI

Isolate Comply
Intel® VT & Intel® TXT Intel® TXT

VM 1 VM 2
VM 1 VM 1 VM 2
VMM

Intel® TXT ?? VMM

9 notice. * Other brands and names maybe claimed as the property of others.

Great Collaboration with OpSource
Cloud Services Powered by Intel® Xeon® processor 7500 &
E7 Series
− Intel Xeon processor E7 series delivers world-record virtualization
performance while delivering higher VM densities than any other industry-
standard server in the market today3

State of the Art Hardware-based Security Technology
− Working with Intel on hardware-based security such as Intel® Trusted
Execution Technology4 that can be used to verify the trustworthiness
of a platform

Foundation for High Reliability
− Intel Xeon processor E7 series delivers extraordinary server reliability
with automatic detection and correction of errors and interconnect error
detection and recovery
− Helps Opsource deliver on high-availability and cloud performance claims

With Intel technology, OpSource can enhance security,
meet demanding customer requirements
& drive competitive prices

Cloud Security & Control: A Multi-Layer Approach to Secure
Cloud Computing

9/14/2011
John Rowell, CTO

Slide 11 © 2011 OpSource, Inc. All rights reserved.

OpSource: Enterprise Cloud and Managed Hosting

• OpSource provides Enterprise Cloud
and Managed Hosting Services

• Solutions for Enterprise, SaaS, Service
Providers (Telecom and Cloud Platforms)

• A Dimension Data Company

• Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore

• Unmatched Industry Experience
– SaaS Hosting and Scaling Software-Oriented Architectures (SOA)
– High Performance, Secure Cloud Computing


Polls Show Security as Top Concern about Public Cloud

• 64% of IT Bosses express concerns about whether corporate data would be
secure inside cloud service providers' datacenters – Forrester Research

• 56% of CFOs had not invested in public cloud services because of fears over the
security of sensitive data - SunGard Availability Services Poll

Gartner 2009 Poll


Security is a Challenge for Utility Cloud Platforms


Defense-in-Depth Security Applied to the Cloud

Defense in depth is a best practice in which multiple layers of
security controls (defense) are implemented to provide redundancy
in the event a security control fails or a vulnerability is exploited.

Layers of Defense
IDS / IPS
Segmentation
- VLAN
- Firewall
Authentication and Access
Control
Data Encryption
Incident Response
Physical Data Center Security
Monitoring and Tuning


Defense #1: Intrusion Detection System

• Fully-managed Intrusion Detection System (IDS) utilizing
signature, protocol and anomaly based inspection methods


Defense #2: Network Segmentation Provides Security Controls

• Customer Controlled Network
Configuration – configurable Layer 2
VLANs:
– Provide segmentation of public and
private IP space
– NAT and VIP functions expose only
those IP addresses you want made
public
• Customizable ACL-based firewall
rules allow control of access into
each network VLAN:
– Build multi-tier network architectures to
separate data tiers from front-end web
tiers to provide an additional layer of
firewall rules to protect data


Defense #3: Authentication and Access Controls

• VPN access for administration of all
servers
• Unique username and password for
multiple administrators
• Role-based permissions allow cloud
administrators to create sub-admins to
manage only certain resources, such as
servers, storage or networks
• Audit logs and reporting


Defense #3 (con’t): Authentication and Access Controls

• Intel® TXT establishes a “hardware root of trust” that can be used to
verify the trustworthiness of a platform4

• Applications for cloud computing
• Base migration and workload placement decisions on the trustworthiness
of the infrastructure
• Control cloud workloads


Defense #4: Data Reliability & Security

• The Intel® Xeon® processor E7 family offers an extensive and
robust set of RAS features in silicon to provide error detection,
correction, containment, and recovery in all processors, memory,
and I/O data paths

• VPN Access

• Data stored with 256-bit encryption at rest and 128-bit SSL
encryption while in transit

• Working with Intel on utilizing Intel® Advanced Encryption
Standard - New Instructions to reduce the performance penalties
usually experienced with pervasive encryption5


Defense #5: 24x7 Incident Response

• Incident Response Teams handle reports of security incidents. An
OSIRT will escalate the incident to law enforcement and/or
executive management as prescribed in security policies

24 x 7
x 365


Defense #6: Datacenters – The Physical Security of the
Cloud

• Meet or Exceed Tier III Standards (highest commercially available
datacenter rating)
• All areas within facility are monitored with CCTV and onsite guards
24x7x365 surveillance and audit logs
• Multiple layers of biometric two-factor authentication restricts
access


Defense #7: Monitoring and Tuning

• Edge-to-edge security, visibility and carrier-class threat
management and remediation utilizing industry leading Arbor
Networks Peakflow

• Compares real-time network traffic against baseline definitions of
normal network behavior, immediately flagging all anomalies due
to security hazards such as:
– Denial of Service (DoS) attacks
– Distributed Denial of Service (DDoS) attacks
– Worms or botnets


OpSource’s Approach to Ensuring Security

• Defense in depth is a best practice Layers of Defense
with multiple layers of security IDS / IPS
controls Segmentation
- VLAN
– Cisco hardware-based networking - Firewall
– As part of best practice, intelligent Authentication and Access
servers are needed to secure clouds Control
– Intel technology helps provide Data Encryption
foundation for Trust, Security, & Incident Response
Compliance with Intel® TXT and Physical Data Center Security
Intel® AES-NI
Monitoring and Tuning
– Increases confidence that your data
in the cloud is safe and secure


Setup a Cloud Network to Secure Your Environment


Setup and Manage Cloud Servers

Network: Cisco-based firewall,
VLAN, VPN and load balancing
included

User Management: Role-based
user controls; activity and usage
reporting

Support: 24x7 phone support
included; Managed Services

Flexibility: 1-8 CPU, 1-64GB
RAM, 50GB-2.5TB local disk

Hybrid: Ability to deploy
dedicated and cloud servers


Compliance Enhances Trust

• Yearly certification and compliance audits to ensure security

HIPAA
Business
Associate


VOTE
• Learning about how OpSource secures their cloud solution,
including the use of Intel Technology has
− Significantly increased my level of interest in OpSource’s Cloud
Solutions
− Slightly increased my level of interest in OpSource’s Cloud Solutions
− Has not changed my level of interest in OpSource’s Cloud Solutions


Continue Conversation

John Rowell
Chief Technology Officer
OpSource
Twitter: @johnrowell

Paul Sathis
Director, Cloud Computing,
Intel Americas
Intel Corporation
Twitter: @paulinthehouse

Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing

Similaire à Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing (20)

Plus de OpSource

Plus de OpSource (20)

Dernier

Dernier (20)

Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing