© 2016 Nokia1

Security in Cloud Environments

Security Product Manager

Joern Mewes ([email protected])

16-11-2016


Cloud transformation happens in phases and will take 5+ years: steps into the cloud

[Figure: timeline of the transformation. Now: carrier grade clouds typically in silos following operator units (Radio, OSS/BSS, Operator IT, Network Cloud, IT & enterprise). 2016+: distributing and connecting across the datacenter architecture. 2020+: logically integrated cloud infrastructure, cloud-scaled and optimized network services, i.e. a secure, five 9's, low latency, colossal data "Telco Cloud". Source: IDC, Nokia analysis]


Nightmare or next hope? Cloud security is … different

Vivek Kundra, Executive Vice President, Industries, Salesforce.com: "Cloud computing is … far more secure than traditional computing, because (cloud) companies … can attract and retain cyber-security personnel of a higher quality than many governmental agencies."

John Chambers, former CIO of Cisco: "You'll have no idea what's in the … data center. … That is exciting to me as a network player … But it is a security nightmare and it can't be handled in traditional ways."


Top 3 Security Risks in Cloud Environments

• Virtualization weakness: how to preserve isolation?

• Dynamicity and site motion: how to cope with constant and automated changes?

• Trust gap: how to guarantee trust and integrity?


Hypervisors are becoming the cloud's security Achilles heel: the threats are real


Analysts predict it will get much worse...

The vulnerabilities are there. It will happen, it’s just a matter of time – hackers are quite aware that a successful attack at hypervisor layer represents an opportunity to penetrate the entire machine regardless of the security controls within each host.

"Beyond application sandboxing, McAfee Labs predicts that 2015 will bring malware that can successfully exploit hypervisor vulnerabilities to break out of some security vendors' standalone sandbox systems."

Source: McAfee Labs™ Report 2015


Business agility requires a re-thinking of how security gets implemented

• Systems and services are launched and retired faster than security teams can identify, analyze and track them

• Physical boundaries between trusted and untrusted security domains no longer exist

• Security policies are enforced primarily by manual configuration and by manually executed audits and processes

• "Classical" perimeter security systems in front of the cloud:

– Lack the topology and network information of the cloud

– Cannot cope with the scaling requirements of the cloud

– Do not see inter-VM traffic

– Are usually not integrated into the cloud-based orchestration processes


Data and software integrity protection

[Figure: network elements (MME, GW, HLR, IMS, BSC) distributed across Radio Cloud, Core Cloud and OSS Cloud, interconnected by SDN networks]

Data protection:

• Cloud providers are seen as being responsible for data protection and privacy

• Shared data layer / block storage systems need to consider service-specific requirements for data privacy

• The number of open interfaces for data exchange increases significantly

• Autonomous VNF/service inter-communication requires a new way to authenticate and authorize data access

Software integrity protection:

• Software integrity takes on greater significance

• Software integrity comprises the whole lifecycle of virtualized applications, which can be roughly divided into the supply chain, the boot/launch and the runtime phase

• Software integrity must be maintained across different operating systems, software versions and patch levels
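The three lifecycle phases above, as an added example (not code from this deck or from Nokia): a file manifest is measured and signed in the supply-chain phase, verified before launch, and re-verified at runtime so that drift and unlisted files are reported. The key, file names and contents are constructed, and an HMAC stands in for the vendor's asymmetric signature.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed key standing in for the vendor's signing key (a real deployment
# would use an asymmetric signature so the operator cannot forge manifests).
SIGNING_KEY = b"constructed-demo-key"

def build_manifest(root: Path, key: bytes = SIGNING_KEY) -> dict:
    """Supply-chain phase: measure every file under root and sign the list."""
    files = {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_manifest(root: Path, manifest: dict, key: bytes = SIGNING_KEY) -> list:
    """Launch and runtime phases: return findings; an empty list means intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest signature invalid"]  # the file list itself is untrusted
    findings = []
    for name, digest in manifest["files"].items():
        p = root / name
        if not p.is_file():
            findings.append("missing: " + name)
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            findings.append("modified: " + name)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for name in sorted(on_disk - set(manifest["files"])):
        findings.append("unexpected: " + name)  # a file the vendor never shipped
    return findings

def demo() -> tuple:
    """Constructed VNF image: intact at launch, then tampered with at runtime."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("bin", "etc"):
            (root / sub).mkdir()
        (root / "bin" / "vnf").write_bytes(b"\x7fELF-demo-binary")
        (root / "etc" / "vnf.conf").write_text("mode=secure\n")
        manifest = build_manifest(root)
        at_launch = verify_manifest(root, manifest)
        (root / "etc" / "vnf.conf").write_text("mode=debug\n")  # runtime drift
        (root / "bin" / "dropped.so").write_bytes(b"x")  # never in the manifest
        at_runtime = verify_manifest(root, manifest)
        forged = verify_manifest(root, dict(manifest, mac="00" * 32))
    return at_launch, at_runtime, forged
```

The signature check comes first on purpose: a manifest whose signature fails tells you nothing trustworthy about individual files, so no per-file findings are reported for it.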


Cloud security is a layered approach

[Figure: the cloud stack, bottom to top: Infrastructure (Compute, Storage, Networking) with Software Defined Networking (SDN); Hypervisor; Virtual Infrastructure Manager (VMware, OpenStack); VNFs (IMS, GW, HLR, MME, OneNDS) with their VNF Manager (CAM*, FCAPS); Application / Network Management, deployment & monitoring (Cloud Orchestrator, OSS / BSS). Five numbered security functions are overlaid: (1) cloud aware firewall (vFW): enforcement points & VNF security functions; (2) Security Element Manager: security configuration & administration; (3) secure virtualized infrastructure / hypervisor hardening; (4) security orchestration & lifecycle management (Cloud Security Director); (5) physical security functions & SDN security functions]


Security Orchestration: automate security processes within your cloud

• Agility & Automation

• VNF and Hypervisor Hardening

• Dynamic Security Policies

• Security baseline checking and compliance management

• Trust Engine for Cloud

• Security Incident Monitoring

• Threat response


Next generation security to support cloud computing: cloud firewall requirements

• Virtualized security VNFs purpose-built for cloud environments

• Strict separation of control plane and data plane

– Scalable data plane for performance growth

• Full MANO integration, meaning automated lifecycle management for:

– Deployment via Heat Orchestration Template (HOT)

– Healing

– High availability

– Scaling up / scaling out

• Seamless SDN integration for automated policy changes

– Security becomes part of the network fabric
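The automated policy changes called for here, and the inter-VM and lifecycle blind spots listed under "Business agility requires a re-thinking of how security gets implemented", as an added example that is not the deck's or Nokia's code: a minimal security orchestrator that derives firewall rules from VNF lifecycle events instead of manual configuration. The event names, VNF roles, addresses and the role-to-role intents are constructed assumptions.

```python
# Constructed role-to-role intents: which VNF role may reach which role, on which
# protocol/port. Flows without a matching intent are dropped (default deny).
INTENTS = {("mme", "hlr"): ("tcp", 3868), ("ims", "hlr"): ("tcp", 3868),
           ("gw", "ims"): ("udp", 5060)}

class SecurityOrchestrator:
    """Keeps the firewall rule set in step with VNF lifecycle events.
    A rule is (src_ip, dst_ip, proto, port); self.vnfs maps name -> (role, ip)."""

    def __init__(self):
        self.vnfs = {}
        self.rules = set()

    def handle(self, event: dict) -> set:
        """Apply one orchestrator event; return the rules added or removed."""
        name = event["vnf"]
        if event["type"] == "vnf.launched":
            self.vnfs[name] = (event["role"], event["ip"])
            delta = self._rules_for(name)
            self.rules |= delta
        elif event["type"] == "vnf.retired":
            _role, ip = self.vnfs.pop(name)
            # Drop every rule naming the retired address, so a later VNF that
            # reuses the IP does not inherit permissions it was never granted.
            delta = {r for r in self.rules if ip in (r[0], r[1])}
            self.rules -= delta
        else:
            raise ValueError("unknown event type: " + event["type"])
        return delta

    def _rules_for(self, name: str) -> set:
        """Every flow the new VNF may have with the VNFs already running."""
        role, ip = self.vnfs[name]
        out = set()
        for other, (orole, oip) in self.vnfs.items():
            if other == name:
                continue
            if (role, orole) in INTENTS:  # the new VNF is the client side
                out.add((ip, oip) + INTENTS[(role, orole)])
            if (orole, role) in INTENTS:  # the new VNF is the server side
                out.add((oip, ip) + INTENTS[(orole, role)])
        return out

def demo() -> SecurityOrchestrator:
    """Constructed event stream: three launches, a retirement, then IP reuse."""
    so = SecurityOrchestrator()
    for e in [{"type": "vnf.launched", "vnf": "hlr-1", "role": "hlr", "ip": "10.0.0.10"},
              {"type": "vnf.launched", "vnf": "mme-1", "role": "mme", "ip": "10.0.0.20"},
              {"type": "vnf.launched", "vnf": "ims-1", "role": "ims", "ip": "10.0.0.30"},
              {"type": "vnf.retired", "vnf": "mme-1"},
              {"type": "vnf.launched", "vnf": "gw-1", "role": "gw", "ip": "10.0.0.20"}]:
        so.handle(e)
    return so
```

After the stream runs, the rule that let the retired MME reach the HLR is gone even though a gateway now holds the same address; only the gateway-to-IMS flow derived from its own role exists.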


Cloud firewall requirements

• High capacity through support of

– CPU pinning and CPU isolation

– DPDK for fast packet processing

– SR-IOV for HW virtualization

– Direct PCI access from the VM

– Intel QuickAssist Technology for crypto operations

• Flexible deployment model (pay once, use everywhere in your cloud)

• No need for UTM anymore

– Standardized hardware, virtualization and MANO/SDN integration allow the deployment of use-case specific security safeguards from various vendors


How network security gets implemented into the cloud: security service chain

[Figure: security service chain. Ingress sources: IoT, Mobiles, Others. Security functions in the chain: WAF, NAT, FW, Anti DDoS, IDS/IDP. The chain runs over SDN and is controlled by the Cloud Orchestrator and the Security Orchestrator]