Cisco Public 1 © 2011 Cisco and/or its affiliates. All rights reserved.
Security in the Green Cloud
Smart and Green Infrastructure Symposium 2011, Prague, May 19th 2011
Steinthor Bjarnason – [email protected]
What is Cloud Computing?
IT resources and services that are abstracted from the underlying infrastructure and provided “On-Demand” and “At Scale” in a multi-tenant environment.
complexity
Diagram labels (slide graphic): Corporate Border; Branch Office; Corporate Office; Home Office; Coffee Shop; Airport; Mobile User; Customers; Partners; Applications and Data; Policy; Attackers (shown on both the enterprise side and the provider side); Service Providers offering Platform as a Service, Infrastructure as a Service, Software as a Service and X as a Service.
Diagram (slide graphic): degree of control over each layer of the stack (Network, Storage, Server, VM, App, Data) across four deployment models: Private Cloud (IaaS), Hosted/Private Virtual Cloud (IaaS), Public Cloud (IaaS) and Public Cloud (SaaS), ranging from “IT is in control” through “Shared control” to “They are in control”.
Threat | SPI Model | Risks / Example
Abuse and Nefarious Use of Cloud Computing | IaaS, PaaS, SaaS | Zeus botnet, InfoStealer trojan horses, MSFT/Adobe exploit downloads
Insecure Application Programming Interfaces | IaaS, PaaS, SaaS | Anonymous access, clear-text authentication or transmission, unknown service or API dependencies
Malicious Insiders | IaaS, PaaS, SaaS | Well-known threats
Shared Technology Vulnerabilities | IaaS, PaaS, SaaS | J. Rutkowska’s Red and Blue Pill exploits, Kortchinsky’s CloudBurst
Data Loss/Leakage | IaaS, PaaS, SaaS | Insufficient AAA, keys, data store challenges, risk of association
Account, Service & Traffic Hijacking | IaaS, PaaS, SaaS | New threats
Unknown Risk Profile | IaaS, PaaS, SaaS | IRS asked AMZ EC2 to perform a C&A
Source: Top Threats to Cloud Computing, Mar 2010, cloudsecurityalliance.org
Private Cloud
• What is a Private Cloud?
– It’s Private ;-)
– You have control of everything
– You decide the security policy
– No need for total separation of resources (some exceptions apply)
– Need to secure virtual machines and services
• Basically, it’s a Data Center on steroids with cool new Cloud technologies and capabilities added
• And we know how to solve this!
(Slide graphic: Virtual Private Cloud)
Public Cloud
• What is a Public Cloud?
– You are sharing a public infrastructure with others
– You do not have control of the infrastructure
– You do not decide the common security policy
– You control access to the leased infrastructure (IaaS/PaaS)
– You control access to your own services (IaaS/PaaS/SaaS)
– You need to work together with the Cloud Provider to establish trust and control
• The customer CANNOT solve this on his own!
• Need to establish TRUST between the Cloud Provider(s) and the Customer
The only way to establish trust
• Federated identity
– Between Customer and Cloud Providers
– Between Cloud Providers
• Cloud Brokers
– Need to be able to access different Cloud Providers using common technologies
• Standards, a common control matrix and Compliance
• Private and IaaS Cloud Solutions
– Integrated Compute Stacks: VMDC
– dcPoD Solutions: VPOD
– Data Center Interconnect Solutions
• Cloud Security Solutions
– Security-as-a-Service: ScanSafe, IronPort
– Cloud Security Products: Nexus 1000V, Virtual Security Gateway, VN-Link
• Cisco Collaboration Cloud Based Solutions
– Private Cloud Collaboration Solution
– Hosted Collaboration Solution
– Partner Cloud
– Cisco WebEx Collaboration Cloud
Organizations working on cloud standards (slide graphic): DMTF, OGF, ITU-T, CSA, SNIA, CCIF, IEEE, IETF, ISOC, CloudAudit, MEF, NCOIC, OCC, OCM, TMF, OASIS, ATIS.
• “Security Guidance for Critical Areas of Focus in Cloud Computing” whitepaper: comprehensive guide on how to secure Cloud architectures, how to govern Clouds and how to operate securely in a Cloud environment: http://www.cloudsecurityalliance.org/csaguide.pdf
• Also created the CSA “Top Threats to Cloud Computing” document: http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
• Subset of CSA corporate members: (member logos not reproduced)
• CSA CloudAudit (A6: Automated Audit, Assertion, Assessment and Assurance API): provide a common interface that allows Cloud providers to automate the Audit, Assertion, Assessment, and Assurance of their environments and allow authorized consumers of their services to do likewise via an open, extensible and secure API.
See http://groups.google.com/group/A6WG and http://www.CloudAudit.org
• CSA Controls Matrix: provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider
• CSA Consensus Assessment Initiative: the Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments
• ENISA: Benefits, risks and recommendations
• PCI and Common Criteria
• IEEE, IETF
• Distributed Management Task Force (DMTF)
• The European Telecommunications Standards Institute (ETSI)
• National Institute of Standards and Technology (NIST)
• ISACA – COBIT
• ISO27001/2
• American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards (SAS) No. 70, 98
http://cloud-standards.org/wiki/index.php?title=Main_Page
• Cloud Security cannot be solved by any one organization
• The key is working together!
– Identifying issues and problems
– Create new technologies
– Create new standards and recommendations
• And this has to happen FAST, as we are already seeing negative discussions about Public Cloud – all due to the lack of TRUST
Thank you.