
Page 1: Security in the Green Cloud v1.1 - Cisco · Private and IaaS Cloud Solutions Integrated Computed Stacks - VMDC dcPoD Solutions - VPOD Data Center Interconnect Solutions Cloud Security

Cisco Public 1 © 2011 Cisco and/or its affiliates. All rights reserved.

Security in the Green Cloud

Smart and Green Infrastructure Symposium 2011, Prague, May 19th 2011. Steinthor Bjarnason – [email protected]

Page 2

WHAT IS CLOUD COMPUTING?

IT resources and services that are abstracted from the underlying infrastructure and provided “On-Demand” and “At Scale” in a multi-tenant environment.

Page 3

Page 4

complexity

Page 5

Diagram labels: Corporate Border; Corporate Office; Branch Office; Home Office; Coffee Shop; Airport; Mobile User; Applications and Data; Policy; Customers; Partners; Service Providers; Software as a Service; Platform as a Service; Infrastructure as a Service; X as a Service; Attackers (shown twice, on both sides of the border).

Page 6

Diagram: the same stack (Network, Storage, Server, VM, App, Data) drawn under four deployment models, with control shifting from left to right:

  IT is in control ......... Shared control ......... “They” are in control

  Private Cloud (IaaS) | Hosted/Private Virtual Cloud (IaaS) | Public Cloud (IaaS) | Public Cloud (SaaS)

Page 7

Page 8

Threat | SPI Model | Risks Example
Abuse and Nefarious Use of Cloud Computing | IaaS PaaS SaaS | Zeus Botnet, InfoStealer trojan horses, MSFT/Adobe exploit downloads
Insecure Application Programming Interfaces | IaaS PaaS SaaS | Anonymous access, clear-text auth or transmission, unknown service or API dependencies
Malicious Insiders | IaaS PaaS SaaS | Well known threats
Shared Technology Vulnerabilities | IaaS PaaS SaaS | J. Rutkowska's Red and Blue Pill exploits, Kortchinsky's CloudBurst
Data Loss/Leakage | IaaS PaaS SaaS | Insufficient AAA, keys, data store challenges, risk of association
Account, Service & Traffic Hijacking | IaaS PaaS SaaS | New threats
Unknown Risk Profile | IaaS PaaS SaaS | IRS asked AMZ EC2 to perform a C&A

Source: Top Threats to Cloud Computing, Mar 2010, cloudsecurityalliance.org
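The “Insecure Application Programming Interfaces” and “Data Loss/Leakage” rows above name conditions a tenant can actually check on its own API inventory: anonymous access, clear-text authentication or transport, and unknown service or API dependencies. The Python below is an added example, not code from the Cisco deck or from the CSA document; it runs exactly those checks over a constructed endpoint inventory. The hostnames, the Endpoint fields, the auth scheme names and the KNOWN_DEPENDENCIES allow-list are all hypothetical.

```python
"""Added example: audit an API endpoint inventory against the CSA
'Insecure APIs' risk examples (anonymous access, clear-text auth or
transmission, unknown service/API dependencies).

All hostnames, the Endpoint fields and the allow-list below are
constructed for illustration; they describe no real provider."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical allow-list of services this tenant has reviewed and
# accepted as dependencies; anything else is an "unknown dependency".
KNOWN_DEPENDENCIES = {"identity.example.test", "kms.example.test"}

# Auth schemes that send a static, reusable secret on every request,
# so they are only acceptable over TLS.
STATIC_SECRET_AUTH = {"basic", "apikey"}


@dataclass
class Endpoint:
    url: str
    auth: str                       # "none", "basic", "apikey", "oauth2", "mtls"
    depends_on: list[str] = field(default_factory=list)


def audit_endpoint(ep: Endpoint) -> list[str]:
    """Return the CSA-style findings for one endpoint (empty list = OK)."""
    findings: list[str] = []
    parsed = urlparse(ep.url)

    # Clear-text transmission: every request and response is exposed.
    if parsed.scheme != "https":
        findings.append("clear-text transport")

    # Anonymous access: no credential required at all.
    if ep.auth == "none":
        findings.append("anonymous access")
    # Clear-text auth: a static secret sent over an unencrypted channel.
    elif ep.auth in STATIC_SECRET_AUTH and parsed.scheme != "https":
        findings.append("clear-text credentials")

    # Unknown service or API dependencies: anything not on the allow-list.
    for dep in ep.depends_on:
        host = urlparse(dep).hostname or dep
        if host not in KNOWN_DEPENDENCIES:
            findings.append(f"unknown dependency: {host}")
    return findings


def audit_inventory(endpoints: list[Endpoint]) -> dict[str, list[str]]:
    """Map each endpoint URL to its list of findings."""
    return {ep.url: audit_endpoint(ep) for ep in endpoints}


# Constructed sample inventory (hypothetical hosts and paths).
SAMPLE_INVENTORY = [
    Endpoint("http://api.tenant.example.test/v1/instances", "basic"),
    Endpoint("https://api.tenant.example.test/v1/images", "none"),
    Endpoint("https://api.tenant.example.test/v1/volumes", "oauth2",
             depends_on=["https://identity.example.test/token",
                         "https://metrics.thirdparty.test/ingest"]),
    Endpoint("https://api.tenant.example.test/v1/keys", "mtls",
             depends_on=["https://kms.example.test"]),
]


if __name__ == "__main__":
    for url, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{url}: {'OK' if not findings else '; '.join(findings)}")
```

The allow-list check is the part most often skipped in practice: an endpoint can be TLS-only and strongly authenticated and still pull in an unreviewed third-party service, which is the “unknown service or API dependencies” case the table lists.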

Page 9

Private Cloud

•  What is a Private Cloud?
   –  It's Private ;-)
   –  You have control of everything
   –  You decide the security policy
   –  No need for total separation of resources (some exceptions apply)
   –  Need to secure virtual machines and services

•  Basically, it's a Data Center on steroids with cool new Cloud technologies and capabilities added

•  And we know how to solve this!

Virtual Private Cloud

Page 10

Public Cloud

•  What is a Public Cloud?
   –  You are sharing a public infrastructure with others
   –  You do not have control of the infrastructure
   –  You do not decide the common security policy
   –  You control access to the leased infrastructure (IaaS/PaaS)
   –  You control access to your own services (IaaS/PaaS/SaaS)
   –  You need to work together with the Cloud Provider to establish trust and control

•  The customer CANNOT solve this on their own!

•  Need to establish TRUST between the Cloud Provider(s) and the Customer

Page 11

The only way to establish trust

•  Federated identity
   –  Between Customer and Cloud Providers
   –  Between Cloud Providers

•  Cloud Brokers
   –  Need to be able to access different Cloud Providers using common technologies

•  Standards, a common control matrix and Compliance

Page 12

Private and IaaS Cloud Solutions
   –  Integrated Compute Stacks - VMDC
   –  dcPoD Solutions - VPOD
   –  Data Center Interconnect Solutions

Cloud Security Solutions
   –  Security-as-a-Service: ScanSafe, IronPort
   –  Cloud Security Products: Nexus 1000V, Virtual Security Gateway, VN-Link

Cisco Collaboration Cloud Based Solutions
   –  Private Cloud Collaboration Solution
   –  Hosted Collaboration Solution
   –  Partner Cloud
   –  Cisco WebEx Collaboration Cloud

Page 13

Page 14

Diagram of cloud standards and industry bodies: DMTF, OGF, ITU-T, CSA, SNIA, CCIF, IEEE, IETF, ISOC, CloudAudit, MEF, NCOIC, OCC, OCM, TMF, OASIS, ATIS.

Page 15

•  “Security Guidance for Critical Areas of Focus in Cloud Computing” Whitepaper: Comprehensive guide on how to secure Cloud Architectures, how to govern Clouds and how to operate securely in a Cloud Environment: http://www.cloudsecurityalliance.org/csaguide.pdf

•  Also created the CSA “Top Threats to Cloud Computing” document: http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

•  Subset of CSA corporate members:

Page 16

•  CSA CloudAudit (A6: Automated Audit, Assertion, Assessment and Assurance API): Provide a common interface that allows Cloud providers to automate the Audit, Assertion, Assessment, and Assurance of their environments and allow authorized consumers of their services to do likewise via an open, extensible and secure API.
   See http://groups.google.com/group/A6WG and http://www.CloudAudit.org

•  CSA Controls Matrix: Provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider

•  CSA Consensus Assessments Initiative: The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments

Page 17

•  ENISA Benefits, risks and recommendations

•  PCI and Common Criteria

•  IEEE, IETF

•  Distributed Management Task Force (DMTF)

•  The European Telecommunications Standards Institute (ETSI)

•  National Institute of Standards and Technology (NIST)

•  ISACA – COBIT

•  ISO27001/2

•  American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards (SAS) No. 70, 98

http://cloud-standards.org/wiki/index.php?title=Main_Page

Page 18

•  Cloud Security cannot be solved by any one organization

•  The key is working together!
   –  Identifying issues and problems
   –  Create new technologies
   –  Create new standards and recommendations

•  And this has to happen FAST, as we are already seeing negative discussions about Public Cloud – all due to the lack of TRUST

Page 19

Thank you.