Intel Cloud Summit: Greg Brown, McAfee

Page 1

Creating Cloud Confidence
Greg Brown, VP, CTO - Cloud and Data Center Solutions
www.mcafee.com/networksecurity
[email protected]
August 2012

Page 2

Can I Borrow $20?

August 28, 2012

How About $100,00?

Page 3

And Now?

Page 4

Should We Think About the Data Center the Same Way?

Page 5

Can We Apply the Security Here?

Page 6

Challenges: Loss of Physical Controls

Page 7

Challenges: Loss of Physical Controls (same slide, second build step)

Page 8

Challenges: New Attack Surfaces

(figure: the layers of the stack that now form an attack surface)

• Data
• Application
• OS
• Processor
• BIOS
• Hypervisor / Provisioning Platform

Page 9

Challenges: New Attack Surfaces (same figure, with a second Data / Application / OS stack added)

Page 10

Challenge: Extending Compliance

(figure: three stages - PHYSICAL, VIRTUALIZED, CLOUD - with workloads segmented by department, MFR | ENG | HR, and by tenant, Company A / Company B)

Page 11

Building a Foundation of Client-to-Cloud Security

• User & Intelligent Devices - Secure the Devices: identity, device integrity & data protection
• Secure the Connections: apps, data, traffic (between devices and the Private Cloud / Public Cloud)
• Public/Private Clouds (servers, network, storage) - Secure Cloud Datacenters: infrastructure & data protection, audit/compliance
• Common Security Standards & Broad Industry Collaboration

Cloud Security Mission: Worry-Free Cloud Computing. Make cloud security equal to or better than traditional best-in-class enterprise security.

Hardware-enhanced security + software & services are key to achieving the mission.

McAfee Confidential

Page 12

Up and Down - Integrity of the Server Infrastructure

• Endpoint-Aware Integrity: client/cloud mutual trust
• Real-time Integrity: continuous monitoring
• Security Stack Integrity: security systems operational
• VM Integrity: ensure all VMs are "known good"
• Location & Asset Control: control workload location
• Host Integrity: ensure the server is "known good"
• External Assessment and Reputation
• Digital Certificates: validate that the web server is authentic

Will deliver ongoing advancements to hardware & software security for greater controls & auditability.

Technologies listed on the slide:
• Intel Trusted Execution Technology (TXT)
• Intel Virtualization Technology (VT)
• MOVE, McAfee Application Control, & Change Control
• McAfee SiteAdvisor Enterprise, McAfee Cloud Secure
• GTI
• EMM/MMS, NG Endpoint, Intel Identity Theft Protection (ITP)
• SIA - Vendors

Page 13

Extending Security to the Virtual Cloud World: Extended Security Policy

(figure: a Virtualized and Private Cloud Data Center and a Public Cloud Data Center, each with a VMM hosting workloads for Company A, Company B and Company C - Sales, Mfg, HR - all managed from McAfee ePO (1))

• Intel Trusted Execution Technology is run: server "known good"
• Intel Trusted Execution Technology is run: "issue identified"

• Isolate, protect, control VMs: Intel Virtualization Tech., Intel Trusted Execution Tech., McAfee MOVE AV*
• Provide visibility & reporting: apply security policy at multiple control points
• Monitor workloads across cloud infrastructures: McAfee ePO, Intel TXT

(1) Integrating McAfee ePolicy Orchestrator (ePO) with Intel TXT requires custom integration work.
*McAfee MOVE AV = McAfee Management of Optimized Virtualized Environments Anti-Virus

Page 14

McAfee Datacenter Security: The Heart of a Flexible, Efficient, Secure Next Generation Data Center (Security Management; title build, content on Page 15)

Page 15

McAfee Datacenter Security: The Heart of a Flexible, Efficient, Secure Next Generation Data Center

Comprehensive Security for Servers (Security Management)

• Blacklisting - Advanced anti-malware protection: McAfee VirusScan Enterprise
• Whitelisting - Complete protection from malicious code and applications: McAfee Application Control
• System Control - Server configuration control and tracking against internal "gold standards": McAfee Change Control
• Virtualization - Advanced anti-malware protection extended to the virtual machines: McAfee MOVE-AV

Page 16

McAfee Datacenter Security: The Heart of a Flexible, Efficient, Secure Next Generation Data Center

Reliable Real-Time Protection for Business-Critical Databases (Security Management)

• Database discovery and comprehensive vulnerability assessment: McAfee Vulnerability Manager for Databases
• Non-intrusive, real-time database visibility & protection across all threat vectors: McAfee Database Activity Monitoring
• Patch databases without downtime: McAfee Virtual Patching for Databases

Page 17

McAfee Datacenter Security: The Heart of a Flexible, Efficient, Secure Next Generation Data Center

Industry-Leading Next Generation Network Protection Solutions (Security Management)

• Protection of network-connected devices against targeted attacks: McAfee Next Generation IPS
• High-assurance, strong next-generation firewall capabilities, including application visibility: McAfee Next Generation Firewall
• Advanced threat response, behavioral analysis and access control solutions for the network: McAfee Network Threat Response, McAfee Network Access Control and McAfee Network Threat Behavior Analysis

Page 18

McAfee Datacenter Security: The Heart of a Flexible, Efficient, Secure Next Generation Data Center

Comprehensive Security for Storage Devices (Security Management)

• Continuous protection for storage devices and their data: scan, detect and quarantine files on NAS storage devices (NetApp, EMC, Hitachi, SharePoint, etc.): McAfee VirusScan Enterprise - Storage

Page 19

McAfee Data Center Security: The Heart of a Flexible, Efficient, Secure Data Center

Unified Security Management and Powerful Threat Intelligence (Security Management)

• High-performance security information and event management (SIEM) solutions for complete visibility and situational awareness to protect critical information and infrastructure: McAfee SIEM
• Single management console for McAfee security products and over 130 partner-integrated products: McAfee ePO
• Comprehensive threat intelligence from over 150 million sensors across the web, channeled into all products in real time: McAfee Global Threat Intelligence

Page 20

Connecting to the Cloud With Confidence

• Flexible deployment options - on-premise, SaaS or virtual
• Protection and policies across email and web channels
• Confidence to migrate data safely to the public cloud
• Unify identity policies across SaaS and federated solutions

(figure: McAfee ePolicy Orchestrator and Global Threat Intelligence spanning Identity Management, Web Security, Data Loss Prevention and Email Security, connecting Enterprise Users, Mobile Users and Enterprise Private Cloud Applications to the Cloud Ecosystem)

Page 21

McAfee's Tailored Data Protection Methodology

1. Discover and Learn - Find all your sensitive data wherever it may be
2. Assess Risk - Ensure secure data handling procedures are in place
3. Define Effective Policies - Create policies to protect data and test them for effectiveness
4. Apply Controls - Restrict access to authorized people and limit transmission
5. Monitor, Report and Audit - Ensure successful data security through alerting and incident management

Page 22

Cloud Identity Manager

(figure: users - Internal User, Laptop, Mobile; Any Device, Any Time, Any Where - access 100s of external SaaS apps through McAfee Cloud Identity Manager, which provides SSO, Strong Auth and Account Provisioning and is backed by AD, LDAP, Database, SAML IdP, OpenID, etc.)

Page 23

Security and Cloud Adoption

(figure: the PHYSICAL, VIRTUALIZED and CLOUD stages - IaaS, PaaS - with MFR | ENG | HR segmentation)

• Sustained investment
• Continuous Protection
• Unified Security Process
• Optimized Performance
• Enable Adoption
• Ensure Compliance

Page 24

(no text extracted)

Page 25

Usage Case: Financial Transaction Clearinghouse

(figure: Financial Transaction Records flow from the Financial Institution, through FW/DLP/..., to the Clearing House at the Service Provider; labels: Bot, FW: Protocol Secure ✔, FW: Intended Destination ✔)

There is no model to create awareness of the health of the system receiving the data. This is generally true of all systems outside the perimeter.

Page 26

Financial Transaction Clearinghouse

(figure: the same flow, with the Financial Institution's FW now also receiving an Assessment of the Clearing House - Healthy - so that data is transmitted based on the health measure of the service; labels: FW: Protocol Secure ✔, FW: Intended Destination ✔)

McAfee is well positioned both in technology assets and in brand permission to become the standard for conveying system integrity across management domains.

Page 27

Trapezoid RSA Demo: Enabling Private Cloud Adoption

(figure: a System Admin in finance builds a new payroll application on a virtual server and provisions it to the Hypervisor Server in the Corporate Data Center, which is managed by ePO)

Once the application server is built, the system admin turns it over to the DC operations team to deploy on the PRIVATE CLOUD infrastructure.

The system admin is blind to all of the underlying infrastructure.

ePO has no visibility into the hypervisor or the infrastructure today; ePO is not aware of hypervisor or physical server risks.

Page 28

Sample Usage Case: Enabling Public Cloud Adoption

(figure: the Corporate Data Center's Hypervisor Server - Safe Private Cloud Enabled, TRUSTED, managed by ePO - and the Public Cloud Data Center's Hypervisor Server - Safe Public Cloud Enabled, TRUSTED, managed by the Cloud Provider's ePO; the virtual server is provisioned to the DC and DC Ops pushes it to the Cloud Provider)

1. TXT signals TRUSTED hypervisor to ePO
2. ePO sends integrity to GTI
3. Customer ePO queries GTI for integrity
4. Payroll application reported compliant while running in the public cloud

Net result:
• CIO public cloud objectives enabled
• Cloud provider preferred over others - greater value!
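The four-step flow on this slide (a TXT verdict reaches the provider's ePO, which publishes it to GTI, which the customer's ePO queries before reporting the workload compliant) and the health-gated transmission on Page 26 are the same pattern: a consumer in one management domain acts on an integrity report produced in another. The Python model below is an added example, not code from the slides, McAfee or Intel. IntegrityRegistry, txt_measurement, sign_report, verify_report and REPORT_KEY are hypothetical stand-ins for the roles on the slide, and it uses an HMAC with a constructed shared key where a real deployment would use per-host signing keys and a PKI. What it demonstrates is the consumer-side checks a report must pass before a workload is treated as compliant or records are released to it: authenticity, freshness, and a fail-closed default when the report is missing or tampered with.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed demo key shared by the provider-side reporter and the registry.
# Assumption for this model only; a real design would use asymmetric signatures.
REPORT_KEY = b"constructed-demo-key-not-for-real-use"
MAX_REPORT_AGE_S = 300  # a report older than this is treated as unknown


def txt_measurement(host_id: str, measured_trusted: bool, now: Optional[int] = None) -> dict:
    """Step 1 stand-in: the launch-measurement verdict a TXT-capable host hands
    to the provider's management console (constructed; not Intel's TXT API)."""
    ts = int(time.time()) if now is None else int(now)
    return {"host": host_id, "trusted": bool(measured_trusted), "ts": ts}


def _canonical(report: dict) -> bytes:
    # Deterministic serialization so the MAC covers exactly one byte string.
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(report: dict, key: bytes = REPORT_KEY) -> dict:
    """Step 2: the provider's console authenticates the measurement before
    publishing it to the cross-domain registry."""
    tag = hmac.new(key, _canonical(report), hashlib.sha256).hexdigest()
    return {"report": report, "mac": tag}


class IntegrityRegistry:
    """Stand-in for a shared reputation service (the role GTI plays on the
    slide): keeps the latest signed report per host and serves it on request."""

    def __init__(self) -> None:
        self._reports: Dict[str, dict] = {}

    def publish(self, signed: dict) -> None:
        self._reports[signed["report"]["host"]] = signed

    def query(self, host_id: str) -> Optional[dict]:
        return self._reports.get(host_id)


def verify_report(signed: Optional[dict], now: int, key: bytes = REPORT_KEY,
                  max_age: int = MAX_REPORT_AGE_S) -> str:
    """Step 3, consumer side. Returns 'trusted' or 'untrusted' for a usable
    report, otherwise why it cannot be relied on: 'missing', 'bad-mac', 'stale'."""
    if signed is None:
        return "missing"
    report, mac = signed.get("report", {}), signed.get("mac", "")
    expected = hmac.new(key, _canonical(report), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return "bad-mac"  # altered after signing, at the registry or in transit
    if now - int(report.get("ts", 0)) > max_age:
        return "stale"  # the host may have since been rebooted into another state
    return "trusted" if report.get("trusted") else "untrusted"


def release_decision(registry: IntegrityRegistry, host_id: str, now: int) -> Tuple[bool, str]:
    """Step 4 and the Page 26 gating rule in one place: the workload counts as
    compliant, and records may be sent to it, only on a fresh, authentic report
    that says trusted. Every other outcome fails closed."""
    verdict = verify_report(registry.query(host_id), now)
    return verdict == "trusted", verdict


def run_scenarios(now: int = 1_700_000_000) -> Dict[str, str]:
    """Walks the flow for a trusted host, an untrusted host, a tampered report,
    a stale report and an unknown host; returns the verdict per host."""
    registry = IntegrityRegistry()
    registry.publish(sign_report(txt_measurement("provider-hv-01", True, now)))
    registry.publish(sign_report(txt_measurement("provider-hv-02", False, now)))
    # A report whose 'trusted' flag was flipped after it was signed.
    forged = sign_report(txt_measurement("provider-hv-03", False, now))
    forged["report"]["trusted"] = True
    registry.publish(forged)
    # An honest report that is too old by the time it is consulted.
    old_ts = now - MAX_REPORT_AGE_S - 1
    registry.publish(sign_report(txt_measurement("provider-hv-04", True, old_ts)))
    hosts = ("provider-hv-01", "provider-hv-02", "provider-hv-03",
             "provider-hv-04", "provider-hv-99")
    return {h: release_decision(registry, h, now)[1] for h in hosts}


if __name__ == "__main__":
    for host, verdict in run_scenarios().items():
        print(f"{host}: {verdict}")
```

The registry never decides anything; it only stores and serves what the provider published, and the consuming side re-verifies the MAC and the timestamp itself. That split is what lets a report cross management domains without the consumer having to trust the registry's storage.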

Page 29

Cut Costs and Increase the Level of Content and Data Protection

• Proliferation of technology at the gateway - adoption of point solutions has increased operational costs

(figure: between Users and Data sit a Firewall, Proxy, Anti-Virus, Web Exploit Protection, URL Filter, SSL Inspection, Instant Messaging Inspection and Cache, consolidated into McAfee Web Gateway)

Page 30

Types of SSO Connectors

• SAML: SAML2 or SAML 1.1 federation
• Proprietary: custom method supported by the target application
• Agent: an agent needs to be installed on the target app; Java, .NET, and PHP agents available today
• HTTP-Post: username/password are captured during first login, and an automated HTTP form post is performed in subsequent logins

Page 31

Front-end Authentication into Cloud Identity Manager

• Username/Password: user store - Directory (AD / LDAP), Database, CAS
• 2-factor authentication: OTP (built-in); Facial Recognition (through partner BioID)
• First-mile SSO: AD IWA; 3rd-party IdM session (such as CA SiteMinder); accept SAML assertion
• Internet Identity Providers: Facebook; OpenID (Google, Yahoo, PayPal, etc.); SAML (Salesforce)

Page 32

Strong Authentication Features

Software OTP
• Coverage across multiple devices and delivery methods
• Simple & fast to roll out with user self-enrollment
  – Mobile token - Pledge
  – USB key - YubiKey
  – Email
  – Runs on all platforms: iPhone, BlackBerry, WinMobile, etc.

Silicon OTP (embedded in Ultrabooks)
• IPT - secure ME layer in Intel chip
• "Hardens" software OTP
• Attest that SSO came from a corp-issued laptop

Deliver a more secure cloud SSO by invoking strong auth from hardware or mobile software clients.