Creating Cloud Confidence
Greg Brown, VP, CTO - Cloud and Data Center Solutions
www.mcafee.com/networksecurity
[email protected]
August 2012
Can I Borrow $20?
August 28, 2012
How About $100,000?
And Now?
Should We Think About the Data Center the Same Way?
Can We Apply the Security Here?
Challenges: Loss of Physical Controls
Challenges: New Attack Surfaces
Every layer of the stack is now an attack surface, and the lower layers are no longer under the tenant's control:
• Data
• Application
• OS
• Processor
• BIOS
• Hypervisor
• Provisioning Platform
Challenge: Extending Compliance
(Figure: the Data / Application / OS stack shown across PHYSICAL, VIRTUALIZED and CLOUD deployments; department workloads MFR | ENG | HR that once sat on separate physical hosts now share infrastructure, in the cloud alongside other tenants such as Company A and Company B.)
Building a Foundation of Client-to-Cloud Security
• User & Intelligent Devices: secure the devices (identity, device integrity and data protection)
• Public/Private Clouds (servers, network, storage): secure the cloud data centers (infrastructure and data protection, audit/compliance)
• Private cloud and public cloud: secure the connections (apps, data, traffic)
• Common security standards and broad industry collaboration
Cloud Security Mission: Worry-Free Cloud Computing. Make cloud security equal to or better than traditional best-in-class enterprise security.
Hardware-enhanced security plus software and services are the key to achieving this mission.
McAfee Confidential
Up and Down: Integrity of the Server Infrastructure
Integrity layers, from the endpoint down to the host:
• Endpoint-Aware Integrity: client/cloud mutual trust
• Real-time Integrity: continuous monitoring
• Security Stack Integrity: security systems operational
• VM Integrity: ensure all VMs are "known good"
• Location & Asset Control: control workload location
• Host Integrity: ensure the server is "known good"
• External Assessment and Reputation
• Digital Certificates: validate that the web server is authentic
Enabling technologies: Intel Trusted Execution Technology (TXT); Intel Virtualization Technology (VT); McAfee MOVE, McAfee Application Control and Change Control; McAfee SiteAdvisor Enterprise and McAfee Cloud Secure; GTI; EMM/MMS, next-generation endpoint and Intel Identity Theft Protection (ITP); SIA vendors; extended security policy.
Will deliver ongoing advancements to hardware and software security for greater control and auditability.
Extending Security to the Virtual Cloud World
(Figure: a virtualized/private cloud data center and a public cloud data center, each with a VMM hosting workloads for Sales, Mfg and HR and for Company A, Company B and Company C. Intel Trusted Execution Technology is run on each server and the result, "server known good" or "issue identified", is reported to McAfee ePO(1).)
(1) Integrating McAfee ePolicy Orchestrator (ePO) with Intel TXT requires custom integration work.
• Isolate, protect and control VMs: Intel Virtualization Technology, Intel Trusted Execution Technology, McAfee MOVE AV*
• Provide visibility and reporting: apply security policy at multiple control points
• Monitor workloads across cloud infrastructures: McAfee ePO, Intel TXT
*McAfee MOVE AV = McAfee Management of Optimized Virtualized Environments Anti-Virus
McAfee Datacenter Security: The Heart of a Flexible, Efficient, Secure Next Generation Data Center
Comprehensive Security for Servers
• Blacklisting (advanced anti-malware protection): McAfee VirusScan Enterprise
• Whitelisting (only code and applications on the approved list are allowed to execute; everything else is blocked): McAfee Application Control
• System Control (server configuration control and tracking against internal "gold standards"): McAfee Change Control
• Virtualization (advanced anti-malware protection extended to the virtual machines): McAfee MOVE-AV
Reliable Real-Time Protection for Business-Critical Databases
• Database discovery and comprehensive vulnerability assessment: McAfee Vulnerability Manager for Databases
• Non-intrusive, real-time database visibility and protection across all threat vectors: McAfee Database Activity Monitoring
• Shield databases from known vulnerabilities without downtime (virtual patching blocks exploit attempts at the monitoring layer; the vendor patch still needs to be applied in the next maintenance window): McAfee Virtual Patching for Databases
Industry-Leading Next-Generation Network Protection Solutions
• Protection of network-connected devices against targeted attacks: McAfee Next Generation IPS
• High-assurance next-generation firewall capabilities, including application visibility: McAfee Next Generation Firewall
• Advanced threat response, behavioral analysis and access control for the network: McAfee Network Threat Response, McAfee Network Access Control and McAfee Network Threat Behavior Analysis
Comprehensive Security for Storage Devices
• Continuous protection for storage devices and their data: scan, detect and quarantine files on NAS storage devices (NetApp, EMC, Hitachi, SharePoint, etc.): McAfee VirusScan Enterprise for Storage
Unified Security Management and Powerful Threat Intelligence
• High-performance security information and event management (SIEM) for complete visibility and situational awareness to protect critical information and infrastructure: McAfee SIEM
• Single management console for McAfee security products and over 130 partner-integrated products: McAfee ePO
• Comprehensive threat intelligence from over 150 million sensors across the web, channeled into all products in real time: McAfee Global Threat Intelligence
Connecting to the Cloud With Confidence
• Flexible deployment options: on-premise, SaaS or virtual
• Protection and policies across email and web channels
• Confidence to migrate data safely to the public cloud
• Unify identity policies across SaaS and federated solutions
(Figure: McAfee ePolicy Orchestrator and Global Threat Intelligence span the cloud ecosystem; Identity Management, Web Security, Data Loss Prevention and Email Security sit between enterprise private cloud applications and the mobile and enterprise users.)
McAfee's Tailored Data Protection Methodology
1. Discover and Learn: find all your sensitive data wherever it may be
2. Assess Risk: ensure secure data handling procedures are in place
3. Define Effective Policies: create policies to protect data and test them for effectiveness
4. Apply Controls: restrict access to authorized people and limit transmission
5. Monitor, Report and Audit: ensure successful data security through alerting and incident management
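The "Discover and Learn" step above depends on being able to recognise sensitive data in bulk text without drowning in false positives. As an added example that is not McAfee code (and far simpler than a DLP product's classifier), the following scans text for payment card numbers: it finds 13-19 digit runs, keeps only those that pass the Luhn check digit, and reports a masked form so the finding itself does not re-expose the data. The sample text and its card numbers are constructed for the example (4111 1111 1111 1111 is the standard Visa test number).

```python
"""Sensitive-data discovery: find and validate candidate payment card numbers.

Added example for the "Discover and Learn" step of the methodology above; it is
not McAfee code. It scans text for 13-19 digit runs (single spaces or dashes
allowed between digits), keeps only those that pass the Luhn check digit, and
reports a masked form so a finding can be logged without re-exposing the data.
The sample text is constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optional single space/dash between digits,
# not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10: double every second digit from the right (subtract 9 if the
    result exceeds 9), sum everything, and require the sum to be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first 6 (issuer prefix) and last 4 digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked: str
    context: str  # text just before the match, to help an analyst triage


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid candidate; the raw number is never kept."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            # Drop fillers such as 0000... and anything failing the check digit.
            if len(set(digits)) == 1 or not luhn_ok(digits):
                continue
            findings.append(Finding(line_no, mask(digits), line[: m.start()].strip()[-24:]))
    return findings


# Constructed sample: one real-format test card, one with a bad check digit,
# and two long digit runs (ticket id, phone number) that are not cards.
SAMPLE = """customer export 2012-08-28
order 1001 card 4111 1111 1111 1111 exp 12/14
order 1002 card 4111-1111-1111-1112 exp 01/15
ticket 1234567890123 opened by phone +1 555 0100 2222 3333
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.masked}  (after '{f.context}')")
```

Only line 2 is reported; the mistyped card on line 3 and the ticket and phone numbers on line 4 are rejected by the Luhn check, which is what keeps a pattern-based scan usable at scale. A production scanner adds issuer-prefix ranges, other data types and file-format parsing, but the validate-then-mask structure stays the same.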
Cloud Identity Manager
(Figure: internal users on mobile and laptop devices, any device, any time, anywhere, reach hundreds of external SaaS apps through McAfee Cloud Identity Manager, which provides SSO, strong authentication and account provisioning backed by AD, LDAP, database, SAML IdP, OpenID and other identity sources.)
Security and Cloud Adoption
(Figure: PHYSICAL, VIRTUALIZED and CLOUD (IaaS, PaaS) stages carrying the MFR | ENG | HR workloads.)
• Sustained investment
• Continuous protection
• Unified security process
• Optimized performance
• Enable adoption
• Ensure compliance
Usage Case: Financial Transaction Clearinghouse
(Figure: a service provider sends financial transaction records through a FW/DLP gateway to the clearing house at a financial institution. Both firewall checks pass: protocol secure ✔, intended destination ✔.)
There is no model to create awareness of the health of the system receiving the data. This is generally true of all systems outside the perimeter.
Financial Transaction Clearinghouse (with health assessment)
(Figure: the same flow with an assessment step added. The financial institution's clearing house reports its health, and the service provider transmits the records only while the receiving service is assessed as healthy. Firewall checks: protocol secure ✔, intended destination ✔.)
Data is transmitted based on a health measure of the receiving service.
McAfee is well positioned, both in technology assets and in brand permission, to become the standard for conveying system integrity across management domains.
Trapezoid RSA Demo: Enabling Private Cloud Adoption
(Figure: a system admin in finance builds a new payroll application on a virtual server and provisions it to the corporate data center, where it runs on a hypervisor server under ePO management.)
Once the application server is built, the system admin turns it over to the DC operations team to deploy on the PRIVATE CLOUD infrastructure. The system admin is blind to all of the underlying infrastructure, and ePO today has no visibility into the hypervisor or the physical server, so neither is aware of risks at that layer.
Sample Usage Case: Enabling Public Cloud Adoption
(Figure: the virtual server is first provisioned to the corporate data center, whose hypervisor server is reported TRUSTED to the customer's ePO (safe private cloud enabled). DC Ops then pushes the virtual server to the cloud provider's data center, whose hypervisor server is likewise reported TRUSTED to the cloud provider's ePO (safe public cloud enabled).)
1. TXT signals a TRUSTED hypervisor to ePO.
2. ePO sends the integrity result to GTI.
3. The customer's ePO queries GTI for the integrity of the provider's host.
4. The payroll application is reported compliant while running in the public cloud.
Net result: CIO public cloud objectives enabled; this cloud provider is preferred over others; greater value.
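The "Host Integrity: ensure the server is known good" layer, the clearinghouse rule "transmit only while the receiving service is healthy" and the TRUSTED signal in the public cloud case above all rest on the same mechanism: a measured launch whose result a remote verifier can check against a list of known-good components. The following is an added example of that verifier logic, not McAfee, Intel or Trapezoid code, and it does not call the Intel TXT, TPM, ePO or GTI interfaces. It models what a TXT/TPM launch produces: an ordered event log whose measurements are folded into platform configuration registers as PCR = SHA-256(PCR || measurement), and a quote over the PCR values bound to a verifier-chosen nonce. A real quote is signed by the TPM's attestation key and verified with its public key; here an HMAC over a constructed pre-shared key stands in for that signature so the example runs offline with only the standard library. The component images, allowlist and key are all constructed.

```python
"""Host integrity ("known good") check by measured-boot log replay.

Added example, not McAfee/Intel/Trapezoid code. Models a TXT/TPM launch as an
event log extended into PCRs plus a quote over the PCRs; an HMAC with a
constructed pre-shared key stands in for the TPM attestation-key signature.
"""
from __future__ import annotations

import hashlib
import hmac
import json

PCR_INIT = bytes(32)  # every PCR starts as all-zero at power-on


def measure(data: bytes) -> bytes:
    """A component's measurement is its SHA-256 digest."""
    return hashlib.sha256(data).digest()


def replay_log(events: list[tuple[int, bytes]]) -> dict[int, bytes]:
    """Recompute every PCR by extending the log's measurements in order."""
    pcrs: dict[int, bytes] = {}
    for index, digest in events:
        pcrs[index] = hashlib.sha256(pcrs.get(index, PCR_INIT) + digest).digest()
    return pcrs


def make_quote(pcrs: dict[int, bytes], nonce: bytes, key: bytes) -> dict:
    """Host side: bind the PCR values and the verifier's nonce under the MAC."""
    body = json.dumps({"nonce": nonce.hex(),
                       "pcrs": {str(i): v.hex() for i, v in sorted(pcrs.items())}},
                      sort_keys=True)
    return {"body": body, "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def assess(quote: dict, events: list[tuple[int, bytes]], nonce: bytes,
           key: bytes, allowlist: dict[int, set[str]]) -> tuple[bool, str]:
    """Verifier side. Returns (healthy, reason); any failure means do not trust."""
    # 1. The quote must be authentic and fresh (bound to the nonce we issued).
    expected = hmac.new(key, quote["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return False, "quote signature invalid"
    body = json.loads(quote["body"])
    if body["nonce"] != nonce.hex():
        return False, "nonce mismatch (replayed quote)"
    # 2. The event log must reproduce exactly the quoted PCR values.
    replayed = {str(i): v.hex() for i, v in replay_log(events).items()}
    if replayed != body["pcrs"]:
        return False, "event log does not match quoted PCRs"
    # 3. Every measured component must be on the known-good list.
    for index, digest in events:
        if digest.hex() not in allowlist.get(index, set()):
            return False, f"unknown measurement in PCR {index}: {digest.hex()[:12]}"
    return True, "healthy"


# Constructed sample data. PCR 0 holds the firmware measurement and PCR 17 the
# TXT measured launch environment (the hypervisor); the "images" are stand-ins.
ATTESTATION_KEY = b"demo-attestation-key"  # stand-in for the TPM attestation key
ALLOWLIST = {0: {measure(b"bios-v2.1").hex()},
             17: {measure(b"hypervisor-6.0").hex()}}
KNOWN_GOOD_HOST = [(0, b"bios-v2.1"), (17, b"hypervisor-6.0")]
TAMPERED_HOST = [(0, b"bios-v2.1"), (17, b"hypervisor-6.0+rootkit")]


def attest_host(components: list[tuple[int, bytes]], quote_nonce: bytes = b"\x01" * 16,
                verifier_nonce: bytes = b"") -> tuple[bool, str]:
    """Run one host through measurement, quoting and assessment. A different
    verifier_nonce simulates a verifier that receives an old quote."""
    events = [(index, measure(image)) for index, image in components]
    quote = make_quote(replay_log(events), quote_nonce, ATTESTATION_KEY)
    return assess(quote, events, verifier_nonce or quote_nonce, ATTESTATION_KEY, ALLOWLIST)


if __name__ == "__main__":
    print("known-good host:", attest_host(KNOWN_GOOD_HOST))
    print("tampered host:  ", attest_host(TAMPERED_HOST))
    print("stale quote:    ", attest_host(KNOWN_GOOD_HOST, verifier_nonce=b"\x02" * 16))
```

The order of the three checks matters: the signature proves the values came from the platform, the nonce proves they are current, the log replay proves the log explains the PCRs, and only then is the allowlist consulted. Skipping the replay lets a host present a plausible log next to PCRs it did not produce; skipping the nonce lets a compromised host replay a quote captured while it was still clean.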
Cut Costs and Increase the Level of Content and Data Protection
• Proliferation of technology at the gateway: adoption of point solutions has increased operational costs
(Figure: between users and data sit a firewall, proxy, anti-virus, web exploit protection, URL filter, SSL inspection, instant messaging inspection and cache, consolidated in McAfee Web Gateway.)
Types of SSO Connectors
• SAML: SAML 2.0 or SAML 1.1 federation
• Proprietary: custom method supported by the target application
• Agent: an agent needs to be installed on the target application; Java, .NET and PHP agents are available today
• HTTP-Post: username/password are captured during the first login, and an automated HTTP form post is performed in subsequent logins. This means the connector must store the user's application credential in recoverable form, which federation (SAML) avoids.
Front-end Authentication into Cloud Identity Manager
• Username/Password: user store in a directory (AD / LDAP), database or CAS
• 2-factor authentication: OTP (built-in); facial recognition (through partner BioID)
• First-mile SSO: AD IWA; 3rd-party IdM session (such as CA SiteMinder); accept SAML assertion
• Internet identity providers: Facebook; OpenID (Google, Yahoo, PayPal, etc.); SAML (Salesforce)
Strong Authentication Features
• Software OTP: coverage across multiple devices and delivery methods; simple and fast to roll out with user self-enrollment. Mobile token (Pledge), USB key (YubiKey), email; runs on all platforms (iPhone, BlackBerry, WinMobile, etc.)
• Silicon OTP, embedded in Ultrabooks: IPT, the secure ME layer in the Intel chip, "hardens" software OTP and attests that the SSO came from a corporate-issued laptop
Deliver a more secure cloud SSO by invoking strong auth from hardware or mobile software clients.