
Seguridad en la Nube (Cloud Security)


Cloud Security (Seguridad en la Nube). Javier Liendo, Security Consultant for Cisco Mexico / Grupo Dice. Congreso Mundo Contact Mexico 2012.


Page 1: Seguridad en la Nube

C97-694080-00 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Javier Liendo, CSE Security [email protected] Mexico City May 15th, 2012

Page 2: Seguridad en la Nube


• Cloud Security – What’s changed?

• Cloud Threats – What are new threats specific to cloud?

• Cisco Cloud Security

Page 3: Seguridad en la Nube


“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Page 4: Seguridad en la Nube


1. Cloud Software as a Service (SaaS) Use provider’s applications over a network

2. Cloud Platform as a Service (PaaS) Deploy customer-created applications to a cloud

3. Cloud Infrastructure as a Service (IaaS) Rent processing, storage, network capacity, and other fundamental computing resources

Page 5: Seguridad en la Nube


Private cloud Enterprise owned or leased, may reside on or off premise

Community cloud Shared infrastructure for specific community with common concerns/goals

Public cloud Sold to the public, mega-scale infrastructure

Hybrid cloud Composition of two or more clouds

Page 6: Seguridad en la Nube


[Figure: spectrum of control by deployment model. Private Cloud (IaaS): IT is in control. Hosted/Private Virtual Cloud (IaaS): shared control. Public Cloud (IaaS) and Public Cloud (SaaS): "they" are in control. Each column shows the stack Network, Storage, Server, VM, App, Data, with Security spanning all of them.]

Page 7: Seguridad en la Nube


Old vs. New

Old: Protect the Perimeter
New: Protect the Data (and Application); Protect the Hypervisor

Old: Place it in the right security zone
New: VMs in motion need to move with ‘attached’ security policy

Old: Zones are static
New: Zones are dynamic and on the move!

Old: Machine to machine traffic can be seen on ‘the wire’
New: Virtualization means machine to machine traffic never leaves the host

Old: Trust the ‘insider’
New: Pervasive Distrust

Old: Dedicated is secure
New: Any shared resources need security scrutiny

Page 8: Seguridad en la Nube


Economics

Agility

Experience

Security


Page 9: Seguridad en la Nube


[Figure: the traditional model. A Corporate Border encloses the Branch Office, the Corporate Office, and the Applications and Data, with Policy enforced at the border; Attackers, Customers, and Partners sit outside it.]

Page 10: Seguridad en la Nube


[Figure: the same diagram extended for cloud and mobility. Inside the Corporate Border: Branch Office, Corporate Office, Applications and Data, Policy. Outside it: Attackers, Customers, Partners, plus Home Office, Coffee Shop, Airport, and Mobile User, and the cloud offerings Platform as a Service, Infrastructure as a Service, Software as a Service, and X as a Service.]

Page 11: Seguridad en la Nube


Page 12: Seguridad en la Nube


[Figure: Cisco cloud security architecture. A Cloud Customer (Campus) connects over IPsec/SSL to a Private Cloud (VDC1, VDC2, vPC) and over the Internet to a Public Cloud. Callout bullet groups, numbered 1 to 3 in the figure:

1. Threat defense; Secure multitenancy; Secure communications

2. Policy management; Access control; Threat defense; DLP

3. Secure multitenancy; Separation of duties; Data protection

Products shown: Cisco VSG, Cisco ASA 5585-X, Cisco UCS™, Virtualization Hypervisor, Cisco AnyConnect™, Cisco ASA 1000V, VMs, Active Directory, Cisco Identity Services Engine, Cisco IronPort® Email, Cisco® ScanSafe Web Security, Cisco Security Intelligence Operations (SIO), Cisco TrustSec®, Cisco VXI.]

Page 13: Seguridad en la Nube


Cloud Security as a Service

• Cisco ScanSafe Web Security and Filtering

• Cisco IronPort® Cloud, Managed, and Hybrid Email Security

• Cisco SIO

Secure Cloud Infrastructure

• Cisco ASA 5585; ASA SM; ASA1000V

• Cisco Nexus® 1000V switch

• Cisco Virtual Security Gateway

Related AS Security Services

• Secure Cloud Discovery Service

• Security PDI

• IT-GRC Services

Secure Cloud Access

• Secure SaaS access

• Cisco AnyConnect™

• Cisco TrustSec®

• Cisco Identity Services Engine

• VPN

Page 14: Seguridad en la Nube


• Cloud Security – What’s changed?

• Cloud Threats – What are new threats specific to cloud?

• Cisco Cloud Security

Page 15: Seguridad en la Nube


Thank you.