bernie trudel cloud cto, cisco asia pacific · 2012. 7. 9. · service delivery models software as...
Slide 1 (© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential)
Bernie Trudel
Cloud CTO, Cisco Asia Pacific
Slide 3
• Explosion in data, services, and growth of internet usage
  - Broadband
  - Video, voice over IP
• Technology tipping point
  - Moore's Law driving down cost
  - Warehouse-scale data centers
  - Virtualization + automation
• Mobile and wireless
  - Anytime, any device
  - Smart, IP-connected devices
Slide 4
Anywhere, Anyone, Any Service (Source: Cisco IBSG)
Cloud computing: IT resources and services that are abstracted from the underlying infrastructure and provided "On Demand" and "At Scale" in a multitenant and elastic environment. (Source: The 451 Group ICE)
Slide 5
Visual Model of NIST's Definition of Cloud Computing
Deployment models (pros and cons): Public, Private, Hybrid, Community
Service delivery models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential characteristics: On-Demand Self Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
Sources: http://blogs.zdnet.com/Hinchcliffe, http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html
Slide 6
Cloud Security Alliance – major players (standards and industry bodies shown): DMTF, OGF, ITU-T, CSA, SNIA, CCIF, IEEE, IETF, ISOC, CloudAudit, MEF, NCOIC, OCC, OCM, TMF, OASIS, ISO
Slide 7
Security Is Shared
Diagram: the stack of each service delivery model (top to bottom), with each column split between the Consumer and the Provider.
IaaS: Data; OS & Applications; VMs/Containers; APIs; Core connectivity; Abstraction; Hardware; Facilities
PaaS: Data; OS & Applications; Integration and middleware; APIs; Core connectivity; Abstraction; Hardware; Facilities
SaaS: Presentation modality; Presentation platform; APIs; Applications; Data; Metadata; Content; Integration and middleware; APIs; Core connectivity; Abstraction; Hardware; Facilities
Slide 8
• Data location and ownership
• Shared infrastructure means granular access control
• Jumping over the regulatory requirements bar
• Aligning security policies: cloud service and internal
• What security knowledge, skills, and clearance are required of personnel?
• What are the DR (disaster recovery) attributes of the cloud service?
• What CIA (confidentiality, integrity, availability) controls are in place for the cloud service?
• Is security part of the negotiated Service Level Agreement?
• Security incident procedure: disclosure and resolution
• Contingencies for cloud service provider failure
Slide 9
IT Security Operations: Background checks, access monitoring; Vulnerability alerts, patching; Compliance requirements; Disaster recovery
Infrastructure as a Service (IaaS): Threat defense; Multitenancy security; Protection against distributed denial-of-service (DDoS) attacks; Change management, separation of duties (SoD)
Platform as a Service (PaaS): Infrastructure cloud security, plus: Secure connection to cloud services; Secure B2B communications; Data security
Software as a Service (SaaS): Infrastructure and platform cloud security, plus: Access to administrative controls; App security, code reviews; Content monitoring, filtering, and data loss prevention (DLP)
Slide 10
Diagram labels: Corporate Border; Branch Office; Applications and Data; Corporate Office; Policy; Attackers; Customers; Partners
Slide 11
Diagram labels: Policy; Corporate Border; Branch Office; Applications and Data; Corporate Office; Home Office; Coffee Shop; Airport; Mobile User; Attackers; Customers; Partners; Platform as a Service; Infrastructure as a Service; X as a Service; Software as a Service
Slide 12
• Logical separation
• Policy consistency
• Automation
• Authentication and access control
• Scalability and performance
Slide 13
"In the Cloud"
Diagram labels: Secure Cloud Infrastructure; Private Cloud; Virtualized App Servers
In the Cloud: Security (products, solutions) instantiated as an operational capability deployed within Cloud Computing environments. Examples: Routers, Firewalls, IPS, AV, WAF, …
Slide 14
Guidance (cover labels: "Governing the Cloud", "Operating in the Cloud")
Popular best practices for securing cloud computing
Flagship research project
V2.1 released 12/2009
V3 research underway, targeting Q3 2011 release
>100k downloads
wiki.cloudsecurityalliance.org/guidance
Slide 15
Diagram: Virtualized Multi-Tenant Data Center (VMDC 2.2), validated Cisco design: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/landing_vmdc.html
Network tiers: Access; Aggregation & Services; Core; Peering; IP-NGN Backbone; Internet; Partners
Compute and storage: Compute; vSwitch; Storage & SAN; Virtual Machine; Application Software
Management: Cloud Infrastructure Management Platform (CIMP)
Tenancy: Tenant "A" and Tenant "B", each running Application 1 and Application 2 on per-tenant App/OS virtual machines
Embedded Services: ACE; IDS; DDoS; SSL; FW
Slide 16
"For the Cloud"
Diagram labels: Secure Cloud Access; Public Cloud; Secure Cloud Infrastructure
For the Cloud: Security services that are specifically targeted toward securing OTHER Cloud Computing services, delivered by Cloud Computing providers.
Slide 17
• Controls derived from guidance
• Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP
• Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
• Customer vs Provider role
• Help bridge the "cloud gap" for IT & IT auditors
Slide 18
Consistent identity-aware policy from any device to data center, based on business needs
Policy distribution and intelligence through the network
Security Group Tagging scales context-aware enforcement
POSTURE-BASED PERMISSIONS
1. Permit/Deny based on policy
2. Authorized devices tagged with policy
3. Policy tags enforced by the network
Diagram labels: VPN; Data Center; Virtual DC Machines; ALLOWED; DENIED; WHO, WHAT, WHERE, WHEN, HOW?; MACsec
Slide 19
"By the Cloud"
Diagram labels: Secure Cloud Infrastructure; Cloud Security Services; Internet; Web; Secure Mobility; Securing Cloud Access
By the Cloud: Security services delivered by Cloud Computing services which are used by providers
Slide 20
Security as a Service Working Group (SecaaS)
1. Identity and Access Management
2. Data Loss Prevention
3. Web Security
4. Email Security
5. Security Assessments
6. Intrusion Management
7. Security Information and Event Management
8. Encryption
9. Business Continuity and Disaster Recovery
10. Network Security
Source: https://cloudsecurityalliance.org/research/working-groups/security-as-a-service/
Slide 21
Email SaaS: Cisco IronPort Email Security Services
Providing industry-leading email security with choice: Cloud • Hybrid • Managed
Key Service Attributes: Dedicated infrastructure; Co-managed access; Centralized tracking & reporting
Mail flow between the Cisco data centers and the customer:
1. Inbound Hygiene: removes spam and viruses
2. Pass Clean Email
3. Outbound Control: apply DLP and encryption policies
Slide 22
Web SaaS: Cisco ScanSafe Web Security Services
Delivering market-leading web security & visibility
Key Service Attributes: Zero-day malware protection; Multi-tenant infrastructure; On-demand capacity
Service components: Application Controls; Anti-Malware; Web Filters
Traffic flow:
1. Cloud redirection: Web traffic is forwarded directly to the cloud
2. Policy Enforcement: All outbound traffic is passed through defined policy
3. Malware Protection: Content analysis to detect and block all malware
Slide 23
Cloud Security Services
• Cisco ScanSafe Web Security and Filtering
• Cisco IronPort® Cloud, Managed, and Hybrid Email Security
• Cisco SIO: Cisco SensorBase™; Threat Operations Center; Dynamic updates
Secure Cloud Infrastructure
• Cisco® ASA 5585-X with firewall and IPS; ASA Services Module
• Cisco Nexus® 1000V switch
• Cisco Virtual Security Gateway
• Cisco ASA1000V
Secure Cloud Access and Communications
• Secure SaaS access
• Cisco AnyConnect™
• Cisco TrustSec®
• Cisco Identity Services Engine
• VPN
Slide 24
• "Security Guidance for Critical Areas of Focus in Cloud Computing" whitepaper: comprehensive guide on how to secure cloud architectures, how to govern clouds and how to operate securely in a cloud environment: http://www.cloudsecurityalliance.org/csaguide.pdf
• Cisco Cloud Security accelerates Cloud Adoption: Cisco Cloud Security Technology, http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1066/white_paper_c11-674558.html
• Creating Business Value with Effective Pervasive Cloud Security and Cloud Enablement Services: Cisco Cloud Security Services, http://www.cisco.com/en/US/services/ps2961/ps10364/ps10370/ps11104/cisco_cloud_security_whitepaper_services.pdf
Slide 25
Thank you!