Securing Sensitive Data in Your Hybrid Cloud


Page 1: Securing Sensitive Data in Your Hybrid Cloud

Cloud Management Platform

Data Security in the Cloud: Leveraging RightScale and Trend Micro SecureCloud

Sept 28, 2011

Watch the video of this webinar

Page 2: Securing Sensitive Data in Your Hybrid Cloud

Your Panel Today

Presenting:
• Uri Budnik, Director, ISV Partner Program, RightScale @uribudnik
• Phil Cox, Director, Security and Compliance, RightScale @sec_prof
• Dave Asprey, VP Cloud Security, Trend Micro @daveasprey

Q&A:
• Jonathan Curtin, Account Manager, RightScale

Please use the “Questions” window to ask questions any time!

Page 3: Securing Sensitive Data in Your Hybrid Cloud

Agenda

• Introduction
• Data Security Concerns and Best Practices
• RightScale Platform and Dashboard Overview
• SecureCloud Deep Dive
• Q&A

Page 4: Securing Sensitive Data in Your Hybrid Cloud

Data Security: We will cover …

• Common data exposure vectors
• Security benefits of centralized management
• Unique security needs associated with hybrid and cross-cloud environments

Page 5: Securing Sensitive Data in Your Hybrid Cloud

Biggest real risks to data in the cloud?

• The same things as when your data were not in the cloud:
• Poor application security leading to injection attacks (e.g., SQL injection)
• Poor system configuration leading to system compromise
• Poor application configuration leading to application compromise
• Poor user habits leading to compromised credentials that are then used to access data

Page 6: Securing Sensitive Data in Your Hybrid Cloud

Common data exposure vectors in the cloud

Data is typically exposed in the following three states:
• In Transit
• At Rest
• In Process

Page 7: Securing Sensitive Data in Your Hybrid Cloud

We must protect data “In Transit”

• Why?
  • You do not want the bad guys to see or modify your data
  • You can’t guarantee the path your data will take
  • You may have regulatory or contractual requirements to do so
• Risks
  • Sniffing along the path
  • Modification of existing data
  • Injection of new data
• Common Solutions
  • Application transport encryption (TLS; its predecessor SSL is now deprecated)
  • VPN (TLS-based, IPsec, L2TP/IPsec; PPTP is no longer considered secure, since its MS-CHAPv2 authentication can be broken)
  • App-level data encryption (custom)

Map of Internet Traffic
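The transport solutions above only defeat sniffing and modification if the client refuses to talk until it has verified who is on the other end; otherwise an on-path attacker simply presents a certificate of their own. The following is an added example, not code from the webinar, RightScale or Trend Micro: a Go program that brings up a TLS server on loopback with a throwaway self-signed certificate (constructed for the example; the hostname db.example.internal is an assumption) and then connects three times, with that certificate pinned as the only trusted root, with an empty trust store, and with the right root but the wrong expected server name. Only the first connection succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Assumed name of the backend being protected; not from the webinar.
const backendName = "db.example.internal"

// newSelfSignedCert returns a throwaway self-signed certificate for host and a
// pool containing only that certificate. Constructed test material standing in
// for the CA-issued certificate a real server would be provisioned with.
func newSelfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// clientConfig is the client a careful service uses: it trusts only the given
// roots, insists the certificate names the host it meant to reach, and refuses
// protocol versions below TLS 1.2. InsecureSkipVerify is deliberately absent.
func clientConfig(roots *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// handshake serves one TLS connection on loopback with cert, dials it with
// clientCfg, and returns the client's handshake error (nil when it connected).
func handshake(cert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		_ = conn.(*tls.Conn).Handshake() // a rejection shows up on the client side
		conn.Close()
	}()
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	conn.Close() // the handshake already succeeded; close errors are irrelevant here
	return nil
}

// Results of the three attempts made by Run.
type Results struct {
	Pinned, UnknownCA, WrongName error
}

// Run connects with the server's certificate pinned (succeeds), with an empty
// trust store (unknown authority) and with the right root but the wrong
// expected name (hostname mismatch): the two ways an on-path attacker's
// certificate gets rejected.
func Run() (Results, error) {
	cert, roots, err := newSelfSignedCert(backendName)
	if err != nil {
		return Results{}, err
	}
	return Results{
		Pinned:    handshake(cert, clientConfig(roots, backendName)),
		UnknownCA: handshake(cert, clientConfig(x509.NewCertPool(), backendName)),
		WrongName: handshake(cert, clientConfig(roots, "other.example.internal")),
	}, nil
}

func main() {
	r, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned root, right name:", r.Pinned)
	fmt.Println("empty trust store:      ", r.UnknownCA)
	fmt.Println("wrong expected name:    ", r.WrongName)
}
```

Each failed connection prints the x509 error that a client with InsecureSkipVerify set would have swallowed, which is the setting to grep for in any code that talks to a database or queue across clouds. MinVersion is set to TLS 1.2 on both sides because the SSL/TLS options on the slide span protocol versions that are no longer safe to negotiate.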

Page 8: Securing Sensitive Data in Your Hybrid Cloud

We must protect data “At Rest”

• Why? Same as previous: you do not want unauthorized
  • Disclosure
  • Modification
  • Injection
• Risks
  • Intrusion into the instance/guest exposes data on its filesystem
  • Cloud provider access to instance and block storage (e.g., ephemeral instance disks, EBS volumes)
  • Cloud provider access to object storage (e.g., S3, Swift, CloudFiles)
• Common Solutions
  • Protection offered by the running operating system (file permissions and access control lists); note that this does nothing against access below the OS, such as a copied volume snapshot
  • *Encryption (and key management)*: the key must be held where the storage provider cannot read it, otherwise the encryption protects only against physical disk theft
  • SLA and policies/processes of the cloud provider

Page 9: Securing Sensitive Data in Your Hybrid Cloud

We must protect data while “In Process”

• Why? Same as previous: you do not want unauthorized
  • Disclosure
  • Modification
  • Injection
• Risks
  • Data is in the clear in the memory of the instance
  • Privileged users on a system can read memory
  • The hypervisor has access to instance memory
  • Encryption at rest does not help here: the data key and the plaintext are both in memory while the data is in use
• Common Solutions
  • Protect the system that is processing the data
  • Protect the hypervisor running the instance
  • Limit administrative users

Page 10: Securing Sensitive Data in Your Hybrid Cloud

Where RightScale shines

• RightScale can be used to ensure that poor system and application configurations are not what cause you to lose your data
• Use RightScale to:
  • Require data to be transmitted securely
  • Require data to be stored securely
  • Ensure systems are appropriately patched and configured to minimize exposures
• The core technologies are:
  • RightImages
  • ServerTemplates
  • RightScripts
  • Repos and Mirrors
• Security Motto: “Build it secure, keep it secure!”

Page 11: Securing Sensitive Data in Your Hybrid Cloud

Build it Secure

• What
  • Use trusted images (trusted repository)
  • Script the install and configuration (known configurations)
• How
  • Start with Multi-Cloud Images
  • Build with ServerTemplates
  • Modify with RightScripts
  • Build from frozen repos

Page 12: Securing Sensitive Data in Your Hybrid Cloud

Keep it Secure

• What
  • Update the operating system
  • Update the applications
  • Validate the configuration
• How
  • You can use the same mechanism as in your enterprise
  • *OR* use operational RightScripts to do it for you
  • *OR* use a partner ISV that specializes in that service

Page 13: Securing Sensitive Data in Your Hybrid Cloud

Hybrid/cross-cloud security concerns

• Cloud functionality differences
  • This is the biggest concern in a non-homogeneous environment
  • Security features differ in scope and implementation across basically all cloud orchestration technologies
  • Identity and Access Management features differ
  • Log levels and information differ
• Applying consistent builds throughout
  • Take the term “security group” and define what it means in each of the clouds you will use
  • How do you manage them consistently?
• Physical protections will differ from provider to provider
  • You will need to take this into consideration when choosing the controls to implement
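“Validate the configuration” on the Keep it Secure slide and “manage them consistently” here both come down to a check that runs the same way on every cloud and does not trust the image's defaults. The following is an added example, not a RightScript or any RightScale code: a Go program that parses an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, comments are ignored) and reports every option that deviates from a small hardening baseline. The baseline and both sample configs are constructed for the example; the “compromised credentials” risk from the earlier slide is why the baseline turns off password authentication and root login.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: an sshd_config as found on a stock image, before any
// hardening script has run. Not taken from the webinar.
const stockSSHDConfig = `
# package default
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
`

// Constructed sample: the same file after hardening. The duplicate keyword at
// the end is deliberate: sshd honours only the FIRST occurrence, so it is inert.
const hardenedSSHDConfig = `
Port 22
PermitRootLogin no
PasswordAuthentication=no
PermitEmptyPasswords no
X11Forwarding no
PasswordAuthentication yes
`

// policy maps each sshd keyword (lower-cased) to its accepted values. An assumed
// baseline for illustration; a real deployment derives it from its own standard.
var policy = map[string][]string{
	"permitrootlogin":        {"no"},
	"passwordauthentication": {"no"},
	"permitemptypasswords":   {"no"},
	"x11forwarding":          {"no"},
}

// parseSSHDConfig returns the effective value of every keyword, mirroring sshd:
// blank lines and comments are skipped, keywords are case-insensitive, the
// separator is whitespace or a single "=", and the first occurrence wins.
func parseSSHDConfig(text string) map[string]string {
	effective := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(strings.Replace(line, "=", " ", 1))
		if len(fields) < 2 {
			continue
		}
		key := strings.ToLower(fields[0])
		if _, seen := effective[key]; !seen {
			effective[key] = strings.ToLower(fields[1])
		}
	}
	return effective
}

// checkSSHDConfig returns one finding per policy entry the file violates, sorted
// for stable output. A keyword that is absent is a finding as well: the
// compiled-in default varies between OpenSSH versions and distributions, so a
// reproducible build pins the value explicitly.
func checkSSHDConfig(text string) []string {
	effective := parseSSHDConfig(text)
	var findings []string
	for key, allowed := range policy {
		want := strings.Join(allowed, "|")
		got, present := effective[key]
		if !present {
			findings = append(findings, fmt.Sprintf("%s: not set (default applies); want %s", key, want))
			continue
		}
		ok := false
		for _, a := range allowed {
			ok = ok || got == a
		}
		if !ok {
			findings = append(findings, fmt.Sprintf("%s: is %q; want %s", key, got, want))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	for _, c := range []struct{ name, text string }{{"stock", stockSSHDConfig}, {"hardened", hardenedSSHDConfig}} {
		findings := checkSSHDConfig(c.text)
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  ", f)
		}
	}
}
```

The duplicate PasswordAuthentication line in the hardened sample is there to make a point about the validator itself: a parser that kept the last value would both flag the hardened file wrongly and miss a “yes” inserted above the hardened line, so the check has to follow sshd's own first-wins rule. Absent keywords are reported because defaults move between releases (PermitRootLogin changed from yes to prohibit-password in OpenSSH 7.0). The parser does not understand Match blocks, which make the lines that follow them conditional; a file that uses them needs a validator that tracks that scope.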

Page 14: Securing Sensitive Data in Your Hybrid Cloud

RightScale: Real Customers, Real Deployments, Real Benefits

• Managed cloud deployments for 4 years, globally
• More than 45,000 users; launched more than 3 million servers
• Powering the largest production deployments on the cloud

Page 15: Securing Sensitive Data in Your Hybrid Cloud

What do we mean by Cloud Computing?

Page 16: Securing Sensitive Data in Your Hybrid Cloud

RightScale Manages IaaS Clouds

Page 17: Securing Sensitive Data in Your Hybrid Cloud


Complete Systems Management

Page 18: Securing Sensitive Data in Your Hybrid Cloud


Scalable Web Applications

Page 19: Securing Sensitive Data in Your Hybrid Cloud

ServerTemplates

• Dynamic configuration
• Abstract role and behavior from cloud infrastructure
• Predictable deployment
• Cloud agnostic / portable
• Object-oriented programming for sysadmins

Page 20: Securing Sensitive Data in Your Hybrid Cloud

Parenthesis: What are ServerTemplates?

Configuring servers through bundling images, one image per variant:
• Custom MySQL 5.0.24 (CentOS 5.2)
• Custom MySQL 5.0.24 (CentOS 5.4)
• MySQL 5.0.36 (CentOS 5.4)
• MySQL 5.0.36 (Ubuntu 8.10)
• MySQL 5.0.36 (Ubuntu 8.10) 64bit
• Frontend Apache 1.3 (Ubuntu 8.10)
• Frontend Apache 2.0 (Ubuntu 9.10) - patched
• CMS v1.0 (CentOS 5.4)
• CMS v1.1 (CentOS 5.4)
• My ASP appserver (Windows 2008)
• My ASP.net (Windows 2008) – security update 1
• My ASP.net (Windows 2008) – security update 8
• SharePoint v4 (Windows 2003) – 32bit
• SharePoint v4 (Windows 2003) – 64bit
• SharePoint v4.5 (Windows 2003) – 64bit

Configuring servers with ServerTemplates: a set of configuration directives that will install and configure software on top of a base image. The base images are very few and basic:
• CentOS 5.2
• CentOS 5.4
• Ubuntu 8.10
• Ubuntu 9.10
• Win 2003
• Win 2007

Page 21: Securing Sensitive Data in Your Hybrid Cloud

ServerTemplates vs. bundled images

• Integrated approach that puts together all the parts needed to architect single & multi-server deployments

Page 22: Securing Sensitive Data in Your Hybrid Cloud

What Are Cloud Security Concerns?

• Your data is mobile: has it moved?
• Who can see your information?
• Who is attaching to your volumes?
• Do you have visibility into who has accessed your data?

Page 23: Securing Sensitive Data in Your Hybrid Cloud

Trend Micro SecureCloud - How It Works

Page 24: Securing Sensitive Data in Your Hybrid Cloud


Policy-based Key Management in the Cloud

Page 25: Securing Sensitive Data in Your Hybrid Cloud

Working Together - ServerTemplates

• Dynamic configuration of environment
• Predictable deployment
• Identity and integrity checking of environment
• Data remains encrypted throughout the cloud
• Key management separate from cloud provider
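The three bullets that matter for data security are the last three: the key is released by something the cloud provider does not run, and only after checking who is asking and what it booted from. The following is an added example, not SecureCloud's code or protocol, of a minimal policy-based key server in Go: each volume has a policy (cloud, role, approved image hash), an instance presents its identity, and the key is released or refused with the reason written to an audit trail. The identity fields, the image-hash integrity check, the placeholder key and all instance IDs and image bytes are constructed assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// InstanceIdentity is what the agent on a running instance presents when it
// asks for a volume key. Assumed, simplified model of the identity/integrity
// check on the slide; it does not describe SecureCloud's actual protocol.
type InstanceIdentity struct {
	Cloud, Role, InstanceID string
	ImageHash               string // hex SHA-256 of the image the instance booted from
}

// VolumePolicy: every field must match before the volume's key is released.
type VolumePolicy struct {
	Cloud, Role   string
	ApprovedImage string // only an instance booted from this image may mount the volume
}

// KeyServer runs outside the cloud provider. It holds the volume keys and the
// policies, and records every decision, so "who accessed the data" is
// answerable without trusting the provider's logs.
type KeyServer struct {
	Keys     map[string][]byte
	Policies map[string]VolumePolicy
	Audit    []string
}

var ErrDenied = errors.New("key release denied by policy")

// RequestKey is the policy-based release: the key leaves the server only for an
// instance in the right cloud and role that booted from the approved image.
func (ks *KeyServer) RequestKey(volume string, id InstanceIdentity) ([]byte, error) {
	p, known := ks.Policies[volume]
	var reason string
	switch {
	case !known:
		reason = "unknown volume"
	case p.Cloud != id.Cloud || p.Role != id.Role:
		reason = "cloud/role mismatch"
	case p.ApprovedImage != id.ImageHash:
		reason = "image integrity check failed"
	}
	if reason != "" {
		ks.Audit = append(ks.Audit, fmt.Sprintf("DENY %s %s: %s", id.InstanceID, volume, reason))
		return nil, ErrDenied
	}
	ks.Audit = append(ks.Audit, fmt.Sprintf("ALLOW %s %s", id.InstanceID, volume))
	return ks.Keys[volume], nil
}

func imageHash(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// RunPolicyDemo builds a key server with one volume and makes three requests with
// constructed identities: the approved database server, the same role booted
// from a modified image, and a web server in the right cloud but the wrong role.
// It returns which requests got the key, plus the audit trail.
func RunPolicyDemo() (granted map[string]bool, audit []string) {
	goodImage := []byte("mysql-5.0 (CentOS 5.4) image bytes, constructed")
	ks := &KeyServer{
		// Placeholder 32-byte key for the example; a real server generates it randomly.
		Keys:     map[string][]byte{"vol-db-01": []byte("0123456789abcdef0123456789abcdef")},
		Policies: map[string]VolumePolicy{"vol-db-01": {Cloud: "aws", Role: "mysql", ApprovedImage: imageHash(goodImage)}},
	}
	requests := []InstanceIdentity{
		{Cloud: "aws", Role: "mysql", InstanceID: "i-0a1b2c", ImageHash: imageHash(goodImage)},
		{Cloud: "aws", Role: "mysql", InstanceID: "i-0dead0", ImageHash: imageHash([]byte(string(goodImage) + " + rootkit"))},
		{Cloud: "aws", Role: "web", InstanceID: "i-0f00ba", ImageHash: imageHash(goodImage)},
	}
	granted = map[string]bool{}
	for _, id := range requests {
		_, err := ks.RequestKey("vol-db-01", id)
		granted[id.InstanceID] = err == nil
	}
	return granted, ks.Audit
}

func main() {
	granted, audit := RunPolicyDemo()
	fmt.Println("granted:", granted)
	for _, line := range audit {
		fmt.Println(line)
	}
}
```

The Audit slice answers the question on the “What Are Cloud Security Concerns?” slide about who has accessed your data: every key release, granted or refused, is logged where the provider cannot edit it. In a real deployment the identity assertion would be signed or otherwise bound to the instance rather than self-declared as here, and the key would be returned wrapped for that instance instead of in the clear.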

Page 26: Securing Sensitive Data in Your Hybrid Cloud


SecureCloud Demo

Page 27: Securing Sensitive Data in Your Hybrid Cloud

Find Out More

• Web Resources:
  • TrendMicro.com/securecloud
  • RightScale.com/webinars
  • RightScale.com/whitepapers
• Blogs:
  • CloudSecurity.TrendMicro.com
  • Blog.RightScale.com
• Follow us on Twitter:
  • @daveasprey
  • @uribudnik
  • @sec_prof