Steve Porter: Cloud Computing Security
DESCRIPTION
A recording of the Northwest Regional meeting of the Institute of Information Security Professionals in Manchester on 5th July 2012. Stephen Porter of Trend Micro Limited spoke on the theme of cloud computing security. Copyright of this presentation is held by the author, Stephen Porter.
TRANSCRIPT
Securing Your Journey to the Cloud
Trend Micro, Stephen Porter, Alliance BDM
Data Center Evolution: Physical. Virtual. Cloud.
Control vs Responsibility?
[Figure: % enterprise responsibility plotted across the deployment models: Servers; Virtualization & Private Cloud; Public Cloud PaaS; Public Cloud IaaS; Public Cloud SaaS. The difference between what the enterprise still controls and what it remains responsible for is the control gap.]
Amazon Web Services™ Customer Agreement
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
http://aws.amazon.com/agreement/#7 (3 March 2010)
The cloud customer has responsibility for security and needs to plan for protection.
A New Model for Security – Securing the Computing Chain
All environments should be considered un-trusted.
[Figure: the computing chain]
• Users access the app
• Host defends itself from attack
• Image ensures data is always encrypted and managed
• Encrypted data
• Encryption keys only controlled by you
When this whole chain is secure, components can move (DC1, LAN 1 to Cloud 1, LAN 2; Cloud, LAN 1 to DC2, LAN 2) and the data moves with them:
• Virtual "neighbours" don't matter
• Location doesn't matter
• Service provider "lock" goes away
• Shared storage ROI goes up
Outside-in Perimeter Defense Isn't Enough…
[Figure: Re-Perimeterization, driven by Advanced Targeted Threats, Empowered Employees, and Virtualization, Cloud, Consumerization & Mobility]
Source: Forrester
Reduce Noise
"The report of my death is an exaggeration." Mark Twain, New York Journal, June 2, 1897
Stopping stuff on the outside from getting inside allows a focus on events on the inside that would otherwise be impossible.
APT and Targeted Attack Profile
Key Characteristics
Social
• Spear phishing
• Drive-by downloads
• Zero-day malware
Stealthy
• Low profile
• Masked activities
• Requires specialized detection
Sophisticated
• Exploits vulnerabilities
• Remote control and backdoor
• Uses credentials & privileges
Deep Discovery: Key Technologies
• Deep content inspection across hundreds of protocols & applications
• Smart Protection Network reputation and dynamic black listing
• Sandbox simulation and analysis
• Communication fingerprinting
• Multi-level rule-based event correlation
• And more… driven by Trend Micro threat researchers and billions of daily events
Specialized Threat Detection Across the Attack Sequence
Malicious Content
• Emails containing embedded document exploits
• Drive-by downloads
• Zero-day and known malware
Suspect Communication
• C&C communication for any type of malware & bots
• Backdoor activity by attacker
Attack Behavior
• Malware activity: propagation, downloading, spamming . . .
• Attacker activity: scan, brute force, service exploitation . . .
• Data exfiltration communication
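The three stages above (malicious content, suspect communication, attack behavior) only become a high-confidence signal when they are correlated per host, which is what "multi-level rule-based event correlation" means in practice. The following is an added example in Python, not Deep Discovery's code and not from the page: it runs simple stage rules over a constructed log (the hosts, addresses, field names and thresholds are all illustrative assumptions) and reports hosts that appear in several stages of the sequence.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the page). Workstation ws17 walks the whole
# attack sequence; ws03 is ordinary browsing noise that must not alert.
SAMPLE_LOG = """\
2012-07-05T09:01:10 mailgw rcpt_host=ws17 attach=invoice.pdf verdict=exploit
2012-07-05T09:03:42 proxy host=ws17 dst=203.0.113.9:443 bytes=612
2012-07-05T09:05:00 proxy host=ws03 dst=198.51.100.7:80 bytes=3021
2012-07-05T09:13:41 proxy host=ws17 dst=203.0.113.9:443 bytes=604
2012-07-05T09:23:40 proxy host=ws17 dst=203.0.113.9:443 bytes=611
2012-07-05T09:33:43 proxy host=ws17 dst=203.0.113.9:443 bytes=598
2012-07-05T09:40:01 ids host=ws17 sig=ssh-brute-force target=10.0.5.20
2012-07-05T09:41:15 ids host=ws17 sig=portscan targets=254
2012-07-05T10:02:09 proxy host=ws17 dst=203.0.113.9:443 bytes=52428800
2012-07-05T10:10:00 proxy host=ws03 dst=198.51.100.7:80 bytes=1200
"""

# Illustrative IDS signature names (assumption) for the "attacker activity" stage.
ATTACK_SIGS = {"ssh-brute-force", "portscan", "service-exploit"}


def parse_line(line):
    """'timestamp source k=v k=v ...' -> dict, or None for a line that does not fit."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ev = {"ts": datetime.fromisoformat(parts[0]), "source": parts[1]}
    except ValueError:
        return None
    for kv in parts[2:]:
        k, _, v = kv.partition("=")
        ev[k] = v
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def content_stage(events):
    """Malicious content: mail gateway verdict on an attachment (exploit, malware, ...)."""
    return {ev["rcpt_host"] for ev in events
            if ev["source"] == "mailgw" and ev.get("verdict", "clean") != "clean"}


def beacon_stage(events, min_hits=3, max_bytes=4096, max_jitter=0.2):
    """Suspect communication: >= min_hits small connections from one host to one
    destination at near-regular intervals (jitter <= 20% of the mean gap) = beaconing."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["source"] == "proxy" and int(ev["bytes"]) <= max_bytes:
            by_pair[(ev["host"], ev["dst"])].append(ev["ts"])
    c2 = defaultdict(set)  # host -> destinations it beacons to
    for (host, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            c2[host].add(dst)
    return c2


def behaviour_stage(events):
    """Attack behaviour: IDS signatures for scanning, brute force, service exploitation."""
    return {ev["host"] for ev in events
            if ev["source"] == "ids" and ev.get("sig") in ATTACK_SIGS}


def exfil_stage(events, c2, min_bytes=10 * 1024 * 1024):
    """Exfiltration: a large upload to a destination already identified as C&C."""
    return {ev["host"] for ev in events
            if ev["source"] == "proxy" and int(ev["bytes"]) >= min_bytes
            and ev["dst"] in c2.get(ev["host"], set())}


def correlate(text):
    """Multi-level correlation: {host: set of attack-sequence stages it was seen in}."""
    events = parse_log(text)
    c2 = beacon_stage(events)
    stages = defaultdict(set)
    for host in content_stage(events):
        stages[host].add("content")
    for host in c2:
        stages[host].add("c2")
    for host in behaviour_stage(events):
        stages[host].add("behaviour")
    for host in exfil_stage(events, c2):
        stages[host].add("exfil")
    return dict(stages)


def alerts(text, min_stages=3):
    """Hosts seen in at least min_stages distinct stages; a lone stage stays on the watch list."""
    return sorted(h for h, s in correlate(text).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for host, seen in correlate(SAMPLE_LOG).items():
        print(host, sorted(seen))
    print("alerts:", alerts(SAMPLE_LOG))
```

Each rule on its own is noisy (a single large upload or a single brute-force signature is routine); requiring a host to appear in three of the four stages is what reduces false positives. A production rule set would also bound the correlation window in time and feed reputation and sandbox verdicts in as additional stages.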
[Figure: Deep Discovery pipeline. Input: out-of-band network data feed of all network traffic. Real-Time Inspection (detect malicious content and communication) -> Deep Analysis (analyze, correlate, simulate; identify attack behavior & reduce false positives) -> Actionable Intelligence (ThreatConnect, watch list, geo-plotting, alerts, reports, evidence gathering). Visibility: real-time dashboards. Insight: risk-based analysis. Action: remediation intelligence.]
PLATFORM-SPECIFIC SECURITY RISKS
Physical – Manageability: glut of security products, less security, higher TCO. Goal: Reduce Complexity.
Virtual – Performance & Threats: traditional security degrades performance; new VM-based threats. Goal: Increase Efficiency.
Cloud – Visibility & Threats: less visibility; more external risks. Goal: Deliver Agility.
One Security Model is Possible across Physical, Virtual, and Cloud Environments
Integrated Security: Single Management Console
REDUCE COMPLEXITY: Consolidate Physical Security
One Server Security Platform (software agent based solution)
• Firewall
• HIPS / Virtual Patching
• Web Application Protection
• Antivirus
• Integrity Monitoring
• Log Inspection
• Advanced Reporting Module
• Single Management Console
INCREASE EFFICIENCY: Server and Desktop Virtualization Security
VIRTUALIZATION SECURITY – Challenge: Complexity of Management
VM sprawl inhibits compliance: patching agents, rollout patterns, provisioning new VMs, reconfiguring agents, cloned VMs.
VIRTUALIZATION SECURITY – Challenge: Instant-on Gaps
Dormant -> Active -> Reactivated without up-to-date security. Reactivated and cloned VMs can carry out-of-date security (definitions and agent configuration frozen at the moment they were suspended or cloned) the instant they are back on the network.
VIRTUALIZATION SECURITY – Challenge: Dynamic Movement (Load Balancing or vMotion)
VMs moving between hosts can require manual intervention and introduce risk.
VIRTUALIZATION SECURITY – Challenge: Resource Contention
Typical security console schedule: 09:00 virus definition updates, 03:00 integrity scan, pushed to every VM on the host at the same moment: a "configuration storm". Automatic security scans that start simultaneously on every VM overburden the host.
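The instant-on gap and the scan storm are both scheduling problems on the management console side. The following is an added example in Python, not Deep Security code and not from the page, showing two checks a console integrated with the hypervisor can apply: an admission gate that isolates a reactivated or cloned VM whose definitions are older than a threshold, and a deterministic stagger that spreads a scheduled task across the VMs on a host. The inventory, timestamps, threshold and window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Definition version the console currently holds, and how stale a VM may be
# before it is isolated. Values are illustrative assumptions.
CURRENT_DEFS = datetime(2012, 7, 5, 9, 0)
MAX_DEF_AGE = timedelta(hours=24)

# Constructed inventory for one host (not from the page):
# (vm name, lifecycle state, definition timestamp inside the VM)
INVENTORY = [
    ("web01",       "running",     datetime(2012, 7, 5, 9, 0)),
    ("db02",        "running",     datetime(2012, 7, 5, 9, 0)),
    ("batch03",     "running",     datetime(2012, 7, 4, 21, 0)),
    ("app07",       "reactivated", datetime(2012, 5, 2, 9, 0)),   # dormant two months
    ("app07-clone", "cloned",      datetime(2012, 5, 2, 9, 0)),   # inherits the stale state
]


def admission(vm, now=CURRENT_DEFS, max_age=MAX_DEF_AGE):
    """Power-on / clone gate: ('allow' | 'isolate', reason).
    'isolate' means the VM's firewall rule set permits only the update server
    until definitions and agent configuration are refreshed."""
    name, state, defs = vm
    age = now - defs
    if age > max_age:
        return "isolate", f"{name} ({state}): definitions {age.days}d old"
    return "allow", f"{name} ({state}): definitions current"


def isolated(inventory, now=CURRENT_DEFS):
    """Names of VMs that must be held off the network until refreshed."""
    return sorted(vm[0] for vm in inventory if admission(vm, now)[0] == "isolate")


def stagger(vm_names, base, window=timedelta(hours=2)):
    """Spread a scheduled task (definition update, integrity scan) evenly across
    `window` instead of firing it on every VM at `base`."""
    names = sorted(vm_names)
    step = window / max(len(names), 1)
    return {name: base + i * step for i, name in enumerate(names)}


def max_concurrent(schedule, task_duration=timedelta(minutes=20)):
    """Peak number of VMs running the task at the same time under `schedule`."""
    starts = sorted(schedule.values())
    return max(sum(1 for s in starts if s <= t < s + task_duration) for t in starts)


if __name__ == "__main__":
    for vm in INVENTORY:
        print(*admission(vm))
    base = datetime(2012, 7, 5, 9, 0)
    storm = {vm[0]: base for vm in INVENTORY}
    spread = stagger([vm[0] for vm in INVENTORY], base)
    print("concurrent scans, everything at 09:00:", max_concurrent(storm))
    print("concurrent scans, staggered:", max_concurrent(spread))
```

The gate keys on the VM's own definition timestamp rather than on its lifecycle state, so a clone of a stale VM is caught even though it was "created" a moment ago; the stagger is deterministic so the same VM gets the same slot every day, which keeps change windows predictable.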
Securing the Private Cloud End to End: from the Edge to the Endpoint
VMware vSphere + vCenter, managed through VMware vShield Manager:
• vShield Edge: secure the edge of the virtual datacenter
• vShield App and Zones: application protection from network-based threats; security zones (for example a DMZ, a PCI-compliant zone, a GPG13-compliant zone) spanning Virtual Datacenter 1 and Virtual Datacenter 2
• vShield Endpoint: the endpoint is the VM; enables offloaded security (FIM, anti-virus, IDS/IPS …)
VIRTUALIZATION SECURITY – Fitting into the VMware Ecosystem
Trend Micro Deep Security integrates with vCenter and runs as a Security Virtual Machine in the vSphere virtual environment:
• Agentless via vShield Endpoint: Antivirus, Integrity Monitoring
• Agentless via other VMware APIs: IDS / IPS, Web Application Protection, Application Control, Firewall
• Agent-based: Log Inspection
VIRTUALIZATION SECURITY – Secure the lifecycle of the VM
Lifecycle events reported by vCenter, each with the relevant Deep Security controls (FIM, DPI, Firewall, AV) applied and a Recommendation Scan run:
• Moving VMs
• Restarted VM
• Self-service new VMs
• Reconfiguring VM / clones
Jan 2011 results of testing conducted by AV-Test.org. Threats prevented at each layer (of total threats that reached that layer), average of all enterprise products:
Exposure layer:   200 threats reached it, 33% prevented (65 / 200), 135 threats remain
Infection layer:  135 threats reached it, 53% prevented (72 / 135), 65 threats remain
Dynamic layer:    65 threats reached it, 19% prevented (12 / 65), 51 threats remain
End-to-end: 75% (149 of 200), average of all enterprise products
97% of threats blocked at the first layer of defense (Trend Micro)

Per-vendor results, threats prevented at each layer (of those that reached it):
Layer            Trend Micro        Microsoft          Sophos             McAfee             Symantec
Exposure layer   97% (194 of 200)   2% (3 of 200)      63% (126 of 200)   1% (2 of 200)      0% (0 of 200)
Infection layer  67% (4 of 6)       68% (134 of 197)   19% (14 of 74)     50% (99 of 198)    54% (108 of 200)
Dynamic layer    100% (2 of 2)      6% (4 of 63)       23% (14 of 60)     25% (25 of 99)     16% (15 of 92)
All layers       100% (200 of 200)  71% (141 of 200)   77% (154 of 200)   63% (126 of 200)   62% (123 of 200)
Integrated Management – vCenter
Deep Security 8.0 VM lifecycle, driven from vCenter:
• Creation
• Configuration
• Deployment
• Dynamic update
• vMotion
• Restart

VIRTUALIZATION SECURITY – Increased ROI with Deep Security. Example: Agentless Antivirus
[Chart: VM servers per host. Traditional AV: 25. Agentless AV: 75.]
3X higher VDI VM consolidation ratios
3-year savings on 1000 VDI VMs = $539,600
Sources: Tolly Enterprises Test Report, Trend Micro Deep Security vs. McAfee and Symantec, February 2011; saving estimate based on VMware ROI calculations
DELIVER AGILITY – Cloud Deployments and Security
Protect my data: Inside-out Security
DATA: INSIDE-OUT SECURITY
• Smart, context-aware, self-secured workload with local threat intelligence
• When: timeline aware
• Who: identity aware
• Where: location aware
• What: content aware
• User-defined access policies
• Encryption
CLOUD SECURITY – Challenge: Data Destruction
When data is moved, unsecured data remnants can remain. [Figure: "Sensitive Research Results" drawn as bit strings; after the move, fragments of the original are still present on the old storage.]
CLOUD SECURITY – Data Security: Encryption with Policy-based Key Management
• Unreadable for unauthorized users
• Control of when and where data is accessed
• Server validation
• Custody of keys
Server & App Security: Modular Protection
• Self-defending VM security
• Agentless and agent-based
• One management portal for all modules, all deployments
vSphere & vCloud integration ensures servers have up-to-date security before encryption keys are released.
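The computing chain described earlier (host defends itself, data always encrypted, keys only controlled by you), the when/who/where/what policies of inside-out security, and the rule that servers must validate as up to date before keys are released all come together in one mechanism: a customer-held key service that releases a volume key only when every policy clause is met. The following is an added example in Python, not SecureCloud or Deep Security code and not from the page. The key service, its policy fields, the posture claim (standing in for what the server-security platform would report about the requesting VM) and the SHA-256 counter-mode toy cipher (standing in for real volume encryption such as AES-XTS) are all assumptions; "Sensitive Research Results" is the sample data from the slide. Destroying the key at the end also shows the answer to the data-remnant problem: remnants of ciphertext are unreadable once the key is gone.

```python
import hashlib
import os
from datetime import datetime


# Toy volume cipher: SHA-256 counter-mode keystream. It shows that ciphertext is
# unreadable without the key; a real disk would use AES-XTS, not this.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_volume(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt_volume(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class KeyService:
    """Customer-held key custody (assumed design). A volume key is released only
    when the requesting server satisfies every clause of the volume's policy:
    who (identity), where (location), when (timeline) and security posture."""

    def __init__(self):
        self._keys = {}
        self._policies = {}

    def register(self, volume_id, key, policy):
        self._keys[volume_id] = key
        self._policies[volume_id] = policy

    def request_key(self, volume_id, claim):
        if volume_id not in self._keys:
            raise PermissionError("key destroyed or unknown volume")
        pol, posture = self._policies[volume_id], claim["posture"]
        checks = {
            "identity": claim["server_id"] in pol["servers"],
            "location": claim["location"] in pol["locations"],
            "timeline": pol["not_before"] <= claim["time"] <= pol["not_after"],
            # server validation: the security platform reports current defs, clean FIM, IPS on
            "posture": (posture["av_defs_age_hours"] <= pol["max_defs_age_hours"]
                        and posture["fim_clean"] and posture["ips_enabled"]),
        }
        failed = sorted(name for name, ok in checks.items() if not ok)
        if failed:
            raise PermissionError("denied: " + ", ".join(failed))
        return self._keys[volume_id]

    def destroy(self, volume_id):
        """Crypto-shredding: once the key is gone, any remnant ciphertext is unreadable."""
        self._keys.pop(volume_id, None)


def run_scenarios():
    """Walk the policy through a good request, three policy failures and key destruction."""
    ks = KeyService()
    key = os.urandom(32)
    ks.register("research-vol", key, {
        "servers": {"research-srv-01"},
        "locations": {"dc1", "private-cloud"},
        "not_before": datetime(2012, 7, 5, 8, 0),
        "not_after": datetime(2012, 7, 5, 20, 0),
        "max_defs_age_hours": 24,
    })
    blob = encrypt_volume(key, b"Sensitive Research Results")
    good = {"server_id": "research-srv-01", "location": "private-cloud",
            "time": datetime(2012, 7, 5, 10, 0),
            "posture": {"av_defs_age_hours": 2, "fim_clean": True, "ips_enabled": True}}
    results = {"good": decrypt_volume(ks.request_key("research-vol", good), blob)}
    variants = {
        "wrong_location": {"location": "public-cloud-eu"},
        "after_hours": {"time": datetime(2012, 7, 6, 2, 0)},
        "stale_av": {"posture": {**good["posture"], "av_defs_age_hours": 400}},
    }
    for label, change in variants.items():
        try:
            ks.request_key("research-vol", {**good, **change})
            results[label] = "released"
        except PermissionError as err:
            results[label] = str(err)
    ks.destroy("research-vol")
    try:
        ks.request_key("research-vol", good)
        results["after_destroy"] = "released"
    except PermissionError as err:
        results["after_destroy"] = str(err)
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label:15} {outcome}")
```

The point to take from the scenarios is that the same server, with the same identity, is refused the key when it boots in an unapproved location or with stale definitions: the encryption does nothing on its own, the policy at key-release time is what enforces the chain.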
CLOUD SECURITY – What is the Solution? Data Protection
[Figure: Trend Micro SecureCloud. An Enterprise Key held in the Key Service Console releases keys to VMs running on VMware vSphere and VMware vCloud across the Data Center, Private Cloud and Public Cloud.]
Encryption throughout your cloud journey: data protection for virtual & cloud environments.
CLOUD SECURITY – Fitting Encryption into a VMware Ecosystem: Deep Security / SecureCloud Example
[Figure: Customer 1 and Customer 2 Unix/Windows server VMs on VMware vSphere ESX, with encrypted volumes on SAN, NAS or a cloud service; a Policy Server and a Key Service govern key release.]
TREND MICRO DEEP SECURITY – Specialized Protection for Physical, Virtual, and Cloud
• Only fully integrated server security platform
• First hypervisor-integrated agentless antivirus
• First agentless file integrity monitoring (FIM)
• Only solution in its category to be EAL4+ and FIPS certified
• Only solution to offer agentless: antivirus, integrity monitoring, intrusion detection & prevention, web application protection, firewall
TREND MICRO: VMWARE'S NUMBER 1 SECURITY PARTNER – 2011 Technology Alliance Partner of the Year
• Improves security by providing the most secure virtualization infrastructure, with APIs and certification programs (VMware)
• Improves virtualization by providing security solutions architected to fully exploit the VMware platform (Trend Micro)
[Timeline]
2008: Feb: join VMsafe program. RSA: Trend Micro VMsafe demo, announces coordinated approach & virtual pricing.
2009: RSA: Trend Micro announces virtual appliance. May: Trend acquires Third Brigade. July: CPVM GA. Nov: Deep Security 7 with virtual appliance.
2010: RSA: Trend Micro demos agentless. Q4: joined EPSEC vShield program. VMworld: announce Deep Security 7.5; sale of DS 7.5 before GA. Dec: Deep Security 7.5 with agentless antivirus. >100 customers, >$1M revenue.
2011: RSA: other vendors "announce" agentless. VMworld: announce Deep Security 8 with agentless FIM; Trend virtsec customer case study, webinar, video. 1000 agentless customers.