Cloud Security is a Shared Responsibility
Allan MacPhee, Trend Micro
November 28, 2012
Agenda
• Security and the cloud
• Who is responsible for cloud security?
• How is security in the cloud different?
• Trend Micro securing your journey to the cloud
• Best practices & recommendations
Cloud customer adoption survey …
Source: Ponemon – Security of cloud computing providers
10 / 11 concerns raised were related to security
Data protection was the #1 concern
What customers tell us …
• Data sovereignty – Concerns over ownership of data
• Who owns the data? Customer, provider, government?
• Data privacy concerns > other tenants, attacks against my data …
– Will my data leave the country?
– If I terminate a cloud server, do copies of my data still exist in the cloud?
– US Patriot Act
• Could USA law enforcement gain access to my systems and data?
What customers tell us …
• Multi-tenancy Concerns – Risk of configuration errors leading to data exposure
– How can I protect my cloud servers from attack?
– Will I even know my cloud servers are being attacked?
• Compliance – How can I use the cloud and still meet internal and external compliance requirements?
– Who is responsible for cloud security?
Who is responsible for cloud security?
Source: Ponemon – Security of cloud computing providers
So what is your CSP responsible for?
• CSP responsibilities
1. Physical security
2. Personnel security
3. Infrastructure security
4. Operational security
• Certification of the service offering
x SAS 70/SSAE 16 Type 1 SOC 1
SSAE 16 Type 2 SOC 1
PCI DSS Service Provider certification
Why AWS is a good choice …
Certifications
– Publishes a Service Organization Controls 1 (SOC 1), Type 2 report
– Registered with CSA Security, Trust & Assurance Registry (STAR)
– Level 1 validated service provider under the PCI DSS
Service
– EC2, VPC, dedicated instances and GovCloud offerings
– Advanced authentication services: MFA, IAM roles, roles for EC2
– Allows penetration tests per PCI DSS v2.0 requirements
As a customer, what are my responsibilities?
• Protect instances from being compromised
– Security principles don’t change
Cloud Servers require protection
The Need | Preferred Security Control
Block OS & App vulnerability exploits | Patching & vulnerability shielding
Block malicious software | Anti-malware
Control server communication | Firewall & Web Reputation Services
Detect suspicious network traffic | IDS/IPS Deep Packet Inspection
Detect unauthorized system changes | Integrity Monitoring
Data confidentiality | Encryption
• How security works in the cloud is drastically different!
Instance Location
Challenge:
• Understanding where servers are running
• How to verify that a server attempting to access sensitive data is one you own and trust
Security requirement:
• Awareness that servers are running in the cloud for starters!
• Confirm the identity & location of servers running in the cloud
• Detect and block access from rogue servers
• Apply the appropriate security controls based upon location
Scale & Automation
Challenge:
• Cloud applications dynamically scale up & down as capacity requirements change
Security requirement:
• Automate protection of new instances without requiring administrative actions
• Gracefully deal with instances that have been terminated, avoid “orphaned servers”
• Integrate and support cloud management tools such as RightScale, Chef, Puppet, etc.
Cloud Compatibility
Challenge:
• Supporting large-scale, distributed and even distinct cloud environments or vendors
Security requirement:
• Security that is intelligent and flexible enough to deal with
– Multiple environments & AWS regions / AZs
– Non-persistent IP addresses & host names
– Firewall routing, VPCs, private/public IPs, ELBs, etc.
– Storage options: ephemeral, EBS, AWS storage gateways, S3, RDS
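An added example, not part of the original slides or of any Trend Micro product: a reconciliation of cloud inventory against a protected-host list, covering the Instance Location, Scale & Automation and Cloud Compatibility requirements above. The record shapes, field names and sample data are assumptions constructed for illustration.

```python
# Added example: all records below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Instance:          # one row of the cloud provider's inventory
    instance_id: str
    state: str           # "running", "stopped" or "terminated"
    private_ip: str

@dataclass(frozen=True)
class AgentRecord:       # one row of the security manager's protected-host list
    instance_id: str
    last_ip: str

def reconcile(inventory, agents, access_attempts):
    """Compare cloud inventory with protected hosts, keyed on instance ID.

    IPs are not used as identity because they are reassigned when instances
    are replaced; they are only resolved against *live* inventory.
    """
    live = {i.instance_id: i for i in inventory if i.state != "terminated"}
    protected = {a.instance_id for a in agents}
    ip_owner = {i.private_ip: i.instance_id for i in live.values()}
    return {
        # running in the cloud but no agent record: needs automatic enrolment
        "unprotected": sorted(set(live) - protected),
        # agent record whose instance is gone: an "orphaned server" entry
        "orphaned": sorted(protected - set(live)),
        # source IPs touching sensitive data that map to no live instance
        "rogue": sorted(ip for ip in access_attempts if ip not in ip_owner),
        # stale agent IPs now held by a different instance (IP reuse)
        "ip_reused": sorted(a.instance_id for a in agents
                            if ip_owner.get(a.last_ip, a.instance_id) != a.instance_id),
    }

INVENTORY = [
    Instance("i-aaa", "running", "10.0.1.10"),
    Instance("i-bbb", "terminated", "10.0.1.11"),
    Instance("i-ccc", "running", "10.0.1.11"),   # scaled up, reuses i-bbb's IP
]
AGENTS = [AgentRecord("i-aaa", "10.0.1.10"), AgentRecord("i-bbb", "10.0.1.11")]
ACCESS_ATTEMPTS = ["10.0.1.10", "10.0.1.11", "10.0.9.99"]

if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY, AGENTS, ACCESS_ATTEMPTS).items():
        print(f"{finding}: {items}")
```

Matching on IP alone would treat the new instance i-ccc as the already-protected i-bbb; keying on instance ID reports it as unprotected and the old record as orphaned.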
Trend Micro Global 500 Penetration
Trend Micro protects 100% of the top 10 automotive companies.
Trend Micro protects 96% of the top 50 global corporations.
Trend Micro protects 100% of the top 10 telecom companies.
Trend Micro protects 80% of the top 10 banks.
Trend Micro protects 90% of the top 10 oil companies.
In calculating the above data, the percentage use of Trend Micro products includes usage by parent companies and/or usage by any of their subsidiaries of any Trend Micro product or service.
Source: http://money.cnn.com/magazines/fortune/global500/2011/index.html
• 48 of the top 50 Global Corporations
• 10 of the top 10 Automotive companies
• 10 of the top 10 Telecom companies
• 8 of the top 10 Banks
• 9 of the top 10 Oil companies
Trust Trend Micro security solutions*
Securing the cloud with Trend Micro
Confidential | Copyright 2012 Trend Micro Inc.
Optimized for AWS
• AWS Inventory synchronization
• Multi-tenant support
• AWS cloud encryption
• RightScale, Chef, Puppet automation scripts
• Location awareness
• Support compliance requirements (PCI, HIPAA)
Deep Security Demo
Best Practices & Recommendations
Be proactive & create a cloud plan
• Interview LOBs to understand their needs and expectations
• Identify services / application cloud candidates
• Plan for the worst case
• Think of security as an enabler
• Don’t say No, say how?
Thank You
Questions?