© 2016 Nokia
Security in Cloud Environments
Security Product Manager
Joern Mewes ([email protected])
16-11-2016
Steps into the cloud: cloud transformation happens in phases and will take 5+ years
[Figure: timeline with three phases. Now: carrier-grade clouds, typically in silos following operator units. 2016+: distributing and connecting across the datacenter architecture. 2020+: logically integrated cloud infrastructure, cloud-scaled and optimized network services. Domains shown: Radio, Network Cloud, Operator IT (OSS/BSS) and IT & enterprise cloud, converging into a "Telco Cloud" that is secure, five 9's, low latency, colossal data. Source: IDC, Nokia analysis]
Cloud security is ... different: nightmare or next hope?
Vivek Kundra, Executive Vice President, Industries, Salesforce.com: "Cloud computing is ... far more secure than traditional computing, because (cloud) companies ... can attract and retain cyber-security personnel of a higher quality than many governmental agencies."
John Chambers, former CEO of Cisco: "You'll have no idea what's in the ... data center. ... That is exciting to me as a network player ... But it is a security nightmare and it can't be handled in traditional ways."
Top 3 security risks in cloud environments
• Virtualization weakness: how to preserve isolation?
• Dynamicity and site motion: how to cope with constant and automated changes?
• Trust gap: how to guarantee trust and integrity?
Analysts predict it will get much worse...
The vulnerabilities are there. It will happen, it’s just a matter of time – hackers are quite aware that a successful attack at hypervisor layer represents an opportunity to penetrate the entire machine regardless of the security controls within each host.
Beyond application sandboxing, McAfee Labs predicts that 2015 will bring malware that can successfully exploit hypervisor vulnerabilities to break out of some security vendors' standalone sandbox systems. (McAfee Labs Report 2015)
Business agility requires rethinking how security is implemented
• Systems and services are launched and retired faster than security teams can identify, analyze and track them
• Physical boundaries between trusted and untrusted security domains no longer exist
• Security policies are enforced primarily by manual configuration and by audits and processes executed by hand
• "Classical" perimeter security systems in front of the cloud:
– Lack topology and network information about the cloud
– Cannot cope with the scaling requirements of the cloud
– Do not see inter-VM traffic
– Are usually not integrated into the cloud orchestration processes
Data and software integrity protection
[Figure: Radio Cloud (BSC), Core Cloud (MME, GW, HLR, IMS) and OSS Cloud interconnected over SDN networks]
Data protection:
• Cloud providers are seen as being responsible for data protection and privacy
• Shared data layer / block storage systems need to consider service-specific requirements for data privacy
• The number of open interfaces for data exchange increases significantly
• Autonomous VNF/service inter-communication requires a new way to authenticate and authorize data access
Software integrity protection:
• Software integrity takes on greater significance
• Software integrity comprises the whole lifecycle of virtualized applications, which can be roughly divided into the supply chain, the boot/launch and the runtime phase
• Software integrity must be maintained across different operating systems, software versions and patch levels
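An added example (not from the Nokia deck) of what a launch-time integrity check over those three phases looks like: the supply chain ships a manifest listing the SHA-256 digest of every file in the VNF image, the manifest itself is authenticated with an HMAC-SHA256 tag under a key provisioned to the launcher out of band (a stand-in for a vendor signature; a production deployment would use an asymmetric signature), and the same check can be re-run at runtime to detect drift. The file names, image bytes and key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample: a two-file VNF image and the key the launcher was provisioned with.
IMAGE_FILES = {
    "vfw-1.2.0.qcow2": b"\x00QCOW-image-bytes-of-the-firewall-vnf\x00",
    "vfw-1.2.0.config.yaml": b"interfaces: [mgmt, data]\nlog_level: info\n",
}
PROVISIONING_KEY = b"example-provisioning-key-do-not-reuse"  # constructed, out-of-band key


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Supply-chain side: record every file's digest and tag the sorted list."""
    entries = {name: digest(data) for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """Recompute the tag over the file list; constant-time compare against the shipped tag."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def verify_launch(manifest: dict, files: dict, key: bytes) -> list:
    """Boot/launch (and runtime re-check): returns findings; an empty list means cleared."""
    if not verify_manifest(manifest, key):
        # A forged or edited manifest must not be trusted for anything else.
        return ["manifest tag invalid: refuse to launch"]
    findings = []
    for name, expected in manifest["files"].items():
        if name not in files:
            findings.append(f"{name}: listed in manifest but missing from image")
        elif digest(files[name]) != expected:
            findings.append(f"{name}: digest mismatch")
    for name in files:
        if name not in manifest["files"]:
            # Extra files are as suspicious as modified ones (dropped-in binaries).
            findings.append(f"{name}: present in image but not in manifest")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(IMAGE_FILES, PROVISIONING_KEY)
    print("clean image:", verify_launch(manifest, IMAGE_FILES, PROVISIONING_KEY))
    tampered = dict(IMAGE_FILES, **{"vfw-1.2.0.config.yaml": b"log_level: debug\n"})
    print("tampered config:", verify_launch(manifest, tampered, PROVISIONING_KEY))
```

Because the manifest tag covers the file list, an attacker who edits the config and then updates its digest in the manifest still fails the first check; the runtime phase is covered by calling verify_launch periodically against the files as they sit on disk.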
Cloud security is a layered approach
[Figure: NFV stack with the security layers overlaid. Stack: VNFs (IMS, GW, HLR, MME, OneNDS) managed by a VNF Manager; Virtual Infrastructure Manager (VMware, OpenStack) on top of the hypervisor; infrastructure (compute, storage, networking) with Software Defined Networking (SDN); application/network management, deployment & monitoring (CAM*, FCAPS) with the Cloud Orchestrator and OSS/BSS at the top. Security layers, top to bottom: security orchestration & lifecycle management (Cloud Security Director, integrated with the Cloud Orchestrator and OSS/BSS); Security Element Manager: security configuration & administration; cloud-aware firewall (vFW): enforcement points & VNF security functions; secure virtualized infrastructure / hypervisor hardening; physical security functions & SDN security functions]
Security Orchestration: automate security processes within your cloud
Agility & Automation
VNF and Hypervisor Hardening
Dynamic Security Policies
Security baseline checking and compliance management
Trust Engine for Cloud
Security Incident Monitoring
Threat response
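An added example (not Nokia's code) of automated security baseline checking as an orchestration step: the checker walks OpenStack Neutron-style security groups (field names follow Neutron's security-group-rule schema: direction, ethertype, protocol, port_range_min/max, remote_ip_prefix, remote_group_id) and reports ingress rules that violate a baseline. The baseline itself (which ports may be public, which are management ports, which subnet is the management network) and the sample groups are constructed for the example.

```python
import ipaddress

# Constructed baseline for this example; a real deployment derives this from its own policy.
ALLOWED_PUBLIC = {("tcp", 443)}                           # may be reachable from anywhere
MANAGEMENT = {("tcp", 22), ("tcp", 830)}                  # SSH, NETCONF
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # constructed management subnet


def _remote_net(rule):
    """Neutron leaves remote_ip_prefix empty to mean 'any source' of the rule's ethertype."""
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:
        prefix = "::/0" if rule.get("ethertype") == "IPv6" else "0.0.0.0/0"
    return ipaddress.ip_network(prefix)


def _ports(rule):
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    return None if lo is None or hi is None else range(lo, hi + 1)


def check_rule(rule):
    """Return the baseline findings (strings) for one security-group rule."""
    findings = []
    # Egress and tenant-internal (remote_group_id) rules pass this baseline untouched.
    if rule.get("direction") != "ingress" or rule.get("remote_group_id"):
        return findings
    rid, proto, net = rule["id"], rule.get("protocol"), _remote_net(rule)
    world = net.prefixlen == 0
    if proto is None:
        findings.append(f"{rid}: all protocols open from {net}")
        return findings
    ports = _ports(rule)
    if ports is None:
        if proto in ("tcp", "udp"):
            findings.append(f"{rid}: whole {proto} port range open from {net}")
        return findings  # e.g. icmp without ports: accepted here
    port_set = set(ports)
    inside_mgmt = any(net.subnet_of(m) for m in MANAGEMENT_NETS if m.version == net.version)
    mgmt_hit = sorted(p for (pr, p) in MANAGEMENT if pr == proto and p in port_set)
    if mgmt_hit and not inside_mgmt:
        listed = ", ".join(f"{proto}/{p}" for p in mgmt_hit)
        findings.append(f"{rid}: management port {listed} reachable from {net}")
    if world:
        public = sorted(p for p in port_set
                        if (proto, p) not in ALLOWED_PUBLIC and (proto, p) not in MANAGEMENT)
        if public:
            findings.append(f"{rid}: {proto} ports {public[0]}-{public[-1]} "
                            f"({len(public)}) exposed to the world")
    return findings


def audit(groups):
    """Run the baseline over a list of security groups; returns {group name: findings}."""
    report = {}
    for group in groups:
        found = [f for rule in group["security_group_rules"] for f in check_rule(rule)]
        if found:
            report[group["name"]] = found
    return report


# Constructed sample input in Neutron's shape: one compliant group, one that is not.
SAMPLE_GROUPS = [
    {"name": "vfw-data", "security_group_rules": [
        {"id": "r1", "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
         "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},
        {"id": "r2", "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
         "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "10.10.0.0/24"},
        {"id": "r3", "direction": "egress", "ethertype": "IPv4", "protocol": None,
         "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
    ]},
    {"name": "vfw-mgmt-sloppy", "security_group_rules": [
        {"id": "r4", "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
         "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
        {"id": "r5", "direction": "ingress", "ethertype": "IPv4", "protocol": None,
         "port_range_min": None, "port_range_max": None, "remote_ip_prefix": "192.0.2.0/24"},
        {"id": "r6", "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
         "port_range_min": 8000, "port_range_max": 8100, "remote_ip_prefix": None},
    ]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_GROUPS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run as a post-deployment hook from the orchestrator, the report is what a security element manager would either raise as an incident or remediate automatically (by tightening remote_ip_prefix); the point of encoding the baseline as code is that it re-runs on every automated change rather than on the next manual audit.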
Cloud firewall requirements: next generation security to support cloud computing
• Virtualized security VNFs purpose-built for cloud environments
• Strict separation of control and data plane
– Scalable data plane for performance growth
• Full MANO integration, meaning automated lifecycle management for:
– Deployment via HEAT Orchestration Template (HOT)
– Healing
– High availability
– Scaling up / scaling out
• Seamless SDN integration for automated policy changes
– Security becomes part of the network fabric
Cloud firewall requirements (continued)
• High capacity through support for
– CPU pinning and CPU isolation
– DPDK for fast packet processing
– SR-IOV for hardware-assisted NIC virtualization
– Direct PCI access from the VM (PCI passthrough)
– Intel QuickAssist Technology for crypto offload
• Flexible deployment model (pay once, use everywhere in your cloud)
• No need for UTM anymore
– Standardized hardware, virtualization and MANO/SDN integration allow the deployment of use-case-specific security safeguards from various vendors
Security service chain: how network security gets implemented in the cloud
[Figure: traffic from IoT devices, mobiles and other sources enters via SDN and is steered through a chain of security functions (Anti-DDoS, FW, NAT, WAF, IDS/IDP); the chain is set up by the Cloud Orchestrator together with the Security Orchestrator]
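An added example (not from the Nokia deck) of the service-chain idea in code: each security function is a stage that passes, drops or alerts on a flow, the security orchestrator assembles an ordered chain per ingress class, and steering a flow means running it through the stages in order until one drops it. The flow record format, the per-class chain mapping, the ACL, the WAF patterns and the IDS signature are all this example's own constructions, not an SDN or vendor API; the IoT class is given an IDP (dropping) stage and the mobile class an IDS (alerting) stage to show that the same signature behaves differently depending on where the orchestrator places it.

```python
from collections import defaultdict

# A flow here is a dict: src, proto, dport and, for HTTP flows, the request line.
# Stages return (verdict, detail) with verdict in {"pass", "drop", "alert"};
# "alert" records a detection but lets the flow continue (IDS mode).


class RateLimiter:
    """Anti-DDoS stage: per-source budget within one accounting window (toy threshold)."""

    def __init__(self, budget):
        self.budget = budget
        self.count = defaultdict(int)

    def __call__(self, flow):
        self.count[flow["src"]] += 1
        if self.count[flow["src"]] > self.budget:
            return "drop", f"source {flow['src']} over budget"
        return "pass", ""


def make_firewall(allowed):
    """Stateless ACL stage: only listed (proto, dport) pairs may enter."""
    def firewall(flow):
        if (flow["proto"], flow["dport"]) in allowed:
            return "pass", ""
        return "drop", f"{flow['proto']}/{flow['dport']} not permitted"
    return firewall


WAF_PATTERNS = ("../", "' or ", "<script")  # constructed, deliberately small


def waf(flow):
    """WAF stage: blocks requests matching constructed attack patterns."""
    req = flow.get("request", "").lower()
    for pat in WAF_PATTERNS:
        if pat in req:
            return "drop", f"request matched {pat!r}"
    return "pass", ""


IDS_SIGNATURES = {"cmd.exe": "windows command shell in http request"}  # constructed


def make_ids(prevent):
    """IDS (prevent=False) only alerts on a signature; IDP (prevent=True) drops on it."""
    def ids(flow):
        req = flow.get("request", "").lower()
        for needle, name in IDS_SIGNATURES.items():
            if needle in req:
                return ("drop" if prevent else "alert"), name
        return "pass", ""
    return ids


def run_chain(chain, flow):
    """Steer one flow through the ordered chain; stop at the first stage that drops it."""
    alerts = []
    for stage in chain:
        verdict, detail = stage(flow)
        if verdict == "drop":
            name = getattr(stage, "__name__", type(stage).__name__)
            return {"verdict": "drop", "stage": name, "detail": detail, "alerts": alerts}
        if verdict == "alert":
            alerts.append(detail)
    return {"verdict": "pass", "stage": None, "detail": "", "alerts": alerts}


def build_chains():
    """What the security orchestrator hands to the SDN layer: an ordered chain per
    ingress class. The class-to-chain mapping and the ACL are this example's assumptions."""
    ddos = RateLimiter(budget=3)
    fw = make_firewall({("tcp", 443), ("tcp", 80)})
    return {
        "IoT": [ddos, fw, make_ids(prevent=True)],
        "Mobiles": [ddos, fw, waf, make_ids(prevent=False)],
        "Others": [fw, waf, make_ids(prevent=False)],
    }


if __name__ == "__main__":
    chains = build_chains()
    probe = {"src": "203.0.113.9", "proto": "tcp", "dport": 80, "request": "GET /cmd.exe?/c+dir"}
    print("Mobiles:", run_chain(chains["Mobiles"], probe))
    print("IoT:    ", run_chain(chains["IoT"], probe))
```

Ordering is the part that matters operationally: the rate limiter sits first so that a flood is shed before the more expensive stages see it, and the WAF only sees traffic the ACL has already admitted to the web ports.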