Cloud Security is a Shared Responsibility Allan MacPhee, Trend Micro November 28, 2012

SPR203 : Cloud Security is a Shared Responsibility


Page 1: SPR203 : Cloud Security is a Shared Responsibility

Cloud Security is a Shared Responsibility

Allan MacPhee, Trend Micro

November 28, 2012

Page 2

Agenda

• Security and the cloud

• Who is responsible for cloud security?

• How is security in the cloud different?

• Trend Micro securing your journey to the cloud

• Best practices & recommendations

Page 3

Cloud customer adoption survey …

Source: Ponemon – Security of cloud computing providers

10 / 11 concerns raised were related to security

Data protection was the #1 concern

Page 4

What customers tell us …

• Data sovereignty – concerns over ownership of data
  – Who owns the data? Customer, provider, government?
  – Will my data leave the country?
  – If I terminate a cloud server, do copies of my data still exist in the cloud?

• Data privacy concerns – other tenants, attacks against my data …

• US Patriot Act
  – Could USA law enforcement gain access to my systems and data?

Page 5

What customers tell us …

• Multi-tenancy concerns – risk of configuration errors leading to data exposure
  – How can I protect my cloud servers from attack?
  – Will I even know my cloud servers are being attacked?

• Compliance – how can I use the cloud and still meet internal and external compliance requirements?
  – Who is responsible for cloud security?

Page 6

Who is responsible for cloud security?

Source: Ponemon – Security of cloud computing providers

Page 7

So what is your CSP responsible for?

• CSP responsibilities
  1. Physical security
  2. Personnel security
  3. Infrastructure security
  4. Operational security

• Certification of the service offering
  – SAS 70 / SSAE 16 Type 1 SOC 1
  – SSAE 16 Type 2 SOC 1
  – PCI DSS Service Provider certification

Page 8

Why AWS is a good choice …

Certifications
  – Publishes a Service Organization Controls 1 (SOC 1), Type 2 report
  – Registered with the CSA Security, Trust & Assurance Registry (STAR)
  – Level 1 validated service provider under the PCI DSS

Service
  – EC2, VPC, dedicated instances and GovCloud offerings
  – Advanced authentication services: MFA, IAM roles, roles for EC2
  – Allows penetration tests per PCI DSS v2.0 requirements

Page 9

As a customer, what are my responsibilities?

• Protect instances from being compromised
  – Security principles don’t change: cloud servers require protection

The Need                                Preferred Security Control
Block OS & app vulnerability exploits   Patching & vulnerability shielding
Block malicious software                Anti-malware
Control server communication            Firewall & Web Reputation Services
Detect suspicious network traffic       IDS/IPS deep packet inspection
Detect unauthorized system changes      Integrity monitoring
Data confidentiality                    Encryption

• How security works in the cloud is drastically different!

Page 10

Instance Location

Challenge:

• Understanding where servers are running

• How to verify that it is a server you own and trust that is attempting to access sensitive data

Security requirement:

• Awareness that servers are running in the cloud for starters!

• Confirm the identity & location of servers running in the cloud

• Detect and block access from rogue servers

• Apply the appropriate security controls based upon location

Page 11

Scale & Automation

Challenge:

• Cloud applications dynamically scale up & down as capacity requirements change

Security requirement:

• Automate protection of new instances without requiring administrative actions

• Gracefully deal with instances that have been terminated; avoid “orphaned servers”

• Integrate with and support cloud management tools such as RightScale, Chef, Puppet, etc.

Page 12

Cloud Compatibility

Challenge:

• Supporting large-scale, distributed and even distinct cloud environments or vendors

Security requirement:

• Security that is intelligent and flexible enough to deal with
  – Multiple environments & AWS regions / AZs
  – Non-persistent IP addresses & host names
  – Firewall routing, VPCs, private/public IPs, ELBs, etc.
  – Storage options: ephemeral, EBS, AWS storage gateways, S3, RDS
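Slides 10 through 12 state requirements (location awareness, automatic protection of new instances, cleanup of terminated ones, tolerance of non-persistent IPs and host names) without showing a mechanism. The Python script below is an added example, not code from the deck or from any Trend Micro product. It reconciles a constructed cloud inventory with a constructed security-agent inventory, keyed on instance ID rather than IP address or host name, picks a policy from the instance's region and VPC, retires agent records for terminated instances ("orphaned servers"), flags agents that report an instance ID the provider does not know about, and lists running instances that have no agent at all. The instance IDs, VPC IDs, host names and policy names are all made up for the example.

```python
"""Reconcile a cloud instance inventory with a security-agent inventory.

Added example, not code from the slides or from any Trend Micro product.
All instance IDs, VPC IDs, host names and policy names are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

TERMINATED_STATES = {"shutting-down", "terminated"}

# Hypothetical mapping from (region, VPC) to a protection policy. Location
# decides the controls; an instance in an unrecognised location is quarantined
# (deny-by-default firewall) until someone classifies it.
POLICY_BY_LOCATION = {
    ("us-east-1", "vpc-prod"): "prod-hardened",  # firewall + IDS/IPS + integrity monitoring
    ("us-east-1", "vpc-dev"): "dev-baseline",
}
DEFAULT_POLICY = "quarantine"


@dataclass(frozen=True)
class CloudInstance:
    instance_id: str
    region: str
    vpc_id: str
    state: str
    private_ip: str  # kept for reporting only; IPs get reused, so never a key


@dataclass(frozen=True)
class AgentRecord:
    instance_id: str
    hostname: str
    policy: Optional[str]  # None: agent has checked in but has no policy yet


@dataclass
class ReconcileResult:
    assign: dict[str, str] = field(default_factory=dict)       # agent present, policy to set
    orphaned: list[str] = field(default_factory=list)          # instance gone, retire the record
    rogue: list[str] = field(default_factory=list)             # agent for an instance we don't own
    unprotected: dict[str, str] = field(default_factory=dict)  # running, no agent, policy to deploy


def policy_for(inst: CloudInstance) -> str:
    """Choose the policy purely from where the instance is running."""
    return POLICY_BY_LOCATION.get((inst.region, inst.vpc_id), DEFAULT_POLICY)


def reconcile(cloud: list[CloudInstance], agents: list[AgentRecord]) -> ReconcileResult:
    result = ReconcileResult()
    by_id = {inst.instance_id: inst for inst in cloud}
    seen: set[str] = set()

    for agent in agents:
        seen.add(agent.instance_id)
        inst = by_id.get(agent.instance_id)
        if inst is None:
            # The provider has never heard of this instance ID: treat it as rogue.
            result.rogue.append(agent.instance_id)
        elif inst.state in TERMINATED_STATES:
            # The instance is gone; the agent record is an "orphaned server".
            result.orphaned.append(agent.instance_id)
        else:
            wanted = policy_for(inst)
            if agent.policy != wanted:
                result.assign[agent.instance_id] = wanted

    for inst in cloud:
        if inst.state == "running" and inst.instance_id not in seen:
            # New instance with no agent: automation should deploy one with this policy.
            result.unprotected[inst.instance_id] = policy_for(inst)
    return result


# Constructed sample data. Note that i-0eee reuses the private IP of the
# terminated i-0ccc: matching on IP would wrongly treat the new server as the old one.
SAMPLE_CLOUD = [
    CloudInstance("i-0aaa", "us-east-1", "vpc-prod", "running", "10.0.1.5"),
    CloudInstance("i-0bbb", "us-east-1", "vpc-dev", "running", "10.0.2.7"),
    CloudInstance("i-0ccc", "us-east-1", "vpc-prod", "terminated", "10.0.1.9"),
    CloudInstance("i-0ddd", "eu-west-1", "vpc-unknown", "running", "10.1.0.3"),
    CloudInstance("i-0eee", "us-east-1", "vpc-prod", "running", "10.0.1.9"),
]
SAMPLE_AGENTS = [
    AgentRecord("i-0aaa", "web-1", "prod-hardened"),
    AgentRecord("i-0bbb", "api-1", None),
    AgentRecord("i-0ccc", "web-old", "prod-hardened"),
    AgentRecord("i-0eee", "web-2", "prod-hardened"),
    AgentRecord("i-0fff", "mystery", "prod-hardened"),
]

if __name__ == "__main__":
    r = reconcile(SAMPLE_CLOUD, SAMPLE_AGENTS)
    print("assign policy:", r.assign)        # {'i-0bbb': 'dev-baseline'}
    print("retire orphaned:", r.orphaned)    # ['i-0ccc']
    print("investigate rogue:", r.rogue)     # ['i-0fff']
    print("deploy agent:", r.unprotected)    # {'i-0ddd': 'quarantine'}
```

In a real deployment the two input lists would come from the provider's instance API and the security manager's agent list, and the four result buckets would drive automation: push the policy, retire the record, open an investigation, or trigger agent installation through the configuration-management tooling the deck mentions. The design choice worth keeping is the key: instance IDs are unique for the lifetime of the account, whereas IPs and host names are recycled, which is exactly why reconciling on them mis-attributes a new server to a dead one.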

Page 13

Trend Micro Global 500 Penetration

Trend Micro protects 100% of the top 10 automotive companies.
Trend Micro protects 96% of the top 50 global corporations.
Trend Micro protects 100% of the top 10 telecom companies.
Trend Micro protects 80% of the top 10 banks.
Trend Micro protects 90% of the top 10 oil companies.

• 48 of the top 50 global corporations
• 10 of the top 10 automotive companies
• 10 of the top 10 telecom companies
• 8 of the top 10 banks
• 9 of the top 10 oil companies

Trust Trend Micro security solutions*

* In calculating the above data, the percentage use of Trend Micro products includes usage by parent companies and/or usage by any of their subsidiaries of any Trend Micro product or service.
Source: http://money.cnn.com/magazines/fortune/global500/2011/index.html


Page 14

Securing the cloud with Trend Micro

12/6/2012 14 Confidential | Copyright 2012 Trend Micro Inc.

Optimized for AWS

• AWS inventory synchronization

• Multi-tenant support

• AWS cloud encryption

• RightScale, Chef, Puppet automation scripts

• Location awareness

• Support compliance requirements (PCI, HIPAA)

Page 15

Deep Security Demo

Page 16

Best Practices & Recommendations

Page 17

Be proactive & create a cloud plan

• Interview LOBs to understand their needs and expectations

• Identify services / applications that are cloud candidates

• Plan for the worst case

• Think of security as an enabler

• Don’t say “no”; say “how?”

Page 18

Thank You

Questions?