Business Technology Briefing: Realities of the Secure Cloud

Dean Coza, Director, Product Management Security, VMware
Gabe Kazarian, Global Product Manager, Trusted Cloud and Hosting, CSC


Realities of the Secure Cloud

Gabe Kazarian, CSC, Global Product Manager, Trusted Cloud and Hosting
Dean Coza, VMware, Director, Product Management Security

22 June 2011

© CSC 2010

IaaS Addresses Business Imperatives

Become More Agile
Innovate
Be More Cost Effective
Preserve Capital

• Align infrastructure with business need
• Use what you need, only when you need it
• Refocus IT staff on business value
• Free up capital for strategic investments
• Shift from CAPEX to OPEX to improve ROI
• Manage IT sprawl and contain the infrastructure
• Break down IT barriers to create new products
• Mitigate risk and improve ROI for new initiatives
• Get started without IT capital or lead times
• Accelerate cycle time
• Expand and contract resources as needed
• Relieve constraints based on IT’s capacity to deliver


Security and Compliance Concerns in Detail

Infrastructure Team
Security Operations Team
Compliance Officer

Both Security and Proof of Compliance are Required to Build Trust in Your Cloud

• How do I verify that confidential & regulated data is secure in the cloud?
• How do I implement compliance audits for resources in the cloud?
• How can I manage security policies across virtual desktops, servers and networks?
• I have too many VLANs for segmenting traffic and securing applications. I can’t keep up.


*Optional service

CSC Trusted Cloud ― Defense-in-Depth Security Framework

Access Control

• Authentication, authorization, and access

• Antispoofing

• CSC Audit Log Assurance*

• Key shield encryption*

• Secure VLANs

• Virtual and network perimeter firewalls

Data Integrity*

• Scheduled and ad hoc security scanning

• Security incident response 24x7

• Annual SAS 70 Type II review

• Antivirus services

• Vulnerability scanning for compliance

Logical Security

• Client data isolated

• Client separation via firewalls

• Hypervisor isolation for network adapters

• ITIL standards

• Network intrusion detection

Physical Security

• Access-controlled Tier 2/3 data centers

• Servers in secure suites or cages

• Video surveillance monitored 24x7

• Personnel background checks

• Multifactor authentication

• Separation of staff duties


CSC Addresses Challenges of Cloud Adoption

Security
Challenge: Risk associated with high profile enterprise or LOB applications with compliance requirements
Solution: Implement a private cloud billed as a service on premises behind your firewall

Availability
Challenge: Inability to meet availability requirements and protect against disruption to business operations
Solution: Select a cloud capable of supporting production, mission critical workloads. Gain the ability to match workloads to the right level of service required

Integration
Challenge: Gaining the elasticity of cloud with required security
Solution: Use a hybrid cloud approach to meet the desired cost and security profile

Execution
Challenge: Lack of the right mix of skills and resources to deploy and manage cloud environments
Solution: Select a supplier with the experience and capabilities to deploy and manage your cloud from the OS layer through the entire application stack


CSC Cloud Deployment Models — IaaS CloudCompute

Virtual Private (Off Premises)
• Dedicated Access
• At CSC data centers
• Capacity: projection-based
• Requires minimum commitment for 3 months
• Standard rate card applies

Private (On Premises)
• Behind client firewall
• Capacity: projection-based
• Minimum capacity commitment and annual term
• Standard rate card applies over minimum

Public (Off Premises)
• Leveraged
• At CSC data centers
• Capacity: virtually unlimited
• Standard rate card applies

Biz Cloud


Ugly Truth – Current Enterprise Data Center Security & Networking

- Network Segmentation, Firewalls, IDS/IPS
- Server A/V Agents
- App | data | identity aware security, compliance
- DMZ firewall, NAT, IPAM, VR
- Site and user VPNs
- Web load balancers
- Desktop A/V Agents
- DLP, FIM, white listing

Diagram labels: vSphere, Users, Sites, Backend Services, DMZ, Web, View


Goal 1. Virtualize Security Infrastructure

1. Virtualize and consolidate security functions into the hypervisor
2. Leads to a much simplified, agile architecture

Diagram labels: Apps / DB Tier, DMZ, Users, Sites, Web Servers


Goal 2. Secure vApps simplify Cloud Deployments

Diagram labels: Users, Sites, Secure IaaS, Secure vApp


Dramatically Simplified vApp Protection in Virtual Environments

Enclave: Organizational network (department)
Integrated “Air gap” (DMZ, PCI)
1. Allow Enclave to Enclave

Sub-enclave: VDI desktops belonging to same Organizational network or “trust zone”
1. Allow Sub-enclave to Enclave
2. Deny Sub-enclave to Sub-enclave

Advanced Protection: Change VM vNIC membership from enclave to Quarantine or Monitoring
1. Deny All/All
2. Allow access by Incident Response
• Monitoring Zone is a reusable container

Micro Segmentation: Leverage built in containers
1. Deny Web server access to DBs

Leverage vApp net flows
1. Allow identified applications

Elastic Logical Trust Zones
• VMs are assigned to enclaves and sub-enclaves
• Built-in logical containers to improve security posture
• Eliminate time consuming and complex network security management

Advanced Dynamic Zones
• Improved visibility and control

Better protection, FW rule reduction, Opex Savings

Diagram labels: DLP & IDS, Bus logic, Web, DBs, VDI


vShield Endpoint: Offload Anti-virus Processing for Endpoints

Benefits

• Improve performance by offloading anti-virus functions in tandem with AV partners

• Improve VM performance by eliminating anti-virus storms

• Reduce risk by eliminating agents susceptible to attacks and enforced remediation

• Satisfy audit requirements with detailed logging of AV tasks


Clouds Come in Different Shapes and Sizes

Pharmaceutical Company
Need: Creation of private cloud services to in-source Amazon workloads and provide compliant IaaS services to internal customers
Solution: On-premises private cloud based on Vblock, full DR and backup at the compute and network layer. Solution includes orchestration, provisioning portal and standard service catalog.

Educational Testing Company - ETS
Need: Move application from Amazon to a high availability cloud. Create a private cloud for projects to support new application development and virtualization project.
Solution: Off-premises private cloud in CSC Newark Datacenter with hybrid integration to existing applications architecture. Standardization of the Service catalog and configurations for OS and application stack.


Clouds Come in Different Shapes and Sizes

Vanity Fair Corporation
Need: Testing environment for SAP
Solution: Rapid deployment of testing environment to help enforce standard configurations in the user community. Template-based SAP testing environment

Large Aircraft Manufacturer
Need: Rogue public cloud usage poses compliance and security issues
Solution: Select a provider of Trusted Clouds that will provide the service on an “hourly rate” card for off-premises private and public cloud infrastructure, with development and test functionality

Blackboard Student Services
Need: Rapid application modernization
Solution: An on-demand development and test delivery mechanism with guaranteed SLA and security/compliance reporting


CSC Proprietary and Confidential

Thank You