Oded Tsur - Ca Cloud Security
Security management to, for, and from the cloud
CA’s Cloud Security Capabilities & Strategy
Oded Tsur, CISSP, Sr. Solution Strategist
Cloud - Next Wave of IT Architectures
2 Copyright © 2010 CA. All rights reserved.
Many Have Adopted Some Cloud Services; Some Have Adopted Many Cloud Services
Security of Cloud Computing Users – A Study of US & EMEA IT Practitioners, Ponemon Institute, May 12, 2010 http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf
Why Adopting the Cloud? To Save $ & Time
Who is Responsible For Security?
Do You know Your Cloud Services?
IAM is #1 Area of Focus for Migration
What is the Cloud?
Diagram: service models IaaS, PaaS and SaaS across Private Cloud, Hybrid Cloud and Public Cloud.
Identity & Access Management - Defined
— Starting point: many users, many identities, many admins, many applications
— Reduced identities: easier administration, reduced costs, improved auditing for easier compliance
— Centralized administration: reduced admin costs, consistent admin across platforms, automation of IT processes
— Many applications: single sign-on, user self-service, centralized security, easier app dev
— Security policy
Unstructured Physical Boundaries
— VM mobility beyond the server room
− VMs can be copied or cloned
− Machine memory is accessible from the host
− Disk space can be accessed from storage
— Challenging physical security
− Copying a VM = stealing a server from the server room
− The virtual DC is distributed, not a mainframe
The 4th Dimension - Time
— What happens when we revert to snapshot?
− Lost audit events
− Lost configuration
− Lost security policy
— Am I still compliant with my policy?
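The snapshot-revert problem above (audit events, configuration and policy silently rolling back on the VM) is detectable once event collection is centralized, which the deck later lists for virtual machines and cloud applications. The following is an added example, not CA's code: it assumes each VM stamps forwarded audit events with its boot id and a sequence counter persisted on its own disk, and replays a constructed event stream at the collector to flag counters that go backwards.

```python
from dataclasses import dataclass

# Constructed sample: audit events in the order the central collector received them.
# "boot" is the VM's boot id; "seq" is a counter the VM persists on its own disk, so a
# planned reboot continues the count while a revert to a snapshot rolls it back.
SAMPLE_EVENTS = [
    {"host": "vm-app1", "boot": "b1", "seq": 100, "msg": "policy v7 applied"},
    {"host": "vm-app1", "boot": "b1", "seq": 101, "msg": "login alice"},
    {"host": "vm-app1", "boot": "b1", "seq": 102, "msg": "sudo alice"},
    {"host": "vm-db1",  "boot": "d1", "seq": 10,  "msg": "login bob"},
    {"host": "vm-db1",  "boot": "d2", "seq": 11,  "msg": "planned reboot"},  # normal reboot
    {"host": "vm-app1", "boot": "b1", "seq": 101, "msg": "login carol"},     # live revert
    {"host": "vm-db1",  "boot": "d3", "seq": 5,   "msg": "boot"},            # disk revert
]


@dataclass
class Finding:
    host: str
    kind: str        # "live_snapshot_revert" (memory + disk) or "disk_snapshot_revert"
    lost_first: int  # oldest event the VM no longer holds locally ...
    lost_last: int   # ... newest such event; the collector still has all of them


def detect_reverts(events):
    """Replay events in arrival order; a sequence number that does not advance
    means the VM's state is older than what the collector already accepted."""
    last = {}       # host -> (boot id, seq) of the last accepted event
    findings = []
    for ev in events:
        host, boot, seq = ev["host"], ev["boot"], ev["seq"]
        prev = last.get(host)
        if prev is not None and seq <= prev[1]:
            # Same boot id: a snapshot of the running VM was restored, memory included.
            # New boot id: the VM booted from an older disk image.
            kind = "live_snapshot_revert" if boot == prev[0] else "disk_snapshot_revert"
            findings.append(Finding(host, kind, seq, prev[1]))
        last[host] = (boot, seq)  # the collector's copy is now the only complete record
    return findings


if __name__ == "__main__":
    for f in detect_reverts(SAMPLE_EVENTS):
        # Policy or configuration pushed after f.lost_first must be re-applied, and the
        # VM's local audit trail treated as incomplete from that point on.
        print(f"{f.host}: {f.kind}, local events {f.lost_first}-{f.lost_last} lost")
```

A legitimate reboot (vm-db1, boot d2) is not flagged because the persisted counter keeps advancing; only a counter that moves backwards marks a revert.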
Cloud Model Drives Security Implications: Control vs. Visibility
Diagram from Burton Group report, Cloud Computing Security in the Enterprise, July 2009
— Private clouds are a modern form of dedicated IT?
— SaaS: how do I manage my users' SaaS accounts & their access? How do I collect & analyze SaaS security logs?
— PaaS: how do I define & enforce access policies in PaaS applications without creating more security silos?
— IaaS: how do I control privileged users in IaaS… both theirs & ours?
IAM & Trust Before Cloud
— Trust established between the user & enterprise
− Or between user & each application when applications are siloed
— IAM is deployed on-premise
Diagram: enterprise side with user, in-house applications, corporate directory ("identity provider") and on-premise IAM; remote user on the public side.
Cloud Adoption & IAM: Trust Models Will Need to Change
1. Extend Enterprise Security to the Cloud
2. Security for Cloud Providers
3. Security from the Cloud
1 Extend Enterprise Security to the Cloud
— Enterprises will use more SaaS applications & cloud services
— Trust model will be between user & enterprise
— The on-premise IAM system "extends" out to the cloud
− Provisioning and SSO to SaaS applications
− Cloud web services for mashing applications
− Access governance (certification & attestation) extends to the cloud
− Log collection of cloud applications
Diagram: enterprise LAN with user, corporate directory ("identity provider") and on-premise IAM; directories and a remote user on the public side.
1 Extend Enterprise Security to the Cloud
Need to… / Solution
— Provision users to SaaS applications (SFDC, Google, etc.): CA Identity Manager
— SSO (SAML-based) & access control to SaaS applications: CA SiteMinder, CA Federation Manager
— Access control to cloud-based web services for building mashed applications: CA SOA Security Manager
— Log access to SaaS applications: CA Enterprise Log Manager
— Control information while using SaaS applications: CA DLP
2 Security to enable Cloud Providers
— Enterprises providing private clouds & organizations providing public clouds
— Security improvements needed to become more trusted
− Need to provide effective security controls
− Need to prove their controls through real-time reporting
− Increase transparency of policies
Diagram: enterprise private cloud (hardware, hypervisor, IAM, App 1-3) beside a public cloud (hardware, hypervisor, IAM, application instances per customer 1..n).
Entire CA IAM Solution for the Cloud: Content Aware Identity and Access Management
The control you need to confidently drive business forward
— Control Identities: manage and govern identities and what they can access based on their role. Products: CA Role & Compliance Mgr, CA Identity Manager, CA Enterprise Log Manager
— Control Access: control access to systems & applications across physical, virtual & cloud environments. Products: CA Access Control, CA SiteMinder, CA Federation Manager, CA SOA Security Manager
— Control Information: find, classify and control how information is used based on content and identity. Products: CA DLP
2 Security to enable Cloud Providers: Support Virtualization & extend control to the hypervisor
— Support virtualization
− Secure virtual machines
− Log collection from virtual machines
− Secure privileged partitions
— Manage complexity
− Deployment (security encapsulation)
− Automation
− Extend policy management
— Repeatable compliance
− Control identities, access and information
− Transparency of access and logs
− Cloud-provider specific compliance requirements (e.g. SAS 70)
3 Security from the Cloud: Identity Services from the Cloud
— Eventually even user identity (proofing, authentication, authorization/SSO, provisioning…) can be managed by a cloud service
— Trust will be very different
− User to cloud security service
Diagram: enterprise (user, directory, in-house applications) and remote user both relying on a cloud identity management service acting as "identity provider".
Q&A