Web-Cloud Security GSF 2011 Ravi Varasani 1-5



Transcript of Web-Cloud Security GSF 2011 Ravi Varasani 1-5

Page 1: Web-Cloud Security GSF 2011 Ravi Varasani 1-5

Government Solutions Forum 2011

Cloud Security

Ravi Varanasi, [email protected]

March 01, 2011


Page 2: Web-Cloud Security GSF 2011 Ravi Varasani 1-5

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cloud: Architectural Tenets

• Massive Scalability
• Multi-Tenancy
• Independent Scaling
• Rapid Development
• Availability
• Performance
• Security and Manageability


Page 3: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Factors that encourage enterprise cloud usage

• Agility/Scalability – on-demand capacity; flexibility to respond to business requirements
• Automation efficiency and streamlined administration
• CapEx to OpEx [lower infrastructure costs, budget control]
• Datacenter consolidation – different from virtualization, which is fuelled by server consolidation
• Disaster recovery: storage, fault-tolerant compute offload; helps reduce vendor lock-in, HA within multiple sites/providers
• Hosted cloud apps for all standard services – Email, Collaboration, Salesforce.com, Identity aggregation
• Testing, QA: cloud-based QA services for scalability and performance testing; third-party certification as a cloud service


Page 4: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Same Challenges - Increasing Complexity

Scalability, Availability, Performance, Security and Manageability across Non-IT-Controlled Environments

[Chart: Then – linear; Now – multi-dimensional. Dimensions shown: Scalability, Location, Device, Application, Performance, Security, Manageability, Availability, Cost of Ownership]


Page 5: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


“Cloud First Policy” of US Govt.
Reproduced from “25 point plan to reform Federal IT” by Vivek Kundra, United States CIO, published Dec 09, 2010

Beginning immediately, Federal Govt. will shift to a “Cloud First” policy. The three-part strategy on cloud technology will revolve around using commercial cloud technologies where feasible, launching private government clouds, and utilizing regional clouds with state and local governments where appropriate. Cloud computing brings a wide range of benefits:

• Economical: Cloud computing is a pay-as-you-go approach to IT, in which a low initial investment is required to begin, and additional investment is needed only as system use increases.
• Flexible: IT departments that anticipate fluctuations in user demand no longer need to scramble for additional hardware and software. With cloud computing, they can add or subtract capacity quickly and easily.
• Fast: Cloud computing eliminates long procurement and certification processes, while providing a near-limitless selection of services.

Govt contract vehicles for IaaS solutions
Within the next six months, after completing security certification, GSA will make a common set of contract vehicles for cloud-based Infrastructure-as-a-Service solutions available government-wide.


Page 6: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Network Differentiation to derive fundamental benefits of cloud

1. Connectivity – Cloud connects resources seamlessly: within the data center, between data centers, and to the end-user
2. End-user context awareness – End-user context consists of: physical location, presence, device-awareness, identity
3. Resource-awareness – Resource-aware services for improved user experiences
4. SLA Management – Managing QoS agreements within the Cloud for better allocation of resources and service levels
5. Security, risk and policy – Policy management around risk, security, trust, privacy, control, services, and compliance
6. Chargeability and metering – Usage-based pricing of Cloud services
7. Resilience and disaster recovery – Self-healing systems can automatically re-direct workloads seamlessly in the event of failure
8. New sources of insight – Access to and reporting on all information in the Cloud, not just at the endpoints


Page 7: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Security Challenges along the Virtualization path (Courtesy: VMware, Trend Micro)

Stages: IT Production → Business Production → ITaaS

Challenges (numbered 1–12 in the original figure):
• Data destruction
• Diminished perimeter
• Compliance / Lack of audit trail
• Multi-tenancy
• Data access & governance
• Resource contention
• Mixed trust level VMs
• Data confidentiality & integrity
• Inter-VM attacks
• Instant-on gaps
• Host controls under-deployed
• Complexity of Management


Page 8: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Cloud Security concerns from Federal Customers

FISMA’s definition: three security objectives to preserve in a cloud security architecture:
• Confidentiality: Authorized restrictions on information access and disclosure.
• Integrity: Guarding against modification and destruction.
• Availability: Timely access to and use of information.

Resource Exhaustion: Over- or under-provisioning of cloud resources.

Isolation Failure: Failure to effectively separate storage, memory and routing.

Management Interface compromise: Remote access and browser vulnerabilities.

Intercepting data in Transit: Data sniffing, spoofing and man-in-the-middle attacks.

Data Leakage on Up/Down links.

Insecure or Ineffective Deletion: Improper deletion of data with a previous provider while migrating to a new provider.

“Cloud Busting”: Compromise of the core of the cloud, i.e. service engine (hypervisor) vulnerabilities.

Conflicts between customer hardening procedures and cloud environment: Customers with vulnerable client environments join and increase the attack surface.

Availability (access disruption to systems): VM allocation for a tenant fails to meet a sudden surge in sales.

Multi-Trust: Breach of SLA of one tenant due to actions of another.

Auditability: Compromised auditable record of usage, or lack thereof.


Page 9: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


[Diagram: Drivers for Cloud usage vs. Cloud Security Network Value-add]

• Movement to Cloud / Data Center Consolidation – DC-Interconnect (OTV, LISP): Secure OTV, location-based policy, traffic shaping/SLA, data-in-flight and data-at-rest security, site-to-site VPN, FW
• Server Consolidation / Virtualization – Multi-tenant VM security: VM->VM security (FW, in-memory forensics), network richness in the hypervisor (e.g. vPath), L3-L7 based policy, multi-tenant with HW control, hypervisor-independence
• Storage Consolidation (NAS, object-oriented, block, I/O interconnect) – Data-at-rest security, persistent key storage, visibility and monitoring of data copies, access logs, security while preserving de-dup, replication etc.
• Desktop Virtualization / Internet-of-things – Thin-client lock-down, restricted local copy, context-aware VMotion, integrated thin-client


Page 10: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Cloud Security: Problem statement

Barriers to proliferation of cloud services: Privacy, Control, Compliance, Reliability, QoS.

Principal benefits of Cloud Computing are derived from heavy automation. Security solutions are *not* heavy on automation.

Scale can enable performance and HA, but management (security specific) and correlation suffer non-linearly.

Physical stacks (and their security functions) are disconnected from the virtual stacks (and their security functions).

Our focus:
• Make Cisco the enabler and provider of Trusted Cloud services via application intelligence in the network.
• Enable security automation and scale, drive compelling policy-driven security management, and provide integration of interoperable security capabilities across cloud stacks.


Page 11: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Barriers to cloud adoption: security, privacy fears

[Chart: Barriers to cloud adoption (percentage of respondents who ranked each issue either 1 or 2 out of 12); horizontal bars on a 0%–60% axis. Bar values in the order extracted: 27%, 28%, 30%, 31%, 31%, 42%, 44%, 45%, 50%, 52%, 57%.]

Issues shown (with number of respondents):
• Unclear scheme in the pay per use model (n=62)
• Contract lock-in with a cloud provider for the use of cloud-based infrastructure/storage resources (n=65)
• Vendor sustainability/financial health (n=71)
• Interoperability between computing in the cloud platforms (n=74)
• Manageability to the extent of monitoring the performance/availability (n=86)
• Employee resistance (n=73)
• Reliability/Availability of cloud platforms (n=96)
• Lack of measurable business benefits (n=88)
• Migrating existing data and applications into the cloud could be costly and difficult (n=126)
• Regulatory compliance / corporate governance (n=90)
• Virtualization security (n=107)

Base: Organizations that already deployed or plan to deploy PaaS or IaaS within 24 months


Page 12: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Page 13: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Enterprise Barriers to entry

“Trust is at the core of what is preventing cloud computing from reaching its greatest potential. The majority of IT decision makers remain underwhelmed with the cloud's current security, control and service assurance levels.”

“instead of fulfilling its promise of radically improving the operating model of the $3 trillion-a-year IT market, cloud computing finds itself relegated to a near $10 billion market of non-mission critical, "one and done" compute tasks. The challenge for the industry and buyers alike is to make the leap of faith possible.”

http://www.forbes.com/2010/06/02/internet-virtualization-multitenancy-technology-cloud-computing-10-ta.html?partner=yahootix


Page 14: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Enterprise Barriers to entry


Page 15: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Cisco Cloud Architecture

[Diagram]
• SaaS Cloud Providers: ScanSafe, IronPort, Webex, SalesForce.com, Other
• Enterprise / Public Sector: Data Center/Virtualization, Private Cloud, Collaboration, Other Enterprise Apps; Cloud Ready Borderless Networks
• Service Provider: Data Center & IP NGN, Public Cloud, IaaS Solution, Hosted Collaboration; Cloud Ready IP NGN
• Unified Service Delivery / Hybrid Cloud


Page 16: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Better Security: Connecting Virtual and Physical stacks

New Services Enabled (V to V):
• Virtual ASA / Virtual Firewall
• Auto-tuned IPS
• Virtual Patching
• VM Application Control
• Agentless AV

Traditional Services Virtualized (P to V):
• Remote Access
• Secure Connectivity
• IPS/Anti-Threat
• Access Control

Nexus 1000V (multi hypervisor capable), vPath

Enhance the Physical, Win the Virtual


Page 17: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Nexus 1000V

[Diagram: Nexus 1000V VSM paired with vCenter; vSphere hosts, each running a Nexus 1000V VEM with its VMs; Cisco VN-Link: Virtual Network Link]

Defined Policies: WEB Apps, HR, DB, DMZ

VM Connection Policy
• Defined in the network
• Applied in Virtual Center
• Linked to VM UUID

• Faster VM Deployment
• Policy-Based VM Connectivity
• Mobility of Network & Security Properties
• Non-Disruptive Operational Model
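The VM connection policy on this slide (defined in the network, applied in Virtual Center, linked to the VM UUID) can be modelled to show why the binding key matters: a policy keyed by UUID survives a vMotion between hosts unchanged. This is an added example, not Cisco's or the Nexus 1000V's code; the class names, VLAN numbers, TCP ports, host names and UUID are constructed, and only the four profile names come from the slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortProfile:
    """Connection policy defined once in the network (e.g. on the VSM)."""
    name: str
    vlan: int
    allowed_tcp_ports: frozenset

class DistributedVSwitch:
    """One policy store shared by every host's VEM; bindings keyed by VM UUID."""

    def __init__(self, profiles):
        self.profiles = {p.name: p for p in profiles}  # defined in the network
        self.bindings = {}  # vm_uuid -> profile name (applied via Virtual Center)
        self.location = {}  # vm_uuid -> host currently running the VM

    def attach(self, vm_uuid, host, profile_name):
        if profile_name not in self.profiles:
            raise KeyError(f"no such port profile: {profile_name}")
        self.bindings[vm_uuid] = profile_name
        self.location[vm_uuid] = host

    def vmotion(self, vm_uuid, new_host):
        """Move the VM. The UUID binding is untouched, so its policy moves with it."""
        self.location[vm_uuid] = new_host

    def permits_inbound(self, vm_uuid, vlan, tcp_port):
        """Enforcement at the VEM of whichever host runs the VM right now."""
        p = self.profiles[self.bindings[vm_uuid]]
        return vlan == p.vlan and tcp_port in p.allowed_tcp_ports

    def snapshot(self, vm_uuid):
        """(host, policy name, 5432/tcp allowed?, 80/tcp allowed?) for a DB-tier VM."""
        return (self.location[vm_uuid], self.bindings[vm_uuid],
                self.permits_inbound(vm_uuid, 30, 5432), self.permits_inbound(vm_uuid, 30, 80))

# Constructed sample: the four profile names are from the slide; VLANs and ports are invented.
PROFILES = [
    PortProfile("WEB Apps", vlan=10, allowed_tcp_ports=frozenset({80, 443})),
    PortProfile("HR", vlan=20, allowed_tcp_ports=frozenset({443})),
    PortProfile("DB", vlan=30, allowed_tcp_ports=frozenset({5432})),
    PortProfile("DMZ", vlan=40, allowed_tcp_ports=frozenset({22, 443})),
]

def policy_follows_vm():
    """Attach a DB VM on host-a, vMotion it to host-b; the same policy is enforced on both."""
    sw = DistributedVSwitch(PROFILES)
    uuid = "00000000-0000-4000-8000-000000000001"  # constructed VM UUID
    sw.attach(uuid, "esx-host-a", "DB")
    before = sw.snapshot(uuid)
    sw.vmotion(uuid, "esx-host-b")
    return before, sw.snapshot(uuid)
```

Calling `policy_follows_vm()` returns the before and after snapshots; only the host changes, while the policy name and the allow/deny decisions stay identical.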


Page 18: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Cisco AnyConnect: Always On Connectivity for Seamless User Experience

• Choice – Diverse endpoint support for greater flexibility
• Security – Authentication, Dynamic Access Policy, FW ACLs, Layer 2 security
• Experience – Always-on intelligent connections for seamless experience and performance

Gateway policies: Acceptable Use, Access Control, Data Loss Prevention, Threat Prevention

[Diagram: AnyConnect Client → ASA VPN Gateway → Intranet, Corporate File Sharing (Access Granted)]


Page 19: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


Secure Virtualized Data Center

1. Secure Physical Infrastructure – Physical security device with virtual contexts in front of the App Server, Database Server and Web Server
2. Embed Security in the Virtual Switch & with Virtual Security Gateways – Hypervisor running Nexus 1000v with a Virtual Security Gateway (virtual security)
3. Service Chaining – Connect physical security to virtual machines with service chaining (physical security device plus virtual security)


Page 20: Web-Cloud Security GSF 2011 Ravi Varasani 1-5


IaaS Cloud Services

[Diagram, left to right]
• Service Delivery Data Center: App Software (App/OS per virtual machine; App 1, App 2), Virtual Machine, VSwitch, Access, Services (ACE, FW), Core/Agg, Storage & SAN, Compute
• Core: Peering / IP-NGN Backbone
• Aggregation/Access: L2 Aggregation, Access
• CPE: Endpoints/CPE – Broadband, Wireless, 3G, WiFi, 802.11, Ethernet, FTTH, Leased Line, ATM, FR
• Internet, Partners
• Policy Plane – Interface to CCN
