How Data Encryption Can Be Used for Disaster Recovery in Public Clouds
Glynn Stokes - Trend Micro
Disaster Recovery in Public Clouds
Copyright 2011 Trend Micro Inc.
Why the Cloud Matters
Speed & Business Impact
Expertise & Performance
Massive Cost Reduction
Agenda
Cloud Computing Evolution
Security Challenges in the Cloud
A New Architecture for Data Centre Security
Different types of Clouds
- Shared Resources
- Ability to charge for resources used
- Virtualisation
[Illustration: server under desk, 19” rack, computer room]
The Evolving Data Centre
- Stage 1: Consolidation
- Stage 2: Expansion & Desktop
- Stage 3: Private > Public Cloud
[Chart: share of servers and desktops virtualised at each stage; figures on the slide are 85% (servers), 70%, 30% and 15% (desktops)]
Cost-efficiency + Quality of Service + Business Agility
Datacenters are evolving to drive down costs and increase business flexibility.
Security Challenges Along the Journey to the Cloud
[Chart: challenges accumulate across the stages IT Production, Business Production and ITaaS]
1. Host controls under-deployed
2. Instant-on gaps
3. Inter-VM attacks
4. Mixed trust level VMs
5. Resource contention
6. Compliance / lack of audit trail
7. Complexity of management
8. Data access & governance
9. Diminished perimeter
10. Multi-tenancy
11. Data destruction
71% of enterprises cite increases in complexity in the effort needed to secure the business amid these changes as a major challenge.
Substance Emerging from Cloud Hype
Public Cloud for Backup & Storage: Using public cloud services, GE reduced backup costs by 40% to 60%, created reusable processes in a rapidly deployable model. Matt Merchant, General Electric (December 2009)
Pharmaceutical R&D and The Cloud: “Drug behemoth Eli Lilly and Co. … uses Amazon's Elastic Compute Cloud (EC2) for scientific collaboration and computations … because they empower many subsets of users.” SearchCIO.com, 30 July 2009
Gartner Top 10 Strategic Technologies in 2010: “Cloud Computing. Organizations should think about how to approach the cloud in terms of using cloud services, developing cloud-based applications and implementing private cloud environments.” SearchCIO.com, 22 October 2009
Cloud Computing & Security: “CISOs and Security Architects: Don't let operations-led projects lower your security profile. Engage in a discussion of the issues now, not after the fact.” Neil MacDonald, Gartner (Gartner Data Center Conference, December 2009)
Cloud Computing Compromises
- Jan 2010: Google Gmail hacked by attacks originating in China (Financial Times)
- Oct 2009: Amazon EC2 customer Bitbucket taken offline by Distributed Denial of Service attack (The Register)
- Oct 2007: Salesforce.com security breached. Repeatedly hacked (Washington Post)
Enterprise security challenges continue in the cloud.
“The number one concern about cloud services is security.”
Frank Gens, IDC, Senior VP & Chief Analyst
[Chart: Key Challenges/Issues to the Cloud/On-demand Model]
Source: IDC eXchange, "New IDC IT Cloud Services Survey: Top Benefits and Challenges," (http://blogs.idc.com/ie/?p=730) December 2009
Who Has Control?
[Chart: split of control between the End-User (Enterprise) and the Service Provider across Servers, Virtualization & Private Cloud, Public Cloud IaaS, Public Cloud PaaS and Public Cloud SaaS]
Amazon Web Services Customer Agreement
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
http://aws.amazon.com/agreement/#7 (3 March 2010)
The cloud customer has responsibility for security and needs to plan for protection.
Why Backup to the Cloud?
Problem #1
“Outside-in” approach and rapid virtualization have created less secure application environments.
Virtualization & Cloud Computing Create New Security Challenges
[Diagram: Inter-VM attacks, PCI, Mobility and Cloud Computing shown against the hypervisor]
Security Challenges of Virtualization
[Chart: virtualisation by stage; figures on the slide are Servers 85%, Desktops 70%, 30% and 15%]
- Stage 1: Server Consolidation: Inter-VM attacks; Instant-ON gaps
- Stage 2: Expansion & Desktop: Inter-VM attacks; Instant-ON gaps; Mixed Trust Level VMs; Resource Contention; Maintaining Compliance
- Stage 3: Private > Public Cloud: Inter-VM attacks; Instant-ON gaps; Mixed Trust Level VMs; Resource Contention; Maintaining Compliance; Service Provider (in)Security; Multi-tenancy
Problem #2
Data protection is the most pressing concern, but data is mobile, distributed and unprotected.
Gartner recommends that any data leaving the data center be encrypted, which includes … cloud services. “Emerging Technology Analysis: Storage Data Security,” Gartner, 25 November 2009
Challenge of Securing Data
[Diagram: a company's applications (App 1 … App n) on a shared hypervisor, shown inside the perimeter, in the data centre and in the cloud]
- Data centre: Strong perimeter security; No shared CPU; No shared network; No shared storage
- Cloud: Weak perimeter security; Shared CPU; Shared network; Shared storage
Data Security Challenges in the Cloud
[Illustration: a plaintext record: Name: John Doe, SSN: 425-79-0053, Visa #: 4456-8732…]
- Encryption rarely used: Who can see your information?
- Storage volumes and servers are mobile: Where is your data? Has it moved?
- Rogue servers might access data: Who is attaching to your storage?
- Audit and alerting modules lacking: What happened when you weren’t looking?
- Encryption keys tied to vendor: Are you locked into a single security solution? Who has access to your keys?
- Storage volumes contain residual data: Are your storage devices recycled securely?
Data Protection for the Cloud
Policy-based Key Management in the Cloud
Identity: “Is it mine?”
• Embedded keys
Integrity: “Is it okay?”
• Firewall
• AV
• Self integrity check
• Location
• Start-up time
• etc.
Auto or manual rules-based key approval
Challenges for Public Cloud, and The Private Security Answer: 1) A self-defending host, 2) Encrypted data
[Diagram: Internet, Shared Firewall, Shared Storage, Virtual Servers]
- Challenge: Multiple customers on one physical server – potential for attacks via the hypervisor. Answer: Doesn’t matter – the edge of my virtual machine is protected.
- Challenge: Shared network inside the firewall. Answer: Doesn’t matter – treat the LAN as public.
- Challenge: Shared firewall – lowest common denominator – less fine grained control. Answer: Doesn’t matter – treat the LAN as public.
- Challenge: Shared storage – is customer segmentation secure against attack? Answer: Doesn’t matter – my data is encrypted.
- Challenge: Easily copied machine images – who else has your server? Answer: Doesn’t matter – they can start my server but only I can unlock my data.
A New Security Architecture For A New Era
All environments should be considered untrusted.
[Diagram: users access the app in the datacenter or the public cloud; data is encrypted within the server; encryption keys are controlled by you]
• Host defends itself from attack
• Facilitates movement between datacenter & cloud
• Delivers control, security and compliance through encryption
• Avoids service provider lock-in
• Enables secure storage recycling
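The policy-based key management slide (identity: "Is it mine?", integrity: "Is it okay?", auto or manual rules-based approval) and the architecture point that a provider can start the server but only the customer, who holds the keys, can unlock the data, can be written as a small key-release policy. The following is an added example, not Trend Micro's code; the server ids, embedded secret, golden image hash, allowed locations and the 300-second start-up window are constructed assumptions, and the HMAC-over-nonce proof stands in for whatever the embedded key mechanism on the slide actually is.

```python
import hashlib, hmac
from dataclasses import dataclass
# Constructed sample data. The enterprise, not the cloud provider, holds both the
# volume keys and the per-server secret embedded in each machine image.
EMBEDDED_SECRETS = {"web-01": b"constructed-embedded-secret-web01"}
VOLUME_KEYS = {"web-01": b"\x11" * 32}               # hypothetical data encryption keys
GOLDEN_IMAGE_HASH = hashlib.sha256(b"constructed-golden-image").hexdigest()
ALLOWED_LOCATIONS = {"datacenter", "eu-west"}         # assumed policy values
MAX_SECONDS_SINCE_BOOT = 300                          # keys are handed out at start-up only

@dataclass
class KeyRequest:
    server_id: str
    nonce: bytes             # issued by the key server for this request (anti-replay)
    proof: bytes             # HMAC(embedded secret, nonce) answers identity: "Is it mine?"
    firewall_on: bool        # the remaining fields are integrity claims: "Is it okay?"
    av_on: bool
    image_hash: str          # self integrity check of the running image
    location: str
    seconds_since_boot: int

def make_proof(server_id: str, nonce: bytes) -> bytes:
    # What a server computes from its embedded key when asking for its volume key.
    return hmac.new(EMBEDDED_SECRETS[server_id], nonce, hashlib.sha256).digest()
def identity_ok(req: KeyRequest) -> bool:
    secret = EMBEDDED_SECRETS.get(req.server_id, b"")  # unknown server: empty secret
    expected = hmac.new(secret, req.nonce, hashlib.sha256).digest()
    return bool(secret) and hmac.compare_digest(expected, req.proof)

INTEGRITY_RULES = [  # (name, predicate that must hold); "image" is treated as a hard failure
    ("firewall", lambda r: r.firewall_on),
    ("av", lambda r: r.av_on),
    ("image", lambda r: r.image_hash == GOLDEN_IMAGE_HASH),
    ("location", lambda r: r.location in ALLOWED_LOCATIONS),
    ("start-up time", lambda r: r.seconds_since_boot <= MAX_SECONDS_SINCE_BOOT),
]

def integrity_failures(req: KeyRequest) -> list:
    return [name for name, holds in INTEGRITY_RULES if not holds(req)]

def decide(req: KeyRequest) -> tuple:
    # Returns (decision, key): "release" with the key, else "manual" or "deny" with None.
    if not identity_ok(req):
        return ("deny", None)       # unknown or forged server: never released, even manually
    failures = integrity_failures(req)
    if not failures:
        return ("release", VOLUME_KEYS[req.server_id])  # auto rule: every check passed
    if "image" in failures:
        return ("deny", None)       # modified image: hard failure
    return ("manual", None)         # soft failures queue for a human, rules-based decision
```

A copied machine image started by someone else still carries the embedded secret, so the integrity rules (location, start-up window, image hash) are what keep the volume key from being released to it automatically.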
The Data Centre Is Changing
Have your security strategies changed accordingly?
1. Improve Server Defences (supplement with IDS/IPS, FW, Application security); implement full audit and monitoring of virtualized environments
2. Use available virtualisation APIs for higher levels of security with simpler operations
3. Add virtualisation-aware agents where needed
4. Implement enterprise managed encryption to secure data in the cloud
Thank you