
Cloud Security


Presentation Transcript


  1. Cloud Security
     Tamir Zegman, Architect

  2. Security as a Service
     • Not the topic of this presentation
     • Many types of security services:
       • Mail Security (Postini)
       • Web Security (ZScaler)
       • DDoS (Prolexic)
       • Anti-Virus (VirusTotal)
     • Many security offerings rely on Cloud Services (e.g. signature updates, reputation services etc.)

  3. Cloud can mean many things:
     • IaaS (AWS EC2, Google Compute Engine)
     • PaaS (Facebook Apps, AWS BeanStalk)
     • SaaS (SalesForce, Facebook)
     • Private / Public / Community clouds
     • Enterprise / Consumer

  4. Public cloud - new Security concerns
     • Physical security
     • Data lifecycle
     • Foreign governments
     • Multi-tenants:
       • Hypervisor attacks
       • Network attacks:
         • Sniffing
         • Spoofing
         • DDoS

  5. Security Built-in?
     • The big cloud providers are taking security into consideration:
       • http://www.windowsazure.com/en-us/support/trust-center/security/
       • http://aws.amazon.com/security/
       • https://trust.salesforce.com/trust/security/
     • Seems like economies of scale play in favor of both parties:
       • The cloud provider is likely to have better security knowhow
       • Improved resiliency under attacks (DDoS & DR)

  6. Separation of Responsibilities

  7. Separation of Responsibilities
     • Customers can only manage security at the tiers they are responsible for
     • Customers must manage security at the tiers they are responsible for
     • Example:
       • In a PaaS environment:
         • The cloud provider is responsible for patching the OS layer
         • The customer needs to make sure there are no vulnerabilities in his application code

  8. S3
     • A “Simple Storage Service”
     • Upload and download of data objects
     • Data in motion:
       • SSL/TLS
     • Data at rest:
       • Client side encryption + key management
       • Server side encryption
     • A simple service with little security implications
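
The "server side encryption" bullet is usually enforced rather than left to each uploader. The following is an added example, not part of the slides, of an S3 bucket policy that denies any PutObject request lacking an `x-amz-server-side-encryption` header or naming an unexpected encryption type, together with a small local simulation of how its two Deny statements apply to sample requests. The bucket name and request headers are constructed; the condition key `s3:x-amz-server-side-encryption` and the `Null` / `StringNotEqualsIfExists` operators are the real AWS ones. The simulator handles only the operators this policy uses and is not a general IAM evaluator.

```python
import json
from typing import Optional

BUCKET = "example-bucket"  # constructed placeholder, not a real bucket name

SSE_KEY = "s3:x-amz-server-side-encryption"   # IAM condition key
SSE_HEADER = "x-amz-server-side-encryption"   # request header the key reflects


def sse_only_bucket_policy(bucket: str) -> dict:
    """Bucket policy with two explicit Deny statements on s3:PutObject:
    one for requests carrying no SSE header at all (Null condition) and one
    for requests whose header names anything other than AES256 (SSE-S3) or
    aws:kms (SSE-KMS)."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"Null": {SSE_KEY: "true"}},
            },
            {
                "Sid": "DenyWrongEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {
                    "StringNotEqualsIfExists": {SSE_KEY: ["AES256", "aws:kms"]}
                },
            },
        ],
    }


def put_object_denied(policy: dict, headers: dict) -> Optional[str]:
    """Local simulation of the two Deny statements above against the headers
    of a PutObject request. Returns the Sid of the first matching Deny, or
    None when neither matches (the request then depends on whatever Allow
    statements the caller has). Only the two operators used here are modelled."""
    sse = headers.get(SSE_HEADER)
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        if cond.get("Null", {}).get(SSE_KEY) == "true":
            # Null: "true" matches when the key is absent from the request
            if sse is None:
                return stmt["Sid"]
        if "StringNotEqualsIfExists" in cond:
            allowed = cond["StringNotEqualsIfExists"][SSE_KEY]
            # ...IfExists: an absent key never matches; a present key must be listed
            if sse is not None and sse not in allowed:
                return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = sse_only_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    for hdrs in ({}, {SSE_HEADER: "AES256"}, {SSE_HEADER: "aws:kms"}, {SSE_HEADER: "none"}):
        print(hdrs, "->", put_object_denied(policy, hdrs) or "not denied by this policy")
```

Since S3 applies SSE-S3 to new objects by default (from early 2023), this pattern is mostly used today to require `aws:kms` specifically, so that keys, rotation and access logging stay with KMS; drop `AES256` from the list for that variant. The explicit Deny also covers the client-side-encryption bullet in the sense that it does not interfere with it: a client that encrypts before upload can still set the header, and the object is then protected by both layers.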

  9. SalesForce
     • The de-facto standard in CRM (customer relationship management)
     • Enjoys a big corporate install base
     • Stores very sensitive corporate data (list of customers, potential deals etc.)
     • Security concerns:
       • Authorization and access control
       • Data Loss Prevention

  10. Authentication to cloud Apps
     • Requirements (enterprise):
       • Strong authentication
       • Single sign on
       • Automatic user de-provisioning
       • Support office, remote and mobile users
       • Support multiple SaaS providers
     • Solutions:
       • SAML - for corporate
       • OpenID - mostly for consumer
       • OAuth - “machine to machine”
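
The OAuth "machine to machine" case on this slide is the client-credentials grant: a service authenticates to an authorization server with its own credentials and receives a short-lived access token for one API. The following is an added example, not from the slides, that simulates both sides of that exchange in one process: an authorization server that issues HS256-signed JWTs and a resource server that checks algorithm, signature, issuer, audience, expiry and scope before honouring a call. Client ids, secrets, URLs and the signing key are constructed; sharing one HMAC key between the two servers is a simplification, and a real deployment would have the resource server verify an asymmetric signature against the issuer's published keys.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Issues access tokens for the client_credentials grant."""

    def __init__(self, signing_key: bytes, issuer: str, ttl: int = 300):
        self.key, self.issuer, self.ttl = signing_key, issuer, ttl
        self.clients = {}  # client_id -> (sha256(secret), allowed scopes)

    def register_client(self, client_id: str, client_secret: str, scopes: set) -> None:
        # Keep only a hash of the secret, as a credential store should
        self.clients[client_id] = (hashlib.sha256(client_secret.encode()).digest(), scopes)

    def token(self, client_id: str, client_secret: str, audience: str,
              scope: str, now: Optional[int] = None) -> Optional[str]:
        entry = self.clients.get(client_id)
        if entry is None:
            return None
        stored_hash, allowed = entry
        if not hmac.compare_digest(stored_hash, hashlib.sha256(client_secret.encode()).digest()):
            return None  # wrong client secret
        if not set(scope.split()) <= allowed:
            return None  # client asked for a scope it was never granted
        now = int(time.time()) if now is None else now
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"iss": self.issuer, "sub": client_id, "aud": audience, "scope": scope,
                  "iat": now, "exp": now + self.ttl, "jti": secrets.token_hex(8)}
        payload = b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"


class ResourceServer:
    """The API being called; trusts nothing in a token until it is verified."""

    def __init__(self, verify_key: bytes, issuer: str, audience: str):
        self.key, self.issuer, self.audience = verify_key, issuer, audience

    def verify(self, token: str, required_scope: str, now: Optional[int] = None) -> Optional[dict]:
        try:
            header, payload, sig = token.split(".")
            hdr = json.loads(b64url_decode(header))
            expected = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
            # Pin the algorithm (rejects "none" and algorithm confusion), then check the MAC
            if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
                return None
            if not hmac.compare_digest(expected, b64url_decode(sig)):
                return None
            claims = json.loads(b64url_decode(payload))
        except ValueError:  # wrong segment count, bad base64 or bad JSON
            return None
        now = int(time.time()) if now is None else now
        if claims.get("iss") != self.issuer or claims.get("aud") != self.audience:
            return None  # minted by another issuer or for another API
        if now >= int(claims.get("exp", 0)):
            return None  # expired
        if required_scope not in claims.get("scope", "").split():
            return None  # authenticated, but not authorised for this operation
        return claims


def demo() -> dict:
    """Run the exchange end to end with constructed values and report which
    requests the resource server accepted or rejected (every entry should be True)."""
    key = b"\x01" * 32  # constructed shared HMAC key
    iss, aud = "https://as.example", "https://api.example/invoices"
    auth = AuthorizationServer(key, iss, ttl=300)
    auth.register_client("billing-batch", "constructed-secret", {"invoices:read"})
    api = ResourceServer(key, iss, aud)
    tok = auth.token("billing-batch", "constructed-secret", aud, "invoices:read", now=1000)
    # Edit a claim without re-signing: the MAC no longer matches
    h, p, s = tok.split(".")
    claims = json.loads(b64url_decode(p))
    claims["scope"] = "invoices:write"
    forged = f"{h}.{b64url(json.dumps(claims).encode())}.{s}"
    none_alg = b64url(json.dumps({"alg": "none"}).encode())
    other_api = ResourceServer(key, iss, "https://api.example/other")
    return {
        "valid": api.verify(tok, "invoices:read", now=1100) is not None,
        "expired": api.verify(tok, "invoices:read", now=1300) is None,
        "wrong_scope": api.verify(tok, "invoices:write", now=1100) is None,
        "wrong_audience": other_api.verify(tok, "invoices:read", now=1100) is None,
        "forged_scope": api.verify(forged, "invoices:write", now=1100) is None,
        "alg_none": api.verify(f"{none_alg}.{p}.", "invoices:read", now=1100) is None,
        "bad_secret": auth.token("billing-batch", "wrong", aud, "invoices:read", now=1000) is None,
        "ungranted_scope": auth.token("billing-batch", "constructed-secret", aud, "invoices:write", now=1000) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:16s} {'ok' if ok else 'FAILED'}")
```

The checks in `verify` map onto the slide's enterprise requirements: the audience check is what keeps a token for one SaaS provider from being replayed against another, and the short `exp` is what makes de-provisioning effective, since a revoked client can at worst use a token until it expires.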

  11. SAML
     • source: Google

  12. Data at rest – SalesForce (and others)
     • Solution:
       • A proxy + tokenization/encryption service (e.g. CipherCloud)
     • Difficulty around ‘search’ functionality:
       • Supporting search compromises security
       • Homomorphic encryption?
         • Fragile and limited
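
To make the search trade-off on this slide concrete, here is an added example, not from the slides and not CipherCloud's or anyone's product code, of a minimal tokenization proxy sitting between users and a SaaS CRM. Sensitive field values are replaced by tokens on the way out and restored from an enterprise-side vault on the way back. Two token schemes are implemented: random tokens, which support no server-side search at all, and deterministic HMAC-derived tokens, which let the SaaS do exact-match search but also let anyone holding only the SaaS data see which records share a value and how often each value occurs. The CRM rows and the HMAC key are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class TokenizationProxy:
    """Sits between users and the SaaS. Sensitive field values are swapped for
    tokens on the way out and restored on the way back; plaintext stays in a
    vault on the enterprise side and never reaches the SaaS."""

    def __init__(self, mode: str = "random", key: Optional[bytes] = None):
        if mode not in ("random", "deterministic"):
            raise ValueError(mode)
        self.mode = mode
        self.key = key or secrets.token_bytes(32)  # never leaves the enterprise
        self.vault = {}                            # token -> plaintext

    def _derive(self, value: str) -> str:
        # Deterministic scheme: same value -> same token, so the SaaS can match on it
        return "tok_" + hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:24]

    def tokenize(self, value: str) -> str:
        tok = self._derive(value) if self.mode == "deterministic" else "tok_" + secrets.token_hex(12)
        self.vault[tok] = value
        return tok

    def outbound(self, record: dict, sensitive: set) -> dict:
        """On the way to the SaaS: replace the sensitive fields with tokens."""
        return {k: (self.tokenize(v) if k in sensitive else v) for k, v in record.items()}

    def inbound(self, record: dict) -> dict:
        """On the way back: restore any field that holds a vault token."""
        return {k: (self.vault.get(v, v) if isinstance(v, str) else v) for k, v in record.items()}

    def search_token(self, value: str) -> Optional[str]:
        """Token to type into the SaaS search box for an exact match on value.
        Only the deterministic scheme can produce one; with random tokens the
        proxy would have to pull every record back and search locally."""
        return self._derive(value) if self.mode == "deterministic" else None


def saas_search(stored: list, field: str, needle: str) -> list:
    """All the SaaS side can do: compare the opaque strings it holds."""
    return [r for r in stored if r.get(field) == needle]


def largest_cluster(stored: list, field: str) -> int:
    """What someone holding only the SaaS data learns without the vault: the
    size of the biggest group of records sharing one token, i.e. a frequency
    profile of the hidden values."""
    counts = {}
    for r in stored:
        counts[r[field]] = counts.get(r[field], 0) + 1
    return max(counts.values(), default=0)


def demo(mode: str) -> dict:
    proxy = TokenizationProxy(mode, key=b"\x02" * 32)  # constructed key
    records = [  # constructed CRM rows; "company" is the field to protect
        {"id": 1, "company": "Acme Ltd", "deal_value": 120000},
        {"id": 2, "company": "Globex", "deal_value": 45000},
        {"id": 3, "company": "Acme Ltd", "deal_value": 9000},
    ]
    stored = [proxy.outbound(r, {"company"}) for r in records]  # what the SaaS holds
    needle = proxy.search_token("Acme Ltd")
    hits = saas_search(stored, "company", needle) if needle else []
    return {
        "plaintext_reaches_saas": any(r["company"] in ("Acme Ltd", "Globex") for r in stored),
        "round_trip_ok": [proxy.inbound(r) for r in stored] == records,
        "search_hits": sorted(r["id"] for r in hits),
        "largest_cluster": largest_cluster(stored, "company"),
    }


if __name__ == "__main__":
    for mode in ("random", "deterministic"):
        print(mode, demo(mode))
```

In random mode no plaintext reaches the SaaS and nothing correlates, but the search returns nothing; in deterministic mode the same query finds both Acme records, and `largest_cluster` shows the price: the SaaS copy now reveals that two of three customers are the same company. Substring, prefix and range search need even more structure in the token, which is the direction in which the slide's "fragile and limited" warning applies.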

  13. Network architecture
     • Network architectures:
       • Blurred perimeter:
         • Limited network topologies
         • Multiple cloud providers - similar but different
         • Limited or no control over tiers managed by the cloud provider
       • SDN
     • Overlay of security management:
       • Cross vendor / region
       • Dynamically close/open ACLs
       • Dynamically close/open host FWs

  14. Questions?
     • Thank you
