250 likes | 465 Views
Security in the Cloud: Can You Trust What You Can’t Touch?. Rob Johnson Security Architect, Cloud Engineering Unisys Corp. Security in the Cloud: Agenda. Introductions What is Cloud Computing, and what are the risks? Cloud Security Architecture Multi-Tenancy Considerations Wrap-up.
E N D
Security in the Cloud:Can You Trust What You Can’t Touch? Rob Johnson Security Architect, Cloud Engineering Unisys Corp.
Security in the Cloud: Agenda • Introductions • What is Cloud Computing, and what are the risks? • Cloud Security Architecture • Multi-Tenancy Considerations • Wrap-up
Security in the Cloud: Introductions • Who am I? • Rob Johnson, Distinguished Engineer, Unisys Corp. • 30 years doing I/O, networking, and security • Who is Unisys? • 130+ year heritage • Provides technology, services, and solutions to the world’s largest enterprises • Who are You?
Security in the Cloud: What is Cloud Computing? • National Institute of Standards and Technology (NIST): http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc • Essential Characteristics: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service • Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) • Deployment Models: Private cloud, Community cloud, Public cloud, Hybrid cloud • On/off Premise • Security controls being defined by industry: FedRAMP, PCI DSS v2.0, etc.
Security in the Cloud: What are the Risks? • #1 Loss of control of assets (applications and data) • Where are they? • How many copies are there? • Who can access them? • #2 Compliance • Regulatory Audits: PCI DSS v2, HIPAA, COBIT, FedRAMP, etc. • Jurisdictional Boundaries: Patriot Act, Data locality regulations • #3 Provider Transparency • Process visibility • Audit, logging, and Incident Event Management (IEM)
Cloud Computing: Service Models • Software as a Service (SaaS): • Complete application environment supplied and managed by the Cloud Provider, not tenant • Platform as a Service (PaaS) • Provider supplies an application development and execution environment. • Tenant can secure data and inter-process communication. • Infrastructure as a Service (IaaS) • Provider supplies the infrastructure components (compute, network, storage), but little else. • Tenant runs a virtual data center.
Security in the Cloud: Cloud Security Architecture • Service Models wrapped in Access Planes
Cloud Security Architecture: Access Planes • Service Models wrapped in Access Planes • Provider Administration:Controls and manages the service components • IaaS: Hypervisors, vSwitches, vFirewalls, storage vLUNs, etc. • PaaS: VMs for hosting applications, web services, storage containers, load balancers, etc. • SaaS: Application suites, databases, identity management, etc.
Cloud Security Architecture: Access Planes • Service Models wrapped in Access Planes • Provider Administration • Tenant Administration:Manages per-Tenant components • IaaS: VMs, vFirewalls, vLUNs • PaaS: Applications, object stores • SaaS: Users, application data objects
Cloud Security Architecture: Access Planes • Service Models wrapped in Access Planes • Provider Administration • Tenant Administration • End User Access • IaaS: VM console (RDP, rsh, etc.) • PaaS: Distributed apps (SOA, webapps), test/dev, etc. • SaaS: Application presentation
Cloud Security Architecture: Access Planes • Service Models wrapped in Access Planes • Provider Administration • Tenant Administration • End User Access • Intra-Cloud Access • Service-to-service • Intra-tenant • Web services
Security in the Cloud: Multi-Tenancy Considerations • Isolation and Containment: Tenants Share Physical Resources • Identity and Access Management:“Who are you, and why do they keep sending you here?” • Transparency:“Where are my assets, and who is doing what to them?”
Security in the Cloud: Multi-Tenancy Considerations • Isolation and Containment: Tenants Share Physical Resources • Data in Process • Memory • Processors and caches • NICs • HBAs • etc.
Security in the Cloud: Multi-Tenancy Considerations • Isolation and Containment: Tenants Share Physical Resources • Data in Process • Data in Motion • Cloud Intranet • VLANsand Firewalls • Cryptographic Communities of Interest • IPsec • SSL • Unisys Stealth
Security in the Cloud: Multi-Tenancy Considerations • Isolation and Containment: Tenants Share Physical Resources • Data in Process • Data in Motion • Cloud Intranet • Extranet / Internet • Tenant DMZs • Site-to-site VPNs • Remote users • Web access
Security in the Cloud: Multi-Tenancy Considerations • Isolation and Containment: Tenants Share Physical Resources • Data in Process • Data in Motion • Data at Rest • Network Attached Storage (NAS) • Per-tenant file servers • Access Control Lists (ACLs) • Encrypted File Systems
Security in the Cloud: Multi-Tenancy Considerations • Isolation and Containment: Tenants Share Physical Resources • Data in Process • Data in Motion • Data at Rest • Network Attached Storage (NAS) • Storage Area Network (SAN) • Virtualized LUNs • Encryption / Authentication • Replication / Dispersal
Security in the Cloud: Multi-Tenancy Considerations • Isolation and Containment: Tenants Share Physical Resources • Data in Process • Data in Motion • Data at Rest • Network Attached Storage (NAS) • Storage Area Network (SAN) • PaaS storage objects & containers
Security in the Cloud: Multi-Tenancy Considerations • Isolation and Containment: Tenants Share Physical Resources • Identity & Access Management:“Who are you, and why do they keep sending you here?” • Identification: Who are you? • Authentication: Prove you are who you say you are. • Authorization: What are you allowed to do / what is your role? • Validation: Double-check before executing
Security in the Cloud: Multi-Tenancy Considerations • Isolation and Containment: Tenants Share Physical Resources • Identity & Access Management:“Who are you, and why do they keep sending you here?” • Transparency:“Where are my assets, and who is doing what to them?” • Accountability: All actions are securely audited • Chargeability: Pay-for-play • SLAs: Availability, scalability,performance, etc.
Security in the Cloud: Wrap-up • Cloud Computing = losing control of assets (data, applications) • Secure Cloud Computing = regaining control through identity management, secure networking, secure storage, and provider transparency Questions?