Cloud Security
Tamir Zegman, Architect
©2012 Check Point Software Technologies Ltd.
Dec 24, 2015
Security as a Service
Not the topic of this presentation
Many types of security services:
– Mail Security (Postini)
– Web Security (ZScaler)
– DDoS (Prolexic)
– Anti-Virus (VirusTotal)
Many security offerings rely on Cloud Services (e.g. signature updates, reputation services etc.)
Cloud can mean many things:
– IaaS (AWS EC2, Google Compute Engine)
– PaaS (Facebook Apps, AWS BeanStalk)
– SaaS (SalesForce, Facebook)
– Private / Public / Community clouds
– Enterprise / Consumer
Public cloud - new security concerns
Physical security
Data lifecycle
Foreign governments
Multi-tenants:
– Hypervisor attacks
– Network attacks:
  – Sniffing
  – Spoofing
  – DDoS
Security Built-in?
The big cloud providers are taking security into consideration:
– http://www.windowsazure.com/en-us/support/trust-center/security/
– http://aws.amazon.com/security/
– https://trust.salesforce.com/trust/security/
Seems like economies of scale play in favor of both parties:
– The cloud provider is likely to have better security knowhow
– Improved resiliency under attacks (DDoS & DR)
Separation of Responsibilities
Customers can only manage security at the tiers they are responsible for
Customers must manage security at the tiers they are responsible for
Example:
– In a PaaS environment:
  – The cloud provider is responsible for patching the OS layer
  – The customer needs to make sure there are no vulnerabilities in his application code
S3
A “Simple Storage Service”
Upload and download of data objects
Data in motion:
– SSL/TLS
Data at rest:
– Client side encryption + key management
– Server side encryption
A simple service with few security implications
SalesForce
The de-facto standard in CRM (customer relationship management)
Enjoys a large install base among big corporates
Stores very sensitive corporate data (list of customers, potential deals etc.)
Security concerns:
– Authorization and access control
– Data Loss Prevention
Authentication to cloud apps
Requirements (enterprise):
– Strong authentication
– Single sign on
– Automatic user de-provisioning
– Support office, remote and mobile users
– Support multiple SaaS providers
Solutions:
– SAML - for corporate
– OpenID - mostly for consumer
– OAuth - “machine to machine”
Data at rest – SalesForce (and others)
Solution:
– A proxy + tokenization/encryption service (e.g. CipherCloud)
– Difficulty around ‘search’ functionality:
  – compromise security
  – Homomorphic encryption?
    – Fragile and limited
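The search trade-off on this slide is easier to see in code. The following is an added example (not Check Point's or CipherCloud's code, and not how any particular product works) of a tokenization proxy: sensitive field values are swapped for random tokens before a record is sent to the SaaS provider, the real values stay in an on-premises vault, and a deterministic keyed hash (HMAC) is stored next to each token so the provider can still answer exact-match searches. The field names, the HMAC key and the sample records are constructed for the demo. The example shows what is compromised: equal values get equal tags (equality and frequency leak to the provider), and substring or prefix searches on the field stop working.

```python
import hashlib
import hmac
import secrets

# Fields the proxy must never let reach the SaaS provider in clear text
# (constructed for this demo).
SENSITIVE_FIELDS = ("customer",)


class TokenizationProxy:
    """Sits between the enterprise and the SaaS app; the vault stays on-prem."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret key for the search tags (demo value)
        self._vault = {}              # token -> clear value, never uploaded

    def _search_tag(self, value: str) -> str:
        # Deterministic keyed hash: equal (case-folded) values give equal tags.
        # That is what makes exact-match search possible on the SaaS side, and
        # it is also what leaks equality/frequency of field values.
        return hmac.new(self._index_key, value.casefold().encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def protect(self, record: dict) -> dict:
        """Return the copy of `record` that is sent to the SaaS provider."""
        out = dict(record)
        for field in SENSITIVE_FIELDS:
            if field in out:
                token = "tok_" + secrets.token_hex(8)   # random per occurrence
                self._vault[token] = out[field]
                out[field] = token
                out[field + "_tag"] = self._search_tag(record[field])
        return out

    def reveal(self, record: dict) -> dict:
        """Reverse `protect` for a record coming back from the SaaS provider."""
        out = dict(record)
        for field in SENSITIVE_FIELDS:
            if field in out and out[field] in self._vault:
                out[field] = self._vault[out[field]]
                out.pop(field + "_tag", None)
        return out

    def search_tag_for(self, query: str) -> str:
        """The proxy rewrites an exact-match query into a tag the SaaS can filter on."""
        return self._search_tag(query)


def find_exact(cloud_records, proxy, field, query):
    """What the SaaS side can still do: filter on the deterministic tag.

    Only whole-value matches work; a substring such as "Acme" against the
    stored value "Acme Corp" produces a different tag and finds nothing.
    """
    tag = proxy.search_tag_for(query)
    return [r for r in cloud_records if r.get(field + "_tag") == tag]


if __name__ == "__main__":
    proxy = TokenizationProxy(index_key=b"constructed-demo-key")
    cloud = [proxy.protect({"id": 1, "customer": "Acme Corp", "stage": "proposal"}),
             proxy.protect({"id": 2, "customer": "acme corp", "stage": "won"}),
             proxy.protect({"id": 3, "customer": "Globex", "stage": "lead"})]
    print("stored at the SaaS provider:", cloud)
    print("exact match 'ACME CORP':",
          [r["id"] for r in find_exact(cloud, proxy, "customer", "ACME CORP")])
    print("substring 'Acme':", find_exact(cloud, proxy, "customer", "Acme"))
    print("revealed on the way back:", proxy.reveal(cloud[2]))
```

Note that the tokens themselves are random, so a provider-side dump of the `customer` column reveals nothing; all of the leakage is concentrated in the `customer_tag` column, which is exactly the price paid for keeping the provider's search feature alive.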
Network architecture
Network architectures:
– Blurred perimeter:
  – Limited network topologies
  – Multiple cloud providers - similar but different
  – Limited or no control over tiers managed by the cloud provider
– SDN
Overlay of security management:
– Cross vendor / region
– Dynamically close/open ACLs
– Dynamically close/open host FWs
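The "overlay of security management" bullet describes one policy being pushed to different enforcement points (cloud ACLs and host firewalls, across vendors and regions). The following added example (not Check Point's code, and not a real management product) shows the core of such an overlay: a vendor-neutral rule set is compared with what each enforcement point currently has, and the difference is rendered as open/close commands for that point's backend. Two backends are rendered, an AWS security group via the `aws ec2 authorize-security-group-ingress` / `revoke-security-group-ingress` CLI and a Linux host firewall via `iptables`; the enforcement point names, region, the `sg-PLACEHOLDER` group id and the sample rule sets are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Vendor-neutral ingress rule: allow `proto`/`port` from `cidr`."""
    proto: str
    port: int
    cidr: str


@dataclass(frozen=True)
class EnforcementPoint:
    """Somewhere the overlay can open or close a rule."""
    name: str
    backend: str          # "aws-sg" (cloud ACL) or "iptables" (host FW)
    region: str = ""      # used by the cloud backend only
    group_id: str = ""    # AWS security group id (placeholder in the demo)


def render(rule: Rule, point: EnforcementPoint, open_rule: bool) -> str:
    """Translate one vendor-neutral rule into the backend's own command."""
    if point.backend == "aws-sg":
        verb = "authorize" if open_rule else "revoke"
        return (f"aws ec2 {verb}-security-group-ingress --region {point.region} "
                f"--group-id {point.group_id} --protocol {rule.proto} "
                f"--port {rule.port} --cidr {rule.cidr}")
    if point.backend == "iptables":
        flag = "-A" if open_rule else "-D"   # append / delete the ACCEPT rule
        return (f"iptables {flag} INPUT -p {rule.proto} --dport {rule.port} "
                f"-s {rule.cidr} -j ACCEPT")
    raise ValueError(f"unsupported backend: {point.backend}")


def plan(desired: set, actual: set, point: EnforcementPoint) -> list:
    """Commands that move `point` from its `actual` rules to the `desired` ones.

    Rules to open are emitted before rules to close on purpose: when a rule
    is being narrowed (e.g. 0.0.0.0/0 -> 10.0.0.0/8 on the same port) the
    replacement must exist before the old one is removed, otherwise legitimate
    traffic is dropped for the gap between the two operations.
    """
    order = lambda r: (r.proto, r.port, r.cidr)   # deterministic output
    to_open = sorted(desired - actual, key=order)
    to_close = sorted(actual - desired, key=order)
    return ([render(r, point, True) for r in to_open]
            + [render(r, point, False) for r in to_close])


def plan_all(desired: set, inventory: dict) -> dict:
    """Cross vendor / region: `inventory` maps each point to its actual rules."""
    return {point.name: plan(desired, actual, point)
            for point, actual in inventory.items()}


if __name__ == "__main__":
    # Constructed policy for a "web" role: HTTPS from anywhere, SSH from the
    # corporate range only.
    desired = {Rule("tcp", 443, "0.0.0.0/0"), Rule("tcp", 22, "10.0.0.0/8")}
    aws_point = EnforcementPoint("web-eu", "aws-sg",
                                 region="eu-west-1", group_id="sg-PLACEHOLDER")
    host_point = EnforcementPoint("web-host-1", "iptables")
    inventory = {
        # Stale rule: SSH still open to the world, must be narrowed.
        aws_point: {Rule("tcp", 443, "0.0.0.0/0"), Rule("tcp", 22, "0.0.0.0/0")},
        # Fresh host with no rules yet.
        host_point: set(),
    }
    for name, commands in plan_all(desired, inventory).items():
        print(f"== {name}")
        for cmd in commands:
            print(cmd)
```

The plan is only the first half of the job: a real overlay would also read back the actual rule sets from each provider's API before planning, so that drift introduced outside the overlay (a rule someone opened by hand in the console) shows up as something to close.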