©2012 Check Point Software Technologies Ltd. Cloud Security Tamir Zegman Architect

Dec 24, 2015

Page 1

Cloud Security

Tamir Zegman

Architect

Page 2

Security as a Service

Not the topic of this presentation

Many types of security services:
– Mail Security (Postini)
– Web Security (ZScaler)
– DDoS (Prolexic)
– Anti-Virus (VirusTotal)

Many security offerings rely on Cloud Services (e.g. signature updates, reputation services etc.)

Page 3

Cloud can mean many things:
– IaaS (AWS EC2, Google Compute Engine)
– PaaS (Facebook Apps, AWS BeanStalk)
– SaaS (SalesForce, Facebook)
– Private / Public / Community clouds
– Enterprise / Consumer

Page 4

Public cloud – new security concerns

Physical security

Data lifecycle

Foreign governments

Multi-tenants:
– Hypervisor attacks
– Network attacks:
  – Sniffing
  – Spoofing
  – DDoS

Page 5

Security Built-in?

The big cloud providers are taking security into consideration:

– http://www.windowsazure.com/en-us/support/trust-center/security/
– http://aws.amazon.com/security/
– https://trust.salesforce.com/trust/security/

Economies of scale seem to play in favor of both parties:
– The cloud provider is likely to have better security know-how
– Improved resiliency under attack (DDoS & DR)

Page 6

Separation of Responsibilities

Page 7

Separation of Responsibilities

Customers can only manage security at the tiers they are responsible for

Customers must manage security at the tiers they are responsible for

Example:
– In a PaaS environment:
  – The cloud provider is responsible for patching the OS layer
  – The customer needs to make sure there are no vulnerabilities in his application code

Page 8

S3

A “Simple Storage Service”

Upload and download of data objects

Data in motion:
– SSL/TLS

Data at rest:
– Client-side encryption + key management
– Server-side encryption

A simple service with few security implications

Page 9

SalesForce

The de facto standard in CRM (customer relationship management)

Enjoys a large install base among big corporates

Stores very sensitive corporate data (list of customers, potential deals etc.)

Security concerns:
– Authorization and access control
– Data Loss Prevention

Page 10

Authentication to cloud apps

Requirements (enterprise):
– Strong authentication
– Single sign-on
– Automatic user de-provisioning
– Support office, remote and mobile users
– Support multiple SaaS providers

Solutions:
– SAML – for corporate
– OpenID – mostly for consumer
– OAuth – “machine to machine”

Page 11

SAML

source: Google

Page 12

Data at rest – SalesForce (and others)

Solution:
– A proxy + tokenization/encryption service (e.g. CipherCloud)
– Difficulty around ‘search’ functionality:
  – compromise security
  – Homomorphic encryption?
    – Fragile and limited
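To make the "difficulty around search" concrete, here is an added example (not code from the deck or from CipherCloud) of a minimal tokenization proxy: sensitive field values are replaced with tokens before records leave the enterprise, the real values stay in an on-premise vault, and the SaaS side only ever stores tokens. The records, field names and vault key are constructed; the SaaS store is a stand-in for the provider. It shows that exact-match search still works (the proxy tokenizes the query the same way) while substring search on the cloud side returns nothing, which is the trade-off the slide points at.

```python
import hashlib
import hmac
import secrets


class TokenizationProxy:
    """Sits between the enterprise and the SaaS provider (constructed example).

    Tokens are derived deterministically with an HMAC under a key that never
    leaves the enterprise, so equal values map to equal tokens and the SaaS
    side can still do exact-match lookups.
    """

    def __init__(self, vault_key: bytes):
        self._vault_key = vault_key   # kept on-premise
        self._vault = {}              # token -> original value

    def tokenize(self, value: str) -> str:
        tag = hmac.new(self._vault_key, value.encode(), hashlib.sha256).hexdigest()[:16]
        token = f"tok_{tag}"
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]

    def outbound(self, record: dict, sensitive: set) -> dict:
        """Replace sensitive fields before the record is sent to the cloud."""
        return {k: (self.tokenize(v) if k in sensitive else v) for k, v in record.items()}

    def inbound(self, record: dict) -> dict:
        """Restore original values on records coming back from the cloud."""
        return {k: (self.detokenize(v) if isinstance(v, str) and v in self._vault else v)
                for k, v in record.items()}


class SaaSStore:
    """Stand-in for the provider: it stores and searches whatever it receives."""

    def __init__(self):
        self.rows = []

    def insert(self, row: dict) -> None:
        self.rows.append(row)

    def search_exact(self, field: str, value: str) -> list:
        return [r for r in self.rows if r[field] == value]

    def search_substring(self, field: str, needle: str) -> list:
        return [r for r in self.rows if needle in r[field]]


SENSITIVE = {"customer"}   # fields that must not reach the cloud in clear (assumed)

# Constructed CRM-like records.
RECORDS = [
    {"id": 1, "customer": "Acme Corp", "stage": "negotiation"},
    {"id": 2, "customer": "Acme Corp", "stage": "closed"},
    {"id": 3, "customer": "Globex", "stage": "lead"},
]


def demo():
    """Return (exact hits, substring hits, plaintext leaked?, ids restored)."""
    proxy = TokenizationProxy(vault_key=secrets.token_bytes(32))
    cloud = SaaSStore()
    for rec in RECORDS:
        cloud.insert(proxy.outbound(rec, SENSITIVE))

    # Exact match works: the query is tokenized with the same key.
    exact = cloud.search_exact("customer", proxy.tokenize("Acme Corp"))
    # Substring search cannot work on the cloud side: tokens carry no structure
    # of the original string, so "every customer containing 'Acme'" finds nothing.
    partial = cloud.search_substring("customer", "Acme")
    leaked = any("Acme" in r["customer"] for r in cloud.rows)
    restored = [proxy.inbound(r) for r in exact]
    return len(exact), len(partial), leaked, sorted(r["id"] for r in restored)


if __name__ == "__main__":
    print(demo())
```

Deterministic tokens are exactly the "compromise security" branch on the slide: the provider learns which records share a customer (and their frequency) even though it never sees the name; random per-occurrence tokens would hide that but lose even exact-match search, leaving only sort-free, search-free storage.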

Page 13

Network architecture

Network architectures:
– Blurred perimeter:
– Limited network topologies
– Multiple cloud providers – similar but different
– Limited or no control over tiers managed by the cloud provider
– SDN

Overlay of security management:
– Cross vendor / region
– Dynamically close/open ACLs
– Dynamically close/open host FWs
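The "overlay of security management" bullet describes one policy layer that opens and closes ACLs across vendors and regions. As an added example (not from the deck or from any Check Point product), the code below keeps a single vendor-neutral rule set as the desired state, diffs it against what each target currently has, and renders the resulting open/close operations in each target's own vocabulary: an AWS-style security-group ingress change and an iptables-style host-firewall command. Target names, the rules and the current inventory are constructed; the AWS action and field names (AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress, IpProtocol, FromPort, ToPort, CidrIp) are real EC2 API names but no API call is made.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Vendor-neutral allow rule: protocol, destination port, source CIDR."""
    proto: str
    port: int
    cidr: str


def plan(desired: set, current: set):
    """Reconcile: rules to open are missing from current, rules to close are extra."""
    return desired - current, current - desired


def render_security_group(rule: Rule, action: str) -> dict:
    # AWS-style security group ingress change; 'open' authorizes, 'close' revokes.
    verb = "AuthorizeSecurityGroupIngress" if action == "open" else "RevokeSecurityGroupIngress"
    return {"Action": verb, "IpProtocol": rule.proto, "FromPort": rule.port,
            "ToPort": rule.port, "CidrIp": rule.cidr}


def render_host_fw(rule: Rule, action: str) -> str:
    # iptables-style host firewall: append the accept rule to open, delete it to close.
    flag = "-A" if action == "open" else "-D"
    return f"iptables {flag} INPUT -p {rule.proto} --dport {rule.port} -s {rule.cidr} -j ACCEPT"


RENDERERS = {"security_group": render_security_group, "host_firewall": render_host_fw}

# Desired state, managed once for every provider and region.
DESIRED = {
    Rule("tcp", 443, "0.0.0.0/0"),   # public HTTPS front end
    Rule("tcp", 22, "10.0.0.0/8"),   # admin SSH only from corporate ranges
}

# Constructed inventory of what each target currently enforces.
INVENTORY = {
    "aws-us-east-1/web-sg": {
        "kind": "security_group",
        "rules": {Rule("tcp", 443, "0.0.0.0/0"), Rule("tcp", 22, "0.0.0.0/0")},  # SSH open to the world
    },
    "gce-europe-west1/web-01": {
        "kind": "host_firewall",
        "rules": {Rule("tcp", 443, "0.0.0.0/0")},                               # SSH missing
    },
}


def reconcile(desired: set, inventory: dict) -> dict:
    """Return, per target, the ordered list of (op, rendered change) to apply."""
    changes = {}
    for target, state in inventory.items():
        to_open, to_close = plan(desired, state["rules"])
        render = RENDERERS[state["kind"]]
        changes[target] = (
            [("open", render(r, "open")) for r in sorted(to_open, key=str)]
            + [("close", render(r, "close")) for r in sorted(to_close, key=str)]
        )
    return changes


if __name__ == "__main__":
    for target, ops in reconcile(DESIRED, INVENTORY).items():
        print(target)
        for op, change in ops:
            print("  ", op, change)
```

Opening before closing is intentional: the restricted SSH rule is authorized before the world-open one is revoked, so administrators never lose access mid-change. Running the reconcile on a schedule also surfaces drift, such as a rule somebody added by hand in one provider's console.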

Page 14

Question

Thank you