Cloud Security
Ravi Varanasi, Technology Director, Cloud Security, Office of CTO
[email protected] | 408-526-7468
Oct 21, 2014
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Old vs. new security assumptions

Old: Protect the perimeter
New: Protect the data, the app, the hypervisor

Old: Place it in the right security zone
New: VMs should move with 'attached' security policy

Old: Zones are static
New: Zones are dynamic and on the move

Old: Machine-to-machine traffic can be seen on 'the wire'
New: Virtualization challenges this (VM-to-VM traffic on the same host may never reach the physical wire)

Old: Trust the 'insider'
New: Pervasive distrust

Old: Dedicated implies secure
New: Shared resources with instantiations
Role of the network in cloud security
• Sees all traffic
• Routes all requests
• Sources all data
• Controls all flows
• Handles all devices
• Touches all users
• Shapes all streams
A. Loss of control & visibility
B. Disruption of service
C. Information security
D. Company data isolation
E. Compliance
Cloud use cases (diagram: Branch Office, Enterprise Data Center, Internet, MPLS, Private Cloud with DC-Interconnect to a VDC in DC-2, SP Virtual Private Cloud / Public Cloud, SaaS apps)
• Use case 1: Private cloud
• Use case 2: Public/Hybrid cloud
• Use case 3: Connectivity to SaaS apps
• Use case 4: Intelligent branch connectivity
PE services, CPE services and current trends (diagram: Hosted DC, VDC, VPC behind the provider network; CPE at the customer edge, PE at the provider edge)
• CPE services: WAN Opt, QoS, Edge-FW, NAC, enterprise identity
• PE services: WAN Opt, QoS, FW, VPN, access control
• Service cloud build-out, on a virtual platform on the PE or on a cloud platform: IPS, zone FW, access control, AppFW, web security, WAN Opt
Building Trusted Clouds: tenets to focus on

Trusted cloud
• Data-in-flight security; data-at-rest security; DLP from SaaS apps
• DC interconnect: secure OTV, VPLS; secure connectivity at unified I/O
• AnyConnect, thin-client lockdown in VDI/VXI
• Admission control; web application security
• VM provisioning, ease of config; federated ID to SaaS apps
• Location-based policies; extension of ID parameters to the application
• LISP, location extensions to ISE; metadata, ID-based location policies

Situational awareness, infrastructure management
• Compliance reports; config vulnerability assessment
• Audit trails; physical inventory tracking
• Policy enforcement framework for ID, data protection, audit, security
• App-based controls

Hypervisor security
• Network value-add in VM-to-VM isolation
• vPath to stitch VMs; VLAN-, VRF-based isolation at vPath
• VN-Link

Operational security
• SAS 70 Type II audits
• PCI, CC, ENISA, CSA, NIST, FedRAMP, HIPAA
XaaS security needs (SaaS, PaaS, IaaS)
• FISMA Act of 2002
• NIST SP 800-53
• FIPS 199, 200
• Data protection
• DB operations at the SaaS provider must meet confidentiality, compliance, integrity and availability needs
Drivers for cloud usage, and the cloud security network value-add for each

Movement to cloud: data center consolidation, server consolidation
• DC interconnect: OTV, LISP
• Secure OTV, location-based policy, traffic shaping/SLA, data-in-flight and data-at-rest security, site-to-site VPN, FW
• Multi-tenant VM security

Storage consolidation (NAS, object, block) and I/O interconnect
• Data-at-rest security, persistent key storage
• Visibility: monitoring data copies, access logs
• Security while preserving dedupe, replication, etc.

Virtualization
• VM-to-VM security: FW, in-memory forensics
• Network richness in the hypervisor (ex: vPath)
• L3-L7 based policy; multi-tenant with HW control
• Hypervisor independence

Desktop virtualization, Internet of Things
• Thin-client lockdown, restricted local copy
• Context-aware VMotion
• Integrated thin client
Section tabs (repeated on the divider slides that follow): VM provisioning | Central Management | CSPC | Visibility, Tracking
Security market & solution requirements
Goal: building trusted enterprise and SP clouds to enable seamless enterprise adoption
1. Secure connectivity of DC to cloud, cloud to cloud, end-point to cloud app
2. Central control for:
   1. Configuration of infrastructure elements
   2. Policy: resource access, applications
3. Auto-provisioning of cloud security services with measurable consumption
4. Data-in-flight security: DLP, encryption (client to app, app to 'infra')
5. Data-at-rest security
6. Compliance with industry standards, customer standards, and regulations
7. Visibility: asset tracking, application/device/VM state, role-based audit trail
8. Secure the physical infrastructure (network, compute, storage, NOC)
9. Multi-tenancy: customer-centric resource and network isolation
Use case 1: Private cloud (diagram: enterprise DC with firewall, load balancer, VLAN/VRF, management and control, VPN termination (L2, L3), and web, application, database tiers with storage; DC-Interconnect to a VDC in DC-2)

Movement to private cloud
1. Web tier moves to VDC
• DC-Interconnect, L2 network extension solutions: Overlay Transport Virtualization (OTV), VXLAN, VLAN
• Secure OTV traffic: FW for OTV traffic, web application firewall
• VM provisioning & mobility: Nexus 1000V, vPath
• Presence at L2 extension end-points: virtual infrastructure services container
• Extension of network services to VDC: vFW, vWAAS; zone + edge FW; connect virtual and physical stacks
2. App tier moves to VDC
• VDI, VXI: availability, DR, 802.1X, TrustSec; AnyConnect client
Use case 2: Public/Hybrid cloud (diagram: enterprise private cloud with web, application, database tiers and storage, DC-Interconnect to a VDC in DC-2, and an SP Virtual Private Cloud / Public Cloud hosting a VPC with web, app and storage; branch office)
• Cloud bursting of the front-end web service: Bestbuy.com on Black Friday, IRS on April 15th
• Workload migration to public/hybrid cloud: Expedia's web front end to find an airline deal, with connectivity back to the enterprise-controlled app and DB for the actual ticketing
• VMotion of the web tier for DR, availability
• Branch office: scalable VPN, extension of network services
Security at scale
• Customer requirement: secure movement of vApps across cloud infrastructure
• Solution: VXLAN, millions of dedicated LAN segments (the 24-bit VXLAN Network Identifier allows about 16 million, against 4094 usable VLAN IDs)
• VXLAN is network friendly: efficient load sharing of links (port channel); supports NAT; better security controls
• Leverages the multicast network for broadcast / unknown-unicast traffic
• Diagram: vApp1 and vApp2 each contain a WebVM, AppVM and DBVM with duplicate MAC and IP addresses, kept apart by their VXLAN segment (Nexus 1000V & vCD)
• VXLAN IETF draft: http://datatracker.ietf.org/doc/draft-mahalingam-dutt-dcops-vxlan/ (submitted to IETF; supported by Cisco, VMware, RedHat, Citrix, others)
• Caveat: the VXLAN header carries no authentication; segment isolation holds only as long as the VTEPs and the underlay are trusted and VNI membership is enforced at the VTEP
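As an added example (mine, not from the deck and not Cisco's or VMware's code), the following Python builds and parses the VXLAN header from the draft above and shows why the duplicate MAC and IP addresses in vApp1 and vApp2 do not collide: the VTEP keys its forwarding state by (VNI, MAC) and refuses frames for VNIs it has not been provisioned for. The VNI values, MAC addresses, VTEP IPs and the allow-list are constructed for the demo; the outer IP/UDP encapsulation is omitted.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port (outer UDP, not built here)
FLAG_VNI_VALID = 0x08        # "I" flag: the VNI field is valid


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header (Flags, 24 reserved bits, VNI, 8 reserved bits)."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!BBBBI", FLAG_VNI_VALID, 0, 0, 0, vni << 8)
    return header + inner_frame


def parse_vxlan(packet: bytes):
    """Return (vni, inner_frame). Strict: the draft says receivers ignore the
    reserved bits; this parser rejects non-zero ones so covert use shows up."""
    if len(packet) < 8:
        raise ValueError("truncated VXLAN header")
    flags, r1, r2, r3, word = struct.unpack("!BBBBI", packet[:8])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    if (r1, r2, r3, word & 0xFF) != (0, 0, 0, 0):
        raise ValueError("reserved bits must be zero")
    return word >> 8, packet[8:]


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ethernet_frame(dst: str, src: str, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Minimal inner Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


class Vtep:
    """Toy VTEP: learns (VNI, source MAC) -> remote VTEP and enforces a VNI allow-list."""

    def __init__(self, allowed_vnis):
        self.allowed = set(allowed_vnis)
        self.fdb = {}                       # (vni, mac bytes) -> remote VTEP IP

    def receive(self, packet: bytes, from_vtep: str):
        vni, frame = parse_vxlan(packet)
        if vni not in self.allowed:
            # Segment isolation lives here: a VTEP must drop traffic for
            # segments it has not been provisioned for.
            raise PermissionError(f"VNI {vni} not provisioned on this VTEP")
        src_mac = frame[6:12]
        self.fdb[(vni, src_mac)] = from_vtep   # learning is scoped by VNI
        return vni, frame

    def lookup(self, vni: int, mac: str):
        return self.fdb.get((vni, mac_bytes(mac)))


def demo():
    """Two vApps reuse the same MAC; the VTEP keeps them apart by VNI."""
    vapp1, vapp2 = 5001, 5002                          # constructed VNIs
    vtep = Vtep(allowed_vnis=[vapp1, vapp2])
    same_mac = "00:50:56:00:00:01"                      # constructed: WebVM MAC in both vApps
    bcast = "ff:ff:ff:ff:ff:ff"
    vtep.receive(build_vxlan(vapp1, ethernet_frame(bcast, same_mac, b"vApp1 web")), "10.1.1.1")
    vtep.receive(build_vxlan(vapp2, ethernet_frame(bcast, same_mac, b"vApp2 web")), "10.1.1.2")
    return vtep.lookup(vapp1, same_mac), vtep.lookup(vapp2, same_mac), len(vtep.fdb)


if __name__ == "__main__":
    print(demo())           # ('10.1.1.1', '10.1.1.2', 2)
```

The allow-list check in `Vtep.receive` is the whole security argument of VXLAN: nothing in the header proves a frame belongs to a tenant, so the VTEP (and the underlay that admits packets to it) is the trust boundary.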
Use case 2: Web/App tiers to VPC: cloud security solutions
• L2 extensions, segmentation
• Cisco virtual router with security stack at the VPC edge: secure isolation within the cloud provider's network; feature parity, similar network stack at enterprise, branch and VPC
• Information security: data-in-flight security (location-based, secure VM connectivity); data-at-rest security (Cisco MDS)
• Multi-tenancy: vPath solution at the hypervisor level; separation with VXLAN, VLAN segmentation, VRF; isolation with VPC-edge firewall, access control
• Virtual firewall: combined zone + edge firewall, XACML configuration
• Compliance needs: visibility, asset tracking
• Location-based controls
• Admission control, centralized identity and policy control
• Hypervisor-agnostic stack: enables movement between clouds
The network yesterday and today (diagram)
• Branch office (ISR) to corporate HQ / data center over the service provider network: LL, FR, ATM, MetroE; L2 access and L3 access; SP-managed VPN (MPLS / GET VPN) and non-SP-managed VPN (Easy VPN / DMVPN, IPsec, SSL)
• Home / remote user: AnyConnect (IPsec / SSL) to an ASA 5500 at the Internet edge; ASR 1k at the WAN edge
• Today: private cloud reached over OTV and IPsec
The network tomorrow? VPC in the public cloud, reached over IPsec, as a DC interconnect
Build or acquire a multi-tenant cloud? (diagram)
• Cloud with VPC #1 and VPC #2, reached over the SP network (ASR 9k, MPLS VPN / GET VPN)
• Customer HQ / DC #1 and DC #2 (ASR 1k, ASA 5500)
• Customer #1: ISR with dedicated L2 access; Customer #2: ISR with site-to-site L3 access; home / remote user with remote L3 access
• Management split: SP managed; customer / cloud provider managed; customer managed
CSR 1000v at the cloud provider (diagram: enterprise data center and cloud provider VPC, joined by L2 over WAN and LISP across the Internet; LISP tunnel router, LISP VM mobility)
• L2 connectivity and L3 address mobility between DC and VPC
• Transparent on-boarding of existing business applications to the VPC
• L2 over WAN: EoMPLS over GRE
• Addressing: NAT/PAT, VRF-Lite
• Transport services: LISP for VM mobility, multicast
Virtual router deployment: connectivity, traffic redirection, integrated services, programmability, manageability, licensing, elasticity
• ASR at the data center, CSR in the cloud, ISR at the branch
• CSR integrated services: vWAAS, FW, VPN, NAT, QoS, BGP, AVC
• RAM / throughput options: 1 GB / 1 Gbps, 4 GB / 2 Gbps, ...
• Management: REST/XML, OpenStack, cloud portal, VNMC
Proposal for vPath positioning: importance & strategy
• Cisco's network value-add in the hypervisor
• VM-to-VM stitching, security; service chaining with SIA, SGT tags
• Ensure multi-tenancy with connectivity to hardware
• Local fast switching decisions for crypto, H-QoS, regex lookups
• Connect virtual and physical stacks
• Enforce segmentation
Diagram: vSphere hosts, each with a Nexus 1000V VEM, its VMs, a VSN and vPath
Strategic: Cisco's network intelligence present in the hypervisor
- Controls data-in-flight, inter-VM traffic
- Subjects VMotion to geo-policies
- Preserves the network experience while connecting cloud deployments
Virtual router based on IOS-XE, runs on a virtualized server (e.g. UCS)
• Phase 1: Virtual VPN appliance
- Site-to-site VPN: DMVPN, Easy VPN, IPsec
- Routing: BGP, EIGRP, OSPF, MPLS
- Network management: SNMP, syslog
- Access control: ACL, AAA
- Virtualization platform: VMware vSphere
- Basic licensing: static capacity (up to 150 tunnels), annual subscription
• Phase 1.1
- WAN Opt support
- Public cloud virtualization: Citrix Xen support
- More manageability: VNMC / LineSider Overdrive; OpenStack integration
- Advanced licensing: site licensing
- More IOS-XE features: FlexVPN (includes IPv6 support), AnyConnect (IPsec), L3 FW, HSRP
• Phase 2
- More security: GETVPN, L7 firewall (K2: visibility, web security), AnyConnect (SSL)
- More networking: NAT, QoS, NetFlow, OTV, LISP
- More virtualization platforms: Red Hat KVM, Microsoft Hyper-V
Storage-bound data and cloud storage (diagram: branch office and enterprise data center, private cloud with DC-Interconnect to a VDC in DC-2, VPC / public cloud; storage as NAS, SAN, object; cloud storage: EMC, ATMOS, Amazon EC2, Hadoop)

Customer demands, compliance needs for cloud security
• All storage-bound data *must* be encrypted before it leaves the campus edge, the enterprise
• All key material must remain within (or within complete control of) the enterprise

Problem
• Storage vendors apply efficiency protocols like de-duplication and thin provisioning at the last mile, before storing the data
• Those protocols operate on plaintext; data encrypted upstream with keys the storage vendor never sees defeats them. NetApp and EMC recognize the need for a pre-processing stack

Solution
• Pre-process the storage protocols on VMs on branch routers / UCS, inside the enterprise, before encryption
• A pre-process hash generated at the branch router and appended to the encrypted data lets the storage back end de-duplicate without the key
• Caveat: a hash derived from plaintext reveals when two parties store identical content, so it should be keyed (for example an HMAC under an enterprise key) wherever cross-tenant equality must not leak

Network's value-add
• Cloud security pulls storage pre-processing requirements into the network
• Storage vendors are looking for network value-add with pre-processing, key distribution, compliance, geo-controls, visibility, audit reports
Cryptography
• Cryptography is a fundamental underpinning of nearly all security products, solutions and architectures
• Strongest, most efficient commercial cryptography: elliptic curve, AES-GCM, etc.
• The age of the mobile device (BYOD): low-power endpoint evolution driving the need for more efficient, stronger crypto
• Higher data throughputs driving scalability needs: current cryptographic implementations WILL NOT scale to 10G, 40G and 100G
FIPS-validated crypto module (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1668)
• Crypto running on a VM
• Interface to HSM
• FIPS boundary around the HSM
• Based on OpenSSL
• Enhanced with FECC (Fundamental Elliptic Curve Cryptography, RFC 6090)
• Protocol(s): TLS
• Algorithm interfaces: OpenSSL EVP
• Algorithms, ex: AES-GCM

Stack (diagram)
• Applications: OpenSSL s_client / s_server, SSH, SRTP, Apache / Tomcat, custom applications with modular crypto
• Libssl: TLS 1.0 / SSL 3.0 / SSL 2.0
• Libcrypto, inside the FIPS 140-2 validated boundary: AES / TDES, RSA / DSA / ECDSA / ECDH, SHA-1 / SHA-2
• Libcrypto, outside the boundary: DES / RC4, MD5, all other crypto
Caveat: the validated boundary covers the primitives, not the protocol. SSL 2.0, SSL 3.0 and TLS 1.0 in libssl have since been deprecated (RFC 6176, RFC 7568, RFC 8996), and nothing stops an application from calling DES, RC4 or MD5 through the same EVP interface, so the protocol versions and cipher suites an application may negotiate must be restricted explicitly.
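An added example (mine, not Cisco's or OpenSSL's code) of that restriction using Python's ssl module, which wraps OpenSSL's libssl/libcrypto: the context is pinned to TLS 1.2 and above and to ECDHE + AES-GCM suites, and an audit function reports any negotiable TLS 1.2 suite whose name references a primitive from outside the boundary on the diagram. The cipher string and the token list are my choices; whether the linked OpenSSL is a FIPS-validated module is a property of the build that this code cannot establish.

```python
import ssl

# OpenSSL cipher-string: ECDHE key exchange with AES-GCM, plus explicit
# exclusion of primitives the slide places outside the FIPS boundary.
APPROVED_CIPHERS = "ECDHE+AESGCM:!aNULL:!eNULL:!RC4:!MD5:!DES:!3DES"
# Substrings that identify a legacy primitive in an OpenSSL suite name.
LEGACY_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXP")


def hardened_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Context that cannot negotiate SSLv2/SSLv3/TLS 1.0/1.1 or legacy suites."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(APPROVED_CIPHERS)        # raises ssl.SSLError if nothing matches
    return ctx


def negotiable_tls12_suites(ctx: ssl.SSLContext) -> list:
    """Names of the TLS 1.2 suites this context would offer. TLS 1.3 suites are
    fixed by OpenSSL and are AEAD-only, so they are not part of the audit."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def outside_boundary(suite_names) -> list:
    """Suites whose name references DES, RC4, MD5, NULL or export-grade crypto."""
    return [n for n in suite_names if any(t in n.upper() for t in LEGACY_TOKENS)]


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise what the context can negotiate and flag anything outside the boundary."""
    suites = negotiable_tls12_suites(ctx)
    return {
        "minimum_version": ctx.minimum_version.name,
        "tls12_suites": suites,
        "all_ecdhe_gcm": all("ECDHE" in n and "GCM" in n for n in suites),
        "violations": outside_boundary(suites),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit(hardened_context()))
```

Run the audit against the context an application actually uses, not a freshly constructed one: `set_ciphers` on one context does nothing for the others in the process.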
Firewall portfolio
• Physical appliances and modules: Multi-scale data center-class ASA devices (Cisco ASA 5585-X, ASA SM for Catalyst 6500): scalable in-line performance, data center edge security policies, flexible deployment options
• Virtual & cloud firewall: enhanced cloud security (Cisco Virtual Security Gateway (VSG), Cisco ASA 1000V, new): a firewall to secure your cloud, tenant-edge to VM-specific policies, automated, policy-based provisioning
SaaS applications: all tiers (web, app, DB) under 3rd-party control (diagram: enterprise DC / private cloud VDC and branch office reaching the public cloud; SF.com hosted cloud with web front end, app tier and DB tier; ADP hosted cloud with web front end, app tier and DB tier)

Options for the enterprise
• Export ID to multiple partners; ex: current Cisco IT exports ID to ADP (payroll), Connexa (CPC), Infosys (HR functions) + ...
• Maintain ID for each session
• Update ID at an ID store / IdP and let them federate / SSO

SF.com ID needs: first, last name; role; location; download privileges
ADP ID needs: first, last name; date of birth; SSN
Trusted ID store: enterprise ID; federated ID as attribute key-value pairs
Securing SaaS access: requirement, function, solution (same diagram as the previous slide)

Requirement: Identity
Function: the cloud service must authenticate the end user against the enterprise ID
Solution: extensible ID definition; generic attributes: user, role, time of day, app; network attributes: location, device, posture; customer attributes

Requirement: Federated identity
Function: enterprise ID to trusted providers for federation to SaaS
Solution: SAML tokens, SAML assertions

Requirement: DLP
Function: split tunneling
Solution: ScanSafe, IronPort front end for SaaS access; ScanSafe implementation of DLP based on ID & policy
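The two slides above make one point a SAML library will not make for you: each SaaS provider needs a different subset of the enterprise identity, and the IdP should release only that subset. As an added example (mine, not Cisco's, ADP's or Salesforce's code, and not a complete SAML implementation), the Python below builds an unsigned SAML 2.0-style assertion with a per-SP attribute release policy, an audience restriction and a short validity window, and shows the SP-side checks that reject a replayed or expired assertion. The SP entity IDs, the release policy, the attribute names and the user record are constructed for the demo; signing (XML-DSig) and a hardened parser (defusedxml) are required in practice and omitted here.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
ISSUER = "https://idp.enterprise.example"          # assumed IdP entity ID

# Per-SP attribute release policy, modelled on the two SaaS examples above.
# Each SP gets the attributes it needs for its function and nothing more.
RELEASE_POLICY = {
    "https://sf.example/sp":  {"givenName", "sn", "role", "location", "downloadPrivileges"},
    "https://adp.example/sp": {"givenName", "sn", "dateOfBirth", "ssn"},
}

DEMO_NOW = dt.datetime(2014, 10, 21, 12, 0, tzinfo=dt.timezone.utc)   # fixed clock for the demo


def _q(tag: str) -> str:
    return f"{{{SAML_NS}}}{tag}"


def _iso(t: dt.datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_iso(s: str) -> dt.datetime:
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def build_assertion(sp_entity_id: str, user: dict, now: dt.datetime, lifetime_s: int = 300) -> str:
    """IdP side: release only the attributes the SP is entitled to, bound to one
    audience and a short validity window. (Unsigned: a real IdP adds XML-DSig.)"""
    if sp_entity_id not in RELEASE_POLICY:
        raise PermissionError(f"no federation agreement with {sp_entity_id}")
    released = {k: v for k, v in user.items() if k in RELEASE_POLICY[sp_entity_id]}
    a = ET.Element(_q("Assertion"), {"ID": "_" + uuid.uuid4().hex,
                                     "Version": "2.0", "IssueInstant": _iso(now)})
    ET.SubElement(a, _q("Issuer")).text = ISSUER
    ET.SubElement(ET.SubElement(a, _q("Subject")), _q("NameID")).text = user["nameID"]
    cond = ET.SubElement(a, _q("Conditions"), {
        "NotBefore": _iso(now),
        "NotOnOrAfter": _iso(now + dt.timedelta(seconds=lifetime_s))})
    ET.SubElement(ET.SubElement(cond, _q("AudienceRestriction")), _q("Audience")).text = sp_entity_id
    stmt = ET.SubElement(a, _q("AttributeStatement"))
    for name in sorted(released):
        attr = ET.SubElement(stmt, _q("Attribute"), {"Name": name})
        ET.SubElement(attr, _q("AttributeValue")).text = str(released[name])
    return ET.tostring(a, encoding="unicode")


def consume_assertion(xml_text: str, my_entity_id: str, now: dt.datetime) -> dict:
    """SP side: verify issuer, validity window and audience before trusting
    any attribute. (Signature verification omitted; parse with defusedxml in production.)"""
    a = ET.fromstring(xml_text)
    if a.findtext(_q("Issuer")) != ISSUER:
        raise ValueError("unexpected issuer")
    cond = a.find(_q("Conditions"))
    not_before = _parse_iso(cond.get("NotBefore"))
    not_on_or_after = _parse_iso(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    if my_entity_id not in [e.text for e in cond.iter(_q("Audience"))]:
        raise ValueError("assertion not addressed to this SP")
    return {at.get("Name"): at.findtext(_q("AttributeValue")) for at in a.iter(_q("Attribute"))}


def demo() -> dict:
    """Constructed user record; returns what each SP sees plus two rejected misuse cases."""
    user = {"nameID": "jdoe", "givenName": "Jane", "sn": "Doe", "role": "engineer",
            "location": "San Jose", "downloadPrivileges": "yes",
            "dateOfBirth": "1970-01-01", "ssn": "000-00-0000"}
    sf, adp = "https://sf.example/sp", "https://adp.example/sp"
    sf_xml = build_assertion(sf, user, DEMO_NOW)
    out = {"sf": consume_assertion(sf_xml, sf, DEMO_NOW),
           "adp": consume_assertion(build_assertion(adp, user, DEMO_NOW), adp, DEMO_NOW)}
    for label, args in {"replayed_to_adp": (sf_xml, adp, DEMO_NOW),
                        "expired": (sf_xml, sf, DEMO_NOW + dt.timedelta(seconds=301))}.items():
        try:
            consume_assertion(*args)
            out[label] = "accepted"
        except ValueError as exc:
            out[label] = f"rejected: {exc}"
    return out
```

The SF.com assertion never carries the SSN and the ADP assertion never carries the role, and the same SF.com assertion presented to ADP is rejected on audience: the attribute minimisation and the audience binding are what make a leaked assertion less useful.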
Securing SaaS access: visibility and centralized enforcement (diagram: home office, corporate office and branch office users running the AnyConnect Secure Mobility Client reach SaaS only through the Cisco IronPort Web Security Appliance / SaaS gateway, tied to the user directory; no direct access)
Web security challenges: block malware, control web traffic, prevent data loss (examples: social networking, webmail such as Hotmail, apps; business pipeline)
ScanSafe: expanded footprint (2x)
Current datacenters: Bangalore, Chicago, Copenhagen, Dallas, Frankfurt, Hong Kong, Johannesburg, London, Miami, New York, Paris, San Jose, Sao Paulo, Singapore, Sydney, Tokyo, Toronto, Vancouver, Zurich
Planned datacenters: Dubai, Mexico
Full context awareness: time, object, application, location, identity, compliance
Examples: job sites, instant messaging, P2P, streaming media; Human Resources: no file transfer; all business-related content; Facebook at lunch hour??
Security from the cloud: secure mobility (diagram: the AnyConnect client on a mobile user's device is redirected either to the on-premise ASA and WSA or to the cloud)
Cisco ISE for advanced policy management
Policy: who, what, where, when, and how? (example context: HQ, 2:38 p.m.)
1. IEEE 802.1X EAP user authentication
2. Profiling to identify the device, using DHCP, RADIUS, SNMP, NetFlow, HTTP and DNS data (identity profiling: personal asset vs. company asset)
3. Posture of the device
4. Policy decision (Cisco ISE, unified access management)
5. Enforce policy in the network (VLAN 10 / VLAN 20, wireless LAN controller)
6. Full or partial access granted: corporate resources, or Internet only
Identity services architecture (diagram of building blocks)
• Identity management: principal identity service, credential management service, profile management, CCO lookup tool, registration, profile admin, role management, user group management, audit & reporting
• Identity provisioning: provisioning, localization, OnRamp
• Federation: single sign-on identity provider, service provider, attribute authority
• Delegated admin: delegated admin, access admin
• Access management: login, coarse-grain AuthZ, global logout, fine-grain access, policy management, audit & reporting
• Consumers: IT services, tools & apps; business functionalities
Authentication factors
• Knowledge: something the user knows
• Token: something the user has
• Biometrics: something the user is
Compliance-as-a-service: a compliance checklist for cloud deployments
Advanced services: guidance to deploy secure cloud solutions that will meet the compliance controls specified (PCI, HIPAA, etc.)
Focus is on assessment
• Security best practices
• Internal mandates
• External mandates (PCI, SOX, ...)
Current focus on
• Vblocks
• Nexus 1000V, Nexus 7K
• ASA, WSA
• ISR, ASR, virtual router
Visibility, "composition of cloud assets": device, app, VM visibility; OS version; config visibility; asset info, audit trails; inventory tracking
Tracking, "where are the assets": geo-location; device config changes (who, when, what); lifecycle aspects; support contracts
Analysis, "regulatory, policy adherence": PCI, HIPAA, SOX, NIST, ISO, CC, ENISA; capability rules; new configuration rules; policy stickiness
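As an added example (mine, not Cisco's compliance service or the output of any Cisco tool), a small configuration vulnerability assessment of the kind the analysis column and the earlier "config vulnerability assessment" tenet describe, run over a constructed IOS-style configuration for one of the router platforms listed above. The rule IDs, severities and both sample configurations are assumptions; the checks themselves are standard IOS hardening items (enable secret instead of enable password, no default or read-write SNMP communities, SSH-only vty access, no cleartext HTTP management).

```python
import re

# Constructed sample: a branch router with several common hardening gaps.
SAMPLE_CONFIG = """\
hostname branch-rtr1
!
service password-encryption
enable password cisco123
!
snmp-server community public RO
snmp-server community s3cret RW
!
line vty 0 4
 transport input telnet ssh
 login local
!
ip http server
no ip http secure-server
"""

# Constructed sample: the same router after remediation.
HARDENED_CONFIG = """\
hostname branch-rtr1
!
service password-encryption
enable secret 5 $1$abcd$constructedhashvalue
!
snmp-server community s3cret RO 10
!
line vty 0 4
 transport input ssh
 login local
!
no ip http server
ip http secure-server
"""


def parse_blocks(config: str):
    """Group an IOS-style config into (header line, [indented child lines])."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def assess(config: str):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    top = [header for header, _ in blocks]
    findings = []

    def flag(rule, severity, evidence):
        findings.append({"rule": rule, "severity": severity, "evidence": evidence})

    if "service password-encryption" not in top:
        flag("PASSWORD_ENCRYPTION_OFF", "medium", "service password-encryption missing")
    if not any(h.startswith("enable secret ") for h in top):
        for h in top:
            if h.startswith("enable password "):
                # type 7 / plaintext is reversible; enable secret stores a hash
                flag("ENABLE_PASSWORD", "high", h)
    for h in top:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", h)
        if m:
            community, mode = m.group(1), m.group(2) or "RO"
            if community.lower() in ("public", "private"):
                flag("SNMP_DEFAULT_COMMUNITY", "high", h)
            if mode == "RW":
                flag("SNMP_RW_COMMUNITY", "high", h)
        if re.match(r"ip http server$", h):
            flag("HTTP_CLEARTEXT_MGMT", "medium", h)
    for header, children in blocks:
        if header.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            if not transport:
                flag("VTY_TRANSPORT_DEFAULT", "high",
                     f"{header}: no 'transport input' (default may permit telnet)")
            elif any(proto in transport[0].split() for proto in ("telnet", "all")):
                flag("VTY_TELNET", "high", f"{header}: {transport[0]}")
    return findings


def rule_ids(config: str) -> set:
    return {f["rule"] for f in assess(config)}


if __name__ == "__main__":
    for f in assess(SAMPLE_CONFIG):
        print(f"[{f['severity']}] {f['rule']}: {f['evidence']}")
```

The absence of a line is a finding as much as the presence of one (`VTY_TRANSPORT_DEFAULT`, `PASSWORD_ENCRYPTION_OFF`), which is why the checker walks the parsed blocks rather than grepping the raw text; a real assessment would also map each rule ID to the PCI or NIST control it supports so the report reads as adherence evidence.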
Thank you.