Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cloud Security Ravi Varanasi Technology Director, Cloud Security Office of CTO [email protected] 408-526-7468
Cloud Security | GSF 2012 | Session 4-2

Oct 21, 2014

Paradigm shift in Cloud Security. Learn why you should be using it.
The goal is to build a trusted enterprise and a SP cloud to enable seamless enterprise adoption.
By: Ravi Varanasi
Transcript
Page 1: Cloud Security | GSF 2012 | Session 4-2

Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved.

Cloud Security
Ravi Varanasi

Technology Director, Cloud Security

Office of CTO

[email protected]

408-526-7468

Page 2: Cloud Security | GSF 2012 | Session 4-2

Old                                                  | New
Protect the Perimeter                                | Protect the Data, App, Hypervisor
Place it in the right security zone                  | VMs should move with 'attached' security policy
Zones are static                                     | Zones are dynamic and on the move
Machine to machine traffic can be seen on 'the wire' | Virtualization challenges this.
Trust the 'insider'                                  | Pervasive Distrust
Dedicated → Secure                                   | Shared resources with instantiations

Page 3: Cloud Security | GSF 2012 | Session 4-2

Role of network in Cloud Security

• Sees All Traffic
• Routes All Requests
• Sources All Data
• Controls All Flows
• Handles All Devices
• Touches All Users
• Shapes All Streams

Page 4: Cloud Security | GSF 2012 | Session 4-2

A. Loss of control & visibility

B. Disruption of service

C. Information security

D. Company data isolation

E. Compliance

Page 5: Cloud Security | GSF 2012 | Session 4-2

Figure: Cloud connectivity use cases. Branch Office and Enterprise Data Center connect over the Internet and MPLS to the Private Cloud DC-Interconnect (VDC, DC-2), to an SP Virtual Private Cloud / Public Cloud, and to SaaS Apps.

Cisco Systems © 2011 Confidential

Use case-1: Private Cloud
Use case-2: Public/Hybrid Cloud
Use case-3: Connectivity to SaaS apps
Use case-4: Intelligent branch connectivity

Page 6: Cloud Security | GSF 2012 | Session 4-2

PE services, CPE services and current trends

Figure: Hosted DC, VDC, VPC reached across the provider network through CPE and PE. Service blocks shown: WAN Opt, QoS, FW, VPN, Access Control; WAN Opt, QoS, Edge-FW, NAC, Ent-Identity; Service Cloud build out as a virtual platform on PE or a Cloud Platform hosting IPS, Zone FW, Access control, AppFW, Web Security, WAN Opt.

Page 7: Cloud Security | GSF 2012 | Session 4-2

Building Trusted Clouds: Tenets to focus on

Trusted Cloud
• Data-in-flight security
• Data-at-rest security
• DLP from SaaS apps
• DC Interconnect: Secure OTV, VPLS
• Secure connectivity @ Unified I/O
• Anyconnect, Thin client lock down in VDI/VXI
• Admission control
• Web Application Security
• VM provisioning, Ease of config
• Federated ID to SaaS apps
• Location based policies
• Extension of ID params to application
• LISP, Location extensions to ISE
• Meta data, ID based location policies

Situational awareness
• Infrastructure Management
• Compliance reports
• Config vulnerability assessment
• Audit trails
• Physical inventory tracking
• Policy enforcement framework for ID, Data protection, audit, security
• App-based controls

Hypervisor Security
• Network value-add in VM → VM isolation
• VPATH to stitch VMs
• VLAN, VRF based isolation at VPATH
• VNLink

Operational Security
• SAS 70 Type II audits
• PCI, CC, ENISA, CSA, NIST, FedRAMP, HIPAA

Page 8: Cloud Security | GSF 2012 | Session 4-2

SaaS / PaaS / IaaS

XaaS Security needs
- FISMA act 2002
- NIST SP 800-53
- FIPS 199, 200
- Data Protection

DB ops @SaaS provider to meet confidentiality, compliance, integrity, availability needs

Page 9: Cloud Security | GSF 2012 | Session 4-2

Drivers for Cloud usage → Cloud Security Network Value-add

Movement to Cloud, Data Center Consolidation
• DC-Interconnect: OTV, LISP
• Secure OTV
• Location based Policy
• Traffic Shaping/SLA
• Data-in-flight, at-rest security
• Site-to-site VPN, FW

Server Consolidation, Virtualization
• Multi-tenant VM security
• VM->VM security: FW, In-Mem-Forensics
• Network richness in Hypervisor (Ex: VPath)
• L3-L7 based policy
• Multi-tenant w/HW ctrl
• Hypervisor-independence

Storage Consolidation
• I/O interconnect
• NAS, Object-oriented, Block
• Data-at-rest security, Persistent key storage
• Visibility, monitoring data copies, access logs
• Security while preserving dedupe, replication etc.

Desktop Virtualization, Internet-of-things
• Thin-client lock-down, Restricted local copy
• Context-aware VMotion
• Integrated thin-client

Page 10: Cloud Security | GSF 2012 | Session 4-2

VM provisioning | Central Management | CSPC Visibility | Tracking

Page 11: Cloud Security | GSF 2012 | Session 4-2

A. Loss of control & visibility

B. Disruption of service

C. Information security

D. Company data isolation

E. Compliance

Page 12: Cloud Security | GSF 2012 | Session 4-2

Security Market & Solution Requirements

Goal: Building trusted enterprise and SP clouds to enable seamless enterprise adoption

1. Secure connectivity of DC to Cloud, Cloud to Cloud, End-point to Cloud-app
2. Central control for:
   1. Configuration of infrastructure elements
   2. Policy: resource access, applications
3. Auto-provisioning of cloud security services with measurable consumption
4. Data-in-flight security: DLP, encryption (client to app, app to 'infra')
5. Data-at-rest security
6. Compliance with industry standards, customer standards, and regulations
7. Visibility: asset tracking, application/device/VM state, role-based audit trail
8. Secure the physical infrastructure (network, compute, storage, NOC)
9. Multi-tenancy: customer-centric resource and network isolation

Page 13: Cloud Security | GSF 2012 | Session 4-2

Page 14: Cloud Security | GSF 2012 | Session 4-2

Figure: Private Cloud DC-Interconnect. Enterprise DC side: Firewall, Load Balancer, VLAN/VRF, Mgmt, Control, VPN termination (L2, L3), Storage, Database, Web and Application tiers. Remote side: VDC and DC-2 with Storage.

Movement to private cloud

1. Web tier moves to VDC
• DC-Interconnect, L2 network extensions: Solutions
• Overlay transport virtualization: OTV
• VxLAN, VLAN
• Secure OTV traffic
• FW for OTV traffic, Web App Firewall
• VM Provisioning & Mobility
• Nexus 1000v, VPATH
• Presence at L2 extension end-points
• Virtual infrastructure services container
• Extension of network services to VDC: vFW, vWAAS
• Zone+Edge FW
• Connect virtual and physical stacks

2. App tier moves to VDC
• VDI, VXI: Availability, DR, 802.1x, TrustSec
• Anyconnect client

Page 15: Cloud Security | GSF 2012 | Session 4-2

Figure: Private Cloud DC-Interconnect (Storage, Database, Web, Application tiers; VDC, DC-2) extended to an SP Virtual Private Cloud / Public Cloud holding the Enterprise VPC (Storage, App, Web), with the Branch Office attached.

• Cloud bursting of front-end web service
  • Bestbuy.com on Black Friday, IRS on April 15th
• Work load migration to Public, Hybrid cloud
  • Expedia: Web front end to find an airline deal
  • Connectivity to enterprise controlled App and DB for actual ticketing
• VMotion of Web tier for DR, availability

Branch Office
• Scalable VPN
• Extension of network services

Page 16: Cloud Security | GSF 2012 | Session 4-2

Security at Scale

• Customer Requirement: Secure movement of vApps across cloud infrastructure
• Solution: VXLAN. Millions of dedicated LAN segments
• VXLAN is network friendly: Efficient load sharing of links (port channel); Supports NAT; better security controls
• Leverage multicast network for broadcast / unknown unicast traffic

VXLAN IETF Draft: http://datatracker.ietf.org/doc/draft-mahalingam-dutt-dcops-vxlan/

Figure: vApp1 (WebVM, AppVM, DBVM) and vApp2 (WebVM, AppVM, DBVM) with Duplicate MAC & IP Addresses, on Nexus 1000V & vCD. Submitted to IETF; support by Cisco, VMware, RedHat, Citrix, others…
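To make the "duplicate MAC & IP" point concrete, here is an added example (not from the deck, and not Cisco or VMware code) that parses the 8-byte VXLAN header from the cited draft and learns MACs per VNI, so two vApps can reuse the same addresses without colliding. The MACs, VNIs and the strict reserved-byte check are constructed assumptions for illustration.

```python
"""VXLAN header parsing and per-segment (VNI) MAC learning (added example)."""
import struct
from typing import Dict, Tuple

VXLAN_FLAG_VNI_VALID = 0x08   # the "I" bit: VNI field is valid


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Encapsulate an Ethernet frame: flags | 3 reserved | VNI (24 bit) | 1 reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8) + inner_frame


def parse_vxlan(packet: bytes) -> Tuple[int, bytes, bytes, bytes]:
    """Return (vni, inner_dst_mac, inner_src_mac, inner_payload).

    A missing I flag is dropped as the draft requires. Treating a non-zero
    reserved byte as malformed is stricter than the draft (which ignores it
    on receipt); it is an assumption used here to flag odd encapsulation.
    """
    if len(packet) < 8 + 14:
        raise ValueError("truncated VXLAN packet")
    flags, vni_field = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    if vni_field & 0xFF:
        raise ValueError("reserved byte after VNI must be zero")
    inner = packet[8:]
    return vni_field >> 8, inner[:6], inner[6:12], inner[14:]


def is_valid_vxlan(packet: bytes) -> bool:
    try:
        parse_vxlan(packet)
    except ValueError:
        return False
    return True


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ethernet(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


class SegmentAwareTable:
    """VTEP-style learning table keyed by (VNI, MAC): one namespace per segment."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[int, bytes], str] = {}

    def learn(self, packet: bytes, vapp: str) -> None:
        vni, _dst, src, _payload = parse_vxlan(packet)
        self.entries[(vni, src)] = vapp

    def owner(self, vni: int, src_mac: bytes) -> str:
        return self.entries[(vni, src_mac)]


def demo() -> Tuple[int, int]:
    """Constructed vApp1/vApp2 frames reusing one WebVM MAC on two VNIs.

    Returns (entries learned by a VNI-aware table, entries left in a VNI-blind one).
    """
    web_mac, db_mac = mac("00:50:56:aa:bb:01"), mac("00:50:56:aa:bb:02")
    frame = ethernet(db_mac, web_mac, payload=b"GET / ")
    p1 = build_vxlan(5001, frame)   # vApp1's segment (constructed VNI)
    p2 = build_vxlan(5002, frame)   # vApp2's segment, same inner MACs
    aware = SegmentAwareTable()
    aware.learn(p1, "vApp1")
    aware.learn(p2, "vApp2")
    blind: Dict[bytes, str] = {}
    for pkt, name in ((p1, "vApp1"), (p2, "vApp2")):
        blind[parse_vxlan(pkt)[2]] = name   # second learn overwrites: MAC collision
    return len(aware.entries), len(blind)
```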

Page 17: Cloud Security | GSF 2012 | Session 4-2

Use Case 2: Web/App tiers → VPC: Cloud Security solutions

L2 extensions, segmentation
Cisco virtual router with security stack at VPC edge
• Secure isolation within cloud provider's network
• Feature parity, similar network stack at Ent, Branch and VPC

Information security
• Data-in-flight security: Location based, secure VM connectivity
• Data-at-rest security: Cisco MDS

Multi-tenancy
• VPATH solution at Hypervisor level
• Separation: VxLAN, VLAN seg, VRF; Isolation: VPC-edge firewall, access control

Virtual Firewall: Combined Zone + Edge firewall, XACML configuration
Compliance needs: Visibility, Asset tracking
Location based controls
Admission control, Centralized Identity and policy control
Hypervisor agnostic stack: Enable movement between clouds

Page 18: Cloud Security | GSF 2012 | Session 4-2

The Network Yesterday / The Network Today / The Network Tomorrow? VPC in Public Cloud?

Figure: Branch Office (ISR; LL, FR, ATM, MetroE, …; IPSec, DM, SSL, ..) and Home/ Remote User (AnyConnect IPSec/ SSL) reach Corp HQ/ Data Center (ASR 1k, ASA 5500, Private Cloud) over the Service Provider Network (MPLS/ GET, OTV, IPSec; Easy/ DM VPN) and the Internet. Labels: L2 Access, L3 Access, SP-Managed VPN, Non-SP-Managed VPN, WAN Edge, Internet Edge. Tomorrow: a VPC in the Public Cloud joined over IPSec and DC Interconnect.

Page 19: Cloud Security | GSF 2012 | Session 4-2

Build/ Acquire Multi-tenant Cloud?

Figure: Cloud with VPC #1 and VPC #2 (Customer/ Cloud Provider Managed) connected through the SP Network (SP Managed; ASR9k; MPLS VPN/ GET VPN) to Customer HQ/ DC #1 and Customer HQ/ DC #2 (Customer Managed; ASR 1k, ASA 5500), Customer #1 ISR (Dedicated L2 Access), Customer #2 ISR (Site-to-Site L3 Access), and Home/ Remote User (Remote L3 Access).

Page 20: Cloud Security | GSF 2012 | Session 4-2

• L2 connectivity and L3 address mobility between DC and VPC
• Transparent on-boarding of existing business applications to VPC

Figure: Enterprise Data Center and Cloud Provider VPC joined over the Internet, with a CSR 1000v as LISP Tunnel Router at the VPC; L2 over WAN and the LISP protocol provide LISP VM Mobility.

• L2 over WAN: EoMPLS over GRE
• Addressing: NAT/PAT, VRF-Lite
• Transport Services: LISP for VM Mobility, Multicast

Page 21: Cloud Security | GSF 2012 | Session 4-2

CSR: Connectivity, Traffic Redirection, Integrated Services, Programmable, Manageability, Licensing, Elasticity

Figure: ASR @ Data Center, CSR @ Cloud, ISR @ Branch. CSR services: vWAAS, FW, VPN, NAT, QoS, BGP, AVC. RAM / Throughput: 1GB/1Gbps, 4GB/ 2Gbps, .. Management through REST/ XML, OpenStack, Cloud Portal, VNMC.

Page 22: Cloud Security | GSF 2012 | Session 4-2

Page 23: Cloud Security | GSF 2012 | Session 4-2

Proposal for VPath positioning: Importance & Strategy

• Cisco's network value-add in Hypervisor
• VM → VM stitching, security. Service chaining with SIA, SGT tags
• Ensure multi-tenancy with connectivity to hardware
• Local fast switching decisions for crypto, H-QoS, Regex lookups
• Connect virtual and physical stacks
• Enforce segmentation,

Figure: vSphere hosts, each running a Nexus 1000V VEM with vPath, carrying VMs and VSNs.

Strategic: Cisco's network intelligence present in Hypervisor!
- Controls data-in-flight, inter-VM traffic
- Subjects VMotion to Geo-policies
- Preserves network experience while connecting cloud deployments

Page 24: Cloud Security | GSF 2012 | Session 4-2

Virtual Router based on IOS-XE, runs on a virtualized server (e.g. UCS)

• Phase 1: Virtual VPN Appliance
- Site-to-Site VPN: DMVPN, Easy VPN, IPSec
- Routing: BGP, EIGRP, OSPF, MPLS
- Network Management: SNMP, Syslog
- Access Control: ACL, AAA
- Virtualization Platform: VMware vSphere
- Basic Licensing: Static Capacity (Up to 150 Tunnels), Annual Subscription

• Phase 1.1
- WAN Opt Support
- Public Cloud Virtualization: Citrix Xen Support
- More Manageability: VNMC/ LineSider Overdrive; OpenStack Integration
- Advanced Licensing: Site Licensing
- More IOS-XE Features: Flex VPN (includes IPv6 Support), AnyConnect (IPSec), L3 FW, HSRP

• Phase 2
- More Security: GETVPN, L7 Firewall (K2 - Visibility, Web Security), AnyConnect (SSL)
- More Networking: NAT, QoS, NetFlow, OTV, LISP
- More Virtualization Platforms: Red Hat KVM, Microsoft Hyper-V

Page 25: Cloud Security | GSF 2012 | Session 4-2

Figure: Branch Office and Enterprise Data Center, Private Cloud DC-Interconnect (VDC, DC-2) and VPC/Public Cloud. Storage: NAS, SAN, OBJ. Cloud Storage: EMC, ATMOS, Amazon EC2, Hadoop.

Customer demands, compliance needs for Cloud Security
• All storage-bound data *must* be encrypted before it leaves campus edge, enterprise
• All key material must remain within (or within complete control of) the enterprise.

Problem
• Storage vendors apply efficiency protocols like De-Dupe, Thin Provisioning at last mile before storing it.
• Lack of key material breaks storage protocols. NetApp, EMC recognize need for pre-processing stack.

Solution
• Pre-process storage protocols on VMs on branch routers/UCS
• Generated pre-process hash appended to encrypted data at B.Router will help.
• Storage vendors looking for network value-add with pre-processing, key distr, compliance, geo-controls

Network's value-add
• Cloud Security pulls storage pre-processing requirements into network.
• Storage vendors looking for network value-add with pre-processing, key distr, compliance, geo-controls, visibility, audit reports.
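The "pre-process hash appended to encrypted data" idea, worked through as an added example (not the deck's or any storage vendor's code): the branch router tags each chunk before encrypting it, the provider de-duplicates on the tag without ever holding a key, and the enterprise decrypts on the way back. Two assumptions: the tag is a keyed HMAC rather than a bare hash, so the provider cannot confirm guesses of well-known plaintexts from it, and an HMAC-SHA256 counter keystream stands in for AES-GCM, which the standard library lacks.

```python
"""Branch-router storage pre-processing: dedupe tag before encryption (added example)."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

CHUNK = 4096                 # pre-processing block size (assumption)
NONCE_LEN, MAC_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: an illustrative stand-in for AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def _mac_key(enc_key: bytes) -> bytes:
    return hashlib.sha256(b"storage-mac" + enc_key).digest()   # separate key for integrity


def encrypt_chunk(enc_key: bytes, tag_key: bytes, chunk: bytes) -> Tuple[bytes, bytes]:
    """Pre-process one chunk at the branch router.

    Returns (tag, blob): tag = HMAC(tag_key, plaintext) is the dedupe key the
    provider may see; blob = nonce || ciphertext || mac is all it stores.
    """
    tag = hmac.new(tag_key, chunk, hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(chunk, _keystream(enc_key, nonce, len(chunk))))
    mac = hmac.new(_mac_key(enc_key), nonce + ct, hashlib.sha256).digest()
    return tag, nonce + ct + mac


def decrypt_chunk(enc_key: bytes, blob: bytes) -> bytes:
    """Enterprise side: verify integrity first, then strip the keystream."""
    nonce, ct, mac = blob[:NONCE_LEN], blob[NONCE_LEN:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(_mac_key(enc_key), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("ciphertext integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CloudStore:
    """Provider side: sees tags and blobs only, never a key."""

    def __init__(self) -> None:
        self.blobs: Dict[bytes, bytes] = {}
        self.uploads = 0

    def put(self, tag: bytes, blob: bytes) -> None:
        self.uploads += 1
        self.blobs.setdefault(tag, blob)    # de-dupe: keep the first copy only

    def get(self, tag: bytes) -> bytes:
        return self.blobs[tag]


def branch_upload(store: CloudStore, enc_key: bytes, tag_key: bytes, data: bytes) -> List[bytes]:
    """Chunk, tag and encrypt at the branch; the returned tag list is the file manifest."""
    tags = []
    for off in range(0, len(data), CHUNK):
        tag, blob = encrypt_chunk(enc_key, tag_key, data[off:off + CHUNK])
        store.put(tag, blob)
        tags.append(tag)
    return tags


def enterprise_download(store: CloudStore, enc_key: bytes, tags: List[bytes]) -> bytes:
    return b"".join(decrypt_chunk(enc_key, store.get(t)) for t in tags)


def tamper_is_detected(enc_key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext byte and report whether decryption refuses it."""
    flipped = bytearray(blob)
    flipped[NONCE_LEN] ^= 0x01
    try:
        decrypt_chunk(enc_key, bytes(flipped))
    except ValueError:
        return True
    return False
```

Because the tag is computed over the plaintext, a chunk that repeats across files or uploads collapses to one stored blob while still decrypting only with the enterprise key.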

Page 26: Cloud Security | GSF 2012 | Session 4-2

Page 27: Cloud Security | GSF 2012 | Session 4-2

Page 28: Cloud Security | GSF 2012 | Session 4-2

• Cryptography is a fundamental underpinning of nearly all security products, solutions and architectures
• Strongest, most efficient commercial cryptography: Elliptic Curve, AES-GCM, etc
• The age of the Mobile Device (BYOD): Low power Endpoint evolution driving need for more efficient, stronger crypto
• Higher data throughputs driving scalability needs: Current cryptographic implementations WILL NOT scale to 10G, 40G and 100

Page 29: Cloud Security | GSF 2012 | Session 4-2

• Crypto running on VM
• Interface to HSM
• FIPS boundary around HSM
• Based on OpenSSL
• Enhanced with FECC (RFC6090)
• Protocol(s): TLS
• Algorithm Interfaces: OpenSSL EVP
• Algorithms: Ex: AES-GCM

FIPS-Validated Crypto Module (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1668)

Figure: OpenSSL stack. Libcrypto: FIPS 140-2 Validated (AES / TDES, RSA / DSA / ECDSA / ECDH, SHA-1 / SHA-2) alongside All other crypto (DES / RC4, MD5). Libssl: TLS 1.0 / SSL 3.0 / SSL 2.0. Consumers: OpenSSL Application s_client / s_server, SSH, SRTP, Apache / Tomcat, Custom Applications (Modular crypto).

Page 30: Cloud Security | GSF 2012 | Session 4-2

PHYSICAL: PHYSICAL APPLIANCES AND MODULES. Multi-scale™ data center-class ASA devices: Cisco ASA 5585-x, ASA SM for Catalyst 6500
• Scalable in-line performance
• Data center edge security policies
• Flexible deployment options

VIRTUAL & CLOUD: CLOUD FIREWALL. Enhanced cloud security: Cisco Virtual Security Gateway (VSG), Cisco ASA 1000V (New!)
• Firewall to secure your cloud
• Tenant-edge to VM-specific policies
• Automated, policy-based provisioning

Page 31: Cloud Security | GSF 2012 | Session 4-2

Figure: Branch Office and Enterprise DC, Private Cloud VDC reaching web front-ends in the Public Cloud: SF.com hosted Cloud (Web front-end SF.com, SF App tier, SF DB tier) and ADP hosted Cloud (Web front-end ADP.com, ADP app tier, ADP DB tier).

SaaS applications: All tiers – Web, App, DB under 3rd party control

Options for enterprise
• Export ID to multiple partners
• Ex: Current Cisco IT: ID to ADP (Payroll), Connexa (CPC), Infosys (HR functions) + ….
• Maintain ID for each session
• Update ID at an ID-store, IdP and let them Federate /SSO.

SF.com ID needs: First, Last name; Role; Location; Download privileges
ADP ID needs: First, Last name; Date-of-birth; SSN

Trusted ID store: Enterprise ID → Federated ID (Attrib-Key-Value pair)

Page 32: Cloud Security | GSF 2012 | Session 4-2

Requirement        | Function                                                | Solution
Identity           | Cloud Service must authenticate end user, enterprise ID | • Extensible ID definition • Generic attributes: User, role, ToD, App • Network attributes: Location, Device, Posture • Customer attributes
Federated Identity | Ent ID to trusted providers for federation to SaaS      | • SAML tokens, SAML assertions
DLP                | Split tunneling                                         | ScanSafe, IronPort front-end for SaaS access; Scansafe implementation of DLP based on ID & Policy
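An added example (not the deck's or Cisco IT's code) of the federation row above together with the per-provider "ID needs" from the previous slide: the enterprise IdP releases only the attributes each SaaS provider is entitled to, and the assertion is bound to one audience and a validity window, so a token minted for ADP is refused by SF.com and the SSN never reaches it. The HMAC-signed JSON token stands in for a SAML assertion (assumption); the employee record and keys are constructed.

```python
"""Attribute-scoped, audience-bound assertions for SaaS federation (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Per-provider release policy, taken from the deck's "ID needs" lists.
RELEASE_POLICY = {
    "sf.com": {"first_name", "last_name", "role", "location", "download_privileges"},
    "adp.com": {"first_name", "last_name", "date_of_birth", "ssn"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(idp_key: bytes, audience: str, user_record: Dict[str, str],
                    now: Optional[int] = None, ttl: int = 300) -> str:
    """IdP side: release only the attributes the audience is entitled to, then sign."""
    allowed = RELEASE_POLICY[audience]        # unknown audience -> KeyError, nothing issued
    attrs = {k: v for k, v in user_record.items() if k in allowed}
    issued = int(time.time()) if now is None else now
    body = {"aud": audience, "iat": issued, "exp": issued + ttl, "attrs": attrs}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(idp_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_assertion(idp_key: bytes, expected_audience: str, token: str,
                     now: Optional[int] = None) -> Dict[str, str]:
    """SaaS side: check signature, audience and validity window before trusting attrs."""
    payload_b64, sig_b64 = token.split(".")
    payload = _unb64(payload_b64)
    expected_sig = hmac.new(idp_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64(sig_b64)):
        raise ValueError("bad signature")
    body = json.loads(payload)
    if body["aud"] != expected_audience:
        raise ValueError("assertion not intended for this provider")
    current = int(time.time()) if now is None else now
    if not body["iat"] <= current < body["exp"]:
        raise ValueError("assertion expired or not yet valid")
    return body["attrs"]


def accepts(idp_key: bytes, audience: str, token: str, now: Optional[int] = None) -> bool:
    """Convenience wrapper: does the provider accept this token at this time?"""
    try:
        verify_assertion(idp_key, audience, token, now)
    except (ValueError, KeyError):
        return False
    return True
```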

Page 33: Cloud Security | GSF 2012 | Session 4-2

Securing SaaS Access

Visibility | Centralized Enforcement

Figure: Home Office, Corporate Office and Branch Office users (AnyConnect Secure Mobility Client, User Directory) reach SaaS only through the Cisco IronPort Web Security Appliance/SaaS Gateway; No Direct Access.

Page 34: Cloud Security | GSF 2012 | Session 4-2

Web Security Challenges

• Prevent Data Loss
• Block Malware
• Control Web Traffic

Figure: Business Pipeline alongside Social Networking, Webmail, Apps, Hotmail.

Page 35: Cloud Security | GSF 2012 | Session 4-2

Scansafe: Expanded Footprint (2X)

Current Datacenters: Bangalore, Chicago, Copenhagen, Dallas, Frankfurt, Hong Kong, Johannesburg, London, Miami, New York, Paris, San Jose, Sao Paulo, Singapore, Sydney, Tokyo, Toronto, Vancouver, Zurich

Planned Datacenters: Dubai, Mexico

Page 36: Cloud Security | GSF 2012 | Session 4-2

Full Context Awareness: Time, Object, Application, Location, Identity, Compliance

Figure: policy examples. Job Sites; Instant Message; P2P; Streaming Media; Human Resource; No File Transfer; All; Business-related Content; Facebook – Lunch Hour ??

Page 37: Cloud Security | GSF 2012 | Session 4-2

Security from the cloud: Secure mobility

Figure: Mobile User with AnyConnect Client; Redirect to Premise (ASA, WSA On-Premise) or Cloud.

Page 38: Cloud Security | GSF 2012 | Session 4-2

Page 39: Cloud Security | GSF 2012 | Session 4-2

Cisco ISE for Advanced Policy Management

Policy: Who, What, Where, When, and How?

Unified Access Management: Identity Profiling from DHCP, RADIUS, SNMP, NetFlow, HTTP, DNS (Wireless LAN Controller; VLAN 10, VLAN 20)

1. IEEE 802.1x EAP User Authentication (HQ, 2:38 p.m.)
2. Profiling to Identify Device: Personal Asset / Company Asset
3. Posture of the Device
4. Policy Decision (Cisco® ISE)
5. Enforce Policy in the Network
6. Full or Partial Access Granted: Corporate Resources / Internet Only

Page 40: Cloud Security | GSF 2012 | Session 4-2

Figure: identity services architecture blocks. Principal Identity Service; Credential Mgmt Service; Profile Mgmt; CCO Look Up Tool; Delegated Admin; Single Sign On; Identity Provider; Registration; Service Provider; Provisioning; Localization; Profile Admin; Audit & Reporting; Role Mgmt; User Group Mgmt; Access Admin; Login; Coarse Grain AuthZ; Global Logout; Fine Grain Access; Policy Mgmt; IT Services, Tools & Apps; Business Functionalities; Federation; Identity Mgmt.; Access Mgmt; Identity Provisioning; Attribute Authority; OnRamp.

Page 41: Cloud Security | GSF 2012 | Session 4-2

Knowledge: Something user knows
Token: Something user has
Biometrics: Something user inherits

Page 42: Cloud Security | GSF 2012 | Session 4-2

Page 43: Cloud Security | GSF 2012 | Session 4-2

Page 44: Cloud Security | GSF 2012 | Session 4-2

Compliance-as-a-service: Compliance check list for cloud deployments

Advanced services: Guidance to deploy secure cloud solutions that will meet the compliance controls specified (PCI, HIPAA, etc.)

Focus is on assessment
• Security best practices
• Internal mandates
• External mandates (PCI, SOX, …)

Current focus on
• VBlocks
• Nexus 1KV, Nexus 7K
• ASA, WSA
• ISR, ASR, Virtual router

Visibility: "Composition of cloud assets"
• Device, App, VM visibility
• OS version
• Config Visibility
• Asset info, Audit trails
• Inventory tracking

Tracking: "Where are the assets"
• Geo location
• Device config chg's: Who, when, what
• Lifecycle aspects
• Support contracts

Analysis: "Regulatory, Policy adherence"
• PCI, HIPAA, SOX, NIST, ISO, CC, ENISA
• Capability rules
• New configuration rules
• Policy stickiness

Page 45: Cloud Security | GSF 2012 | Session 4-2

Page 46: Cloud Security | GSF 2012 | Session 4-2

Thank you.

Page 47: Cloud Security | GSF 2012 | Session 4-2
