Security in the Cloud: Can You Trust What You Can’t Touch? Rob Johnson Security Architect, Cloud Engineering Unisys Corp.

Dec 18, 2015
Page 1: Security in the Cloud: Can You Trust What You Can’t Touch? Rob Johnson Security Architect, Cloud Engineering Unisys Corp.

Security in the Cloud: Can You Trust What You Can’t Touch?

Rob Johnson

Security Architect, Cloud Engineering

Unisys Corp.


Page 2

Security in the Cloud: Agenda

• Introductions

• What is Cloud Computing, and what are the risks?

• Cloud Security Architecture

• Multi-Tenancy Considerations

• Wrap-up


Page 3

Security in the Cloud: Introductions

• Who am I?

– Rob Johnson, Distinguished Engineer, Unisys Corp.

– 30 years doing I/O, networking, and security

• Who is Unisys?

– 130+ year heritage

– Provides technology, services, and solutions to the world’s largest enterprises

• Who are You?


Page 4

Security in the Cloud: What is Cloud Computing?

• National Institute of Standards and Technology (NIST): http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc

– Essential Characteristics: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service

– Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

– Deployment Models: Private cloud, Community cloud, Public cloud, Hybrid cloud

– On/off Premise

• Security controls being defined by industry: FedRAMP, PCI DSS v2.0, etc.


Page 5

Security in the Cloud: What are the Risks?

• #1 Loss of control of assets (applications and data)

– Where are they?

– How many copies are there?

– Who can access them?

• #2 Compliance

– Regulatory Audits: PCI DSS v2, HIPAA, COBIT, FedRAMP, etc.

– Jurisdictional Boundaries: Patriot Act, Data locality regulations

• #3 Provider Transparency

– Process visibility

– Audit, logging, and Incident Event Management (IEM)


Page 6

Cloud Computing: Service Models

• Software as a Service (SaaS)

– Complete application environment supplied and managed by the Cloud Provider, not the tenant

• Platform as a Service (PaaS)

– Provider supplies an application development and execution environment.

– Tenant can secure data and inter-process communication.

• Infrastructure as a Service (IaaS)

– Provider supplies the infrastructure components (compute, network, storage), but little else.

– Tenant runs a virtual data center.

[Diagram: the three service models stacked, with Infrastructure as a Service at the bottom, Platform as a Service above it, and Software as a Service on top]


Page 7

Security in the Cloud: Cloud Security Architecture

• Service Models wrapped in Access Planes

[Diagram: the IaaS / PaaS / SaaS stack wrapped by four access planes: Provider Administration, Tenant Administration, End User Access, and Intra-Cloud Access]


Page 8

Cloud Security Architecture: Access Planes

• Service Models wrapped in Access Planes

– Provider Administration: Controls and manages the service components

• IaaS: Hypervisors, vSwitches, vFirewalls, storage vLUNs, etc.

• PaaS: VMs for hosting applications, web services, storage containers, load balancers, etc.

• SaaS: Application suites, databases, identity management, etc.



Page 9

Cloud Security Architecture: Access Planes

• Service Models wrapped in Access Planes

– Provider Administration

– Tenant Administration: Manages per-Tenant components

• IaaS: VMs, vFirewalls, vLUNs

• PaaS: Applications, object stores

• SaaS: Users, application data objects



Page 10

Cloud Security Architecture: Access Planes

• Service Models wrapped in Access Planes

– Provider Administration

– Tenant Administration

– End User Access

• IaaS: VM console (RDP, rsh, etc.)

• PaaS: Distributed apps (SOA, webapps), test/dev, etc.

• SaaS: Application presentation



Page 11

Cloud Security Architecture: Access Planes

• Service Models wrapped in Access Planes

– Provider Administration

– Tenant Administration

– End User Access

– Intra-Cloud Access

• Service-to-service

• Intra-tenant

• Web services



Page 12

Security in the Cloud: Multi-Tenancy Considerations

• Isolation and Containment: Tenants Share Physical Resources

• Identity and Access Management: “Who are you, and why do they keep sending you here?”

• Transparency: “Where are my assets, and who is doing what to them?”


Page 13

Security in the Cloud: Multi-Tenancy Considerations

• Isolation and Containment: Tenants Share Physical Resources

– Data in Process

• Memory

• Processors and caches

• NICs

• HBAs

• etc.

[Diagram: VMs belonging to three tenants (VM-1a, VM-1b, VM-2a, VM-2b, VM-3a) running on one hypervisor and sharing its memory and hardware resources (CPUs, NICs, HBAs)]


Page 14

Security in the Cloud: Multi-Tenancy Considerations

• Isolation and Containment: Tenants Share Physical Resources

– Data in Process

– Data in Motion

• Cloud Intranet

– VLANs and Firewalls

– Cryptographic Communities of Interest

─ IPsec

─ SSL

─ Unisys Stealth

[Diagram: three hypervisor hosts, each running VMs from several tenants on shared memory and hardware resources, connected over the cloud intranet]


Page 15

Security in the Cloud: Multi-Tenancy Considerations

• Isolation and Containment: Tenants Share Physical Resources

– Data in Process

– Data in Motion

• Cloud Intranet

• Extranet / Internet

– Tenant DMZs

– Site-to-site VPNs

– Remote users

– Web access

[Diagram: the three hypervisor hosts, each fronted by a Tenant DMZ (firewall, intrusion detection, anti-virus), connected to the Internet]


Page 16

Security in the Cloud: Multi-Tenancy Considerations

• Isolation and Containment: Tenants Share Physical Resources

– Data in Process

– Data in Motion

– Data at Rest

• Network Attached Storage (NAS)

– Per-tenant file servers

– Access Control Lists (ACLs)

– Encrypted File Systems



Page 17

Security in the Cloud: Multi-Tenancy Considerations

• Isolation and Containment: Tenants Share Physical Resources

– Data in Process

– Data in Motion

– Data at Rest

• Network Attached Storage (NAS)

• Storage Area Network (SAN)

– Virtualized LUNs

– Encryption / Authentication

– Replication / Dispersal



Page 18

Security in the Cloud: Multi-Tenancy Considerations

• Isolation and Containment: Tenants Share Physical Resources

– Data in Process

– Data in Motion

– Data at Rest

• Network Attached Storage (NAS)

• Storage Area Network (SAN)

• PaaS storage objects & containers



Page 19

Security in the Cloud: Multi-Tenancy Considerations

• Isolation and Containment: Tenants Share Physical Resources

• Identity & Access Management: “Who are you, and why do they keep sending you here?”

– Identification: Who are you?

– Authentication: Prove you are who you say you are.

– Authorization: What are you allowed to do / what is your role?

– Validation: Double-check before executing

[Diagram: the hypervisor hosts and Tenant DMZs from the previous slides, with Active Directory instances added to provide identity services]


Page 20

Security in the Cloud: Multi-Tenancy Considerations

• Isolation and Containment: Tenants Share Physical Resources

• Identity & Access Management: “Who are you, and why do they keep sending you here?”

• Transparency: “Where are my assets, and who is doing what to them?”

– Accountability: All actions are securely audited

– Chargeability: Pay-for-play

– SLAs: Availability, scalability, performance, etc.
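As an added example (not from the slides or from Unisys), the four IAM stages of the previous slide and the Accountability point of this one in one small multi-tenant access check: identification, authentication of a request tag, role authorization, a final validation that re-checks the tenant boundary before anything executes, and a hash-chained audit record for every decision. Users, secrets and resource names are constructed; the static shared secrets stand in for the identity provider the slides show (Active Directory).

```python
import hashlib
import hmac
import json

# Constructed (hypothetical) directory standing in for the identity provider.
USERS = {
    "alice": {"tenant": "tenant-1", "role": "admin", "secret": b"alice-secret"},
    "bob": {"tenant": "tenant-2", "role": "user", "secret": b"bob-secret"},
}
# Constructed per-tenant resources (the vLUNs / object stores of the slides).
RESOURCES = {"vlun-100": {"tenant": "tenant-1"}, "vlun-200": {"tenant": "tenant-2"}}
ROLE_PERMS = {"admin": {"read", "write", "delete"}, "user": {"read"}}
AUDIT_LOG = []  # hash-chained JSON records, one per access decision

def sign(secret, user, action, resource):
    # Request tag: HMAC-SHA256 over the exact request the caller is making.
    msg = f"{user}:{action}:{resource}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def audit(record, allowed, reason):
    # Accountability: append a record chained to the hash of the previous one.
    prev = hashlib.sha256(AUDIT_LOG[-1].encode()).hexdigest() if AUDIT_LOG else "0" * 64
    record.update(allowed=allowed, reason=reason, prev=prev)
    AUDIT_LOG.append(json.dumps(record, sort_keys=True))
    return allowed, reason

def verify_audit_chain():
    # True unless a record was altered or dropped from the middle of the chain.
    prev = "0" * 64
    for line in AUDIT_LOG:
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True

def check_access(user, tag, action, resource):
    # Walk the four IAM stages from the slide; return (allowed, reason).
    record = {"user": user, "action": action, "resource": resource}
    entry = USERS.get(user)  # 1. Identification: who are you?
    if entry is None:
        return audit(record, False, "unknown identity")
    expected = sign(entry["secret"], user, action, resource)  # 2. Authentication
    if not hmac.compare_digest(expected, tag):
        return audit(record, False, "authentication failed")
    if action not in ROLE_PERMS.get(entry["role"], set()):  # 3. Authorization
        return audit(record, False, "role does not permit action")
    owner = RESOURCES.get(resource)  # 4. Validation: re-check the tenant boundary
    if owner is None or owner["tenant"] != entry["tenant"]:
        return audit(record, False, "resource not in caller's tenant")
    return audit(record, True, "ok")
```

The validation stage is what keeps an authenticated, authorized admin of one tenant from touching another tenant's vLUN, and the chained log is what lets the tenant later answer "who did what to my assets".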



Page 21

Security in the Cloud: Wrap-up

• Cloud Computing = losing control of assets (data, applications)

• Secure Cloud Computing = regaining control through identity management, secure networking, secure storage, and provider transparency

Questions?