Tech Insights 2011 SEA - Security from the Ground Up to the Cloud

28 slides

Uploaded by: esmaeil-sarabadani, posted 13-May-2015

TRANSCRIPT

Page 1: Tech insights 2011 SEA - Security from the Ground up to the Cloud

Page 2

Security from the Ground Up to the Cloud…

Esmaeil Sarabadani, Systems and Security Consultant, Redynamics Asia Sdn. Bhd.

Page 3

What will be covered…

• An overview of Public and Private Clouds and their building blocks
• Cloud security concerns
• Cloud Defense-in-Depth approach
• Security in the cloud virtualized environment
• Data and network traffic isolation in the cloud
• Control and ownership of the data in the cloud
• Questions to ask before moving to the cloud

Page 4

What is the cloud?!!

• It’s nothing supernatural.
• It’s been with you for a long time.
• It’s used for social activities, entertainment, business and more.
• It brings more:
  • Availability
  • Reliability
  • Scalability
  • Affordability
  • Security

Page 5

Public Cloud
• Everything is hosted by a cloud service provider.
• You will have to pay for the cloud service you are using.
• Security and data protection are guaranteed.
• You will have to follow the cloud service provider’s policies.

Private Cloud
• Everything is hosted on premises.
• You will have to pay only once for the licenses and the implementation.
• Security and data protection are all under your responsibility.
• You will not have to follow any cloud service provider’s policies.

Whatever…

Page 6

Microsoft Public Cloud vs. Private Cloud

Page 7

Microsoft Cloud Building Blocks

Compute / Network / Storage

Hyper-V Based Hypervisor

System Center Virtual Machine Manager

Admin / Tenant Interfaces

AuthN, AuthZ, Auditing

Page 8

Cloud Security Concerns

• Protecting the virtualized environment
• Data isolation
• Firewall configuration
• Complexity
• Hypervisor security issues
• The geographical location of data
• Complicated audit and forensics

Page 9

Cloud Defense-in-Depth Approach

Layer: Defenses

Data
• Windows Security Model for Access Control and Auditing
• System Center Data Protection Manager for Data Availability

Application
• User Identification and Authorization
• Application-Layer Malware Protection

Host
• Host Boundaries Enforced by External Hypervisors
• Host Malware Protection

Network
• VLAN and Packet Filters in Network Fabric
• Host Firewall to Supplement & Integrate IPsec Isolation

Perimeter
• Control Access to Portals / Services using UAG
• Controlled Egress Filtering using TMG

Page 10

Data Isolation and Hypervisor

Diagram: Physical Hardware, with the Hypervisor above it, hosting a Root VM and three Guest VMs. One of the VMs is marked Hacked and the other three Healthy; the hacked VM is shown with No Access to the others.

Page 11

Virtualization Architecture

Diagram: the Hypervisor sits in Ring -1 above the CPU, NIC and Storage. Above it run the Root Partition (Server Core kernel and drivers, Virtualization Stack) and the Guest Partitions (Guest OS, Guest Applications) in Ring 0 and Ring 3, joined by the VMBus.

Hypervisor:
• Isolation boundary between partitions.
• Only 600 KB in size

Root Partition:
• Mediates all access to the hypervisor
• Server Core minimizes attack surface
• ~50% less patching required

Guest Partitions:
• Guests cannot interfere with each other
• Dedicated VMBus channel

Page 12

DEMO: Data Isolation

Page 13

Where is my data located?

Choose where to store your data …

Page 14

DEMO: The Location of Data

Page 15

Network Security

How DDoS attacks are detected and stopped in the Microsoft public cloud network …

Diagram: Hackers on the outside; Microsoft Public Cloud; Hypervisors; a row of VMs behind them.
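The slide only names DDoS detection and shows no mechanism. As an added example (not from the deck, and not Microsoft's actual detection logic), the Python below shows one defender-side approach that works from flow records exported by the network fabric: count packets per destination VM per time window and require many distinct source addresses before alerting, so that a single busy but legitimate sender (a backup job, for instance) does not trip the detector. The VM names, addresses, thresholds and flow records are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class FlowRecord(NamedTuple):
    ts: float      # seconds since epoch, as a flow collector would export it
    src_ip: str
    dst_vm: str
    packets: int


def detect_floods(records: List[FlowRecord], window_s: int = 10,
                  packet_threshold: int = 5000, min_sources: int = 20) -> List[dict]:
    """Flag destination VMs that, within one window, receive more packets than
    packet_threshold from at least min_sources distinct sources (a many-to-one
    volumetric pattern). Thresholds are constructed assumptions for this example."""
    packets: Dict[Tuple[str, int], int] = defaultdict(int)
    sources: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for r in records:
        bucket = int(r.ts // window_s)          # fixed windows of window_s seconds
        packets[(r.dst_vm, bucket)] += r.packets
        sources[(r.dst_vm, bucket)].add(r.src_ip)

    alerts = []
    for (dst, bucket), count in sorted(packets.items()):
        distinct = len(sources[(dst, bucket)])
        # Volume alone is not enough: one heavy source is a capacity question,
        # many sources converging on one VM in one window is the flood signature.
        if count > packet_threshold and distinct >= min_sources:
            alerts.append({"dst_vm": dst, "window_start": bucket * window_s,
                           "packets": count, "sources": distinct})
    return alerts


def sample_records() -> List[FlowRecord]:
    """Constructed flow records: light web traffic, one heavy single-source
    transfer to a database VM, and a 50-source flood aimed at the web VM."""
    recs = [FlowRecord(1000.0 + i, f"203.0.113.{i}", "vm-web-01", 40) for i in range(5)]
    recs += [FlowRecord(1000.0 + i, "198.51.100.7", "vm-db-01", 2000) for i in range(5)]
    recs += [FlowRecord(1020.0 + (i % 10) * 0.5, f"192.0.2.{i}", "vm-web-01", 300)
             for i in range(50)]
    return recs


if __name__ == "__main__":
    for alert in detect_floods(sample_records()):
        print(f"flood suspected: {alert['dst_vm']} received {alert['packets']} packets "
              f"from {alert['sources']} sources in the window starting at t={alert['window_start']}")
```

The database VM receives 10000 packets in its window, above the threshold, but from one source, so it is not flagged; the web VM's 15000 packets from 50 sources are. In a real deployment the output would feed the filtering that sits in front of the hypervisors, and the thresholds would be derived from each VM's measured baseline rather than fixed.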

Page 16

Network Traffic Isolation

• Hosts and VMs support 802.1Q (VLAN Tagging)
• Each is assigned a VLAN ID
• Enforced across the network fabric
• Firewalls permit inter-VLAN traffic as per policy
• Isolates:
  • Host from guests
  • Mgmt. traffic from guest traffic

Page 17

Network Traffic Isolation

Diagram: Public/Private Cloud with three Hypervisors side by side.

This is to prevent and stop the attacks coming from the inside and from the other VMs.
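As an added example (not the deck's code, and not Hyper-V's or the fabric's implementation), the following Python models the two enforcement points the previous slides describe: the fabric assigns each host or VM port a VLAN ID and enforces it regardless of what tag the sender puts on the frame, and a firewall policy decides which inter-VLAN traffic may be forwarded. It includes a small 802.1Q parser so the VLAN ID is read from a real frame layout rather than assumed. The VLAN numbers, MAC addresses, port names and the inter-VLAN policy are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame and read the VLAN ID from its 802.1Q tag, if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF   # the low 12 bits of the TCI are the VLAN identifier
        offset = 18
    return Frame(dst, src, vlan_id, ethertype, raw[offset:])


def build_frame(dst: bytes, src: bytes, payload: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Build a test frame; passing a VLAN ID inserts an 802.1Q tag (priority 0, DEI 0)."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


# Constructed VLAN plan (an assumption for this example, not the deck's numbering):
# the management VLAN carries host traffic, tenant VLANs carry guest traffic.
MGMT_VLAN = 10
MAC: Dict[str, bytes] = {
    "host-01":      bytes.fromhex("020000000001"),
    "vm-tenantA-1": bytes.fromhex("020000000101"),
    "vm-tenantA-2": bytes.fromhex("020000000102"),
    "vm-tenantB-1": bytes.fromhex("020000000201"),
}
PORT_VLAN: Dict[str, int] = {"host-01": MGMT_VLAN, "vm-tenantA-1": 101,
                             "vm-tenantA-2": 101, "vm-tenantB-1": 102}
MAC_TO_VLAN: Dict[bytes, int] = {MAC[name]: vlan for name, vlan in PORT_VLAN.items()}

# Firewall policy for traffic crossing VLANs: only management may reach the tenant VLANs;
# tenants never reach each other or the management VLAN.
INTER_VLAN_ALLOW: Set[Tuple[int, int]] = {(MGMT_VLAN, 101), (MGMT_VLAN, 102)}


def fabric_decision(ingress_port: str, raw: bytes) -> str:
    """Decide what the fabric does with a frame arriving from the named host or VM port."""
    frame = parse_frame(raw)
    port_vlan = PORT_VLAN[ingress_port]
    # The VLAN is a property of the port, enforced by the fabric. A tag chosen by the
    # sender that disagrees with the port's VLAN is dropped, never honoured.
    if frame.vlan_id is not None and frame.vlan_id != port_vlan:
        return "drop: tag does not match port VLAN"
    dst_vlan = MAC_TO_VLAN.get(frame.dst)
    if dst_vlan is None:
        return "drop: unknown destination"
    if dst_vlan == port_vlan:
        return "forward"                       # same VLAN: switched directly
    if (port_vlan, dst_vlan) in INTER_VLAN_ALLOW:
        return "forward via firewall"          # inter-VLAN traffic permitted by policy
    return "drop: inter-VLAN traffic not permitted"


if __name__ == "__main__":
    cases = [
        ("vm-tenantA-1", build_frame(MAC["vm-tenantA-2"], MAC["vm-tenantA-1"], b"same tenant")),
        ("vm-tenantA-1", build_frame(MAC["vm-tenantB-1"], MAC["vm-tenantA-1"], b"cross tenant", 101)),
        ("vm-tenantA-1", build_frame(MAC["host-01"], MAC["vm-tenantA-1"], b"guest to host", MGMT_VLAN)),
        ("host-01",      build_frame(MAC["vm-tenantB-1"], MAC["host-01"], b"mgmt to guest", MGMT_VLAN)),
    ]
    for port, raw in cases:
        print(f"{port:>13} -> {fabric_decision(port, raw)}")
```

The four cases exercise the isolation the slide lists: guest-to-guest traffic inside one tenant VLAN is switched; traffic between tenant VLANs is dropped by policy; a guest that tags its own frames with the management VLAN is dropped at the port because the fabric, not the VM, owns the VLAN assignment; and management traffic to a guest passes only through the firewall.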

Page 18

DEMO: Network Traffic Isolation

Page 19

Virtualization Security Benefits

Isolation
• Limits security exposure.
• Reduces the spread of risks.

Roll-Back
• Quickly recover from security breaches.

Abstraction
• Limited direct access to hardware.

Portability
• Back-ups and disaster recovery.
• Can switch to standby VMs.

Deployment
• Ability to divide workloads.
• Custom Guest OS security settings.

Page 20

Q: Will I lose control?!!

Page 21

Q: Am I putting all my eggs in one basket?!!

Page 22

Q: Will I lose ownership of my data?!!

Page 23

Questions to ask before moving to the cloud…

• Encryption
• Storage
• Data transfer limits
• Web access
• File size limits
• Auditing policies
• Government involvement

Page 24

Cloud Audit Policies

• What data does my provider log?

• Which logs do I have control over?

• How long do providers keep logs?

• What data does my provider give to me upon request?

• Which Law Enforcement Agency has jurisdiction over my data?

Page 25

Q&A: Questions & Answers

Page 26

Resources

Email: [email protected]

Blog: http://esihere.wordpress.com/

Useful websites:
http://technet.microsoft.com/
http://www.insecuremag.com/
http://technet.microsoft.com/en-us/edge/ff524488

Twitter: http://www.twitter.com/esmaeils

Page 27

Win Cool Prizes!!!

Complete the Tech Insights contests and stand a chance to win many cool prizes…

Look in your conference bags NOW!!

Page 28

We value your feedback!

Please remember to complete the overall conference evaluation form (in your bag) and return it to the Registration Counter on the last day in return for a Limited Edition Gift.