Tech Insights 2011 SEA - Security from the Ground Up to the Cloud
TRANSCRIPT
Security from the Ground Up to the Cloud…
Esmaeil Sarabadani
Systems and Security Consultant
Redynamics Asia Sdn. Bhd.
What will be covered…
• An overview on Public and Private Clouds and their building blocks
• Cloud security concerns
• Cloud Defense-in-Depth approach
• Security in the cloud virtualized environment
• Data and network traffic isolation in the cloud
• Control and ownership of the data in the cloud
• Questions to ask before moving to the cloud
What is the cloud?!!
• It’s nothing supernatural.
• It’s been with you for a long time.
• It’s used for social activities, entertainment, business and more.
• It brings more: Availability, Reliability, Scalability, Affordability, Security
Public Cloud
• Everything is hosted by a cloud service provider.
• You will have to pay for the cloud service you are using.
• Security and data protection are guaranteed.
• You will have to follow the cloud service provider’s policies.
Private Cloud
• Everything is hosted on premise.
• You will have to pay only once for the licenses and the implementation.
• Security and data protection are entirely your responsibility.
• You will not have to follow any cloud service provider’s policies.
Whatever…
Microsoft Public Cloud vs. Private Cloud
Microsoft Cloud Building Blocks
Compute / Network / Storage
Hyper-V Based Hypervisor
System Center Virtual Machine Manager
Admin / Tenant Interfaces
AuthN, AuthZ, Auditing
Cloud Security Concerns
• Protecting the virtualized environment
• Data isolation
• Firewall configuration
• Complexity
• Hypervisor security issues
• The geographical location of data
• Complicated audit and forensics
Cloud Defense-in-Depth Approach
Layer Defenses
Data:
• Windows Security Model for Access Control and Auditing
• System Center Data Protection Manager for Data Availability
Application:
• User Identification and Authorization
• Application-Layer Malware Protection
Host:
• Host Boundaries Enforced by External Hypervisors
• Host Malware Protection
Network:
• VLAN and Packet Filters in Network Fabric
• Host Firewall to Supplement & Integrate IPSec Isolation
Perimeter:
• Control Access to Portals / Services using UAG
• Controlled Egress Filtering using TMG
Data Isolation and Hypervisor
[Diagram: Physical Hardware / Hypervisor / Root VM, Guest VM, Guest VM, Guest VM; one guest is labelled Hacked, the others Healthy, and the path from the hacked guest to the others is labelled No Access]
Virtualization Architecture
[Diagram: Ring -1: Hypervisor, sitting above CPU, NIC and Storage. Ring 0: Root Partition (Kernel, Drivers, Server Core, Virtualization Stack) and Guest Partitions (Guest OS), connected over the VMBus. Ring 3: Guest Applications]
Hypervisor:
• Isolation boundary between partitions.
• Only 600 KB in size
Root Partition:
• Mediates all access to the hypervisor
• Server Core minimizes attack surface
• ~50% less patching required
Guest Partitions:
• Guests cannot interfere with each other
• Dedicated VMBus channel
DEMO: Data Isolation
Where is my data located?
Choose where to store your data …
DEMO: The Location of Data
Network Security
How DDoS attacks are detected and stopped in Microsoft public cloud network …
[Diagram: Hackers sending traffic at rows of VMs hosted on Hypervisors inside the Microsoft Public Cloud network]
Network Traffic Isolation
• Hosts and VMs support 802.1Q (VLAN tagging)
• Each is assigned a VLAN ID
• Enforced across the network fabric
• Firewalls permit inter-VLAN traffic as per policy
• Isolates:
  • Host from guests
  • Mgmt. traffic from guest traffic
[Diagram: Public/Private Cloud with three Hypervisors on a shared network fabric, each VLAN kept separate]
Network Traffic Isolation
This is to prevent and stop the attacks coming from the inside and from the other VMs.
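The isolation rule the slides describe (frames carry an 802.1Q VLAN ID, same-VLAN traffic flows, inter-VLAN traffic only where the firewall policy permits it) worked through as a small added example; this is not code from the slides or from any Microsoft product. The VLAN numbers, the tenant names and the firewall policy are constructed sample values, and treating an untagged frame as a drop is an assumption of this example.

```python
# Added example: parse the 802.1Q tag of an Ethernet frame and apply the
# VLAN isolation rule from the slide. Sample VLAN IDs and policy are constructed.
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_vlan_frame(frame: bytes):
    """Return (dst_mac, src_mac, vlan_id, ethertype, payload).
    vlan_id is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vlan_id = tci & 0x0FFF  # low 12 bits of the TCI; PCP and DEI occupy the top 4
    return dst, src, vlan_id, inner_type, frame[18:]


def build_tagged_frame(dst, src, vlan_id, ethertype=0x0800, payload=b"", pcp=0):
    """Build a constructed 802.1Q-tagged frame for testing the rule below."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


MGMT_VLAN = 10                                    # constructed: management traffic
TENANT_VLAN = {"tenant-a": 100, "tenant-b": 200}  # constructed: one VLAN per tenant
# Constructed firewall policy: (src_vlan, dst_vlan) pairs explicitly permitted.
# Management may reach tenants; tenants never reach each other or management.
FIREWALL_POLICY = {(MGMT_VLAN, 100), (MGMT_VLAN, 200)}


def forwarding_decision(frame: bytes, dst_port_vlan: int, policy=FIREWALL_POLICY) -> str:
    """Decide whether a frame may be delivered to a port that belongs to dst_port_vlan."""
    _, _, vid, _, _ = parse_vlan_frame(frame)
    if vid is None:
        return "drop: untagged frame rejected by fabric"   # assumption of this example
    if vid == dst_port_vlan:
        return "forward: same VLAN"
    if (vid, dst_port_vlan) in policy:
        return "forward: inter-VLAN permitted by firewall policy"
    return "drop: inter-VLAN traffic not permitted"
```

In a real deployment the host's virtual switch applies the tag at the VM's port, so a guest cannot pick its own VLAN ID by tagging its frames; that is what "enforced across the network fabric" buys you.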
DEMO: Network Traffic Isolation
Virtualization Security Benefits
Isolation:
• Limits security exposure.
• Reduces spread of risks.
Roll-Back:
• Quickly recover from security breaches.
Abstraction:
• Limited direct access to hardware.
Portability:
• Back-ups and disaster recovery.
• Can switch to standby VMs.
Deployment:
• Ability to divide workloads.
• Custom Guest OS security settings.
Q: Will I lose control ?!!
Q: Am I putting all my eggs in one basket?!!
Q: Will I lose ownership of my data?!!
Questions to ask before moving to the cloud…
• Encryption
• Storage
• Data transfer limits
• Web access
• File size limits
• Auditing policies
• Government involvement
Cloud Audit Policies
• What data does my provider log?
• Which logs do I have control over?
• How long do providers keep logs?
• What data does my provider give to me upon request?
• Which Law Enforcement Agency has jurisdiction over my data?
Q&A: Questions & Answers
Resources
Email: [email protected]
Blog: http://esihere.wordpress.com/
Useful websites:
http://technet.microsoft.com/
http://www.insecuremag.com/
http://technet.microsoft.com/en-us/edge/ff524488
Twitter: http://www.twitter.com/esmaeils