TRANSCRIPT
Business Technology Briefing:
Realities of the Secure Cloud
Dean Coza
Director, Product Management Security
VMware
Gabe Kazarian
Global Product Manager, Trusted Cloud and Hosting
CSC
22 June 2011
Realities of the Secure Cloud
© CSC 2010 3
IaaS Addresses Business Imperatives

Four imperatives: Become More Agile, Innovate, Be More Cost Effective, Preserve Capital.

• Align infrastructure with business need
• Use what you need, only when you need it
• Refocus IT staff on business value
• Free up capital for strategic investments
• Shift from CAPEX to OPEX to improve ROI
• Manage IT sprawl and contain the infrastructure
• Break down IT barriers to create new products
• Mitigate risk and improve ROI for new initiatives
• Get started without IT capital or lead times
• Accelerate cycle time
• Expand and contract resources as needed
• Relieve constraints based on IT's capacity to deliver
Security and Compliance Concerns in Detail

Stakeholders: Infrastructure Team, Security Operations Team, Compliance Officer.

Both security and proof of compliance are required to build trust in your cloud.

Typical concerns:
• "How do I verify that confidential and regulated data is secure in the cloud? How do I implement compliance audits for resources in the cloud?"
• "How can I manage security policies across virtual desktops, servers and networks?"
• "I have too many VLANs for segmenting traffic and securing applications. I can't keep up."
CSC Trusted Cloud ― Defense-in-Depth Security Framework

Access Control
• Authentication, authorization, and access
• Antispoofing
• CSC Audit Log Assurance*
• Key shield encryption*
• Secure VLANs
• Virtual and network perimeter firewalls

Data Integrity*
• Scheduled and ad hoc security scanning
• Security incident response 24x7
• Annual SAS 70 Type II review
• Antivirus services
• Vulnerability scanning for compliance

Logical Security
• Client data isolated
• Client separation via firewalls
• Hypervisor isolation for network adapters
• ITIL standards
• Network intrusion detection

Physical Security
• Access-controlled Tier 2/3 data centers
• Servers in secure suites or cages
• Video surveillance monitored 24x7
• Personnel background checks
• Multifactor authentication
• Separation of staff duties

* Optional service
CSC Addresses Challenges of Cloud Adoption

Security
  Challenge: Risk associated with high-profile enterprise or LOB applications with compliance requirements
  Solution: Implement a private cloud billed as a service, on premises behind your firewall

Availability
  Challenge: Inability to meet availability requirements and protect against disruption to business operations
  Solution: Select a cloud capable of supporting production, mission-critical workloads; gain the ability to match workloads to the right level of service required

Integration
  Challenge: Gaining the elasticity of cloud with the required security
  Solution: Use a hybrid cloud approach to meet the desired cost and security profile

Execution
  Challenge: Lack of the right mix of skills and resources to deploy and manage cloud environments
  Solution: Select a supplier with the experience and capabilities to deploy and manage your cloud from the OS layer through the entire application stack
CSC Cloud Deployment Models — IaaS CloudCompute

1. Virtual Private (off premises)
  • Dedicated access
  • At CSC data centers
  • Capacity: projection-based
  • Requires minimum commitment for 3 months
  • Standard rate card applies

2. Private (on premises)
  • Behind client firewall
  • Capacity: projection-based
  • Minimum capacity commitment and annual term
  • Standard rate card applies over minimum

3. Public (off premises)
  • Leveraged
  • At CSC data centers
  • Capacity: virtually unlimited
  • Standard rate card applies

Diagram label: Biz Cloud
Ugly Truth – Current Enterprise Data Center Security & Networking

Diagram labels: vSphere, Users, Sites, Backend Services, DMZ, Web, View.

Security and networking functions spread across today's data center:
- Network segmentation, firewalls, IDS/IPS
- Server A/V agents
- App | data | identity aware security, compliance
- DMZ firewall, NAT, IPAM, VR
- Site and user VPNs
- Web load balancers
- Desktop A/V agents
- DLP, FIM, white listing
Goal 1. Virtualize Security Infrastructure

Diagram labels: Users, Sites, DMZ, Web Servers, Apps / DB Tier.

1. Virtualize and consolidate security functions into the hypervisor
2. This leads to a much simplified, agile architecture
Goal 2. Secure vApps Simplify Cloud Deployments

Diagram labels: Users, Sites, Secure IaaS, Secure vApp.
Dramatically Simplified vApp Protection in Virtual Environments

Elastic Logical Trust Zones: VMs are assigned to enclaves and sub-enclaves. Built-in logical containers improve security posture and eliminate time-consuming, complex network security management.

Enclave: organizational network (department). Integrated "air gap" (DMZ, PCI).
  1. Allow Enclave to Enclave

Sub-enclave: VDI desktops belonging to the same organizational network or "trust zone".
  1. Allow Sub-enclave to Enclave
  2. Deny Sub-enclave to Sub-enclave

Advanced Protection: change VM vNIC membership from enclave to Quarantine or Monitoring.
  1. Deny All/All
  2. Allow access by Incident Response
  • Monitoring Zone is a reusable container

Micro Segmentation: leverage built-in containers.
  1. Deny Web server access to DBs
  Leverage vApp net flows:
  1. Allow identified applications

Advanced Dynamic Zones: improved visibility and control (DLP & IDS).

Outcomes: better protection, FW rule reduction, Opex savings.

Diagram labels: Bus logic, Web, DBs, VDI.
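The enclave, sub-enclave, micro-segmentation and quarantine rules on this slide amount to a container-based policy: every rule names a container or a relationship between containers, and a VM picks up its policy from where its vNIC is attached. The following is an added example, not vShield or CSC code, that models that scheme as an ordered first-match rule list in Python. The department names, VM names, the tier names web/db/vdi, port 5432 and the "ir" container for incident-response hosts are assumptions made for the illustration.

```python
"""Container-based access policy modelled on the slide's enclave / sub-enclave /
quarantine scheme.

Added example: this is not VMware vShield or CSC code. Container names, VM names,
tier names and the port number are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Membership:
    """Where a VM's vNIC is attached: an enclave (the department network) and,
    optionally, a sub-enclave inside it such as its VDI pool or a vApp tier."""
    enclave: str
    sub: Optional[str] = None


# Special containers (assumed names). Moving a vNIC here replaces its enclave
# membership; that is the slide's "change VM vNIC membership from enclave to
# Quarantine or Monitoring" step and the only thing quarantine() changes.
QUARANTINE = Membership("quarantine")
MONITORING = Membership("monitoring")
INCIDENT_RESPONSE = Membership("ir")


@dataclass(frozen=True)
class Rule:
    action: str                                    # "allow" or "deny"
    match: Callable[[Membership, Membership, int], bool]
    note: str


def _special(m: Membership) -> bool:
    return m.enclave in ("quarantine", "monitoring")


# Ordered list, first match wins, implicit deny at the end. Rules are applied
# to the side that opens the connection (stateful firewall semantics assumed).
# No rule names a VM or an address, so the list stays the same size as VMs are
# added, removed or moved between containers.
RULES = [
    Rule("allow", lambda s, d, p: d == QUARANTINE and s == INCIDENT_RESPONSE,
         "Quarantine: allow access by Incident Response"),
    Rule("deny", lambda s, d, p: _special(s) or _special(d),
         "Quarantine / Monitoring: deny all/all"),
    Rule("allow", lambda s, d, p: s.enclave == d.enclave and s.sub == "web"
         and d.sub == "db" and p == 5432,
         "vApp net flow: allow the identified application (web -> db, 5432/tcp)"),
    Rule("deny", lambda s, d, p: s.sub == "web" and d.sub == "db",
         "Micro-segmentation: deny web server access to DBs"),
    Rule("deny", lambda s, d, p: s.sub == "vdi" and d.sub == "vdi",
         "Deny sub-enclave to sub-enclave (no desktop-to-desktop traffic)"),
    Rule("allow", lambda s, d, p: s.sub == "vdi" and s.enclave == d.enclave,
         "Allow sub-enclave to enclave (desktops reach their department's servers)"),
    Rule("allow", lambda s, d, p: s.enclave == d.enclave,
         "Allow enclave to enclave (traffic inside one department)"),
]
IMPLICIT_DENY = "Implicit deny: no relationship between containers (air gap)"

# Constructed inventory: two departments with servers and VDI pools, the
# finance vApp split into web and db tiers, and one incident-response host.
VMS: Dict[str, Membership] = {
    "fin-app01": Membership("finance"),
    "fin-web01": Membership("finance", "web"),
    "fin-db01": Membership("finance", "db"),
    "fin-vdi01": Membership("finance", "vdi"),
    "fin-vdi02": Membership("finance", "vdi"),
    "hr-app01": Membership("hr"),
    "hr-vdi01": Membership("hr", "vdi"),
    "ir-jump01": INCIDENT_RESPONSE,
}
_saved: Dict[str, Membership] = {}   # pre-quarantine membership, for release()


def decide(src: Membership, dst: Membership, port: int) -> Tuple[str, str]:
    """Return (action, matching rule) for a connection src -> dst on port."""
    for rule in RULES:
        if rule.match(src, dst, port):
            return rule.action, rule.note
    return "deny", IMPLICIT_DENY


def allowed(src_vm: str, dst_vm: str, port: int) -> bool:
    return decide(VMS[src_vm], VMS[dst_vm], port)[0] == "allow"


def quarantine(vm: str) -> None:
    """Isolate a VM by re-attaching its vNIC; no rule is edited."""
    _saved.setdefault(vm, VMS[vm])
    VMS[vm] = QUARANTINE


def release(vm: str) -> None:
    """Return a quarantined VM to the container it came from."""
    VMS[vm] = _saved.pop(vm)


if __name__ == "__main__":
    for src, dst, port in [("fin-vdi01", "fin-app01", 443), ("fin-vdi01", "fin-vdi02", 445),
                           ("fin-web01", "fin-db01", 5432), ("fin-web01", "fin-db01", 22),
                           ("hr-app01", "fin-app01", 443)]:
        print(f"{src} -> {dst}:{port}", decide(VMS[src], VMS[dst], port))
    quarantine("fin-web01")
    print("app -> quarantined web:", decide(VMS["fin-app01"], VMS["fin-web01"], 80))
    print("IR -> quarantined web:", decide(VMS["ir-jump01"], VMS["fin-web01"], 22))
```

Two things worth noticing. quarantine() edits no rule: it only re-attaches the vNIC, and the deny-all/all plus the incident-response exception take effect on the next connection attempt. And the rule list stays at seven entries however many VMs exist, which is the "FW rule reduction" the slide claims over per-host rules. Order matters under first-match evaluation: the identified-application allow has to precede the generic web-to-DB deny, or the vApp's own database traffic is silently blocked.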
vShield Endpoint: Offload Anti-virus Processing for Endpoints

Benefits
• Improve performance by offloading anti-virus functions in tandem with AV partners
• Improve VM performance by eliminating anti-virus storms
• Reduce risk by eliminating agents susceptible to attacks, and enforce remediation
• Satisfy audit requirements with detailed logging of AV tasks
Clouds Come in Different Shapes and Sizes

Pharmaceutical Company
Need: Creation of private cloud services to in-source Amazon workloads and provide compliant IaaS services to internal customers
Solution: On-premises private cloud based on Vblock, with full DR and backup at the compute and network layer. The solution includes orchestration, a provisioning portal and a standard service catalog.

Educational Testing Company - ETS
Need: Move an application from Amazon to a high-availability cloud. Create a private cloud for projects to support new application development and a virtualization project.
Solution: Off-premises private cloud in the CSC Newark Datacenter with hybrid integration to the existing applications architecture. Standardization of the service catalog and of configurations for the OS and application stack.
Clouds Come in Different Shapes and Sizes

Vanity Fair Corporation
Need: Testing environment for SAP
Solution: Rapid deployment of a testing environment to help enforce standard configurations in the user community. Template-based SAP testing environment.

Large Aircraft Manufacturer
Need: Rogue public cloud usage poses compliance and security issues
Solution: Select a provider of Trusted Clouds that will provide the service on an "hourly rate" card for off-premises private and public cloud infrastructure, with development and test functionality

Blackboard Student Services
Need: Rapid application modernization
Solution: An on-demand development and test delivery mechanism with guaranteed SLA and security/compliance reporting
CSC Proprietary and Confidential
Thank You