Intel Cloud Summit: Greg Brown, McAfee
TRANSCRIPT
![Page 1: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/1.jpg)
Creating Cloud Confidence
Greg Brown, VP, CTO – Cloud and Data Center Solutions
www.mcafee.com/networksecurity
[email protected]
August 2012
![Page 2: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/2.jpg)
Can I Borrow $20?
How About $100,00?
August 28, 2012
![Page 3: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/3.jpg)
And Now?
![Page 4: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/4.jpg)
Should We Think About Data Center the Same Way?
![Page 5: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/5.jpg)
Can We Apply the Security Here?
![Page 6: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/6.jpg)
Challenges: Loss of Physical Controls
![Page 8: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/8.jpg)
Challenges: New Attack Surfaces
(Diagram: the stack on which attack surfaces now appear, in the slide’s order – Data, Application, OS, Processor, BIOS, Hypervisor, Provisioning Platform.)
![Page 10: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/10.jpg)
Challenge: Extending Compliance
(Diagram: Physical → Virtualized → Cloud; tenants Company A and Company B; workloads MFR | ENG | HR.)
![Page 11: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/11.jpg)
Building a Foundation of Client-to-Cloud Security
• Users & intelligent devices – secure the devices: identity, device integrity & data protection
• Public/private clouds (servers, network, storage) – secure cloud datacenters: infrastructure & data protection, audit/compliance
• Private cloud ↔ public cloud – secure the connections: apps, data, traffic
• Common security standards & broad industry collaboration
Cloud Security Mission: Worry-Free Cloud Computing – make cloud security equal to or better than traditional best-in-class enterprise security.
Hardware-enhanced security + software & services are key to achieving the mission.
McAfee Confidential
![Page 12: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/12.jpg)
Up and Down – Integrity
Server infrastructure:
• Endpoint-aware integrity – client/cloud mutual trust
• Real-time integrity – continuous monitoring
• Security stack integrity – security systems operational
• VM integrity – ensure all VMs are “known good”
• Location & asset control – control workload location
• Host integrity – ensure the server is “known good”
• External assessment and reputation
• Digital certificates – validate that the web server is authentic
Will deliver on-going advancements to hardware & software security for greater controls & auditability.
Enabling technologies shown on the slide: Intel Trusted Execution Technology (TXT); Intel Virtualization Technology (VT); MOVE, McAfee Application Control & Change Control; McAfee SiteAdvisor Enterprise; McAfee Cloud Secure; GTI; EMM/MMS, NG Endpoint; Intel Identity Theft Protection (ITP); SIA vendors.
![Page 13: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/13.jpg)
Extending Security to the Virtual Cloud World – Extended Security Policy
(Diagram: virtualized and private cloud data center and public cloud data center; a VMM hosting Sales, Mfg and HR workloads for Company A, Company B and Company C; Intel Trusted Execution Technology is run and reports server “known good” or “issue identified” to McAfee ePO¹.)
• Isolate, protect, control VMs – Intel Virtualization Tech., Intel Trusted Execution Tech., McAfee MOVE AV*
• Provide visibility & reporting – apply security policy at multiple control points
• Monitor workloads across cloud infrastructures – McAfee ePO, Intel TXT
¹ Integrating McAfee ePolicy Orchestrator (ePO) with Intel TXT requires custom integration work
*McAfee MOVE AV = McAfee Management of Optimized Virtualized Environments Anti-Virus
![Page 15: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/15.jpg)
McAfee Datacenter Security – The Heart of a Flexible, Efficient, Secure Next Generation Data Center
Comprehensive Security for Servers
• Blacklisting – advanced anti-malware protection: McAfee VirusScan Enterprise
• Whitelisting – complete protection from malicious code and applications: McAfee Application Control
• System control – server configuration control and tracking against internal “gold standards”: McAfee Change Control
• Virtualization – advanced anti-malware protection extended to the virtual machines: McAfee MOVE-AV
Security Management
![Page 16: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/16.jpg)
McAfee Datacenter Security – The Heart of a Flexible, Efficient, Secure Next Generation Data Center
Reliable Real-Time Protection for Business-Critical Databases
• Database discovery and comprehensive vulnerability assessment: McAfee Vulnerability Manager for Databases
• Non-intrusive, real-time database visibility & protection across all threat vectors: McAfee Database Activity Monitoring
• Patch databases without downtime: McAfee Virtual Patching for Databases
![Page 17: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/17.jpg)
McAfee Datacenter Security – The Heart of a Flexible, Efficient, Secure Next Generation Data Center
Industry-Leading Next Generation Network Protection Solutions
• Protection of network-connected devices against targeted attacks: McAfee Next Generation IPS
• High-assurance, strong next-generation firewall capabilities, including application visibility: McAfee Next Generation Firewall
• Advanced threat response, behavioral analysis and access control solutions for the network: McAfee Network Threat Response, McAfee Network Access Control and McAfee Network Threat Behavior Analysis
![Page 18: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/18.jpg)
McAfee Datacenter Security – The Heart of a Flexible, Efficient, Secure Next Generation Data Center
Comprehensive Security for Storage Devices
• Continuous protection for storage devices and their data – scan, detect and quarantine files on NAS storage devices (NetApp, EMC, Hitachi, SharePoint, etc.): McAfee VirusScan Enterprise for Storage
![Page 19: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/19.jpg)
McAfee Data Center Security – The Heart of a Flexible, Efficient, Secure Data Center
Unified Security Management and Powerful Threat Intelligence
• High-performance security information and event management (SIEM) solutions for complete visibility and situational awareness to protect critical information and infrastructure: McAfee SIEM
• Single management console for McAfee security products and over 130 partner-integrated products: McAfee ePO
• Comprehensive threat intelligence from over 150 million sensors across the web, channeled into all products in real time: McAfee Global Threat Intelligence
![Page 20: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/20.jpg)
Connecting to the Cloud With Confidence
• Flexible deployment options – on-premise, SaaS or virtual
• Protection and policies across email and web channels
• Confidence to migrate data safely to the public cloud
• Unify identity policies across SaaS and federated solutions
(Diagram: McAfee ePolicy Orchestrator and Global Threat Intelligence spanning a cloud ecosystem of Identity Management, Web Security, Data Loss Prevention and Email Security, connecting enterprise private cloud applications, mobile users and enterprise users.)
![Page 21: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/21.jpg)
McAfee’s Tailored Data Protection Methodology
1. Discover and Learn – find all your sensitive data wherever it may be
2. Assess Risk – ensure secure data handling procedures are in place
3. Define Effective Policies – create policies to protect data and test them for effectiveness
4. Apply Controls – restrict access to authorized people and limit transmission
5. Monitor, Report and Audit – ensure successful data security through alerting and incident management
![Page 22: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/22.jpg)
Cloud Identity Manager
(Diagram: internal users on mobile or laptop – any device, any time, anywhere – access 100s of external SaaS apps through McAfee Cloud Identity Manager, which provides SSO, strong authentication and account provisioning and is backed by AD, LDAP, database, SAML IdP, OpenID, etc.)
![Page 23: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/23.jpg)
Security and Cloud Adoption
(Diagram: Physical → Virtualized → Cloud (IaaS, PaaS); workloads MFR | ENG | HR.)
• Sustained investment
• Continuous protection
• Unified security process
• Optimized performance
• Enable adoption
• Ensure compliance
![Page 24: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/24.jpg)
![Page 25: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/25.jpg)
Usage Case: Financial Transaction Clearinghouse
(Diagram: financial transaction records flow from the service provider’s clearing house through FW/DLP/… to the financial institution. Labels: Bot; FW: protocol secure ✔; FW: intended destination ✔.)
There is no model to create awareness of the health of the system receiving the data. This is generally true of all systems outside the perimeter.
![Page 26: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/26.jpg)
Financial Transaction Clearinghouse
(Diagram: financial transaction records flow from the clearing house through a FW to the financial institution; FW: protocol secure ✔; FW: intended destination ✔; an assessment reports the receiving service Healthy ✔, and data is transmitted based on the health measure of the service.)
McAfee is well positioned both in technology assets and in brand permission to become the standard for conveying system integrity across management domains.
![Page 27: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/27.jpg)
Trapezoid RSA Demo: Enabling Private Cloud Adoption
(Diagram: hypervisor server in the corporate data center; the virtual server is provisioned to the DC; ePO is not aware of hypervisor or physical server risks.)
A system admin in finance builds a new payroll application on a virtual server. Once the application server is built, the system admin turns it over to the DC operations team to deploy on the PRIVATE CLOUD infrastructure. The system admin is blind to all of the underlying infrastructure. ePO has no visibility into the hypervisor or the infrastructure today.
![Page 28: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/28.jpg)
Sample Usage Case: Enabling Public Cloud Adoption
(Diagram: hypervisor servers in the corporate data center and in the public cloud data center, both marked TRUSTED; the corporate ePO provisions the virtual server to the DC and DC Ops pushes the virtual server to the cloud provider; the cloud provider runs its own ePO; “Safe Private Cloud Enabled”, “Safe Public Cloud Enabled”.)
1. TXT signals TRUSTED hypervisor to ePO
2. ePO sends integrity to GTI
3. Customer ePO queries GTI for integrity
4. Payroll application reported compliant while running in the public cloud
Net result: CIO public cloud objectives enabled; cloud provider preferred over others – greater value!
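The four-step flow above and the clearinghouse usage case on the earlier slides describe one mechanism: a receiver’s integrity verdict is published to a shared registry, and a sender consults that verdict before releasing data. The Python model below is an added illustration, not McAfee or Intel code. It stands in for TXT with a SHA-256 launch measurement compared against a known-good value, models GTI as an in-memory registry, and assumes (the slides do not say how this is done) that each integrity report carries an HMAC from the reporting ePO so the querying ePO can verify who issued it. Host names, keys, hypervisor images and timestamps are constructed. The sender fails closed on every gap the slides point at: no report, a report from an unknown reporter, a stale report, or an UNTRUSTED verdict.

```python
"""Attestation-gated data transfer: a model of the TXT -> ePO -> GTI -> customer
ePO flow and the clearinghouse rule 'transmit only to a healthy receiver'.
Added illustration, not McAfee or Intel code. Hosts, keys, images and
timestamps below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

# Stand-in for TXT (step 1): the launch measurement is a digest of the hypervisor
# image, and the host is TRUSTED only if it matches a known-good value.
KNOWN_GOOD = {hashlib.sha256(b"hypervisor-build-2012.08-good").hexdigest()}
MAX_REPORT_AGE = 300.0  # seconds; an older report is treated as unknown


def measure(hypervisor_image: bytes) -> str:
    return hashlib.sha256(hypervisor_image).hexdigest()


def txt_verdict(measurement: str) -> str:
    return "TRUSTED" if measurement in KNOWN_GOOD else "UNTRUSTED"


@dataclass(frozen=True)
class IntegrityReport:
    host: str
    verdict: str
    issued_at: float
    tag: str  # HMAC from the reporting ePO (assumption: not described on the slides)


def sign(key: bytes, host: str, verdict: str, issued_at: float) -> str:
    msg = f"{host}|{verdict}|{issued_at:.0f}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class GTI:
    """Toy stand-in for the shared integrity registry: latest report per host."""

    def __init__(self) -> None:
        self._reports = {}

    def publish(self, report: IntegrityReport) -> None:
        self._reports[report.host] = report

    def query(self, host: str):
        return self._reports.get(host)


def provider_epo_report(gti: GTI, key: bytes, host: str,
                        hypervisor_image: bytes, now: float) -> str:
    """Step 2: the cloud provider's ePO publishes the TXT verdict for a host."""
    verdict = txt_verdict(measure(hypervisor_image))
    gti.publish(IntegrityReport(host, verdict, now, sign(key, host, verdict, now)))
    return verdict


def receiver_is_healthy(gti: GTI, key: bytes, host: str, now: float,
                        max_age: float = MAX_REPORT_AGE):
    """Step 3: the sender's ePO queries GTI. Fails closed on any missing piece."""
    r = gti.query(host)
    if r is None:
        return False, "no integrity report for receiver"
    expected = sign(key, r.host, r.verdict, r.issued_at)
    if not hmac.compare_digest(expected, r.tag):
        return False, "integrity report not from a trusted reporter"
    if now - r.issued_at > max_age:
        return False, "integrity report stale"
    if r.verdict != "TRUSTED":
        return False, "receiver hypervisor UNTRUSTED"
    return True, "receiver healthy"


def send_transaction(gti: GTI, key: bytes, host: str, record: bytes, now: float) -> dict:
    """Clearinghouse policy: release the record only when the receiver is healthy."""
    ok, reason = receiver_is_healthy(gti, key, host, now)
    if not ok:
        return {"sent": False, "reason": reason}
    return {"sent": True, "reason": reason, "bytes": len(record)}


def demo() -> None:
    gti, key = GTI(), b"constructed-shared-epo-key"
    provider_epo_report(gti, key, "host-a", b"hypervisor-build-2012.08-good", 1000.0)
    provider_epo_report(gti, key, "host-b", b"hypervisor-build-tampered", 1000.0)
    for host, now in (("host-a", 1100.0), ("host-b", 1100.0),
                      ("host-a", 2000.0), ("host-z", 1100.0)):
        print(host, now, send_transaction(gti, key, host, b"TXN-0001", now))


if __name__ == "__main__":
    demo()
```

The freshness window matters in practice: a hypervisor that was known good an hour ago says nothing about its state now, which is why the slides call for real-time integrity and continuous monitoring rather than a one-time check.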
![Page 29: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/29.jpg)
Cut Costs and Increase the Level of Content and Data Protection
• Proliferation of technology at the gateway – adoption of point solutions has increased operational costs
(Diagram: users and data behind a chain of point solutions – firewall, proxy, anti-virus, web exploit protection, URL filter, SSL inspection, instant messaging inspection, cache; McAfee Web Gateway.)
![Page 30: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/30.jpg)
Types of SSO Connectors
• SAML – SAML2 or SAML 1.1 federation
• Proprietary – custom method supported by the target application
• Agent – an agent needs to be installed on the target app; Java, .NET, and PHP agents available today
• HTTP-Post – username/password are captured during first login, and an automated HTTP form post is performed in subsequent logins
![Page 31: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/31.jpg)
Front-end Authentication into Cloud Identity Manager
• Username/Password – user store: directory (AD / LDAP), database, CAS
• 2-factor authentication – OTP (built-in); facial recognition (through partner BioID)
• First mile SSO – AD IWA; 3rd-party IdM session (such as CA SiteMinder); accept SAML assertion
• Internet identity providers – Facebook; OpenID (Google, Yahoo, PayPal, etc.); SAML (Salesforce)
![Page 32: Intel Cloud Summit: Greg Brown McAfee](https://reader033.vdocuments.site/reader033/viewer/2022052505/554d31ceb4c905c5208b5686/html5/thumbnails/32.jpg)
Strong Authentication Features
• Software OTP – coverage across multiple devices and delivery methods; simple & fast to roll out with user self-enrollment: mobile token (Pledge), USB key (YubiKey), email; runs on all platforms: iPhone, BlackBerry, WinMobile, etc.
• Silicon OTP – embedded in Ultrabooks; IPT – secure ME layer in the Intel chip; “hardens” software OTP; attests that SSO came from a corporate-issued laptop
Deliver a more secure cloud SSO by invoking strong auth from hardware or mobile software clients.