Securing your Cloud Environment
1. Securing your Cloud Environment
Confidential | Copyright 2012 Trend Micro Inc.
Jon Noble
Director, Strategic Alliances & Partnerships
Jon_Noble@trendmicro.co.uk
2. Agenda
• Securing your cloud environment
– (The boring half)
• Why, Who and What…
– (Hopefully the less boring half!)
Source: https://www.flickr.com/photos/flissphil/
4. DC Secure Zone
• Software agent based, multiple solutions required
• Network Security: physical appliance based
• Physical segregation with multiple solutions for: Datacentre, Internal, Hosted Svc, Security
• Firewall, IDS/IPS, Web Reputation
• Traditional Security: internal trust model
• Dynamic Virtual Security: self defending whatever location
• Security controls specific to the workload: IDS/IPS, AV, FW, Log Inspection, File Integrity and Web Reputation
[Diagram: each workload labelled FW, DPI, web]
5. Traditional security has little meaning in a borderless Software Defined Data Center
• Insufficient visibility into East-West traffic & inter-VM attacks
• Static policies cannot keep up with dynamic workloads
• Service provisioning is slow, complex & error-prone
• Disparate security solutions and lack of uniform policies across clouds create an operational nightmare
6. Security for the Cloud World..
Source: https://www.flickr.com/photos/fdecomite/
7. Any Hypervisor or Cloud Environment
• Agent Based Protection
• Physical Machines
• Single Console & Policy Set across all physical, virtual and cloud environments
8. Agentless Protection
• Leverage VMware APIs to provide agentless security
• Reduced CPU/Memory/Storage usage
• Deep Security Virtual Appliance scans network / file access at hypervisor level
• Instant-On Protection
[Diagram labels: ESX/NSX, SAN]
9. Ideals for Cloud Security
• Build a protection ‘bubble’ around every machine
– Use same controls that used to be done at the perimeter
– AV / Firewall / IDS&IPS / Virtual Patching / Web Reputation
– Linux is just as vulnerable as Windows!
• Supplement with host based technologies
– Log Inspection, Integrity Monitoring, Data Encryption
• Utilize Hypervisor features if possible (ESX / NSX)
• Utilize Cloud context awareness if possible (AWS / Azure etc)
• Utilize any built-in security controls (access groups, firewalls, 2 factor authentication etc)
• Feed all logs and events to a SIEM
10. Challenges for Cloud Security
• Context Awareness
– Where is my workload? Which DC / Zone / Public Cloud
Provider? Does it have the right policy?
• Management
– Multiple solutions can require multiple consoles
– Many ‘traditional’ security solutions don’t fit in a virtualised /
cloud environment
– Consider a single solution that offers multiple functionalities
– Ensuring security components are auto-configured in on-demand environments
11. Payment Card Industry (PCI)
Protected Health Information (PHI)
Personally Identifiable Information (PII)
Intellectual Property (IP)
• New threats created every second
• 90% of organizations have active malware
• 55% not even aware of intrusions
• Commercial exploit kits used by virtually all Eastern European cybercriminals
• Average insurance payout from data breach: $3.7M
Why you need to care….
13. So I got compromised… What Happens Next?
• It depends on the attacker…
• Individuals will probably just poke around / cause havoc / launch attacks from your machine...
• Hacktivists will probably release details and go public...
• Organised Criminals will steal as much data as possible to sell on the ‘Deep Web’…
14. What they are looking for…
Source: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
18. Surface Web
• i.e. Clearnet
• What conventional search engines can index
• What standard web browsers can access