Who owns security in the cloud
1. Who Owns Security in the Cloud?
Dave Asprey • VP Cloud Security
Trend Micro Confidential 7/25/2011 Copyright 2011 Trend Micro Inc. 1
2. Cloud Computing in the 21st Century
Cloud computing accounts for unparalleled benefits in…
• Efficiencies
• Cost savings
• Scalability
Infrastructure as a Service (IaaS)
• Simplified, pay-per-use IT
  Outsourced networking, storage, server, and operational elements
• Offers greater autonomy than Software as a Service (SaaS) for more security controls
3. Cloud Computing Challenges
Numerous new compliance issues
Potential areas of data security risk
Invalidates traditional approaches to security
Where does security responsibility and accountability lie?
4. Why use the Cloud?
Public Cloud Benefits
• OPEX (Operating Expense) vs. CAPEX (Capital Expense)
• Avoids expenditure on hardware, software and other infrastructure services
• Firms dynamically scale according to their computing needs in real-time
Private Cloud Benefits
• Increases flexibility
• Improves responsiveness to internal customers’ needs
• Improves business agility
5. Perimeter Security Isn’t Dead
TWO SCENARIOS TO SECURING THE CLOUD
6. Perimeter Security
Traditional perimeter security models and the cloud
• Firewalls, intrusion prevention, standard security functionality
• Additional security levels required in the cloud
Perimeter security now becoming part of overall security architecture within the cloud
• Extend firm’s perimeter into the cloud
• Extend cloud inside firm’s perimeter
7. Extending your Perimeter to the Cloud: Scenario #1
Approach
• Create an IPSec VPN tunnel to your public cloud provider’s servers
• Enterprise-grade security in the public cloud server
• Security software and virtual appliances
Benefits
• Simplified, pay-per-use IT
  Outsourced networking, storage, server, and operational elements
• Offers greater autonomy than Software as a Service (SaaS) for more security controls
8. Scenario #1
Risks
• May introduce risks associated with the security of the secured cloud to your architecture
• Creates additional perimeter to secure
• Cloud servers subjected to new threats
• Not given cloud provider’s physical or admin access logs
• Shared storage
• Public cloud providers are not as strict on security
• Reimbursement for data breach
Mitigation
• Maintain access logs
• Data encryption should be standard
• Cloud and internal servers should monitor for suspicious traffic
• Add an extra DMZ and firewall
• Security on cloud servers
• IDS/IPS bi-directional firewall etc.
• With critical data in the cloud
• Look for strict adherence to security best practices
• Examine your provider’s SLAs and security policy
• ISO 27001 and SAS70 II
9. Extending the Cloud into the Enterprise: Scenario #2
Approach
• Cloud extends inside your perimeter
• Involves agreeing to
• an IaaS public cloud provider
• Or cloud-based MSSP installing a cloud node on site.
Benefits
• Increasingly popular among larger enterprises
• Well understood model
10. Scenario #2
Risks
• Lack of visibility into physical and/or access logs remains
• Liability for negligence
• Reimbursement for cost of service only
• Providers have access to your network and application data
• Must be trusted
11. How to Manage the Gaps in your Cloud Security Policies?
Secure your cloud servers as you secure internal servers
– IDS/IPS, DLP tools
– bi-directional firewall
– Encryption
Vital to understand how much network monitoring and access your provider allows
Encryption of data is important
Accelerated speed in which servers are created in the private cloud
Must be properly managed by IT
12. Securing the Cloud Successfully
Enterprises
• Store encryption keys in a separate location
• Not accessible to the cloud provider
• Deploy all security tools in the cloud
Cloud providers
• Be transparent regarding… security policies, procedures, network traffic
• Clarify SLAs so… customers are clear on security features
Private cloud environments
• Create a central authorization process
• Be prepared
13. Thank you
To read more on Securing Your Journey to the Cloud, visit
www.cloudjourney.com