TA3901 – Security and the Cloud

Ahmed Sallam, Senior Technologist, Software Architecture & Strategy, Chief Software Architect, McAfee
Ken Owens, Vice President Security and Virtualization Technology, Savvis
Security and Virtualization
What The Risks and Opportunities Are
Ahmed Sallam
Senior Technologist, Software Architecture & Strategy
Chief Software Architect
What The Session Is About

• This session examines two things:
  – Virtualization as a new system architecture layer:
     • Is it secured?
     • Is there malware targeting virtual environments?
     • Is it bad for security?
     • Can it be good for system security and how?
     • Quick look into VMsafe: More focus on VMsafe CPU/Memory
  – Securing the virtual infrastructure
     • Security consideration for cloud environment
     • Reference Architecture
     • How to define a SLA for Cloud Security?
     • How to evaluate the security offerings by cloud providers?




                                                             Confidential McAfee Internal Use Only
Part 1:

V12N SECURITY FROM A SYSTEM ARCHITECTURE PERSPECTIVE
What Is Systems & Applications Virtualization?

• Decoupling of operating systems from the hardware via a VMM
• The hardware being:
   – CPU, memory, I/O (network, storage, graphics, audio, etc.)
• Operating systems run concurrently on top of the same hardware
• Core virtualization support in the processor
   – CPUs support I/O and memory virtualization
   – Reducing the functionality and size of the hypervisor (VMM)
   – Control access to CPU, memory and I/O resources from underneath the OS
• Virtual images:
   – Entire computing environment in a file: memory, OS, applications, etc.
• Hypervisor provisioning: (a) on the fly (b) persisted (c) TXT & TPM
• Applications virtualization:
   – Decoupling of OS from applications via virtual application images
   – OS and applications in separate virtual image files
   – Virtual application and OS delivered on the fly
• Virtual machines management, single unit of operations:
   – Snapshot, cloning, migration, powering on/off
• Does any of the above impose new security risks and/or challenges?
Risk of New Security Attacks (1)

• Malicious hypervisor (hyperjacker) attacks
   – TXT not present (older systems) and/or disabled
   – Malicious hypervisor injected on the fly (web surfing, exploitation, local)
   – Worse if the hyperjacker boots first and supports nesting of hypervisors
• Malware attacking the virtual environment from within
   – Malware can detect the virtual environment via:
       • Vendor’s in-guest modules (processes, services, device drivers)
       • Changes to processor tables and behavior when virtualization is on
   – Attacking in-guest virtualization code
   – Infecting VM memory, registry and files to survive VM operations
   – Malicious hypercalls
• Attacking the hypervisor (Virtual Machine Monitor):
   – Remote exploitation
   – Attacking the hypervisor host operating system
Risk of New Security Attacks (2)

• Attacking the management console application
   – Exploiting the management console
   – Tampering with management commands, reporting data (VM rootkit),
     user interface, VM configuration, etc.
• Malicious use of VM management and configuration APIs
• Infecting VM file and memory images on disk
   – Virtual disk format is documented and public
   – Virtual disk files may not be protected:
      • Data is not encrypted
      • No access control policy
      • The host is infected with malware
• Insider attacks:
   – Data theft and leakage of virtual memory and disk image files
   – Tampering with VM configuration and operations
• Attacking the VM memory from the host: DMA attacks
Virtualization Challenges Traditional Security

• Security solutions are not ready for a hierarchy of mobile and dynamic VMs
  belonging to the same parent:
   – VM OS security software machine identifier no longer unique
   – Multiple identical reports and requests to the security cloud
   – Enterprise management console losing track of VMs
   – Misclassification of VM security state:
      • History of infections (when, what, how, etc.)
      • History of patch deployment
      • Deployment of local AV signatures
   – Worse with proactive behavioral protection systems
• Mobility of VMs allows malware to cross network boundaries
• Isolation from physical network:
   – Cross VM network traffic not leaving the virtual switch
   – Network identity of the VM is not present
   – IPS & Firewall missing routed VMs network traffic

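The identity problem on this slide (cloned VMs reporting under the security agent identifier their parent registered) is shown below in an added example that is not part of the original presentation and not McAfee code: the agent hashes the VM-level identifiers it can read at boot and re-registers when they no longer match its persisted record, and the console flags one agent id arriving with two different fingerprints. The record fields, the `Console` class and the sample UUID/MAC values are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HostFacts:
    """Per-VM identifiers an in-guest agent can read at boot.
    The values used below are constructed samples, not real hardware ids."""
    smbios_uuid: str   # BIOS UUID the hypervisor exposes to the guest
    primary_mac: str   # MAC of the first virtual NIC
    hostname: str      # survives cloning unchanged, so it is not enough alone


def vm_fingerprint(facts: HostFacts) -> str:
    """Stable digest of the identifiers. A clone normally receives a new BIOS
    UUID and MAC from the hypervisor, so its fingerprint differs from the
    parent's even though the disk (and the agent's config) is identical."""
    payload = json.dumps(facts.__dict__, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()[:16]


def agent_startup(stored: Optional[dict], facts: HostFacts) -> dict:
    """Decide at agent start which identity to report with.

    `stored` is the identity record persisted on the (possibly cloned) disk;
    None means a first boot. Returns the record to persist and report."""
    fp = vm_fingerprint(facts)
    if stored is None:
        return {"agent_id": "agent-" + fp, "fingerprint": fp, "status": "registered"}
    if stored["fingerprint"] == fp:
        return {**stored, "status": "ok"}
    # The disk came from another VM (clone or snapshot restore): drop the
    # inherited id so two machines never share one security state record.
    return {"agent_id": "agent-" + fp, "fingerprint": fp,
            "status": "reregistered", "parent_agent_id": stored["agent_id"]}


@dataclass
class Console:
    """Management-console side: one agent id must map to one fingerprint."""
    seen: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def ingest(self, report: dict) -> str:
        aid, fp = report["agent_id"], report["fingerprint"]
        known = self.seen.setdefault(aid, fp)
        if known != fp:
            self.alerts.append(f"{aid} reported by fingerprints {known} and {fp}")
            return "clone-suspected"
        return "accepted"


if __name__ == "__main__":
    # Constructed sample VMs: same disk image, different hypervisor-assigned ids.
    parent = HostFacts("4c4c4544-0000-4d10-8053-b4c04f000001", "00:50:56:00:00:01", "web01")
    clone = HostFacts("4c4c4544-0000-4d10-8053-b4c04f000002", "00:50:56:00:00:02", "web01")
    rec = agent_startup(None, parent)
    print(agent_startup(rec, clone)["status"])        # reregistered
    console = Console()
    console.ingest(rec)
    # A legacy agent that never re-checks would report the clone under the parent's id:
    print(console.ingest({"agent_id": rec["agent_id"],
                          "fingerprint": vm_fingerprint(clone)}))  # clone-suspected
```

The fingerprint is only as stable as the hypervisor makes those identifiers: a clone created with a copied BIOS UUID and MAC would still collide, which is why the console-side check is kept as a second line of defense rather than trusting the agent alone.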
Virtualization Opens New Avenues to Security

• Hypervisor controls physical resources underneath the OS
• Extending hypervisor to allow security software to control & secure:
   – Memory: read, write and execute
   – CPU: context switching, memory mapping, debugging
   – I/O devices: Network, Graphics, Disk, Removable Devices
• Security software living outside the OS away from its enemy
• Securing VM image files:
   – Encryption, access control, offline AV scanning, patches
• Security as an extension to virtualization infrastructure:
   – Leveraging virtual storage to support black and white listing
   – Leveraging virtual network switch to add IPS / Firewall capabilities
• Case example: VMSafe
   – Presenter privileged to be co-designer of VMSafe CPU / Memory
   – Two flavors: (Covered in next slides)
      • Memory & CPU security
      • Network security
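To make the bullet "control & secure memory: read, write and execute" concrete, here is an added example that models the kind of policy a dedicated security VM could register with the hypervisor for guest-physical page ranges, and applies it to a constructed trace of intercepted accesses. It is not VMsafe's actual interface (which the slides do not document) and not McAfee code; the region names, addresses, `rwx` permission strings and the trace labels are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAGE = 0x1000


@dataclass(frozen=True)
class Region:
    """A guest-physical page range the security VM wants the hypervisor to
    enforce permissions on. `perms` is the subset of "rwx" the guest may do."""
    name: str
    start: int
    size: int
    perms: str


@dataclass
class MemoryPolicy:
    """Policy evaluated outside the guest: the guest kernel's own page tables
    are never consulted, so a compromised kernel cannot relax it."""
    regions: List[Region]
    violations: List[Tuple[str, int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        for r in self.regions:
            if r.start % PAGE or r.size % PAGE or r.size == 0:
                raise ValueError(f"{r.name}: range must be page aligned and non-empty")
            if set(r.perms) - set("rwx"):
                raise ValueError(f"{r.name}: unknown permission in {r.perms!r}")
            if "w" in r.perms and "x" in r.perms:
                # Refuse W+X: a page the guest may both write and execute
                # defeats the point of protecting code from inside the guest.
                raise ValueError(f"{r.name}: writable and executable")
        spans = sorted((r.start, r.start + r.size, r.name) for r in self.regions)
        for (s1, e1, n1), (s2, e2, n2) in zip(spans, spans[1:]):
            if s2 < e1:
                raise ValueError(f"{n1} overlaps {n2}")

    def region_for(self, gpa: int) -> Optional[Region]:
        for r in self.regions:
            if r.start <= gpa < r.start + r.size:
                return r
        return None

    def check(self, gpa: int, access: str) -> bool:
        """Decision for one intercepted access ('r', 'w' or 'x') at guest-physical
        address `gpa`. Pages outside every region stay under guest control."""
        region = self.region_for(gpa)
        if region is None:
            return True
        if access in region.perms:
            return True
        self.violations.append((region.name, gpa, access))
        return False


def run_trace(policy: MemoryPolicy,
              trace: List[Tuple[str, int, str]]) -> List[Tuple[str, bool]]:
    """Apply the policy to (label, gpa, access) events; returns each label with
    the allow (True) / deny (False) decision the hypervisor would enforce."""
    return [(label, policy.check(gpa, access)) for label, gpa, access in trace]


def build_policy() -> MemoryPolicy:
    # Constructed layout (assumed addresses, not any real kernel's).
    return MemoryPolicy([
        Region("kernel_text", 0x0010_0000, 0x0030_0000, "rx"),
        Region("ssdt",        0x0040_0000, PAGE,        "r"),   # syscall table
        Region("agent_code",  0x0080_0000, 0x0001_0000, "rx"),  # in-guest agent
        Region("agent_data",  0x0081_0000, 0x0001_0000, "rw"),
    ])


SAMPLE_TRACE = [  # constructed events as a hypervisor might intercept them
    ("kernel reads ssdt entry",        0x0040_0010, "r"),
    ("driver executes kernel code",    0x0010_2000, "x"),
    ("patch ssdt entry",               0x0040_0010, "w"),   # rootkit-style hook
    ("overwrite kernel text",          0x0010_2000, "w"),
    ("execute from agent data",        0x0081_0000, "x"),
    ("write to unprotected heap page", 0x0200_0000, "w"),
]

if __name__ == "__main__":
    policy = build_policy()
    for label, ok in run_trace(policy, SAMPLE_TRACE):
        print(f"{'allow' if ok else 'DENY '}  {label}")
    print(policy.violations)
```

The point of the model is that the decision depends only on data the security VM holds; the `violations` list is the event feed such a VM would hand to its detection logic, and the W+X and overlap checks at registration time are what stop a badly formed policy from silently leaving a hole.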
VMsafe CPU/Memory Dedicated Security VM

• Protection of memory and processor operations
VMSafe Network Filtering
Enterprise Virtual Firewall / NIPS

[Diagram with two panels, each showing the "Virtual World" on a VMware ESX physical server hosting web servers on LAN 1 and database servers on LAN 2.
Left panel, physical network firewall: both LANs share one vSwitch and leave the server through physical NIC1 and NIC2 to a physical network firewall, which inspects inter-LAN traffic as well as inbound/outbound traffic to other networks.
Right panel, secure firewall virtual appliance: LAN 1 sits on vSwitch1 and LAN 2 on vSwitch2; vNic 1 and vNic2 connect both to the secure firewall virtual appliance, which sits on vSwitch0 in front of the physical NIC and the network firewall (virtualized or not virtualized) leading to other networks. All traffic entering or leaving the virtual environment goes through the firewall, as well as inter-LAN traffic.]
Expected Growth of VMSafe

• Protection over all virtualized devices
VMsafe CPU/Memory Has Its Own Challenges

• Performance due to VM context switching
• Stability of guest OS due to trigger-processing latency
• Loss of guest OS context
• Potential solution: using an in-guest kernel-mode security agent
   – VMsafe can protect the agent code
   – Agent relies on OS for event tracking & control
   – Malware may attack OS components used by the agent
• Only Linux is supported as the OS inside the protecting VM
Short Note on Virtual Applications Security

• Known challenges:
   – Application virtualization layer hiding applications’ operations entirely
   – AV/HIPS does not see virtual application file activities
   – Proactive behavioral analysis misses application operations
   – Mobility of application virtual images allows malware to extend its reach
• New opportunities for security:
   – Security deeply integrated into the apps virtualization layer
   – Enforcing security policy aside from the OS
Part 1 Conclusions

• Virtualization imposes new security risks and challenges
   – New avenues for malware to infect corporate networks and infrastructure
   – Mobility of virtual images is a major security issue
   – Configuration and auditing of VMs is problematic
   – Challenges to legacy security systems
• Virtualization provides new opportunities to security
   – Security underneath and on top of the OS
   – Security away from the enemy
   – Security controlling CPU and memory
   – Security controlling I/O resources: storage, network, audio and graphics

• Virtualization and security: both need each other
Security and the Cloud
Ken Owens
Vice President Security and Virtualization Technology
September 2009
Part 2

SECURING THE VIRTUAL INFRASTRUCTURE

Savvis Proprietary & Confidential – INTERNAL USE ONLY   18
“Be Careful Up There!”

      • Concerns about cloud computing security abound:
             – “The cloud is fraught with security risks…” InfoWorld
             – “Analysts warn that the cloud is becoming particularly attractive
               to cyber crooks.” – ComputerWeekly
             – “Corporate use of cloud services slowed by concerns about data
               security, reliability” – Computerworld
             – “Privacy, security issues darken cloud computing plans” – IDG
             – "Cloud computing sounds so sweet and wonderful and safe...
               we should just be aware of the terminology, if we go around
               for a week calling it swamp computing I think you might
               have the right mindset." – Ron Rivest, co-founder, RSA
             – “It is a security nightmare and it can't be handled in traditional
               ways." – John Chambers, CEO, Cisco


Security Tops Cloud Concerns

[Chart: survey of cloud computing concerns, with security ranked first. Source: IDC, 2009]
Not All Clouds are the Same

      • Multiple models. Multiple vendors. Multiple policies
             – Each cloud provider takes a different approach to security
             – No official security industry-standard has been ratified
             – Most cloud providers (including Amazon EC2) do not allow
               vulnerability scanning
             – Many cloud providers are not forthcoming about their security
               architectures and policies
             – Compliance auditors are wary of the cloud, and are awaiting
               guidelines on audit testing procedures




What the Industry Is Doing
      • Several initiatives are underway
             – DMTF
                   ◦ The Distributed Management Task Force (DMTF), the organization bringing the IT industry
                     together to collaborate on systems management standards development, validation,
                     promotion and adoption, today announced that it has formed a group dedicated to
                     addressing the need for open management standards for cloud computing.
                     The "Open Cloud Standards Incubator" will work to develop a set of informational
                     specifications for cloud resource management
             – Cloud Security Alliance
                   ◦ A non-profit organization formed to promote the use of standardized practices for providing
                     security assurance within cloud computing
             – Center for Internet Security
                   ◦ A non-profit enterprise whose mission is to help organizations reduce risk resulting from
                     inadequate technical security controls
             – PCI Security Standards Council
                   ◦ Has created a special interest group (SIG) to help shape requirements for virtual-
                     and cloud-based cardholder-data environments
             – NIST
                   ◦ The National Institute of Standards and Technology has created a new team to determine
                     the best way to provide security for agencies that want to adopt the emerging technology
                     called cloud computing. Publication to be issued in 2009.
             – VMware
                   ◦ Has issued guidelines for securing VM configurations
Security Design Considerations

      • Integrated Cloud Security
             – Cloud environments provide limited visibility to inter-VM traffic flows
             – Specific architecture and configuration decisions
                   ◦ Physical Segmentation
                   ◦ Integrated (vmSafe) Security

      • Cloud Burst Security
             – Security Policies
             – Baseline information

      • Compliance Concerns
             – Auditing events
             – VM Mobility

      • Defense in Depth
             – Continue to leverage proven security strategies
Reference Architecture

[Diagram: Savvis reference architecture; its eight elements are described on the following slides]
Reference Architecture

      1. Security profile per compute profile
             –     Corporate security policy and server tier firewall rules that are defined
                   within a vApp need to be communicated to the service provider
             –     This should include corporate server security patch levels, anti-virus
                   status, and file level access restrictions

      2. Security DMZ for vApp
             –     The service provider needs to validate the patch level and security level
                   prior to bringing a vApp into their production environment

      3. OS Management
             –     It is important to understand the security hardening the service provider
                   performs around their library of OSs and their patching policies
             –     VMs that are not at the correct patch level need to be updated to the
                   correct patch level, through a DMZ for example

      4. Resource Management
             –     The service provider needs to separate and isolate the resources
                   each customer VM uses from other customers’ VM resources to prevent
                   DDoS attacks
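Items 1 to 3 above (a compute security profile communicated to the provider, a security DMZ that validates it, and patch levels checked against the provider's OS library) can be expressed as one admission check. The following is an added example, not Savvis tooling and not a real vApp format: the profile structure, the baseline values, the verdict names and the sample vApps are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProviderBaseline:
    """What the provider's security DMZ requires before a vApp moves to
    production. Values are constructed for the example."""
    min_patch_level: Dict[str, int]   # OS in provider library -> minimum cumulative patch level
    max_av_signature_age_days: int
    allowed_inbound_ports: Set[int]   # ports a server-tier firewall rule may open


@dataclass
class AdmissionResult:
    verdict: str                      # "admit", "remediate" (route via patch DMZ) or "reject"
    findings: List[str] = field(default_factory=list)


def evaluate_vapp(vapp: dict, baseline: ProviderBaseline) -> AdmissionResult:
    """Validate each VM's declared security profile against the baseline.
    Patch and AV gaps are fixable in the DMZ; an OS the provider cannot
    manage or a firewall rule outside perimeter policy is not."""
    findings: List[str] = []
    reject = False
    for vm in vapp["vms"]:
        name, os_name = vm["name"], vm["os"]
        minimum = baseline.min_patch_level.get(os_name)
        if minimum is None:
            findings.append(f"{name}: OS {os_name!r} is not in the provider library")
            reject = True
            continue
        if vm["patch_level"] < minimum:
            findings.append(f"{name}: patch level {vm['patch_level']} below minimum {minimum}")
        if vm["av_signature_age_days"] > baseline.max_av_signature_age_days:
            findings.append(f"{name}: AV signatures {vm['av_signature_age_days']} days old")
        for rule in vm.get("firewall_rules", []):
            if rule["direction"] == "inbound" and rule["port"] not in baseline.allowed_inbound_ports:
                findings.append(f"{name}: inbound port {rule['port']} not permitted for this tier")
                reject = True
    if reject:
        return AdmissionResult("reject", findings)
    if findings:
        return AdmissionResult("remediate", findings)
    return AdmissionResult("admit", findings)


# Constructed baseline and vApps (not real provider values).
BASELINE = ProviderBaseline(
    min_patch_level={"win2008": 12, "rhel5": 30},
    max_av_signature_age_days=7,
    allowed_inbound_ports={80, 443, 3306},
)

WEB_TIER = {"name": "tier-web", "vms": [
    {"name": "web01", "os": "win2008", "patch_level": 12, "av_signature_age_days": 1,
     "firewall_rules": [{"direction": "inbound", "port": 443}]},
]}

DB_TIER = {"name": "tier-db", "vms": [
    {"name": "db01", "os": "rhel5", "patch_level": 27, "av_signature_age_days": 12,
     "firewall_rules": [{"direction": "inbound", "port": 3306}]},
]}

LEGACY_TIER = {"name": "tier-legacy", "vms": [
    {"name": "app01", "os": "win2003", "patch_level": 5, "av_signature_age_days": 2},
    {"name": "app02", "os": "win2008", "patch_level": 12, "av_signature_age_days": 2,
     "firewall_rules": [{"direction": "inbound", "port": 23}]},
]}

if __name__ == "__main__":
    for vapp in (WEB_TIER, DB_TIER, LEGACY_TIER):
        result = evaluate_vapp(vapp, BASELINE)
        print(vapp["name"], result.verdict, *result.findings, sep="\n  ")
```

The three-way verdict mirrors the slide: "remediate" is the case item 3 describes, where a VM is held in the DMZ until it reaches the required patch level, while "reject" covers what the provider cannot fix on the customer's behalf.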
Reference Architecture

      5. Security Authentication, Authorization, and Auditing
             –     Cloud service provider environments should provide tight integration
                   with enterprise policies around individual and group access,
                   authentication, and auditing (AAA) policies
             –     This involves integration of corporate directories and group policies with
                   the service providers to ensure adequate access policies are enforced.
                   Service providers should offer stronger authentication methods, 2-factor
                   hard or soft tokens or certificates, to enterprises that are leveraging a
                   cloud provider

      6. Identity Management (SSO, Entitlements)
             –     Cloud environments should require control over user access
             –     Cloud providers must define a VM identity that ties each VM to an asset
                   identity within the service provider infrastructure
             –     Based upon this identity, service providers are able to assign user, role,
                   and privilege access within the extended infrastructure to provide role-
                   based access controls
             –     Enterprises also want to prevent unauthorized cloning or copying of the
                   data on a VM to a USB device or CD. Service providers can prevent the
                   VM from being cloned or copied by utilizing a combination of the VM
                   identity and server configuration management policies

Reference Architecture

      7. Security profile per network
             –     In addition to the vApp having a compute security profile, there should
                   also be a network security profile to ensure perimeter and web access
                   security functionality
             –     Enterprises need to ensure that service providers implement separate
                   management networks and data networks per customer
             –     Service providers should have a separate network for vMotion and
                   vmSafe. Enterprises should request service providers to encrypt all
                   management traffic, including vMotion events
             –     Enterprises should require encryption of their data packets via SSL/IPSec
                   and of management connectivity via SSL or SSH

      8. Data Security
             –     Enterprises should request service providers to provide access paths to
                   only the physical servers that must have access to maintain the desired
                   functionality
             –     Service providers should accomplish this through the use of zoning via
                   SAN N-Port ID virtualization (NPIV), LUN masking, access lists, and
                   permission configurations

How to Define SLA for Security?

      • Security Policy SLAs
             – Firewall Rule Auditing
             – Firewall Change Request implementation SLA
             – Firewall log availability SLA

      • Patch Level SLAs
             – Time to patch SLAs
             – Remediation SLAs

      • Threat Management SLAs
             – Vulnerabilities against VM Asset Auditing
             – Threats detected and prevented SLAs

      • Availability SLAs

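The bullets above name SLA categories; to be enforceable each needs a measurable definition. The following added example (not a Savvis tool; the SLA thresholds, the ticket kinds and the ticket records are constructed assumptions) measures firewall change-request turnaround and time-to-patch from open/close timestamps, counts still-open tickets against the current time so overdue work surfaces before closure, and reports breaches and compliance per SLA.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed SLA thresholds in hours per ticket kind (constructed for the example).
SLA_HOURS = {
    "firewall_change": 24,   # change request implemented within one day
    "patch_critical": 72,    # critical vulnerability remediated within 3 days
    "patch_high": 168,       # high vulnerability remediated within 7 days
}


def elapsed_hours(opened: str, closed: Optional[str], now: str) -> float:
    """Hours from open to close; an open ticket is measured against `now`
    so that overdue work shows as a breach before it is closed."""
    end = datetime.fromisoformat(closed or now)
    return (end - datetime.fromisoformat(opened)) / timedelta(hours=1)


def measure_slas(tickets: List[dict], now: str) -> Dict[str, dict]:
    """Per SLA kind: total tickets, tickets that met the SLA, breach ids and
    compliance percentage. Tickets of an unknown kind cannot be measured and
    are reported under 'unclassified' as breaches so they are not lost."""
    report: Dict[str, dict] = {}
    for t in tickets:
        kind = t["kind"] if t["kind"] in SLA_HOURS else "unclassified"
        entry = report.setdefault(kind, {"total": 0, "met": 0, "breaches": []})
        entry["total"] += 1
        if kind == "unclassified":
            entry["breaches"].append(t["id"])
            continue
        hours = elapsed_hours(t["opened"], t.get("closed"), now)
        if hours <= SLA_HOURS[kind]:
            entry["met"] += 1
        else:
            entry["breaches"].append(t["id"])
    for entry in report.values():
        entry["compliance_pct"] = round(100.0 * entry["met"] / entry["total"], 1)
    return report


# Constructed ticket records, shaped like a ticketing-system export.
SAMPLE_TICKETS = [
    {"id": "FW-101", "kind": "firewall_change", "opened": "2009-09-01T09:00", "closed": "2009-09-01T17:30"},
    {"id": "FW-102", "kind": "firewall_change", "opened": "2009-09-02T08:00", "closed": "2009-09-04T08:00"},
    {"id": "VULN-7", "kind": "patch_critical", "opened": "2009-09-01T00:00", "closed": "2009-09-03T12:00"},
    {"id": "VULN-8", "kind": "patch_high", "opened": "2009-09-01T00:00"},   # still open, overdue
    {"id": "VULN-9", "kind": "patch_high", "opened": "2009-09-08T00:00"},   # still open, within SLA
]

if __name__ == "__main__":
    for kind, entry in measure_slas(SAMPLE_TICKETS, now="2009-09-10T00:00").items():
        print(kind, entry)
```

Measuring open tickets against the current time is the detail that makes the "time to patch" SLA useful for monitoring rather than only for after-the-fact reporting: VULN-8 is already a breach on 10 September even though nobody has closed it.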
How to Evaluate the Security Offering by a Cloud Partner?

      • The evaluation should be performed based on the following criteria:
             – Security profile per compute profile
             – Security DMZ per vApp
             – OS Management
             – Resource Management
             – Security profile per network
             – Data Security
             – Security Authentication, Authorization, and Auditing
             – Identity Management

Part 2 Conclusions

      1. Security tops the list of cloud concerns

      2. Not all cloud providers’ security capabilities are the same

      3. Define an acceptable level of risk

      4. Define measurable parameters that enable monitoring and
         assessment of the level of risk

      5. Evaluate cloud providers’ security offerings and controls
             – Security Capabilities
             – Measurable parameters (SLAs)
             – Reference Architecture

Thank You.




Savvis Proprietary & Confidential – INTERNAL USE ONLY   © 2009 Savvis, Inc. All rights reserved. Savvis® is the registered trademark of Savvis Communications Corporation.   31

Windows 8 Hyper-V: AvailabilityWindows 8 Hyper-V: Availability
Windows 8 Hyper-V: Availability
 
Network virtualization with open stack quantum
Network virtualization with open stack quantumNetwork virtualization with open stack quantum
Network virtualization with open stack quantum
 
Am 04 track1--salvatore orlando--openstack-apac-2012-final
Am 04 track1--salvatore orlando--openstack-apac-2012-finalAm 04 track1--salvatore orlando--openstack-apac-2012-final
Am 04 track1--salvatore orlando--openstack-apac-2012-final
 
OpenStack Quantum: Cloud Carrier Summit 2012
OpenStack Quantum: Cloud Carrier Summit 2012OpenStack Quantum: Cloud Carrier Summit 2012
OpenStack Quantum: Cloud Carrier Summit 2012
 
Quantum PTL Update - Grizzly Summit.pptx
Quantum PTL Update - Grizzly Summit.pptxQuantum PTL Update - Grizzly Summit.pptx
Quantum PTL Update - Grizzly Summit.pptx
 
Quantum grizzly summit
Quantum   grizzly summitQuantum   grizzly summit
Quantum grizzly summit
 
Quantum for Cloud Operators - Folsom Conference
Quantum for Cloud Operators  - Folsom Conference Quantum for Cloud Operators  - Folsom Conference
Quantum for Cloud Operators - Folsom Conference
 
Windows Server 2012 Hyper-V Networking Evolved
Windows Server 2012 Hyper-V Networking Evolved Windows Server 2012 Hyper-V Networking Evolved
Windows Server 2012 Hyper-V Networking Evolved
 
Quantum Folsom Summit Developer Overview
Quantum Folsom Summit Developer OverviewQuantum Folsom Summit Developer Overview
Quantum Folsom Summit Developer Overview
 
Openstack Networking Internals - first part
Openstack Networking Internals - first partOpenstack Networking Internals - first part
Openstack Networking Internals - first part
 
Secure Multi Tenant Cloud with OpenContrail
Secure Multi Tenant Cloud with OpenContrailSecure Multi Tenant Cloud with OpenContrail
Secure Multi Tenant Cloud with OpenContrail
 
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSXOVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
 
OpenStack Quantum Intro (OS Meetup 3-26-12)
OpenStack Quantum Intro (OS Meetup 3-26-12)OpenStack Quantum Intro (OS Meetup 3-26-12)
OpenStack Quantum Intro (OS Meetup 3-26-12)
 
Network Virtualization with quantum
Network Virtualization with quantum Network Virtualization with quantum
Network Virtualization with quantum
 
Open stack networking_101_update_2014-os-meetups
Open stack networking_101_update_2014-os-meetupsOpen stack networking_101_update_2014-os-meetups
Open stack networking_101_update_2014-os-meetups
 
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 2
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 2Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 2
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 2
 

Mais de Ahmed Sallam

RSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamRSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamAhmed Sallam
 
Intel vmcs-shadowing-paper
Intel vmcs-shadowing-paperIntel vmcs-shadowing-paper
Intel vmcs-shadowing-paperAhmed Sallam
 
Hosted Desktop and Evolution of Hardware Server Technologies-2015 Edition
Hosted Desktop and Evolution of Hardware Server Technologies-2015 EditionHosted Desktop and Evolution of Hardware Server Technologies-2015 Edition
Hosted Desktop and Evolution of Hardware Server Technologies-2015 EditionAhmed Sallam
 
Hosted desktop and evolution of hardware server technologies - 2015 edition
Hosted desktop and evolution of hardware server technologies - 2015 editionHosted desktop and evolution of hardware server technologies - 2015 edition
Hosted desktop and evolution of hardware server technologies - 2015 editionAhmed Sallam
 
Hosted desktops and server evolution technologies - 2014 Edition
Hosted desktops and server evolution technologies - 2014 EditionHosted desktops and server evolution technologies - 2014 Edition
Hosted desktops and server evolution technologies - 2014 EditionAhmed Sallam
 
The new era of mega trends securtity
The new era of mega trends securtityThe new era of mega trends securtity
The new era of mega trends securtityAhmed Sallam
 
Ahmed sallam technical_journey_1992_1999
Ahmed sallam technical_journey_1992_1999Ahmed sallam technical_journey_1992_1999
Ahmed sallam technical_journey_1992_1999Ahmed Sallam
 
Arm tech con 2014 slides - sallam-public
Arm tech con 2014   slides - sallam-publicArm tech con 2014   slides - sallam-public
Arm tech con 2014 slides - sallam-publicAhmed Sallam
 
An Analysis And Solution For The Problem Of Hidden Orphan Processes On Window...
An Analysis And Solution For The Problem Of Hidden Orphan Processes On Window...An Analysis And Solution For The Problem Of Hidden Orphan Processes On Window...
An Analysis And Solution For The Problem Of Hidden Orphan Processes On Window...Ahmed Sallam
 
Sans Mc Afee Pandel Slides
Sans Mc Afee Pandel SlidesSans Mc Afee Pandel Slides
Sans Mc Afee Pandel SlidesAhmed Sallam
 

Mais de Ahmed Sallam (10)

RSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamRSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallam
 
Intel vmcs-shadowing-paper
Intel vmcs-shadowing-paperIntel vmcs-shadowing-paper
Intel vmcs-shadowing-paper
 
Hosted Desktop and Evolution of Hardware Server Technologies-2015 Edition
Hosted Desktop and Evolution of Hardware Server Technologies-2015 EditionHosted Desktop and Evolution of Hardware Server Technologies-2015 Edition
Hosted Desktop and Evolution of Hardware Server Technologies-2015 Edition
 
Hosted desktop and evolution of hardware server technologies - 2015 edition
Hosted desktop and evolution of hardware server technologies - 2015 editionHosted desktop and evolution of hardware server technologies - 2015 edition
Hosted desktop and evolution of hardware server technologies - 2015 edition
 
Hosted desktops and server evolution technologies - 2014 Edition
Hosted desktops and server evolution technologies - 2014 EditionHosted desktops and server evolution technologies - 2014 Edition
Hosted desktops and server evolution technologies - 2014 Edition
 
The new era of mega trends securtity
The new era of mega trends securtityThe new era of mega trends securtity
The new era of mega trends securtity
 
Ahmed sallam technical_journey_1992_1999
Ahmed sallam technical_journey_1992_1999Ahmed sallam technical_journey_1992_1999
Ahmed sallam technical_journey_1992_1999
 
Arm tech con 2014 slides - sallam-public
Arm tech con 2014   slides - sallam-publicArm tech con 2014   slides - sallam-public
Arm tech con 2014 slides - sallam-public
 
An Analysis And Solution For The Problem Of Hidden Orphan Processes On Window...
An Analysis And Solution For The Problem Of Hidden Orphan Processes On Window...An Analysis And Solution For The Problem Of Hidden Orphan Processes On Window...
An Analysis And Solution For The Problem Of Hidden Orphan Processes On Window...
 
Sans Mc Afee Pandel Slides
Sans Mc Afee Pandel SlidesSans Mc Afee Pandel Slides
Sans Mc Afee Pandel Slides
 

VMWorld 2009 Presentation

Slide 1: TA3901 – Security and the Cloud
Ahmed Sallam, Senior Technologist, Software Architecture & Strategy, Chief Software Architect, McAfee
Ken Owens, Vice President Security and Virtualization Technology, Savvis
Slide 2: Security and Virtualization: What the Risks and Opportunities Are
Ahmed Sallam, Senior Technologist, Software Architecture & Strategy, Chief Software Architect
Slide 3: What The Session Is About
• This session examines two things:
  – Virtualization as a new system architecture layer:
    • Is it secure?
    • Is there malware targeting virtual environments?
    • Is it bad for security?
    • Can it be good for system security, and how?
    • Quick look into VMsafe, with more focus on VMsafe CPU/Memory
  – Securing the virtual infrastructure:
    • Security considerations for the cloud environment
    • Reference architecture
    • How to define an SLA for cloud security
    • How to evaluate the security offerings of cloud providers
Confidential McAfee Internal Use Only
Slide 4: Part 1: V12N (Virtualization) Security From a System Architecture Perspective
Slide 5: What Is Systems & Applications Virtualization?
• Decoupling of operating systems from the hardware via a VMM
• The hardware being:
  – CPU, memory, I/O (network, storage, graphics, audio, etc.)
• Operating systems run concurrently on top of the same hardware
• Core virtualization support in the processor:
  – CPUs support I/O and memory virtualization
  – Reducing the functionality and size of the hypervisor (VMM)
  – Control access to CPU, memory and I/O resources from underneath the OS
• Virtual images:
  – Entire computing environment in a file: memory, OS, applications, etc.
• Hypervisor provisioning: (a) on the fly, (b) persisted, (c) TXT & TPM
• Applications virtualization:
  – Decoupling of the OS from applications via virtual application images
  – OS and applications in separate virtual image files
  – Virtual application and OS delivered on the fly
• Virtual machine management, with the VM as the single unit of operations:
  – Snapshot, cloning, migration, powering on/off
• Does any of the above impose new security risks and/or challenges?
Slide 6: Risk of New Security Attacks (1)
• Malicious hypervisor (hyperjacker) attacks:
  – TXT not present (older systems) and/or disabled
  – Malicious hypervisor injected on the fly (web surfing, exploitation, local)
  – Worse if the hyperjacker boots first and supports nesting of hypervisors
• Malware attacking the virtual environment from within:
  – Malware can detect the virtual environment via:
    • Vendor's in-guest modules (processes, services, device drivers)
    • Changes to processor tables and behavior when virtualization is on
  – Attacking in-guest virtualization code
  – Infecting VM memory, registry and files to survive VM operations
  – Malicious hypercalls
• Attacking the hypervisor (Virtual Machine Monitor):
  – Remote exploitation
  – Attacking the hypervisor's host operating system
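Slide 6 says malware can recognise a virtual environment from changes to processor behavior when virtualization is on. The simplest such check on x86 is CPUID: hypervisors set bit 31 of ECX in leaf 1 (the "hypervisor present" bit, always 0 on bare metal) and answer leaf 0x40000000 with a 12-byte vendor signature in EBX:ECX:EDX. The C program below is an added illustration, not code from the original deck nor from McAfee or VMware. Its signature table holds the published vendor strings of common hypervisors; treat it as an assumption, because a hypervisor may be configured to hide the bit or report a different string, and the live probe compiles to a "not available" result on non-x86 targets.

```c
/* Added example: in-guest hypervisor detection via CPUID, the technique
 * slide 6 attributes to VM-aware malware. Not part of the original deck. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>          /* GCC/clang: __get_cpuid(), __cpuid() */
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0        /* live probe is a no-op off x86 */
#endif

#define CPUID_HV_PRESENT_BIT (1u << 31)   /* leaf 1, ECX bit 31 */
#define CPUID_HV_LEAF        0x40000000u  /* hypervisor vendor leaf */

/* Write one 32-bit register as 4 little-endian bytes (CPUID string order). */
static void put_le32(char *out, uint32_t reg)
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((reg >> (8 * i)) & 0xffu);
}

/* Decode the EBX:ECX:EDX signature of leaf 0x40000000 into a C string. */
void hv_vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    put_le32(out, ebx);
    put_le32(out + 4, ecx);
    put_le32(out + 8, edx);
    out[12] = '\0';
}

/* Map a 12-byte signature to a product name. Assumption: the table lists
 * the documented default strings; a hypervisor may present something else. */
const char *hv_vendor_name(const char sig[12])
{
    static const struct { const char *sig; const char *name; } known[] = {
        { "VMwareVMware",      "VMware" },
        { "KVMKVMKVM\0\0\0",   "KVM" },            /* 9 chars + 3 NUL bytes */
        { "Microsoft Hv",      "Microsoft Hyper-V" },
        { "XenVMMXenVMM",      "Xen" },
        { "VBoxVBoxVBox",      "VirtualBox" },
        { "TCGTCGTCGTCG",      "QEMU (TCG)" },
        { "bhyve bhyve ",      "bhyve" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (memcmp(sig, known[i].sig, 12) == 0)
            return known[i].name;
    return "unknown";
}

/* Live probe. Returns 1 if the hypervisor-present bit is set (vendor filled
 * in), 0 if it is clear, -1 if CPUID is not available on this build target. */
int detect_hypervisor(char vendor[13])
{
    vendor[0] = '\0';
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!(ecx & CPUID_HV_PRESENT_BIT))
        return 0;
    /* __get_cpuid() refuses leaves above the basic maximum, so query the
     * vendor leaf directly; it is only meaningful once the bit was set. */
    __cpuid(CPUID_HV_LEAF, eax, ebx, ecx, edx);
    hv_vendor_from_regs(ebx, ecx, edx, vendor);
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    char vendor[13];
    int r = detect_hypervisor(vendor);
    if (r < 0)
        puts("CPUID not available on this build target");
    else if (r == 0)
        puts("hypervisor-present bit clear: bare metal, or a hypervisor hiding it");
    else
        printf("hypervisor present, signature \"%s\" -> %s\n",
               vendor, hv_vendor_name(vendor));
    return 0;
}
```

The check is dual-use: an in-guest security agent can run the same probe to decide whether a hypervisor-side control such as VMsafe is available, and malware runs it to decide whether to stay dormant in an analysis VM. Because a hypervisor can hide the bit (and a clear bit therefore proves nothing), the deck's second tell, vendor in-guest modules, remains necessary for either side.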
Slide 7: Risk of New Security Attacks (2)
• Attacking the management console application:
  – Exploiting the management console
  – Tampering with management commands, reporting data (VM rootkit), user interface, VM configuration, etc.
• Malicious use of VM management and configuration APIs
• Infecting VM file and memory images on disk:
  – Virtual disk formats are documented and public
  – Virtual disk files may not be protected:
    • Data is not encrypted
    • No access control policy
    • The host is infected with malware
• Insider attacks:
  – Data theft and leakage of virtual memory and disk image files
  – Tampering with VM configuration and operations
• Attacking VM memory from the host: DMA attacks
Slide 8: Virtualization Challenges Traditional Security
• Security solutions are not ready for a hierarchy of mobile, dynamic VMs derived from the same parent image:
  – The machine identifier used by in-VM security software is no longer unique
  – Multiple identical reports and requests to the security cloud
  – Enterprise management console losing track of VMs
  – Misclassification of VM security state:
    • History of infections (when, what, how, etc.)
    • History of patch deployment
    • Deployment of local AV signatures
  – Worse with proactive behavioral protection systems
• Mobility of VMs allows malware to cross network boundaries
• Isolation from the physical network:
  – Cross-VM network traffic never leaves the virtual switch
  – The network identity of the VM is not present
  – IPS and firewall miss network traffic routed between VMs
Slide 9: Virtualization Opens New Avenues to Security
• The hypervisor controls physical resources underneath the OS
• Extending the hypervisor to allow security software to control and secure:
  – Memory: read, write and execute
  – CPU: context switching, memory mapping, debugging
  – I/O devices: network, graphics, disk, removable devices
• Security software living outside the OS, away from its enemy
• Securing VM image files:
  – Encryption, access control, offline AV scanning, patches
• Security as an extension of the virtualization infrastructure:
  – Leveraging virtual storage to support black- and whitelisting
  – Leveraging the virtual network switch to add IPS / firewall capabilities
• Case example: VMsafe
  – The presenter was a co-designer of VMsafe CPU/Memory
  – Two flavors (covered in the next slides):
    • Memory & CPU security
    • Network security
Slide 10: VMsafe CPU/Memory, Dedicated Security VM (diagram)
• Protection of memory and processor operations
Slide 11: VMsafe Network Filtering (diagram): Enterprise Virtual Firewall / NIPS
[Diagram; recovered labels only] The "Virtual World": two physical servers, each running VMware ESX with web servers on LAN 1 (vSwitch1, vNIC1) and database servers on LAN 2 (vSwitch2, vNIC2), a Secure Firewall Virtual Appliance, vSwitch0 and physical NIC1/NIC2. Annotation: all traffic entering/leaving the virtual environment goes through the firewall, as well as inter-LAN traffic. Outside the hosts: a physical network firewall (virtualized or not virtualized) in front of other networks. Annotation: the network firewall inspects inter-LAN traffic as well as inbound/outbound traffic.
Slide 12: Expected Growth of VMsafe (diagram)
• Protection over all virtualized devices
Slide 13: VMsafe CPU/Memory Has Its Own Challenges
• Performance, due to VM context switching
• Stability of the guest OS, due to latency in processing triggers
• Loss of guest OS context
• Potential solution: an in-guest kernel-mode security agent
  – VMsafe can protect the agent code
  – The agent relies on the OS for event tracking and control
  – Malware may attack the OS components the agent uses
• Only Linux is supported as the OS inside the protecting (security) VM
Slide 14: Short Note on Virtual Applications Security
• Known challenges:
  – The application virtualization layer hides the applications' operations entirely
  – AV/HIPS does not see virtual application file activity
  – Proactive behavioral analysis misses application operations
  – Mobility of application virtual images allows malware to extend its reach
• New opportunities for security:
  – Security deeply integrated into the application virtualization layer
  – Enforcing security policy independently of the OS
Slide 15: Part 1 Conclusions
• Virtualization imposes new security risks and challenges:
  – New avenues for malware to infect corporate networks and infrastructure
  – Mobility of virtual images is a major security issue
  – Configuration and auditing of VMs is problematic
  – Challenges to legacy security systems
• Virtualization provides new opportunities for security:
  – Security underneath and on top of the OS
  – Security away from the enemy
  – Security controlling CPU and memory
  – Security controlling I/O resources: storage, network, audio and graphics
• Virtualization and security: each needs the other
Slide 16: (image only, no text)
Slide 17: Security and the Cloud
Ken Owens, Vice President Security and Virtualization Technology
September 2009
Slide 18: Part 2: Securing the Virtual Infrastructure
Savvis Proprietary & Confidential – INTERNAL USE ONLY
Slide 19: “Be Careful Up There!”
• Concerns about cloud computing security abound:
  – “The cloud is fraught with security risks…” – InfoWorld
  – “Analysts warn that the cloud is becoming particularly attractive to cyber crooks.” – ComputerWeekly
  – “Corporate use of cloud services slowed by concerns about data security, reliability” – Computerworld
  – “Privacy, security issues darken cloud computing plans” – IDG
  – "Cloud computing sounds so sweet and wonderful and safe... we should just be aware of the terminology, if we go around for a week calling it swamp computing I think you might have the right mindset." – Ron Rivest, co-founder, RSA
  – “It is a security nightmare and it can't be handled in traditional ways." – John Chambers, CEO, Cisco
Slide 20: Security Tops Cloud Concerns (chart; source: IDC, 2009)
Slide 21: Not All Clouds Are the Same
• Multiple models. Multiple vendors. Multiple policies.
  – Each cloud provider takes a different approach to security
  – No official security industry standard has been ratified
  – Most cloud providers (including Amazon EC2) do not allow vulnerability scanning
  – Many cloud providers are not forthcoming about their security architectures and policies
  – Compliance auditors are wary of the cloud and are awaiting guidelines on audit testing procedures
Slide 22: What the Industry Is Doing
• Several initiatives are underway:
  – DMTF
    ◦ The Distributed Management Task Force (DMTF), the organization bringing the IT industry together to collaborate on systems management standards development, validation, promotion and adoption, announced that it has formed a group dedicated to addressing the need for open management standards for cloud computing. The "Open Cloud Standards Incubator" will work to develop a set of informational specifications for cloud resource management.
  – Cloud Security Alliance
    ◦ A non-profit organization formed to promote the use of standardized practices for providing security assurance within cloud computing
  – Center for Internet Security
    ◦ A non-profit enterprise whose mission is to help organizations reduce risk resulting from inadequate technical security controls
  – PCI Security Standards Council
    ◦ Has created a special interest group (SIG) to help shape requirements for virtual- and cloud-based cardholder-data environments
  – NIST
    ◦ The National Institute of Standards and Technology has created a new team to determine the best way to provide security for agencies that want to adopt the emerging technology called cloud computing. Publication to be issued in 2009.
  – VMware
    ◦ Has issued guidelines for securing VM configurations
Slide 23: Security Design Considerations
• Integrated cloud security
  – Cloud environments provide limited visibility into inter-VM traffic flows
  – Specific architecture and configuration decisions:
    ◦ Physical segmentation
    ◦ Integrated (VMsafe) security
• Cloud burst security
  – Security policies
  – Baseline information
• Compliance concerns
  – Auditing events
  – VM mobility
• Defense in depth
  – Continue to leverage proven security strategies
Slide 24: Reference Architecture (diagram)
Slide 25: Reference Architecture
1. Security profile per compute profile
   – Corporate security policy and server-tier firewall rules that are defined within a vApp need to be communicated to the service provider
   – This should include corporate server security patch levels, anti-virus status, and file-level access restrictions
2. Security DMZ for vApp
   – The service provider needs to validate the patch level and security level before bringing a vApp into its production environment
3. OS management
   – It is important to understand the security hardening the service provider performs around its library of OSes and its patching policies
   – VMs that are not at the correct patch level need to be brought to the correct patch level, for example through a DMZ
4. Resource management
   – The service provider needs to separate and isolate the resources each customer VM uses from other customers' VM resources to prevent DDoS attacks
Slide 26: Reference Architecture (continued)
5. Security authentication, authorization, and auditing
   – Cloud service provider environments should provide tight integration with enterprise policies around individual and group access, authentication, and auditing (AAA)
   – This involves integrating corporate directories and group policies with the service provider's to ensure adequate access policies are enforced. Service providers should offer stronger authentication methods (two-factor hard or soft tokens, or certificates) to enterprises that are leveraging a cloud provider
6. Identity management (SSO, entitlements)
   – Cloud environments should require control over user access
   – Cloud providers must define a VM identity that ties each VM to an asset identity within the service provider infrastructure
   – Based upon this identity, service providers are able to assign user, role, and privilege access within the extended infrastructure to provide role-based access controls
   – Enterprises also want to prevent unauthorized cloning or copying of the data on a VM to a USB device or CD. Service providers can prevent the VM from being cloned or copied by combining the VM identity with server configuration management policies
Slide 27: Reference Architecture (continued)
7. Security profile per network
   – In addition to the vApp having a compute security profile, there should also be a network security profile to ensure perimeter and web access security functionality
   – Enterprises need to ensure that service providers implement separate management networks and data networks per customer
   – Service providers should have a separate network for vMotion and VMsafe. Enterprises should request that service providers encrypt all management traffic, including vMotion events
   – Enterprises should require encryption of their data packets via SSL/IPsec, and of management connectivity via SSL or SSH
8. Data security
   – Enterprises should request that service providers provide access paths only to the physical servers that must have access to maintain the desired functionality
   – Service providers should accomplish this through SAN zoning with N-Port ID Virtualization (NPIV), LUN masking, access lists, and permission configurations
Slide 28: How to Define SLAs for Security?
• Security policy SLAs
  – Firewall rule auditing
  – Firewall change request implementation SLA
  – Firewall log availability SLA
• Patch level SLAs
  – Time-to-patch SLAs
  – Remediation SLAs
• Threat management SLAs
  – Auditing of vulnerabilities against VM assets
  – Threats detected and prevented SLAs
• Availability SLAs
Slide 29: How to Evaluate the Security Offering of a Cloud Partner?
• The evaluation should be performed against the following criteria:
  – Security profile per compute profile
  – Security DMZ per vApp
  – OS management
  – Resource management
  – Security profile per network
  – Data security
  – Security authentication, authorization, and auditing
  – Identity management
Slide 30: Part 2 Conclusions
1. Security tops the list of cloud concerns
2. Not all cloud providers' security capabilities are the same
3. Define an acceptable level of risk
4. Define measurable parameters that enable monitoring and assessment of the level of risk
5. Evaluate cloud providers' security offerings and controls:
   – Security capabilities
   – Measurable parameters (SLAs)
   – Reference architecture
Slide 31: Thank You.
© 2009 Savvis, Inc. All rights reserved. Savvis® is the registered trademark of Savvis Communications Corporation.