Bernie Trudel, Cloud CTO, Cisco Asia Pacific · 2012. 7. 9. · Service Delivery Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

25 pages

Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Bernie Trudel Cloud CTO, Cisco Asia Pacific

Posted 08-Oct-2020


Page 1:

Bernie Trudel

Cloud CTO, Cisco Asia Pacific

Page 2:

Bernie Trudel

Cloud CTO, Cisco Asia Pacific

Page 3:

• Explosion in data, services, and growth of internet usage

  - Broadband

  - Video, voice over IP

• Technology tipping point: Moore’s Law driving down cost

  - Warehouse scale data centers

  - Virtualization + automation

• Mobile and Wireless: Anytime, any device

  - Smart, IP-connected devices

Page 4:

Anywhere, Anyone, Any Service (Source: Cisco IBSG)

IT resources and services that are abstracted from the underlying infrastructure and provided “On Demand” and “At Scale” in a multitenant and elastic environment. (Source: The 451 Group ICE)

Page 5:

Visual Model of NIST’s Definition of Cloud Computing

Pro’s & Cons

Deployment Models: Public, Private, Hybrid, Community

Service Delivery Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

Essential Characteristics: On-Demand Self Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service

Source: http://blogs.zdnet.com/Hinchcliffe and http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html

Page 6:

Cloud Security Alliance – major players

Standards and industry bodies shown: DMTF, OGF, ITU-T, CSA, SNIA, CCIF, IEEE, IETF, ISOC, CloudAudit, MEF, NCOIC, OCC, OCM, TMF, OASIS, ISO

Page 7:

Security Is Shared

The slide shows the layer stack for each service delivery model, with the Consumer and Provider responsibility labels as they appear on the slide:

• IaaS: Data; OS & Applications; VMs/Containers; APIs; Core connectivity; Abstraction; Hardware; Facilities (labels: Consumer, Provider)

• PaaS: Data; OS & Applications; Integration and middleware; APIs; Core connectivity; Abstraction; Hardware; Facilities (label: Provider)

• SaaS: Applications; Data; Integration and middleware; APIs; Core connectivity; Abstraction; Hardware; Facilities (label: Provider); Metadata; Content; APIs; Presentation modality; Presentation platform (label: Consumer)

Page 8:

• Data location and ownership

• Shared infrastructure requires granular access control

• Jumping over the regulatory requirements bar

• Aligning security policies: cloud service and internal

• What security knowledge, skills and clearance are required of personnel?

• What are the DR attributes for the cloud service?

• What CIA controls are in place for the cloud service?

• Is security part of the negotiated Service Level Agreement?

• Security incident procedure: disclosure and resolution

• Contingencies for cloud service provider failure

Page 9:

Security responsibilities by service delivery model:

• IT Security Operations: Background checks, access monitoring; Vulnerability alerts, patching; Compliance requirements; Disaster recovery

• Infrastructure as a Service (IaaS): Threat defense; Multitenancy security; Protection against distributed denial-of-service (DDoS) attacks; Change management, separation of duties (SoD)

• Platform as a Service (PaaS): Infrastructure cloud security, plus: Secure connection to cloud services; Secure B2B communications; Data security

• Software as a Service (SaaS): Infrastructure and platform cloud security, plus: Access to administrative controls; App security, code reviews; Content monitoring, filtering, and data loss prevention (DLP)

Page 10:

[Figure: Corporate Border enclosing Branch Office, Corporate Office, Applications and Data, and Policy; Attackers, Customers and Partners outside the border]

Page 11:

[Figure: Policy; Corporate Border enclosing Branch Office, Corporate Office, Applications and Data; outside the border: Home Office, Coffee Shop, Airport, Mobile User, Customers, Partners, Attackers; cloud services: Platform as a Service, Infrastructure as a Service, X as a Service, Software as a Service]

Page 12:

• Logical separation

• Policy consistency

• Automation

• Authentication and access control

• Scalability and performance

Page 13:

“In the Cloud”

[Figure: Secure Cloud Infrastructure; Private Cloud; Virtualized App Servers]

In the Cloud: Security (products, solutions) instantiated as an operational capability deployed within Cloud Computing environments. Examples: Routers, Firewalls, IPS, AV, WAF, …

Page 14:

Popular best practices for securing cloud computing

Flagship research project: V2.1 released 12/2009; V3 research underway, targeting Q3 2011 release

Guidance (wiki.cloudsecurityalliance.org/guidance): >100k downloads

Guidance sections shown: Governing the Cloud; Operating in the Cloud

Page 15:

Virtualized Multi-Tenant Data Center (VMDC 2.2)

[Figure: Application Software; Virtual Machine; Access, Core, Peering; IP-NGN Backbone; Storage & SAN; Compute; vSwitch; Aggregation & Services; Internet; Partners; Cloud Infrastructure Management Platform (CIMP); Tenant “A” Application 1 and Application 2, Tenant “B” Application 1 and Application 2, each as App/OS pairs; Embedded Services: ACE, IDS, DDoS, SSL, FW]

Validated Cisco design: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/landing_vmdc.html

Page 16:

“For the Cloud”

[Figure: Secure Cloud Access; Public Cloud; Secure Cloud Infrastructure]

For the Cloud: Security services that are specifically targeted toward securing OTHER Cloud Computing services, delivered by Cloud Computing providers.

Page 17:

• Controls derived from guidance

• Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP

• Rated as applicable to S-P-I (SaaS, PaaS, IaaS)

• Customer vs Provider role

• Help bridge the “cloud gap” for IT & IT auditors

Page 18:

Consistent Identity-Aware Policy from Any Device to Data Center – Based on Business Needs

Policy Distribution and Intelligence Through the Network

Security Group Tagging Scales Context-Aware Enforcement

POSTURE-BASED PERMISSIONS

1. Permit/Deny based on policy

2. Authorized devices tagged with policy

3. Policy tags enforced by the network

[Figure: VPN and MACSec paths into the Data Center and its Virtual DC Machines; decisions shown as ALLOWED / DENIED; policy context: WHO, WHAT, WHERE, WHEN, HOW]
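The three steps above, as an added illustration that is not from the slides: a session's who/what/where/when/how context is mapped to a security group tag, and the enforcement point decides only from a tag-to-tag policy matrix with a default of deny. The tag names, the posture rules and the matrix contents are constructed for the example.

```python
"""Added example (not from the slides): posture-based permissions
enforced through security group tags. Tag names, posture rules and
the policy matrix below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_role: str      # WHO: identity established at authentication
    device_type: str    # WHAT: "managed" or "byod"
    location: str       # WHERE: "corp" or "vpn"
    hour: int           # WHEN: hour of day, 0-23
    posture_ok: bool    # HOW: device passed the compliance (posture) check


# Step 2: classify the authenticated session into a security group tag.
def assign_tag(s: Session) -> str:
    if not s.posture_ok:
        return "QUARANTINE"   # non-compliant devices get a restricted tag
    if s.user_role == "admin" and s.device_type == "managed" and s.location == "corp":
        return "DC_ADMIN"
    if s.user_role in ("employee", "admin") and s.device_type == "managed":
        return "EMPLOYEE"
    if s.user_role == "partner" and 8 <= s.hour < 18:
        return "PARTNER"      # partners only during business hours
    return "GUEST"


# Step 1: permit/deny is decided by policy, written as (source tag, destination tag) pairs.
POLICY = {
    ("DC_ADMIN", "VDC_MACHINES"): "ALLOW",
    ("EMPLOYEE", "VDC_MACHINES"): "ALLOW",
    ("EMPLOYEE", "PARTNER_PORTAL"): "ALLOW",
    ("PARTNER", "PARTNER_PORTAL"): "ALLOW",
    ("QUARANTINE", "REMEDIATION"): "ALLOW",
    ("GUEST", "INTERNET"): "ALLOW",
}


# Step 3: the network enforcement point sees only tags, never identities; anything unlisted is denied.
def enforce(src_tag: str, dst_tag: str) -> str:
    return POLICY.get((src_tag, dst_tag), "DENY")


def decide(s: Session, dst_tag: str) -> tuple:
    """Full path for one flow: tag the session, then enforce the tag pair."""
    tag = assign_tag(s)
    return tag, enforce(tag, dst_tag)


if __name__ == "__main__":
    print(decide(Session("admin", "managed", "corp", 10, True), "VDC_MACHINES"))  # ('DC_ADMIN', 'ALLOW')
    print(decide(Session("employee", "byod", "vpn", 22, True), "VDC_MACHINES"))   # ('GUEST', 'DENY')
```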

Page 19:

“By the Cloud”

Cloud Security Services

[Figure: Secure Cloud Infrastructure; Securing Cloud Access; Internet; services: Email, Web, Secure Mobility]

By the Cloud: Security services delivered by Cloud Computing services which are used by providers

Page 20:

Security as a Service Working Group (SecaaS)

1. Identity and Access Management

2. Data Loss Prevention

3. Web Security

4. Email Security

5. Security Assessments

6. Intrusion Management

7. Security Information and Event Management

8. Encryption

9. Business Continuity and Disaster Recovery

10. Network Security

Source: https://cloudsecurityalliance.org/research/working-groups/security-as-a-service/

Page 21:

Email SaaS

Cisco IronPort Email Security Services: Providing industry-leading email security with choice (Cloud • Hybrid • Managed)

Key Service Attributes: Dedicated infrastructure; Co-managed access; Centralized tracking & reporting

Mail flow between the Customer and the Data Centers:

1. Inbound Hygiene: removes spam and viruses

2. Pass Clean Email

3. Outbound Control: apply DLP and encryption policies

Page 22:

Web SaaS

Cisco ScanSafe Web Security Services: Delivering market-leading web security & visibility

Key Service Attributes: Zero day malware protection; Multi-tenant infrastructure; On-demand capacity

Service components: Application Controls; Anti-Malware; Web Filters

1. Cloud redirection: web traffic is forwarded directly to the cloud

2. Policy Enforcement: all outbound traffic is passed through defined policy

3. Malware Protection: content analysis to detect and block all malware

Page 23:

Cloud Security Services

• Cisco ScanSafe Web Security and Filtering

• Cisco IronPort® Cloud, Managed, and Hybrid Email Security

• Cisco SIO:

  - Cisco SensorBase™

  - Threat Operations Center

  - Dynamic updates

Secure Cloud Infrastructure

• Cisco® ASA 5585-X with firewall and IPS; ASA Services Module

• Cisco Nexus® 1000V switch

• Cisco Virtual Security Gateway

• Cisco ASA1000V

Secure Cloud Access and Communications

• Secure SaaS access

• Cisco AnyConnect™

• Cisco TrustSec®

• Cisco Identity Services Engine

• VPN

Page 24:

“Security Guidance for Critical Areas of Focus in Cloud Computing” Whitepaper: Comprehensive guide on how to secure Cloud Architectures, how to govern Clouds and how to operate securely in a Cloud Environment: http://www.cloudsecurityalliance.org/csaguide.pdf

Cisco Cloud Security accelerates Cloud Adoption: Cisco Cloud Security Technology: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1066/white_paper_c11-674558.html

Creating Business Value with Effective Pervasive Cloud Security and Cloud Enablement Services: Cisco Cloud Security Services: http://www.cisco.com/en/US/services/ps2961/ps10364/ps10370/ps11104/cisco_cloud_security_whitepaper_services.pdf

Page 25:

Thank-You!!