Cisco Cloud Security for Public & Private Cloud
Villayat Muhammad, Technical Leader
BRKSEC-2016
Agenda
• Security Challenges
• Design and Integration
• Compliance Guidance
Cloud Data Center Security Challenges
Complexity
• Too many different security components
• No easy way of collecting data and correlating it
• Integration is a nightmare
• Virtualization in a multi-tenant data center
Compliance
• Growing regulatory requirements: PCI, HIPAA, FISMA
• Little to no guidance on how to meet new standards
• Huge non-compliance fines
Visibility
• Need to know the complete context
• Utilize global intelligence with data analytics
• Behavioral analysis and forensic investigations
Session's Key Focus Area (diagram)
• Visibility: NetFlow and context awareness
• Threat Defense: intrusion prevention and detection
• SIEM: intelligent logging and monitoring
• Compliance Guidance: PCI-DSS, HIPAA, FISMA
Secure Data Center Model: Threat-Centric Attack Continuum
Attack vectors: Network, Endpoint, Mobile, Virtual, Cloud
Before (see it and control it)
• Actions: discover environment, implement access policy, harden network and assets, achieve compliance
• Controls/events: firewall, tenant segmentation, security zoning, vulnerability management, patch management
During (intelligent and context aware)
• Actions: detect, block, prevent
• Controls/events: intrusion prevention, cyber threat defense, antivirus, antimalware
After (retrospective security)
• Actions: determine scope, contain, remediate
• Controls/events: intrusion detection, SIEM log management, forensics, analysis
Cisco Cloud Secure Data Center for the Service Provider Solution Portfolio
Secure Architecture
Converged Infrastructure
Compute
Storage
Flexpod, Vblock
Virtualization
Infrastructure Automation
Tenant Isolation
High Availability
Physical & Virtual Firewall
Industry Standard Compliance
PCI Compliance
HIPAA Compliance
FISMA Compliance
Cyber Threat Management with NextGen IPS
NextGen IPS
FireSIGHT Mgmt Center
User Context
Application Control
URL Filtering
SPERO Fingerprint
Advanced Malware Protection, Operational Intelligence and Log Management
FirePOWER Advanced Malware Protection (AMP)
Cisco Cyber Threat Defense (CTD)
NetFlow Generation Appliance (NGA)
NetFlow
NSEL (Network Security Event Logging)
Security Information & Event Management (SIEM)
Splunk
Design And Integration
Cisco Cloud Secure Data Center Design Pillars
Capability
• Provides baseline guidance for achieving PCI, HIPAA, and FISMA compliance
• Provides faster time to market
• Reduces operational complexity
• Integrates with offerings of technology partners
Agile Architecture
• Highly available and redundant
• Security performance matched to network performance
• Asymmetrical traffic flows
• Tenant segmentation
• Integrated virtual and physical appliances
Complete Protection
• North-south protection
• East-west protection
• Forensics
• Reputation-based protection
• Event correlation and monitoring
Per-tenant firewall insertion (diagram): the N7K aggregation pair carries a front-end VRF towards the MPLS cloud and a protected VRF towards the tenant servers; an ASA firewall with one context per tenant sits between the outside tenant VLAN and the inside tenant VLAN.
Segmentation
Per-Tenant Isolation
• VRF-lite provides per-tenant isolation at L3
Tagging Provides ID-Based Segmentation
• VLAN IDs and the 802.1Q tag
Segmentation for Compute, Storage, and Applications
• Compute separation (vNICs, VLANs, port profiles)
• Storage separation (VSAN, LUN masking)
• Application (intra-tenant security zoning and firewalling)
Unwanted network access is controlled by the firewall (one ASA context per tenant)
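The segmentation above is a mapping problem: every tenant needs its own VLAN pair, its own VRFs on the aggregation pair and its own ASA context, and isolation breaks the moment two tenants share a VLAN ID or VRF name. The script below is an added example (not configuration from the session or the VMDC design guide) that derives that mapping from a tenant table, emits the NX-OS VRF-lite and ASA system-context snippets, and checks the invariants the design depends on. The VLAN ranges, VRF and context naming, interface names, transit addressing and the tenant table are all assumptions.

```python
"""Per-tenant segmentation plan for the N7K aggregation pair (VRF-lite + 802.1Q) and the
ASA system context (one security context per tenant).  Added example, not configuration
from the session or the VMDC design guide: VLAN ranges, VRF/context naming, interface
names, link addressing and the tenant table are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Tenant:
    name: str
    out_vlan: int       # outside tenant VLAN: N7K front-end VRF <-> ASA context outside
    in_vlan: int        # inside tenant VLAN: ASA context inside <-> N7K protected VRF
    server_net: str     # tenant server subnet; may legitimately overlap with other tenants
    out_link: str       # /30 between the front-end VRF SVI and the ASA context (assumed)


OUT_BASE, IN_BASE = 1000, 2000          # assumed VLAN ranges: outside 1001+, inside 2001+
NXOS_RESERVED = range(3968, 4095)       # NX-OS default reserved VLAN range


def plan(tid: int, name: str, server_net: str) -> Tenant:
    """Derive the VLAN pair and transit link for tenant number tid (1..240 in the session)."""
    return Tenant(name, OUT_BASE + tid, IN_BASE + tid, server_net, f"10.255.{tid}.0/30")


def nxos_config(t: Tenant) -> str:
    """N7K side: VLANs, one VRF per side, SVIs bound to the tenant's own VRFs (VRF-lite)."""
    srv, link = IPv4Network(t.server_net), IPv4Network(t.out_link)
    return "\n".join([
        f"vlan {t.out_vlan}", f"  name {t.name}-outside",
        f"vlan {t.in_vlan}", f"  name {t.name}-inside",
        f"vrf context {t.name}-fe",        # front-end VRF: towards the MPLS cloud
        f"vrf context {t.name}-prot",      # protected VRF: towards the tenant servers
        f"interface Vlan{t.out_vlan}",
        f"  vrf member {t.name}-fe",
        f"  ip address {link[1]}/{link.prefixlen}",
        "  no shutdown",
        f"interface Vlan{t.in_vlan}",
        f"  vrf member {t.name}-prot",
        f"  ip address {srv[1]}/{srv.prefixlen}",   # gateway for the tenant's servers
        "  no shutdown",
    ])


def asa_system_config(t: Tenant) -> str:
    """ASA system context: tagged subinterfaces allocated to a dedicated tenant context."""
    return "\n".join([
        f"interface GigabitEthernet0/0.{t.out_vlan}", f"  vlan {t.out_vlan}",
        f"interface GigabitEthernet0/1.{t.in_vlan}", f"  vlan {t.in_vlan}",
        f"context {t.name}",
        f"  allocate-interface GigabitEthernet0/0.{t.out_vlan} outside",
        f"  allocate-interface GigabitEthernet0/1.{t.in_vlan} inside",
        f"  config-url disk0:/{t.name}.cfg",
    ])


def check_isolation(tenants: list) -> list:
    """Invariants the segmentation relies on.  Overlapping server subnets between tenants are
    deliberately NOT flagged: each tenant's prefix lives in its own VRF, which is the point."""
    problems, vlan_owner, names = [], {}, set()
    for t in tenants:
        if t.name in names:
            problems.append(f"{t.name}: duplicate tenant name (VRF and context names collide)")
        names.add(t.name)
        if t.out_vlan == t.in_vlan:
            problems.append(f"{t.name}: outside and inside VLAN are the same ({t.out_vlan})")
        for side, v in (("outside", t.out_vlan), ("inside", t.in_vlan)):
            if not 1 < v < 4095 or v in NXOS_RESERVED:
                problems.append(f"{t.name}: {side} VLAN {v} is not a usable 802.1Q ID on NX-OS")
            if v in vlan_owner and vlan_owner[v] != t.name:
                problems.append(f"{t.name}: {side} VLAN {v} already used by {vlan_owner[v]}")
            vlan_owner.setdefault(v, t.name)
    return problems


if __name__ == "__main__":
    tenants = [plan(1, "tenant1", "10.1.1.0/24"), plan(2, "tenant2", "10.1.1.0/24")]
    for t in tenants:
        print(nxos_config(t), asa_system_config(t), sep="\n")
    print("isolation problems:", check_isolation(tenants) or "none")
```

Run it and the two tenants come out with the same 10.1.1.0/24 server subnet and no reported problem, because each subnet is reachable only through its own VRF and context; hand it a tenant whose outside VLAN collides with tenant1 and `check_isolation` names the owner, which is the check to run before pushing a new tenant onto a shared aggregation pair.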
High-speed inspection with IPS (diagram): the same per-tenant topology, the N7K aggregation pair with outside and inside VRFs and an ASA context per tenant, with a Next-Gen IPS inserted in-line on the inside tenant VLAN behind the firewall context.
Tenant Segmentation with FirePOWER IPS
• In-line IPS insertion provides seamless integration
• High-speed, line-rate inspection by FirePOWER IPS
High Speed Inspection (diagram): FirePOWER context awareness between the Internet/WAN cloud and the data center resources, showing the discovered context for host 123.45.67.89 (Johnson-PC, OS: Windows 7), host laptop1 (user jsmith, IP 12.134.56.78) and an SQL server at 12.122.13.62.
FireSIGHT Management Cloud Connectivity (diagram): enterprise traffic enters at the data center edge through the ASA firewall and FirePOWER; FirePOWER extracts file information and performs a malware disposition lookup against the AMP cloud, and the resulting malware information is reported to the FireSIGHT Management Center.
Threat Intelligence and Dynamic Malware Analysis
• AMP for Networks is built on the largest collection of real-time threat intelligence and dynamic malware analytics supplied by Cisco Collective Security Intelligence and the Talos Security Intelligence and Research Group. Organizations benefit from:
• 1.1 million incoming malware samples per day
• 100 terabytes of data per day
• 13 billion web requests
• 600 engineers, technicians, and researchers
• 24-hour operations
IPS Integration
VMDC Data Center Reference Architecture (diagram): IP/MPLS WAN edge, N70xx aggregation pair carrying the outside VRF and inside VRF, ASA firewall, a load-balancer pair, N55xx access switches, UCS 62xx fabric interconnects and UCS blade chassis with Nexus 1000V (the ICS); a management PoD hosts CTD, NGA (NetFlow) and ACS and receives spanned data.
Design Option: IPS Insertion – Access (diagram: the reference architecture above with the IPS inserted at the access layer)
Design Option: IPS Insertion – WAN Edge (diagram: the reference architecture with the IPS inserted at the WAN edge)
Design Option: Single IPS Insertion – Aggregation (diagram: the reference architecture with a single IPS inserted at the aggregation layer)
Best Practice Design: Dual IPS Insertion – Aggregation (diagram: the reference architecture with a pair of IPS appliances inserted at the aggregation layer)
Container-Based IPS Policies (diagram)
• Gold container: tenants 1 - 200, Policy – Gold
• Copper container: tenants 201 - 240, Policy – Copper
• FirePOWER IPS applies one policy per container
End to End Visibility
Question: what percentage of attacks were not discovered for weeks and months?
• 85% of attacks were not discovered for weeks or months
• 59% of attacks were not contained for weeks or months after discovery
• 60% of attacks begin exfiltrating data within hours
• 85% of attacks begin compromising their target within minutes
Detection Is Critical to Response and Recovery
Source: Verizon 2014 Data Breach Investigations Report
Visibility Challenges
Breached, but how, where and who?
• Often very difficult to find
• Attacks are hidden by day-to-day operations
Disparate data sources
• No single system provides all the data needed to decipher an attack
• Attacks can span devices, individuals, time, etc.
Context is critical
• Multiple data sources are required: identity, reputation, vulnerability, device type, etc.
• Analysts collect and assemble contextual information from a variety of sources
End-to-End Visibility
Cisco® FirePOWER NGIPS: traffic analysis and monitoring, security threat detection, intrusion monitoring over time, and display and examination of malware using network file trajectories.
Cisco NetFlow/NSEL: line-rate Cisco NetFlow using the Cisco NetFlow Generation Appliance (NGA) and NSEL per-context records from the firewall.
Cisco Cyber Threat Defense: centralized threat monitoring and detailed forensics, using network device telemetry, real-time data correlation, visualization, and reporting to provide complete visibility across the whole data center.
Splunk: intelligent centralized log monitoring, operational analytics and cross-tier operational visibility.
How Cisco Cyber Threat Defense Helps
• How they got in and what devices were affected: provides greater visibility into threats and deep inspection of abnormal behavior
• Identifies suspicious network traffic patterns: who, what, when, where, and how; provides contextual information
• Uses the intelligence in the network: the network sees every user, device, and packet
CTD Architecture: Virtual Flow Collector
• Flow exporting layer: the Cisco ASA firewall and NetFlow/sFlow-enabled Cisco routers and switches export flows from the infrastructure to their respective StealthWatch FlowCollector
• Flow collecting layer: StealthWatch FlowCollector (virtual)
• Management/reporting layer: a single StealthWatch Management Console (SMC; a redundant SMC is available) centralizes management and reporting for unified security monitoring
Cisco CTD Solution: Providing Scalable Visibility
How CTD Uses NSEL
• Drilling into a single flow yields a plethora of information
• Flow actions such as Create, Denied or Tear Down are reported in the NSEL record sent from the ASA to CTD
Mapping of NATted IP (Global to Local) of a Client
• CTD is able to map the global IP address of a client to its local inside address
• This technique helps analyze clients in an overlapping-IP multi-tenant environment
CTD Behavioral Algorithm
• The results of the behavioral analysis of a denied data flow indicate that the target was the web server
CTD in a Multi-tenant Cloud Data Center
• In a multi-tenant overlapping-IP deployment model, a separate FlowCollector is needed per tenant
• Each FlowCollector is placed in a separate domain on the SMC management station
• Tenant-specific NSEL records are exported from each ASA context
• Use a separate FlowCollector to collect NetFlow from the NGA; the NGA exports aggregated traffic from the ingress aggregation layer
• The appropriate ports need to be enabled on the ASA firewall to ensure communication and operation of the various CTD components
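The three NSEL points above (flow action in the record, global-to-local NAT mapping, and why overlapping tenants need separate FlowCollectors) are easiest to see on actual records. This added example (not CTD or Cisco code) works on a handful of constructed NSEL records that are already decoded from their NetFlow v9 templates, which is the collector's job, using Cisco's NSEL field names (NF_F_FW_EVENT, NF_F_XLATE_SRC_ADDR_IPV4, NF_F_XLATE_DST_ADDR_IPV4); the context names, addresses and the assumption that tenant inside space is 10/8 are constructed for the example.

```python
"""Analysing ASA NSEL records per tenant context, the way CTD consumes them.  Added example,
not CTD code: the records are constructed and already decoded from their NetFlow v9
templates (the collector's job), using Cisco's NSEL field names; contexts and addresses
are assumptions."""
from collections import Counter

# NF_F_FW_EVENT (field 233): the flow action the session mentions (Create, Denied, Tear Down)
FW_EVENT = {0: "ignore", 1: "created", 2: "deleted", 3: "denied", 5: "updated"}


def rec(context, src, dst, dport, fw_event, xlate_src=None, xlate_dst=None):
    """One decoded NSEL record.  xlate_* are NF_F_XLATE_*_ADDR_IPV4 (fields 225/226); for a
    denied flow the ASA has translated nothing, so they equal the real addresses."""
    return {"context": context, "src": src, "dst": dst, "dport": dport, "fw_event": fw_event,
            "xlate_src": xlate_src or src, "xlate_dst": xlate_dst or dst}


# Constructed: tenant1 and tenant2 both use 10.1.1.0/24 inside (overlapping multi-tenant);
# each ASA context PATs its clients to its own global address.  203.0.113.5 is an outside
# host probing tenant1's web server (10.1.1.80) and database server (10.1.1.81).
RECORDS = [
    rec("tenant1", "10.1.1.10", "198.51.100.20", 443, 1, xlate_src="203.0.113.10"),
    rec("tenant2", "10.1.1.10", "198.51.100.20", 443, 1, xlate_src="203.0.113.20"),
    rec("tenant1", "10.1.1.10", "198.51.100.20", 443, 2, xlate_src="203.0.113.10"),
    rec("tenant1", "203.0.113.5", "10.1.1.80", 80, 3),
    rec("tenant1", "203.0.113.5", "10.1.1.80", 8080, 3),
    rec("tenant1", "203.0.113.5", "10.1.1.80", 443, 3),
    rec("tenant1", "203.0.113.5", "10.1.1.81", 1433, 3),
    rec("tenant2", "198.51.100.9", "10.1.1.80", 22, 3),
]


def nat_map(records):
    """Global (post-NAT) client address -> local inside address, keyed by tenant context.
    Keying by context is what keeps the mapping unambiguous when inside ranges overlap."""
    out = {}
    for r in records:
        if FW_EVENT[r["fw_event"]] in ("created", "updated") and r["xlate_src"] != r["src"]:
            out[(r["context"], r["xlate_src"])] = r["src"]
    return out


def ambiguous_local_ips(records):
    """Inside addresses seen in more than one context.  A single shared FlowCollector would
    merge these hosts, which is why CTD needs one FlowCollector (SMC domain) per tenant."""
    seen = {}
    for r in records:
        for ip in (r["src"], r["dst"]):
            if ip.startswith("10."):            # assumed: tenant inside space is 10/8
                seen.setdefault(ip, set()).add(r["context"])
    return {ip for ip, ctxs in seen.items() if len(ctxs) > 1}


def denied_targets(records, context):
    """Behavioural view of one tenant's denied flows: which inside host was the target."""
    return Counter(r["dst"] for r in records
                   if r["context"] == context and FW_EVENT[r["fw_event"]] == "denied")


def route_to_collectors(records):
    """Per-tenant FlowCollector domains: each ASA context's NSEL stream gets its own collector."""
    domains = {}
    for r in records:
        domains.setdefault(f"fc-{r['context']}", []).append(r)
    return domains


if __name__ == "__main__":
    print(nat_map(RECORDS))
    print("ambiguous without per-tenant collectors:", ambiguous_local_ips(RECORDS))
    host, hits = denied_targets(RECORDS, "tenant1").most_common(1)[0]
    print(f"tenant1 denied flows: most targeted host {host} ({hits} attempts)")
    print({d: len(rs) for d, rs in route_to_collectors(RECORDS).items()})
```

Two things the records make concrete: the NAT mapping only works when the context name travels with the record (both tenants PAT 10.1.1.10, to different globals), and `ambiguous_local_ips` lists exactly the hosts a shared collector would silently merge, which is the failure mode the per-tenant FlowCollector rule prevents.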
SIEM Integration
Security Information and Event Management (SIEM)
• Correlate data from network components and security devices
• Reduce false positives
• Alert on possible threats
• Provide visualizations and canned reports that reflect security metrics
Intelligent Logging and Monitoring with Splunk
• Incident investigation and forensics
• Help with compliance reporting
• Real-time monitoring of known threats
• Real-time monitoring of unknown threats
Splunk as SIEM (diagram): real-time machine data from the data center components is indexed by Splunk
Splunk Key Benefits (Splunk versus a traditional SIEM)
• Single product, UI, data store
• Software-only; install on commodity hardware
• Quick deployment + ease-of-use = fast time-to-value
• Can index any data type
• All original/raw data indexed and searchable
• Big data architecture enables scale and speed
• Flexible search and reporting enables better/faster threat investigations and detection
• Open platform with API, SDKs, Apps
• Use cases beyond security/compliance
Splunk Deployment Best Practice
• Each ASA context is configured as a syslog exporter to enable ASA event tracking on a per-tenant basis
• CTD and FirePOWER are configured to export syslog records to Splunk
• FirePOWER can send syslog messages for intrusion, malware and connection events on a per-tenant basis
• Splunk aggregates security and syslog events from network and security devices to provide a unified view of events
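What the SIEM buys over either feed alone is the correlation the slide promises: a firewall deny is noise, an IPS alert can be a false positive, but the same outside host producing both against the same tenant is worth an analyst's time. The following added example (not Cisco or Splunk code) does that correlation over constructed log lines in the shape Splunk would receive from the deployment above. It assumes each ASA context logs with `logging timestamp` and `logging device-id context-name` (so the context name appears in the header), that FireSIGHT forwards intrusion events in its SFIMS syslog alert format, and that sensors are named per tenant; the sensor-to-tenant map, the signature and all addresses are assumptions.

```python
"""Per-tenant correlation of ASA and FirePOWER syslog, the kind of search Splunk would run
over the events forwarded by the deployment above.  Added example, not Cisco or Splunk
code.  Log lines are constructed; they assume `logging timestamp` plus
`logging device-id context-name` on each ASA context, and FireSIGHT's SFIMS syslog format.
The sensor-to-tenant mapping and all addresses are assumptions."""
import re
from collections import defaultdict

ASA_HDR = re.compile(r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) (?P<ctx>\S+) : "
                     r"%ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$")
ASA_DENY = re.compile(r"^Deny \w+ src [\w-]+:(?P<src>[\d.]+)/\d+ dst [\w-]+:(?P<dst>[\d.]+)/"
                      r"(?P<dport>\d+) by access-group")
SFIMS = re.compile(r'SFIMS: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<name>[^"]+)".*'
                   r'From "(?P<sensor>[^"]+)".*\[Priority: (?P<prio>\d)\] \{\w+\} '
                   r'(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)')
SENSOR_TENANT = {"fp-tenant1": "tenant1", "fp-tenant2": "tenant2"}   # assumed sensor names

# Constructed lines.  tenant1 and tenant2 both use 10.1.1.0/24 inside; the context name in
# the header is what keeps their events apart.  SID 1000001 is in the local-rule range.
LOGS = """\
Jun 10 2014 12:00:01 tenant1 : %ASA-4-106023: Deny tcp src outside:203.0.113.5/43210 dst inside:10.1.1.80/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jun 10 2014 12:00:02 tenant1 : %ASA-4-106023: Deny tcp src outside:203.0.113.5/43211 dst inside:10.1.1.80/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jun 10 2014 12:00:03 tenant1 : %ASA-4-106023: Deny tcp src outside:203.0.113.5/43212 dst inside:10.1.1.81/1433 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jun 10 2014 12:00:04 tenant1 : %ASA-6-302013: Built inbound TCP connection 8821 for outside:203.0.113.5/43213 (203.0.113.5/43213) to inside:10.1.1.80/80 (203.0.113.80/80)
SFIMS: [1:1000001:1] "LOCAL sample web attack signature" [Impact: Vulnerable] From "fp-tenant1" at Tue Jun 10 12:00:04 2014 UTC [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:43213->10.1.1.80:80
Jun 10 2014 12:00:05 tenant2 : %ASA-4-106023: Deny tcp src outside:198.51.100.9/5000 dst inside:10.1.1.80/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jun 10 2014 12:00:06 tenant2 : %ASA-4-106023: Deny tcp src outside:198.51.100.9/5001 dst inside:10.1.1.80/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jun 10 2014 12:00:07 tenant2 : %ASA-4-106023: Deny tcp src outside:198.51.100.9/5002 dst inside:10.1.1.80/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
"""


def normalize(line):
    """One raw line -> a tenant-tagged event, or None for lines this rule does not use."""
    m = ASA_HDR.match(line)
    if m:
        d = ASA_DENY.match(m["msg"])
        if m["id"] == "106023" and d:
            return {"tenant": m["ctx"], "source": "asa", "kind": "deny",
                    "src": d["src"], "dst": d["dst"], "dport": int(d["dport"])}
        return None
    m = SFIMS.search(line)
    if m:
        return {"tenant": SENSOR_TENANT.get(m["sensor"], "unknown"), "source": "firepower",
                "kind": "intrusion", "sid": int(m["sid"]), "name": m["name"],
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    return None


def correlate(lines, deny_threshold=3):
    """Raise a finding only when two independent sources agree on the same (tenant, outside
    host): an IPS intrusion event AND at least deny_threshold firewall denies.  Denies alone
    (tenant2 above) stay a count, which is the false-positive reduction the SIEM provides."""
    denies, alerts = defaultdict(int), defaultdict(list)
    for ev in filter(None, map(normalize, lines.splitlines())):
        key = (ev["tenant"], ev["src"])
        if ev["kind"] == "deny":
            denies[key] += 1
        else:
            alerts[key].append(ev["name"])
    return [{"tenant": t, "src": s, "denies": denies[(t, s)], "alerts": names}
            for (t, s), names in alerts.items() if denies[(t, s)] >= deny_threshold]


if __name__ == "__main__":
    for f in correlate(LOGS):
        print(f"[{f['tenant']}] {f['src']}: {f['denies']} denies + IPS {f['alerts']}")
```

Note that tenant2 sees the same inside address (10.1.1.80) probed by a different outside host and produces no finding: without the context name in the syslog header those denies would have merged with tenant1's and the count would be wrong in both directions.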
Compliance Guidance
Industry Standard Regulatory Compliance Guidance
There are different regulatory compliance laws for different market verticals:
• PCI DSS: for credit card data and processors
• HIPAA and related privacy laws: for the health care segment
• FISMA and related government regulations: for government agencies and their service providers
Question: is the cost of compliance higher than the cost of non-compliance?
Cost of Compliance
• Technologies
• Audits (internal and external)
• Remediation
• Training
• Management
• Implementation or enforcement
• Other areas such as physical security, policies and planning may incur cost in terms of human resources
Cost of Non-Compliance
• Significant fines and fees
• Reputation of the service provider
• Loss of production for end customers
• Revenue impact
• Customer relationships
• Litigation or arbitration settlements
PCI DSS 3.0 Guidance
• Organizations are required to comply with PCI DSS 3.0 by Jan 1, 2015
• The primary focus is on the infrastructure
• Scoping of the network is key: only systems in, connected to, or able to affect the cardholder data environment are in scope, so tenant segmentation decides how much of the data center an assessment covers
• Tools available to facilitate compliance: ASA, IPS, CTD, Splunk, ACE, NGA
Compliance Scoping Example (Open Ended) (diagram: the VMDC reference architecture with the whole data center, from the WAN edge through aggregation, ASA, access and compute, inside the assessment scope)
Compliance Scoping Example (Specific Network Area) (diagram: the same architecture with the assessment scope limited to one specific network area behind its own VRFs and ASA context)
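The two scoping slides contrast a flat data center, where everything is in scope, with a segmented one, where only the tenant area holding cardholder data and whatever can reach it is. The script below is an added example (not part of the session or the VMDC design guide) that applies the PCI DSS scope definition, systems in the cardholder data environment, systems connected to it, and systems that can affect its security, to a constructed inventory: the hosts, segments, CDE membership and ASA permit rules are assumptions made up for the example.

```python
"""PCI DSS scoping walk over a segmented tenant data center.  Added example, not part of the
session: the inventory, segments, CDE membership and ASA permit rules are constructed.  It
applies the PCI DSS scope definition (systems in the cardholder data environment, systems
connected to it, and systems that can affect its security) to the two cases the scoping
slides contrast: a flat network and one segmented per tenant."""


def scope(hosts, cde, permits, admins=()):
    """hosts: host -> segment (a tenant VLAN/VRF pair behind one ASA context, or a shared one).
    cde: hosts that store, process or transmit cardholder data.
    permits: (src_segment, dst_segment) pairs an ASA context allows; traffic inside a segment
    never crosses a firewall, so sharing a segment with a CDE host means 'connected'.
    admins: hosts that manage CDE systems (ACS, Splunk, CTD...), in scope wherever they sit.
    Only direct connectivity is evaluated; returns host -> reason for every in-scope host."""
    cde_segs = {hosts[h] for h in cde}
    reasons = {}
    for h, seg in hosts.items():
        if h in cde:
            reasons[h] = "CDE system"
        elif seg in cde_segs:
            reasons[h] = f"same segment as CDE ({seg}), no firewall in between"
        elif any((a == seg and b in cde_segs) or (b == seg and a in cde_segs) for a, b in permits):
            reasons[h] = f"connected to CDE by a permitted rule from/to {seg}"
        elif h in admins:
            reasons[h] = "administers CDE systems (can affect CDE security)"
    return reasons


# Constructed inventory: two tenants, tenant1 handles card data; a shared management PoD.
HOSTS = {
    "t1-web": "tenant1-dmz", "t1-app": "tenant1-app", "t1-db": "tenant1-db",
    "t2-web": "tenant2-dmz", "t2-db": "tenant2-db",
    "acs": "mgmt", "splunk": "mgmt", "ctd": "mgmt", "ticketing": "mgmt",
}
CDE = {"t1-app", "t1-db"}
ADMINS = {"acs", "splunk", "ctd"}

# Open-ended case: no segmentation, every host in one segment.
FLAT_HOSTS = {h: "dc" for h in HOSTS}

# Specific-network-area case: one ASA context per tenant, explicit permits only.
PERMITS = {
    ("internet", "tenant1-dmz"), ("tenant1-dmz", "tenant1-app"), ("tenant1-app", "tenant1-db"),
    ("internet", "tenant2-dmz"), ("tenant2-dmz", "tenant2-db"),
    ("mgmt", "tenant1-dmz"), ("mgmt", "tenant1-app"), ("mgmt", "tenant1-db"),
    ("mgmt", "tenant2-dmz"), ("mgmt", "tenant2-db"),
}


def open_ended_scope():
    return scope(FLAT_HOSTS, CDE, set(), ADMINS)


def segmented_scope():
    return scope(HOSTS, CDE, PERMITS, ADMINS)


if __name__ == "__main__":
    for label, result in (("open ended", open_ended_scope()), ("segmented", segmented_scope())):
        print(f"{label}: {len(result)}/{len(HOSTS)} hosts in scope")
        for h, why in sorted(result.items()):
            print(f"  {h:10} {why}")
```

The segmented run drops tenant2 entirely but still pulls in the whole management segment, ticketing included, because a blanket `mgmt -> tenant1-*` permit makes every host there "connected to" the CDE; tightening that permit to the ACS, Splunk and CTD hosts (or a jump host) is how the management PoD stays in scope only through the administrative relationship and ticketing falls out.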
PCI DSS 3.0 Requirements (goals and requirements)
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
PCI DSS 3.0 Control Mapping
PCI DSS 3.0 requirement | Total controls | Controls directly met or assisted by the Cloud Security Architecture | Architecture components
Requirement 1 | 37 | 37 | ACS, ASA, Splunk, BMC
Requirement 2 | 30 | 13 | Splunk, IPS, BMC
Requirement 3 | 44 | Not applicable | Not applicable
Requirement 4 | 11 | Not applicable | Not applicable
Requirement 5 | 11 | Not applicable | Not applicable
Requirement 6 | 44 | 4 | IPS, Cloud Security release process
Requirement 7 | 10 | 9 | ACS
Requirement 8 | 43 | 34 | ACS, ASA
Requirement 9 | 45 | Not applicable | Not applicable
Requirement 10 | 41 | 38 | Splunk, NTP, N7K, N5K, ASA
Requirement 11 | 32 | 5 | IPS, Splunk
Requirement 12 | 47 | Not applicable | Not applicable
HIPAA Guidance
• The Cisco Cloud Security architecture is primarily focused on HIPAA Part 164, Security and Privacy
• Part 164 Subpart C: Security Standards for the Protection of Electronic Protected Health Information (164.3xx)
• There are many controls under each HIPAA rule; for example, under 164.312 there are more than 20 controls
Four Major Categories for Securing PHI Data
Four major categories reduce the risk of losing control over PHI data:
• Segmentation (VRF, VLAN, VSAN, ACL)
• Identity and Access Management (ACS)
• Logging, Auditing and Monitoring (Splunk, CTD, NGIPS)
• Encryption and Decryption (SSL VPN)
HIPAA Control Mapping
HIPAA rule | Cloud Security facilitates or directly supports | Cloud Security Architecture components
164.310(b) | Yes | N7K, N5K, ASA, IPS, FI, UCS, ACS, NGA, CTD, Splunk, Storage, Server Blades
164.310(d)(1) | Yes | Server Blades, ESXi, VMware
164.312(a)(1) | Yes | ACS
164.312(a)(2)(i) | Yes | ACS
164.312(a)(2)(ii) | Yes | ACS, Splunk
164.312(b) | Yes | Splunk
164.312(c)(1) | Yes | ACS
164.312(c)(2) | Yes | Splunk, IPS
164.304 | Yes | ACS
164.312(d) | Yes | ACS
164.312(e)(1) | Yes | ASA, SSL VPN
164.312(e)(2)(i) | Yes | ASA, VPN
164.312(e)(2)(ii) | Yes | ASA, VPN
FISMA
What is it?
• Federal Information Security Management Act (FISMA)
• United States legislation (not an agency program)
• Defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats
What is its purpose?
• Assigns responsibilities to various agencies to ensure the security of data
• Requires annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels
Who manages it?
• Individual agencies
• NOTE: Federal agencies are required to adhere to FISMA, but many state/local governments and higher educational institutions follow FISMA guidance and recommendations
FISMA: Focus on People, Process & Tools (iceberg diagram)
The 15% you see: infrastructure security, physical access controls, video surveillance, access mobility, first responders, communications
The 85% you don't see, which has to work well or your security suffers: reporting and ongoing management, operational workflows, incident management, risk analysis, accountability, system security, personnel skills, certification and authorization, security policies, planning and preparation, integrated communications, security operations
FISMA Compliance
• The current control catalog (NIST SP 800-53) is at Revision 4 and applies solely within the United States
• Many common requirements are shared with international standards
• Some controls do not apply to the Cloud Security architecture, such as training and awareness for information security personnel
• Tools available to facilitate FISMA compliance: ASA Firewall, FirePOWER NGIPS, CTD, ACS and Splunk
FISMA Control Mapping
Control family | Title | Total controls | Controls facilitated by Cloud Security | Product mapping
AC | Access Control | 35 | 19 | ACS, IPS, N7K, N5K, ASA, CTD, Splunk
AT | Awareness & Training | 5 | 0 | Not applicable
AU | Audit & Accountability | 17 | 10 | ACS, Splunk, CTD, IPS
CA | Security Assessment & Authorization | 10 | 2 | ASA, IPS, Splunk
CM | Configuration Management | 19 | 7 | ASA, IPS, BMC management tool
CP | Contingency Planning | 23 | 4 | MDS, NetApp
IA | Identification & Authentication | 22 | 13 | ACS, ASA, all products with password complexity
IR | Incident Response | 12 | 2 | Splunk, CTD, IPS
MA | Maintenance | 10 | 0 | Not applicable
MP | Media Protection | 9 | 1 | NetApp
PE | Physical & Environmental Protection | 20 | 0 | Not applicable
PL | Planning | 6 | 0 | Not applicable
PS | Personnel Security | 8 | 1 | Splunk
RA | Risk Assessment | 7 | 1 | ACS
SA | System & Services Acquisition | 14 | 1 | Cloud Security & VMDC documentation
SC | System & Communications Protection | 27 | 17 | ACS, N7K, N5K, IPS, ASA, NetApp
SI | System & Information Integrity | 21 | 8 | Splunk, IPS
Cisco Cloud Security Key Takeaways
• Implement consistent application, content, and access controls
• Accelerate threat detection and response to prevent advanced malware and APTs
• Leverage network intelligence and context to consistently enforce policies for users, devices and applications, across the network and into the cloud
• Comply with regulatory requirements such as FISMA, HIPAA, and PCI
Cisco® Cloud Security Design Guide & Blog
Design Guide: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/Cloud_Security/1-0/DG/ICSecurity.html
Security Blog: http://blogs.cisco.com/sp/cisco-cloud-security-for-public-and-private-cloud-a-secure-and-compliant-cloud-data-center
Cisco VMDC aliases
[email protected] (internal)
[email protected] (external)
[email protected] (request requirements)
www.cisco.com/go/vmdc
Thank you