Tech Insights 2011 SEA - Security from the Ground Up to the Cloud
Security from the Ground Up to the Cloud…
Esmaeil Sarabadani
Systems and Security Consultant
Redynamics Asia Sdn. Bhd.
What will be covered…
• An overview of Public and Private Clouds and their building blocks
• Cloud security concerns
• Cloud Defense-in-Depth approach
• Security in the cloud virtualized environment
• Data and network traffic isolation in the cloud
• Control and ownership of the data in the cloud
• Questions to ask before moving to the cloud
What is the cloud?!!
• It’s nothing supernatural.
• It’s been with you for a long time.
• It’s used for social activities, entertainment, business and much more.
• It brings more:
• Availability
• Reliability
• Scalability
• Affordability
• Security
Public Cloud
• Everything is hosted by a cloud service provider.
• You will have to pay for the cloud service you are using.
• Security and data protection is guaranteed.
• You will have to follow the cloud service provider’s policies.
Private Cloud
• Everything is hosted on premise.
• You will have to pay only once for the licenses and the implementation.
• Security and data protection is all under your responsibility.
• You will not have to follow any cloud service provider’s policies.
Whatever…
Microsoft Public cloud vs. Private Cloud
Microsoft Cloud Building Blocks
Compute / Network / Storage
Hyper-V Based Hypervisor
System Center Virtual Machine Manager
Admin / Tenant Interfaces
AuthN, AuthZ, Auditing
Cloud Security Concerns
• Protecting the virtualized environment
• Data isolation
• Firewall configuration
• Complexity
• Hypervisor security issues
• The geographical location of data
• Complicated audit and forensics
Cloud Defense-in-Depth Approach
Layer Defenses
Data:
• Windows Security Model for Access Control and Auditing
• System Center Data Protection Manager for Data Availability
Application:
• User Identification and Authorization
• Application-Layer Malware Protection
Host:
• Host Boundaries Enforced by External Hypervisors
• Host Malware Protection
Network:
• VLAN and Packet Filters in Network Fabric
• Host Firewall to Supplement & Integrate IPSec Isolation
Perimeter:
• Control Access to Portals / Services using UAG
• Controlled Egress Filtering using TMG
Data Isolation and Hypervisor
Diagram: physical hardware, hypervisor, a root VM and three guest VMs; one guest VM is marked Hacked and the others Healthy, with a "No Access" boundary between the VMs.
Virtualization Architecture
Diagram: Ring -1 hypervisor sitting above CPU, NIC and storage; Ring 0 holds the root partition (kernel, drivers, Server Core, virtualization stack) and the guest partitions (guest OS); Ring 3 holds the guest applications; partitions communicate over the VMBus.
Hypervisor:
• Isolation boundary between partitions.
• Only 600 KB in size
Root Partition:
• Mediates all access to the hypervisor
• Server Core minimizes attack surface
• ~50% less patching required
Guest Partitions:
• Guests cannot interfere with each other
• Dedicated VMBus channel
DEMO: Data Isolation
Where is my data located?
Choose where to store your data …
DEMO: The Location of Data
Network Security
How DDoS attacks are detected and stopped in Microsoft public cloud network …
Diagram: hackers outside the Microsoft Public Cloud, facing the hypervisors that host the tenant VMs.
Network Traffic Isolation
• Hosts and VMs support 802.1Q (VLAN Tagging)
• Each assigned a VLAN ID
• Enforced across the network fabric
• Firewalls permit inter-VLAN traffic as per policy
• Isolates:
• Host from guests
• Mgmt. traffic from guest traffic
Public/Private Cloud
Diagram: three hypervisors inside the public/private cloud.
Network Traffic Isolation
This is to prevent and stop the attacks coming from the inside and from the other VMs.
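The two slides above describe per-VM VLAN IDs as the isolation boundary between guests and between management and guest traffic. As an added example (not code from the deck or from Microsoft), here is a Hyper-V host check that audits each VM network adapter against an expected tenant-to-VLAN map; it assumes the Hyper-V PowerShell module, and the tenant name patterns, VLAN IDs and the management VLAN ID are constructed placeholders.

```powershell
# Added example: audit Hyper-V guest NIC VLAN assignments so that every guest
# sits on its tenant's VLAN, no guest shares the management VLAN, and no NIC
# is left untagged (which would bypass the 802.1Q isolation the slide relies on).
# $MgmtVlanId and $ExpectedVlan are constructed placeholders; adjust to your fabric.
param(
    [int]$MgmtVlanId = 10,
    [hashtable]$ExpectedVlan = @{ 'tenantA-*' = 101; 'tenantB-*' = 102 }
)

# Map a VM name to the VLAN its tenant is supposed to use (first matching pattern wins).
function Get-ExpectedVlanId([string]$VmName) {
    foreach ($pattern in $ExpectedVlan.Keys) {
        if ($VmName -like $pattern) { return $ExpectedVlan[$pattern] }
    }
    return $null
}

$findings = foreach ($vm in Get-VM) {
    $expected = Get-ExpectedVlanId $vm.Name
    foreach ($nic in Get-VMNetworkAdapter -VM $vm) {
        # OperationMode is Untagged, Access, Trunk, Private or Isolated; only
        # Access mode carries the single tenant VLAN ID we want to verify.
        $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
        $actual = if ($vlan.OperationMode -eq 'Access') { $vlan.AccessVlanId } else { $null }
        $issue = $null
        if ($vlan.OperationMode -ne 'Access') {
            $issue = "NIC not in Access mode ($($vlan.OperationMode)); VLAN tagging not enforced"
        } elseif ($actual -eq $MgmtVlanId) {
            $issue = "guest NIC sits on the management VLAN $MgmtVlanId"
        } elseif ($null -eq $expected) {
            $issue = "no expected VLAN defined for this VM name"
        } elseif ($actual -ne $expected) {
            $issue = "VLAN $actual does not match expected VLAN $expected"
        }
        if ($issue) {
            [pscustomobject]@{ VM = $vm.Name; Adapter = $nic.Name; Vlan = $actual; Issue = $issue }
        }
    }
}

# An empty table means every guest NIC matches the isolation policy.
$findings | Format-Table -AutoSize
```

Run it on each host as part of a scheduled compliance check; the firewall policy that permits inter-VLAN traffic still has to be reviewed separately, since this script only verifies the tagging side.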
DEMO: Network Traffic Isolation
Virtualization Security Benefits
Isolation:
• Limits security exposure.
• Reduces spread of risks.
Roll-Back:
• Quickly recover from security breaches.
Abstraction:
• Limited direct access to hardware.
Portability:
• Back-ups and disaster recovery.
• Can switch to standby VMs.
Deployment:
• Ability to divide workloads.
• Custom Guest OS security settings.
Q: Will I lose control ?!!
Q: Am I putting all my eggs in one basket?!!
Q: Will I lose ownership of my data?!!
Questions to ask before moving to cloud…
• Encryption
• Storage
• Data transfer limits
• Web access
• File size limits
• Auditing policies
• Government involvement
Cloud Audit Policies
• What data does my provider log?
• Which logs do I have control over?
• How long do providers keep logs?
• What data does my provider give to me upon request?
• Which Law Enforcement Agency has jurisdiction over my data?
Q&A: Questions & Answers
Resources
Email: [email protected]
Blog: http://esihere.wordpress.com/
Useful websites:
http://technet.microsoft.com/
http://www.insecuremag.com/
http://technet.microsoft.com/en-us/edge/ff524488
Twitter: http://www.twitter.com/esmaeils