The presentation discussed enterprise security risks and requirements when projecting enterprise workloads onto the cloud. It identified seven main risks, including insecure APIs, logical multi-tenancy issues, data protection and leakage, and coarse access control at the provider. It noted that enterprises have direct control over four of these risks but little control over the others, such as multi-tenancy, provider reliability and provider insider threats. The presentation explored cloud access models that use a broker as a single entry point that normalizes credentials and policies, and it described using a virtual gateway to secure access to private and public clouds by converting protocols, load balancing, and generating provider-specific tokens (such as SAML assertions) on the user's behalf.
Projecting Enterprise Security Requirements on the Cloud
1. Projecting Enterprise Security Requirements on the Cloud
Case Study: Cloud
Presented by:
Billy Cox, Director Cloud Computing Strategy, Intel
Blake Dournaee, Product Manager & Author of SOA Demystified, Intel
2. Topic Agenda
• Enterprise Risk Factors & Criteria
• What Can the Enterprise Control?
• Enterprise Requirements
• Emerging Standards & Models
• What Can Be Done Today
• Summary of Intel Cloud Capabilities
3. Potential Risk - Illustrated
[Figure: enterprise basic-auth credentials are compromised and used for access to Amazon EC2; the attacker holds the "keys to the castle", the enterprise VM images]
5. Potential Risk - Illustrated
[Figure: a virus is replayed back into the enterprise from Amazon EC2, and data sent to the cloud is lost to an unknown source]
6. Enterprise Risks & Security Interests
Risk | Enterprise view | Provider view
Insecure, Porous APIs | Major risk: man in the middle, content threats, code injection, DoS attacks | Don't care. API security converges along with market price.
Logical Multi-Tenancy | Unknown risk: virtual machine attacks, malicious code, commingled data | Don't care. Security of the multi-tenant architecture is a problem for [insert hypervisor vendor name] to solve. Oh, and trust us that your data is separate from your neighbor's.
Data Protection and Leakage | Major risk: reduced confidentiality for private data stored in the clear at the cloud provider | Opposite incentive. Clear-text data allows me to provide increased functions based on search.
Data Loss and Reliability | Major risk: unavailability or loss of critical enterprise data | Care a little. Infrastructure reliability is guaranteed according to my SLA, plus you get a refund if we mess up :)
Audit and Monitoring | Major risk: rogue uses of cloud services in the enterprise | Care a little. I will provide basic monitoring of infrastructure, but the rest is up to you.
Cloud Provider Insider Threats | Unknown risk: mismatched security practices at the CSP create a weak link for attackers | Don't care. We are secure enough. Just trust us.
Account Hacking, Access Control, and Authorization | Major risk: coarse access control at the CSP increases the value of a stolen account | Care a little. AAA mechanisms must be good enough to support my SaaS app. It's your job to map to our way of handling identities.
7. Where does Control Lie?
Four of the seven risks are directly under enterprise control:
• Insecure, Porous APIs
• Data Protection and Leakage
• Audit and Monitoring
• Account Hacking, Access Control, and Authorization
Short of a boycott, the remaining three lie with the provider and are largely out of the enterprise's control...
• Logical Multi-Tenancy
• Data Loss and Reliability
• Cloud Provider Insider Threats
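The "Audit and Monitoring" risk above is rogue use of cloud services from inside the enterprise, and the deck's answer is a broker that is the single point of entry. One concrete check that follows from that design is to read the outbound proxy logs and flag every request to a cloud provider whose client is not the broker. The following is an added example, not code from the slides or from Intel; the log format, the gateway address and the provider host patterns are constructed for the example and would come from the real proxy and the enterprise's own provider inventory in practice.

```python
"""Added example (not from the Intel slides): flag cloud service use that
bypasses the enterprise broker, using outbound proxy logs.

Assumptions: the log format, the gateway address and the provider host
patterns are constructed for this example."""
import re

# Constructed proxy log, one request per line:
# <timestamp> <client_ip> <method> <host> <path> <status>
SAMPLE_PROXY_LOG = """\
2010-05-21T10:00:01Z 10.1.4.22 GET ec2.amazonaws.com /?Action=RunInstances 200
2010-05-21T10:00:05Z 10.1.0.5 POST login.salesforce.com /services/Soap/u/18.0 200
2010-05-21T10:01:11Z 10.1.7.90 PUT s3.amazonaws.com /acme-backups/db.dump 200
2010-05-21T10:02:30Z 10.1.0.5 GET ec2.amazonaws.com /?Action=DescribeInstances 200
2010-05-21T10:03:00Z 10.1.4.22 GET www.example.org /index.html 200
this line is not a valid record
"""

# Constructed: address(es) of the brokering gateway. Cloud traffic from any
# other client never passed through the broker's policy and credential mapping.
GATEWAY_ADDRESSES = {"10.1.0.5"}

# Constructed inventory of provider domains. Anchored at the end of the host so
# a lookalike such as amazonaws.com.attacker.example does not match.
CLOUD_PROVIDER_HOST_PATTERNS = [
    re.compile(r"(^|\.)amazonaws\.com$"),
    re.compile(r"(^|\.)salesforce\.com$"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client_ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return the record's fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_cloud_provider(host):
    """Case-insensitive match of the host against the provider inventory."""
    host = host.lower().rstrip(".")
    return any(p.search(host) for p in CLOUD_PROVIDER_HOST_PATTERNS)


def find_rogue_cloud_access(log_text, gateway_addresses):
    """Every request to a cloud provider whose client is not the broker is a rogue use."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            # Unparseable lines are skipped here; a production detector should
            # count them and alert if the count is unusual.
            continue
        if rec["client_ip"] in gateway_addresses or not is_cloud_provider(rec["host"]):
            continue
        findings.append({"ts": rec["ts"], "client_ip": rec["client_ip"],
                         "host": rec["host"], "path": rec["path"]})
    return findings


def rogue_clients(findings):
    """Group findings by client so each bypassing machine is listed once with its providers."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f["client_ip"], set()).add(f["host"])
    return by_client


if __name__ == "__main__":
    for f in find_rogue_cloud_access(SAMPLE_PROXY_LOG, GATEWAY_ADDRESSES):
        print(f"{f['ts']} {f['client_ip']} -> {f['host']}{f['path']}")
```

On the constructed log this reports the EC2 call from 10.1.4.22 and the S3 upload from 10.1.7.90; the two requests from the gateway itself and the non-cloud request are ignored. The same logic applies unchanged to firewall or DNS logs once the parser is swapped for the format at hand.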
12. Basic Model
[Figure: a User presents credentials & policies to the enterprise's Internal IdM, which holds the user's security profile; the Enterprise then sends a Web Service Request, carrying its credentials & policies, to the Cloud Provider's UDDI or Resource endpoint]
Security profile held by the Internal IdM:
• Authentication token
• Customer access control policies
• Customer data protection policies
13. Cloud Access through a Broker
[Figure: the User's credentials & policies are validated by the enterprise's Internal IdM (security profile); the Enterprise's web service request goes to a Cloud Broker, which maps the enterprise credentials & policies onto Broker credentials & policies in its own Internal IdM and an External IdM, and forwards the request with a Broker Token to the Cloud Service Provider's UDDI or Resource]
14. #1 - Broker as Management Entry Point
[Figure: the Enterprise Consumer's request passes through a Service Gateway, backed by the enterprise IdM as the identity reference, to the Cloud Provider's Cloud Manager, which fronts Cloud Site 1, Cloud Site 2 and Cloud Site 3]
• Entry point for cloud management (not data, only management)
• Single point of entry and validation for all sites and cloud consumers
• Consistent credentials validation
15. #2 - Broker as Outbound PEP
[Figure: internal Users inside the Dynamic Enterprise Perimeter reach a Private Cloud, Cloud Provider 1 and Cloud Provider 2 (UDDI or Resource) through the Enterprise Consumer broker]
• Cloud customer accesses multiple clouds
• Internal users don't want to see that complexity
• Broker directs requests based on policy and converts protocols as necessary
• Secures provider access credentials
17. Private Cloud Virtual Gateway Usage Model
[Figure: Portal & CRM App users inside the Dynamic Enterprise Perimeter reach Private Cloud 1 and a Partner's Private Cloud 2 through an Enterprise Service Virtualization layer backed by IdM, Active Directory, ABAC and an API & Token Broker]
1. User AuthN/Auth: SOAP/REST, Kerberos, Basic Auth, SiteMinder, X.509
2. Virtualize, load balance, firewall, generate SAML token
3. SOAP, REST or JSON request; SAML response
In the VPDC, the Service Gateway protects access to services, maps credentials, enforces ABAC, and brokers protocols & formats.
18. CloudBurst Security Using Virtual Gateway
[Figure: a Portal or Web Service inside the Dynamic Enterprise Perimeter, with Enterprise Storage, a Private IdM or Active Directory, a UDDI or Resource registry and an API gateway with an HSM, brokers requests out to Amazon EC2 (Public Cloud) and Force.com Apps (Public Cloud)]
1. Request with credentials to access a resource
2. Locate resource(s)
3. Local authentication
4. Mapped to an AWS credential in the request for the resource
5. Generate a SAML request, with the request for the resource, to Force
Manage, secure and hide cloud brokering complexity. Convert formats. Provide access control.
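Slides 15, 17 and 18 describe the same mechanism from three angles: the gateway authenticates the user locally, enforces ABAC, and then maps the internal identity onto whatever the target provider expects (a signed AWS request, a SAML assertion for Force.com), so the provider credentials never reach the user. The following is an added example of that outbound PEP, not code from the slides or from Intel's SOA Expressway. The directory, the ABAC rules and the provider credentials are constructed samples, and the "AWS" signature and the "SAML" assertion are simplified HMAC-signed stand-ins rather than real AWS SigV4 or SAML 2.0.

```python
"""Added example (not from the Intel slides): an outbound policy enforcement
point that maps an internal identity onto a provider credential.

Assumptions: the directory, ABAC rules and provider credentials are constructed
samples; the "AWS" signature and the "SAML" assertion are simplified HMAC-signed
stand-ins, not real AWS SigV4 or SAML 2.0."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample: attributes the internal IdM (e.g. Active Directory) returns.
INTERNAL_DIRECTORY = {
    "alice": {"dept": "sales", "role": "analyst"},
    "bob": {"dept": "engineering", "role": "developer"},
}

# Constructed ABAC policy: allow only if a rule matches resource, action and
# every required attribute; anything else is denied.
ABAC_POLICY = [
    {"resource": "crm:accounts", "action": "read", "require": {"dept": "sales"}},
    {"resource": "ec2:images", "action": "launch",
     "require": {"dept": "engineering", "role": "developer"}},
]

# Constructed provider credentials. Only the gateway holds these (on the slide,
# behind an HSM); internal users never receive them.
PROVIDER_CREDENTIALS = {
    "ec2:images": {"kind": "aws", "access_key_id": "AKIAEXAMPLEKEY",
                   "secret": b"constructed-aws-secret"},
    "crm:accounts": {"kind": "saml", "issuer": "gateway.example.internal",
                     "signing_key": b"constructed-saml-signing-key"},
}

TOKEN_TTL_SECONDS = 300


def authorize(user, resource, action):
    """ABAC decision. Unknown users and unmatched requests are denied."""
    attrs = INTERNAL_DIRECTORY.get(user)
    if attrs is None:
        return False
    for rule in ABAC_POLICY:
        if rule["resource"] == resource and rule["action"] == action:
            if all(attrs.get(k) == v for k, v in rule["require"].items()):
                return True
    return False


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign_aws_style(cred, method, path, now):
    """Stand-in for AWS request signing: HMAC over a canonical string keyed by the
    provider secret. Only the key id and the signature leave this function."""
    canonical = f"{method}\n{path}\n{now}".encode()
    sig = hmac.new(cred["secret"], canonical, hashlib.sha256).hexdigest()
    return {"X-Date": str(now),
            "Authorization": f"AWS-HMAC-SHA256 Credential={cred['access_key_id']}, Signature={sig}"}


def _mint_saml_style(cred, user, attrs, now):
    """Stand-in for a SAML assertion: a signed, time-limited claim set about the user."""
    claims = {"iss": cred["issuer"], "sub": user, "attrs": attrs,
              "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(cred["signing_key"], body, hashlib.sha256).digest()
    return {"Authorization": f"Bearer {_b64(body)}.{_b64(sig)}"}


def broker_request(user, resource, action, method="GET", path="/", now=None):
    """PEP entry point: authorize first, then map the internal identity onto the
    provider's credential format. Raises PermissionError on deny; the returned
    headers never contain the provider secret."""
    if not authorize(user, resource, action):
        raise PermissionError(f"{user} may not {action} {resource}")
    now = int(time.time()) if now is None else now
    cred = PROVIDER_CREDENTIALS[resource]
    if cred["kind"] == "aws":
        headers = _sign_aws_style(cred, method, path, now)
    else:
        headers = _mint_saml_style(cred, user, INTERNAL_DIRECTORY[user], now)
    return {"provider": cred["kind"], "resource": resource, "headers": headers}


def verify_saml_style(authorization_header, signing_key, now):
    """Provider-side check of the stand-in assertion: constant-time signature
    check before the claims are trusted, then expiry. Returns claims or None."""
    try:
        body_b64, sig_b64 = authorization_header.split(" ", 1)[1].split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (IndexError, ValueError):
        return None
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    return claims if now < claims["exp"] else None


if __name__ == "__main__":
    result = broker_request("alice", "crm:accounts", "read", now=1000)
    print(result["headers"]["Authorization"][:40], "...")
    key = PROVIDER_CREDENTIALS["crm:accounts"]["signing_key"]
    print(verify_saml_style(result["headers"]["Authorization"], key, now=1100)["sub"])
```

The two points worth carrying over to a real gateway are the order of operations (the ABAC decision is made before any provider credential is touched, and the default is deny) and the fact that the caller only ever sees derived artifacts: a signature or a signed assertion with a short lifetime, never the long-lived provider secret. That is what turns a stolen user credential from "keys to the castle" on slide 3 into access to one resource for a few minutes.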
19. More Information on Intel SOA Expressway & Cloud
"This Intel paper brings new detail to Cloud Security Alliance best practices" - Jim Reavis, Executive Director, Cloud Security Alliance
www.dynamicperimeter.com
20. Questions?
Click on the questions tab on your screen, type in your question, name
and e-mail address; then hit submit.