Securing your Journey to the Cloud

Presentation transcript:

Securing your Journey to the Cloud
Kamal Sharma, Technical Consultant, kamal_s@trendmicro.com
Classification 9/15/2018

Agenda
- The Cloud Landscape
- Security Challenges
- Journey to the Cloud
- Next Generation Security Infrastructure
- How it Works?
- Summary

The Benefits of Virtualization & Cloud Computing
- Reduce IT capital expense by 50%
- Reduce administration overhead
- Reduce IT operational expense
- Increase flexibility
- Reduce carbon footprint
- And more…

Customer Cloud Journey
- Stage 1 - Private Cloud: Secure the cloud workload
- Stage 2 - 2011 Hybrid Cloud: Protect the workload data
- Stage 3 - 2012 Public Cloud: Consolidate security across DC & cloud
(chart: Desktops / Servers virtualization percentages 15%, 30%, 70%, 85%)

Speaker notes: which model applies depends on where the cloud abstraction layer sits relative to the user's data center. Three different deployment models:
- Public Cloud: the cloud service provider hosts the cloud environment and rents resources to the general public. Think Amazon EC2, GoGrid, Rackspace, Savvis.
- Private Cloud: either internal to the customer's data center or hosted by another provider, but resources are dedicated to a single, defined entity. Think VMware vCloud, Rackspace.
- Hybrid Cloud: joining public and private clouds to take advantage of the near-infinite, instant-on resources offered by the public cloud without long procurement and provisioning cycles. Think Eucalyptus, RightScale.

Cloud Layers
Three basic cloud layers: IaaS, PaaS, SaaS.
- IaaS: the cloud layer in which cloud consumers have the ability to provision virtual servers, storage, networks, and other fundamental computing resources.
- PaaS: provides a development platform, sandbox and management system to develop, and in some cases sell, the applications that will be operated in the cloud.
- SaaS: the capability for a consumer to use the provider's applications running on a cloud infrastructure.
Trend Micro Confidential

Types of cloud computing & examples
- Applications: Software-as-a-Service
- Cloud software development: Platform-as-a-Service
- Cloud-based infrastructure: Infrastructure-as-a-Service

Who Has Control?
(chart: Servers | Virtualization & Private Cloud | Public Cloud IaaS | Public Cloud PaaS | Public Cloud SaaS, with control shifting from the End-User (Enterprise) to the Service Provider from left to right)
Trend Micro Confidential

"The number one concern about cloud services is security." Frank Gens, IDC, Senior VP & Chief Analyst

Key Challenges/Issues to the Cloud/On-demand Model: "By far, the number one concern about cloud services is Security. With their businesses' information and critical IT resources outside the firewall, customers worry about their vulnerability to attack."
Source: IDC eXchange, "New IDC IT Cloud Services Survey: Top Benefits and Challenges," (http://blogs.idc.com/ie/?p=730) December 2009

What is there to Worry?
(chart: Stage 1 - Private Cloud, Stage 2 - 2011 Hybrid Cloud, Stage 3 - 2012 Public Cloud; Desktops / Servers 15%, 30%, 70%, 85%)
- Traditional security approach
- VM sprawl / cloning, vMotion
- Inter-VM communication
- Resource contention
- Use of encryption is rare
- Virtual volumes and servers are mobile
- Virtual volumes contain residual data
- Compliance concern
- Rogue servers might access data

Security Challenges Along the Virtualization Journey
(chart: challenges plotted against Virtualization Adoption Rate, from Private to Public Cloud)
1. Host controls under-deployed
2. Inter-VM attacks
3. Instant-on gaps
4. Mixed trust level VMs
5. Resource contention
6. Complexity of management
7. Compliance / lack of audit trail
8. Data access & governance
9. Diminished perimeter
10. Multi-tenancy
11. Data destruction

How do we get there – a journey to the cloud
(diagram) Stages: Virtualization; Cloud Infrastructure; Cloud Application / Cloud Data; End Devices, Net Devices, 3G Network; Hybrid Cloud Management; Security That Fits.
Labels: Dynamic data center with shared systems, shared storage – Deep Security; OfficeScan, Titanium, SafeSync – Ubiquitous, borderless data access, data everywhere – Data-centric protection; Ownership of data vs. computing – Confidentiality & access control – Deep Security; New platform for new apps (examples: web defacing, SQL injection) – SecureCloud.

Next Generation Security Infrastructure

(diagram: today's data center) Internet firewall; DMZ with firewall, web / email, IDS / IPS; mission critical servers behind IDS / IPS; endpoints; virtualization hosts protected by a virtual appliance providing anti-malware, firewall and IDS/IPS.

(diagram: adding public cloud computing) The same DMZ firewall, web / email, IDS / IPS, Internet firewall, mission critical servers and endpoints, plus: virtual appliance for virtualized servers (anti-malware, firewall, IDS/IPS) and agent-based protection for public cloud workloads (anti-malware, firewall, IDS/IPS, integrity monitoring, encryption).

(diagram: Next Generation Security) One security layer spanning the DMZ (firewall, web / email, IDS / IPS), the Internet firewall, mission critical servers (IDS / IPS), endpoints and cloud computing.

How it Works?

What is Deep Security?
Server & application protection for: physical, virtual & private cloud, public cloud.
Modules: Deep Packet Inspection (IDS / IPS, Web App. Protection, Application Control), Firewall, Integrity Monitoring, Log Inspection, Malware Protection.

Trend Micro Deep Security: server & application protection
The latest anti-malware module adds to the existing set of advanced protection modules: Anti-Malware, Firewall, Intrusion Detection/Prevention, Web app protection, Log Inspection, Integrity Monitoring.

Trend Micro Deep Security: server & application protection, 5 protection modules
- Deep Packet Inspection
  - IDS / IPS: detects and blocks known and zero-day attacks that target vulnerabilities
  - Web Application Protection: shields web application vulnerabilities
  - Application Control: provides increased visibility into, or control over, applications accessing the network
- Firewall: reduces attack surface; prevents DoS & detects reconnaissance scans
- Anti-Virus: detects and blocks malware (web threats, viruses & worms, Trojans)
- Log Inspection: optimizes the identification of important security events buried in log entries
- Integrity Monitoring: detects malicious and unauthorized changes to directories, files, registry keys…
Protection is delivered via Agent and/or Virtual Appliance.

SecureCloud
SecureCloud provides a data encryption layer within a machine image to decrypt customer data in real time after the appropriate credentials have been validated. Likewise, SecureCloud encrypts customer data in real time when putting the information back into data storage. SecureCloud provides and maintains your encryption keys. The virtual machine image does not store encryption or decryption keys. SecureCloud also provides other management capabilities such as limited reporting and auditing functions.

Trend Micro: Server Security Leadership
IDC Market Analysis: Worldwide Corporate Server Security Market Share: Trend Micro 22.9%, All Others 77.1%.
Trend Micro fits into the new threat landscape. "These products are generally more robust than desktop endpoint security and are available for a much wider set of operating systems (Windows, Unix, and Linux). This category also includes products that are designed to protect hypervisors and virtual servers."
Source: Worldwide Endpoint Security 2010-2014 Forecast and 2009 Vendor Shares, IDC

Securing Your Journey to the Cloud. THANK YOU!

What's the Solution?
SecureCloud makes it possible for businesses to encrypt and control data in public and private cloud environments via simple policy-based key management. It gives businesses power over how and where data is accessed and greatly reduces the complexity inherent in traditional key management solutions.
For the Public Cloud (Amazon.com or Terremark):
- Safely leverage operational and cost efficiencies of cloud computing
- Control access to data in shared public cloud environments
- Additional safety by authenticating virtual servers
For the Private Cloud (vCloud in the customer's data center):
- Segregation of sensitive data stored in internal shared storage
- Greater ability to achieve compliance with regulations and best practices
Key Benefits:
- Encryption makes data unreadable and unusable to those without the encryption keys, reducing the risks of data theft, unauthorized data exposure or malicious manipulation.
- Constant custody and control of encryption keys allows users to determine when and by whom data is decrypted.

Key Product Benefits (Continued)
- Secure storage recycling: residual data left on storage devices is unreadable after volumes are terminated.
- Auditing and logging functions: help ensure compliance with regulations, policies and best practices; reduce the work required for external or internal investigations; create accountability and help manage system resources.
- Automated policy-based key management: determines which virtual servers access data; imposes security requirements and location constraints on VMs; reduces the likelihood of malware infection, system cloning and server modifications.

Speaker notes:
Secure storage recycling: Customers might have only a temporary need for cloud storage, and volumes that once contained sensitive information will eventually be terminated. This creates a problem because the physical devices that supported these virtual volumes still contain remnants of customer data, and these devices will be provisioned to different cloud users. Sophisticated administrators could access and read this sensitive information if the cloud vendor has not overwritten devices before provisioning them. Data encrypted by SecureCloud with AES is nearly impossible to decipher without the correct encryption key and will appear unintelligible to someone searching for lingering information.
Audit and logging functions: Audit logging of events establishes user accountability and reduces the scope of any necessary forensic investigation. Audit features help companies stay in compliance with internal security policies, industry best practices and external regulations. System reports keep administrators informed of SecureCloud usage and administrative details.
Automated policy-based key management: This is really the factor that sets SecureCloud apart from competitors. Encrypting information is easy, and other key management solutions already exist; SecureCloud approaches key management and data access in a unique way. Virtual servers starting in the cloud must first authenticate to the SecureCloud key server with credentials that have been encrypted in the virtual machine's kernel. Servers without these credentials will not be given encryption keys and will be unable to read data on secure volumes. Further, these credentials contain information about the security parameters associated with the respective server. These security parameters reduce the likelihood of malware infection, control the geographic locations in which the server is allowed to operate, and take away an attacker's ability to modify important system settings.

What is there to worry about?
(sample record on slide: Name: John Doe, SSN: 425-79-0053, Visa #: 4456-8732…)
- Use of encryption is rare: now only authorized servers can read data!
- Virtual volumes and servers are mobile: policies only allow access in authorized areas!
- Rogue servers might access data: yes, but the information is unreadable and safe!
- Rich audit and alerting modules lacking: now we have reports, alerts and audit trails!
- Encryption keys remain with vendor: no vendor lock-in since the customer owns the solution; the customer decides where keys are stored!
- Virtual volumes contain residual data: doesn't matter, disks are unreadable!

SecureCloud Key Benefits
- SecureCloud is unique: not just encryption; unique in the way it manages keys and its environment. Excellent complement to Deep Security.
- Industry standard encryption: makes data unreadable without encryption keys; greatly reduces the risks of data theft, unauthorized data disclosure or data modification.
- Control of encryption keys: know exactly where your keys are at all times; vendor administrators with powerful rights are unable to see information; not subject to lock-in with the cloud vendor's encryption system; governments can no longer seize data without your knowledge.

Speaker notes:
SecureCloud is unique: While other whole-disk encryption or key management solutions exist (e.g. Vormetric or PGP/Symantec), no other product integrates with the virtual environment like SecureCloud. SecureCloud is not just encryption but a unique way to manage keys and control access to data by authenticating virtual machine access in public or private clouds. When combined with Deep Security, Trend Micro can provide customers with an overall cloud security solution: Deep Security creates a secure barrier for virtual environments while SecureCloud protects all the data stored within that barrier.
Industry standard encryption: 128- or 256-bit AES encryption makes data unreadable and unusable to those without the encryption key. Rendering the data useless greatly reduces the risk if the information is stolen or revealed to unauthorized parties. It also reduces the risk that the data will be changed, since one cannot understand its structure or content.
Control of encryption keys: Users determine where encryption keys are stored and who gets access to them. Our SaaS solution adds value to the customer by moving physical storage of keys away from the cloud infrastructure provider. This stops infrastructure administrators from accessing data or keys and gives customers the freedom to move data from one provider to another without fear of vendor lock-in. Our on-premises solution gives customers even more control by keeping keys within their trusted environment and controlling custody at all times. (Downside: this produces yet another key server in the customer environment that must be managed, maintained and secured.) A secondary benefit comes from separating the custody of keys from the cloud infrastructure provider when we consider potentially invasive legislation like the US Patriot Act. Governance like this allows federal agencies (like the Federal Bureau of Investigation) to present vendors with subpoenas and seize data without informing or getting consent from the data owners. Now, even though encrypted volumes can be taken, they remain useless without the encryption keys: the intruding agencies must inform and negotiate with the data owners to get access to useful data.
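The policy-based key release described in this slide and in the "Key Product Benefits" notes, as an added Python sketch that is not Trend Micro code: a key server issues an HMAC credential to each VM at provisioning time, releases a volume key only when the credential verifies and the VM's region and image satisfy the volume's policy, logs every decision, and leaves the encrypted volume unreadable to anyone who obtains it without the key. An HMAC-SHA256 counter keystream stands in for AES so the example runs on the standard library alone; all names, the credential format and the sample record are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class VmCredential:
    vm_id: str
    image_hash: str   # hash of the approved machine image
    region: str       # where the VM claims to be running
    tag: str          # HMAC issued by the key server over the three fields above

class KeyServer:
    def __init__(self, enrol_secret: bytes) -> None:
        self._enrol_secret = enrol_secret
        self._volume_keys: dict[str, bytes] = {}
        self._policies: dict[str, dict] = {}
        self.audit: list[str] = []   # every decision is logged for later review

    def _tag(self, vm_id: str, image_hash: str, region: str) -> str:
        msg = f"{vm_id}|{image_hash}|{region}".encode()
        return hmac.new(self._enrol_secret, msg, hashlib.sha256).hexdigest()

    def issue_credential(self, vm_id: str, image_hash: str, region: str) -> VmCredential:
        # Issued once, at provisioning; the VM presents it when it boots.
        return VmCredential(vm_id, image_hash, region, self._tag(vm_id, image_hash, region))

    def create_volume(self, volume_id: str, regions: set, images: set) -> None:
        # The data key lives only here; the machine image never stores it.
        self._volume_keys[volume_id] = secrets.token_bytes(32)
        self._policies[volume_id] = {"regions": regions, "images": images}

    def request_key(self, cred: VmCredential, volume_id: str):
        policy = self._policies.get(volume_id, {"regions": set(), "images": set()})
        if not hmac.compare_digest(self._tag(cred.vm_id, cred.image_hash, cred.region), cred.tag):
            reason = "credential forged or tampered"
        elif cred.region not in policy["regions"]:
            reason = "region not allowed"
        elif cred.image_hash not in policy["images"]:
            reason = "image not approved"
        else:
            self.audit.append(f"ALLOW {cred.vm_id} -> {volume_id}")
            return self._volume_keys[volume_id]
        self.audit.append(f"DENY {cred.vm_id} -> {volume_id}: {reason}")
        return None

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with an HMAC-SHA256 keystream: a stdlib stand-in for AES-CTR."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def demo() -> dict:
    ks = KeyServer(secrets.token_bytes(32))
    ks.create_volume("vol-1", regions={"eu-west"}, images={"img-approved"})
    good = ks.issue_credential("vm-a", "img-approved", "eu-west")
    moved = ks.issue_credential("vm-b", "img-approved", "us-east")   # valid credential, wrong region
    forged = VmCredential("vm-c", "img-approved", "eu-west", tag="00" * 32)
    nonce, record = secrets.token_bytes(8), b"Name: John Doe SSN: 425-79-0053"  # constructed sample
    ciphertext = keystream_xor(ks.request_key(good, "vol-1"), nonce, record)
    return {
        "authorized_reads": keystream_xor(ks.request_key(good, "vol-1"), nonce, ciphertext) == record,
        "moved_vm_denied": ks.request_key(moved, "vol-1") is None,
        "forged_denied": ks.request_key(forged, "vol-1") is None,
        "residual_unreadable": b"SSN" not in ciphertext,
        "denials_logged": sum(line.startswith("DENY") for line in ks.audit),
    }
```

The audit list is what an investigator would pull: each denied request records which VM asked for which volume and why it was refused.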

What is there to worry about?
(sample record on slide: Name: John Doe, SSN: 425-79-0053, Visa #: 4456-8732…)
- Use of encryption is rare: who can see your information?
- Virtual volumes and servers are mobile: your data is mobile; has it moved?
- Rogue servers might access data: who is attaching to your volumes?
- Rich audit and alerting modules lacking: what happened when you weren't looking?
- Encryption keys remain with vendor: are you locked into a single security solution? Who has access to your keys?
- Virtual volumes contain residual data: are your storage devices recycled securely?
