Trust: A Cloudy Concept Infrastructure Security in The Cloud Kartik Shahani Country Manager - India & SAARC RSA, The Security Division of EMC.

Presentation transcript:

Trust: A Cloudy Concept Infrastructure Security in The Cloud Kartik Shahani Country Manager - India & SAARC RSA, The Security Division of EMC

2 Agenda
- Stages in the Journey to the Cloud
- Security Concerns
  - Trust and Risks
  - Challenges
- RSA’s Position to Secure Cloud Infrastructure
- Case Scenario
- Summary

3 Cloud Computing
[Diagram labels: Private Cloud; Cloud Computing; Virtualized Data Center; Virtualization, Information, Federation; Internal cloud, External cloud]
Delivering on-demand access to shared pools of data, applications, and hardware: Efficient ∙ Flexible ∙ Convenient ∙ Cost-effective

4 Stages in the Journey to the Cloud
1. Modern Enterprise: Virtualization Tools, VM Hardening
2. Virtual Enterprise: Compliance, Insider Risk, Embedded Security
3. Internal Cloud: Privileged User Control, GRC Processes + Workflow
4. Private/Hybrid Cloud: Multi-tenancy + Isolation, Compliance Visibility, Federation of Identity + Policy

5 51% Security is the greatest concern surrounding cloud computing adoption. Gain visibility Maintain control Prove compliance

6 Trusted Zones for the Cloud
[Diagram labels: Tenant #1, Tenant #2, Cloud Provider, Attackers, Virtual Infrastructure (APP/OS), Physical Infrastructure, Identity, Information]

7 Trusted Zones Key Capabilities
[Diagram labels: Tenant #1, Tenant #2, Cloud Provider, Virtual Infrastructure (APP/OS), Physical Infrastructure]
- Isolate information from cloud providers’ employees
- Isolate information among tenants
- Isolate infrastructure from malware, Trojans and cybercriminals
- Segregate and control user access
- Control and isolate VM
- Federate identities with public clouds
- Enable end to end view of security events and compliance across infrastructures
Capability labels: Identity federation; Virtual infrastructure security; Access Mgmt; Cybercrime intelligence; Strong authentication; Data loss prevention; Encryption & key mgmt; Tokenization; Security Info. & Event Mgmt; Governance, Risk, and Compliance; Anti-malware

8 Security Concerns
Today, cloud environments mainly host non-sensitive data due to security concerns. If cloud computing is going to meet enterprise needs for confidentiality of customer data and compliance with legal directives, it will have to provide increased levels of security to support more sensitive enterprise applications.

9 The Risk of Cloud Computing
When organizations move their data into the public cloud, new stakeholders are introduced in the form of third-party service providers, vendors, and contractors. This loosens the controls IT has on data security.

10 Challenges of Cloud Computing
- Control: Organizations will face reduced control of their data as more responsibility will shift to third parties.
- Regulation: Regulations govern the way data must be protected in many industries, meaning the cloud must have proper controls.
- Interoperability: Today’s clouds must be able to communicate with each other and offer data portability.
- Convenience: Those using the cloud want both convenient access and secure data protection, creating a difficult balancing act.
- Reporting: To meet many of today’s regulations, the ability to report where data is and how it is protected will be essential.
- Data Transfer: Businesses must find a way to transfer data into the cloud in a way that is both safe and cost effective.

RSA Protection in Action
- 25+ year legacy in information security and risk management
- 200 Million+ online identities protected with RSA identification and protection technology
- 1 Billion+ applications shipped with RSA BSAFE® encryption: most widely deployed software in the world*
- 34,000+ organizations protected by RSA technology
- 120,000+ online phishing attacks shut down by the RSA Anti-Fraud Command Center
* Embedded in Microsoft, HP, Sun and IBM operating systems, Internet Explorer and Netscape browsers, Ericsson, Nokia, Motorola phones, major US government agencies and the list goes on

12 Virtualization Enables More Effective Security by Pushing Enforcement Down the Stack
Pushing information security enforcement in the virtualization and cloud infrastructure ensures consistency, simplifies security management and enables customers to surpass the levels of security possible in today’s physical infrastructures.
Today most security is enforced by the OS and application stack, making it ineffective, inconsistent and complex.
[Diagram labels: vApp and VM layer (APP/OS); Virtual and cloud infrastructure; Physical infrastructure]

13 VMware vShield Zones and RSA DLP: Building a Content-Aware Trusted Zone
Overview
- VMware vShield Zones provides isolation between groups of VMs in the virtual infrastructure
- Leverages the capabilities of vShield Zones to deploy DLP as a virtual application monitoring data traversing virtual networks
- Uses centrally managed policies and enforcement controls to prevent data loss in the virtual datacenter
Customer Benefits
- Pervasive protection
- Persistent protection
- Improved scalability
[Diagram labels: Virtual Infrastructure (APP/OS), DLP, VMware vShield Zones, VMware vSphere, Physical Infrastructure]

14 Cloud Infrastructure: The Next Frontier of Cloud Security and Compliance

15 Problem Statement of Tenant
When using the cloud, a tenant is not in physical control of their infrastructure. How do they:
- Gain visibility into the Cloud’s IaaS?
- Assess the actual security posture of the IaaS?
- Trust those measurements of security?
- Prove to auditors that the infrastructure they are running on is compliant?

16 Cloud Compliance Use Case
A tenant wants to run a business-critical application in the cloud. Their requirements:
- Follow best security practices: VMware hardening guidelines
- Pass a PCI audit (they hold credit card data)
- Be assured that they are booting from a secure root of trust (protection from inserted rootkit and blue pill attacks)

17 RSA, VMware, and Intel’s Vision for Trusted Cloud Computing Infrastructure
Advanced development proof of concept
- Framework for measured, trusted cloud computing environment
- “Bottoms up” automated security assessment
Leverages technologies from EMC (RSA and Archer), VMware and Intel
- Allows Cloud Service Provider to report on configuration of virtual infrastructure used by customer VMs
- Ties to a verifiable measurement of trust in the hardware and hypervisor

18 Cloud Compliance Architecture

19 Archer GRC Platform and Dashboard

20 Benefits
Tenants
- Fast, accurate and efficient auditing and compliance process
- Granular view of cloud providers’ performance against SLAs
- Customized, flexible provisioning of trusted computing services
- Finer grained policy control
Service Providers
- Differentiated service offerings
- Fast, accurate and efficient customer compliance audits
- Automated, scalable process for on-board audits

RSA Capabilities
Understand risks
- RSA Virtual Security Assessment Service
Secure virtual environments
- SecurID: integration with vSphere administrator access; integration with VMware View user desktop access; Authentication Manager 6.1 and 7.1 supported when run as virtual applications on VMware
- RSA Key Manager: encryption client will integrate with applications virtualized by VMware
- enVision Event Manager: supports vSphere as an event source
- EMC Proven Solution for Secure Exchange: RSA SecurID, DLP and enVision used to secure a virtualized Exchange infrastructure
Leverage virtual infrastructure & increase security
- Data Loss Prevention: integration with DLP and VMware vShield Zones
Enable secure cloud computing
- RSA Access Manager & RSA Key Manager to secure access and data in the cloud
- Adaptive Authentication available as a cloud security service

22 Next Steps in Shared Vision
Solutions offerings
- Work with service providers to embed in cloud platforms
- IaaS, PaaS, SaaS
Cloud platforms
- Embedding security in the virtualized infrastructure
GRC automated IT control assessments
- VCE / vBlock: Network, storage
- Federation, cyber-intelligence, access management, encryption
- Patch, vulnerability, configuration management

23 “For Terremark, demonstrating compliance on shared, virtualized platforms has been a manual, complex, and labor-intensive set of activities. As a VMware vCloud™ partner, when we can easily prove compliance, security and control on multi-tenant, virtualized infrastructure, it will be incredibly compelling to our customers and our own business.”
Chris Day, Chief Security Architect, Terremark Worldwide

24 Thank you!

25 Guidance for Ensuring Security In the Cloud
- Harden all hypervisors
- Set clear policies for co-residency and be equipped to enforce them
- Evaluate whether cloud vendors can deliver on their promise
- Assess cloud providers’ methods of attesting to infrastructure security
- Look for automated dashboard services for monitoring and compliance

26 Cloud Security Essentials: Identity
Security Requirements
- Support of identity management tools for both users and infrastructure components
- Strong authentication that goes beyond a simple username and password
- Granular authorization such as role-based controls and IRM
Customer Questions
Technical Questions: Who Are My Neighbors?
- Are there controls in terms of who else is using this cloud infrastructure?
- Will my data be segregated so that others cannot access it?
- Is there strong identity management both for customers and for employees?
Process/Policy Questions
- Is there good discipline over separation of data, processes and infrastructure?

27 Cloud Essentials: Information
Security Requirements
- Policy-based content protection
- Granular data security and enforcement
- Effective data classification
- Information rights management
- Data isolation
- Resource lifecycle management
Customer Questions
Technical Questions: Information Sensitivity
- What information will be going to the cloud?
- Are there privacy or confidentiality issues?
- Are there different levels of protection available for sensitive data?
Technical Questions: Information Mobility
- Where physically will the information be? Are there legal/sovereignty issues?
- Can I be sure I get it all back, and all copies are permanently deleted, if I stop using the cloud vendor or infrastructure?
Process/Policy Questions
- Will the cloud vendor outsource any of its functions? Can I control that?

28 Cloud Essentials: Infrastructure
Security Requirements
- Appropriate controls, log collection, and reporting to assure compliance with regulations
- Inherent component-level security
- Granular interface security at data “hand off” points
Customer Questions
Technical Questions: Transparency, Accountability, Trust
- Can I meet audit and compliance requirements for the information or business process?
- Can I gain visibility into whether security controls, and other best practices, are being deployed?
Process/Policy Questions
- Can I get insight into hiring and training practices regarding privacy and security?
- Can I trust the cloud service provider?

RSA Positioning
RSA’s Position
With the right approach, organizations can extend virtual technologies into environments with sensitive data and ultimately increase security.
RSA’s Approach
An information-centric, risk-based approach to security designed to help organizations:
- Understand risks
- Secure virtual environments & virtualize security controls
- Leverage virtual infrastructure
- Enable secure cloud computing
The Customer Benefit
Accelerate the proliferation of virtualization and increase security.