Best Practices for Cloud Security
0 likes794 views
Virtualization and cloud computing provide business benefits like scalability, efficiency and elasticity but also introduce security challenges. Key security risks in virtualized environments include issues with the hypervisor, shared infrastructure vulnerabilities, and operational problems with access controls and application hardening. To balance security and business needs, a "protect to enable" strategy uses granular trust zones like high, medium and low trust environments that apply controls proportionate to asset risk and value. Lessons learned are that a holistic risk view is needed, virtualization security is still maturing, and applications introduced must be hardened.
More Related Content
Similar to Best Practices for Cloud Security (20)
Best Practices for Cloud Security
- 1. Virtualization Security to Enable the Private Cloud
- 2. Virtualization and Cloud: Business Drivers • Scalable • Multi-Tenancy • Efficiency • Elastic • Self-Service Landscape of cloud security may change based on the cloud implementation 2 Copyright © 2012, Intel Corporation. All rights reserved.
- 3. Virtualization Challenge Server Virtualization Increases efficiency Concentrates our assets OPTIMIZATION CHALLENGE Efficiency Controls Asset Density 3 Copyright © 2012, Intel Corporation. All rights reserved.
- 4. Virtualization Security Challenges: Key Risks Technology: Hypervisor integrity, multi-tenancy Infrastructure: Shared resources, management interfaces, automation and support code Operational: Separation of duties, administrative access, path to production, image protection and life-cycle Application: Code quality, development practices, application characterization, pre-existing vulnerabilities 4 Copyright © 2012, Intel Corporation. All rights reserved.
- 5. Security Challenges: Controls Security is a balancing act between business needs and risk • Key controls • Careful trust segmentation • Application risk reviews • Identity and access controls • Proper classified data handling • Security event and incident logging Intel IT’s “Protect to Enable” Security Strategy 5 Copyright © 2012, Intel Corporation. All rights reserved.
- 6. Security Challenges: Implementation Based on risks and controls how do we virtualize? Trust: Resistance to Compromise • How much do we Trust an application or server? • How much do we Trust the virtual environment? Consequence: Impact of Compromise • How much Risk can a server or application accept? • How much Risk does a virtual environment assume? 6 Copyright © 2012, Intel Corporation. All rights reserved.
- 7. Security Challenges: Implementation Granular Trust Environments High Trust Zone (HTZ): Secured virtual environment, highest controls, managed risk Medium Trust Zone (e.g. DMZ): Secured virtual environment, high controls, managed risk Low Trust Zone (LTZ): General virtual environment, low controls, varying risk Granular Trust Environments allow for balance of risk versus controls 7 Copyright © 2012, Intel Corporation. All rights reserved.
- 8. High Trust Zone: Need and Concept • Controls relative to Risk Posture – Limited logical access, extra physical separation, more extensive monitoring, better vetting of applications • Solution – Create a trust zone for virtual servers and apps that require greater protection • Delivers – Granular Trust Enablement – Levels of controls are proportionate to value of assets – Strengthen application implementation security 8 Copyright © 2012, Intel Corporation. All rights reserved.
- 9. Lessons Learned • Holistic view of risk and vulnerability is required • Virtualization technology is still maturing • Virtualization administrators must be treated as a “super admin” • Applications and systems landing in the environment must be hardened There are still functions that cannot be virtualized 9 Copyright © 2012, Intel Corporation. All rights reserved.
- 10. To Learn More… Virtualizing High Security Servers radio show Looking into the Cloud radio show Virtualizing High-Security Servers paper 10 Copyright © 2012, Intel Corporation. All rights reserved.
- 11. More Resources Enterprise Private Cloud Architecture Rethinking Information Security Information Security Protect to Enable Strategy video Learn more about Intel IT’s Initiatives at Intel.com/IT 11 Copyright © 2012, Intel Corporation. All rights reserved.
- 12. Legal Notices This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Intel, and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. * Other names and brands may be claimed as the property of others. Copyright © 2012, Intel Corporation. All rights reserved. 12 Copyright © 2012, Intel Corporation. All rights reserved.
Editor's Notes
- #4: Virtualization and Cloud Aside from the technology, the main challenge with Virtualization is the flipside of benefits. With greater Efficiency comes greater asset density. And with greater asset density comes a larger attack surface. So the goal for us is figuring out the right level of controls that we need to expand and adopt.
- #7: The key guidance for implementing controls steams from how we decide to handle Trust and Consequence.Before we build out our environments we consider the amount of trust that we want to build into them.And as we move servers and applications into these environment we consider how much risk they can assume.
- #8: We came up with 3 kinds of virtualization environments. Low Trust Zones, High Trust Zones and something in between.In the case of the DMZ we started with a virtualization environment that at its core had a lot of risk from exposure to the internet. So we created multiple zones of consequence within that environment.In the case of the HTZ (High Trust Zone) we sough to create an environment that can be considered trustworthy. I’ll go into a little more detail on each of these next.
- #9: The High Trust Zone came about from the need for virtualizing Internal Enterprise applications and servers that hosted Mission Critical data or business functions or systems and servers that hosted highly classified data. In our road down virtualization we hit a security limiter and needed to create a solution.