Cloud Security - Check Point Institute for Information Security

Category: Internet and Web Applications

Uploaded 4 Dec 2013

© 2012 Check Point Software Technologies Ltd.

Cloud Security

Tamir Zegman, Architect


Security as a Service

- Not the topic of this presentation
- Many types of security services:
  - Mail Security (Postini)
  - Web Security (ZScaler)
  - DDoS (Prolexic)
  - Anti-Virus (VirusTotal)
- Many security offerings rely on Cloud Services (e.g. signature updates, reputation services etc.)



Cloud can mean many things:

- IaaS (AWS EC2, Google Compute Engine)
- PaaS (Facebook Apps, AWS Elastic Beanstalk)
- SaaS (SalesForce, Facebook)
- Private / Public / Community clouds
- Enterprise / Consumer


Public cloud - new security concerns

- Physical security
- Data lifecycle
- Foreign governments
- Multi-tenancy:
  - Hypervisor attacks (one tenant breaking out of its VM into the host or a neighbour)
- Network attacks:
  - Sniffing
  - Spoofing
  - DDoS


Security Built-in?

- The big cloud providers are taking security into consideration:
  - http://www.windowsazure.com/en-us/support/trust-center/security/
  - http://aws.amazon.com/security/
  - https://trust.salesforce.com/trust/security/
- Economies of scale seem to play in favor of both parties:
  - The cloud provider is likely to have better security know-how
  - Improved resiliency under attacks (DDoS & DR)


Separation of Responsibilities

- Customers can only manage security at the tiers they are responsible for
- Customers must manage security at the tiers they are responsible for
- Example, in a PaaS environment:
  - The cloud provider is responsible for patching the OS layer
  - The customer needs to make sure there are no vulnerabilities in their application code


S3

- A "Simple Storage Service"
- Upload and download of data objects
- Data in motion:
  - SSL/TLS
- Data at rest:
  - Client side encryption + key management (the customer holds the keys)
  - Server side encryption (the provider holds the keys)
- A simple service with few security implications

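Client-side encryption with customer-held keys, as the slide lists it under data at rest, in practice means envelope encryption: every object gets its own data key, and only the wrapped data key travels with the object. The following Go program is an added example, not Check Point's or AWS's code. The object key, the metadata header name and the KEK value are assumptions made for the demo; a real deployment would fetch the KEK from a KMS or HSM and hand the resulting body and metadata to the S3 SDK for upload, which the example leaves out.

```go
// envelope.go: client-side envelope encryption for objects in S3-style storage.
// Added example, not Check Point or AWS code; the key-encryption key (KEK) is
// assumed to sit in a customer-controlled KMS/HSM and is a constructed constant here.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// EncryptedObject is what leaves the client: ciphertext as the object body and the
// wrapped data key as user metadata (S3 stores it as an x-amz-meta-* header).
type EncryptedObject struct {
	Key      string            // object key, e.g. "reports/q3.pdf"
	Body     []byte            // nonce || AES-256-GCM ciphertext || tag
	Metadata map[string]string // "x-amz-meta-wrapped-dek": base64(nonce || wrapped DEK)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts pt under key with a fresh random nonce and returns nonce||ct.
func sealWith(key, pt, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, aad), nil
}

// openWith reverses sealWith; any change to blob or aad fails authentication.
func openWith(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt draws a fresh 256-bit data-encryption key (DEK) per object, seals the
// plaintext under it, then wraps the DEK under the KEK. The object key is bound in
// as associated data on both layers, so ciphertext or metadata copied to another
// object key no longer opens (an object-swap check the storage service cannot do).
func Encrypt(kek []byte, objectKey string, plaintext []byte) (*EncryptedObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(objectKey)
	body, err := sealWith(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealWith(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	meta := map[string]string{"x-amz-meta-wrapped-dek": base64.StdEncoding.EncodeToString(wrapped)}
	return &EncryptedObject{Key: objectKey, Body: body, Metadata: meta}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the body. Error text stays
// generic: a caller learns only that the key or the integrity check failed.
func Decrypt(kek []byte, obj *EncryptedObject) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(obj.Metadata["x-amz-meta-wrapped-dek"])
	if err != nil || len(wrapped) == 0 {
		return nil, errors.New("missing or malformed wrapped-DEK metadata")
	}
	aad := []byte(obj.Key)
	dek, err := openWith(kek, wrapped, aad)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong KEK, or metadata/object key tampered")
	}
	pt, err := openWith(dek, obj.Body, aad)
	if err != nil {
		return nil, errors.New("decrypt failed: body or object key tampered")
	}
	return pt, nil
}
```

Because the data key is wrapped per object, rotating the KEK means re-wrapping a few dozen bytes of metadata per object rather than re-encrypting every body, and the provider never sees either key. Binding the object key as associated data is the detail most client-side schemes forget: without it, an attacker with write access to the bucket can move a ciphertext to a path a different consumer trusts.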


SalesForce

- The de-facto standard in CRM (customer relationship management)
- Enjoys a large install base among big corporates
- Stores very sensitive corporate data (list of customers, potential deals etc.)
- Security concerns:
  - Authorization and access control
  - Data Loss Prevention


Authentication to cloud Apps

- Requirements (enterprise):
  - Strong authentication
  - Single sign on
  - Automatic user de-provisioning
  - Support office, remote and mobile users
  - Support multiple SaaS providers
- Solutions:
  - SAML - for corporate
  - OpenID - mostly for consumer
  - OAuth - "machine to machine"

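The "machine to machine" case from the list above, as an added Go example that is not Check Point's code or any vendor's SDK: the OAuth 2.0 client-credentials grant, with the authorization server, the SaaS API and a backend job all exchanging messages over loopback HTTP in one process. The client id, the client secret, the /token and /api/contacts paths and the contacts payload are constructed for the demo.

```go
// m2m_oauth.go: an OAuth 2.0 client-credentials ("machine to machine") exchange
// with authorization server, SaaS API and backend job in one process. Added
// example, not Check Point or any vendor's code; client id, secret and the
// /token and /api/contacts paths are constructed for the demo.
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// AuthServer knows the registered clients and the bearer tokens it has issued.
type AuthServer struct {
	clients map[string]string // client_id -> client_secret (store hashed in production)
	tokens  sync.Map          // access_token -> time.Time expiry
}

// Token serves POST /token for grant_type=client_credentials (RFC 6749 section 4.4);
// the client authenticates with HTTP Basic and no end user takes part.
func (a *AuthServer) Token(w http.ResponseWriter, r *http.Request) {
	id, secret, ok := r.BasicAuth()
	want, known := a.clients[id]
	if r.Method != http.MethodPost || !ok || !known ||
		subtle.ConstantTimeCompare([]byte(secret), []byte(want)) != 1 {
		http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
		return
	}
	if r.FormValue("grant_type") != "client_credentials" {
		http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
		return
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // no CSPRNG, no tokens
	}
	tok := fmt.Sprintf("%x", raw)
	a.tokens.Store(tok, time.Now().Add(10*time.Minute)) // short-lived; this grant issues no refresh token
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{"access_token": tok, "token_type": "Bearer", "expires_in": 600})
}

// Contacts is the SaaS API: it answers only bearers of an unexpired token issued above.
func (a *AuthServer) Contacts(w http.ResponseWriter, r *http.Request) {
	auth := r.Header.Get("Authorization")
	exp, ok := a.tokens.Load(strings.TrimPrefix(auth, "Bearer "))
	if !strings.HasPrefix(auth, "Bearer ") || !ok || time.Now().After(exp.(time.Time)) {
		w.Header().Set("WWW-Authenticate", `Bearer realm="api"`)
		http.Error(w, `{"error":"invalid_token"}`, http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, `{"contacts":["ACME Corp","Initech"]}`)
}

// FetchContacts is the backend job: obtain a token with its client credentials,
// then call the API as bearer of that token. Returns the API status and body.
func FetchContacts(tokenURL, apiURL, clientID, clientSecret string) (int, string, error) {
	req, _ := http.NewRequest(http.MethodPost, tokenURL,
		strings.NewReader(url.Values{"grant_type": {"client_credentials"}}.Encode()))
	req.SetBasicAuth(clientID, clientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return resp.StatusCode, "", fmt.Errorf("token endpoint refused client %q", clientID)
	}
	var tr struct{ AccessToken string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return 0, "", err
	}
	apiReq, _ := http.NewRequest(http.MethodGet, apiURL, nil)
	apiReq.Header.Set("Authorization", "Bearer "+tr.AccessToken)
	apiResp, err := http.DefaultClient.Do(apiReq)
	if err != nil {
		return 0, "", err
	}
	defer apiResp.Body.Close()
	body, _ := io.ReadAll(apiResp.Body)
	return apiResp.StatusCode, strings.TrimSpace(string(body)), nil
}

// Run stands up both server roles over loopback and runs the job with the given secret.
func Run(clientSecret string) (int, string, error) {
	as := &AuthServer{clients: map[string]string{"backend-job": "s3cr3t-constructed"}}
	mux := http.NewServeMux()
	mux.HandleFunc("/token", as.Token)
	mux.HandleFunc("/api/contacts", as.Contacts)
	srv := httptest.NewServer(mux)
	defer srv.Close()
	return FetchContacts(srv.URL+"/token", srv.URL+"/api/contacts", "backend-job", clientSecret)
}

func main() { fmt.Println(Run("s3cr3t-constructed")); fmt.Println(Run("wrong-secret")) }
```

The exchange has no browser redirect and no user consent screen, which is what distinguishes it from the SAML and OpenID cases: the client secret is the credential, so it needs the same handling as a service-account password (secret store, rotation, and de-provisioning by deleting the client registration, which instantly invalidates the job's ability to get new tokens while already issued ones live out their short expiry).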

SAML (diagram; source: Google)


Data at rest

- SalesForce (and others)
- Solution:
  - A proxy + tokenization/encryption service (e.g. CipherCloud)
- Difficulty around 'search' functionality:
  - Compromise security (e.g. deterministic tokens keep equality search working but reveal which records share a value)
  - Homomorphic encryption? Fragile and limited


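What the search difficulty looks like in practice, as an added Go example that is not CipherCloud's or Salesforce's code: the tokenization side of such a proxy. The vault, the HMAC key and the CRM rows are constructed for the demo. It contrasts deterministic tokens, which keep the provider's own equality search working at the cost of revealing which records share a value, with random tokens, which reveal nothing but can only be searched by the proxy.

```go
// tokenproxy.go: the tokenization half of a "proxy + tokenization" layer between
// users and a SaaS CRM, showing why search forces a security trade-off. Added
// example, not CipherCloud or Salesforce code; key and rows are constructed.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is what the SaaS provider stores: tokens only, never clear values.
type Record struct{ ID, Account, Notes string }

// Vault stays on-premises behind the proxy and maps tokens back to plaintext (demo: not goroutine-safe).
type Vault struct {
	key   []byte            // HMAC key for deterministic tokens; never leaves the vault
	detok map[string]string // token -> plaintext
}

func NewVault(key []byte) *Vault { return &Vault{key: key, detok: map[string]string{}} }

// Searchable returns a deterministic token (HMAC-SHA256 of the value): equal values
// get equal tokens, so the provider can still run equality queries over tokens. The
// price: whoever holds the stored data sees which records share a value and how often.
func (v *Vault) Searchable(value string) string {
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(value))
	tok := "S_" + hex.EncodeToString(mac.Sum(nil))[:32]
	v.detok[tok] = value
	return tok
}

// Random returns a fresh random token per call: not even equality leaks to the
// provider, but then only the proxy, never the provider, can search the field.
func (v *Vault) Random(value string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "R_" + hex.EncodeToString(b)
	v.detok[tok] = value
	return tok, nil
}

func (v *Vault) Detokenize(tok string) (string, bool) { s, ok := v.detok[tok]; return s, ok }

// sampleRows are constructed CRM rows as a user would enter them via the proxy.
var sampleRows = [][3]string{
	{"001", "ACME Corp", "renewal due Q3"},
	{"002", "Initech", "pilot, 20 seats"},
	{"003", "ACME Corp", "renewal due Q3"},
}

// BuildRecords tokenizes each row: Account searchably (the CRM filters on it),
// Notes randomly (free text that is never searched provider-side).
func BuildRecords(v *Vault) ([]Record, error) {
	var out []Record
	for _, row := range sampleRows {
		notes, err := v.Random(row[2])
		if err != nil {
			return nil, err
		}
		out = append(out, Record{ID: row[0], Account: v.Searchable(row[1]), Notes: notes})
	}
	return out, nil
}

// CloudSearch is the only query the provider can run: it compares tokens.
func CloudSearch(records []Record, accountToken string) []Record {
	var hits []Record
	for _, r := range records {
		if r.Account == accountToken {
			hits = append(hits, r)
		}
	}
	return hits
}

// ProxySearch is the user's view: the proxy tokenizes the query term (idempotent
// for a known value), lets the provider search, then detokenizes the hits.
func ProxySearch(v *Vault, records []Record, account string) (ids, notes []string) {
	for _, r := range CloudSearch(records, v.Searchable(account)) {
		n, _ := v.Detokenize(r.Notes)
		ids, notes = append(ids, r.ID), append(notes, n)
	}
	return ids, notes
}

func main() {
	v := NewVault([]byte("constructed-demo-key"))
	recs, err := BuildRecords(v)
	if err != nil {
		panic(err)
	}
	ids, notes := ProxySearch(v, recs, "ACME Corp")
	fmt.Println("provider stores:", recs, "\nmatches:", ids, notes)
}
```

The choice is per field: a column the SaaS application must filter, sort or report on has to get the deterministic treatment (or stay in clear), and that is where the equality and frequency leakage the slide calls "compromise security" lives; free-text fields can take random tokens, but any provider-side feature that touches them, from search to duplicate detection, stops working and has to be re-implemented in the proxy.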


Network architecture

- Blurred perimeter:
  - Limited network topologies
  - Multiple cloud providers - similar but different
  - Limited or no control over tiers managed by the cloud provider
- SDN
- Overlay of security management:
  - Cross vendor / region
  - Dynamically close/open ACLs
  - Dynamically close/open host FWs


Questions?

Thank you