Infrastructure as a Service


2 Infrastructure as a Service
Flexibility. Economy of resources. Free choice of computing power. New risks to providers and enterprises.

3 Economy
1. IT infrastructure on demand is more cost-effective.
2. No redundant IT infrastructure, staff, or investments; no restraining factor on innovation.
3. Flexible response to changing needs for computing power: flexibility, scalability, configurability, mobility.

4 Flexibility
1. Outsourcing the hardware infrastructure while retaining IT management.
2. Outsourcing all aspects of IT management.
3. Mixed model: outsourcing some segments of IT management where applicable. Most often adopted at the request of the enterprise's business units.

5 IDC market research
International Data Corporation surveyed the top managers of 244 leading IT companies worldwide, as early as 2008.

6 Primary concerns
Will I have the same level of control over the IT infrastructure and the data? Does the IT infrastructure comply with the law, and how can I demonstrate that to the auditors? How will I prove to my company that the IT system is secure? How do I know that the Service-Level Agreements will be observed?

7 Data-Processing Centre
Risk 1: Placing sensitive data outside the secure perimeter may expose it to security risks. Risk 2: Placing sensitive data outside the secure perimeter may be incompatible with the law (data-protection and data-residency requirements).

8 Secure perimeter
Firewall. DMZ. Network segmentation. Intrusion detection and prevention systems. Network monitors.

9 Virtualization
More computing power from the spare capacity of physical servers. Smaller DPCs, server consolidation, reduced operating costs. Individual services; diversified configuration of applications.

10 Virtualization kills the secure perimeter
It is no longer possible to build and apply a secure perimeter in the traditional way: many servers run on one hardware platform, so a network boundary around the physical host no longer separates one server from another. Data security has to be built around the data themselves and around each individual (virtual) server. The resulting general level of security is low, and the perimeter loses its meaning. Only a new line of defence at the VM and data level allows IT operations to be transferred to the cloud.

11 Difficulties of cloud security
The means of cloud security are in principle the same as the traditional means of system security. Providers of cloud services install virtual machines of different customers on the same physical servers; this increases the efficiency of virtualization but compromises security. Traditional means of system security cannot protect against attacks on virtual machines from within the same physical server, i.e. from a neighbouring VM.

12 Access to the servers
System administrators have access via the Internet, unlike traditional systems where access is controlled at the physical level. This poses additional challenges to system security. Strict control of administrators' access is critical, and so is control and transparency of changes at the system level.

13 VM state and volatility
Virtual machines are dynamic. They can easily be: – rolled back to a previous state; – shut down and/or restarted; – cloned and moved between servers. As a result vulnerabilities and/or misconfigurations can spread uncontrollably: a rollback silently reintroduces an already patched vulnerability, and a clone of a misconfigured image replicates the misconfiguration.

14 Vulnerabilities & attacks from within
VMs face the same risk of being hacked or infected as physical servers; in fact the risk is even higher: a number of VMs running at the same time on one physical server increases the attack surface. New challenge: hacking or infecting from within. On the same physical server one virtual machine may attack another virtual machine. Intrusion detection and prevention systems must now be capable of working at the VM level, regardless of where that VM is located in the cloud.

15 Idle virtual machines
A VM may be compromised even while turned off: it is enough for the perpetrator to have access to the image storage. A VM is defenceless while turned off, since no security software is running inside it. It is the responsibility of the cloud service provider to scan idle virtual machine images regularly. Companies should verify that their provider enables regular scanning in its cloud environment.

16 Efficiency
Security solutions were designed for the x86 platform without virtualization in mind. Massive simultaneous scanning of multiple resources (every guest running its own scheduled anti-virus scan at the same time) will cause a dramatic decrease in the efficiency of the whole cloud structure. The solution is scanning at the hypervisor level: no competition for resources at the VM level. Companies should verify that their provider performs such scanning regularly in its cloud environment.

17 Data integrity
In a cloud the attack surface is bigger and at greater risk than in a traditional environment. It is critically important to be able to prove to internal and external auditors that the data were not compromised. Logs must be analysed for system integrity, file integrity, and internal activity. Demonstrated compliance with security standards (PCI DSS, HIPAA, etc.) can provide a partial "safe haven" in the aftermath of a data security breach, but it does not by itself prevent one.

18 Update management
Once a company has subscribed to a cloud service, updating its own applications and guest operating systems is not the provider's responsibility. About 90% of data security breaches are said to occur due to a misunderstanding of update management (figure as given in the presentation, without a source). "Virtual patches": blocking attacks on a vulnerability at the network level, e.g. with an IPS rule that drops the exploit traffic, when a timely update is impossible or impracticable. A virtual patch buys time; it does not remove the vulnerability, so the real update must still follow.

19 Laws and policies
Data security standards (PCI DSS, HIPAA, GLBA, etc.) and security audit frameworks (ISO, SAS 70, etc.) require the ability to prove compliance with the law regardless of the physical location of the cloud system. Service-Level Agreements must provide for access to (or evidence from) physical servers, virtual servers, firewall configuration, intrusion detection and prevention systems, logs, and anti-virus.

20 Firewalls
Reduce the attack surface. Cloud firewalls must comprise:
– VM isolation; – inbound/outbound traffic filtering; – coverage of the IP protocols (TCP, UDP, ICMP, etc.); – coverage of the link-layer frame types (IP, ARP, etc.); – DoS attack prevention; – sniffing and spoofing prevention. Also control over the physical location: the policy must follow the VM when it migrates between hosts.

21 Intrusion detection & prevention
Primary task: to shield vulnerabilities in the operating system and applications until they are eliminated by patching. Must provide protection from known as well as unknown (zero-day) vulnerabilities. Must provide protection from web application attacks such as XSS and SQL injection.

22 Data integrity
Detecting and preventing unauthorized changes in the operating system, files, and/or the registry. Must include: – scheduled scanning and scanning on demand; – file formats, properties, attributes and checksums (a CRC detects accidental corruption only; a cryptographic hash such as SHA-256 is needed to detect deliberate tampering); – directory properties and attributes; – configurability of the scope of scanned objects; – reports (for audit).
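As an added worked example (not part of the presentation or of any product it mentions), the following Python script does what the slide lists: it baselines a directory tree by recording each object's type, permission bits, owner and, for regular files, size and SHA-256, then re-scans and reports added, removed and modified objects together with the fields that changed. The function names and the tampered directory tree are constructed for this demo; the SHA-256 choice over a CRC is the editor's, in line with the caveat above.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical helper names chosen for this example; the tree built in demo() is constructed.


def sha256_of(path: Path) -> str:
    """Cryptographic hash of the content; unlike a CRC it cannot be matched by a crafted file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_record(path: Path) -> dict:
    """Properties and attributes the slide asks for: type, mode bits, owner, size, content hash."""
    st = path.lstat()
    if stat.S_ISDIR(st.st_mode):
        kind = "dir"
    elif stat.S_ISREG(st.st_mode):
        kind = "file"
    else:
        kind = "other"  # symlinks, devices, sockets: recorded but not hashed
    rec = {"type": kind, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if kind == "file":
        rec["size"] = st.st_size
        rec["sha256"] = sha256_of(path)
    return rec


def build_baseline(root) -> dict:
    """Walk `root` and record every directory and file, keyed by POSIX-style relative path."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in dirnames + sorted(filenames):
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans into what an audit report needs: added, removed, modified (with changed fields)."""
    findings = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": [],
    }
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if changed:
            findings["modified"].append({"path": rel, "fields": changed})
    return findings


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, re-scan and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed binary")
        os.chmod(root / "bin" / "ls", 0o755)
        baseline = build_baseline(root)

        # Simulated tampering (constructed): a config change; a setuid bit added without touching
        # the content (hash unchanged, so only attribute tracking catches it); a dropped file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(root / "bin" / "ls", 0o4755)
        (root / "etc" / "evil.conf").write_text("constructed dropped file\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The baseline would normally be stored outside the scanned VM (signed, or on the hypervisor side as slide 24 suggests), since an attacker who can alter the files can usually alter a baseline kept beside them. Recording mtime is deliberately omitted: it changes on every legitimate write and is trivially forged with `touch`.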

23 Log analysis
Detecting events in the logs that are significant from the information-security point of view: suspicious behaviour, administrators' actions. Statistical analysis of events throughout the whole cloud infrastructure. Security Information and Event Management (SIEM).
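As an added example (not from the presentation) covering both the detection tasks of slide 21 and the log analysis of slide 23, the Python script below runs a few SIEM-style rules over constructed syslog-like lines from two VMs: an SSH brute-force that ends in a successful login, a privileged administrator command, and web requests carrying SQL-injection and XSS payloads. The log format, host names, addresses and the sensitive-command watchlist are assumptions made for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample: syslog-style lines from two VMs, as a central SIEM would receive them.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z vm-web-01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:03Z vm-web-01 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:05Z vm-web-01 sshd[1201]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-03-01T10:00:11Z vm-web-01 sshd[1201]: Accepted password for root from 203.0.113.7 port 51032 ssh2
2024-03-01T10:01:00Z vm-web-01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/iptables -F
2024-03-01T10:02:00Z vm-web-01 httpd: 198.51.100.9 "GET /items?id=1%27%20OR%201%3D1-- HTTP/1.1" 200
2024-03-01T10:02:05Z vm-web-01 httpd: 198.51.100.9 "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200
2024-03-01T10:03:00Z vm-db-01 sshd[877]: Accepted publickey for deploy from 10.0.0.5 port 40110 ssh2
2024-03-01T10:03:10Z vm-db-01 httpd: 10.0.0.5 "GET /health HTTP/1.1" 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port")
SUDO_RE = re.compile(r"^(?P<admin>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
HTTP_RE = re.compile(r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Signature rules for the two web attack classes named on slide 21 (illustrative, not exhaustive).
SQLI_RE = re.compile(r"""['"]\s*(?:or|and)\s+\S+\s*=\s*\S+|union\s+select|--\s*$|;\s*drop\s""", re.I)
XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)
# Administrator commands that must always be visible to security (watchlist is an assumption).
SENSITIVE_CMD_RE = re.compile(r"\b(?:iptables|nft|useradd|usermod|passwd|visudo|setenforce)\b")


def analyze(lines, threshold=3, window=timedelta(seconds=60)):
    """Return a list of (rule, detail) alerts for the given log lines, in time order."""
    alerts = []
    failures = defaultdict(deque)  # source IP -> timestamps of recent failed logins
    brute_forcers = set()
    for line in lines:
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            alerts.append(("unparsed_line", line))  # never silently drop what you cannot parse
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        host, prog, msg = m["host"], m["prog"], m["msg"]

        if prog == "sshd":
            f = FAILED_RE.search(msg)
            if f:
                q = failures[f["src"]]
                q.append(ts)
                while q and ts - q[0] > window:  # sliding window per source
                    q.popleft()
                if len(q) >= threshold and f["src"] not in brute_forcers:
                    brute_forcers.add(f["src"])
                    alerts.append(("ssh_brute_force",
                                   f"{host}: {len(q)} failed logins from {f['src']} within {int(window.total_seconds())}s"))
                continue
            a = ACCEPTED_RE.search(msg)
            if a and a["src"] in brute_forcers:  # correlation: success after brute force
                alerts.append(("ssh_brute_force_success", f"{host}: {a['user']} login from {a['src']} after brute force"))
            elif a and a["user"] == "root":
                alerts.append(("root_login", f"{host}: direct root login from {a['src']}"))
        elif prog == "sudo":
            s = SUDO_RE.match(msg)
            if s and SENSITIVE_CMD_RE.search(s["cmd"]):
                alerts.append(("admin_privileged_change", f"{host}: {s['admin']} ran '{s['cmd']}' as {s['target']}"))
        elif prog == "httpd":
            h = HTTP_RE.match(msg)
            if h:
                url = unquote_plus(h["url"])  # decode first, or %27 hides the quote from the rule
                if SQLI_RE.search(url):
                    alerts.append(("web_sqli", f"{host}: {h['src']} requested {url}"))
                if XSS_RE.search(url):
                    alerts.append(("web_xss", f"{host}: {h['src']} requested {url}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOGS.splitlines()):
        print(f"{rule:26} {detail}")
```

Two design points matter more than the individual regexes: the analysis keys on the source address across all hosts, so the picture is infrastructure-wide rather than per VM, and the logs must be shipped to a collector the VM's own administrator cannot edit, otherwise the "administrators' actions" the slide wants to see can simply be deleted.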

24 Measures against malicious software
Anti-virus adapted for the cloud environment. VMsafe: a software interface provided by the hypervisor (VMware). Scanning active and idle virtual machines. Checking the integrity of the VMs as well as their content (files, applications, and registry). Guarantees economical use of the physical resources.

25 VMsafe
Protects active as well as idle virtual machines. Prevents the anti-virus from being blocked and/or uninstalled from inside the guest. Integrated with the cloud management console (VMware vCenter). Automatic configuration of new virtual machines.

26 Thank you for your attention!
Any questions?

