Enterprise & Cloud Security
Greg Brown, VP and CTO: Cloud and Internet of Things, McAfee, An Intel Company
August 20, 2013
You Do NOT Want to Own the Data
Connected device forecasts: Intel: 15B (2015); Cisco: 50B (2020)
August 21, 2013
Growth Drives Need to Adopt Cloud Computing
By 2015:
- 15 billion connected devices [2]
- >1500 exabytes of cloud data traffic [1]
- >3 billion connected users [1]
- 1400 exabytes of data stored/processed via clouds [3]
Why Cloud? An Intel IT example:
- Agility: provision new resources in 15 minutes instead of 90 days
- Efficiency: asset utilization from 10% to >60%
- Cost savings: $9M savings in the last 2 years
IT survey results (private cloud, hybrid cloud (public + private), public cloud), values as extracted from the chart: Today: 14%; 35% by 2015 [5]; Today: 7%; 2014: 42%; 2014: 23%; >40% of IT operations [4]; >40% of IT operations [4]
Sources:
1. Cisco Global Cloud Index, Nov 2011
2. Intel ECG Worldwide Device Estimates Year 2020 - Intel One Smart Network Work forecast
3. IDC, Extracting Value from Chaos, June 2011, http://www.emc.com/digital_universe
4. ODCA global member survey, Oct 2011, N=63
5. Gartner, Dec 2010, N=55, The Road Map From Virtualization to Cloud Computing (G00210845)
Security is Top Barrier to Cloud Adoption
IT Pro survey of key concerns [1]:
- 61%: lack of visibility inhibiting private cloud adoption
- 55%: lack of control over data is the key concern for public cloud adoption
- 57%: avoid putting workloads with compliance mandates in the cloud
Traditional data center (Mfg, HR): behind firewall; highly controlled; mature security tools
Networks: email, web traffic at risk; potential data loss
Private/public cloud: multi-tenant, shared; virtualized; auditing difficult
User & intelligent devices: ensure the right people access the right data; protect against new types of malware
1. Source: McCann, "What's holding the cloud back?" cloud security global IT survey, sponsored by Intel, May 2012
The Cloud Drives New Security Needs
Traditional data center (Mfg, HR) -> virtualized and private cloud data center (VMM hosting Mfg, HR, Sales) -> public cloud data center (Company A, Company B, Company C sharing infrastructure)
IT security policy challenges:
- Reduced physical control and visibility
- Increased multi-tenancy
- Reduced effectiveness/efficiency of the existing security toolbox
- Increased attack surface
New Security for a Virtual Cloud World
Virtualized & private cloud data center (Company A: MFG, HR, Sales on a VMM) and public cloud data center (Company A, Company B, Company C)
Learn more about how Intel TXT and McAfee ePO security solutions work together.
Foundation of Client to Cloud Security
Cloud Security Mission: Worry-Free Cloud Computing. In the next 4 years, make cloud security equal to or better than traditional best-in-class enterprise security.
1. Secure cloud data centers (public/private clouds: servers, network, storage): infrastructure & data protection, audit/compliance
2. Secure the devices (user & intelligent devices): identity, device integrity & data protection
3. Secure the connections: apps, data, traffic
4. Common security standards & broad industry collaboration
Hardware-enhanced security + software & services are key to achieving the mission.
Understanding Cloud Integrity
Traditional (Internet):
- Digital certificates: validate web server authenticity
- External assessment & reputation: validate web server authenticity
Evolving (private cloud, public cloud):
- Host integrity: ensure server is known good
- Location & asset control: control workload location
- VM integrity: ensure all VMs are known good
- Security stack integrity: security systems operational
- Real-time integrity: continuous monitoring
- Endpoint-aware integrity: client/cloud mutual trust
Enabling products: McAfee SiteAdvisor Enterprise; McAfee Cloud Secure; Intel Trusted Execution Technology (TXT); Intel Virtualization Technology (VT); McAfee MOVE AV; McAfee Application Control & Change Control
Will deliver on-going advancements to hardware & software security for greater controls & auditability.
1. McCann 2012 State of Cloud Security Global Survey, Feb 2012
Optimized Client Security for Cloud Users
Key challenges: complex identity management; new forms of malware below the OS*; growing range of online attacks
- McAfee Cloud Identity Manager: identity federation (Salesforce.com, Google.com); strengthen and simplify authentication
- Intel Identity Protection Technology: protect against man-in-the-middle attacks
- McAfee Deep Defender (on McAfee DeepSAFE, below the operating system): protect against zero-day attacks
Client device stack: applications, operating system, McAfee DeepSAFE; authentication and data protection across private and public cloud
*OS = operating system
Secure the Connections: Traffic from Device to Clouds
Users & devices (application consumers, intelligent devices, administrators) -> network security (web security, email security) -> cloud infrastructure (servers, network, storage: private cloud, public cloud)
Cross-cutting: policy, audit, reporting, governance & risk; integrity assessment; identity management; data loss prevention
Today -> future: policy enforcement driven by integrity assessment at the enterprise perimeter or cloud edge
Accelerating Cloud Security Standards
- Accelerate cloud adoption via consensus on security best practices
- Reduce manual audit cycles via a common framework for regulatory standards
- Streamline security implementations via standards for controls and APIs across cloud environments
- Enable IT to easily compare cloud provider security levels
Example: aligning hardware and software controls to ODCA requirements. ODCA Security Provider Assurance Usage Model 1.0: the solution should be able to support the following functional requirements by assurance level, where applicable:*
- Bronze (basic): identity management; security incident & event monitoring
- Silver (enterprise): network intrusion prevention; event logging; administrative changes tracking
- Gold (financial): penetration testing; asset segmentation; encrypted communication; geo limits; storage encryption
- Platinum (military): strong encryption for data
*Several of the requirements are supported by Intel / McAfee
Enabling Open, Interoperable Cloud & Security Solutions
Intel Cloud Builders: Infrastructure as a Service / cloud resource management; cloud security; cloud efficiency; cloud storage/networking; client aware
www.intel.com/cloudbuilders
Enabling Open, Interoperable Security Solutions
SIA Associate Partner; SIA Technology Partner (McAfee Compatible)
www.mcafee.com/us/partners/security-innovation-alliance
McAfee Strategy: Customer Value Proposition
- Elastic and efficient security across the infrastructure (compute, storage and network)
- Protect sensitive data wherever it goes (physical, virtual and cloud, SaaS or IaaS)
- Centralized and simplified security management in dynamic datacenter environments
- Create trust by attesting to the security posture of the workload in the cloud
McAfee Strategy: Customer Value Proposition
Elastic and efficient security across the infrastructure (compute, storage and network)
- Know what and where all the workloads are: discover all your workloads and provide complete security visibility in ePO
Discover: Complete Visibility into Your Private Cloud
You cannot secure what you cannot see.
- Automatically discover your entire physical and virtual infrastructure (hypervisors, virtual machines, virtual appliances) through the vSphere Data Center Connector
- Dynamically discover new instances and discard old ones
- Auto-populate or manually enter the VM/host location in ePO tags
- Show the ESXi server to vCenter relationship
- Display imported virtual machines in the ePO system tree, including the virtual machine to host relationship
Discover: ePolicy Orchestrator Data Center Dashboard
Single pane security management:
- Know the protection status of every workload, on-premise and off-premise, in a single ePO dashboard
- Monitor key metrics and trends of all data center components, such as security and power status
- Applications categorized into Known Good, Known Bad, Grey List
- Historical security data
- Customizable dashboards, such as executive overviews
McAfee Strategy: Customer Value Proposition
Elastic and efficient security across the infrastructure (compute, storage and network)
- Know what and where all the workloads are: discover all your workloads and provide complete security visibility
- Protect workloads and ensure compliance: secure each workload with the desired policies on-premise and off-premise
Protect: The Appropriate Security for a Workload (Servers)
Protect: Boot Attestation in the ePO Tree
Intel Trusted Execution Technology (TXT) provides boot attestation:
- Boot your hypervisor from a trusted image
- Determine the trustworthiness of the hypervisor boot using Intel TXT by validating the firmware/BIOS and the VMM image that booted
- Display the boot trust status in ePolicy Orchestrator
- Create policies based on this status, e.g. a secure VM policy that alerts the ePO administrator if a critical VM is running on an untrusted hypervisor
Protect: Boot Attestation through Intel TXT
Diagram: PCI workloads on MOVE virtualization infrastructure, each host labelled Trusted
How it works:
- Consider a McAfee-secured federated datacenter (ePO, MOVE) where trusted boot status is an attribute in the ePO system tree
- Security policy mandates that PCI workloads must run only on trusted hosts
- If the TXT string on the host does not match the expected value, the host is marked as Untrusted
- On receipt of the status change, ePO recommends that the PCI VMs on that host be moved to a different trusted hypervisor
- Partners like HyTrust and Trapezoid have ePO integrations that leverage this capability
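The policy above, modelled as an added example (not Intel or McAfee code): each host reports a TXT launch measurement, a host whose measurement does not match the recorded known-good value is marked Untrusted, and any PCI-tagged VM on an Untrusted host gets a migration recommendation. Host names, tags and the hex digests are constructed; `EXPECTED`, `assess_host` and `recommend_moves` are hypothetical names, not ePO APIs.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    tags: frozenset          # e.g. {"PCI"} for a cardholder-data workload

@dataclass
class Host:
    name: str
    txt_measurement: str     # launch measurement the host reports via TXT (constructed hex)
    vms: list = field(default_factory=list)

# Known-good launch measurements per host, recorded after each hypervisor was
# booted from a trusted image (constructed values, not real TXT/PCR digests).
EXPECTED = {"hv-01": "3f2a9c", "hv-02": "3f2a9c", "hv-03": "3f2a9c"}

def assess_host(host, expected):
    """Trusted only if the reported measurement matches the expected value."""
    good = expected.get(host.name)
    if good is None or not hmac.compare_digest(good, host.txt_measurement):
        return "Untrusted"   # unknown host or mismatch: fail closed
    return "Trusted"

def recommend_moves(hosts, expected, tag="PCI"):
    """Policy: VMs carrying `tag` on an Untrusted host should move to a Trusted one."""
    status = {h.name: assess_host(h, expected) for h in hosts}
    trusted = [h.name for h in hosts if status[h.name] == "Trusted"]
    moves = []
    for h in hosts:
        if status[h.name] == "Trusted":
            continue
        for vm in h.vms:
            if tag in vm.tags:
                # target None means no trusted host is left; the alert still fires
                moves.append((vm.name, h.name, trusted[0] if trusted else None))
    return status, moves

# Constructed scenario: hv-02 reports a measurement that no longer matches.
HOSTS = [
    Host("hv-01", "3f2a9c", [VM("web-01", frozenset({"DMZ"}))]),
    Host("hv-02", "9e0d41", [VM("pay-01", frozenset({"PCI"})), VM("hr-01", frozenset({"HR"}))]),
    Host("hv-03", "3f2a9c"),
]

if __name__ == "__main__":
    status, moves = recommend_moves(HOSTS, EXPECTED)
    print(status)  # {'hv-01': 'Trusted', 'hv-02': 'Untrusted', 'hv-03': 'Trusted'}
    print(moves)   # [('pay-01', 'hv-02', 'hv-01')]
```

The non-PCI VM on the untrusted host is left in place, matching the slide's rule, and a host absent from the known-good list is treated as Untrusted rather than silently accepted.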
McAfee Strategy: Customer Value Proposition
Elastic and efficient security across the infrastructure (compute, storage and network)
- Know what and where all the workloads are: discover all your workloads and provide complete security visibility
- Protect workloads and ensure compliance: secure each workload with the desired policies on-premise and off-premise
- Extend workloads securely into the cloud: grow your infrastructure into the cloud with automatic provisioning of security policies
Grow: AWS Data Center Connector
1. Choose the cloud provider to connect with
2. Name your connection and enter cloud credentials
3. Monitor/manage security of your cloud workloads from ePO
Grow with confidence:
- Discover and secure cloud machines automatically through the AWS Data Center Connector
- Dynamically update new instances as you scale up and discard old ones as you scale down
- Auto-populate or manually enter the cloud machine location/provider in ePO tags
- Ensure an identical security posture between your on-premise and cloud-based workloads
Intel and McAfee: Better Security Together
- Unique: innovative, integrated hardware/software solutions that are unparalleled in the industry (Deep Defender on Xeon; elastic network security for SDN; trust attestation in the datacenter)
- Differentiated: solutions with superior functionality, performance, and efficiency; McAfee is optimized for superior performance on Intel Architecture
- Comprehensive: technologies and ecosystem leadership that help eliminate security gaps and complexity; customized GTM for specific customer segments like health care and public cloud providers
Summary of McAfee Security Solutions
Security services by layer:
- Endpoints: anti-virus; runtime protection (application whitelisting, file integrity); vulnerability management (patches, configurations)
- Management: centralized policy administration; incident management and event correlation; centralized compliance monitoring
- Identity: user authentication; federation of identities; device authentication
- Data: encryption for data at rest and data in motion; content monitoring/filtering (DLP); content monitoring/filtering for file shares
- Applications: DB activity and vulnerability monitoring; monitoring/filtering for web and email
- Network: network access control; network behavior analysis; network intrusion detection/prevention; network firewall
McAfee solutions: Datacenter Security Suite; Vulnerability Manager (MVM); ePolicy Orchestrator (ePO); Global Threat Intelligence (GTI); Compliance Suite; ESM (SIEM product); Cloud Identity Manager; Endpoint Encryption; DLP; Cloud Security Platform; Network Security Platform
Greg Brown, VP and CTO, Cloud and Internet of Things, McAfee, An Intel Company
greg_brown@mcafee.com