Security in Cloud Environments
Joern Mewes, Security Product Manager (joern.mewes@nokia.com)
16-11-2016
Cloud transformation happens in phases and will take 5+ years
(Figure: "Steps into the cloud", a timeline with three phases.)
- Now: carrier-grade clouds, typically in silos following operator units
- 2016+: distributing and connecting across the datacenter architecture
- 2020+: logically integrated cloud infrastructure, cloud-scaled and optimized network services
Domains shown on the timeline: network cloud, operator IT, OSS/BSS, enterprise cloud, radio network cloud, IT & enterprise, telco cloud.
Telco cloud: secure, five nines, low latency, colossal data.
Source: IDC, Nokia analysis
Cloud security is different: nightmare or next hope?
John Chambers, former CIO of Cisco: "You'll have no idea what's in the data center. That is exciting to me as a network player. But it is a security nightmare and it can't be handled in traditional ways."
Vivek Kundra, Executive Vice President, Industries, Salesforce.com: "Cloud computing is far more secure than traditional computing, because (cloud) companies can attract and retain cyber-security personnel of a higher quality than many governmental agencies."
Top 3 security risks in cloud environments
- Virtualization weakness: how to preserve isolation?
- Dynamicity and site motion: how to cope with constant and automated changes?
- Trust gap: how to guarantee trust and integrity?
The threats are real
Hypervisors are becoming the cloud's security Achilles heel.
Analysts predict it will get much worse...
"The vulnerabilities are there. It will happen, it's just a matter of time. Hackers are quite aware that a successful attack at the hypervisor layer represents an opportunity to penetrate the entire machine regardless of the security controls within each host."
McAfee Labs Report 2015: "Beyond application sandboxing, McAfee Labs predicts that 2015 will bring malware that can successfully exploit hypervisor vulnerabilities to break out of some security vendors' standalone sandbox systems."
Business agility requires re-thinking the way security gets implemented
- Systems and services are launched and retired faster than security teams can identify, analyze, and track them
- Physical boundaries between trusted and untrusted security domains no longer exist
- Security policies are enforced primarily by manual configuration and by executed audits and processes
- Classical perimeter security systems in front of the cloud:
  - lack topology and network information of the cloud
  - cannot cope with the scaling requirements of the cloud
  - do not see inter-VM traffic
  - are usually not integrated in the cloud-based orchestration processes
Data and software integrity protection
(Figure: network functions spread across clouds: MME, IMS, HLR, GW and BSC in the core cloud; radio cloud; SDN networks; OSS cloud.)
Data protection:
- Cloud providers are seen as being responsible for data protection and privacy
- Shared data layer / block storage systems need to consider service-specific requirements for data privacy
- The number of open interfaces for data exchange increases significantly
- Autonomous VNF/service inter-communication requires a new way to authenticate and authorize data access
Software integrity protection:
- Software integrity takes on greater significance. It comprises the whole lifecycle of virtualized applications, which can be roughly divided into the supply chain, the boot/launch and the runtime phase
- Software integrity must be maintained across different operating systems, software versions and patch levels
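The three lifecycle phases above (supply chain, boot/launch, runtime) map onto three checks against one signed digest manifest. The following is an added example written for this page, not code from Nokia or from any product the deck describes; the VNF image contents, file names and the vendor key are constructed, and HMAC stands in for the asymmetric signature a real vendor would use so the example runs with the standard library alone.

```python
# Added example (not from the Nokia deck): software integrity across the
# supply-chain, boot/launch and runtime phases using a signed digest manifest.
# All artifacts and the signing key below are constructed for illustration.
import hashlib
import hmac
import json

# Stand-in for the vendor's signing key. A real supply chain would sign the
# manifest asymmetrically; HMAC keeps the example standard-library only.
VENDOR_KEY = b"constructed-vendor-key"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(artifacts: dict) -> bytes:
    # Canonical JSON so the signature does not depend on key order or spacing.
    return json.dumps(artifacts, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: dict, key: bytes = VENDOR_KEY) -> dict:
    """Supply-chain phase: the vendor records a digest per artifact and signs the record."""
    digests = {name: digest(data) for name, data in artifacts.items()}
    sig = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"artifacts": digests, "signature": sig}


def manifest_is_authentic(manifest: dict, key: bytes = VENDOR_KEY) -> bool:
    expected = hmac.new(key, _canonical(manifest["artifacts"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["signature"])


def compare(expected: dict, present: dict) -> list:
    """Report every artifact that is missing, altered or unexpected."""
    findings = []
    for name, want in expected.items():
        if name not in present:
            findings.append(f"{name}: missing")
        elif not hmac.compare_digest(digest(present[name]), want):
            findings.append(f"{name}: digest mismatch")
    for name in present:
        if name not in expected:
            findings.append(f"{name}: not in manifest")
    return findings


def verify_launch(manifest: dict, artifacts: dict, key: bytes = VENDOR_KEY) -> list:
    """Boot/launch phase: refuse to start unless the manifest is authentic and
    every artifact matches it. An empty list means the launch may proceed."""
    if not manifest_is_authentic(manifest, key):
        return ["manifest signature invalid: refuse launch"]
    return compare(manifest["artifacts"], artifacts)


def runtime_check(launch_baseline: dict, current: dict) -> list:
    """Runtime phase: re-hash the running image periodically and report drift
    from the baseline recorded at launch (tampering, unauthorised patching)."""
    return compare(launch_baseline, current)


# Constructed sample VNF image: three artifacts shipped by the vendor.
VNF_IMAGE = {
    "bin/vfw": b"\x7fELF constructed firewall binary",
    "etc/vfw/policy.conf": b"default deny\nallow tcp 443\n",
    "lib/libcrypto.so": b"constructed shared library",
}
MANIFEST = build_manifest(VNF_IMAGE)


def demo() -> dict:
    """Walk the phases on the clean sample image and on tampered copies."""
    results = {"clean_launch": verify_launch(MANIFEST, VNF_IMAGE)}

    # Binary swapped after the vendor signed the manifest.
    tampered = {**VNF_IMAGE, "bin/vfw": b"\x7fELF trojanised binary"}
    results["tampered_launch"] = verify_launch(MANIFEST, tampered)

    # Attacker rewrites the digests to match but cannot re-sign without the key.
    forged = {"artifacts": build_manifest(tampered)["artifacts"],
              "signature": MANIFEST["signature"]}
    results["forged_manifest"] = verify_launch(forged, tampered)

    # Running instance: policy rewritten and an extra file dropped.
    drifted = {**VNF_IMAGE, "etc/vfw/policy.conf": b"allow any\n", "tmp/dropper": b"x"}
    results["runtime_drift"] = runtime_check(MANIFEST["artifacts"], drifted)
    return results


if __name__ == "__main__":
    for phase, findings in demo().items():
        print(phase, findings or "OK")
```

The same `compare` routine serves launch and runtime; what differs is the reference: the signed manifest at launch, and the launch-time baseline afterwards. An authorized patch would arrive with its own signed manifest and replace the baseline, which is how "different software versions and patch levels" stay verifiable.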
Cloud security is a layered approach
(Figure: OSS/BSS on top of a Cloud Orchestrator, VNF Manager and Virtual Infrastructure Manager; VNFs such as IMS, vFW, HLR, MME, OneNDS and GW running on a hypervisor (VMware, OpenStack) over compute, storage and networking infrastructure with Software Defined Networking (SDN); application / network management, deployment & monitoring via CAM* and FCAPS.)
1. Cloud Security Director: security orchestration & lifecycle management
2. Cloud-aware firewall: enforcement points & VNF security functions
3. Security element manager: security configuration & administration
4. Secure virtualized infrastructure / hypervisor hardening
5. Physical security functions & SDN security functions
Security orchestration: automate security processes within your cloud
- Dynamic security policies
- Security incident monitoring
- Threat response
- Security orchestration: agility & automation
- VNF and hypervisor hardening
- Security baseline checking and compliance management
- Trust engine for cloud
Cloud firewall requirements: next-generation security to support cloud computing
- Virtualized security VNFs purpose-built for cloud environments
- Strict separation of control plane and data plane
- Scalable data plane for performance growth
- Full MANO integration, meaning automated lifecycle management for:
  - Deployment (HEAT Orchestration Template, HOT)
  - Healing
  - High availability
  - Scaling up / scaling out
- Seamless SDN integration for automated policy changes: security becomes part of the network fabric
Cloud firewall requirements (continued)
- High capacity through support of CPU pinning and CPU isolation
- DPDK for fast packet processing
- SR-IOV for hardware virtualization (direct PCI access from the VM)
- Intel QuickAssist Technology for crypto operations
- Flexible deployment model (pay once, use everywhere in your cloud)
- No need for UTM anymore
- Standardized hardware, virtualization and MANO/SDN integration allow the deployment of use-case-specific security safeguards from various vendors
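The two requirement slides above (HOT-based deployment, scale-out, control/data-plane separation, CPU pinning, SR-IOV) can be expressed in a single OpenStack Heat stack. What follows is an added example written for this page, not a template from Nokia or from any firewall product; the resource types and property names are real Heat/Neutron ones, while the parameter names, the nested file name `vfw_member.yaml`, the group sizes and the management prefix are assumptions. CPU pinning is a property of the Nova flavor (extra spec `hw:cpu_policy=dedicated`), so the template only references such a flavor rather than defining it.

```yaml
# --- file: vfw_stack.yaml (added example, not the deck's own template) ---
heat_template_version: 2016-04-08
description: >
  Scale-out group of virtual firewall members. Each member has a separate
  control-plane port and an SR-IOV data-plane port.
parameters:
  image:       {type: string, description: vFW image in Glance}
  flavor:      {type: string, description: flavor whose extra spec hw:cpu_policy=dedicated pins vCPUs}
  control_net: {type: string, description: management / control-plane network (assumed name)}
  data_net:    {type: string, description: SR-IOV capable data-plane network (assumed name)}
resources:
  vfw_group:
    type: OS::Heat::AutoScalingGroup          # scaling out = more members, not bigger ones
    properties:
      min_size: 2                             # two members for high availability
      max_size: 8
      cooldown: 120
      resource:
        type: vfw_member.yaml                 # nested template below (assumed file name)
        properties:
          image:       {get_param: image}
          flavor:      {get_param: flavor}
          control_net: {get_param: control_net}
          data_net:    {get_param: data_net}
  scale_out:
    type: OS::Heat::ScalingPolicy
    properties:
      auto_scaling_group_id: {get_resource: vfw_group}
      adjustment_type: change_in_capacity
      scaling_adjustment: 1
      cooldown: 120
  scale_in:
    type: OS::Heat::ScalingPolicy
    properties:
      auto_scaling_group_id: {get_resource: vfw_group}
      adjustment_type: change_in_capacity
      scaling_adjustment: -1
      cooldown: 120
outputs:
  scale_out_url:
    description: URL the monitoring/orchestration layer signals to add a member
    value: {get_attr: [scale_out, alarm_url]}
  scale_in_url:
    value: {get_attr: [scale_in, alarm_url]}

# --- file: vfw_member.yaml (one firewall instance; assumed file name) ---
heat_template_version: 2016-04-08
parameters:
  image:       {type: string}
  flavor:      {type: string}
  control_net: {type: string}
  data_net:    {type: string}
resources:
  mgmt_sg:
    type: OS::Neutron::SecurityGroup          # control plane stays behind a tight group
    properties:
      rules:
        - {protocol: tcp, port_range_min: 22, port_range_max: 22,
           remote_ip_prefix: 10.0.0.0/24}     # constructed management prefix
  control_port:
    type: OS::Neutron::Port
    properties:
      network: {get_param: control_net}
      security_groups: [{get_resource: mgmt_sg}]
  data_port:
    type: OS::Neutron::Port
    properties:
      network: {get_param: data_net}
      binding:vnic_type: direct               # SR-IOV VF handed to the VM (direct PCI access)
      port_security_enabled: false            # the vFW filters its own data plane
  server:
    type: OS::Nova::Server
    properties:
      image:  {get_param: image}
      flavor: {get_param: flavor}
      networks:
        - port: {get_resource: control_port}
        - port: {get_resource: data_port}
```

The split into a group template and a member template is what lets the orchestrator treat healing, scaling and high availability uniformly: a failed member is replaced by recreating the nested stack, and scaling is a signal to `scale_out_url` or `scale_in_url` rather than a manual change. Disabling port security on the data-plane port is deliberate for a firewall VNF, and is exactly the kind of exception a security element manager should record and audit.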
How network security gets implemented into the cloud
(Figure: security service chain. Components: Cloud Orchestrator, Security Orchestrator, SDN. Chain of security functions: Anti-DDoS, WAF, IDS/IDP, FW, NAT. Traffic sources: mobiles, IoT, others.)