DELIVERING TRUSTED CLOUDS How Intel and Red Hat integrated solutions for secure cloud computing

Similar documents
Agenda GDPR Overview & Requirements IBM Secure Virtualization Solution Overview Summary / Call to Action Q & A 2

The Road to a Secure, Compliant Cloud

Intel, OpenStack, & Trust in the Open Cloud. Intel Introduction

Increasing Security and Compliance in the Cloud

Enhanced Privacy ID (EPID), 156

SYMANTEC DATA CENTER SECURITY

Enterprise & Cloud Security

Cloud Builders. Billy Cox. Director Cloud Strategy Software and Services Group

BUILDING A PRIVATE CLOUD. By Mark Black Jay Muelhoefer Parviz Peiravi Marco Righini

Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control

Mitigating Risks with Cloud Computing Dan Reis

Security Models for Cloud

BUILDING SECURITY INTO YOUR DATA CENTER MODERNIZATION STRATEGY

Virtualize More While Improving Your Risk Posture: The 4 Must Haves of VirtualizaJon Security

Enterprise Cloud Computing. Eddie Toh Platform Marketing Manager, APAC Data Centre Group Cisco Summit 2010, Kuala Lumpur

PUBLIC AND HYBRID CLOUD: BREAKING DOWN BARRIERS

Introduction to AWS GoldBase

Virtual Machine Encryption Security & Compliance in the Cloud

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Pulse Secure Application Delivery

Cloud First Policy General Directorate of Governance and Operations Version April 2017

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

WIND RIVER TITANIUM CLOUD FOR TELECOMMUNICATIONS

Accelerate Your Enterprise Private Cloud Initiative

VMware Hybrid Cloud Solution

Zero Trust in Healthcare Centrify Corporations. All Rights Reserved.

10 Considerations for a Cloud Procurement. March 2017

Cloud Customer Architecture for Securing Workloads on Cloud Services

Who s Protecting Your Keys? August 2018

Open Hybrid Cloud & Red Hat Products Announcements

Securing Your Most Sensitive Data

Telos and Amazon Web Services (AWS): Accelerating Secure and Compliant Cloud Deployments

2013 Cisco and/or its affiliates. All rights reserved. 1

Driving Business Outcomes: Cisco Data Center Innovation and Solutions

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

Accelerating the HCLS Industry Through Cloud Computing

MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY TECHNICAL WHITE PAPER

The Latest EMC s announcements

opportunity Mechanisms to Protect Data in the Open Cloud

Data Center and Cloud Automation

Building Trust in the Era of Cloud Computing

MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY TECHNICAL WHITE PAPER

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Xen Project Overview and Update. Ian Pratt, Chairman of Xen.org, and Chief Scientist, Citrix Systems Inc.

THE FUTURE IS HYBRID. Patrick Harr. Global Vice President, Cloud Strategy and Solutions Hewlett-Packard Company

Future Shifts in Enterprise Architecture Evolution. IPMA Marlyn Zelkowitz, SAP Industry Business Solutions May 22 nd, 2013

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Modern Database Architectures Demand Modern Data Security Measures

Microsoft Operations Management Suite (OMS) Fernando Andreazi RED CLOUD

AWS Reference Design Document

Etisalat Digital Enhancing Security in the Cloud

2018 Cisco and/or its affiliates. All rights reserved.

Practical Guide to Platform as a Service.

Cloud Essentials for Architects using OpenStack

MaaS360 Unified Mobility Management

Cisco Cloud Application Centric Infrastructure

RE-IMAGINING THE DATACENTER. Lynn Comp Director of Datacenter Solutions and Technologies

S Automating security compliance for physical, virtual, cloud, and container environments

The Next Opportunity in the Data Centre

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Why the cloud matters?

Modelos de Negócio na Era das Clouds. André Rodrigues, Cloud Systems Engineer

Security & Compliance in the AWS Cloud. Amazon Web Services

Matrix IT work Copyright Do not remove source or Attribution from any graphic or portion of graphic

On Demand Cryptographic Resources for Your Virtual Data Center and the Cloud: Introducing SafeNet s Crypto Hypervisor

Empowering Business Adoption of the Cloud through Intelligent Security Solutions and Active Defense Platforms

COMPLIANCE IN THE CLOUD

Intel and Symantec: Improving performance, security, manageability and data protection

Enabling Hybrid Cloud Transformation

Managing SaaS risks for cloud customers

VMware, SQL Server and Encrypting Private Data Townsend Security

Eucalyptus Overview The most widely deployed on-premise cloud computing platform

Delivering Complex Enterprise Applications via Hybrid Clouds

That Set the Foundation for the Private Cloud

Best Practices in Securing a Multicloud World

Fast IT - Policy Driven Infrastructure for the Intercloud World

Benefits of Extending your Datacenters with Amazon Web Services

PLANNING GUIDE Modernizing Servers and Software

ACCENTURE & COMMVAULT ACCENTURE CLOUD INNOVATION CENTER

Datacenter Security: Protection Beyond OS LifeCycle

NFV Infrastructure for Media Data Center Applications

2013 AWS Worldwide Public Sector Summit Washington, D.C.

Patching and Updating your VM SUSE Manager. Donald Vosburg, Sales Engineer, SUSE

DC: Le Converged Infrastructure per Software Defined e Cloud Cisco NetApp - Softway. Luigi MARCOCCHIA SOFTWAY

Leveraging the Cloud for Law Enforcement. Richard A. Falkenrath, PhD Principal, The Chertoff Group

GDPR Update and ENISA guidelines

IBM Cloud for VMware Solutions

WHY COMPOSABLE INFRASTRUCTURE INSTEAD OF HYPERCONVERGENCE

Virtustream Cloud and Managed Services Solutions for US State & Local Governments and Education

McAfee Public Cloud Server Security Suite

Vision of the Software Defined Data Center (SDDC)

Intermedia s Private Cloud Exchange

Enabling Fast IT. In the IoE era. Alberto Degradi DCV Sales Leader. November 2014

Microsoft Security Management

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Closing the Hybrid Cloud Security Gap with Cavirin

Private Cloud Database Consolidation Name, Title

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Transcription:

DELIVERING TRUSTED CLOUDS How Intel and Red Hat integrated solutions for secure cloud computing Steve Orrin - Federal Chief Technologist, Intel Steve Forage - Senior Director, Cloud Solutions, Red Hat

Agenda The Drive to Cloud Key Challenges in Cloud Deployments Building Blocks for Trusted Cloud Architecture Intel capabilities Red Hat platforms Solutions for Trusted Clouds NEC/Black Box CSRA Summary

Why Cloud?

Business and Networking Challenges Increased Data Traffic Smart devices, video content, and cloud services are all generating double-digit growth in network traffic. ONF, 2013 Protection of Customer Data Target will pay customers who suffered from a 2013 data breach up to $10,000 each in damages. CNN Money, August 2015 Business Agility Business agility is at the top of every CEO s priority list. IT agility must become an imperative too. ZK Research, May 2014 Storage requirements are increasing 40% annually Improving Network Security Need More Bandwidth Network Virtualization Aligning IT and Corporate Goals Moving Applications to the Cloud Ensuring Applications Run Optimally BYOD Related Access and Policy Concerns

Key Security Challenges Attacks on the infrastructure Co-tenancy threats Regulation compliance Attacks are moving down in the stack. How do you establish root of trust in h/w? Visibility and Audit Challenges Building and Enforcing Trust in the Cloud No physical boundaries. Do you know where you workload/data is located? Lack of Visibility to the Integrity of Infrastructure. How do you know your workloads are running on compliant infrastructure?

Compliance Requirements & Regulatory Challenges Compliance in a cloud environment Achieving Audit and Visibility Commingled Regulatory Environments Continuous Monitoring Data Use Controls

Building Trust and Compliance in the Cloud: The big questions When using a cloud, the tenant is not in control of their physical infrastructure. How do they: Verify provisioning of the infrastructure? Trust where servers are located? Control where VMs are distributed? Support data sovereignty requirements? Implement granular controls? Audit policy configuration of their cloud? Prove compliance to industry bodies & national regulations

Increased Trust and Assurance Intel provides Infrastructure Trust and Location Control Trusted Execution Technology Cloud Integrity Technology leverages TXT Capability Run time Protection What does it give you? Assurance that your workloads and data are protected during execution BIOS Intel Chipset Flash VT Trusted Launch Enables isolation and tamper detection at boot-time TPM Compliance Hardware-based verification for compliance VMM/ OS Tenant-Controlled Protected & Trusted Workloads Trusted Geo-Tags/ Asset- Tags (Location) Trusted Boot & Trusted Pools (OS + VMM) Intel TXT + TPM Protect your workloads (VMs, Containers) encryption, trust Control where your workloads can run and be migrated to Assurance and proof that your workloads always run on trusted servers

How Trust is established using Intel TXT/TPM Trusted Execution Technology Intel Chipset TPM BIOS Flash VT VMM/ OS Trusted Launch Enables isolation and tamper detection at boot-time Compliance Hardware-based verification for compliance

Trusted Compute Pools Addresses critical needs in virtualized & cloud use models Provides control to ensure only trustable hypervisor is run on platform Protecting server prior to virtualization software boot Launch-time protections that complement run-time malware protections Compliance Support Trusted Launch Verified platform integrity reduces malware threat Trusted Pools Control VMs based on platform trust to better protect data Internet Control VMs based on platform trust Pools of platforms with trusted hypervisor VM Migration controlled across resource pools Similar to clearing airport checkpoint and then moving freely between gates Compliance Hardware support for compliance reporting enhances auditability of cloud environment

Cloud Integrity Technology 1.0 Platform Trust, Trusted Compute Pools Uses Intel TXT/TPM to verify the integrity of a platform (BIOS, OS, hypervisor) against a known good state or whitelist at boot time Helps create logical groupings (pools) of trusted systems, separates them from untrusted systems Enables: Visibility: Identify trusted platforms vs. untrusted Control: Set policy that only allows workloads to run on trusted servers Monitoring: Trust-based policies can be automatically tracked Use Model 1: Trusted Launch Attestation provides information about platform trust to improve response to malware threats Use Model 2: Trusted Compute Pools Attestation provides information to inform us of which systems are trustworthy for hosting our workloads Use Model 3: Compliance Attestation allows us to verify platform trust for comparison against policy and use in audit Compliance: Trust information can be delivered to audit logs Available as Open Source Delivered via OpenStack or integrated into Policy & Compliance products, e.g. HyTrust Cloud Control

Cloud Integrity Technology 2.0 Trusted Location and Boundary Control Addresses top cloud concerns: Visibility and Control of Workload Location Auditability and Regulatory Compliance Hardware-based Geo- and Asset Tags help control workload placement and migration Tags are securely stored in TPM, tag integrity is assured Location Boundary Control policy can be set for a workload, allowing or preventing its deployment This helps address and prove data sovereignty requirements Delivered via OpenStack or Policy & Compliance product, e.g. HyTrust Cloud Control

Attested Server Tagging & Trusted Geo-location in the Cloud Many Trusted Compute Pools Early Adopters also require: GEO tagging Regulatory Compliance Requirements: EU data protection directives (95/46/EC) FISMA (geo-tag) Payment Card Industry (PCI-DSS) (asset tag) HIPPA (Asset Tag) A PoC of the NIST IR 7904 solution is at the NIST National Cyber Center of Excellence (NCCOE) in Rockville, MD NIST IR 7904 USG recommendation for Trusted Geolocation in the Cloud Trusted resource pool based on hardware-based secure technical measurement capability Platform attestation and safer hypervisor launch - Provide integrity measurement and enforcement for the compute nodes Trust-based secure migration - Provide geolocation measurement and enforcement for the compute nodes

Hardware Features for Data Protection AES-NI Ubiquitous Data Protection with Cryptographic Acceleration AES-NI allows significant performance at a lower price-point, no custom hardware DRNG Better Keys and Simulations with On-Board Digital Random Number Generator Stronger encryption keys High degree of entropy provides quality random numbers for encryption keys and other operations DRNG solves the problem of limited entropy in virtual platforms Secure transactions on Internet and Intranet Internet Full-disk encryption protects data on hard disks Name: J.Doe SS# ζ χ Application-level encryption for automation and granularity Intrane t

Introducing New Instructions for Cryptography Acceleration ADOX/ADCX Extension of ADC (Add with Carry) instruction for use in large integer arithmetic (integers MUCH larger than 64b); one common use is Public Key cryptography (e.g. RSA) ADOX - Unsigned Integer Addition with carry-in/out using the Overflow Flag ADCX - Unsigned Integer Addition with carry-in/out using the Carry Flag Performance improvements are due to two parallel carry chains being supported at the same time Available starting in Broadwell CPUs ADOX/ADCX Used with MULX Can Substantially Improve Public Key Encryption Code Performance

Cloud Integrity Technology 3.0 Workload Integrity and Confidentiality with OpenStack Extend trust from BIOS to workload Boot-time integrity of workload Workload can be a VM or container Integrated with OpenStack Enterprise Ownership and Control Encrypt workload before moving it to cloud Own and manage the encryption keys Only release keys to CSP after integrity check succeeds This ensures verifiable end-to-end protection Can be applied to storage and network workloads too CSPs can offer CIT 3.0 as cloud service

Red Hat Cloud Infrastructure Cloud Management - Alternative Virtualization - OpenStack - Ceph

Why Red Hat Cloud Infrastructure Software The Forrester Wave : Private Cloud Software Suites, Q1 2016 RHCI received: + The highest score in the Strategy section + The second-highest score in the Current Offering section The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product or service depicted in Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Red Hat.. leads the evaluation with its powerful portal, top governance capabilities and a strategy built around integration, open source, and interoperability.

Red Hat Cloud Infrastructure Cloud Management - Alternative Virtualization - OpenStack

NEC/Black Box Solution Stack

NEC/BLack Box Solution Stack - Value Collectively we are delivering a highly performant, secure hyper-converged infrastructure appliance that is built for web-scale environments with NexGen technology in OpenSource environment. Provide a comprehensive cloud management tool that allows management, metering and charge-back for bi-modal (traditional mode-1 and agile, web-scale mode-2) environments; across on-premise private cloud as well as lower security public cloud offerings from Amazon and Microsoft. Provide agility and flexibility to the data center resources with the ability to dynamically reallocate resources with respect to compute, storage and networking. Ability to replace expensive legacy high-end networking and storage with cost effective infrastructure at a fraction of the price without sacrificing the intelligence and benefits. Support for Multi-Layer Security in a multi tenant cloud

Cloud Service Models

DoD Security Requirements Guidelines Summary ARC-P runs at FISMA High with 412 Security Controls in place

Solution Stack - ARC-P Cloud Brokering Options Adheres to FedRAMP Multi-Factor directives

Solution Stack Highlights Adding Red Hat OpenStack to ARC-P FedRAMP FISMA High Baseline ATO (with reciprocity to DoD Impact Level 4 or 5) Utilizing Intel TXT Technology Utilizing CEPH, OSP Director, and Red Hat Linux 7 To be added to cloud service offerings of CSRA on all contracts/bids To be in Private IaaS mode, each customer sets up the way they need Possible Ansible as a Service add-on Deployed in Government Private (off premise) Cloud or ARC-P on Premise

Summary Cloud Security begins with trust and visibility enabled by hardware and delivered by the infrastructure Intel is driving hardware assisted security into the ecosystem of OEMs, ISVs, and CSPs Red Hat delivers platform and solutions for private, hybrid, and public cloud The risks and threats to the Cloud can be mitigated and managed But it takes an ecosystem of software, hardware, and service providers Call to Action Work with your vendors and CSPs Require security and trust for your workloads and data Require visibility and the necessary feeds and monitoring to achieve compliance For Private and Hybrid use cases, implement your policies for workload and data protection/control and then enforce them via orchestration Make platform/hw trust a requirement on your service providers and supply chain Verify, then Trust, then Verify again Validate that controls are configured correctly and generating the necessary evidence (logs, reports, attestation of trust,...) Continuously validate trust level and residency

Q & A

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback