IF674-M06-Hybrid Data Center Security

Uploaded by

ShinPurinn
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
69 views24 pages

IF674-M06-Hybrid Data Center Security

Uploaded by

ShinPurinn
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 24

DEPARTMENT OF INFORMATICS
COLLEGE OF ENGINEERING AND INFORMATICS
UNIVERSITAS MULTIMEDIA NUSANTARA
ACADEMIC YEAR 2022-2023

IF674 - Cybersecurity: Cloud and Operations Security
Topic: Hybrid Data Center Security

Yaman Khaeruzzaman, M.Sc.

IF674 - Cybersecurity: Cloud and Operation Security 1
Course Learning Objective (Sub-CLO):
1. Sub-CLO 06: Students are able to investigate east-west and north-south traffic protection methods and identify the four phases of effective security in a hybrid data center architecture. (C5)



OUTLINE

▪ Data Center Security
▪ Data Center Evolution
▪ Traditional Data Security Solution Weaknesses
▪ Traffic Protection
▪ Security in Hybrid Data Center
▪ Four-Phase Approach



Data Center Security



Data Center Evolution



Benefits of Cloud Computing
The benefit of moving toward a cloud computing model is that it
improves operational efficiencies and lowers capital expenditures:
▪ Optimizes existing hardware resources. Instead of using a “one
server, one application” model, you can run multiple virtual applications on
a single physical server, which means that organizations can leverage their
existing hardware infrastructure by running more applications within the
same system, provided that sufficient compute and memory resources
exist on the system.
▪ Reduces data center costs. Reduction of the server hardware “box”
count not only reduces the physical infrastructure real estate but also
reduces data center costs for power, cooling, and rack space, among
others.
Benefits of Cloud Computing (Cont.)
▪ Increases operational flexibility. Through the dynamic nature of virtual
machine (VM) provisioning, applications can be delivered more quickly
than they can through the traditional method of purchasing them,
“racking/stacking,” cabling, and so on. This operational flexibility helps
improve the agility of the IT organization.
▪ Maximizes efficiency of data center resources. Because
applications can experience asynchronous or bursty demand loads,
virtualization provides a more efficient way to address resource contention
issues and maximize server use. It also provides a better way to address
server maintenance and backup challenges. For example, IT staff can
migrate VMs to other virtualized servers or hypervisors while performing
hardware or software upgrades.
Traditional data security solution weaknesses
▪ Limited visibility and control. The “ports first” focus of traditional data
security solutions limits their ability to see all traffic on all ports, which
means that evasive or encrypted applications, and any corresponding
threats that may or may not use standard ports can evade detection.
▪ No concept of unknown traffic. Unknown traffic is high risk but
represents only a relatively small amount of traffic on every network.
Unknown traffic can be a custom application, an unidentified commercial
off-the-shelf application, or a threat. The common practice of blocking all
unknown traffic may cripple your business. Allowing it all is highly risky.
You need to be able to systematically manage unknown traffic using native
policy management tools to reduce your organizational security risks.
Traditional data security solution weaknesses (Cont.)
▪ Multiple policies, no policy reconciliation tools. Sequential traffic
analysis in traditional data center security solutions requires a
corresponding security policy or profile, often using multiple management
tools. Multiple security policies that mix positive (firewall) and negative
(application control, IPS, and anti-malware) control models can cause
security holes by missing traffic and/or not identifying the traffic. This
situation is made worse when there are no policy reconciliation tools.
▪ Cumbersome security policy update process. Existing security
solutions in the data center do not address the dynamic nature of your
cloud environment. In a virtual data center, VM application servers often
move from one physical host to another, so your security policies must
adapt to changing network conditions.
Traffic Protection

In a virtual data center (private cloud), there are two different types of traffic, each of which is secured in a different manner:



Traffic Protection
▪ North-south refers to data packets that move in and out of the
virtualized environment from the host network or a corresponding
traditional data center. North-south traffic is secured by one or more
physical form factor perimeter edge firewalls. The edge firewall is
usually a high-throughput appliance working in high availability
active/passive (or active/active) mode to increase resiliency. It
controls all the traffic reaching into the data center and authorizes
only allowed and “clean” packets to flow into the virtualized
environment.



Traffic Protection
▪ East-west refers to data packets moving between virtual workloads
entirely within the private cloud. East-west traffic is protected by a
local, virtualized firewall instantiated on each hypervisor. East-west
firewalls are inserted transparently into the application infrastructure
and do not necessitate a redesign of the logical topology.
Organizations usually implement security to protect traffic flowing north-
south, but this approach is insufficient for protecting east-west traffic
within a private cloud. To improve their security posture, enterprises
must protect against threats across the entire network, both north-
south and east-west.
Three-tier application hosted in a virtual data center



Three-tier application
One common practice in a private cloud is to isolate VMs into different
tiers. Isolation provides a clear delineation of application functions and
allows a security team to implement security policies easily. Isolation is
achieved using logical network attributes (such as a VLAN or a VXLAN)
or logical software constructs (such as security groups). A simple three-
tier application, for example, is composed of a WEB-VM as the front end, an
APP-VM as the application tier, and a DB-VM providing database services.



Possible data-theft scenario
An attacker has multiple options for stealing data from the DB-VM. The first
option is to initiate an SQL injection attack by sending HTTP requests
containing normalized SQL commands that target an application vulnerability.
The second option is to compromise the WEB-VM (using vulnerability
exploits) and then move laterally to the APP-VM, initiating a brute-force attack
to retrieve the SQL admin password.
After the DB-VM is compromised, the attacker can hide the extraction of sensitive
data by using techniques such as DNS tunneling, or by moving data
across the network with NetBIOS and then off the network via FTP. Infiltration
into the environment and exfiltration of critical data can be completely
transparent and go undetected because the data is carried over legitimate
protocols (such as HTTP and DNS) that are used for normal business
activities.
East-west protection benefits
▪ Authorizes only allowed applications to flow inside the data center,
between VMs
▪ Reduces lateral threat movement when a front-end workload has been
compromised
▪ Stops known and unknown threats that are sourced internally within the
data center
▪ Protects against data theft by leveraging data and file filtering capability
and blocking spyware communications to the external world
▪ Provides unprecedented traffic and threat visibility from the virtualized
security device
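The tier isolation of the three-tier application and the east-west allow-list described above, as an added example (not code from the slides or from any vendor product): each VM carries a tier tag, flows are classified as north-south or east-west by whether they cross the private-cloud boundary, and only explicitly listed (source tier, destination tier, application) triples are permitted. Addresses, tier names and application labels are constructed sample values.

```python
# Added example (not from the lecture slides): a minimal allow-list policy model
# for the three-tier application above. Each VM carries a tier tag (security-group
# style isolation) and a flow is permitted only when its (source tier, destination
# tier, application) triple is explicitly listed. All values are constructed sample data.
from dataclasses import dataclass
import ipaddress

DC_NET = ipaddress.ip_network("10.10.0.0/16")  # constructed private-cloud range
# VM inventory: name -> (address, tier)
VMS = {
    "WEB-VM": ("10.10.1.10", "web"),
    "APP-VM": ("10.10.2.10", "app"),
    "DB-VM": ("10.10.3.10", "db"),
}
# East-west allow-list: anything not listed is denied, so WEB-VM cannot reach
# DB-VM directly and DB-VM cannot initiate connections out of the data center.
EAST_WEST_ALLOW = {("web", "app", "http-api"), ("app", "db", "mysql")}
# North-south allow-list enforced by the perimeter edge firewall.
NORTH_SOUTH_ALLOW = {("external", "web", "https")}

@dataclass(frozen=True)
class Flow:
    src: str  # source IP address
    dst: str  # destination IP address
    app: str  # application identified by the firewall, or "unknown"

def tier_of(addr: str) -> str:
    """Map an address to its tier tag; addresses outside DC_NET are 'external'."""
    if ipaddress.ip_address(addr) not in DC_NET:
        return "external"
    for ip, tier in VMS.values():
        if ip == addr:
            return tier
    return "unregistered"  # inside the data center but not in the inventory

def direction(flow: Flow) -> str:
    """'east-west' when both ends are inside the private cloud, else 'north-south'."""
    inside = [ipaddress.ip_address(a) in DC_NET for a in (flow.src, flow.dst)]
    return "east-west" if all(inside) else "north-south"

def decide(flow: Flow) -> str:
    """'allow', 'deny', or 'review' for unknown apps (managed by policy, not blanket-handled)."""
    if flow.app == "unknown":
        return "review"
    table = EAST_WEST_ALLOW if direction(flow) == "east-west" else NORTH_SOUTH_ALLOW
    return "allow" if (tier_of(flow.src), tier_of(flow.dst), flow.app) in table else "deny"
```

Note that a DB-VM flow to an outside address is classified north-south and denied by default, which is the control that blocks the FTP exfiltration path described in the scenario above.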
Security in hybrid data centers



Consolidating servers within trust levels
Organizations often consolidate servers within the same trust level into
a single virtual computing environment: either one physical host or a
cluster of physical hosts. Security solutions should incorporate a robust
virtual systems capability in which a single instance of the associated
countermeasures can be partitioned into multiple logical instances, each
with its own policy, management, and event domains. This virtual
systems capability enables a single physical device to be used to
simultaneously meet the unique requirements of multiple VMs or groups
of VMs. Controlling and protecting inter-host traffic with physical
network security appliances that are properly positioned and configured
is the primary security focus.
Consolidating servers across trust levels
Workloads with different trust levels often coexist on the same physical
host or cluster of physical hosts. As a best practice for virtualization, you
should minimize the combination of workloads with different trust levels
on the same server. Live migrations of VMs also should be restricted to
servers supporting workloads within the same trust levels and within the
same subnet. Over time, and in particular as workloads move to the
cloud, maintenance of segmentation based on trust levels becomes
more challenging.
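The live-migration restriction stated above, as an added example (not code from the slides or from any hypervisor product): a proposed move is checked against the rule that the destination host must serve the VM's trust level and sit in the same subnet, and mixing of trust levels on the destination is reported as a soft finding. Host names, subnets and trust labels are constructed sample data.

```python
# Added example (not from the slides): checking a proposed VM live migration
# against the rule that a VM may only move to a host that serves the same trust
# level and sits in the same subnet. Host names, subnets and trust labels are
# constructed sample data, not a real inventory.
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Host:
    name: str
    subnet: str              # e.g. "10.10.2.0/24"
    trust_levels: frozenset  # trust levels of the workloads this host serves

@dataclass(frozen=True)
class VM:
    name: str
    addr: str
    trust: str

def migration_violations(vm: VM, src: Host, dst: Host) -> list:
    """Hard-rule violations for moving vm from src to dst; an empty list means allowed."""
    problems = []
    if vm.trust not in dst.trust_levels:
        problems.append(f"{dst.name} does not serve trust level '{vm.trust}'")
    dst_net = ipaddress.ip_network(dst.subnet)
    same_subnet = dst_net == ipaddress.ip_network(src.subnet)
    if not same_subnet or ipaddress.ip_address(vm.addr) not in dst_net:
        problems.append(f"{dst.name} is on {dst.subnet}, not the VM's subnet {src.subnet}")
    return problems

def migration_warnings(vm: VM, dst: Host) -> list:
    """Soft findings: the guidance is to minimise mixing trust levels on one host."""
    others = sorted(dst.trust_levels - {vm.trust})
    return [f"{dst.name} also serves other trust levels: {others}"] if others else []

def can_migrate(vm: VM, src: Host, dst: Host) -> bool:
    """True when no hard rule is violated (warnings alone do not block the move)."""
    return not migration_violations(vm, src, dst)
```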



Selective network security virtualization
Intra-host communications and live migrations are architected at this
phase. All intra-host communication paths are strictly controlled to
ensure that traffic between VMs at different trust levels is intermediated
either by an on-box, virtual security appliance or by an off-box, physical
security appliance. Long-distance live migrations (for example, between
data centers) are enabled by a combination of native live migration
features with external solutions that address associated networking and
performance challenges. The intense processing requirements of
solutions such as next-generation firewall virtual appliances will ensure
that purpose-built physical appliances continue to play a key role in the
virtual data center. However, virtual instances are ideally suited for
scenarios where countermeasures need to migrate along with the
workloads they control and protect.
Dynamic computing fabric
Conventional, static computing environments are transformed into dynamic
fabrics (private or hybrid clouds) where underlying resources such as network
devices, storage, and servers can be fluidly engaged in whatever
combination best meets the needs of the organization at any given point in
time. This phase requires networking and security solutions that not only can
be virtualized but are also virtualization-aware and can dynamically adjust as
necessary to address communication and protection requirements,
respectively. Associated security management applications also need to be
capable of orchestrating the activities of physical and virtual instances of
countermeasures first with each other and then with other infrastructure
components. This capability is necessary to ensure that adequate protection
is optimally delivered in situations where workloads are frequently migrating
across data center hosts.
NEXT DISCUSSION OUTLINE
▪ Securing the Cloud: Advanced Solution





Vision
To be a leading undergraduate Informatics study program that produces internationally minded graduates who are competent in Computer Science, entrepreneurial, and of noble character.

Mission
1. To deliver education using the best technology and curriculum, supported by professional teaching staff.
2. To carry out research in Informatics in order to advance Informatics science and technology.
3. To carry out community service based on Informatics science and technology, as a way of putting Informatics science and technology into practice.