08 - Module 8

The document discusses key security concepts related to cloud computing including confidentiality, integrity, availability, authentication, authorization, auditing, defense-in-depth, trusted computing base, secure multi-tenancy, velocity of attack, information assurance, and data ownership. It also covers key security threats in cloud environments such as data leakage, data loss, account hijacking, insecure APIs, and denial of service attacks.

Uploaded by rono aljehani

Module: Security

Upon completion of this module, you should be able to:


• Describe key security terminologies
• Describe key security threats in the cloud
• Discuss key security mechanisms deployed in the cloud
• Describe the role of GRC in the cloud

© Copyright 2014 EMC Corporation. All rights reserved. Module: Security 1


Cloud Computing Reference Model
Security Cross-layer Function

Lesson: Introduction to Cloud Security
This lesson covers the following topic:
• Key information security terminologies

Drivers for Securing Cloud Infrastructure
• Information is an organization’s most valuable asset
• Various tools are deployed to protect the assets
• Trust is one of the key concerns of consumers adopting cloud

Trust = Visibility + Control

• Managing security has become increasingly important for cloud service providers

Information Security
A term that includes a set of practices that protect information and
information systems from unauthorized access, use, information disclosure,
disruption, modification, or destruction.
— US Federal law (Title 38 Part IV, Chapter 57, Subchapter III USC 5727)

• Goal of information security is to provide:
– Confidentiality, integrity, and availability
• Security mechanisms ensure right users have access to
right resources at the right time
• Auditing enables assessing effectiveness of the security
mechanisms

Key Terminologies of Information Security
• Confidentiality, Integrity, and Availability (CIA)
• Authentication, Authorization, and Auditing (AAA)
• Defense-in-depth
• Trusted computing base
• Secure multi-tenancy
• Velocity of attack
• Information assurance
• Data privacy
• Data ownership

Confidentiality, Integrity, and Availability
• Confidentiality
– Provides required secrecy of information
– Ensures only authorized users have access to data
• Integrity
– Ensures unauthorized changes to data are not allowed
• Availability
– Ensures authorized users have reliable and timely access to
resources

Authentication, Authorization, and Auditing
• Authentication
– Process to ensure users or assets are who they claim to be
– Two methods: single-factor and multi-factor
• Authorization
– Process of determining access rights of a user, device, application,
or process to a service or resource
– Authorization should be performed only if authentication is
successful
• Auditing
– Process to evaluate the effectiveness of security enforcement
mechanisms

Defense-in-depth
A strategy in which multiple layers of defense are deployed throughout the
infrastructure to help mitigate the risk of security threats in case one layer of
the defense is compromised.

• Also known as a “layered approach” to security
• Provides service providers additional time to detect and
respond to an attack
– Reduces the scope of a security breach

Trusted Computing Base (TCB)
A set of all those components that are critical to the security of the cloud
infrastructure.

• Defines boundary for security-critical and non-critical parts of a system
• Vulnerabilities occurring inside TCB might jeopardize
security of the entire system

Secure Multi-tenancy
• Requires mechanisms that prevent a tenant or its process from
affecting another tenant’s information/process
• Providers are responsible for ensuring secure multi-tenancy
Key focus areas:
• Secure separation
– Enables isolation of resources and services across consumers
– Example: At storage layer – separation of data at-rest and address space separation
• Availability
– Ensures that resources are accessible to all consumers by adhering to BC practices
• Service assurance
– Ensures that SLOs are met by dedicating runtime resources and QoS control
• Management
– Enables end-to-end infrastructure and service management for service providers
– Provides ability to delegate day-to-day management activities to the consumers

Velocity-of-attack
Refers to a situation where an existing security threat in a cloud may spread
rapidly and have large impact.

• Factors that amplify threats and enable them to spread quickly:
– Large number of infrastructure components
– Homogeneity and standardization in platforms and components

• Mitigation requires:
– Strong and robust security enforcement
– Containment mechanisms

Information Assurance
• Ensures CIA of consumers’ data in the cloud
• Consumers need assurance that all the users:
– Operate on the cloud legitimately
– Access only those data for which they have rights
– Access data only to the degree their policies and their roles permit
• Mitigation requires:
– Strong authentication and authorization mechanisms to validate that:
• Consumers operating in cloud are genuine
• Consumers have the right level of access to resources
– Resilient cloud infrastructure

Data Privacy
• Legally protecting against unauthorized disclosure of sensitive data of a
consumer such as:
– Personally identifiable information
– Details of services requested by a consumer
– Proprietary data of a consumer
• Mitigation requires deploying mechanisms such as:
– Data encryption (both data at-rest and in-transit)
– Data shredding

Data Ownership
• Two scenarios to determine ownership of data:
• Data created on-premise and then stored in the cloud: data ownership remains with the creator based on factors such as:
– Contractual ownership
– Copyright law
– Trade secret
– Intellectual property
• Data created in the cloud environment: determination of who owns the data depends on:
– Terms of services (defined in service contract)
– Type of information
– Country in which it is generated and stored
• Service provider must ensure that consumers own their data

Security Concepts and Relationships

Lesson Summary
During this lesson the following topics were covered:
• Confidentiality, integrity, and availability
• Authentication, authorization, and auditing
• Defense-in-depth and trusted computing base
• Multi-tenancy and velocity of attack
• Information assurance
• Data ownership and data privacy

Lesson: Cloud Security Threats
This lesson covers the following topic:
• Key threats in a cloud environment

Key Security Threats in a Cloud Environment
• Key security threats according to CSA and ENISA
– Data leakage
– Data loss
– Account hijacking
– Insecure APIs
– Malicious insiders
– Denial of service
– Abuse of cloud services
– Shared technology vulnerabilities
– Insufficient due diligence
– Loss of governance and compliance

Data Leakage
• Occurs when an attacker gains access to a cloud consumer’s
confidential data
• Unauthorized access to confidential data may be gained by:
– Compromising password database
– Exploiting poor application design
– Exploiting poor segregation of network traffic
– Exploiting poor encryption implementation
– Through a malicious insider
• Control measure
– Data encryption (both data at-rest and in-transit)
– Data shredding and multi-factor authentication

Data Loss
• Occurs due to various reasons other than malicious attacks
• Causes of data loss in the cloud include:
– Accidental deletion by the provider
– Destruction resulting from natural disasters
• Providers are often responsible for data loss
• Control measure
– Data backup and replication

Account Hijacking
• Occurs when an attacker gains access to consumers’ accounts
Types of attack:
• Phishing
– Social engineering attack used to deceive users
– Carried out by spoofing email containing link to a fake website
– Users’ credentials entered on the fake site are captured
• Installing keystroke-logging malware
– Attacker installs malware in a consumer’s VM
– Malware captures users’ credentials and sends them to the attacker
• Man-in-the-middle
– Attacker eavesdrops on the network to capture credentials

• Control measures: multi-factor authentication, IPSec, IDPS, and firewall

Insecure APIs
• APIs are used to perform activities such as:
– Resource provisioning and configuration
– Resource monitoring and management
– Orchestration
• APIs may be open or proprietary
• Security of cloud services depends on security of APIs
• Control measures
– Design and develop APIs following security best practices
– Perform security review of APIs
– Access to APIs must be restricted to authorized users

Denial of Service (DoS) Attack
• Prevents legitimate users from accessing resources or services
• Could be targeted against compute systems, networks, or
storage resources
• Exhausts key resources, preventing production use by legitimate
consumers
– Example 1: Exhausting network bandwidth or CPU cycles
– Example 2: Exploiting weaknesses in communication protocols
– Example 3: Corrupting domain name server’s cache

Distributed Denial of Service (DDoS) Attack
• DDoS is a variant of DoS attack
• Several systems launch a coordinated DoS attack on target(s)
– DDoS master program is installed on a compute system
– Master program communicates to agents at designated time
– Agents initiate the attack on receiving the command
• Attacker is able to multiply the effectiveness of the DoS attack
• Control measure
– Impose restrictions and limits on resource consumption

Malicious Insiders
An organization’s current or former employee, contractor, or other business
partner who has or had authorized access to an organization's compute
systems, network, or storage.
— Computer Emergency Response Team (CERT)

• Intentional misuse of access to negatively impact CIA
• Control measures:
– Strict access control policies
– Security audit and data encryption
– Disable employee accounts immediately after separation
– Segregation of duties (role-based access control)
– Background investigation of candidates before hiring

Abuse of Cloud Services
• Cloud resources can be misused to perform unauthorized
activities such as
– Cracking an encryption key in minutes or hours
– Distributing pirated software
• Control measures
– Difficult to mitigate merely with the help of tools
– Establish agreement with consumers that have guidelines for
acceptable use of cloud resources

Insufficient Due Diligence
• Understanding the full scope of the undertaking while offering
cloud services
• Risks increase if services are offered without complete
understanding of operational responsibilities such as:
– Incident response
– Encryption
– Governance and compliance
– Security monitoring

Shared Technology Vulnerabilities
• An attacker may exploit the vulnerabilities of tools used to
enable multi-tenant environments
• Examples of threats:
– Failure of mechanisms that provide separation of memory and
storage
– Hyperjacking attack involves installing a rogue hypervisor that
takes control of compute system
• Control measure
– Securing components that are part of trusted computing base

Loss of Compliance
Occurs when a cloud service provider or cloud broker does not adhere to, and
demonstrate adherence to, external laws and regulations as well as
corporate policies and procedures.

• Regulations mandate vulnerability assessment when using certain types of data
– Aimed at discovering potential security vulnerabilities
• Example: PCI compliance for handling credit card data
– Participating cloud provider may prohibit through contract terms
– Cloud brokers and consumers have to rely on provider’s
vulnerability assessment results

Loss of Governance
• Causes of loss of governance:
– Provider outsources its services to third parties
• Impact of outsourcing services to third-parties:
– No control over third-parties, and may impact commitments of the
provider
– Security controls of provider may change impacting terms and
conditions of provider
– Provider may not be able to supply evidence of meeting their
providers’ compliance requirements

Lesson Summary
During this lesson the following topics were covered:
• Data leakage and data loss
• Account hijacking and insecure APIs
• Malicious insiders and denial of service
• Abuse of cloud services and shared technology
vulnerabilities
• Insufficient due diligence
• Loss of compliance and governance

Lesson: Security Mechanisms – I
This lesson covers the following topics:
• Physical security
• Identity and access management

Introduction to Security Mechanisms
• Security mechanisms can be classified as:
– Administrative: security and personnel policies or standard procedures to direct the safe execution of various operations
– Technical: usually implemented through tools or devices deployed on computer systems, networks, or storage
• Technical security mechanisms must be deployed at:
– Compute level
– Network level
– Storage level

Key Security Mechanisms
• Physical security
• Identity and access management
• Role-based access control
• Network monitoring and analysis
• Firewall
• Intrusion detection and prevention system
• Adaptive security
• Port binding and fabric binding
• Virtual private network
• Virtual LAN and virtual SAN
• Zoning and iSNS discovery domain
• Security hypervisor and management server
• Virtual machine hardening
• Securing operating system and applications
• LUN masking
• Data encryption
• Data shredding

Physical Security
• Foundation of overall IT security strategy
• Some of the measures to secure cloud infrastructure are:
– Disabling all unused devices and ports
– 24/7/365 onsite security
– Biometric or security badge-based authentication to grant access
to the facilities
– Surveillance cameras to monitor activity throughout the facility
– Sensors and alarms to detect motion and fire

Identity and Access Management
A process of managing consumers’ identifiers, and their authentication and
authorization to access cloud resources.

• Cloud providers deploy both traditional and new authentication and authorization mechanisms
• Authorization
– Description: restricts accessibility and sharing of files and folders
– Examples: Windows ACLs, UNIX permissions, and OAuth
• Authentication
– Description: enables authentication among client and server
– Examples: Multi-factor authentication, Kerberos, CHAP, and OpenID

Windows ACL and UNIX Permission
Windows ACL
• Types of ACLs:
– DACL: determines access control
– SACL: determines which accesses need to be audited
• Supports object ownership in addition to ACLs
– Child objects inherit ACL of parent object
• Uses SID to control object access
– SIDs uniquely identify a user or a user group

UNIX Permission
• Common permissions: Read/Write/Execute
• Specify operations by ownership relation with respect to a file:
– What can the owner do?
– What can the owner group do?
– What can everyone else do?

OAuth
An open authorization mechanism that allows a client to access protected
resources from a resource server on behalf of a resource owner.

• Entities involved in
authorization:
– Resource owner
– Resource server
– Client
– Authorization server

Multi-factor Authentication
• Multiple factors for authentication:
– First factor: What a user knows? For example, a password
– Second factor: What the user has? For example, a token
– Third factor: Who is the user? or What the user did? For example,
a unique ID or user’s past activity
• Access is granted only when all the factors are validated

Kerberos
A network authentication protocol, which provides strong authentication for
client/server applications by using secret-key cryptography. A client and
server can prove their identity to each other across an insecure network
connection.

Challenge Handshake Authentication Protocol
• Provides a method for initiators and targets to authenticate
each other by utilizing a secret code
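
The mutual exchange described above, as an added example that is not part of the original slides. It uses the response calculation from RFC 1994 (MD5 over identifier, secret and challenge); the class and function names and the secrets are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues a challenge and checks the peer's response."""

    def __init__(self, expected_secret: bytes):
        self._secret = expected_secret
        self._pending = {}      # identifier -> outstanding challenge
        self._next_id = 0

    def new_challenge(self):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256   # identifier is one octet
        challenge = os.urandom(16)                   # fresh and unpredictable
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        # Each challenge is consumed on first use, so a captured response
        # cannot be replayed against it.
        challenge = self._pending.pop(identifier, None)
        if challenge is None:
            return False
        expected = chap_response(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)


def authenticate(authenticator: Authenticator, peer_secret: bytes) -> bool:
    """One direction: the authenticator challenges, the peer answers."""
    identifier, challenge = authenticator.new_challenge()
    # Only the identifier, the challenge and this digest cross the network.
    response = chap_response(identifier, peer_secret, challenge)
    return authenticator.verify(identifier, response)


def mutual_chap(initiator: dict, target: dict) -> bool:
    """Both directions must succeed; each direction has its own secret."""
    target_accepts_initiator = authenticate(
        Authenticator(target["expects_from_peer"]), initiator["own_secret"])
    initiator_accepts_target = authenticate(
        Authenticator(initiator["expects_from_peer"]), target["own_secret"])
    return target_accepts_initiator and initiator_accepts_target


def replay_is_rejected(secret: bytes) -> bool:
    """A response captured for one challenge fails when presented again."""
    auth = Authenticator(secret)
    ident, challenge = auth.new_challenge()
    captured = chap_response(ident, secret, challenge)
    first_use = auth.verify(ident, captured)        # legitimate answer
    same_again = auth.verify(ident, captured)       # challenge already consumed
    new_ident, _ = auth.new_challenge()
    against_new = auth.verify(new_ident, captured)  # different challenge
    return first_use and not same_again and not against_new


# Constructed sample configuration (not real credentials).
INITIATOR = {"own_secret": b"initiator-secret-constructed",
             "expects_from_peer": b"target-secret-constructed"}
TARGET = {"own_secret": b"target-secret-constructed",
          "expects_from_peer": b"initiator-secret-constructed"}
UNKNOWN_TARGET = {"own_secret": b"not-the-configured-secret",
                  "expects_from_peer": b"initiator-secret-constructed"}

if __name__ == "__main__":
    print("configured pair:", mutual_chap(INITIATOR, TARGET))
    print("unknown target: ", mutual_chap(INITIATOR, UNKNOWN_TARGET))
    print("replay rejected:", replay_is_rejected(b"initiator-secret-constructed"))
```

The secret itself is never sent, but its strength still matters because the digest is derived from it; use long random secrets and a different one for each direction.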

OpenID
An open standard for authentication in which a service provider uses
authentication services from an OpenID provider.

Lesson Summary
During this lesson the following topics were covered:
• Physical security
• Windows ACLs and UNIX permissions
• OAuth
• Multi-factor authentication
• Kerberos and CHAP
• OpenID

Lesson: Security Mechanisms – II
This lesson covers the following topics:
• Role-based access control
• Network monitoring and analysis
• Firewall and intrusion detection and prevention system
• Adaptive security
• VPN, VLAN, VSAN, zoning and iSNS discovery domain
• Port binding and fabric binding

Key Security Mechanisms
• Physical security
• Identity and access management
• Role-based access control
• Network monitoring and analysis
• Firewall
• Intrusion detection and prevention system
• Adaptive security
• Virtual private network
• Virtual LAN and virtual SAN
• Zoning and iSNS discovery domain
• Port binding and fabric binding
• Security hypervisor and management server
• Virtual machine hardening
• Securing operating system and applications
• LUN masking
• Data encryption
• Data shredding

Role-based Access Control
• An approach to restrict access to authorized users based on
their respective roles
– Only those privileges are assigned to a role that are required to
perform tasks associated with that role
• Separation of duties ensures that no single individual can both
specify an action and carry it out
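
One way to enforce both points in code, as an added example that is not part of the original slides: roles carry only the permissions their tasks need, and a role assignment is refused if it would let one user both specify and execute a change. All role, permission and user names are hypothetical.

```python
# Each role holds only the privileges needed for its tasks (constructed data).
ROLE_PERMISSIONS = {
    "change_requester": {"change:specify"},
    "change_operator": {"change:execute"},
    "auditor": {"audit:read"},
}

# Permission pairs that no single user may hold together.
SOD_CONFLICTS = [("change:specify", "change:execute")]


class SeparationOfDutiesError(Exception):
    """Raised when an assignment would combine conflicting permissions."""


def permissions_of(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_allowed(assignments, user, permission):
    """Access decision: a user has a permission only through a role."""
    return permission in permissions_of(assignments.get(user, set()))


def sod_violations(assignments):
    """Audit existing assignments; returns (user, perm_a, perm_b) tuples."""
    found = []
    for user, roles in sorted(assignments.items()):
        perms = permissions_of(roles)
        for perm_a, perm_b in SOD_CONFLICTS:
            if perm_a in perms and perm_b in perms:
                found.append((user, perm_a, perm_b))
    return found


def assign_role(assignments, user, role):
    """Return a new assignment map, refusing unknown or conflicting roles."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role: {role}")
    new_roles = set(assignments.get(user, set())) | {role}
    if sod_violations({user: new_roles}):
        raise SeparationOfDutiesError(
            f"{user} would be able to both specify and execute a change")
    updated = dict(assignments)
    updated[user] = new_roles
    return updated


# Constructed sample state.
ASSIGNMENTS = {
    "alice": {"change_requester"},
    "bob": {"change_operator"},
    "carol": {"auditor"},
}
# Constructed example of an assignment made before the check existed.
LEGACY = {"dave": {"change_requester", "change_operator"}}

if __name__ == "__main__":
    print(is_allowed(ASSIGNMENTS, "alice", "change:execute"))
    print(sod_violations(LEGACY))
```

Running `sod_violations` over existing assignments covers the auditing side: it finds combinations that were granted before the check was in place.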

Network Monitoring and Analysis
• A proactive measure to detect and prevent network failure or
performance problems
• Network monitoring can be performed in two ways:
– Active: monitoring tools transmit data between two endpoints that are monitored
– Passive: information about a link or device is collected by probing the link or device
• Mechanisms used to monitor, detect, and prevent attacks are:
– Firewalls, IDPS and network analysis/forensics systems

Firewall
A security mechanism designed to examine data packets traversing a network and
compare them to a set of filtering rules.

• Can be deployed at:
– Network level
– Compute level
– Hypervisor level
• Can be physical or virtual
• Uses various parameters for traffic filtering
• Examples of filtering parameters:
– Source address
– Destination address
– Port numbers and protocols

Firewall
Demilitarized Zone

• Secure internal assets while allowing Internet-based access to resources

Intrusion Detection and Prevention System
A security tool that automates the process of detecting and preventing events
that can compromise the confidentiality, integrity, or availability of IT
resources.

• Signature-based detection technique
– Scans for signatures to detect an intrusion
– Effective only for known threats
• Anomaly-based detection technique
– Scans and analyzes events to detect if they are statistically different from normal events
– Has the ability to detect various events
• Examples of events detected:
– Multiple login failures
– Excessive process failure
– Excessive network bandwidth consumed by an activity
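
The two detection techniques run over the same events, as an added example that is not part of the original slides. The signatures, log format, baseline and log lines are all constructed for illustration; the anomaly check flags any minute whose failed-login count is more than k standard deviations above the baseline mean.

```python
import re
import statistics
from collections import Counter

# Constructed signatures: each is a fixed pattern for one known-bad event.
SIGNATURES = {
    "SIG-001 auditing disabled":
        re.compile(r"audit(ing)? (service )?(stopped|disabled)", re.I),
    "SIG-002 root login over telnet":
        re.compile(r"telnetd.*login.*user=root", re.I),
}

# Constructed log format: "<ISO timestamp> <daemon> FAILED login user=... src=..."
FAILED_LOGIN = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2} \S+ FAILED login ")

# Constructed history: failed logins per minute during normal operation.
BASELINE = [2, 1, 3, 2, 2, 1, 3, 2]

# Constructed log: two routine failures, one audit event, then a burst of 40.
SAMPLE_LOG = [
    "2014-05-01T10:00:05 sshd FAILED login user=alice src=10.0.0.5",
    "2014-05-01T10:00:40 sshd FAILED login user=bob src=10.0.0.6",
    "2014-05-01T10:01:10 auditd audit service stopped by uid=0",
] + [
    f"2014-05-01T10:02:{sec:02d} sshd FAILED login user=admin src=10.0.0.9"
    for sec in range(40)
]


def signature_alerts(lines):
    """Signature-based: report (line number, signature) for every match."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((number, name))
    return alerts


def failed_logins_per_minute(lines):
    """Bucket failed-login events by the minute in their timestamp."""
    counts = Counter()
    for line in lines:
        match = FAILED_LOGIN.match(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


def anomaly_alerts(baseline, counts, k=3.0, min_sd=0.5):
    """Anomaly-based: flag minutes statistically far above the baseline.

    min_sd keeps the threshold meaningful when the baseline never varies.
    """
    mean = statistics.mean(baseline)
    sd = max(statistics.pstdev(baseline), min_sd)
    threshold = mean + k * sd
    return [(minute, n) for minute, n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    print("signature:", signature_alerts(SAMPLE_LOG))
    print("anomaly:  ", anomaly_alerts(BASELINE, failed_logins_per_minute(SAMPLE_LOG)))
```

The burst of login failures matches no signature and is reported only by the anomaly check, while the audit event is reported only by its signature, which is why the two techniques are deployed together.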

Intrusion Detection and Prevention System
Types of IDPS implementations:
• Compute system-based
– Analyzes activity such as system logs and running processes
– IDPS software is susceptible to attacks
• Network-based
– Monitors and analyzes network traffic, network devices, network protocol, and application protocol behavior
– Deployed in the form of appliance or software on compute system
– Usually isolated from malicious applications on compute systems
• Hypervisor-based
– Monitors for anomalies in a hypervisor
– Detection policies are typically kernel-specific

Adaptive Security
A mechanism that integrates with the cloud service providers’ standalone
mechanisms such as IDPS and firewalls and uses heuristics to learn user
behavior and detect fraudulent activity.

• Identifies and blocks anomalies
• Parameters used to learn about a user are:
– Behavioral profile
– Device-related profile
– Type of web browser being used
– Plug-ins used in a browser

Virtual Private Network
• Extends a consumer’s private network across a public network
– Enables applying the internal network’s security and management
policies over the VPN connection
• Two methods to establish a VPN connection:
– Remote access VPN connection
• Remote client initiates a remote VPN connection request
• VPN server authenticates and grants access to cloud network
– Site-to-site VPN connection
• Remote site initiates a site-to-site VPN connection
• VPN server authenticates and grants access to cloud network

Virtual LAN and SAN
• Ensure security by providing isolation over shared
infrastructure
• Restrict communication among different consumers
• Zoning provides additional level of security within a VSAN

Zoning
• Logically segments node ports into groups
• Communication occurs among node ports within a group
• WWPN-based zoning prevents unauthorized access when
node ports are re-cabled to different fabric ports
• Port zoning reduces the risk of WWPN spoofing

iSNS Discovery Domain
• iSNS Discovery Domain
– Functions in the same way as FC zones
– Enables functional groupings of devices in an IP-SAN
– Devices in the same functional group can communicate with one another

Port Binding
• Port binding limits the devices that can be attached to a specific
switch port
Supported environments:
• FC SAN
– Maps a WWPN to a switch port
– WWPN login is rejected when illegitimate host is connected
• Ethernet
– Maps MAC and IP address of a compute system to a switch port
– Switch port forwards a packet only if a MAC and IP address in a packet are mapped to that port

Fabric Binding
• Fabric binding allows only authorized switches to join a fabric
– Ensures unauthorized switches are segmented from a fabric
– Authorized switch can merge into a fabric
– Can be used along with port and port-type locking capabilities

Lesson Summary
During this lesson the following topics were covered:
• Role-based access control
• Network monitoring and analysis
• Firewall, IDPS, and adaptive security
• Port binding and fabric binding
• VPN, VLAN, and VSAN
• Zoning and iSNS discovery domain

Lesson: Security Mechanisms – III
This lesson covers the following topics:
• Security hypervisor and management server
• Virtual machine hardening
• Securing operating system and applications
• LUN masking
• Data encryption
• Data shredding

Key Security Mechanisms
• Physical security
• Identity and access management
• Role-based access control
• Network monitoring and analysis
• Firewall
• Intrusion detection and prevention system
• Adaptive security
• Port binding and fabric binding
• Virtual private network
• Virtual LAN and virtual SAN
• Zoning and iSNS discovery domain
• Security hypervisor and management server
• Virtual machine hardening
• Securing operating system and applications
• LUN masking
• Data encryption
• Data shredding

Securing Hypervisor and Management Server
• Compromising a hypervisor or management server places all
VMs at risk
• Control measures:
– Install security-critical hypervisor updates
– Harden hypervisor using specifications provided by CIS and DISA
– Restrict core functionality to selected administrators
– Encrypt network traffic when managing remotely
– Deploy firewall between management system and rest of the
network
– Rotate or delete log files when they reach a certain size

Virtual Machine Hardening
• Process used to change the default configuration of a VM
• Remove or disable devices that are not required
– Example: disabling USB ports or CD/DVD drives
• Tune configuration of VM features to operate in secure manner:
– Change default passwords
– Set permissions to VM files
– Disallow changes to MAC address assigned to a virtual NIC
• VM templates must be hardened to a known security baseline

Securing Operating Systems and Applications
• Three key security mechanisms for OS and application:
– Hardening OS and applications
– Malware protection software
– Sandboxing

Hardening OS and Applications
• OS hardening:
– Configure system and network components as per a hardening
checklist provided by CIS and DISA
– Delete unused files and applications, and install current OS
updates
– Perform vulnerability scan and penetration test to identify existing
vulnerabilities
• Application hardening:
– Design with proper architecture, threat modeling, and secure
coding
– Install current application updates

Malware Protection Software
• Detects, prevents, and removes malware programs
• Common malware detection techniques:
– Signature-based detection
– Heuristics detection
• Protect applications by providing:
– Process spawning control
– Executable file protection
– System tampering protection
• Protects OS against attacks that modify sensitive areas
– Disallows unauthorized modification of sensitive areas

• Virus code incorporated into application’s executable file
• Virus code executed when infected application runs
– Can be prevented by disallowing modification of application’s executable file

Sandboxing
• Provides a tightly-controlled set of resources on which the
application executes
• Used for testing and verifying unproven or untrusted
applications
• Isolates execution of an application in order to restrict the
resources and privileges

LUN Masking
Refers to the assignment of LUNs to specific host bus adapter world-wide
names.

• Protect against unauthorized access to storage
• Can be implemented on:
– Host
– Switch
– Storage system
• Stronger variant of LUN masking uses source Fibre
Channel address

Data Encryption
Data Encryption

A cryptographic technique in which data is encoded and made indecipherable to eavesdroppers or hackers.

• Enables securing data in-flight and at-rest
• Provides protection from threats, such as data tampering,
media theft, and sniffing attacks
• Data encryption mechanism can be deployed at compute,
network, and storage
• Data should be encrypted as close to its origin as possible

Data Shredding

A process of deleting data or residual representations (sometimes called remanence) of data and making it unrecoverable.

• Techniques for shredding data stored on tapes:
– Overwriting tapes with invalid data
– Degaussing media
– Destroying tapes
• Techniques for shredding data stored on disks and flash drives:
– Shredding algorithms
• Shred all copies of data including backup and replicas
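
An overwrite of the kind a shredding algorithm performs, as an added example that is not part of the original slides. The function name `shred_file`, the pass count, the zero-filled final pass and the sample file are assumptions made for illustration.

```python
import os
import secrets
import tempfile


def shred_file(path, passes=3, chunk=64 * 1024, unlink=True):
    """Overwrite a file in place, verify the final pass, then optionally delete it.

    Caveat: an in-place overwrite only reaches the blocks currently mapped to
    the file. Flash wear levelling, copy-on-write file systems, snapshots,
    backups and replicas can still hold older copies.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(passes):
            final = n == passes - 1
            f.seek(0)
            remaining = size
            while remaining:
                block = min(chunk, remaining)
                # Random data on early passes, zeros on the last so it can be verified.
                f.write(bytes(block) if final else secrets.token_bytes(block))
                remaining -= block
            f.flush()
            os.fsync(f.fileno())          # force this pass out to the device
        f.seek(0)
        verified = all(not any(buf) for buf in iter(lambda: f.read(chunk), b""))
    if unlink:
        # Rename first so the original file name does not linger in the directory.
        anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
        os.rename(path, anon)
        os.remove(anon)
    return {"bytes": size, "passes": passes, "verified": verified}


def demo():
    """Constructed sample: a temporary file holding a made-up secret."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"card=4111-constructed-sample\n" * 1000)
    os.close(fd)
    report = shred_file(path, unlink=False)
    with open(path, "rb") as f:
        leftover = f.read()
    shred_file(path, passes=1)            # second call also removes the file
    return report, leftover, os.path.exists(path)
```

The overwrite covers one copy only, which is why the slide's last bullet asks for the same treatment of backups and replicas.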

Security as a Service

Refers to the provision of security applications and services via the cloud
either to cloud-based infrastructure and software or from the cloud to the
customers’ on-premise systems. This will enable enterprises to make use of
security services in new ways, or in ways that would not be cost effective if
provisioned locally.
— Cloud Security Alliance, “Security as a Service” Version 1.0 (2011)

• Enables consumers to reduce CAPEX on security deployments
• Enables reducing security management burden on consumers
• Security policies implemented are dictated by consumers

Lesson Summary
During this lesson the following topics were covered:
• Security hypervisor and management server
• Virtual machine hardening
• Securing operating system and applications
• LUN masking and data encryption
• Data shredding and Security as a Service

Lesson: Governance, Risk, and Compliance (GRC)
This lesson covers the following topics:
• Focus areas of cloud governance
• Key steps of risk management
• Types of compliance that control IT operations in cloud
• Key auditing activities in cloud

Introduction to GRC
GRC

A term encompassing processes that help an organization to ensure that their acts are ethically correct and in accordance with their risk appetite (the risk level an organization chooses to accept), internal policies and external regulations.

• GRC work together to enforce policies and minimize risks
– Governance is the authority for making policies
– Risk management involves identifying resources that should
not be accessed by certain users to preserve CIA
– Compliance management assures that policies are being
enforced by implementing mechanisms

Governance

Determine the purpose, strategy, and operational rules by which companies are directed and managed.

• Enterprise governance is based on business strategy
– IT governance is a subset discipline of enterprise governance
– Objective of IT governance is to determine desired behavior to achieve IT’s strategic goals
• IT governance requires defining roles and responsibilities for:
– Directing, controlling, and executing decisions
– Determining information required to make decisions
– Handling exceptions

Risk Management
Risk and Risk Management

Risk is the effect of uncertainty on business objectives. Risk management is a systematic process of assessing its assets, placing a realistic valuation on each asset, and creating a risk profile that is rationalized for each information asset across the business.

Compliance

Act of adhering to, and demonstrating adherence to, external laws and
regulations, corporate policies and procedures, service provider's own
demands, consumers' demands, and/or the demands of participating cloud
providers (in case of hybrid cloud and cloud brokers).

• Two types of compliance policies control IT operations:
– Internal policy compliance
  • Controls the nature of IT operations within an organization
  • Requires maintaining the same compliance when operating in cloud
– External policy compliance
  • Controls the nature of IT operations related to the flow of data out of the organization
  • May differ based upon the type of information, and business

Compliance Management

Ensures that the cloud services, service creation processes, and cloud
infrastructure resources adhere to relevant policies and legal requirements.

• Policies and regulations may be based on:
– Configuration best practices
– Security rules
– Change control processes
• Compliance management activities include:
– Periodic review of compliance enforcement
– Identifying deviations and initiating corrective actions

Auditing

A process that determines the validity and reliability of information about the
enforcement of controls presented by a provider. Audit also provides an
assessment of the cloud provider’s control mechanisms and their ability to
provide consumers with the logs required to verify the mechanisms.

• Performed by internal auditors or external auditors
• Cloud auditor is a role that audits cloud infrastructure
– Evaluates a provider in terms of:
• Security controls
• Privacy

Key Auditing Activities in the Cloud
Security Audit

• Determine how consumers’ data is segregated from each other
• Evaluate security mechanisms and ensure they are in
accordance with provider’s internal policies
• Determine how identity management is performed
• Determine whether adequate DR processes are available
• Evaluate whether appropriate governance processes are
available

Key Auditing Activities in the Cloud
Privacy Audit

• Evaluate use of encryption to protect consumers’ data
• Determine level of access provider’s employees have to
consumers’ resources and data
• Evaluate processes for controlling consumers’ access
• Evaluate whether data retention and destruction practices are
in accordance with privacy laws

Lesson Summary
During this lesson the following topics were covered:
• Governance in the cloud
• Risk management for the cloud
• Compliance for the cloud
• Cloud auditing

Concepts in Practice
• RSA SecurID
• RSA Security Analytics
• RSA Archer eGRC
• RSA Adaptive Authentication
• VMware vCloud Networking and Security

RSA Security Products

SecurID
• Provides two-factor authentication
• To access a resource, a user must combine their secret PIN with token code
• New token code is generated every 60 seconds

Security Analytics
• Enables detection and investigation of threats often missed by other security tools
• Single platform captures and analyzes large amounts of network, log, and other data
• Enables analysis of terabytes of metadata, log data, and recreated network sessions

Archer eGRC
• Enables organization to:
– Manage risks
– Demonstrate compliance
– Automate business processes
– Gain visibility to corporate risk and security controls
• Provides a single point of visibility and coordination for physical, virtual, and cloud assets
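
The SecurID bullets above describe a secret PIN combined with a token code that changes every 60 seconds. The following added example is not RSA's code: the slides do not describe SecurID's algorithm, so the token code here is standard RFC 6238 TOTP with a 60-second step, and the six-digit length, the `Verifier` class, the seed and the PIN are assumptions or constructed values.

```python
import hashlib
import hmac
import struct

STEP = 60     # seconds per token code, as stated on the slide
DIGITS = 6    # assumption: the code length is not given on the slide


def token_code(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) with a 60-second time step."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def pin_hash(pin: str, salt: bytes) -> bytes:
    """The server stores a salted, stretched PIN hash, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Verifier:
    """Server side: checks both factors and refuses replayed codes."""

    def __init__(self, seed: bytes, pin: str, salt: bytes):
        self.seed, self.salt = seed, salt
        self.pin_digest = pin_hash(pin, salt)
        self.last_counter = -1      # highest time step already accepted

    def verify(self, pin: str, code: str, now: int, drift: int = 1) -> bool:
        pin_ok = hmac.compare_digest(pin_hash(pin, self.salt), self.pin_digest)
        matched = None
        for delta in range(-drift, drift + 1):     # tolerate token clock skew
            t = now + delta * STEP
            if t >= 0 and hmac.compare_digest(token_code(self.seed, t), code):
                matched = t // STEP
        if not pin_ok or matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched                # a code is valid only once
        return True


# Constructed sample values: the RFC 4226 test seed and a made-up PIN.
SEED = b"12345678901234567890"
server = Verifier(SEED, pin="4921", salt=b"constructed-salt")
```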

RSA and VMware Security Products
RSA Adaptive Authentication
• Provides an authentication and fraud detection platform
• Measures login and post-login activities by evaluating risk indicators
• Provides transparent authentication when protecting:
– Web sites and online portals
– Mobile applications and browsers
– ATM, SSL, and VPN
– Web access management applications

VMware vCloud Networking and Security
• Virtualizes networking and security to enable greater agility, efficiency, and extensibility in the data center
• Delivers software-defined networks and security with a broad range of services including:
– Virtual firewall
– Virtual private network
– Load balancer
– VXLAN

Module Summary
Key points covered in this module:
• Key security terminologies
• Key security threats in the cloud
• Security mechanisms for the cloud
• Governance, risk, and compliance
