Week12 SDN Security

The document discusses the complexities of data location and security in cloud environments, emphasizing that users often lack awareness of where their data is stored. It highlights the importance of trust in storage administrators and outlines strategies for preventing data loss, including understanding data types and implementing Data Loss Prevention (DLP) measures. Additionally, it addresses the need for auditing and logging to ensure compliance with regulations and the role of encryption in protecting data in motion and at rest.

Uploaded by Kathleen Pacanut
Copyright © All Rights Reserved

SDN

SDN security

1
Where’s My Data, Exactly?
• A user’s data is not necessarily in the user’s local data center; it may instead be hosted in a regional data center, and again this was not something the user was aware of or was interested in knowing.

2
Data Location and Security
• Users don’t need to know the location of their data if they have confidence and trust in the storage administrators (the company) to store their data in accordance with the three tenets of security:
• Confidentiality
• Integrity
• Availability

3
• Big cloud providers (Google, Amazon, and Microsoft, among others) all have global networks and could be (and probably are) storing your company data in any part of the world.
• Other, smaller cloud providers may not have that scale, but they are just as opaque in their storage policies. After all, these providers are storing your private and confidential data on proprietary cloud storage networks in locations you perhaps cannot verify and will have little chance of auditing.

4
Baxtel, Amazon IAD71 Data Center
5
A block diagram of AWS storage. AWS does not guarantee that it can or will provide details on the exact physical location of customer data.

6
7
Preventing Data Leakage
• Unauthorized removal of data from businesses has long been a problem, especially with the advent of high-capacity removable storage.
• BYOD (bring your own device)
• BYOC (bring your own cloud)
• When employees do this on their own, using a cloud that the company does not control, they inadvertently create a huge security problem and most of the time are not in compliance with information security policies.
8
Minimizing Data Loss
• There are two key steps in minimizing data loss:
• Apply the risk formula for data loss (Risk = Impact × Rate of occurrence).
• Apply the 80:20 rule of data loss to identify where you are likely to experience a high-impact data breach.
• Then use the Pareto 80:20 rule to find the 80% of the records and files compromised by the 20% of breach vectors (hacking, cloud uploads, data being transferred to removable media, BYOD devices).
9
• To understand how to approach data loss prevention, organizations first need to understand and identify the type of data they are trying to protect:
• Data in motion (traveling across the network)
• Data in use (being used at the endpoint)
• Data at rest (sitting idle in storage)
• Second, identify data as described or registered:
• Described: Out-of-the-box classifiers and policy templates, which help identify types of data. This is helpful when looking for content such as personally identifiable information.
• Registered: Data is registered to create a “fingerprint,” which allows full or partial matching of specific information such as intellectual property.

10
11
• Because most data loss is via cloud uploads, data transferred to removable media, and BYOD devices, we need to apply our efforts to the network and to data in motion and data in use.
Data Loss Prevention (DLP)
• There are two basic types of DLP:
• Full-suite DLP: covers the complete spectrum of leakage vectors, from data moving through the network (data in motion) and data at the computer or endpoint (data in use) to data stored on server drives or in a storage-area network (SAN) (data at rest).
• Channel DLP: a product typically designed for some other function but modified to provide visibility and DLP functionality, such as email security, web gateways, and device control.

12
Intrusion Detection Systems (IDS)
• The earliest DLP solutions used deep packet inspection (DPI) to perform pattern detection in a similar manner to IDS.
• IDS detects malicious patterns, known as signatures, in files. DLP used these techniques to identify patterns such as account numbers or credit card information.

13
14
• Today most DLP solutions use a technique called data fingerprinting. The DLP uses the fingerprinting process on data in the database (structured data) and on data in files and documents (unstructured data).
• The fingerprinting process creates a one-time hash of the structured and unstructured data and stores it in a database as a unique reference.

15
• DLP uses data fingerprints to identify files or partial files as it scans them looking for sensitive information, and it can then block them from leaving the network.
• However, DLP is not always about prevention, despite its name; many companies prefer just to detect the movement of data out of their network, because they fear that blocking data flow could have a detrimental effect on business processes.
• Blocking can be performed on email and web mail access.
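As an added illustration (not from the slides) of the fingerprinting described above: a document is registered as a set of one-way hashes over overlapping word windows, and outbound text is then scanned for full or partial matches without the database ever holding the original content. The five-word window size, the registration class, and the sample memo and messages are all constructed for this example.

```python
import hashlib
import re

SHINGLE_WORDS = 5   # assumed granularity: one fingerprint per five-word window

def tokenize(text: str) -> list:
    """Normalise case and punctuation so reformatting does not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprint(text: str) -> set:
    """One-way hashes of every overlapping word window; the raw text is never stored."""
    words = tokenize(text)
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()
            for i in range(len(words) - SHINGLE_WORDS + 1)}

class FingerprintDB:
    """Registration database: fingerprint hash -> names of the documents containing it."""
    def __init__(self):
        self.index = {}

    def register(self, name: str, text: str) -> int:
        hashes = fingerprint(text)
        for h in hashes:
            self.index.setdefault(h, set()).add(name)
        return len(hashes)

    def scan(self, text: str, threshold: float = 0.3) -> dict:
        """Share of the scanned text's windows that hit each registered document."""
        windows = fingerprint(text)
        counts = {}
        for h in windows:
            for name in self.index.get(h, ()):
                counts[name] = counts.get(name, 0) + 1
        return {name: c / len(windows) for name, c in counts.items()
                if c / len(windows) >= threshold}

# Constructed sample documents: a registered design memo and two outbound messages.
MEMO = ("Project Falcon turbine blade: the leading edge uses a proprietary cobalt "
        "alloy cast in a vacuum furnace, then coated with a ceramic thermal barrier "
        "that extends service life by roughly forty percent over the previous design.")
LEAK = ("FYI from the memo: the leading edge uses a proprietary cobalt alloy cast in "
        "a vacuum furnace. Let me know what you think about sending this to the partner.")
CLEAN = "Lunch is at noon on Friday, please bring the quarterly sales figures with you."

def demo() -> dict:
    """Register the memo, then scan a partial copy and an unrelated message."""
    db = FingerprintDB()
    db.register("falcon-memo", MEMO)
    return {"leak": db.scan(LEAK), "clean": db.scan(CLEAN)}
```

A partial copy scores by the fraction of its windows found in the index, which is what lets the DLP flag an excerpt pasted into an email without having the memo text on the scanning box.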

16
• For email, the DLP acts as a mail transfer agent, which provides the technological means to selectively block or allow individual email messages.
• However, blocking other protocols is not so easy and requires that the traffic crossing the wire be analyzed in real time using DPI.
• Another method commonly used is to implement an Internet Content Adaptation Protocol (ICAP) proxy server to filter all HTTP, HTTPS, and FTP requests at the gateway and redirect them to the DLP for analysis and inspection of the traffic for violations.
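As an added example (not from the slides) that combines the IDS-style pattern detection and the ICAP proxy redirection described above: a described classifier for card numbers (regex plus Luhn check), and a minimal REQMOD exchange in which the gateway encapsulates the upload, the DLP service scans the body, and it answers 204 (forward unchanged) or 200 with a replacement 403. The ICAP service URL, host names and sample upload are constructed; the card number is the standard Visa test number.

```python
import re

# Constructed sample upload; the card number is the well-known Visa test number.
SAMPLE_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n"
                  b"Content-Length: 43\r\n\r\n"
                  b"customer card 4111 1111 1111 1111 exp 12/29")
# Described classifier: 13-19 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Pattern detection in the IDS/DPI style: regex candidates, then Luhn filter."""
    candidates = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    return [d for d in candidates if luhn_ok(d)]

def icap_reqmod(http_request: bytes) -> bytes:
    """Gateway side: wrap the HTTP request in an ICAP REQMOD message (RFC 3507)."""
    head, body = http_request.split(b"\r\n\r\n", 1)
    head += b"\r\n\r\n"
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)   # ICAP bodies are chunked
    return (b"REQMOD icap://dlp.example.test/reqmod ICAP/1.0\r\nHost: dlp.example.test\r\n"
            b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(head)) + head + chunked

def dlp_inspect(icap_message: bytes) -> bytes:
    """DLP side: unwrap the encapsulated body, scan it, and answer the gateway."""
    icap_head, rest = icap_message.split(b"\r\n\r\n", 1)
    encapsulated = re.search(rb"Encapsulated: (.*)", icap_head).group(1).decode()
    offsets = dict(part.strip().split("=") for part in encapsulated.split(","))
    size, _, tail = rest[int(offsets["req-body"]):].partition(b"\r\n")
    body = tail[:int(size, 16)].decode(errors="replace")
    if find_card_numbers(body):   # violation: hand back a replacement 403 response
        denied = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
        return b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, null-body=%d\r\n\r\n" % len(denied) + denied
    return b"ICAP/1.0 204 No Content\r\n\r\n"   # clean: gateway forwards it unchanged

def gateway_decision(http_request: bytes) -> str:
    """The whole exchange: gateway encapsulates, DLP inspects, gateway enforces."""
    reply = dlp_inspect(icap_reqmod(http_request))
    return "allow" if reply.startswith(b"ICAP/1.0 204") else "block"
```

The Luhn filter is what keeps a DPI-style classifier from alerting on every 16-digit order number; in a detect-only deployment the 200 branch would log the hit and still return 204.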
17
18
Why Auditing?
• CSPs must also allow independent and recognized auditing companies to audit their service to ensure it meets regulatory compliance requirements.
• These regulations include the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), depending on the industry, which means providers may supply their services in community or hybrid deployment modes to ensure that they meet specific industry regulations.

19
Logging & Auditing (1)
• It should be obvious why a business would want to have access to logs on their local network. Reasons include the following:
• The ability to detect and/or track suspicious behavior
• Providing support for troubleshooting, maintenance, and operations
• Support for forensic analysis

20
Logging & Auditing (2) – some solutions
• A virtual machine as a log collector.
• Each virtual machine in the IaaS cloud sends its individual logs back to the company’s data center for aggregation and analysis.
• Send the log traffic directly to a managed security partner or, as shown here, to a third-party auditor (TPA) and have them deal with it all.

21
22
Encryption in Virtual Networks – Data in motion
IPsec VPNs are a good way to encrypt data over the WAN, but the encryption terminates at the cloud edge, leaving data in the clear within the cloud.

23
Encryption in Virtual Networks – Data at rest
Not all data needs to be encrypted. Companies should have some process to determine what types of data need extra security.

24
25
