

Flava SecureG: Highest Security Cloud Environment After LY Corporation Merger

This session introduces the measures taken in our private cloud, "Flava", to meet high security requirements. After an overview of the private cloud, we look back at how LINE and Yahoo! JAPAN each built applications with high security requirements, and then explain the new security approach that emerged from the merger of the two companies. Beyond specific security controls, we also discuss how to think about security from a more abstract viewpoint and how to apply that thinking to a real cloud system.


Transcript

  1. Disclaimer
    • This presentation reflects the state at the time of presentation and is subject to change.
    • Details about the management of specific information will not be covered.

  2. Self-Introduction
    • Hiroki Shirokura
    • Principal Software Engineer / Engineering Manager @ Service Infrastructure Group
    • Responsibility: Flava (our Private Cloud)
    • SDN, Cloud, Security
    • Architect, Operation, People Manager
    • HN: slankdev

  3-4. Today's Message
    • This presentation is not about:
      ◦ Technical checklists for high security and its best practices (VDI, traffic logs, etc.)
    • Instead, we focus on:
      ◦ Universal philosophies & principles for data processing (computing), data storing (storage), and data communication & access control (network)

  5. Our Security Vision
    • Security: for protecting user data
    • Agility: for market needs and trends
    • LY's Game Changing

  6. We are the Private Cloud Company
    • LINE Cloud (LINE services): Single Big OpenStack Cluster; Single Big Shared Network; Fragmented Secure Network
    • YJ Cloud (YJ services): Many OpenStack Clusters; Physically Separated Multiple Networks; Fragmented Secure Network
    • Flava (LY Cloud): Single Big OpenStack Cluster; Multiple Virtual Overlay Networks on a Single Big Shared Underlay Network; No Fragmented Facility for Any Security Level
    • We merged 2 different infra requirements and implementations into a new cloud called Flava
      ◦ Instead of choosing one over the other
      ◦ We built an entirely new solution

  7-10. "Fundamental Solutioning" through the Technology
    • HTTP Driver: LINE and YJ experienced scalability issues with OpenStack due to the performance limitations of RabbitMQ, but by inventing a special internal messaging driver called "HTTP Driver", we unlocked OpenStack's scale limit and achieved a super-scale OpenStack cluster size.
    • VPC: With the introduction of VPC, networks can be flexibly separated for each service. Each network has a different security level, and all of them can be constructed on a single physical device. This improves security and reduces equipment costs.
    • IAM: Provides Athenz-based authentication and authorization functions not only for the cloud control plane but also for data plane communication. Certificate-based access control enables flexible control and minimizes permissions.

  11-12. Flava - Products
    • Project & Management: IAM, Operation log, Audit log, Approval, Notice, Monitoring
    • Compute & Container: Server, Kubernetes, Container registry, ML Runner, App Runner, Function, Batch, Event Bridge
    • Network: CDN, DNS, VPC, Network LB, Application LB, Frontend proxy, Egress proxy, GSLB, Service Map, Traffic Director
    • Storage: File storage, Block storage, Object storage
    • Database: MySQL, Redis, Cassandra, OpenSearch, MongoDB, PostgreSQL
    • Security: Secret Manager, Certificate Manager
    • Application Integration: MQ for Pulsar,

  13-19. (Past) Actual Fintech Service Infrastructure Architecture: There Are So Many Human Operations
    • Fintech Team (infrastructure user): uses machine resources; designs infrastructure requirements; submits the requirements to the Security Team and Infra Team
    • SecTeam (infrastructure user): manages security resources (FW, IDS, etc.); designs security infrastructure requirements; submits the requirements to the infrastructure operator
    • SysTeam / NetTeam (infrastructure operator): manage infrastructure resources (hypervisor, VM, wire, VLAN); design infrastructure from user requirements
    • Diagram components: Fintech Segment, Underlay Network, Internet, Other Site (Private Line, Site to Site VPN), HWLB, IDS, TAP
    • Human operation steps:
      (1) Deploy network devices
      (2) Configure network appliances to set up each VLAN
      (3) Deploy hypervisors and servers
      (4) Check the IDS status and set firewall rules
      (5) Deploy the server-side application on the server
      (6) Deploy additional components
      (7) Deploy network devices
      (8) Update firewall rules

  20-22. (Past) Many Workflows for High Secure
    • Systems involved across LINE Cloud and YJ Cloud: Workflow System1 (YJ), Workflow System2 (YJ), Workflow System1 (L), Workflow System2 (L), Security Consulting System, Security Assessment System
    • ACL systems: ACL System1 for normal (for the normal environment); ACL System2 for secure and ACL System3 for secure (for the secure environment)
    • Developers are always confused by each security policy and its workflows during development and operation with high security requirements

  23-24. Summary: Existing High Security Environment
    • CAPEX concern
      ◦ Fragmented infrastructure per project
      ◦ Hard to estimate scale
    • OPEX concern
      ◦ Operation costs for fragmented infrastructures
      ◦ Gap between the normal env and the secure env

  25-29. Flava SecureG Project
    • To provide the highest security environment with our Private Cloud as a normal feature
    • To cover ex-L, ex-YJ high security services
      ◦ Pay, Commerce, etc.
    • To achieve
      ◦ PCI-DSS, 2G3M Jp Guideline (3省2ガイドライン)
      ◦ LY Security Policy
    • Vision: Security x Agility

  30-39. Information Classification & Network Segmentation
    • VPC Network Segments (from less to more secure): Prod (Default Network), Pluto (Direct External Access), Tool (Back Office Tools), Secret, Top Secret
    • Information Classification (from less to more secure): Public, Internal Use Only, Restricted, Secret, Top Secret
      ◦ Top Secret was formerly called Gokuhi (極秘, 극비)
      ◦ Personal Information (highlighted on the classification axis)

  40-47. Differences between Network Segments
    • Access Control Policy
      ◦ Type-1: Default Permitted Rules
      ◦ Type-2: Additional Permit Rule Approval Policy (No Approval)
      ◦ Type-3: Additional Permit Rule Approval Policy (Require Approval with XXX)
    • Example
      ◦ Type-1: Monitoring System, Container Registry
      ◦ Type-2: Whitelisted ports between Prod <-> Tool
      ◦ Type-2: Any connection between Prod <-> Prod
      ◦ Type-3: Any connection between Secret <-> Secret
      ◦ Type-3: Any connection between Top Secret <-> Top Secret
    • Key difference: (Prod) vs. (Secret, Top Secret)

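The Type-1/2/3 classification above, written out as a small policy model. This is an added example, not Flava's code: the segment names and the listed rules come from the slides, while the platform host names, the Prod <-> Tool port whitelist, and the decision that unlisted (cross-level) requests require approval are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class PolicyType(IntEnum):
    TYPE_1 = 1  # default permitted rules: no ACL change needed
    TYPE_2 = 2  # additional permit rule, no approval required
    TYPE_3 = 3  # additional permit rule, approval required


# VPC network segments as listed on the slides, in ascending security order.
SEGMENTS = ("Prod", "Pluto", "Tool", "Secret", "Top Secret")

# Type-1 destinations: the slides name the monitoring system and the container
# registry; these host names and ports are constructed for the example.
DEFAULT_PERMITTED = {
    ("monitoring.flava.example", 443),
    ("registry.flava.example", 443),
}

# Type-2 whitelisted ports between Prod and Tool (the port set is an assumption).
PROD_TOOL_WHITELIST = {22, 443, 3306}


@dataclass(frozen=True)
class AclRequest:
    src_segment: str
    dst_segment: str
    dst_host: str
    dst_port: int


def classify(req: AclRequest) -> PolicyType:
    """Map one requested permit to the policy type the slides define."""
    for seg in (req.src_segment, req.dst_segment):
        if seg not in SEGMENTS:
            raise ValueError(f"unknown segment: {seg}")
    # Type-1: platform services permitted by default from every segment.
    if (req.dst_host, req.dst_port) in DEFAULT_PERMITTED:
        return PolicyType.TYPE_1
    pair = {req.src_segment, req.dst_segment}
    # Type-2: any Prod <-> Prod connection, or a whitelisted Prod <-> Tool port.
    if pair == {"Prod"}:
        return PolicyType.TYPE_2
    if pair == {"Prod", "Tool"} and req.dst_port in PROD_TOOL_WHITELIST:
        return PolicyType.TYPE_2
    # Type-3: Secret <-> Secret and Top Secret <-> Top Secret need approval.
    if pair in ({"Secret"}, {"Top Secret"}):
        return PolicyType.TYPE_3
    # Assumption: everything the slides do not list (cross-level traffic such as
    # Prod -> Secret, non-whitelisted Prod <-> Tool ports, Pluto) also needs approval.
    return PolicyType.TYPE_3


def plan(requests):
    """Split a batch of requests into rules that can be applied now and rules that wait for approval."""
    auto, pending = [], []
    for req in requests:
        kind = classify(req)
        if kind == PolicyType.TYPE_1:
            continue  # already permitted, nothing to push to the dataplane
        (auto if kind == PolicyType.TYPE_2 else pending).append(req)
    return auto, pending
```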
  48. Infrastructure Usage in Flava
    • AS-IS: "tech-verse" VPC with a "prod" network containing VM1
    • TO-BE: "tech-verse" VPC with the "prod" network (VM1) plus a "topsecret" network (VM2)
    • Steps:
      1. Create the VPC network "topsecret"
      2. Create VMs in "topsecret"
      3. Append ACL permit rules in "topsecret"

  49-51. Data Access via VDI
    • Prevent data leakage from the secure environment
      ◦ SCP, filesystem, etc.
    • Track human operations
      ◦ For incident response
    • All Tools. All Risks. One Place.
      ◦ Unified control of tools & risk surface
    • Access path: Office or VPN -> Secure Room -> VDI -> Normal Jump Server (Prod VPC Network) / Secret Jump Server (Secret VPC Network) / Top Secret Jump Server (TopSecret VPC Network)
    • VDI restrictions: clipboard, file transfer
    • Screen recording for post-audit of operations

  52-54. Physical Isolation
    • Stricter hardware control for highly classified data (locked door, CCTV)
    • Full-rack coverage is simple but costly → handle by classification + separate via software
    • Physical placement scheduling is done by the software layer (special scheduling by the Nova scheduler): VM (attaching the network) -> Network (has segment type) -> Segment type = Top Secret
    • Logical viewpoint: VPC1 with a "prod" network (VM1, DB1, volume1) and a "topsecret" network (K8s1, DB2, volume2)
    • Physical viewpoint: Datacenter Room with a Normal Rack (hypervisor + storage server hosting VM1, DB1, volume1; low cost but lower security) and a Secure Rack (hypervisor + storage server hosting K8s1, DB2, volume2; high security but expensive, with additional security such as rack side panels and a physically locked door)

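The placement chain described above (VM -> attached network -> segment type -> rack), modelled as a filter-and-weigh step in the shape of a Nova host filter. This is an added example, not Flava's Nova scheduler code: the host inventory is constructed, and keeping non-Top-Secret VMs off the Secure Rack to preserve its capacity is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Network:
    name: str
    segment_type: str  # one of Prod, Pluto, Tool, Secret, Top Secret


@dataclass(frozen=True)
class Host:
    name: str
    rack: str          # "normal" or "secure"
    free_vcpus: int


@dataclass(frozen=True)
class VmSpec:
    name: str
    vcpus: int
    networks: tuple    # Network objects the VM attaches


# The slides show the Top Secret segment type forcing placement on a Secure Rack.
SECURE_RACK_SEGMENTS = frozenset({"Top Secret"})


def required_rack(spec: VmSpec) -> str:
    """VM -> attached networks -> segment types -> rack requirement."""
    if any(n.segment_type in SECURE_RACK_SEGMENTS for n in spec.networks):
        return "secure"
    return "normal"


def host_passes(host: Host, spec: VmSpec) -> bool:
    """Filter step, shaped like a Nova host filter: rack type and capacity must fit.

    Assumption: a VM without a Top Secret network is kept off the Secure Rack so
    the expensive capacity stays available for the workloads that need it.
    """
    return host.rack == required_rack(spec) and host.free_vcpus >= spec.vcpus


def schedule(spec: VmSpec, hosts) -> Optional[str]:
    """Weigh step: pick the passing host with the most free vCPUs; None if nothing fits."""
    candidates = [h for h in hosts if host_passes(h, spec)]
    if not candidates:
        return None
    return max(candidates, key=lambda h: h.free_vcpus).name


# Constructed inventory mirroring the slide: one Normal Rack, one Secure Rack.
HOSTS = (
    Host("hv-normal-1", "normal", 16),
    Host("hv-normal-2", "normal", 8),
    Host("hv-secure-1", "secure", 4),
)
PROD_NET = Network("prod", "Prod")
TOPSECRET_NET = Network("topsecret", "Top Secret")
```

A VM attached to both networks is treated as Top Secret because the stricter segment wins; a Top Secret VM that does not fit the Secure Rack is not silently placed on a Normal Rack.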
  55-61. Data Storing & Computing
    • Layers: Remote Storage -> HV Disk -> VM -> DB -> App -> User
    • Patterns shown, from processing plain data in some layer to E2EE:
      ◦ Plain data at every layer
      ◦ Encryption only at the storage layer (Enc Data on remote storage, plain data above)
      ◦ App-managed encryption key (plain data only inside the app; Enc Data in DB, VM, HV Disk and remote storage)
      ◦ E2EE with a user-managed key (Enc Data at every layer)
    • The questions: where do we encrypt the data, and where do we manage the key?
    • If the data is really important, we will protect data access with VDI

  62-66. Data Communications
    • Path: User (Enc Key) -> Pkt Fwd -> Proxy -> App (Enc Key), with ACL enforced along the path
    • Pkt Fwd (router, switch) is just forwarding packets, which are already encrypted
    • Proxy terminates the application-layer connection and processes plain data
      ◦ Extract only in memory
      ◦ No logging of sensitive data to file or stdout
    • ACL: no human operation to update the ACL; all ACL dataplane configuration is done by the security management system

  67-69. Lesson Learned
    • Re-defining the security policy from the design
      ◦ Many "chicken and egg" problems
    • Abstracting and generalizing from the specified protocol
      ◦ The philosophy of asking "why"
        ▪ Data definition
        ▪ Communication path
        ▪ Encryption status
        ▪ Access control
        ▪ Auditing

  70-73. Summary & Future Works
    • Migration
    • Tracking technical-viewpoint risks
    • Continuous audit
      ◦ Permitted ACL but no traffic
      ◦ Dropped logs for a long time
      ◦ Permitted but a bit risky configuration
    • This presentation is not about:
      ◦ Technical checklists for high security and its best practices (VDI, traffic logs, etc.)
    • Instead, we focus on:
      ◦ Universal philosophies & principles for data processing (computing), data storing (storage), and data communication & access control (network)
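The three continuous-audit conditions listed under Summary & Future Works, run over a constructed rule set and flow log. This is an added example, not Flava's audit system: the ACL rule shape and the log line format are constructed, "dropped logs for a long time" is read as the same flow being dropped on several distinct days, and "a bit risky" is taken to mean an any-source or any-port permit.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    rule_id: str
    src: str             # CIDR
    dst: str             # CIDR
    port: Optional[int]  # None means any port


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str          # "ACCEPT" or "DROP"


def parse_flow(line: str) -> Flow:
    """Constructed log format: '<ISO timestamp> <src> <dst> <dst_port> <ACCEPT|DROP>'."""
    ts, src, dst, port, action = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(port), action)


def rule_matches(rule: AclRule, flow: Flow) -> bool:
    return (ip_address(flow.src_ip) in ip_network(rule.src)
            and ip_address(flow.dst_ip) in ip_network(rule.dst)
            and (rule.port is None or rule.port == flow.dst_port))


def unused_permits(rules, flows, now, window):
    """'Permitted ACL but no traffic': permit rules that no ACCEPT flow used inside the window."""
    recent = [f for f in flows if f.action == "ACCEPT" and now - f.ts <= window]
    return [r.rule_id for r in rules if not any(rule_matches(r, f) for f in recent)]


def persistent_drops(flows, min_days):
    """'Dropped logs for a long time': the same (src, dst, port) dropped on >= min_days distinct days."""
    days = defaultdict(set)
    for f in flows:
        if f.action == "DROP":
            days[(f.src_ip, f.dst_ip, f.dst_port)].add(f.ts.date())
    return sorted(key for key, seen in days.items() if len(seen) >= min_days)


def risky_permits(rules):
    """'Permitted but a bit risky': any-source or any-port permits (assumed definition)."""
    return [r.rule_id for r in rules
            if r.port is None or ip_network(r.src).prefixlen == 0]


def audit(rules, log_lines, now, window=timedelta(days=30), min_days=3):
    """Run all three checks and return the findings keyed by check name."""
    flows = [parse_flow(line) for line in log_lines]
    return {
        "unused_permits": unused_permits(rules, flows, now, window),
        "persistent_drops": persistent_drops(flows, min_days),
        "risky_permits": risky_permits(rules),
    }


# Constructed sample: three permit rules and five flow-log lines.
RULES = (
    AclRule("r1", "10.0.1.0/24", "10.0.2.0/24", 443),
    AclRule("r2", "10.0.1.0/24", "10.0.3.0/24", 3306),
    AclRule("r3", "0.0.0.0/0", "10.0.2.0/24", None),
)
LOG_LINES = (
    "2024-05-01T10:00:00 10.0.1.5 10.0.2.7 443 ACCEPT",
    "2024-05-02T10:00:00 10.0.1.5 10.0.2.7 443 ACCEPT",
    "2024-05-01T11:00:00 10.0.9.1 10.0.2.7 22 DROP",
    "2024-05-02T11:00:00 10.0.9.1 10.0.2.7 22 DROP",
    "2024-05-03T11:00:00 10.0.9.1 10.0.2.7 22 DROP",
)
NOW = datetime(2024, 5, 4)
```

On the sample, r2 is flagged as permitted-but-unused, the repeated drop from 10.0.9.1 to 10.0.2.7:22 is flagged as a persistent drop, and r3 is flagged as risky because it permits any source on any port.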