Security and cloud migration
Christophe Sahut
Corporate Infrastructure Architect / SGS

Application Security Forum - 2013
Talk: ASFWS 2013 - Security and extending infrastructure to the cloud: lessons learned (original title: Sécurité et extension d’infrastructure vers le cloud: retour d’expérience), by Christophe Sahut

Abstract
Against the backdrop of the PRISM affair, putting the words security and cloud together may seem bold at first sight; we will see why that is not necessarily the case. This talk presents the concrete experience of a large enterprise integrating cloud infrastructure (IaaS, PaaS and SaaS) into an existing architecture, together with the security mechanisms it is wise to use. We will cover, at a technical level, topics such as datacenter interconnection, Virtual Private Clouds, strong authentication, segmentation, perimeter defence and identity federation.

Speaker notes
  • PaaS security = SaaS security + your application code security
  • SaaS: everything is managed by the vendor; your security responsibility is mainly the authentication to the application and the data you put in. PaaS: same thing + maintaining your application security. IaaS: same + OS patching and security, architecture security (networking, firewalls, storage access …)
  • Example of cloud infrastructure: region, multi-AZ, VPC, ELB, 3 tiers, bastion, NAT for upgrades
  • Available on the marketplace: Check Point, Vyatta, BigIPs, Sophos UTM (ex-Astaro)

Slide transcript
1. Security and cloud migration (title slide). Christophe Sahut, Corporate Infrastructure Architect / SGS. Application Security Forum - 2013, Western Switzerland, 15-16 October 2013, Y-Parc / Yverdon-les-Bains, http://www.appsec-forum.ch

2. SGS in a few words

3. Agenda
   SaaS experience
   IaaS experience

4. Reminder: your (security) responsibility
  Stack layers, shown side by side for IaaS, PaaS and SaaS: Application, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking (which layers are yours in each model is spelled out in the speaker notes above).

5. SaaS experience

6. Use case
   Application fulfilling (most?) business needs
   Price/user/month – OPEX
   Side effect of ignoring this is shadow IT
   Hopefully, …

7. … there are authentication requirements

8. Solution: SAML 2.0
   In two words
    – Identity Provider on premise acting as a web proxy to the authentication source (AD, LDAP, SQL…)
    – Generates and signs authentication tokens
    – Sends them to the SaaS service to prove the user has been authenticated
    – You’re logged in
   Enables Single Sign-On with SaaS services

9. Nice solution but…
   Tricky to set up in multi-forest AD environments
   Not always easy to configure depending on the SP
   Must be highly available

10. And what about (de)provisioning?
   Provisioning can be done on the fly following authentication (and authorization)
    – Works fine but de-provisioning is still a challenge
    – Reminder: you pay per user
   Resource (user, group…) CRUD via web services is not widely deployed yet: http://www.simplecloud.info/

11. Other concerns
   Data is by definition fully understood by the SaaS provider
    – Profiling (or worse): “used for statistics and UX”
    – Contracts say the provider will not, if you ask them not to – if they say so, it must be true
   Data is (sometimes) encrypted on disk, but the SaaS provider manages the portal used to access it (…)

12. IaaS experience

13. Example: AWS

14. Connect to the management console

15. Then
   Create Virtual Private Clouds (VPC)
    – Network, route tables, gateways
    – Virtual machines
    – Load balancers
    – Storage, snapshots
    – Managed databases
    – …
   In a given location

16. Example (architecture diagram; the elements are listed in the speaker notes above). Source: http://aws.amazon.com/articles/9982940049271604

17. Use segmentation/filtering
   Network ACLs
   Security groups
   (OS firewalls)
   (3rd party network firewalls)

18. VPC created. And then?
   Decide how to integrate it in the existing infrastructure
    1) Keep it external
       • Completely separate infrastructure
    2) Link it to datacenters / WAN
       • Consider the VPC as a new site on the WAN

19. 1) Keep it external (diagram: Internet, load balancer, bastion, web servers, database; corporate data center shown separately)

20. (Keep it external, continued)
   Use bastion hosts
    – RDP/SSH from known IPs, strong authentication, logging/auditing
   VPC entry point opened only for the service provided

21. 2) Link it to datacenters / WAN (diagram: corporate data center connected by VPN to the VPC containing load balancer, bastion, web servers, database)

22. (Link it to datacenters / WAN, continued)
   Use a VPN (or leased line)
    – Decide if you want a public or private VPC: one more Internet access vs a private datacenter extension
    – Be careful with the network range and routing: the VPC becomes part of the WAN
    – Wizard on AWS to set up a dual VPN to the on-premise VPN concentrator
    – Set up firewall rules on both sides (drop all, then think)

23. What we did on IaaS
   VPCs in different locations, VPNs
    – SAML tests (WIF, mod_mellon, …)
    – New versions of software on isolated networks
   S3, load balancing, managed databases, DNS zone delegation, CDN, data warehouse, PaaS …
   More and more providers come with an AWS backend and we can evaluate what they do

24. Example of IaaS security benefit
   Launch/rebuild infrastructures in minutes
    – With code like this: (code shown on the slide)
   Configure this way networks, VPN, security groups, create instances, fetch data from a Git repository, configure load balancers…

25. Code the infrastructure
   With specific cloud tools: CloudFormation in AWS
   With scripting with CLI tools: Bash, PowerShell …
   With SDKs (.NET, Java, …), cloud API libraries (libcloud…), abstraction tools (Rightscale…) …
   And versioning!
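Once the infrastructure is code, as slide 25 suggests, the segmentation rules of slides 17 to 22 (Internet reaches only the load balancer, SSH/RDP reaches only the bastion and only from known IPs, each tier accepts traffic solely from the tier in front of it) can be checked before anything is deployed. The following Python is an added example and not code from the talk: it lints a constructed CloudFormation-style security group template; the group names, ports and the 203.0.113.0/24 admin range are assumptions.

```python
import json

# Constructed CloudFormation-style security groups (added example, not from the
# slides) for the 3-tier VPC: Internet -> load balancer -> web -> database, plus a
# bastion for admin access. One deliberate mistake is left in: RDP on the bastion
# is open to 0.0.0.0/0 instead of the known admin range.
TEMPLATE = json.loads("""{"Resources": {
  "LoadBalancerSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
  "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"}]}},
  "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "SourceSecurityGroupId": {"Ref": "LoadBalancerSG"}},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "SourceSecurityGroupId": {"Ref": "BastionSG"}}]}},
  "DatabaseSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "SourceSecurityGroupId": {"Ref": "WebSG"}}]}}
}}""")

INTERNET_FACING = {"LoadBalancerSG"}       # the only group allowed a 0.0.0.0/0 rule
ADMIN_PORTS = {22, 3389}                   # SSH / RDP, bastion only
KNOWN_ADMIN_CIDRS = {"203.0.113.0/24"}     # constructed "known IPs" (TEST-NET-3 range)
# Each inner tier may only be reached from the group directly in front of it
# (plus the bastion for the web tier).
ALLOWED_SOURCE = {"WebSG": {"LoadBalancerSG", "BastionSG"}, "DatabaseSG": {"WebSG"}}

def check_segmentation(template):
    """Return the list of policy violations found in the template's ingress rules."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            lo, hi = rule["FromPort"], rule["ToPort"]
            where = f"{name} {rule['IpProtocol']}/{lo}-{hi}"
            cidr = rule.get("CidrIp")
            src = rule.get("SourceSecurityGroupId", {}).get("Ref")
            if cidr == "0.0.0.0/0" and name not in INTERNET_FACING:
                findings.append(f"{where}: open to the whole Internet")
            elif cidr and ADMIN_PORTS & set(range(lo, hi + 1)) and cidr not in KNOWN_ADMIN_CIDRS:
                findings.append(f"{where}: admin access from unknown range {cidr}")
            elif name in ALLOWED_SOURCE and src not in ALLOWED_SOURCE[name]:
                findings.append(f"{where}: source {src or cidr} is not the tier in front")
    return findings

# Corrected copy: RDP on the bastion restricted to the known admin range.
HARDENED = json.loads(json.dumps(TEMPLATE))
HARDENED["Resources"]["BastionSG"]["Properties"]["SecurityGroupIngress"][1]["CidrIp"] = "203.0.113.0/24"

if __name__ == "__main__":
    print(check_segmentation(TEMPLATE))    # one finding, on the bastion RDP rule
    print(check_segmentation(HARDENED))    # []
```

Run against a real template, the same check belongs in the versioned repository's pre-deploy step, so a rule that contradicts the "drop all, then think" principle of slide 22 is caught before the stack is launched.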
26. Example use case
   Defacement/intrusion on an IaaS-based website
    – Fire up a new infrastructure clone
    – Enable verbose logging
    – Redirect traffic (via DNS, load balancers…) to the new infrastructure
    – Identify the attack, implement protection/blackhole
    – Isolate the hacked infrastructure
    – Run forensic analysis
    – Get a coffee

27. Questions?

28. Merci/Thank you! Contact: @csahut. Slides: http://slideshare.net/ASF-WS/presentations
