Automating Security for the Cloud - Make it Easy, Make it Safe
Published in: Technology
  • SaaS. Fast and easy. The only cloud security platform built for the cloud.

    1. Automating Security for the Cloud: Make it easy, make it safe. Rand Wacker, rand@cloudpassage.com, @randwacker. We’re Hiring! © 2012 CloudPassage Inc.
    2. whoami: Rand Wacker, @randwacker, rand@cloudpassage.com. Slides available soon on community.cloudpassage.com. [Table, columns Security and Cloud: UC Berkeley ✘ ✘; Oracle ✘; Amazon ✘; IronPort/ScanSafe ✘ ✘; Cisco ✘; CloudPassage ✘ ✘]
    3. DevOps and Security Big Data Analysts
    4. Shared Responsibility Model: EC2 Shared Responsibility Model. “…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...” “…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.” Source: Amazon Web Services: Overview of Security Processes. [Diagram: stack of Data, App Code, App Framework, Operating System, Virtual Machine, Hypervisor, Compute & Storage, Shared Network, Physical Facilities, labeled Customer Responsibility and Provider Responsibility]
    5. Survey: Cloud Security Practices. Question: How do you secure your cloud servers today? [Chart of answers: Open source or custom-developed tools; Commercial Tool; We’re not securing our cloud servers; My provider does it for me; Amazon Security Group] Source: CloudPassage CloudSec Community Survey
    6. [No text on slide]
    7. Cloud Security Challenges: Metered Usage; Temporary & Dynamic Deployments; Multiple Cloud Environments. [Diagram: servers www-1 through www-10 across Private Datacenter, Cloud Provider A and Cloud Provider B]
    8. The Alfred E Newman Guide to Easy Cloud Security
    9. Firewalling in the Cloud: Beyond Simple Security Groups
    10. Traditional DC Protection [Diagram labels: Auth Server, DB, core, Firewall, Load Balancer, App Server, dmz, Firewall]
    11. Moving to the Cloud [Diagram labels: Auth Server, DB, core, Firewall, Load Balancer, App Server, dmz, Firewall]
    12. Moving to the Cloud [Diagram labels: Auth Server, DB, core, Firewall, Load Balancer, App Server, dmz, Firewall, public cloud]
    13. Cloud Servers at Risk [Diagram labels: Load Balancer, App Server, DB Master, public cloud]
    14. Firewalling in the Cloud [Diagram labels: Load Balancer, App Server, DB Master, FW Halo, public cloud]
    15. Firewalling in the Cloud [Diagram labels: Load Balancer, App Server, DB Master, DB Slave, FW Halo, public cloud]
    16. Firewalling in the Cloud [Diagram labels: Load Balancer, App Server, IP, DB Master, DB Slave, FW Halo, public cloud]
    17. Firewalling in the Cloud [Diagram labels: Load Balancer, App Server, IP, DB Master, DB Slave, FW Halo, public cloud]
    18. Multi-Cloud Firewalling [Diagram labels: App Server, DB, FW Halo, US West Cloud, US East Cloud, Firewall, DB, Halo, Private Datacenter]
    19. Multi-Cloud Firewalling [Diagram labels: App Server, DB, FW Halo, US West Cloud, US East Cloud, Firewall, DB, Halo, Private Datacenter]
    20. Lessons to Learn
        • Whatever firewall options you have, use them
        • Make sure your firewall rules are updated quickly
        • Plan for the future, because you will be multi-cloud
    21. Controlling Access to Your Cloud Servers: Solving the Contractor Problem
    22. Meet Jed the Web Designer
        • Jed is highly mobile
        • Jed still uses FTP
        • You hired Jed for design skills, not technical acumen
        • How do you avoid Jed’s FTP access becoming a gaping hole in your server?
    23. WRONG WAY: Open Access [Diagram labels: Web Server, ftp]
    24. WRONG WAY: Open Access
    25. Manual Options - PITA
        • MANUALLY turn FTP server on and off when Jed needs access?
        • MANUALLY activate and deactivate account for Jed when he needs access?
        • MANUALLY change firewall rules when Jed needs access?
        • MANUALLY make Jed’s transfer for him?
    26. Halo Multi-Factor Cloud Auth
        • Prevent brute force attacks on SSH and web applications
        • YubiKey-generated one-time password
        • No batteries or moving parts
    27. Using Multi-Factor Auth [Diagram labels: Web Server, FW Halo]
    28. Using Multi-Factor Auth [Diagram labels: DB Server, FW Halo, CloudPassage Halo, https, Halo Grid]
    29. Using Multi-Factor Auth [Diagram labels: DB Server, FW Halo, CloudPassage Halo, https, Halo Grid]
    30. Using Multi-Factor Auth [Diagram labels: DB Server, FW Halo]
    31. REMEMBER: Delete Jed!!! De-provision Jed: Remove GhostPorts Access, Local Server Accounts. [Diagram labels: DB Server, FW Halo, User Portal, CloudPassage Halo, https, RESTful API Gateway, Halo Grid]
    32. Lessons to Learn
        • You may behave securely, but does everyone who works for you?
        • Security that complicates daily tasks will be circumvented
        • Make sure to clean up after others
    33. Automation will set you free, America… (Apologies to Alton Brown)
    34. Automatable Security Tasks
        • Scan for recent vulnerabilities of installed software packages.
        • Verify firewall rules match policy.
        • Alert administrators of missing server.
        • Get a report of every server that a user *does not* have an account on.
        • Get a report of every server that a user has an account on.
        • Get alerted if a new cloud server gets created.
        • Monitor for unauthorized/unexpected changes to application code files.
        • Make sure that init.d startup scripts can’t be tampered with by non-root users.
        • Find server accounts that don’t have passwords (it happens).
        • Get a report of every server that a user *does not* have an account on.
        Many, many more at community.cloudpassage.com
    35. The Secure, Automated Cloud
    36. Wrapping Up
    37. Moral of the Story
        • Security of your cloud servers is your responsibility
        • Security risks in the cloud are real (just check your logs)
        • Security automation isn’t just a best practice, it makes your life easier
    38. How To Secure Cloud Servers: Servers in hybrid and public clouds must be self-defending with highly automated controls like…
        • Dynamic firewall & access control
        • Server compromise & intrusion alerting
        • Configuration and package security
        • Server forensics and security analytics
        • Server account visibility & control
        • Integration & automation capabilities
    39. Try Halo FREE - 5 Minute Setup
        • Register for Halo at cloudpassage.com/register
        • Install Halo daemons on cloud servers
        • Configure security policies in Halo web portal
    40. In Closing
        • CloudPassage Installfest March 28th! Helpful cloud security advice! Pizza! Beer! Free tickets: cloudpassage.eventbrite.com
        • Ask Questions! Lots More Info: community.cloudpassage.com. Small Bits of Info: @cloudpassage
        • We’re hiring! Expert in Security and/or Cloud? DevOps, Rails, UX, Freemium Marketing. Email: jobs@cloudpassage.com
    41. Thank You! Rand Wacker, rand@cloudpassage.com, @randwacker
    42. What does CloudPassage do? Security for virtual servers running in public and private clouds
        • Dynamic firewall management
        • Server & cloud event alerting
        • Configuration and vulnerability scanning
        • Security & compliance auditing
        • Server access and privilege management
        • Server integrity & intrusion alerting
        Cloud adoption without fear. Faster and easier compliance. Repel attacks on your servers. Free Basic version, 5 minutes setup.
    43. CloudPassage Halo Architecture
    44. How It Works
        • Halo Daemon: Ultra light-weight software; Installed on server image; Automatically provisioned
        • Halo Grid: Elastic compute grid; Hosted by CloudPassage; Does the heavy lifting for the Halo Daemons
        [Diagram labels: www-1, Halo Daemon, Halo Grid]
    45. [Diagram labels: www-1, www-2, www-3, www-4, Halo, User Portal, https, RESTful API Gateway, CloudPassage Halo Compute Grid; Alerts, Reports and Trending; Policies, Commands, Reports]
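
Three of the checks listed on slide 34 (accounts without passwords, init.d scripts that non-root users can tamper with, unexpected changes to code files), sketched as an added example; this is not CloudPassage or Halo code, and the function names, the `owner_uid` parameter and the sample shadow data are assumptions made for illustration.

```python
import hashlib
import os

# Constructed sample in shadow(5) format: "jed" has an empty password field.
SAMPLE_SHADOW = "root:$6$salt$hash:19000::::::\njed::19000::::::\nftp:*:19000::::::\n"


def accounts_without_password(shadow_text):
    """Logins whose shadow(5) password field is empty (no password needed)."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        # "!" or "*" in field 2 means locked; only an empty field is flagged.
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names


def tamperable_paths(directory, owner_uid=0):
    """Paths under directory that someone other than owner_uid can modify."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        # The directory counts too: write access there allows replacing a script.
        paths = [root] + [os.path.join(root, f) for f in sorted(files)]
        for path in filter(os.path.exists, paths):  # skips dangling symlinks
            st = os.stat(path)
            if st.st_uid != owner_uid:
                findings.append((path, "owner uid %d" % st.st_uid))
            elif st.st_mode & 0o022:  # group- or world-writable
                findings.append((path, "mode %o" % (st.st_mode & 0o7777)))
    return findings


def hash_tree(directory):
    """Map relative path -> SHA-256 digest for every file under directory."""
    digests = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                digests[os.path.relpath(path, directory)] = digest
    return digests


def changed_files(baseline, current):
    """Paths added, removed or modified since the baseline was taken."""
    return sorted(p for p in set(baseline) | set(current) if baseline.get(p) != current.get(p))
```

On a server the inputs would be the contents of /etc/shadow (read as root), the /etc/init.d directory, and a stored `hash_tree` baseline of the application code compared on each scheduled run.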