BayThreat Why The Cloud Changes Everything

Subtitle: How I Learned to Stop Worrying and Get DevOps to Love Security

These slides are from a talk delivered by Rand Wacker at BayThreat 2011.

ABSTRACT: Take a look around, you might be surprised who is running servers in the cloud; you might be even more surprised about what they are running. Unfortunately, these people rarely if ever thought to tell the security teams, and that means big problems for us all. Securing servers in the cloud is different, very different, than in a traditional data center, but all the same risks are there. Let's start by understanding who is using the cloud, why it is so different, and what works and doesn't work from our typical security toolbox. Then let's try to solve some of those problems and come up with some best practices to help us and those we work with do what they need…securely.

Published in: Technology, Business
  • 1. Zappos is creating apps for their unique corporate culture. 2. Foursquare is a great example in social media: scaling up and down over the weekend. 3. eBay Xmas: highway into the city expands from 3 to 7 lanes in rush hour.
  • SaaS. Fast and easy. The only cloud security platform built for the cloud.
  • Transcript

    • 1. Why The Cloud Changes Everything. BayThreat 2011: Building Security. Rand Wacker, @randwacker. © 2011 CloudPassage Inc.
    • 2. How I Learned to Stop Worrying and Get DevOps to Love Security
    • 3. whoami: Rand Wacker, @randwacker, rand@cloudpassage.com. Slides available tonight on community.cloudpassage.com. Background (columns: Security, Cloud): UC Berkeley ✘ ✘, Oracle ✘, Amazon ✘, Sendmail … IronPort ✘, Cisco ✘, CloudPassage ✘ ✘
    • 4. Agenda
      • 1. Who is in the cloud
      • 2. Who secures the cloud
      • 3. Why cloud security is different
      • 4. How to approach the cloud
      • 5. Suggestions and best practices
    • 5. Cloud Operators Are Different
    • 6. What is running in the cloud?
      • Development
        – Who: App-dev shops, integrators, Enterp. BU’s
        – Why: Fast, cheap, agile
        – Risks: Code stolen or hacked, live data theft
      • Permanent Application Hosting
        – Who: SaaS providers, social media, gaming
        – Why: Scalable, elastic, ties costs to growth
        – Risks: Compliance, data theft, oper. disruption
      • Temporary Workloads
        – Who: Big data, social, retail, life-sci, media
        – Why: Agility, speed, scale, “lease the spikes”
        – Risks: Intellectual property theft
    • 7. Who is running in the cloud? IT Server Admins, Big Data Analysts
    • 8. Who is running in the cloud?
    • 9. Survey: Cloud Security Concerns. Question: What security concerns are most important to you regarding public cloud computing? (Multiple choice)
      • Lack of perimeter defenses and/or network control: 44%
      • Multi-tenancy of infrastructure or applications: 40%
      • Achieving compliance with PCI or other standards: 26%
      • Provider access to guest servers: 24%
      • Enterprise security tools don't work in the cloud: 23%
      • We have no security concerns: 16%
      • Source: CloudPassage CloudSec Community Survey
    • 10. “We didn’t think we had cloud servers. Then we checked our developers’ expense reports for AWS...” - CISO, Fortune 500 (name withheld upon request)
    • 11. Cloud Responsibility, Not So Different
    • 12. Shared Responsibility Model: EC2 Shared Responsibility Model
      • Customer Responsibility: Data, App Code, App Framework, Operating System, Virtual Machine
      • Provider Responsibility: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
      • “…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”
      • “…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
      • Source: Amazon Web Services: Overview of Security Processes
    • 13. Delineation of Responsibility
      • Columns: IaaS, PaaS, SaaS
      • Layers in each column: Interface, Application, Solution Stack, Operating System, Hypervisor, Compute & Storage, Network, Facility
      • Diagram labels: Customer Responsibility, Provider Responsibility
      • Client Segregation: Hypervisor (IaaS); Virtual/File Permissions (PaaS); None (Client ID in DB) (SaaS)
    • 14. Application of Security in IaaS [matrix diagram of security controls against Provider and Customer layers]
      • Layer labels: Physical Facilities, Physical Network, Compute, Storage, Hypervisor, Virtual Network, Virtual Machine/OS, App Framework / App stack, Application Logic, API, GUI
      • Controls: Authentication, Configuration Lockdown, Patching, NIDS/NIPS, HIDS/HIPS, Packet Filtering, Proxy/Middleware, Application White Listing, Anti-Virus, File/Record Access Control, Encryption, DLP, NAC, SIEM, Auditing/Pen Testing, Forensics, Secure Development Lifecycle, Architecture/Design, Physical
    • 15. Survey: Cloud Security Practices. Question: How do you secure your cloud servers today?
      • Wrote my own automation tools
      • Commercial tool
      • Open source or custom tool
      • My provider does it for me
      • Amazon Security Group
      • We're not securing our cloud servers
      • Manually, using a checklist
      • Source: CloudPassage CloudSec Community Survey
    • 16. Cloud Risk is Different
    • 17. What’s So Different?
    • 18. What’s So Different?
      • Servers used to be highly isolated
        – Bad guys clearly on the outside
        – Layers of perimeter security
        – Poor configurations were tolerable
      • Diagram: private datacenter (www-1 to www-4); public cloud
    • 19. What’s So Different?
      • Servers used to be highly isolated
        – Bad guys clearly on the outside
        – Layers of perimeter security
        – Poor configurations were tolerable
      • Cloud servers more exposed
        – Outside of perimeter protections
        – Little network control or visibility
        – No idea who’s next door
      • Diagram: private datacenter (www-1 to www-3); public cloud (www-4)
    • 20. What’s So Different?
      • Servers used to be highly isolated
        – Bad guys clearly on the outside
        – Layers of perimeter security
        – Poor configurations were tolerable
      • Cloud servers more exposed
        – Outside of perimeter protections
        – Little network control or visibility
        – No idea who’s next door
      • Sprawling, multiplying exposures
        – Rapidly growing attack surface area
        – More servers = more vulnerabilities
        – More servers ≠ more people
      • Diagram: private datacenter (www-1 to www-3); public cloud (www-4 to www-10)
    • 21. What’s So Different?
      • Servers used to be highly isolated
        – Bad guys clearly on the outside
        – Layers of perimeter security
        – Poor configurations were tolerable
      • Cloud servers more exposed
        – Outside of perimeter protections
        – Little network control or visibility
        – No idea who’s next door
      • Sprawling, multiplying exposures
        – Rapidly growing attack surface area
        – More servers = more vulnerabilities
        – More servers ≠ more people
      • Fraudsters target cloud servers
        – Softer targets to penetrate
        – No perimeter defenses to thwart
        – Elasticity = more botnet to sell
      • Diagram: private datacenter (www-1 to www-3); public cloud (www-4 to www-10)
    • 24. Survey: OS Running in the Cloud. Question: Which operating systems do you run on your cloud servers? Chart labels as extracted: Windows 78% Running Windows; Windows and Linux; Running Linux 55%; Linux; BSD. Source: CloudPassage CloudSec Community Survey
    • 25. Cloud Security Approach
    • 26. How To Secure Cloud Servers. Servers in hybrid and public clouds must be self-defending with highly automated controls like…
      • Dynamic network access control
      • Server compromise & intrusion alerting
      • Configuration and package security
      • Server forensics and security analytics
      • Server account visibility & control
      • Integration & automation capabilities
    • 27. Architectural Challenges
      • Inconsistent Control (you don’t own everything)
        – The only thing you can count on is guest VM ownership
      • Elasticity (not all servers are steady-state)
        – Cloudbursting, stale servers, dynamic provisioning
      • Scalability (handle variable workloads)
        – May have one dev server or 1,000 number-crunchers
      • Portability (same controls work anywhere)
        – Nobody wants multiple tools or IaaS provider lock-in
    • 28. Portable = “Works Anywhere”: Public Cloud, Hybrid Cloud, Private Cloud, Traditional Hardware. Which is hardest to solve?
    • 29. Problem: How can we secure large-scale, dynamic application stacks across clouds we probably don’t control? Proposal: Highly automated, scalable, elastic security at the guest VM level.
    • 30. The VM is the Unit of Control
      • Controlled by Hosting-User: Data, App Code, App Framework, Operating System, Virtual Machine
      • Controlled by Hosting-Provider: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
    • 31. The VM is the Unit of Scale
      • Two guest stacks, each: Data, App Code, App Framework, Operating System, Virtual Machine
      • Shared beneath them: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
    • 32. The VM is the Unit of Portability
      • Private Cloud: Data, App Code, App Framework, Operating System, Virtual Machine, Hypervisor, Compute & Storage, Shared Network, Physical Facilities
      • IaaS Provider: Data, App Code, App Framework, Operating System, Virtual Machine, Hypervisor, Compute & Storage, Shared Network, Physical Facilities
    • 33. Thesis: In cloud environments, the intersection of control, portability & scale is almost always the guest virtual-machine.
    • 34. Haven’t We Dealt With This Before?
    • 35. Déjà vu – Laptops as a Model
      • We’ve dealt with securing portable assets in the past
      • Security needed to change from being network-based to host-based
      • Expect similar to occur with cloud
      • Dynamic shared resources means host-based technology must be reworked prior to use
    • 36. Security Hamster Sine Wave of Pain. Used with permission, and extended thanks to Andy Jaquith
    • 37. In Closing
    • 38. Summary
      • There are people using cloud in your org…
      • Cloud users often don’t understand security, and definitely don’t know their responsibility
      • Cloud security is different, and hard
      • The bad guys know this!
      • Cloud has different points of control, leverage them!
    • 39. Best Practices
      • Know who is running what, and where
      • Read and understand what your provider does, and what you are responsible for
      • Take extra precautions when moving servers outside your data center
      • Start with public cloud, after that everything is easy!
      • Focus on securing what you control
    • 40. Wrapping Up
      • Continue the discussion
        – Slides available: community.cloudpassage.com
      • Contact me
        – Email: rand@cloudpassage.com
        – Twitter: @randwacker
      • We’re hiring! Expert in Security and/or Cloud?
        – Email: jobs@cloudpassage.com
    • 41. Thank You
    • 42. What does CloudPassage do? Security for virtual servers running in public and private clouds
      • Firewall Management
      • Compromise & intrusion alerting
      • Server Configurations
      • Security & compliance auditing
      • Server account Management
      • Vulnerability Management
      • Cloud adoption without fear
      • Faster and easier compliance
      • Repel attacks on your servers
      • Free Basic version, 5 minutes setup
