BSides SF - Automating Security for the Cloud

Delivered by Rand Wacker at Security BSides San Francisco 2012

Speaker notes:
  • 1. Zappos is creating apps for their unique corporate culture. 2. Foursquare is a great example in social media: scaling up & down over the weekend. 3. eBay Xmas: the highway into the city expands from 3 to 7 lanes in rush hour.
  • SaaS. Fast and easy. The only cloud security platform built for the cloud.
    1. Automating Security for the Cloud: Why we all need to care… Security B-Sides SF 2012. Rand Wacker, rand@cloudpassage.com, @randwacker. © 2012 CloudPassage Inc.
    2. whoami. Rand Wacker (@randwacker, rand@cloudpassage.com). Slides available soon on community.cloudpassage.com. Background in security and cloud: UC Berkeley, Oracle, Amazon, Sendmail, IronPort, Cisco, CloudPassage.
    3. Agenda
       1. Who Runs What in the Cloud
       2. Cloud Security Differences
       3. DevOps vs SecOps
       4. Making Everyone Happy
       5. The End
    4–5. Who is running in the cloud? (diagram: IT Server Admins, Big Data Analysts)
    6. What is running in the cloud?
       • Development. Who: app-dev shops, integrators, enterprise business units. Why: fast, cheap, agile. Risks: code stolen or hacked, live data theft.
       • Permanent Application Hosting. Who: SaaS providers, social media, gaming. Why: scalable, elastic, ties costs to growth. Risks: compliance, data theft, operational disruption.
       • Temporary Workloads. Who: big data, social, retail, life-sci, media. Why: agility, speed, scale, “lease the spikes”. Risks: intellectual property theft.
    7. “We didn’t think we had cloud servers. Then we checked our developers’ expense reports for AWS...” – CISO, Fortune 500 (name withheld upon request)
    8. Why Your Security Toolbox Doesn’t Work In The Cloud
    9–11. Cloud Security Is New (diagram: private datacenter, public cloud, servers www-1 to www-4)
    12–15. Cloud Security Is Different (same diagram: private datacenter, public cloud, www-1 to www-4)
    16–20. Cloud Security Is Complex (diagram: Private Datacenter; Cloud Provider A with www-1 to www-3; Cloud Provider B with www-4 to www-10)
    21. Security Products Aren’t Adapting (same diagram, annotated: Metered Usage; Temporary & Elastic Deployments; Multiple Cloud Environments)
    22. Survey: Cloud Security Concerns. Question: What security concerns are most important to you regarding public cloud computing? (multiple choice)
       • Lack of perimeter defenses and/or network control: 44%
       • Multi-tenancy of infrastructure or applications: 40%
       • Achieving compliance with PCI or other standards: 26%
       • Provider access to guest servers: 24%
       • Enterprise security tools don’t work in the cloud: 23%
       Source: CloudPassage CloudSec Community Survey
    23. Shared Responsibility Model (EC2 Shared Responsibility Model). Customer responsibility: Data, App Code, App Framework, Operating System, Virtual Machine. Provider responsibility: Hypervisor, Compute & Storage, Shared Network, Physical Facilities.
       “…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”
       “…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
       Source: Amazon Web Services: Overview of Security Processes
    24. Application of Security in IaaS (matrix of controls against stack layers; only the row and column labels are legible in the transcript). Layers, provider side to customer side: Physical Facilities, Physical Network, Compute / Storage, Hypervisor, Virtual Network, Virtual Machine/OS, App Framework, Application Logic, API, GUI (the app stack). Controls: Authentication, Configuration Lockdown, Patching, NIDS/NIPS, HIDS/HIPS, Packet Filtering, Proxy/Middleware, Application White Listing, Anti-Virus, File/Record Access Control, Encryption, DLP, NAC, SIEM, Auditing/Pen Testing, Forensics, Secure Development Lifecycle, Architecture/Design, Physical.
    25. Survey: Cloud Security Practices. Question: How do you secure your cloud servers today? (chart; answer options: open source or custom-developed tools; commercial tool; we’re not securing our cloud servers; my provider does it for me; Amazon Security Group). Source: CloudPassage CloudSec Community Survey
    26–27. (image-only slides)
    28. How I Learned to Stop Worrying and Get DevOps to Love Security
    29–30. What Is DevOps? (diagram: DevOps, IT Operations; slide 30 adds Security Operations)
    31. Why Does DevOps Love Cloud?
    32. Different Job Goals: SecOps vs DevOps
    33–40. Traditional DC Protection (network diagram built up across eight slides). Labels: core firewall with Auth Server and DB Servers behind it; DMZ firewall with Load Balancers and App Servers behind it; Server Provisioning (slides 33–35) adds a second Load Balancer and App Server; Firewall Updates (slide 35); Site Debugging!!! (slides 37–40).
    41–43. Moving to the Cloud (same diagram; slide 42 adds the public cloud, slide 43 shows the servers in the public cloud with no firewalls)
    44–53. Protecting Cloud Servers (diagram in the public cloud, built up across ten slides): Load Balancer, App Servers, DB Master; slide 48 adds a host firewall (FW) on each server; slide 49 a third App Server; slide 50 a second Load Balancer and a DB Slave; slides 51–53 label an App Server IP.
    54. Cloud Security Challenges
       • Inconsistent Control (you don’t own everything)
         – The only thing you can count on is guest VM ownership
       • Elasticity (not all servers are steady-state)
         – Cloud-bursting, stale servers, dynamic provisioning
       • Scalability (handle variable workloads)
         – May have one dev server or 1,000 number-crunchers
       • Portability (same controls must work anywhere)
         – Nobody wants multiple tools or IaaS provider lock-in
    55. So our tools are broken and everyone hates us, now what?
    56. With Gratitude: Hyperbole and a Half
    57. The VM is the Unit of Control. Controlled by the hosting user: Data, App Code, App Framework, Operating System, Virtual Machine. Controlled by the hosting provider: Hypervisor, Compute & Storage, Shared Network, Physical Facilities.
    58. The VM is the Unit of Scale (diagram: two VM stacks of Data, App Code, App Framework, Operating System, Virtual Machine on one shared Hypervisor, Compute & Storage, Shared Network, Physical Facilities)
    59. The VM is the Unit of Portability (diagram: the same VM stack running in a Private Cloud and at an IaaS Provider, each with its own Hypervisor, Compute & Storage, Shared Network, Physical Facilities)
    60. Thesis: In cloud environments, the intersection of control, portability & scale is always the guest virtual machine.
    61–66. Secure the VM (stack of Data, App Code, App Framework, OS, Virtual Machine, with one control added per slide):
       • Secure the OS services and configurations
       • Add host-based firewalls (inbound and outbound)
       • Ensure application stacks are up-to-date and locked down
       • Continuously verify application code is current and un-tampered
       • Track sensitive data and prevent egress
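Slide 65’s “continuously verify application code is current and un-tampered” in working form, as an added example that is not code from the deck or from CloudPassage: a baseline-and-verify integrity checker that classifies modified, added and removed files. The application tree, file names and contents are constructed in a temporary directory and are assumptions.

```python
"""Application-code integrity check for a guest VM (added example, not the deck's code).

Build a SHA-256 baseline of an application directory at deploy time, re-verify it later,
and report files that were modified, added or removed. All paths and files are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file (path relative to root, POSIX style) to its digest: the trusted state."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline and classify each difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline. Keep it off the host it describes: anyone who can alter the
    application code on the VM could otherwise alter a baseline stored next to it."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small app tree, change it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        (app / "lib").mkdir(parents=True)
        (app / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (app / "lib" / "db.php").write_text("<?php // db helpers ?>\n")
        (app / "VERSION").write_text("1.4.2\n")
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(app), baseline_path)

        # Simulate an unauthorised change: one file edited, one dropped in, one deleted.
        (app / "index.php").write_text("<?php echo 'changed'; ?>\n")
        (app / "lib" / "extra.php").write_text("<?php // unexpected file ?>\n")
        (app / "VERSION").unlink()

        return verify(app, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule (or from the policy server) the same report tells you whether the code on a freshly cloned VM still matches what was deployed, which is the "current and un-tampered" check the slide calls for.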
    67–68. Automate Policy Application: FULLY AUTOMATE (slide 68 repeats the secured VM stack across many VMs)
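Slides 62 and 67–68 together (lock down OS services and configuration, then apply that policy automatically to every VM), as an added example that is not from the deck or from CloudPassage: one sshd_config hardening policy evaluated across a constructed two-host fleet. The policy values, host names and config text are assumptions.

```python
"""Apply one OS-configuration policy to every guest VM (added example, not the deck's code).

A hardening policy for the SSH daemon is checked against each host's sshd_config text, so
the same control is applied whether there is one server or a thousand. Hosts and configs
below are constructed samples.
"""
from typing import Dict, List

# Hypothetical hardening baseline: sshd_config keywords and the value each must have.
SSHD_POLICY = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
}

# Constructed sample configs: www-1 still has image defaults, www-2 has been locked down.
HOST_CONFIGS = {
    "www-1": """
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
""",
    "www-2": """
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
""",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective keyword/value pairs. Comments and blanks are skipped, and as in sshd
    the first occurrence of a keyword wins, so later duplicates do not override it."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_host(config_text: str, policy: Dict[str, str]) -> List[str]:
    """Policy violations for one host. A keyword that is absent is a finding too:
    sshd falls back to its compiled-in default (e.g. PasswordAuthentication yes)."""
    settings = parse_sshd_config(config_text)
    findings = []
    for key, required in policy.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings.append(f"{key} not set (required {required})")
        elif actual.lower() != required.lower():
            findings.append(f"{key}={actual} (required {required})")
    return findings


def audit_fleet(configs: Dict[str, str], policy: Dict[str, str]) -> Dict[str, List[str]]:
    """Same policy, every host: returns a per-host list of findings (empty means compliant)."""
    return {host: check_host(text, policy) for host, text in configs.items()}


if __name__ == "__main__":
    for host, findings in audit_fleet(HOST_CONFIGS, SSHD_POLICY).items():
        print(f"{host}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```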
    69. Separate Security Controls (diagram: SecOps and DevOps responsibilities over the VM stack)
    70. The Secure, Automated Cloud
    71. Wrapping Up
    72. How To Secure Cloud Servers. Servers in hybrid and public clouds must be self-defending with highly automated controls like…
       • Dynamic network access control
       • Server compromise & intrusion alerting
       • Configuration and package security
       • Server forensics and security analytics
       • Server account visibility & control
       • Integration & automation capabilities
    73. Summary
       • There are people using cloud in your org…
       • Cloud users often don’t understand security, and definitely don’t know their responsibility
       • Cloud security is different, and hard
       • The bad guys know this!
       • Cloud has different points of control, leverage them!
    74. Best Practices
       • Know who is running what, and where
       • Read and understand what your provider does, and what you are responsible for
       • Take extra precautions when moving servers outside your data center
       • Start with public cloud, after that everything is easy!
       • Focus on securing what you control
    75. Wrapping Up
       • Continue the discussion
         – Slides available: community.cloudpassage.com
       • Contact me
         – Email: rand@cloudpassage.com
         – Twitter: @randwacker
       • We’re hiring! (BTW, expert in Security and/or Cloud? We’re hiring!)
         – Email: jobs@cloudpassage.com
    76. Thank You!
    77. What does CloudPassage do? Security for virtual servers running in public and private clouds: Firewall Management; Compromise & intrusion alerting; Server Configurations; Security & compliance auditing; Server account Management; Vulnerability Management. Cloud adoption without fear; faster and easier compliance; repel attacks on your servers; free Basic version, 5-minute setup.