INFORMATION SECURITY
[in-fer-mey-shuhn si-kyoor-i-tee]
noun
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
See Also: Job Security
LEVERAGING CLOUD ARCHITECTURE
How can we (gently) re-architect to take advantage of the cloud?
• Network
• Web server
• Application server
• Database server
• Don't forget audit/forensics!
NETWORK
Good: Limit by IP
Better: Allow administration via VPN only
Best: Admin interface on a separate host, VPN only
[Drawing by Jonathan, age 7, Heidelberg, Germany]
WEB/APP SERVER
Good: Load balancing, "basic" hardening (IP ACLs, only accept GET/POST, server tuned for large loads). SSL's cheap nowadays.
Better: Build web application firewalls and reverse caches into your IaaS (mod_security's free).
Best: Use third-party services to handle load and minimize security issues (CDNs like Akamai, Cloudflare).
Required: Input filtering, output encoding.
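The slide's "Required" line is the one item that no load balancer, WAF or CDN does for you. The block below is an added example (not from the deck or its author) showing what input filtering and output encoding look like in application code: an allowlist check on a display-name field, the unsafe concatenation that a WAF only partially covers, and context-aware encoding for HTML text, HTML attribute and URL contexts. The allowlist pattern, field name and sample inputs are constructed for the example.

```python
import html
import re
from urllib.parse import quote

# Allowlist for a "display name" field: letters, digits, space, dot, dash,
# underscore; 1-32 characters. The pattern is an assumption for this example.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,32}$")


def filter_display_name(raw: str) -> str:
    """Input filtering: accept only values matching the allowlist, reject the rest."""
    if not DISPLAY_NAME_RE.fullmatch(raw):
        raise ValueError("display name contains disallowed characters or bad length")
    return raw


def render_greeting_unsafe(name: str) -> str:
    """'Before' form: untrusted input concatenated straight into HTML (do not use)."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting(name: str) -> str:
    """Output encoding for an HTML text context: escape <, >, & and quotes."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def render_profile_link(name: str) -> str:
    """The same value lands in two contexts and needs a different encoding in each."""
    path = quote(name, safe="")              # URL path segment: percent-encode everything
    attr = html.escape(name, quote=True)     # attribute value and text node: HTML-escape
    return f'<a href="/users/{path}" title="{attr}">{attr}</a>'


# Constructed sample inputs: two benign, two that would break out of the HTML context.
CONSTRUCTED_INPUTS = [
    "alice",
    "Bob Smith",
    "<script>alert(1)</script>",
    'x" onmouseover="alert(1)',
]


def demo() -> dict:
    """Run each constructed input through filtering and encoding; return what happened."""
    results = {}
    for raw in CONSTRUCTED_INPUTS:
        try:
            filter_display_name(raw)
            results[raw] = ("accepted", render_greeting(raw))
        except ValueError:
            # Rejected input is still encoded if it must be echoed back (e.g. on an error page).
            results[raw] = ("rejected", render_greeting(raw))
    return results


if __name__ == "__main__":
    for raw, (verdict, out) in demo().items():
        print(f"{verdict:8} {raw!r:32} -> {out}")
```

Filtering and encoding are independent layers: the allowlist keeps junk out of the datastore, while the encoding step guarantees that whatever does reach the template cannot change the HTML structure, even when a later code path skips the filter.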
DATASTORE
Good: Place DBs on a separate host from the application.
Better: Place DBs in separate datacenters, and replicate.
Best: Migrate to a "NoSQL" datastore (Cassandra, MongoDB, ElasticSearch).
Required: Encrypt data at rest.
NOSQL SECURITY?
• Many NoSQL systems have even authentication turned off.
• Data labeling or granular access needs to be handled in the application.
[Drawing by Luca, Italy]
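When the datastore itself enforces no per-document access control, the application layer has to carry the label and the check. The following is an added example (not from the deck) of that pattern in Python: a tiny in-memory dictionary stands in for a NoSQL collection, every document is stored with a sensitivity label and a tenant, and reads and queries are filtered by the caller's clearance before any result is returned. The label set, tenant names and documents are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Dict

# Ordered sensitivity labels (constructed for this example).
LABELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


class AccessDenied(Exception):
    pass


@dataclass
class Principal:
    name: str
    clearance: str    # highest label this principal may read
    tenant: str       # ownership scope; documents never cross tenants


@dataclass
class LabeledStore:
    """Application-level labels over a store that applies no checks of its own.

    `_docs` stands in for a collection in a NoSQL datastore (assumption: the
    datastore performs neither authentication nor per-document authorization).
    """
    _docs: Dict[str, Dict[str, Any]] = field(default_factory=dict)

    def put(self, principal: Principal, doc_id: str, body: Dict[str, Any], label: str) -> None:
        if label not in LABELS:
            raise ValueError(f"unknown label {label!r}")
        # A writer may only label up to their own clearance in this toy model.
        if LABELS[label] > LABELS[principal.clearance]:
            raise AccessDenied(f"{principal.name} cannot write {label} data")
        self._docs[doc_id] = {"body": body, "label": label, "tenant": principal.tenant}

    def _readable(self, principal: Principal, rec: Dict[str, Any]) -> bool:
        return (rec["tenant"] == principal.tenant
                and LABELS[rec["label"]] <= LABELS[principal.clearance])

    def get(self, principal: Principal, doc_id: str) -> Dict[str, Any]:
        rec = self._docs.get(doc_id)
        # Same error for "missing" and "forbidden", so callers cannot probe for ids.
        if rec is None or not self._readable(principal, rec):
            raise AccessDenied(f"{principal.name} may not read {doc_id!r}")
        return rec["body"]

    def query(self, principal: Principal, **match: Any) -> Dict[str, Dict[str, Any]]:
        """Filter by tenant and label before returning, never after the caller sees results."""
        return {
            doc_id: rec["body"]
            for doc_id, rec in self._docs.items()
            if self._readable(principal, rec)
            and all(rec["body"].get(k) == v for k, v in match.items())
        }


def demo() -> dict:
    """Constructed scenario: one tenant with two clearance levels, plus an outsider."""
    store = LabeledStore()
    admin = Principal("admin", "restricted", "acme")
    analyst = Principal("analyst", "internal", "acme")
    outsider = Principal("outsider", "restricted", "other-co")

    store.put(admin, "doc1", {"type": "memo", "text": "lunch menu"}, "public")
    store.put(admin, "doc2", {"type": "memo", "text": "salary bands"}, "confidential")

    seen_by_analyst = store.query(analyst, type="memo")
    seen_by_outsider = store.query(outsider, type="memo")
    try:
        store.get(analyst, "doc2")
        leaked = True
    except AccessDenied:
        leaked = False
    return {"analyst": sorted(seen_by_analyst),
            "outsider": sorted(seen_by_outsider),
            "leaked": leaked}


if __name__ == "__main__":
    print(demo())
```

The important design choice is that `query` applies the label and tenant filter inside the store wrapper, so no code path can fetch a full result set and "remember" to filter later; that is exactly the granular access the slide says the datastore will not do for you.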
INTER-PROCESS COMMUNICATION
Good: Whatever you've dreamt up (cloud bullhorn?), at least encrypt it.
Better: Use open protocols for communication between nodes. Make sure encryption is enabled!
Best: Consider using message queues.
Required, in case you missed it: encryption.
LOGGING & FORENSICS
What happens to logs when our scalable architecture... scales down?
Cloud really, really requires centralized logging, monitoring, and management.
Also, consider erase vs. overwrite.
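The scale-down question on this slide is the reason logs have to leave the instance at write time rather than at rotation time. The block below is an added example (not from the deck) using Python's standard `logging` module: a custom handler serialises each record as one JSON line tagged with the instance id and pushes it straight to a collector object, which stands in for the syslog or HTTP log endpoint you would run outside the auto-scaling group. The `CentralCollector` class, the instance id and the two log events are constructed for the example.

```python
import json
import logging
import socket
from typing import List


class CentralCollector:
    """Stand-in for a collector outside the instance (assumption: in production this
    would be a syslog or HTTP endpoint that keeps records after the sender is gone)."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def receive(self, line: str) -> None:
        self.records.append(json.loads(line))


class ShipToCollectorHandler(logging.Handler):
    """Serialise each record as one JSON line and ship it immediately, not on rotation."""

    STRUCTURED_FIELDS = ("user", "src_ip", "event")   # extra={} keys we forward

    def __init__(self, collector: CentralCollector, instance_id: str) -> None:
        super().__init__()
        self.collector = collector
        self.instance_id = instance_id

    def emit(self, record: logging.LogRecord) -> None:
        payload = {
            "ts": round(record.created, 3),      # epoch seconds, set by logging
            "instance_id": self.instance_id,     # which (ephemeral) instance wrote it
            "host": socket.gethostname(),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        }
        # Structured fields arrive via logger.info(..., extra={...}) as record attributes.
        for key in self.STRUCTURED_FIELDS:
            if hasattr(record, key):
                payload[key] = getattr(record, key)
        try:
            self.collector.receive(json.dumps(payload))
        except Exception:
            self.handleError(record)


def make_instance_logger(name: str, instance_id: str, collector: CentralCollector) -> logging.Logger:
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.handlers.clear()        # idempotent if called more than once per process
    logger.propagate = False
    logger.addHandler(ShipToCollectorHandler(collector, instance_id))
    return logger


def simulate_scale_down(collector: CentralCollector) -> int:
    """Constructed scenario: an instance logs two auth events and is then torn down.

    Returns how many records survive centrally once the instance's handlers are gone.
    """
    log = make_instance_logger("app", "i-0123example", collector)   # constructed instance id
    log.info("login ok", extra={"user": "alice", "src_ip": "203.0.113.7", "event": "auth"})
    log.warning("login failed", extra={"user": "mallory", "src_ip": "198.51.100.9", "event": "auth"})
    # Instance terminated: local disk, and any file-only logs on it, are gone.
    for handler in list(log.handlers):
        log.removeHandler(handler)
        handler.close()
    return len(collector.records)


if __name__ == "__main__":
    c = CentralCollector()
    print(simulate_scale_down(c), "records retained centrally")
    for r in c.records:
        print(r)
```

Shipping per record rather than per file is what makes the forensic trail independent of instance lifetime; the instance id and host fields are what let you reconstruct which short-lived node did what after it no longer exists.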
WHAT HAVE WE BUILT?
• Scalable solution
• No single point of failure
• Healthy caution of all those around us (filtering/encoding)
• Data stored and transmitted safely
• And a nice set of audit logs for when Bad Things happen
LEARN MORE
Cloud Security Alliance
OWASP Cloud Top 10
THANKS AND CONTACT INFO
"Bad People" drawings from http://badpeopleproject.org
Follow me on twitter: @johnlkinsella