Rebuilding for the cloud - How Cloud Architeture Can Improve Application Security

  • 1,445 views
Uploaded on

Talk I gave at OWASP San Francisco 3/14/2012

Talk I gave at OWASP San Francisco 3/14/2012

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,445
On Slideshare
0
From Embeds
0
Number of Embeds
4

Actions

Shares
Downloads
28
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Service: Infrastructure, Platform, Software as a serviceDeployment: Private, community, public, hybrid
  • So for each one of these things I’ll try to break it down into GOOD – BETTER – BEST.
  • Some of these points fit better for IaaS, this is one of them
  • Load balancing – linux virtual server“best” – I’m expecting/wanting resistance to some of these points – I believe CDN/NoSQL/Message Queues have security value from a scalability POV, but they’re not slam-dunk arguments.
  • RabbitMQ or ActiveMQ

Transcript

  • 1. REBUILDING FORTHE CLOUDHOW CLOUD ARCHITECTURE CAN IMPROVEAPPLICATION SECURITY
  • 2. INTRO
  • 3. AGENDADefinitions (brief, I promise)Cloud BenefitsCloud Security ConceptsMoving applications to the cloud, wrong wayMoving applications to the cloud, right wayPlease do ask questions!
  • 4. CLOUD [kloud]nounNIST Definition (AKA SP800-145) • On demand, self-service • Broad network access • Resource pooling • Rapid elasticity • Measured (read: billable) service
  • 5. INFORMATION SECURITY[in-fer-mey-shuhn si-kyoor-i-tee]nounProtecting information and information systems fromunauthorized access, use, disclosure, disruption,modification, perusal, inspection, recording or destruction.See Also: Job Security
  • 6. Artist: Tyler, 11. Dortmund, Germany
  • 7. CLOUD BENEFITSMain benefit: FlexibilityPossible benefit: Cost savings
  • 8. CLOUD SECURITYCLIFF NOTES• Trust nobody• Encrypt everything• Expect service issues
  • 9. WHAT’S WRONG WITH FORKLIFTING?
  • 10. FORKLIFTING…“Datacenter” application to the cloud:• Can’t trust what you used to• Datacenter apps usually not flexible• Confidentiality, Integrity, Availability all handled differently
  • 11. ENTERPRISE vs CLOUD
  • 12. HOW ABOUT PAAS?
  • 13. LEVERAGING CLOUDARCHITECTUREHow can we (gently) re-architect to take advantage of thecloud?• Network• Web server• Application Server• Database server• Don’t forget audit/forensics!
  • 14. NETWORKGood: Limit by IPBetter: Allow administration viaVPN onlyBest: Admin interface on separatehost, VPN only Artist: Jonathan, Age 7 Heidelberg, Germany
  • 15. WEB/APP SERVERGood: Load balancing, “Basic” hardening (IP ACLs, onlyaccept GET/POST, server tuned for large loads). SSL’s cheapnowadaysBetter: Build Web Application Firewalls and reverse cachesinto your IaaS (mod_security’s free)Best: Use 3rd party services to handle load and minimizesecurity issues (CDNs like Akamai, Cloudflare)Required: Input filtering, output encoding.
  • 16. DATASTOREGood: Place DBs on separate host from application.Better: Place DBs in separate datacenters, and replicateBest: Migrate to a “NOSQL” datastore (Cassandra, MongoDB,ElasticSearch)Required: Encrypt data-at-rest
  • 17. NOSQL SECURITY?• Many NOSQL systems turn off even authentication• Data labeling or granular access needs to be handled in application. Artist: Luca, Italy
  • 18. INTER-PROCESSCOMMUNICATION Good: Whatever you’ve dreamt up, (cloud bullhorn?) at least encrypt it. Better: Use open protocols for communication between nodes. Make sure encryption is enabled! Best: Consider using message queues. Required, in case you missed it: encryption.
  • 19. LOGGING & FORENSICSWhat happens to logs when our scalable architecture…scales down?Cloud really really requires centralized logging, monitoring,and management.Also, consider erase vs. overwrite
  • 20. WHAT HAVE WEBUILT?• Scalable solution• No single point of failure• Healthy caution of all those around us (filtering/encoding)• Data stored and transmitted safely• And a nice set of audit logs for when Bad Things happen
  • 21. LEARN MORECloud Security AllianceOWASP Cloud top 10
  • 22. THANKS ANDCONTACT INFO“Bad People” drawings from http://badpeopleproject.orgFollow me on twitter: @johnlkinsella