Securing the Cloud


Published on

This "mini" version of my CSA Congress talk about building a secure cloud was given at the San Francisco Cloud Security Meetup in November, 2011.

I got some great feedback while giving this talk, and will be applying it to an updated version of this deck which will be released during the CSA Congress, November 15th and 16th 2011.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • TITLE MIS Training Institute Section # - Page XXXXXX XXX ©
  • TITLE MIS Training Institute Section # - Page XXXXXX XXX ©
  • TITLE MIS Training Institute Section # - Page XXXXXX XXX ©
  • TITLE MIS Training Institute Section # - Page XXXXXX XXX ©
  • TITLE MIS Training Institute Section # - Page XXXXXX XXX ©
  • TITLE MIS Training Institute Section # - Page XXXXXX XXX ©
  • Securing the Cloud

    1. 1. Building a Secure Cloud SF Cloud Security Meetup 11/3/0211
    2. 2. Intro
    3. 3. Why?
    4. 4. Why? From
    5. 5. Required functionality <ul><li>“ Basic” pieces: </li></ul><ul><ul><li>Highly available infrastructure (HVM+Net+Storage) </li></ul></ul><ul><li>Security pieces: </li></ul><ul><ul><li>Encryption </li></ul></ul><ul><ul><li>Intrusion detection </li></ul></ul><ul><ul><li>Security monitoring </li></ul></ul>
    6. 6. Security Monitoring <ul><li>Centralized log management is a must. </li></ul><ul><li>As the cloud grows, the amount of data to process will be huge. </li></ul><ul><li>You need a system with relatively low false-positive rate. </li></ul>
    7. 7. Building a secure cloud <ul><li>Setup hardware – lab first, if possible </li></ul><ul><li>Select software </li></ul><ul><li>Trial period </li></ul><ul><li>Move to production </li></ul>
    8. 8. Practice Makes Perfect <ul><li>If you do this right, you will build, tear down, and rebuild this cloud several times as you learn from your (and your vendors) mistakes. </li></ul>
    9. 9. Who Do You Trust? <ul><li>Who do you trust to build your secure cloud? </li></ul><ul><ul><li>Yourself </li></ul></ul><ul><ul><li>Your staff </li></ul></ul><ul><ul><li>3 rd party security/cloud professionals </li></ul></ul><ul><ul><li>Vendor support staff? </li></ul></ul>
    10. 10. Who Do You Trust From a vendor’s website:
    11. 11. Who Do You Trust?
    12. 12. Setup Basics <ul><li>Harden Hypervisor OS </li></ul><ul><li>Layer Security </li></ul><ul><li>Use an automation suite </li></ul>
    13. 13. Selecting a Cloud Platform <ul><li>Create a list of possible packages </li></ul><ul><li>Look for security features in each </li></ul><ul><li>Legwork – how have the maintainers treated security? </li></ul><ul><li>Pick two or three to test out </li></ul><ul><li>Trial period is mandatory . </li></ul>
    14. 14. Trial Period <ul><li>Incorrect: </li></ul><ul><li>Get software </li></ul><ul><li>Install software </li></ul><ul><li>Test functionality </li></ul>
    15. 15. Trial Period <ul><li>Incorrect: </li></ul><ul><li>Get software </li></ul><ul><li>Install software </li></ul><ul><li>Test functionality </li></ul><ul><li>Correct: </li></ul><ul><li>Get software </li></ul><ul><li>Review software </li></ul><ul><li>Install while monitoring </li></ul><ul><li>Understand results of installation </li></ul><ul><li>Test functionality </li></ul><ul><li>Test security </li></ul><ul><li>… </li></ul><ul><li>Profit </li></ul>
    16. 16. Review Software <ul><li>If you’re lucky, your chosen software is either open-source or is at least human-readable. </li></ul><ul><li>Some things to look at: </li></ul><ul><ul><li>Installer scripts </li></ul></ul><ul><ul><li>Startup scripts </li></ul></ul><ul><ul><li>Default configurations </li></ul></ul><ul><ul><li>Cronjobs or other automated processes </li></ul></ul><ul><ul><li>Main application </li></ul></ul><ul><ul><li>Inter-system connectivity </li></ul></ul>
    17. 17. Review Software <ul><li>Ask: </li></ul><ul><ul><li>What does this code do to my already hardened system? Are firewalls disabled, or security measures removed? </li></ul></ul><ul><ul><li>What new software (and potential vulnerabilities) does it install? </li></ul></ul><ul><ul><li>What exactly is the code doing? </li></ul></ul><ul><ul><li>Is the application more trusting than it should be? </li></ul></ul><ul><ul><li>Where was the developer lazy? </li></ul></ul>
    18. 18. Code Review
    19. 19. Monitor The Installation <ul><li>The installation environment is yours – control it. </li></ul><ul><ul><li>Capture a log of the installation process </li></ul></ul><ul><ul><li>Make sure IDS capture any changes made during installation </li></ul></ul><ul><ul><li>With your initial security configuration, the initial installation will probably not be successful. </li></ul></ul>
    20. 20. Review Gathered Intelligence <ul><li>Review the results of the install </li></ul><ul><ul><li>Look for errors during installation </li></ul></ul><ul><ul><li>Some can be fixed by loosening security controls </li></ul></ul><ul><ul><li>Some must be fixed by vendor </li></ul></ul>
    21. 21. Test Security <ul><li>Standard security testing scenario: The app is insecure, question is if you have enough resources to find the weakness. </li></ul><ul><ul><li>Low-hanging fruit: SQL Injection, XSS, lack of encryption, default values </li></ul></ul><ul><ul><li>Sweeter fruit: buffer overflows, non-standard (read: “bad”) encryption, bad resource handling </li></ul></ul><ul><ul><li>Do some threat modeling </li></ul></ul>
    22. 22. Test Security <ul><li>Network scan – Do a thorough scan, not just looking for known ports. Make sure you know where the application is listening, and what your firewall is allowing. </li></ul><ul><li>Vulnerability Scanner – applications that leverage open-source packages may come with known vulnerabilities </li></ul><ul><li>Don’t just perform network-based tests – test from on the box as well. </li></ul><ul><li>Fuzzing – when you find a particular input that looks like it was developed in-house without common libraries, throw a fuzzer at it. </li></ul>
    23. 23. Test Security
    24. 24. Sound familiar? <ul><li>I’ve basically described a Secure Software Development Lifecycle (Secure SDLC) </li></ul><ul><li>As your organization grows in size, you’ll want to adopt several standardized processes: </li></ul><ul><ul><li>Security reviews </li></ul></ul><ul><ul><li>Test, build, and release processes </li></ul></ul>
    25. 25. Operations – Who Do You Trust? <ul><li>How do you keep your new cloud running smoothly? </li></ul><ul><ul><li>Monitor security and performance </li></ul></ul><ul><ul><li>Keep systems up-to-date </li></ul></ul><ul><ul><li>Troubleshoot issues as they arise </li></ul></ul>
    26. 26. Operations – Who Do You Trust?
    27. 27. <ul><li>Follow a SSDLC (design, build, test, and run with security in mind) </li></ul><ul><li>Be confident in your security – have statistics and test results to confirm your state of security. </li></ul><ul><li>Do not trust vendors </li></ul>Summary
    28. 28. Stay in Touch <ul><li>Email – [email_address] </li></ul><ul><li>Twitter - @johnlkinsella </li></ul>