Evolution of a secure cloud

Presentation for a webinar on 6/21/12 for the Atlantic Provinces Chapter of ISACA

  • Can you change the box build dynamic to go left to right… thanks. It is also fast, dynamic and information rich.

Presentation Transcript

  • The Atlantic Provinces Chapter of ISACA presents The Evolution of a Secure Cloud, June 21, 2012. Mike Kavis, VP of Architecture, Inmar
  • Your Speaker: Mike Kavis has been architecting solutions in the cloud since 2008 and was the CTO for startup M-Dot Network, which won the 2010 AWS Startup Challenge. Mike is now the VP of Architecture for Inmar, which purchased M-Dot in 2011, and is responsible for Inmar’s Digital Promotions PaaS. © 2012 Inmar, Inc. All Rights Reserved. Not to be reproduced or distributed without written permission from Inmar.
  • Some things might be better on premise! Source: http://geekandpoke.typepad.com/
  • Inmar’s Digital Promotion PaaS (diagram: Brand, Digital Publisher, Inmar’s Offer Network Exchange, Point of Sale, Digital Offers, Retailer, Clearinghouse, Mfg. Agent)
  • Continuous maturity & increased security over time (chart: amount of features, published APIs and self-service access plotted against security & regulatory requirements, through the stages POC, First Customer, IaaS, SaaS, National Network, and PaaS & Self Service (coming soon))
  • It all started with AWS and a credit card (POC)
  • IaaS – Areas of Responsibility (diagram splitting Consumer and Provider responsibilities among ID & Access Management, Application configuration, Application Authentication/Authorization, Server, OS, Storage and Network): outsourcing the security perimeter
  • Minimal Amount of Security for the POC
    • Data Center/Perimeter Security
    • AWS Keys
    • Basic application authorization and authentication
    • Standard LAMP AMI
  • Researched Security & Compliance Requirements
    • 13 Domains of Cloud Computing (https://cloudsecurityalliance.org/csaguide.pdf)
    • Based on our requirements, the feedback from security experts was:
      – Focus on ISO 27001 and PCI
      – All others are a subset
    • POS Traffic
      – Encrypt, compress, send over https
      – Chain, store and consumer level authentication
      – No credit card information on wire
      – No non-standard open ports
  • First Customer Launch (diagram: Coupon Portal, B2B Portal, Mobile Coupons, Reporting; SaaS; real time high speed transactions)
  • Moderate Amount of Security for Launch
    Challenges
    • Segregation of duties is impossible when there are 2 guys
    • Keeping up with patches was a challenge
    Decision Points
    • Just enough security for one client
    • Deployments were manageable manually
    • Consolidated work on fewer servers (light load)
    • Focused on application security (Authentication/Authorization)
  • SaaS – Areas of Responsibility (diagram splitting Consumer and Provider responsibilities among ID & Access Management, Application configuration, Application Authentication/Authorization, Server, OS, Storage and Perimeter): outsourcing the application
  • SaaS Considerations (still in startup mode)
    Data
    • Independent retailer databases
    • Encrypted in flight
    • Shopper ID masked
    Decision Points
    • Deployments were still manageable manually
    • Relied on IaaS and standard images
    • Basic monitoring
    • Patch when critical
    • Redundant across zones
  • National Network (diagram: Digital Incentives, Social Media, Analytics, Mobile, Advertising; PaaS; real time high speed transactions)
  • PaaS – Areas of Responsibility (diagram splitting Consumer and Provider responsibilities among ID & Access Management, Application configuration, Application Authentication/Authorization, Server, OS, Storage and Perimeter): outsourcing the application platform
  • Current Situation: acquired by Inmar, focused on security and scalability
    • 30+ person team
    • 4 person DevOps team
    • My focus is on the Platform, another VP owns the apps
    Decision Points
    • Pass audits, get certifications
    • Follow IT controls best practices
    • Distribute work across many nodes
    • Automate everything
    • Minimize access, segregation of duties
    • Intrusion detection and prevention
    • Patching strategy
  • Intrusion Detection and Prevention
    Lock down and remove unnecessary software and services
    • Operating System
    • Database
    • Application Server
    • Monitors and alerts for access attempts
    • Lock down production DB access – all non-API access on read-only slaves
    • All CRUD via APIs (data service layer) with credentials (* rare exceptions)
    Leverage AWS’s IAM (Identity and Access Management) services
    • Multiple security groups with different permissions
    • Multiple AWS Accounts (Prod, QA, R&D)
    • Chef scripts automate security in AMI creation
  • Restrict Access – Central Logging Strategy (diagram): Admins have total access; Developers access the log server only. Web Servers (DB Logs | App Svr Logs | Web Logs), API Servers (DB Logs | App Svr Logs | API Logs), Database Servers (DB Logs | App Svr Logs | App Logs) and Utility Servers (DB Logs | App Svr Logs | App Logs) ship their logs via SYSLOG to the Log Servers, which handle log centralization/prep and log search & analytics
  • SLA & Performance Management
  • Published APIs ???? (diagram: Digital Incentives, Social Media, Analytics, Mobile, Advertising; PaaS; real time high speed transactions)
  • Next on the List
    API 2.0
    • Versioning strategy
    • More advanced security
    • API access, key management, OAuth
    Self Service
    • Self register
    • Self subscribe and publish
    • Online payments
    • Hybrid clouds
    • Offload payments to a processor
  • Recommendations: Have a roadmap
    • Prioritize and chip away at the list
    • Make security tasks part of your sprint planning
    • Have a living, breathing security document because you will get asked for it daily
  • Recommendations: Think Differently
    • It’s just another data center, only you can’t see it.
    • Apply same best practices
    • Apply some new best practices for the cloud
    • Every problem has a solution
    Don’t be Mordac!
  • Questions
  • For more information: Mike Kavis, michael.kavis@inmar.com
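The POS traffic rules on the "Researched Security & Compliance Requirements" slide (encrypt, compress, send over https, no credit card information on the wire) as an added Python example; this is not code from the deck or from Inmar. The function names and the sample event are constructed for illustration, and TLS is assumed to come from the HTTPS client that transmits the prepared bytes.

```python
"""Outbound POS message guard (added example, not Inmar's code).

Enforces the deck's POS-traffic rules before a message leaves the store:
reject anything that carries a Luhn-valid card number (PAN), then compress.
Sending over https is left to the HTTP client; only the payload is prepared here.
"""
import json
import re
import zlib

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text carries a Luhn-valid 13-19 digit run (a likely card number).

    Long numeric fields (timestamps, IDs) can pass Luhn by chance, so message
    formats should keep such fields short or non-numeric to avoid false rejects.
    """
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def prepare_pos_message(event: dict) -> bytes:
    """Serialize a POS event, refuse it if a PAN is present, then zlib-compress it."""
    body = json.dumps(event, separators=(",", ":"), sort_keys=True)
    if contains_pan(body):
        raise ValueError("rejected: card number detected in POS payload")
    return zlib.compress(body.encode("utf-8"))


def decode_pos_message(blob: bytes) -> dict:
    """Receiver side: decompress and parse what prepare_pos_message produced."""
    return json.loads(zlib.decompress(blob).decode("utf-8"))
```

The check runs on the serialized form, so it catches a PAN wherever it appears in the event, including field names and nested values.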