Beyond the Hype: Understanding Cloud Security by Bryan D. Payne
Nebula Director of Security Research Bryan D. Payne explains why the cloud requires a different approach to application-level security at Cloud Computing Expo Santa Clara 2012.

Usage Rights: © All Rights Reserved

Speaker Notes

  • This slide should be done graphically, showing a timeline with the above events on it. Ideally, reveal the timeline one step at a time, leading up to something funny (but tasteful!) for the final point.
  • Before we get our hands too dirty, let’s think about what we mean by security!
  • The idea of this slide is to drill home the concept that security must come from the bottom up. In the cloud world, this means that you can’t – for example – trust inter-tenant isolation if you don’t trust the cloud software. You can’t trust the cloud software if you don’t trust the cloud provider. Etc…
  • Introduce a running example that we will use for the rest of the presentation. Tom is tasked with transitioning an internal corporate application into the cloud. The application has the following characteristics: highly variable workload requirements, sensitive data, different tenants that need strict firewalling for compliance reasons, etc. The working example could be a gene sequencing system in a hospital of the future?? We will then use this to understand the security questions you need to be asking as you think about the cloud.
  • For each of the following 5 questions, I’m thinking we should just have a slide with the question and one graphic / icon that depicts the question. Then, in the next section we can bring back the icons to demonstrate thinking about these 5 security questions as we make decisions about a cloud deployment.
  • Understand what you are trying to protect, and what the consequences would be if your protection failed. Think about CIA (confidentiality, integrity, availability) and think about the various pieces of your system (all of the pieces of your cloud application, data in various forms / places, what parts need to be accessible to whom, what parts need to be private, etc.).
  • How bad would it be if you had a security breach? How much are you willing to spend to prevent such a breach? Are you a state-run intelligence agency? Or are you hosting a family blog?
  • Who are you worried about breaking your security? The kid next door? Typical malware? Targeted corporate espionage from a competitor? A nation-state-level attacker?
  • Where in your system are you potentially vulnerable to attack? This could be from within the cloud. From the cloud provider. From a vulnerability in your cloud app. From a social engineering attack on your cloud account. From someone that finds a vulnerability in the cloud APIs and steals your credentials. Etc…
  • Discuss security tradeoffs (professionally maintained, but out in the open vs. behind your firewall and optionally professionally maintained) (auditability differences) (…)
  • If private, are you setting it up yourself? Or are you choosing a canned solution? If the former, do you have the expertise to get the security properties you need? If the latter, does your provider offer the security you need? How can you verify any of this? Discuss different options (AWS, Rackspace, HP, Nebula, OpenStack, Eucalyptus, OpenCloud, ???). Can your cloud prove to you that it is running the right software? Can your cloud allow you to monitor your own instances (network traffic, host monitoring, related logs from cloud services, etc.)?
  • “Security rapidly becoming a differentiator”, “Understand what you need and ensure you get that from your provider”, “Lots of choices”, “avoiding lock-in is always a plus”
  • 2-3 pictures of different cloud application architectures

Presentation Transcript

  • Beyond the Hype: Understanding Cloud Security for Your Application. Bryan D. Payne
  • To the cloud! • Learn all about cloud • Security concerns • This is hard! Bryan D. Payne, Director of Security Research, @bdpsecurity
  • Trust guest network? • Cloud provider • Attackers? • My security policies? • How to access my instances? • Where is my data? • Is there a right way? • Other cloud tenants • Etc…
  • Computer Security: What We Know
    Better                                   Worse
    Design for security from the start       Retrofit security when it's important
    Understand your threats                  Just make it secure
    Understand your goals                    Seriously, just add some security
    Pervasive security culture               That paranoid guy has it under control
  • Security Requires A Good Foundation
  • Security Needs System-Level Thinking
  • Example: Gene Sequence Analysis • Variable workload • Sensitive patient data • Regulatory compliance • Computational integrity • Multiple tenants • Billing
  • 4 SECURITY QUESTIONS
  • 1. What are you protecting? • Data • Computation • CIA – Confidentiality – Integrity – Availability
  • 2. What is your risk tolerance? • Mindset • Budget • Repercussions
  • 3. What are your threats? • Adware • Botnets • Spyware • Corporate Espionage • Nation State Attacks • Curious Neighbor
  • 4. What is your attack surface? • Network architecture • Cloud provider • Software config • API Usage • Users / Admins
  • CLOUD SECURITY
  • Public or Private (or Hybrid)? • Inside / outside firewall • Hardware / software control • Policy / regulation: allow public? • Professional management • Can't choose your neighbors • Physical control • Insight into software stack • APIs available on the Internet • Architectural specificity (the four question icons, protect / risk / threats / surface, are shown alongside)
  • What IaaS Provider? (the four question icons, protect / risk / threats / surface, are shown)
  • Key Points • Get IaaS-layer security from provider • Choose wisely, based on your needs
  • CLOUD APPLICATION SECURITY
  • What Does Your App Look Like?
  • Access to App: Who and How? • Other cloud tenants (e.g., guest network) • Cloud admin
  • Protecting App Data
  • Protecting App Computation
  • Unique Cloud App Security Concerns • Entropy is hard to come by • Be careful with reusing images • Rapid, code-driven deployment – keys stored inside your app, be careful • Data persistence is tricky
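Two of the concerns on that slide (keys baked into app code or images, and a starved entropy pool on a freshly booted guest) lend themselves to a pre-deployment gate. The script below is an added example, not code from the deck or from Nebula: it walks a deployment tree for private-key blocks, AWS-style access keys and hard-coded passwords, and reads the Linux kernel's entropy estimate. The secret patterns, the 1000-bit entropy floor and the sample tree it builds are illustrative assumptions; the `/proc/sys/kernel/random/entropy_avail` path is the real Linux interface.

```python
"""Pre-deployment checks for two cloud-specific concerns: secrets shipped
inside the app/image, and a near-empty entropy pool on a fresh guest.
Added example; not from the original presentation. The detection
heuristics and the entropy threshold are assumptions, not published figures."""
import os
import re
import tempfile

# Heuristics for material that should never live inside an image or repo.
# AKIA + 16 uppercase alphanumerics is the documented AWS access-key-id form;
# the password rule is a loose assumption meant to catch config files.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_password": re.compile(r"(?i)\b(?:password|passwd|secret)\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
}
MIN_ENTROPY_BITS = 1000  # assumed floor; older Linux pools report at most 4096
ENTROPY_PATH = "/proc/sys/kernel/random/entropy_avail"  # real Linux interface


def scan_tree(root):
    """Walk a directory tree and return sorted (relative path, line no, kind)
    tuples for every line that matches a secret pattern. Files that are not
    valid UTF-8 text are skipped rather than guessed at."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for kind, pattern in SECRET_PATTERNS.items():
                            if pattern.search(line):
                                findings.append((os.path.relpath(path, root), lineno, kind))
            except (UnicodeDecodeError, OSError):
                continue
    return sorted(findings)


def entropy_available(path=ENTROPY_PATH):
    """Return the kernel's estimate of pool entropy in bits, or None when the
    file is absent or unreadable (non-Linux host, restricted container)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def entropy_ok(bits, minimum=MIN_ENTROPY_BITS):
    """A guest cloned from an image often boots with almost no entropy;
    generating keys at that moment yields weak or blocking randomness.
    'Could not tell' (None) is treated as a failure, not a pass."""
    return bits is not None and bits >= minimum


def pre_deploy_report(root, entropy_path=ENTROPY_PATH):
    """Combine both checks into one go/no-go summary."""
    findings = scan_tree(root)
    bits = entropy_available(entropy_path)
    return {
        "secrets": findings,
        "entropy_bits": bits,
        "entropy_ok": entropy_ok(bits),
        "ship": not findings and entropy_ok(bits),
    }


def build_sample_tree():
    """Constructed sample deployment tree (not real data): one clean file that
    fetches its credential at runtime, and two files with baked-in secrets."""
    root = tempfile.mkdtemp(prefix="deploy_")
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "app.py"), "w") as fh:
        fh.write("import os\nDB_PASS = os.environ['DB_PASS']  # injected at runtime\n")
    with open(os.path.join(root, "config", "settings.ini"), "w") as fh:
        fh.write("[db]\npassword = 'hunter2hunter2'\n")
    with open(os.path.join(root, "config", "deploy_key.pem"), "w") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n"
                 "-----END RSA PRIVATE KEY-----\n")
    return root


if __name__ == "__main__":
    report = pre_deploy_report(build_sample_tree())
    for path, lineno, kind in report["secrets"]:
        print(f"SECRET {kind}: {path}:{lineno}")
    print(f"entropy: {report['entropy_bits']} bits, ok={report['entropy_ok']}")
    print("ship" if report["ship"] else "DO NOT SHIP")
```

Run it on a real checkout or a mounted image root instead of `build_sample_tree()`; the secret patterns are a starting point to extend with your own provider's key formats, and the entropy check belongs in the instance's first-boot hook, before any key generation runs.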
  • Key Points • Custom security is always hard • The right IaaS platform can help • Follow the community • Cloud isn't Legacy
  • PUTTING IT ALL TOGETHER
  • Cloud Provider Is Key • Understand what you need • Get the security you need at this level • Don't do this yourself (icons: Protecting? Risk tolerance? Threats? Attack surface?)
  • Cloud App Security is Specialized • Unique security concerns • Get expert help, if needed (icons: Protecting? Risk tolerance? Threats? Attack surface?)
  • Trends to Watch For • OpenStack Security Group https://launchpad.net/~openstack-ossg • Cloud Attestation http://wiki.openstack.org/OpenAttestation http://code.google.com/p/vmitools/ • Attack Surface Research https://cloudsecurityalliance.org/research/big-data/
  • Bryan D. Payne bryan.payne@nebula.com @bdpsecurity http://www.bryanpayne.org