Beyond the Hype: Understanding Cloud Security by Bryan D. Payne
Nebula Director of Security Research Bryan D. Payne explains why the cloud requires a different approach to application-level security at Cloud Computing Expo Santa Clara 2012.

Notes
  • This slide should be done graphically showing a timeline with the above events on them. Ideally, reveal the timeline one step at a time, leading up to something funny (but tasteful!) for the final point
  • Before we get our hands too dirty, let’s think about what we mean by security!
  • The idea of this slide is to drill home the concept that security must come from the bottom up. In the cloud world, this means that you can’t – for example – trust inter-tenant isolation if you don’t trust the cloud software. You can’t trust the cloud software if you don’t trust the cloud provider. Etc…
  • Introduce a running example that we will use for the rest of the presentation. Tom is tasked with transitioning an internal corporate application into the cloud. The application has the following characteristics: highly variable workload requirements, sensitive data, different tenants need strict firewalling for compliance reasons, etc. Working example could be a gene sequencing system in a hospital of the future?? We will then use this to understand the security questions you need to be asking as you think about the cloud.
  • For each of the following 5 questions, I’m thinking we should just have a slide with the question and one graphic / icon that depicts the question. Then, in the next section we can bring back the icons to demonstrate thinking about these 5 security questions as we make decisions about a cloud deployment.
  • Understand what you are trying to protect. And what would be the consequences if your protection failed. Think about CIA (confidentiality, integrity, availability) and think about the various pieces of your system (all of the pieces of your cloud application, data in various forms / places, what parts need to be accessible to whom, what parts need to be private, etc)
  • How bad would it be if you had a security breach. How much are you willing to spend to prevent such a breach. Are you a state-run intelligence agency? Or are you hosting a family blog?
  • Who are you worried about breaking your security? The kid next door? Typical malware? Targeted corporate espionage from a competitor. Nation state level attacker?
  • Where in your system are you potentially vulnerable to attack. This could be from within the cloud. From the cloud provider. From a vulnerability in your cloud app. From a social engineering attack on your cloud account. From someone that finds a vulnerability in the cloud APIs and steals your credentials. Etc…
  • Discuss security tradeoffs (professionally maintained, but out in the open vs. behind your firewall and optionally professionally maintained) (auditability differences) (…)
  • If private, are you setting it up yourself? Or are you choosing a canned solution? If the former, do you have the expertise to get the security properties you need? If the latter, does your provider offer the security you need? How can you verify any of this? Discuss different options (AWS, Rackspace, HP, Nebula, OpenStack, Eucalyptus, OpenCloud, ???). Can your cloud prove that it is running the right software to you? Can your cloud allow you to monitor your own instances (network traffic, host monitoring, related logs from cloud services, etc)?
  • “Security rapidly becoming a differentiator”, “Understand what you need and ensure you get that from your provider”, “Lots of choices”, “avoiding lock-in is always a plus”
  • 2-3 pictures of different cloud application architectures
Transcript of "Beyond the Hype: Understanding Cloud Security by Bryan D. Payne"

    1. Beyond the Hype: Understanding Cloud Security for Your Application. Bryan D. Payne
    2. To the cloud! Learn all about cloud. Security concerns. This is hard! Bryan D. Payne, Director of Security Research, @bdpsecurity
    3. Trust guest network? Cloud provider? Attackers? My security policies? How to access my instances? Where is my data? Other cloud tenants? Is there a right way? Etc…
    4. Computer Security: What We Know
       • Design for security from the start (better) vs. Retrofit security when it’s important (worse)
       • Understand your threats (better) vs. Just make it secure (worse)
       • Understand your goals (better) vs. Seriously, just add some security (worse)
       • Pervasive security culture (better) vs. That paranoid guy has it under control (worse)
    5. Security Requires A Good Foundation
    6. Security Needs System-Level Thinking
    7. Example: Gene Sequence Analysis
       • Variable workload
       • Sensitive patient data
       • Regulatory compliance
       • Computational integrity
       • Multiple tenants
       • Billing
    8. 4 SECURITY QUESTIONS
    9. 1. What are you protecting?
       • Data
       • Computation
       • CIA
         – Confidentiality
         – Integrity
         – Availability
    10. 2. What is your risk tolerance?
       • Mindset
       • Budget
       • Repercussions
    11. 3. What are your threats?
       • Adware
       • Botnets
       • Spyware
       • Corporate Espionage
       • Nation State Attacks
       • Curious Neighbor
    12. 4. What is your attack surface?
       • Network architecture
       • Cloud provider
       • Software config
       • API Usage
       • Users / Admins
    13. CLOUD SECURITY
    14. Public or Private (or Hybrid)?
       • Protecting: Inside / Outside Firewall; Hardware / software control
       • Risk tolerance: Policy / regulation allow public?; Professional management
       • Threats: Can’t choose your neighbors; Physical control; Insight into software stack
       • Attack surface: APIs available on the Internet; Architectural specificity
    15. What IaaS Provider? (Protecting? Risk tolerance? Threats? Attack surface?)
    16. Key Points
       • Get IaaS-layer security from provider
       • Choose wisely, based on your needs
    17. CLOUD APPLICATION SECURITY
    18. What Does Your App Look Like?
    19. Access to App: Who and How? Other cloud tenants (e.g., guest network). Cloud admin.
    20. Protecting App Data
    21. Protecting App Computation
    22. Unique Cloud App Security Concerns
       • Entropy is hard to come by
       • Be careful with reusing images
       • Rapid, code-driven deployment
         – Keys stored inside your app, be careful
       • Data persistence is tricky
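The slide's concerns (keys baked into the app, reused images carrying per-instance identity, thin entropy on a fresh VM) are the kind of thing a pre-deployment check can catch. The following is an added example, not code from the deck: a small scanner over a bundle represented as a path-to-content dictionary. The sample files, the credential-name heuristics and the 256-bit entropy floor are all constructed assumptions for the example; the AWS access key ID shape (AKIA plus 16 characters) is the publicly documented format.

```python
"""Pre-deployment scan of an application bundle / image tree for the
secret-handling mistakes the slide warns about.

Added example, not code from the deck. The file contents in SAMPLE_BUNDLE
are constructed; the regexes are generic heuristics, not any product's rules.
"""
import re
from typing import Dict, List, Tuple

# Material that must never ship inside an image or application tree.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # AWS access key IDs use the well-known AKIA + 16 characters shape.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# "NAME = value" / "name: value" lines whose name suggests a credential.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?im)^\s*\w*(?:password|passwd|secret|token)\w*\s*[=:]\s*(\S+)"
)
# Values that reference the environment or a template are fine: the secret
# is injected at deploy time instead of being baked into the bundle.
REFERENCE_PREFIXES = ("$", "{{", "os.environ", "os.getenv")

# Per-instance identity that a reusable image must not carry, or every VM
# booted from it ends up with the same SSH host key / the same admin key.
PER_INSTANCE_FILES = (
    "/etc/ssh/ssh_host_rsa_key",
    "/etc/ssh/ssh_host_ecdsa_key",
    "/etc/ssh/ssh_host_ed25519_key",
    "/root/.ssh/authorized_keys",
)


def _is_reference(value: str) -> bool:
    return value.strip("'\"").startswith(REFERENCE_PREFIXES)


def scan_bundle(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return sorted (path, finding) pairs for a {path: content} bundle."""
    findings = set()
    for path, content in files.items():
        if path in PER_INSTANCE_FILES:
            findings.add((path, "per_instance_file_in_image"))
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.add((path, name))
        for match in CREDENTIAL_ASSIGNMENT.finditer(content):
            if not _is_reference(match.group(1)):
                findings.add((path, "hardcoded_credential"))
    return sorted(findings)


def entropy_reading_ok(entropy_avail_text: str, minimum: int = 256) -> bool:
    """Check a reading of /proc/sys/kernel/random/entropy_avail before
    generating keys on a freshly booted instance. The 256-bit floor is an
    assumption for this example, not a figure from the deck."""
    return int(entropy_avail_text.strip()) >= minimum


# Constructed sample bundle (not real files or credentials).
SAMPLE_BUNDLE = {
    "app/config.py": "DB_HOST = 'db.internal'\nDB_PASSWORD = 'changeme'\n",
    "app/main.py": "import os\nDB_PASSWORD = os.environ['DB_PASSWORD']\n",
    "app/.env": (
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\n"
        "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(constructed placeholder, not key material)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "/etc/ssh/ssh_host_rsa_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for path, finding in scan_bundle(SAMPLE_BUNDLE):
        print(f"{finding:28} {path}")
```

Note how `app/main.py` produces no finding: reading the password from the environment at start-up is exactly the pattern the slide asks for, while the literal in `app/config.py`, the key ID in `.env` and the baked-in SSH host key are the cases that should fail the build.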
    23. Key Points
       • Custom security is always hard
       • The right IaaS platform can help
       • Follow the community
       • Cloud isn’t Legacy
    24. PUTTING IT ALL TOGETHER
    25. Cloud Provider Is Key
       • Understand what you need
       • Get the security you need at this level
       • Don’t do this yourself
       (Protecting? Risk tolerance? Threats? Attack surface?)
    26. Cloud App Security is Specialized
       • Unique security concerns
       • Get expert help, if needed
       (Protecting? Risk tolerance? Threats? Attack surface?)
    27. Trends to Watch For
       • OpenStack Security Group: https://launchpad.net/~openstack-ossg
       • Cloud Attestation: http://wiki.openstack.org/OpenAttestation and http://code.google.com/p/vmitools/
       • Attack Surface Research: https://cloudsecurityalliance.org/research/big-data/
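The speaker notes ask "Can your cloud prove that it is running the right software to you?", and slide 27 points at cloud attestation as the trend that answers it. As an added illustration of what the verifier side of that looks like (this is not the deck's code and not OpenAttestation's API), the block below replays a measured-boot style event log and checks it against an allowlist and a quoted register value. The TPM-style extend rule (new = SHA-256(old || event digest), starting from 32 zero bytes) is the assumed register model; the component names, digests and quotes are constructed, and checking the quote's signature, which is what ties the value to hardware, is left out.

```python
"""Verifier side of a measured-boot style attestation check.

Added example, not code from the deck and not OpenAttestation's API. It
assumes a TPM-style register: reg' = SHA-256(reg || event_digest), starting
from 32 zero bytes. The event log, allowlist and "quoted" values below are
constructed; verifying the quote's signature is out of scope here.
"""
import hashlib
from typing import Dict, List, Set, Tuple

Event = Tuple[str, bytes]  # (component name, SHA-256 of what was loaded)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, event_digest: bytes) -> bytes:
    """One-way, order-sensitive extend: a log cannot be reordered or edited
    without changing the final register value."""
    return sha256(register + event_digest)


def replay_log(log: List[Event]) -> bytes:
    """Recompute the register value a log claims to describe."""
    register = b"\x00" * 32
    for _component, digest in log:
        register = extend(register, digest)
    return register


def verify_attestation(log: List[Event], quoted: bytes,
                       allowlist: Dict[str, Set[bytes]]) -> Tuple[bool, List[str]]:
    """Two checks: every measured component is a known-good build, and the
    log actually reproduces the register value the platform quoted."""
    problems = []
    for component, digest in log:
        if digest not in allowlist.get(component, set()):
            problems.append(
                f"{component}: measurement {digest.hex()[:16]}... not in allowlist")
    if replay_log(log) != quoted:
        problems.append("event log does not reproduce the quoted register value")
    return not problems, problems


# Constructed known-good builds and the allowlist derived from them.
GOOD_LOG: List[Event] = [
    ("bootloader", sha256(b"bootloader build 1")),
    ("kernel", sha256(b"kernel build 1")),
    ("cloud-agent", sha256(b"cloud-agent build 1")),
]
ALLOWLIST = {component: {digest} for component, digest in GOOD_LOG}
GOOD_QUOTE = replay_log(GOOD_LOG)

# A host that booted a modified kernel: its register reflects what really ran.
MODIFIED_LOG: List[Event] = [
    GOOD_LOG[0],
    ("kernel", sha256(b"kernel build 1 + unexpected change")),
    GOOD_LOG[2],
]
MODIFIED_QUOTE = replay_log(MODIFIED_LOG)

if __name__ == "__main__":
    print(verify_attestation(GOOD_LOG, GOOD_QUOTE, ALLOWLIST))
    # Honest log from the modified host: caught by the allowlist check.
    print(verify_attestation(MODIFIED_LOG, MODIFIED_QUOTE, ALLOWLIST))
    # Modified host presenting the good log: caught by the replay check.
    print(verify_attestation(GOOD_LOG, MODIFIED_QUOTE, ALLOWLIST))
```

The two failure cases show why both checks are needed: an honest log from a changed host trips the allowlist, while a host that presents a clean-looking log is caught because the quoted register does not match what that log replays to. Without the signature over the quote, a tenant could not distinguish the provider's register from a value the provider made up, which is the gap the attestation projects on the slide are meant to close.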
    28. Bryan D. Payne, bryan.payne@nebula.com, @bdpsecurity, http://www.bryanpayne.org