Securing your Data in the Cloud Omer Trajman Sr. Dir. for Cloud and Virtualization Vertica Systems [email_address]

Something old…Something new Before we jump in what do we mean “ Cloud ?” Oh….and what do we mean “ securing ?” Plus ça change… Tools of the trade Key takeaways

Before we jump in what do we mean “ Cloud ?”

Oh….and what do we mean “ securing ?”

Plus ça change…

Tools of the trade

Key takeaways

What is….Cloud? What are Cloud Services? Other Peoples’ Software What are Cloud Platforms? Other Peoples’ Frameworks What is Cloud Infrastructure? Other Peoples’ Hardware

What are Cloud Services?

Other Peoples’ Software

What are Cloud Platforms?

Other Peoples’ Frameworks

What is Cloud Infrastructure?

Other Peoples’ Hardware

Security is a Tradeoff “ Security costs money, but it also costs in time, convenience, capabilities,… ” -Bruce Schneier Assess how important it is to secure your data What are the risks with in-house and cloud? Why not keep it under your mattress ?

“ Security costs money, but it also costs in time, convenience, capabilities,… ”

-Bruce Schneier

Assess how important it is to secure your data

What are the risks with in-house and cloud?

Why not keep it under your mattress ?

Data Security 101 Confidential and Proprietary Secure Communications On Disk Encryption Private Key Cryptography Timeliness of Data

Confidential and Proprietary

Secure Communications

On Disk Encryption

Private Key Cryptography

Timeliness of Data

History of Keeping Secrets Greeks use coded messages during wartime Manuscript for the Deciphering Cryptographic Messages was written circa 800 AD Computer Science was nurtured during the World Wars to keep communications secure In 1970 IBM invented DES for the NIST to support secure financial transactions In 1976 Diffie and Hellman introduced asymmetric key exchange

Greeks use coded messages during wartime

Manuscript for the Deciphering Cryptographic Messages was written circa 800 AD

Computer Science was nurtured during the World Wars to keep communications secure

In 1970 IBM invented DES for the NIST to support secure financial transactions

In 1976 Diffie and Hellman introduced asymmetric key exchange

What do we keep Secure Today? Most Security and Military Information Some Financial Data Some Personal Information Some Business Information

Most Security and Military Information

Some Financial Data

Some Personal Information

Some Business Information

Tools of the Trade Key Algorithms AES, Blowfish, RSA, DH Encryption in Place PGP, FileVault, Firmware Secure Transmission SSL, VPN, SSH Firewalls Comes with your OS

Key Algorithms

AES, Blowfish, RSA, DH

Encryption in Place

PGP, FileVault, Firmware

Secure Transmission

SSL, VPN, SSH

Firewalls

Comes with your OS

Securing the Cloud Create a VPN Firewall the host Encrypt the disk Consider where to keep sensitive data

Create a VPN

Firewall the host

Encrypt the disk

Consider where to keep sensitive data

Virtual Private Network Why Secure communication between your enterprise and cloud infrastructure What OpenVPN, Checkpoint, Cisco, CohesiveFT VPN

Why

Secure communication between your enterprise and cloud infrastructure

What

OpenVPN, Checkpoint, Cisco, CohesiveFT

Virtual Private Network How VPN Server in your enterprise Cloud machine configure to connect over VPN to a server in your enterprise Client keys deployed to cloud machines Challenges Provisioning VPN client software Key management for Cloud machines Failover if Cloud machines fail

How

VPN Server in your enterprise

Cloud machine configure to connect over VPN to a server in your enterprise

Client keys deployed to cloud machines

Challenges

Provisioning VPN client software

Key management for Cloud machines

Failover if Cloud machines fail

Why Guard against intrusion, enforce network policies What IaaS provided, OS Built-in, Checkpoint Firewall VPN

Why

Guard against intrusion, enforce network policies

What

IaaS provided, OS Built-in, Checkpoint

Firewall How For IaaS there is an API (e.g. Amazon EC2 groups) that controls network access Linux Firewall or iptables configuration Challenges Complex port requirements (e.g. ssh internally and https externally) Subtleties in configuration files can lead to a susceptible host

How

For IaaS there is an API (e.g. Amazon EC2 groups) that controls network access

Linux Firewall or iptables configuration

Challenges

Complex port requirements (e.g. ssh internally and https externally)

Subtleties in configuration files can lead to a susceptible host

Encryption Why Prevent malicious or accidental data leaks What Truecrypt, Encfs, CryptoFS, NTFS Encryption 1, Jonathan 2, Susan 3, David 03Wea91ab05841fe1oFVDxa2x99G

Why

Prevent malicious or accidental data leaks

What

Truecrypt, Encfs, CryptoFS, NTFS Encryption

Encryption How DIY – install an encrypted volume on the host May come as an IaaS option Challenges Key management Complicates host setup Incremental backup/recovery

How

DIY – install an encrypted volume on the host

May come as an IaaS option

Challenges

Key management

Complicates host setup

Incremental backup/recovery

What about Securing Resources? Don’t use passwords (use public/private keys) Open minimal ports (use dedicated servers) Monitor your system (tripwire, OSSEC) Use configuration tools (FireHOL, Bastille) Keep Backups (and keep them secure) Client Server Data

Don’t use passwords (use public/private keys)

Open minimal ports (use dedicated servers)

Monitor your system (tripwire, OSSEC)

Use configuration tools (FireHOL, Bastille)

Keep Backups (and keep them secure)

Future Developments Cloud offerings are constantly changing Management as a Service providers will facilitate setup configurations Security will become an integrated offering Best practices for Cloud security are growing out of enterprise and web security expertise

Cloud offerings are constantly changing

Management as a Service providers will facilitate setup configurations

Security will become an integrated offering

Best practices for Cloud security are growing out of enterprise and web security expertise

Key Takeaways Security is a trade off Use the same tools in the cloud VPN, Firewall, Encrypt…Detect and Backup Look for solutions from your provider Check your service agreement

Security is a trade off

Use the same tools in the cloud

VPN, Firewall, Encrypt…Detect and Backup

Look for solutions from your provider

Check your service agreement

References Twenty Rules for Amazon Cloud Security (George Reese, O’Reilly) Three tools to help you configure iptables (Chris Lynch, Linux.com) Disk Encryption Tools for Linux (Justin Krelc and Ed Tittel, All about Linux) VPN labs Amazon Security Whitepaper thank you – omer@vertica.com

Twenty Rules for Amazon Cloud Security (George Reese, O’Reilly)

Three tools to help you configure iptables (Chris Lynch, Linux.com)

Disk Encryption Tools for Linux

(Justin Krelc and Ed Tittel, All about Linux)

VPN labs

Amazon Security Whitepaper

thank you – omer@vertica.com