Cloud Passage - Securing Servers in Public & Hybrid Clouds
 
RightScale Conference Santa Clara 2011: Cloud computing is one of the most disruptive new technologies since the Internet. One of the fastest-growing sectors of cloud computing is infrastructure-as-a-service (IaaS). Cloud-based IaaS offers tremendous scalability, flexibility and speed in deploying information processing compute resources. Security and compliance remain major challenges to adoption of public cloud infrastructure hosting. Technical differences in public cloud environments render many established security models and controls inoperable. In this session, Carson Sweet will discuss why security and compliance are different in the cloud, outline a model for securing cloud-based hosting environments and explain best practices for implementing this model.

Presentation Transcript

  • Securing Servers in Public & Hybrid Clouds
    Carson Sweet, CEO, CloudPassage
    RightScale User Conference
    © 2011 CloudPassage Inc.
  • What’s So Different?
    • Servers used to be highly isolated
      – Bad guys clearly on the outside
      – Layers of perimeter security
      – Poor configurations were tolerable
    • Cloud servers more exposed
      – Outside of perimeter protections
      – Little network control or visibility
      – No idea who’s next door
    • Sprawling, multiplying exposures
      – Rapidly growing attack surface area
      – More servers = more vulnerabilities
      – More servers ≠ more people
    • Fraudsters target cloud servers
      – Softer targets to penetrate
      – No perimeter defenses to thwart
      – Elasticity = more botnet to sell
    [Diagram, built up over four slides: servers www-1 through www-10 moving from the private datacenter into the public cloud]
  • Got Cloud Servers? You Are On The Hook!
    AWS Shared Responsibility Model (source: Amazon Web Services: Overview of Security Processes)
    – Customer responsibility: Data, App Code, App Framework, Operating System, Virtual Machine
    – Provider responsibility: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
    “…the customer should assume responsibility and management of, but not limited to, the guest operating system… and associated application software…”
    “…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
  • How To Secure Cloud Servers
    Servers in hybrid and public clouds must be self-defending with highly automated controls like…
    – Dynamic network access control
    – Server compromise & intrusion alerting
    – Configuration and package security
    – Server forensics and security analytics
    – Server account visibility & control
    – Integration & automation capabilities
  • Architectural Challenges
    • Inconsistent Control (you don’t own everything)
      – The only thing you can count on is guest VM ownership
    • Elasticity (not all servers are steady-state)
      – Cloudbursting, stale servers, dynamic provisioning
    • Scalability (handle variable workloads)
      – May have one dev server or 1,000 number-crunchers
    • Portability (same controls work anywhere)
      – Nobody wants multiple tools or IaaS provider lock-in
  • How We Did It: Halo™ Architecture
    • Halo Daemon
      – Ultra light-weight software
      – Installed on server image
      – Automatically provisioned
    • Halo Compute Grid
      – Elastic compute grid
      – Hosted by CloudPassage
      – Does the heavy lifting for the Halo Daemons (95% or more cycles)
    [Diagram: Halo Daemon on server www-1 communicating with the Halo Compute Grid]
  • Halo™ Architecture: data flow
    [Diagram, built up over five slides: Halo Daemon on www-1 ⇄ https ⇄ RESTful API Gateway ⇄ Halo Compute Grid; User Portal ⇄ https ⇄ CloudPassage; the links carry Halo policies, commands and reports]
    – Halo policies & commands
    – Halo results & updates
    – Halo state and event analysis
    – Halo alerts, reports and trending
  • Halo™ Functional Capabilities
    Halo is a security Software-as-a-Service providing all you need to secure your cloud servers.
    – Dynamic network access control
    – Server compromise & intrusion alerting
    – Configuration and server package security
    – Halo GhostPorts access control
    – Server account visibility & control
    – Halo REST API for integration & automation
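The capability list above (configuration and package security, account visibility, intrusion alerting) and the daemon/grid split on the architecture slides can be illustrated with a small collector/evaluator pair. This is an added example, not CloudPassage's Halo code and not its policy format: the agent side only parses cheap host facts, the central side owns the policy and produces findings. The rule names, policy keys, hostname www-1 and every line of host data are constructed for the illustration.

```python
"""Added example, not CloudPassage's Halo code: a minimal collector/evaluator
split in the spirit of the daemon + compute-grid design on the slides.
Hostnames, policy values and host data are all constructed."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    hostname: str
    accounts: list       # one dict per account: name, uid, shell, locked
    listeners: set       # (proto, port) pairs
    packages: dict       # package name -> version string
    config_hashes: dict  # file path -> sha256 hex of current contents


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def build_snapshot(hostname, passwd_text, shadow_text, ss_lines, packages, config_files):
    """Agent side: parse /etc/passwd, /etc/shadow and 'ss -ltn'-style output.
    No policy knowledge lives here, which is what keeps the agent light."""
    locked = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, hashed = line.split(":")[:2]
            locked[name] = hashed.startswith(("!", "*"))   # password disabled
    accounts = []
    for line in passwd_text.splitlines():
        if line.strip():
            name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
            accounts.append({"name": name, "uid": int(uid), "shell": shell,
                             "locked": locked.get(name, True)})
    listeners = set()
    for line in ss_lines:
        fields = line.split()
        if fields and fields[0] == "LISTEN":              # local address is field 3
            listeners.add(("tcp", int(fields[3].rsplit(":", 1)[1])))
    hashes = {path: sha256_hex(body) for path, body in config_files.items()}
    return HostSnapshot(hostname, accounts, listeners, packages, hashes)


def version_tuple(version):
    # '0.9.8k' -> (0, 9, 8); enough for a minimum-version comparison
    return tuple(int(n) for n in re.findall(r"\d+", version))


def evaluate(snap, policy):
    """Grid side: compare one snapshot against the policy, return findings."""
    findings = []

    def add(severity, rule, detail):
        findings.append({"host": snap.hostname, "severity": severity,
                         "rule": rule, "detail": detail})

    for acct in snap.accounts:
        if acct["uid"] == 0 and acct["name"] not in policy["allowed_uid0"]:
            add("critical", "uid0-account", acct["name"])
        interactive = acct["shell"] not in policy["non_interactive_shells"]
        if (interactive and not acct["locked"]
                and acct["name"] not in policy["interactive_allowlist"]):
            add("high", "interactive-account", acct["name"])
    for proto, port in sorted(snap.listeners - policy["allowed_listeners"]):
        add("high", "unexpected-listener", "%s/%d" % (proto, port))
    for name, minimum in policy["min_versions"].items():
        if name in snap.packages and version_tuple(snap.packages[name]) < minimum:
            add("medium", "outdated-package", "%s %s" % (name, snap.packages[name]))
    for path, expected in policy["config_baseline"].items():
        if snap.config_hashes.get(path) != expected:
            add("medium", "config-drift", path)
    return findings


# --- constructed sample policy and host data (not from any real host) -------
SSHD_BASELINE = "PermitRootLogin no\nPasswordAuthentication no\n"
POLICY = {
    "allowed_uid0": {"root"},
    "non_interactive_shells": {"/usr/sbin/nologin", "/bin/false"},
    "interactive_allowlist": {"root", "deploy"},
    "allowed_listeners": {("tcp", 22), ("tcp", 443)},
    "min_versions": {"openssl": (1, 0, 1)},
    "config_baseline": {"/etc/ssh/sshd_config": sha256_hex(SSHD_BASELINE)},
}
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
          "deploy:x:1000:1000::/home/deploy:/bin/bash\n"
          "backdoor:x:0:0::/root:/bin/bash\n"          # second UID 0 account
          "guest:x:1001:1001::/home/guest:/bin/bash\n")
SHADOW = ("root:$6$constructed1\ndaemon:*\ndeploy:$6$constructed2\n"
          "backdoor:$6$constructed3\nguest:!\n")
SS_LINES = ["LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",
            "LISTEN 0 128 0.0.0.0:443 0.0.0.0:*",
            "LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*"]    # database port exposed
PACKAGES = {"openssl": "0.9.8k", "nginx": "1.0.5"}
CONFIG_FILES = {"/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n"}


def sample_findings():
    """Five findings for www-1: uid0-account, interactive-account,
    unexpected-listener, outdated-package and config-drift."""
    snap = build_snapshot("www-1", PASSWD, SHADOW, SS_LINES, PACKAGES, CONFIG_FILES)
    return evaluate(snap, POLICY)
```

The design point is the split itself: the snapshot is a few kilobytes of facts the host can produce in milliseconds, while the policy, the baseline hashes and the comparison logic stay central, so tightening a rule changes nothing on the fleet and a compromised host cannot read the policy it is being judged against.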
  • Portable = “Works Anywhere”
    • Single pane of glass across hosting models
    • Scales and bursts with dynamic cloud environments
    • Not dependent on chokepoints, static networks or fixed IPs
    • Agnostic to cloud provider, hypervisor or hardware
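An added illustration (not CloudPassage or Halo code) of what “not dependent on chokepoints, static networks or fixed IPs” means for host-based network control: the access policy names server groups rather than addresses, and each host's inbound rule set is recompiled whenever group membership changes, so bursting in a new server or retiring one yields a rule delta for the affected hosts instead of a manual firewall edit. Group names, addresses and the policy are constructed; the iptables-save syntax is only rendered here, never applied.

```python
"""Added example, not CloudPassage's code: a group-based inbound policy
compiled into per-host rules, recompiled as the fleet changes. The fleet,
groups and policy below are constructed for the illustration."""


def host_groups(host_ip, membership):
    """Groups the host currently belongs to (membership: group -> set of IPs)."""
    return {group for group, members in membership.items() if host_ip in members}


def compile_inbound(host_ip, membership, policy):
    """Render an ordered INPUT chain for one host from the group policy.
    Policy entries: {"from": group, "to": group or "*", "proto", "port"}.
    Rules are in iptables-save syntax but only returned, never loaded."""
    mine = host_groups(host_ip, membership)
    rules = [
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for entry in policy:
        if entry["to"] != "*" and entry["to"] not in mine:
            continue                      # this entry does not apply to us
        for src in sorted(membership.get(entry["from"], ())):
            rules.append("-A INPUT -s %s/32 -p %s --dport %d -j ACCEPT"
                         % (src, entry["proto"], entry["port"]))
    rules.append("-A INPUT -j DROP")      # default deny on the host itself
    return rules


def rule_diff(old, new):
    """(added, removed): what the host's agent must change to reach `new`."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


# --- constructed fleet and policy -------------------------------------------
NET_POLICY = [
    {"from": "lb", "to": "web", "proto": "tcp", "port": 443},
    {"from": "web", "to": "db", "proto": "tcp", "port": 3306},
    {"from": "admin", "to": "*", "proto": "tcp", "port": 22},
]
MEMBERSHIP = {
    "lb": {"10.0.0.5"},
    "web": {"10.0.1.11", "10.0.1.12"},
    "db": {"10.0.2.21"},
    "admin": {"10.0.9.2"},
}


def scale_out_demo():
    """Burst in web server 10.0.1.13 and retire 10.0.1.11; return the delta
    the db host (10.0.2.21) must apply: one rule added, one removed."""
    before = compile_inbound("10.0.2.21", MEMBERSHIP, NET_POLICY)
    after_membership = dict(MEMBERSHIP, web={"10.0.1.12", "10.0.1.13"})
    after = compile_inbound("10.0.2.21", after_membership, NET_POLICY)
    return rule_diff(before, after)
```

Because the policy is expressed in groups, the same three entries produce correct rules for a host in any provider or subnet; only the membership table, which an orchestration layer already knows, varies per environment.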
  • RightScale Integration
    • Deployment via RightScript (today)
      – Extremely easy access to cloud server security
      – Included in template = automatic security
      – No other cloud management console can do this
    • Self-Securing Server Templates (in R&D phase)
      – CloudPassage IDs exposures & compliance issues
      – RightScale consumes data, fixes issues via RightScripts
      – New and existing servers become compliant “on the fly”
  • Questions? Comments? Ideas?