Look Ma' No Hands - Automating Security the RightScale Way

RightScale Conference Santa Clara 2011: In the cloud, “manual” means “not doing it.” This session will provide guidance on how to automate portions of your security program using the RightScale Cloud Management Platform. Since we use RightScale to manage RightScale, most of the discussion will focus on what we are doing to accomplish the task of “automating security.” At the end of the session, you will have some very specific action items that you can take back to your environment to implement.

  • Poor application security leading to injection: SQL injection was one of the top exploits in the Verizon Data Breach Report.
    Poor system configurations, leading to system compromise: note the recent Windows RDP "exploit" (RDP left open, with Administrator having a well-known password).
    Poor application configuration leading to application compromise: browsers that run scripts automatically.
    Poor user habits leading to compromised credentials that are then used to access data: users who click on attachments (Zeus bot, FakeAV, etc.).
  • Considerations: TCP/UDP paths are not guaranteed!
    From source to destination (initial loads or updates): across public networks or private?
    Once in the "cloud": within the Cloud Provider (CP) network where data is stored; crossing the CP network where data is stored; within the hypervisor.
    Can someone:
    View or modify it? Yes, whether unencrypted or encrypted with keys. So encrypt it, and protect the keys.
    Deny it? Yes, by packet manipulation. No way to prevent this; you can use reliable transports and dedicated connections.
  • Can someone:
    View or modify it? Yes, whether unencrypted or encrypted with keys. So encrypt it, and protect the keys.
    Deny it? Yes, through local system access if ACLs are improper, or through improper CP controls. Use proper ACLs for local accounts. There is no way to prevent CP access; a risk assessment should be performed.
  • Can someone:
    View or modify it? Yes: memory is in the clear. You need to protect running memory from the instance, and you need to trust the CP.
    Deny it? No, not the data specifically. Someone can affect the instance, but it is really not practical to affect data in memory without affecting the stability of the running instance.
  • The questions are discussed in more detail in the next 2 slides
  • Trusted images: Windows with critical/recommended patches installed up to the image creation date.
    Known configurations: ServerTemplates.
    Trusted software repositories: frozen repositories.
    Script the install and config: RightScripts.
  • Credentials are passed as launch parameters in a secure manner (usually SSL) to the cloud controller/provider
  • How: the same mechanism as in your enterprise. RightScale can be used to automate/orchestrate where needed, but it does not do the patching.
    Windows: Windows Update, SUS, SCOM agent, etc. Think about application patching.
    Linux: unfreeze repositories, OR a RightScript that updates the repository to the latest tested version. The latter probably works better with a Change Control Process.
  • RightScale is using:
    Option: unfreeze the security repo, apply daily updates, and use "apt-pinning" so that nothing but security updates is applied.
    Collectd plugin to show current vulns.
    Unattended upgrade: will not apply kernel patches that require a reboot.
  • Add (apt preferences):

      Package: *
      Pin: release a=lucid-security
      Pin-Priority: 500

      Package: *
      Pin: release o=Ubuntu
      Pin-Priority: 50

    Why (and how) this works: the preferences file pins all packages from the Ubuntu distribution to priority 50, which makes them less desirable than already installed packages. Files originating from the security repository are given the default (500) priority, so they are considered for installation. This means that the only packages considered more desirable than the currently installed ones are security updates. More information about pinning is in the apt_preferences man page.
    You can temporarily promote a certain distribution for updates with the --target-release option, which works with apt-get and aptitude (at least); it lets you pin certain releases so that they are eligible for upgrade.
    If you wish to use this for scripts only and not make it the default for the system, you can place the rules in some other location and use this instead:

      apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade

    This makes apt look for the preferences file in a non-default location.
    The preferences file given as an example doesn't apply to third-party repositories; if you wish to pin those too, you can use apt-cache policy to easily determine the required keys for pinning.
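As an added illustration (not from the slides or from RightScale), the following Python simulates the apt_preferences priority bands for the two pins above, using a simplified version ordering and constructed package states, so you can see why only security updates replace installed packages:

```python
from dataclasses import dataclass
from typing import Optional

# Pin priorities taken from the preferences file above: the security archive
# keeps the default 500, everything else from Ubuntu is pinned down to 50.
PIN_PRIORITIES = {"lucid-security": 500}
UBUNTU_DEFAULT = 50

@dataclass
class Candidate:
    version: str
    archive: str  # the 'a=' release name, e.g. lucid-security or lucid-updates

def vkey(version: str) -> tuple:
    # Simplified ordering ("1.0.0-3" -> (1, 0, 0, 3)); real apt uses dpkg rules.
    return tuple(int(x) for x in version.replace("-", ".").split("."))

def priority(c: Candidate) -> int:
    return PIN_PRIORITIES.get(c.archive, UBUNTU_DEFAULT)

def choose(installed: Optional[str], candidates: list) -> Optional[str]:
    """Return the version apt ends up with: the installed one or a candidate.
    apt picks the candidate with the highest pin priority (ties broken by
    version), then applies the apt_preferences band rules against the
    installed version. Only the bands this policy uses (50 and 500) matter."""
    if not candidates:
        return installed
    best = max(candidates, key=lambda c: (priority(c), vkey(c.version)))
    p = priority(best)
    if installed is None:
        return best.version if p > 0 else None  # fresh install allowed for P > 0
    if p >= 1000:
        return best.version                    # P >= 1000 may even downgrade
    if p >= 100:
        return best.version if vkey(best.version) > vkey(installed) else installed
    return installed                           # 1 <= P < 100 never replaces installed

def demo() -> dict:
    return {  # constructed package states exercising the policy
        # newer build in lucid-updates (50) loses to the security fix (500)
        "openssl": choose("1.0.0-1", [Candidate("1.0.0-4", "lucid-updates"),
                                      Candidate("1.0.0-3", "lucid-security")]),
        # only a lucid-updates candidate: the installed version is kept
        "vim": choose("2.0", [Candidate("2.1", "lucid-updates")]),
        # not installed yet: priority 50 still permits a fresh install
        "newtool": choose(None, [Candidate("1.0", "lucid")]),
        # security archive offers an older build than installed: no change
        "bash": choose("4.1-3", [Candidate("4.1-2", "lucid-security")]),
    }
```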
  • Got it.. added another sed line to match /archive/ and change to /archive/latest. 20111013 could just as easily be added I guess..

      # CHANGE /MAJOR.MINOR FORMAT REPO URLS TO /MAJOR FORMAT, TO ALLOW ACCESS TO THE LATEST SECURITY UPDATES.
      # The dot is escaped and the minor version may have several digits, so 5.10 is rewritten correctly too.
      sed -ri 's%centos/5\.[0-9]+%centos/5%' /etc/yum.repos.d/CentOS-*.repo