Securing Servers in Public and Hybrid Clouds

Like this? Share it with your network

Share

Securing Servers in Public and Hybrid Clouds

  • 1,594 views
Uploaded on

RightScale Webinar: Security and compliance remain major challenges to adoption of public cloud infrastructure hosting. Technical differences in public cloud environments render many established......

RightScale Webinar: Security and compliance remain major challenges to adoption of public cloud infrastructure hosting. Technical differences in public cloud environments render many established security models and controls inoperable. Understanding these differences and the options available to you are key to running a secure cloud environment.

Join Carson Sweet, co-founder and CEO of CloudPassage and Uri Budnik, Director, ISV Partner Program of RightScale for a free webinar where industry experts discuss why security and compliance are different in the cloud, outline a model for securing cloud-based hosting environments, and explain best practices for implementing a secure cloud infrastructure.

We will discuss:

- What's different about security in the cloud
- Shared responsibility
- Architectural challenges
- Key features to secure your cloud servers
- Secure deployment via RightScripts

Don't miss out on this opportunity to find out about all you need to secure your cloud servers!

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,594
On Slideshare
1,594
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
32
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • y
  • y
  • y
  • y
  • y
  • Poor application security leading to Injection SQL injection was one of the top exploit in the Verizon Data Breach Report Poor system configurations, leading to system compromised Note the recent Windows RDP “exploit”. RDP left open, with Administrator having a well known password. Poor application configuration leading to application compromise Browsers that run scripts automatically Poor user habits leading to compromised credentials, that are then used to access data Users who click on attachments. Zeus bot, FakeAV, etc.
  • Considerations TCP/UDP paths are not guaranteed! From source to destination (initial loads or updates) Across public networks or private? Once in the “cloud” Within Cloud Provider (CP) network where data is stored Crossing CP network where data is stored Within the hypervisor Can someone: View or Modify it? Yes: Unencrypted, encrypted w/keys So encrypt it , and protect the keys Deny it? Yes: packet manipulation No way to prevent. Can use reliable transports and dedicated connections
  • Can someone: View or Modify it? Yes: Unencrypted, encrypted w/keys So encrypt it , and protect the keys Deny it? Yes: local system access if improper ACL. Improper CP controls Proper ACL for local accounts. No way to prevent CP access. Risk assessment should be performed.
  • Can someone: View or Modify it? Yes: Memory is clear Need to protect running memory from the Instance Need to trust the CP Deny it? No: Not specifically data. Can affect the instance, but really not practical to affect data in memory without affecting running instance stability
  • Trusted Images Windows w/ critical/recommend patch installed to image creation date  Known configurations ServerTemplates Trusted software repositories Frozen repositories Script the install and config RightScripts
  • How Same mechanism as in your enterprise  RightScale can be used to automate/orchestrate where needed, but does not do the patching Windows: Windows Update, SUS, SCOM agent, etc. Think about application patching Linux: Unfreeze repositories OR RightScript to update repository to latest tested Latter probably works better with Change Control Process

Transcript

  • 1. Securing Servers in Public and Hybrid Clouds
    • Leveraging RightScale and CloudPassage
    • Dec 15, 2011
    Watch the video of this webinar
  • 2. Your Panel Today
    • Host
    • Phil Cox , Director, Security and Compliance, RightScale @sec_prof
    • Presenting
    • Uri Budnik , Director, ISV Partner Program, RightScale. @uribudnik
    • Carson Sweet , CEO of CloudPassage. @carsonsweet
    • Q&A
    • Will Eschen , Account Executive, RightScale
    • Please use the “Questions” window to ask questions any time!
  • 3. Agenda
    • Introduction
    • Security and Compliance in the Cloud – How are they Different?
    • Model for Securing Cloud-based Hosting Environments
    • Demo Deployment of Integrated Solution
    • Q&A
  • 4. CloudPassage Background Select Customers Recent Awards
      • Production users since July 2010
      • Publicly accessible since Jan 2011
      • Commercial release Oct 2011
      • Halo TM Solution
      • 132 customers
      • 2,154 servers secured
      • 1,273,986 scans completed
    Early Adoption Founded January 2010 Team of 27 security specialists Backed by Benchmark Capital Company Background
  • 5.  
  • 6.  
  • 7.  
  • 8. Cloud Changes the Balance
    • Servers used to be highly isolated
      • Bad guys clearly on the outside
      • Layers of perimeter security
      • Poor configurations were tolerable
    private datacenter public cloud www-1 www-2 www-3 www-4
  • 9. Cloud Changes the Balance
    • Servers used to be highly isolated
      • Bad guys clearly on the outside
      • Layers of perimeter security
      • Poor configurations were tolerable
    • Cloud servers more exposed
      • Outside of perimeter protections
      • Little network control or visibility
      • No idea who’s next door
    private datacenter public cloud www-1 www-2 www-3 www-4
  • 10. Cloud Changes the Balance
    • Servers used to be highly isolated
      • Bad guys clearly on the outside
      • Layers of perimeter security
      • Poor configurations were tolerable
    • Cloud servers more exposed
      • Outside of perimeter protections
      • Little network control or visibility
      • No idea who’s next door
    • Sprawling, multiplying exposures
      • Rapidly growing attack surface area
      • More servers = more vulnerabilities
      • More servers ≠ more people
    private datacenter public cloud www-1 www-2 www-3 www-7 www-4 www-8 www-5 www-9 www-6 www-10
  • 11. Cloud Changes the Balance
    • Servers used to be highly isolated
      • Bad guys clearly on the outside
      • Layers of perimeter security
      • Poor configurations were tolerable
    • Cloud servers more exposed
      • Outside of perimeter protections
      • Little network control or visibility
      • No idea who’s next door
    • Sprawling, multiplying exposures
      • Rapidly growing attack surface area
      • More servers = more vulnerabilities
      • More servers ≠ more people
    • Fraudsters target cloud servers
      • Softer targets to penetrate
      • No perimeter defenses to thwart
      • Elasticity = more botnet to sell
    private datacenter public cloud www-1 www-2 www-3 www-7 www-4 www-8 www-5 www-9 www-6 www-10
  • 12. Your Servers… Your Responsibility Direct from Amazon AWS Customer Responsibility Provider Responsibility “… the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...” “ it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.” Amazon Web Services: Overview of Security Processes (2011) Physical Facilities Hypervisor Compute & Storage Shared Network Virtual Machine Data App Code App Framework Operating System
  • 13. CloudPassage Halo was purpose-built to actively protect servers in any cloud. RightScale can ensure secure server configurations across multiple clouds .
  • 14. Halo GhostPorts two-factor access control Halo REST API for integration & automation Halo is a security Software-as-a-Service providing all you need to secure your cloud servers . Halo TM Functional Capabilities Dynamic network access control Configuration and package security Server account visibility & control Server compromise & intrusion alerting
  • 15. Compute Grid User Portal https RESTful API Gateway https CloudPassage Halo Halo Daemon Policies, Commands, Reports www-1 Halo www-1
  • 16. Compute Grid User Portal https RESTful API Gateway https CloudPassage Halo Policies, Commands, Reports www-1 Halo Policies & Commands www-1
  • 17. Compute Grid User Portal https RESTful API Gateway https CloudPassage Halo Policies, Commands, Reports www-1 Results & Updates Halo www-1
  • 18. Compute Grid User Portal https RESTful API Gateway https CloudPassage Halo Policies, Commands, Reports www-1 Halo www-1 State and Event Analysis
  • 19. Compute Grid User Portal https RESTful API Gateway https CloudPassage Halo Policies, Commands, Reports www-1 Halo Alerts, Reports and Trending www-1
  • 20. 100% Multi-Cloud Capable
    • Single pane of glass across hosting models
      • Scales and bursts with dynamic cloud environments
      • Not dependant on chokepoints, static networks or fixed IPs
      • Agnostic to cloud provider, hypervisor or hardware
  • 21. Features & Pricing Dynamic network access control ✔ ✔ Server compromise & intrusion alerting ✔ ✔ Configuration and software security ✔ ✔ Server account visibility & control ✔ ✔ REST API access ✔ GhostPorts multi-factor authentication ✔ Data storage One day Two years Maximum scanning frequency Daily Hourly Servers protected Up to 25 Unlimited FREE $0.10/hour
  • 22. Getting Started
    • Register and setup Halo
      • Up to 25 servers are free
      • Evaluation keys are available to unlock pro features
    • Optimize your Halo configuration
      • Set up some server groups & a firewall policy
      • Explore base policies provided by CloudPassage
      • Get answers and tips at community.cloudpassage.com
    • Deploy Halo via RightScript
      • Ensures consistent deployment of Halo across all servers
      • Offers additional visibility and remediation alternatives
  • 23. RightScale Integration
    • Installation of Halo via RightScript
    • Load your Halo API key into RightScale as a credential
    • Add the CloudPassage Halo RightScript to your server templates
    • All launched servers will automatically have CloudPassage Halo activated
    • Easy, consistent security!
  • 24. RightScale Real Customers, Real Deployments, Real Benefits
    • Managed Cloud Deployments for 4 Years — globally
    • More than 45,000 users; launched more than 3MM servers!
    • Powering the largest production deployments on the cloud
  • 25. What do we Mean by Cloud Computing? RightScale
  • 26. RightScale Manages IaaS Clouds RightScale
  • 27. Complete Systems Management
  • 28.
    • Dynamic configuration
    • Abstract role and behavior from cloud infrastructure
    • Predictable deployment
    • Cloud agnostic / portable
    • Object-oriented programming for sysadmins
    ServerTemplates
  • 29. Parenthesis : What are ServerTemplates? Custom MySQL 5.0.24 (CentOS 5.2) Custom MySQL 5.0.24 (CentOS 5.4) MySQL 5.0.36 (CentOS 5.4) MySQL 5.0.36 (Ubuntu 8.10) MySQL 5.0.36 (Ubuntu 8.10) 64bit Frontend Apache 1.3 (Ubuntu 8.10) Frontend Apache 2.0 (Ubuntu 9.10) - patched CMS v1.0 (CentOS 5.4) CMS v1.1 (CentOS 5.4) My ASP appserver (windows 2008) My ASP.net (windows 2008) – security update 1 My ASP.net (windows 2008) – security update 8 SharePoint v4 (windows 2003) – 32bit SharePoint v4 (windows 2003) –64bit SharePoint v4.5 (windows 2003) –64bit … Configuring servers through bundling Images: A set of configuration directives that will install and configure software on top of the base image Configuring servers with ServerTemplates: CentOS 5.2 CentOS 5.4 Ubuntu 8.10 Ubuntu 9.10 Win 2003 Win 2007 Base Image Very few and basic
  • 30.
    • Integrated approach that puts together all the parts needed to architect single & multi-server deployments
    ServerTemplates VS.
  • 31. CloudPassage / RightScale Integration Demo
  • 32. Find Out More
    • Web Resources:
      • RightScale.com/partners/isv/CloudPassage.php
      • Right Scale.com/webinars
      • Right Scale.com/whitepapers
      • Community.CloudPassage.com
    • Blogs:
      • Blog.RightScale.com
    • Follow us on Twitter
      • @secprof
      • @uribudnik
      • @carsonsweet
      • @cloudpassage
      • @rightscale
  • 33. Thank you!!!
    • Contact Information
    • CloudPassage Team
      • info@ cloudpassage.com
      • [email_address]
      • (415) 886-3020
    • RightScale
      • [email_address]
      • (866) 720-0208
      • phil @rightscale.com
  • 34. Additional Slides
  • 35. Data Security
    • We will cover …
    • Common data exposure vectors
    • Security benefits of centralized management
    • Unique security needs associated with hybrid and cross-cloud environments
  • 36. Biggest real risks to data in the cloud?
    • The same things as when your data were not in the cloud.
      • Poor application security leading to Injection
      • Poor system configurations, leading to system compromised
      • Poor application configuration leading to application compromise
      • Poor user habits leading to compromised credentials, that are then used to access data
  • 37. Common data exposure vectors in the cloud Data is typically exposed in the following three states: In Process At Rest In Transit
  • 38. We must protect data “In Transit”
    • Why?
      • You do not want the bad guys to see or modify your data
      • You can ’t guarantee the path your data will take
      • You may have regulatory or contractual requirements to do so
    • Risk
      • Sniffing along the path
      • Modification of existing data
      • Injection of new data
    • Common Solutions
      • Application Transport (SSL & TLS)
      • VPN (SSL, IPSEC, PPTP, L2TP)
      • App level data encryption (custom)
    Map of Internet Traffic
  • 39. We must protect data “At Rest”
    • Why? Same as previous: You do not want unauthorized
      • Disclosure
      • Modification
      • Injection
    • Risks
      • Intrusion into Instance/Guest exposes data on its filesystem
      • Cloud provider access to ephemeral storage (e.g., EBS, SWIFT)
      • Cloud provider access to other storage options (e.g., S3, CloudFiles)
    • Common Solutions
      • Protection offered by running operating system (Access Control Lists)
      • *Encryption (and Key Management)*
      • SLA and Policies/Processes of the Cloud provider
  • 40. We must protect data while “In Process”
    • Why? Same as previous: You do not want unauthorized
      • Disclosure
      • Modification
      • Injection
    • Risk
      • Data is in clear in the memory of the Instance
      • Privileged users on a system can read memory
      • Hypervisor has access to instance memory
    • Common Solutions
      • Protect the system that is processing
      • Protect the hypervisor running the Instance
      • Limit administrative users
  • 41. Where RightScale shines
    • RightScale can be used to ensure that poor system and application configurations are not what cause you to lose your data
    • Use RightScale to:
      • Require data to be transmitted securely
      • Require data be stored securely
      • Ensure systems are appropriately patched and configured to minimize exposures
    • The core technologies are
      • RightImages
      • ServerTemplates
      • RightScripts
      • Repo’s and Mirrors
    • Security Motto: “Build it secure, keep it secure!”
  • 42. Build it Secure
      • Known
      • Configurations
      • Start with
      • Multi-Cloud
      • Images
      • Build with
      • ServerTemplates
      • Modify with
      • RightScripts
      • Build from
      • Frozen Repos
    What How
      • Use Trusted Images
      • Script the install
      • and configuration
    Trusted Repository
  • 43. Keep it Secure
    • What
      • Update the Operating System
      • Update the applications
      • Validate the configuration
    • How
      • You can use the same mechanism as in your enterprise
        • *OR*
      •  Use operational RightScripts to do it for you
        • *OR*
      • Use a partner ISV that specializes in that service
  • 44. Hybrid/cross cloud security concerns
    • Cloud functionality differences
      • This is the biggest concern in a non-homogeneous environment
      • Security features are different in scope and implementation for basically all different cloud orchestration technologies
      • Identity and Access Management features differ
      • Log levels and information differ
    • Applying consistent builds throughout
      • Think of the term “security group”, then define what that means in all the clouds you will use?
      • How do you manage them consistently?
    • Physical protections will differ from provider to provider
      • You will need to take this into consideration when looking at controls to implement