Security and cloud migration
Christophe Sahut
Corporate Infrastructure Architect / SGS

Application Security Forum - 2013

ASFWS 2013 - Security and extending infrastructure to the cloud: lessons learned, by Christophe Sahut

Against the backdrop of the PRISM affair, putting the words "security" and "cloud" side by side may at first seem bold; we will see why it is not necessarily so. This talk presents the concrete lessons learned by a large company from integrating cloud infrastructure (IaaS, PaaS and SaaS) into an existing architecture, together with the security mechanisms it is wise to use. Topics covered at a technical level include datacenter interconnection, Virtual Private Clouds, strong authentication, segmentation, perimeter defence and identity federation.

  1. 1. Security and cloud migration Christophe Sahut Corporate Infrastructure Architect / SGS Application Security Forum - 2013 Western Switzerland 15-16 octobre 2013 - Y-Parc / Yverdon-les-Bains http://www.appsec-forum.ch
Slide 2: SGS in a few words

Slide 3: Agenda
 SaaS experience
 IaaS experience
Slide 4: Reminder: your (security) responsibility
The slide shows the same layer stack under each delivery model (IaaS, PaaS, SaaS): Application, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking. Which of these layers remain your responsibility depends on the model; they do not all move to the provider.
Slide 5: SaaS experience

Slide 6: Use case
 Application fulfilling (most?) business needs
 Price per user per month – OPEX
 Side effect of ignoring this is shadow IT
 Fortunately, …

Slide 7: … there are authentication requirements

Slide 8: Solution: SAML 2.0
 In two words
– An Identity Provider (IdP) on premise that fronts the authentication source (AD, LDAP, SQL…)
– It generates and signs authentication tokens (assertions)
– It sends them, through the user's browser, to the SaaS service, which checks the signature as proof that the user has been authenticated
– You're logged in
 Enables Single Sign-On with SaaS services

Slide 9: Nice solution but…
 Tricky to set up in multi-forest AD environments
 Not always easy to configure, depending on the Service Provider (SP)
 Must be highly available: if the IdP is down, nobody logs in

Slide 10: And what about (de)provisioning?
 Provisioning can be done on the fly following authentication (and authorization)
– Works fine, but de-provisioning is still a challenge
– Reminder: you pay per user
 Resource (user, group…) CRUD via web services (SCIM) is not widely deployed yet
http://www.simplecloud.info/
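The two halves of slide 10 side by side, as an added example that is not the talk's code: provisioning on the fly once a user has authenticated and is authorized, and de-provisioning driven by the directory rather than by someone remembering to cancel a seat. It assumes SCIM 2.0 (RFC 7643/7644) as the "CRUD via web services" the slide points to through simplecloud.info, SAML attribute names mail, displayName and memberOf, and an entitlement group named saas-app-users; the tenant's user store and the directory contents are constructed sample data.

```python
"""JIT provisioning after a SAML login plus directory-driven de-provisioning
expressed as SCIM 2.0 PATCH requests.  Added example, not the talk's code.
Assumed: SCIM 2.0 URNs, SAML attributes 'mail'/'displayName'/'memberOf',
entitlement group 'saas-app-users'.  All user data is constructed."""
import copy

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
REQUIRED_GROUP = "saas-app-users"  # assumed group granting access to the app

# Constructed: what the SaaS tenant (the SP) currently holds, keyed by SCIM id.
SP_STORE = {
    "u-001": {"schemas": [SCIM_USER], "userName": "alice@example.com",
              "displayName": "Alice", "active": True},
    "u-002": {"schemas": [SCIM_USER], "userName": "bob@example.com",
              "displayName": "Bob", "active": True},
}

# Constructed: the on-premise directory as the IdP exposes it in SAML attribute
# statements.  Bob has left; Carol is new; Dave is a user but not entitled.
DIRECTORY = {
    "alice@example.com": {"mail": "alice@example.com", "displayName": "Alice",
                          "memberOf": ["staff", REQUIRED_GROUP]},
    "carol@example.com": {"mail": "carol@example.com", "displayName": "Carol",
                          "memberOf": [REQUIRED_GROUP]},
    "dave@example.com": {"mail": "dave@example.com", "displayName": "Dave",
                         "memberOf": ["staff"]},
}


def is_entitled(attrs):
    """Authorization step: being authenticated is not enough, the assertion
    must carry membership of the entitlement group."""
    return REQUIRED_GROUP in attrs.get("memberOf", [])


def jit_provision(store, attrs):
    """Provision on the fly after a successful SAML login.

    Returns (record, created).  Raises PermissionError when the user is
    authenticated but not authorized, so no paid seat is created for them."""
    if not is_entitled(attrs):
        raise PermissionError(f"{attrs['mail']} is not in {REQUIRED_GROUP}")
    for rec in store.values():
        if rec["userName"].lower() == attrs["mail"].lower():
            rec["active"] = True  # re-activate a previously deactivated user
            return rec, False
    rec = {"schemas": [SCIM_USER], "userName": attrs["mail"],
           "displayName": attrs.get("displayName", ""), "active": True}
    store[f"u-{len(store) + 1:03d}"] = rec
    return rec, True


def deprovision_patch():
    """Body of 'PATCH /Users/{id}' that deactivates the account.  Deactivating
    instead of deleting keeps the audit trail while freeing the paid seat."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def reconcile(store, directory):
    """De-provisioning: compare the SP store with the authoritative directory and
    return [(scim_id, patch_body)] for active users no longer present or no
    longer entitled."""
    wanted = {m.lower() for m, a in directory.items() if is_entitled(a)}
    return [(uid, deprovision_patch()) for uid, rec in sorted(store.items())
            if rec["active"] and rec["userName"].lower() not in wanted]


def demo():
    """One login round for everyone in the directory, then a reconciliation.
    Returns (userNames created, SCIM ids to deactivate, resulting store)."""
    store = copy.deepcopy(SP_STORE)
    created = []
    for attrs in DIRECTORY.values():
        try:
            rec, new = jit_provision(store, attrs)
        except PermissionError:
            continue  # Dave authenticates at the IdP but gets no account
        if new:
            created.append(rec["userName"])
    to_deactivate = [uid for uid, _ in reconcile(store, DIRECTORY)]
    return created, to_deactivate, store


if __name__ == "__main__":
    created, gone, _ = demo()
    print("created:", created)          # Carol only
    print("deactivate:", gone)          # Bob's seat, u-002
```

Running the reconciliation on a schedule (nightly, or after each HR event) is what turns "you pay per user" into a bounded cost: a seat is released without anyone having to log in to the SaaS console, and because the patch only flips active, a returning user is reactivated by the JIT path instead of being recreated.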
Slide 11: Other concerns
 Data is by definition fully understood by the SaaS provider
– Profiling (or worse): "used for statistics and UX"
– Contracts say the provider will not, if you ask them not to (if they say so, it must be true…)
 Data is (sometimes) encrypted on disk
– But the SaaS provider manages the portal used to access it (…)
Slide 12: IaaS experience

Slide 13: Example: AWS

Slide 14: Connect to the management console

Slide 15: Then
 Create Virtual Private Clouds (VPC)
– Network, route tables, gateways
– Virtual machines
– Load balancers
– Storage, snapshots
– Managed databases
– …
 In a given location

Slide 16: Example
Source: http://aws.amazon.com/articles/9982940049271604

Slide 17: Use segmentation/filtering
 Network ACLs
 Security groups
 (OS firewalls)
 (3rd party network firewalls)

Slide 18: VPC created. And then?
 Decide how to integrate it into the existing infrastructure
1) Keep it external
• Completely separate infrastructure
2) Link it to datacenters / WAN
• Consider the VPC as a new site on the WAN

Slide 19: 1) Keep it external
(Diagram: Internet, load balancer, web servers, database and a bastion inside the VPC; the corporate datacenter stays separate.)

Slide 20:
 Use bastion hosts
– RDP/SSH from known IPs, strong authentication, logging/auditing
 VPC entry point opened only for the service provided

Slide 21: 2) Link it to datacenters / WAN
(Diagram: the corporate datacenter connected by VPN to the VPC's load balancer, bastion, web servers and database.)

Slide 22:
 Use a VPN (or leased line)
– Decide whether you want a public or private VPC: one more Internet access vs. a private datacenter extension
– Be careful with the network range and routing: the VPC becomes part of the WAN
– AWS provides a wizard to set up a dual-tunnel VPN to the on-premise VPN concentrator
– Set up firewall rules on both sides (drop all, then think)

Slide 23: What we did on IaaS
 VPCs in different locations, VPNs
– SAML tests (WIF, mod_mellon, …)
– New versions of software on isolated networks
 S3, load balancing, managed databases, DNS zone delegation, CDN, data warehouse, PaaS …
 More and more providers come with an AWS backend, and we can evaluate what they do

Slide 24: Example of IaaS security benefit
 Launch/rebuild infrastructures in minutes
– With code like this:
 Configure this way networks, VPN, security groups; create instances, fetch data from a Git repository, configure load balancers …

Slide 25: Code the infrastructure
 With specific cloud tools: CloudFormation in AWS
 With scripting with CLI tools: Bash, PowerShell …
 With SDKs (.NET, Java, …), cloud API libraries (libcloud …), abstraction tools (RightScale …) …
 And versioning!
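The "keep it external" design of slides 17 to 22 expressed as code in the sense of slides 24 and 25, as an added example that is not the talk's code (the code sample on slide 24 is not in the transcript). The script builds a CloudFormation template as JSON, one security group per tier of the slide 19 diagram, with every group starting from "drop all" and only the listed flows opened; it then audits the template for the two rules the talk insists on, admin ports (SSH/RDP) reachable only from known IPs via the bastion, and each tier reachable only from the tier in front of it. The admin range 203.0.113.0/24, the VPC CIDR 10.50.0.0/16, PostgreSQL on 5432 and the resource names are assumptions for illustration.

```python
"""CloudFormation template (JSON) for an external VPC: LB -> web -> DB, with a
bastion for admin access, plus an audit of its security groups.  Added example,
not the talk's code.  Assumed: admin range 203.0.113.0/24, VPC 10.50.0.0/16,
HTTPS on 443, PostgreSQL on 5432; all resource names are illustrative."""
import json

ANY = "0.0.0.0/0"
ADMIN_CIDR = "203.0.113.0/24"   # assumed: the known IPs admins connect from
ADMIN_PORTS = {22, 3389}        # SSH and RDP (slide 20)
# The only source each tier's service port may come from (slide 19 diagram).
TIER_CHAIN = {"WebSg": "LbSg", "DbSg": "WebSg"}


def ingress(proto, port, cidr=None, sg=None):
    """One SecurityGroupIngress entry; the source is a CIDR or another group."""
    entry = {"IpProtocol": proto, "FromPort": port, "ToPort": port}
    if cidr is not None:
        entry["CidrIp"] = cidr
    else:
        entry["SourceSecurityGroupId"] = {"Ref": sg}
    return entry


def security_group(description, rules):
    """A group with no rules accepts nothing, so this is 'drop all, then
    think' (slide 22): only the listed flows are opened."""
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": description,
                           "VpcId": {"Ref": "Vpc"},
                           "SecurityGroupIngress": rules}}


def build_template(admin_cidr=ADMIN_CIDR):
    """VPC plus one security group per tier."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "External VPC: LB -> web -> DB, bastion for admin",
        "Resources": {
            "Vpc": {"Type": "AWS::EC2::VPC",
                    "Properties": {"CidrBlock": "10.50.0.0/16"}},
            "LbSg": security_group("Internet-facing load balancer",
                                   [ingress("tcp", 443, cidr=ANY)]),
            "BastionSg": security_group("Admin jump host",
                                        [ingress("tcp", 22, cidr=admin_cidr),
                                         ingress("tcp", 3389, cidr=admin_cidr)]),
            "WebSg": security_group("Web servers",
                                    [ingress("tcp", 443, sg="LbSg"),
                                     ingress("tcp", 22, sg="BastionSg")]),
            "DbSg": security_group("Database",
                                   [ingress("tcp", 5432, sg="WebSg"),
                                    ingress("tcp", 22, sg="BastionSg")]),
        },
    }


def audit(template, admin_cidr=ADMIN_CIDR):
    """Return the list of ingress rules that break slides 20 and 22."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            if rule["IpProtocol"] == "-1":          # "all traffic" rule
                lo, hi = 0, 65535
            admin = any(lo <= p <= hi for p in ADMIN_PORTS)
            cidr = rule.get("CidrIp")
            src_sg = rule.get("SourceSecurityGroupId", {}).get("Ref")
            src = cidr or src_sg
            if cidr == ANY and admin:
                findings.append(f"{name}: admin port reachable from {ANY}")
            if name == "BastionSg" and cidr != admin_cidr:
                findings.append(f"{name}: source {src} is not the admin range")
            if name in TIER_CHAIN and admin and src_sg != "BastionSg":
                findings.append(f"{name}: admin access not via bastion ({src})")
            if name in TIER_CHAIN and not admin and src_sg != TIER_CHAIN[name]:
                findings.append(f"{name}: expected {TIER_CHAIN[name]}, got {src}")
    return findings


def render(template):
    """JSON in the form 'aws cloudformation create-stack --template-body' takes."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    print(render(build_template()))
    print("findings, intended design:", audit(build_template()))
    print("findings, bastion open to the world:", audit(build_template(ANY)))
```

Keeping the template and the audit in the same repository is the "and versioning!" point of slide 25: a change that opens port 22 to 0.0.0.0/0 shows up as a diff and fails the check before the stack is ever launched, and the same template is what slide 24's "rebuild in minutes" relaunches when a clone is needed.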
Slide 26: Example use case
 Defacement/intrusion on an IaaS-based website
– Launch a new infrastructure clone
– Enable verbose logging
– Redirect traffic (via DNS, load balancers …) to the new infrastructure
– Identify the attack, implement protection / blackhole
– Isolate the hacked infrastructure (keep it running and snapshot it; do not terminate it)
– Run forensic analysis
– Get a coffee

Slide 27: Questions?

Slide 28: Merci/Thank you!
Contact: @csahut
Slides: http://slideshare.net/ASF-WS/presentations
