
ASFWS 2013 - Security and extending your infrastructure to the cloud: lessons learned, by Christophe Sahut


Against the backdrop of the PRISM affair, putting the words "security" and "cloud" together may seem bold at first sight; we will see why it is not necessarily so. This talk presents the concrete lessons learned by a large enterprise from integrating cloud infrastructures (IaaS, PaaS and SaaS) into an existing architecture, together with the security mechanisms it is wise to use. At a technical level we will cover topics such as datacenter interconnection, Virtual Private Clouds, strong authentication, segmentation, perimeter defence and identity federation.



  1. Security and cloud migration
     Christophe Sahut, Corporate Infrastructure Architect / SGS
     Application Security Forum - Western Switzerland 2013, 15-16 October 2013, Y-Parc / Yverdon-les-Bains
  2. SGS in a few words
  3. Agenda
     - SaaS experience
     - IaaS experience
  4. Reminder: your (security) responsibility
     The same stack is drawn for IaaS, PaaS and SaaS: Application, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking. Which of these layers remain your responsibility depends on the service model.
  5. SaaS experience
  6. Use case
     - Application fulfilling (most?) business needs
     - Price per user per month (OPEX)
     - Side effect of ignoring this: shadow IT
     - Hopefully, ...
  7. ... there are authentication requirements
  8. Solution: SAML 2.0
     - In two words:
       - An Identity Provider on premise acts as a web proxy to the authentication source (AD, LDAP, SQL, ...)
       - It generates and signs authentication tokens
       - It sends them (through the user's browser) to the SaaS service to prove the user has been authenticated
       - You're logged in
     - Enables Single Sign-On with SaaS services
  9. Nice solution, but...
     - Tricky to set up in multi-forest AD environments
     - Not always easy to configure, depending on the SP
     - Must be highly available
  10. And what about (de)provisioning?
     - Provisioning can be done on the fly following authentication (and authorization)
       - Works fine, but de-provisioning is still a challenge
       - Reminder: you pay per user
     - Resource (user, group, ...) CRUD via web services is not widely deployed yet
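The SAML flow of slide 8 and the just-in-time provisioning of slide 10, as an added example that is not part of the deck and not Christophe Sahut's code. It is a toy model with deliberate simplifications, all of them assumptions of this example: the assertion is a dict rather than XML, the IdP "signature" is an HMAC over its canonical JSON with a key shared at federation time (standing in for XML-DSig with the IdP certificate), the authentication source is an in-memory dict standing in for AD/LDAP, and the entity IDs, user and key are constructed values. What it shows is the SP-side trust decision (signature, issuer, audience, validity window, replay) and why de-provisioning is the hard part once accounts are created on first login.

```python
"""
Toy SAML 2.0 flow: on-premise IdP issues signed assertions, SaaS SP validates
them and provisions users on first login. Added example, not the talk's code.
"""
import hashlib
import hmac
import json
import secrets
import time

DIRECTORY = {  # constructed stand-in for AD/LDAP (a demo; never store passwords like this)
    "alice": {"password": "correct horse", "email": "alice@example.com",
              "name": "Alice", "groups": ["staff"]},
}
IDP_KEY = b"key-exchanged-in-federation-metadata"  # assumption: shared out of band
IDP_ID = "https://idp.example.com"                  # constructed entity IDs
SP_ID = "https://saas.example.net"


def _canonical(body):
    """Deterministic serialisation so IdP and SP sign/verify the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(key, body):
    # HMAC stands in for XML-DSig over the IdP's RSA key (assumption of this demo)
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


class IdentityProvider:
    """On-premise IdP: proxies authentication, mints and signs assertions."""

    def __init__(self, entity_id, key, directory):
        self.entity_id, self._key, self._directory = entity_id, key, directory

    def authenticate(self, username, password):
        rec = self._directory.get(username)
        if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
            return None
        return rec

    def issue_assertion(self, username, password, audience, ttl=300, now=None):
        rec = self.authenticate(username, password)
        if rec is None:
            return None
        now = int(time.time()) if now is None else now
        body = {
            "ID": "_" + secrets.token_hex(16),   # unique per assertion, used for replay detection
            "Issuer": self.entity_id,
            "Audience": audience,                # the SP this assertion is meant for
            "NameID": rec["email"],
            "NotBefore": now - 60,               # small clock-skew tolerance
            "NotOnOrAfter": now + ttl,
            "Attributes": {"groups": rec["groups"], "displayName": rec["name"]},
        }
        return {"body": body, "Signature": _sign(self._key, body)}


class ServiceProvider:
    """The SaaS side: trusts exactly one IdP, provisions users on first login."""

    def __init__(self, entity_id, trusted_issuer, idp_key):
        self.entity_id, self._issuer, self._idp_key = entity_id, trusted_issuer, idp_key
        self.users = {}          # JIT-provisioned accounts; remember: you pay per user
        self._seen_ids = set()   # assertion IDs already consumed

    def consume(self, assertion, now=None):
        """Validate an assertion; return (ok, NameID) or (False, reason)."""
        now = int(time.time()) if now is None else now
        body = assertion["body"]
        if not hmac.compare_digest(_sign(self._idp_key, body), assertion["Signature"]):
            return False, "bad signature"
        if body["Issuer"] != self._issuer:
            return False, "untrusted issuer"
        if body["Audience"] != self.entity_id:
            return False, "wrong audience"
        if not body["NotBefore"] <= now < body["NotOnOrAfter"]:
            return False, "expired or not yet valid"
        if body["ID"] in self._seen_ids:
            return False, "replayed assertion"
        self._seen_ids.add(body["ID"])
        user = self.users.setdefault(body["NameID"], {"created": now})
        user["groups"] = list(body["Attributes"]["groups"])  # authorization from IdP attributes
        user["last_login"] = now
        return True, body["NameID"]

    def stale_accounts(self, now, max_idle):
        """De-provisioning helper: accounts idle for more than max_idle seconds."""
        return sorted(u for u, r in self.users.items() if now - r["last_login"] > max_idle)


def build():
    return (IdentityProvider(IDP_ID, IDP_KEY, DIRECTORY),
            ServiceProvider(SP_ID, IDP_ID, IDP_KEY))


if __name__ == "__main__":
    idp, sp = build()
    a = idp.issue_assertion("alice", "correct horse", SP_ID)
    print(sp.consume(a))   # (True, 'alice@example.com')
    print(sp.consume(a))   # (False, 'replayed assertion')
```

The order of checks matters: signature first, so that nothing in an unauthenticated body is trusted before it is verified; audience next, so that an assertion minted for one SP cannot be replayed at another; and the assertion ID is only recorded after every other check has passed. Real deployments additionally validate the XML signature against the IdP certificate from federation metadata and pin the assertion to the SAML request it answers (InResponseTo).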
  11. Other concerns
     - Data is by definition fully readable by the SaaS provider
       - Profiling (or worse): "used for statistics and UX"
       - Contracts say the provider will not, if you ask them not to (and if they say so, it must be true...)
     - Data is (sometimes) encrypted on disk, but the SaaS provider manages the portal used to access it (...)
  12. IaaS experience
  13. Example: AWS
  14. Connect to the management console
  15. Then
     - Create Virtual Private Clouds (VPC)
       - Network, route tables, gateways
       - Virtual machines
       - Load balancers
       - Storage, snapshots
       - Managed databases
       - ...
     - In a given location
  16. Example. Source:
  17. Use segmentation/filtering
     - Network ACLs
     - Security groups
     - (OS firewalls)
     - (3rd-party network firewalls)
  18. VPC created. And then?
     Decide how to integrate it into the existing infrastructure:
     1) Keep it external: a completely separate infrastructure
     2) Link it to datacenters / WAN: consider the VPC as a new site on the WAN
  19. 1) Keep it external
     Diagram labels: Internet, Load balancer, Corporate Data center, Bastion, Web Servers, Database
  20. - Use bastion hosts
       - RDP/SSH from known IPs, strong authentication, logging/auditing
     - VPC entry point opened only for the service provided
  21. 2) Link it to datacenters / WAN
     Diagram labels: VPN, Load balancer, Corporate Data center, Bastion, Web Servers, Database
  22. - Use a VPN (or leased line)
       - Decide whether you want a public or private VPC: one more Internet access vs a private datacenter extension
       - Be careful with the network range and routing: the VPC becomes part of the WAN
       - AWS has a wizard to set up a dual VPN to the on-premise VPN concentrator
       - Set up firewall rules on both sides (drop all, then think)
  23. What we did on IaaS
     - VPCs in different locations, VPNs
       - SAML tests (WIF, mod_mellon, ...)
       - New versions of software on isolated networks
     - S3, load balancing, managed databases, DNS zone delegation, CDN, data warehouse, PaaS, ...
     - More and more providers come with an AWS backend, and we can evaluate what they do
  24. Example of IaaS security benefit
     - Launch/rebuild infrastructures in minutes
       - With code like this:
     - Configure networks, VPN and security groups this way; create instances, fetch data from a Git repository, configure load balancers, ...
  25. Code the infrastructure
     - With specific cloud tools: CloudFormation in AWS
     - With scripting and CLI tools: Bash, PowerShell, ...
     - With SDKs (.NET, Java, ...), cloud API libraries (libcloud, ...), abstraction tools (RightScale, ...), ...
     - And versioning!
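The "keep it external" layout of slides 17 to 22, written as infrastructure code in the spirit of slide 25, as an added example that is not from the talk. It builds a CloudFormation template in Python (VPC, two subnets, and security groups for load balancer, bastion, web tier and database) and then lints the ingress rules against the rules stated on the slides: the only Internet-facing entry point is the load balancer on the service port, RDP/SSH reaches the VPC only from known IPs through the bastion, and everything else is group-to-group. The CloudFormation resource types and properties are real; the CIDRs, the corporate egress range, the database port and the logical resource names are constructed assumptions, and nothing here calls AWS, so it runs offline.

```python
"""
Build an externally-facing VPC as a CloudFormation template and lint its
security groups. Added example, not the talk's code.
Usage: write to_json(build_template()) to vpc.json, then
  aws cloudformation create-stack --stack-name ext-web --template-body file://vpc.json
"""
import json

VPC_CIDR = "10.42.0.0/16"              # constructed
KNOWN_ADMIN_IPS = ["203.0.113.0/24"]   # constructed: corporate egress range (TEST-NET-3)
ANYWHERE = "0.0.0.0/0"
PUBLIC_ENTRY = "LbSg"                  # the only group allowed to face the Internet
PUBLIC_PORTS = {443}                   # the service actually provided
ADMIN_PORTS = {22, 3389}               # SSH / RDP
BASTION = "BastionSg"


def from_cidr(cidr, port, proto="tcp"):
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port, "CidrIp": cidr}


def from_group(group, port, proto="tcp"):
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "SourceSecurityGroupId": {"Ref": group}}


def security_group(description, ingress):
    """Security groups deny by default: only the listed ingress is allowed."""
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": description,
                           "VpcId": {"Ref": "Vpc"},
                           "SecurityGroupIngress": ingress}}


def build_template():
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "External VPC: Internet -> LB -> web -> db, bastion for admins",
        "Resources": {
            "Vpc": {"Type": "AWS::EC2::VPC",
                    "Properties": {"CidrBlock": VPC_CIDR,
                                   "EnableDnsSupport": True, "EnableDnsHostnames": True}},
            "PublicSubnet": {"Type": "AWS::EC2::Subnet",
                             "Properties": {"VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.42.0.0/24"}},
            "PrivateSubnet": {"Type": "AWS::EC2::Subnet",
                              "Properties": {"VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.42.1.0/24"}},
            PUBLIC_ENTRY: security_group("Public entry point: HTTPS only",
                                         [from_cidr(ANYWHERE, 443)]),
            BASTION: security_group("Bastion: SSH from known corporate IPs only",
                                    [from_cidr(ip, 22) for ip in KNOWN_ADMIN_IPS]),
            "WebSg": security_group("Web servers: traffic from the LB, admin from the bastion",
                                    [from_group(PUBLIC_ENTRY, 443), from_group(BASTION, 22)]),
            "DbSg": security_group("Database: from the web tier, admin from the bastion",
                                   [from_group("WebSg", 5432), from_group(BASTION, 22)]),
        },
    }


def lint(template):
    """Return one finding per ingress rule that breaks the slides' rules."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            ports = set(range(rule["FromPort"], rule["ToPort"] + 1))
            cidr = rule.get("CidrIp")
            src_group = rule.get("SourceSecurityGroupId", {}).get("Ref")
            if cidr == ANYWHERE and (name != PUBLIC_ENTRY or not ports <= PUBLIC_PORTS):
                findings.append(f"{name}: open to the Internet on {sorted(ports)}")
            elif cidr and ports & ADMIN_PORTS and cidr not in KNOWN_ADMIN_IPS:
                findings.append(f"{name}: admin port reachable from {cidr}")
            elif src_group and ports & ADMIN_PORTS and src_group != BASTION:
                findings.append(f"{name}: admin port reachable from group {src_group}")
    return findings


def to_json(template):
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    t = build_template()
    print(lint(t) or "no findings")
    print(to_json(t))
```

Because the template is generated and linted by code, the check runs in version control before any stack is created, which is the point of slides 24 and 25: the rebuilt clone is exactly as filtered as the original. Security groups are stateful and default-deny on ingress; the network ACLs of slide 17 are the stateless second layer and are not modelled here.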
  26. Example use case
     - Defacement/intrusion on an IaaS-based website
       - Fire up a new infrastructure clone
       - Enable verbose logging
       - Redirect traffic (via DNS, load balancers, ...) to the new infrastructure
       - Identify the attack, implement protection/blackhole
       - Isolate the hacked infrastructure
       - Run forensic analysis
       - Get a coffee
  27. Questions?
  28. Merci/Thank you! Contact: @csahut Slides: