Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Rebuilding for the cloud - How Cloud Architeture Can Improve Application Security


Published on

Talk I gave at OWASP San Francisco 3/14/2012

Published in: Technology
  • Be the first to comment

Rebuilding for the cloud - How Cloud Architeture Can Improve Application Security

  2. 2. INTRO
  3. 3. AGENDADefinitions (brief, I promise)Cloud BenefitsCloud Security ConceptsMoving applications to the cloud, wrong wayMoving applications to the cloud, right wayPlease do ask questions!
  4. 4. CLOUD [kloud]nounNIST Definition (AKA SP800-145) • On demand, self-service • Broad network access • Resource pooling • Rapid elasticity • Measured (read: billable) service
  5. 5. INFORMATION SECURITY[in-fer-mey-shuhn si-kyoor-i-tee]nounProtecting information and information systems fromunauthorized access, use, disclosure, disruption,modification, perusal, inspection, recording or destruction.See Also: Job Security
  6. 6. Artist: Tyler, 11. Dortmund, Germany
  7. 7. CLOUD BENEFITSMain benefit: FlexibilityPossible benefit: Cost savings
  8. 8. CLOUD SECURITYCLIFF NOTES• Trust nobody• Encrypt everything• Expect service issues
  10. 10. FORKLIFTING…“Datacenter” application to the cloud:• Can’t trust what you used to• Datacenter apps usually not flexible• Confidentiality, Integrity, Availability all handled differently
  12. 12. HOW ABOUT PAAS?
  13. 13. LEVERAGING CLOUDARCHITECTUREHow can we (gently) re-architect to take advantage of thecloud?• Network• Web server• Application Server• Database server• Don’t forget audit/forensics!
  14. 14. NETWORKGood: Limit by IPBetter: Allow administration viaVPN onlyBest: Admin interface on separatehost, VPN only Artist: Jonathan, Age 7 Heidelberg, Germany
  15. 15. WEB/APP SERVERGood: Load balancing, “Basic” hardening (IP ACLs, onlyaccept GET/POST, server tuned for large loads). SSL’s cheapnowadaysBetter: Build Web Application Firewalls and reverse cachesinto your IaaS (mod_security’s free)Best: Use 3rd party services to handle load and minimizesecurity issues (CDNs like Akamai, Cloudflare)Required: Input filtering, output encoding.
  16. 16. DATASTOREGood: Place DBs on separate host from application.Better: Place DBs in separate datacenters, and replicateBest: Migrate to a “NOSQL” datastore (Cassandra, MongoDB,ElasticSearch)Required: Encrypt data-at-rest
  17. 17. NOSQL SECURITY?• Many NOSQL systems turn off even authentication• Data labeling or granular access needs to be handled in application. Artist: Luca, Italy
  18. 18. INTER-PROCESSCOMMUNICATION Good: Whatever you’ve dreamt up, (cloud bullhorn?) at least encrypt it. Better: Use open protocols for communication between nodes. Make sure encryption is enabled! Best: Consider using message queues. Required, in case you missed it: encryption.
  19. 19. LOGGING & FORENSICSWhat happens to logs when our scalable architecture…scales down?Cloud really really requires centralized logging, monitoring,and management.Also, consider erase vs. overwrite
  20. 20. WHAT HAVE WEBUILT?• Scalable solution• No single point of failure• Healthy caution of all those around us (filtering/encoding)• Data stored and transmitted safely• And a nice set of audit logs for when Bad Things happen
  21. 21. LEARN MORECloud Security AllianceOWASP Cloud top 10
  22. 22. THANKS ANDCONTACT INFO“Bad People” drawings from http://badpeopleproject.orgFollow me on twitter: @johnlkinsella