Rebuilding for the cloud - How Cloud Architeture Can Improve Application Security

1,792 views

Published on

Talk I gave at OWASP San Francisco 3/14/2012

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,792
On SlideShare
0
From Embeds
0
Number of Embeds
86
Actions
Shares
0
Downloads
60
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • Service: Infrastructure, Platform, Software as a serviceDeployment: Private, community, public, hybrid
  • So for each one of these things I’ll try to break it down into GOOD – BETTER – BEST.
  • Some of these points fit better for IaaS, this is one of them
  • Load balancing – linux virtual server“best” – I’m expecting/wanting resistance to some of these points – I believe CDN/NoSQL/Message Queues have security value from a scalability POV, but they’re not slam-dunk arguments.
  • RabbitMQ or ActiveMQ
  • Rebuilding for the cloud - How Cloud Architeture Can Improve Application Security

    1. 1. REBUILDING FORTHE CLOUDHOW CLOUD ARCHITECTURE CAN IMPROVEAPPLICATION SECURITY
    2. 2. INTRO
    3. 3. AGENDADefinitions (brief, I promise)Cloud BenefitsCloud Security ConceptsMoving applications to the cloud, wrong wayMoving applications to the cloud, right wayPlease do ask questions!
    4. 4. CLOUD [kloud]nounNIST Definition (AKA SP800-145) • On demand, self-service • Broad network access • Resource pooling • Rapid elasticity • Measured (read: billable) service
    5. 5. INFORMATION SECURITY[in-fer-mey-shuhn si-kyoor-i-tee]nounProtecting information and information systems fromunauthorized access, use, disclosure, disruption,modification, perusal, inspection, recording or destruction.See Also: Job Security
    6. 6. Artist: Tyler, 11. Dortmund, Germany
    7. 7. CLOUD BENEFITSMain benefit: FlexibilityPossible benefit: Cost savings
    8. 8. CLOUD SECURITYCLIFF NOTES• Trust nobody• Encrypt everything• Expect service issues
    9. 9. WHAT’S WRONG WITH FORKLIFTING?
    10. 10. FORKLIFTING…“Datacenter” application to the cloud:• Can’t trust what you used to• Datacenter apps usually not flexible• Confidentiality, Integrity, Availability all handled differently
    11. 11. ENTERPRISE vs CLOUD
    12. 12. HOW ABOUT PAAS?
    13. 13. LEVERAGING CLOUDARCHITECTUREHow can we (gently) re-architect to take advantage of thecloud?• Network• Web server• Application Server• Database server• Don’t forget audit/forensics!
    14. 14. NETWORKGood: Limit by IPBetter: Allow administration viaVPN onlyBest: Admin interface on separatehost, VPN only Artist: Jonathan, Age 7 Heidelberg, Germany
    15. 15. WEB/APP SERVERGood: Load balancing, “Basic” hardening (IP ACLs, onlyaccept GET/POST, server tuned for large loads). SSL’s cheapnowadaysBetter: Build Web Application Firewalls and reverse cachesinto your IaaS (mod_security’s free)Best: Use 3rd party services to handle load and minimizesecurity issues (CDNs like Akamai, Cloudflare)Required: Input filtering, output encoding.
    16. 16. DATASTOREGood: Place DBs on separate host from application.Better: Place DBs in separate datacenters, and replicateBest: Migrate to a “NOSQL” datastore (Cassandra, MongoDB,ElasticSearch)Required: Encrypt data-at-rest
    17. 17. NOSQL SECURITY?• Many NOSQL systems turn off even authentication• Data labeling or granular access needs to be handled in application. Artist: Luca, Italy
    18. 18. INTER-PROCESSCOMMUNICATION Good: Whatever you’ve dreamt up, (cloud bullhorn?) at least encrypt it. Better: Use open protocols for communication between nodes. Make sure encryption is enabled! Best: Consider using message queues. Required, in case you missed it: encryption.
    19. 19. LOGGING & FORENSICSWhat happens to logs when our scalable architecture…scales down?Cloud really really requires centralized logging, monitoring,and management.Also, consider erase vs. overwrite
    20. 20. WHAT HAVE WEBUILT?• Scalable solution• No single point of failure• Healthy caution of all those around us (filtering/encoding)• Data stored and transmitted safely• And a nice set of audit logs for when Bad Things happen
    21. 21. LEARN MORECloud Security AllianceOWASP Cloud top 10
    22. 22. THANKS ANDCONTACT INFO“Bad People” drawings from http://badpeopleproject.orgFollow me on twitter: @johnlkinsella

    ×