Evolution of a secure cloud

Presentation for a webinar on 6/21/12 for the Atlantic Provinces Chapter of ISACA

1. The Atlantic Provinces Chapter of ISACA presents "The Evolution of a Secure Cloud", June 21, 2012. Mike Kavis, VP of Architecture, Inmar.

2. Your Speaker
Mike Kavis has been architecting solutions in the cloud since 2008 and was the CTO for the startup M-Dot Network, which won the 2010 AWS Startup Challenge. Mike is now the VP of Architecture for Inmar, which purchased M-Dot in 2011, and is responsible for Inmar's Digital Promotions PaaS.
© 2012 Inmar, Inc. All Rights Reserved. Not to be reproduced or distributed without written permission from Inmar.

3. Some things might be better on premise!
(Cartoon; source: http://geekandpoke.typepad.com/)

4. Inmar's Digital Promotion PaaS
(Diagram of the offer network: Brand, Digital Offer Network, Publisher, Exchange, Point of Sale, Digital Offers, Retailer, Clearinghouse, Mfg. Agent.)

5. Continuous maturity & increased security over time
(Chart: amount of features plotted against security & regulatory requirements, rising through the stages POC, First Customer, National Network, Published APIs, and PaaS & Self Service Access (coming soon), with the IaaS, SaaS and PaaS labels along the way.)

6. It all started with AWS and a credit card (POC)

7. IaaS – Areas of Responsibility
(Diagram. Consumer: ID Management, Access configuration, Application Authentication, Authorization, Server OS, Storage. Provider: Network. Caption: "Outsourcing the security perimeter".)

8. Minimal Amount of Security for the POC
• Data Center/Perimeter Security
• AWS Keys
• Basic application authorization and authentication
• Standard LAMP AMI

9. Researched Security & Compliance Requirements
• 13 Domains of Cloud Computing (CSA guidance: https://cloudsecurityalliance.org/csaguide.pdf)
• Based on our requirements, the feedback from security experts was:
  – Focus on ISO 27001 and PCI
  – All others are a subset
• POS Traffic
  – Encrypt, compress, send over https
  – Chain, store and consumer level authentication
  – No credit card information on the wire
  – No non-standard open ports
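The POS traffic rules on slide 9 (encrypt, compress, send over HTTPS; chain, store and consumer level authentication; no card data on the wire) are concrete enough to show as a request builder. The following is an added example, not Inmar's code: it screens the serialized transaction for Luhn-valid card numbers and refuses to send if one is present, gzips the body, signs it with a per-store HMAC key and carries the chain id and the shopper's bearer token as separate headers. The header names, the HMAC construction, the endpoint URL and the sample transaction are all assumptions made for the example.

```python
"""POS-to-cloud request builder following the slide's rules: encrypt
(HTTPS), compress (gzip), authenticate at chain, store and consumer level,
and never put card data on the wire.

Added example, not Inmar's code. The header names, the HMAC scheme, the
endpoint URL and the sample transaction are all assumptions.
"""
import gzip
import hashlib
import hmac
import json
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed endpoint; HTTPS is what provides "encrypt" on the slide.
ENDPOINT = "https://api.example.com/v1/pos/transactions"


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to cut false positives on long numeric IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit runs that look like card numbers and pass Luhn."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def _serialize(txn: dict) -> str:
    return json.dumps(txn, separators=(",", ":"), sort_keys=True)


def payload_is_clean(txn: dict) -> bool:
    """True if the serialized transaction carries no card number."""
    return not find_pans(_serialize(txn))


class CardDataOnWire(ValueError):
    """Raised when a payload would carry a card number."""


def _sign(chain_id: str, store_id: str, body: bytes, store_secret: bytes) -> str:
    """HMAC-SHA256 over chain id, store id and the exact bytes sent, so the
    store key authenticates the body and not just the headers."""
    msg = b"|".join([chain_id.encode(), store_id.encode(), hashlib.sha256(body).digest()])
    return hmac.new(store_secret, msg, hashlib.sha256).hexdigest()


def build_pos_request(txn: dict, chain_id: str, store_id: str,
                      store_secret: bytes, consumer_token: str) -> dict:
    """Serialize, screen, compress and sign one POS transaction."""
    body = _serialize(txn)
    pans = find_pans(body)
    if pans:
        # Fail closed: the slide's rule is "no credit card information on
        # wire", so a transaction carrying a PAN is refused outright.
        raise CardDataOnWire(f"{len(pans)} card number(s) in payload")
    compressed = gzip.compress(body.encode("utf-8"), mtime=0)
    return {
        "url": ENDPOINT,
        "headers": {
            "Content-Type": "application/json",
            "Content-Encoding": "gzip",
            "X-Chain-Id": chain_id,                                   # chain level
            "X-Store-Id": store_id,                                   # store level
            "X-Store-Signature": _sign(chain_id, store_id, compressed, store_secret),
            "Authorization": f"Bearer {consumer_token}",              # consumer level
        },
        "body": compressed,
    }


def verify_pos_request(req: dict, store_secret: bytes) -> bool:
    """Server side: recompute the store signature and compare in constant time."""
    h = req["headers"]
    expected = _sign(h["X-Chain-Id"], h["X-Store-Id"], req["body"], store_secret)
    return hmac.compare_digest(expected, h["X-Store-Signature"])


def decode_body(req: dict) -> dict:
    """Server side: inflate and parse the compressed body."""
    return json.loads(gzip.decompress(req["body"]).decode("utf-8"))


# Constructed sample transaction (not real data). The loyalty ID is 16
# digits but fails Luhn, so it is correctly left alone; the card is carried
# only as a tokenized last-4 reference, never as a PAN.
SAMPLE_TXN = {
    "loyalty_id": "1234567890123456",
    "items": [{"upc": "012345678905", "qty": 2, "price_cents": 349}],
    "coupons": ["8110012345678"],
    "tender": "token:last4=1111",
}
```

The Luhn filter is what keeps 16-digit loyalty numbers and 13-digit coupon codes from being rejected as card data; a plain digit-count check would block legitimate POS traffic. The signature covers the compressed bytes, so a proxy that re-encodes the body will fail verification rather than be trusted.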
10. First Customer Launch
(Diagram: Coupon Portal, B2B Portal, Mobile Coupons, Reporting; SaaS; real time high speed transactions.)

11. Moderate Amount of Security for Launch
Challenges
• Segregation of duties is impossible when there are 2 guys
• Keeping up with patches was a challenge
Decision Points
• Just enough security for one client
• Deployments were manageable manually
• Consolidated work on fewer servers (light load)
• Focused on application security (Authentication/Authorization)

12. SaaS – Areas of Responsibility
(Diagram. Consumer: ID Management, Access configuration, Application Authentication, Authorization. Provider: Server OS, Storage, Perimeter. Caption: "Outsourcing the application".)

13. SaaS Considerations (still in startup mode)
Data
• Independent retailer databases
• Encrypted in flight
• Shopper ID masked
Decision Points
• Deployments were still manageable manually
• Relied on IaaS and standard images
• Basic monitoring
• Patch when critical
• Redundant across zones

14. National Network
(Diagram: Digital Incentives, Social Media, Analytics, Mobile, Advertising; PaaS; real time high speed transactions.)

15. PaaS – Areas of Responsibility
(Diagram in the same consumer/provider layout: ID Management, Access configuration, Application Authentication, Authorization, Server OS, Storage, Perimeter. Caption: "Outsourcing the application platform".)

16. Current Situation
Acquired by Inmar, focused on security and scalability
• 30+ person team
• 4 person DevOps team
• My focus is on the Platform, another VP owns the apps
Decision Points
• Pass audits, get certifications
• Follow IT controls best practices
• Distribute work across many nodes
• Automate everything
• Minimize access, segregation of duties
• Intrusion detection and prevention
• Patching strategy

17. Intrusion Detection and Prevention
Lock down and remove unnecessary software and services
• Operating System
• Database
• Application Server
• Monitors and alerts for access attempts
• Lock down production DB access – all non-API access goes to read-only replicas
• All CRUD via APIs (data service layer) with credentials (rare exceptions)
Leverage AWS's IAM (Identity and Access Management) services
• Multiple security groups with different permissions
• Multiple AWS Accounts (Prod, QA, R&D)
• Chef scripts automate security in AMI creation
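Slide 17's two database controls, all CRUD through a credentialed data service layer and all other access confined to read-only replicas, are easy to state and easy to get wrong in practice, so here is an added example (not Inmar's code) of the pattern. SQLite stands in for the production database and its read-only replica; the credential table, the scope names and the operation catalogue are constructed for the example. The point to notice is that the service exposes only named, parameterized operations, that each needs a scoped credential, and that the replica rejects writes at the database engine rather than in application code that could be bypassed.

```python
"""Data service layer in front of the production database: every create /
read / update / delete goes through a named, parameterized operation that
needs a credential with the right scope; everyone else gets a read-only
connection standing in for the slide's read-only replica.

Added example, not Inmar's code. SQLite stands in for the production
database; credentials, scopes and operations are constructed.
"""
import hmac
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE IF NOT EXISTS offers (
    id INTEGER PRIMARY KEY, brand TEXT NOT NULL, value_cents INTEGER NOT NULL);
CREATE TABLE IF NOT EXISTS redemptions (
    id INTEGER PRIMARY KEY, offer_id INTEGER NOT NULL, store_id TEXT NOT NULL);
"""

# Constructed API credentials: key id -> (secret, scopes). In production
# these would come from a secrets store, never from source.
API_CREDENTIALS = {
    "svc-redeem": ("redeem-secret", frozenset({"offers:read", "redemptions:write"})),
    "svc-admin": ("admin-secret", frozenset({"offers:read", "offers:write", "redemptions:write"})),
}

# The only SQL the service will ever run: operation -> (required scope, statement).
# Callers pass parameters, never SQL, so there is no injection surface.
OPERATIONS = {
    "list_offers": ("offers:read", "SELECT id, brand, value_cents FROM offers ORDER BY id"),
    "create_offer": ("offers:write", "INSERT INTO offers(brand, value_cents) VALUES (?, ?)"),
    "redeem": ("redemptions:write", "INSERT INTO redemptions(offer_id, store_id) VALUES (?, ?)"),
}


class AccessDenied(PermissionError):
    """Bad credential, unknown operation, or credential lacks the needed scope."""


class DataService:
    def __init__(self, db_path: str):
        self.db_path = db_path
        self.primary = sqlite3.connect(db_path)   # the only writable handle
        self.primary.executescript(SCHEMA)

    def call(self, key_id: str, secret: str, op: str, *params):
        """Run one named operation on behalf of an API credential."""
        cred = API_CREDENTIALS.get(key_id)
        if cred is None or not hmac.compare_digest(cred[0], secret):
            raise AccessDenied(f"bad credential {key_id!r}")
        if op not in OPERATIONS:
            raise AccessDenied(f"unknown operation {op!r}")
        scope, sql = OPERATIONS[op]
        if scope not in cred[1]:
            raise AccessDenied(f"{key_id!r} lacks scope {scope!r}")
        cur = self.primary.execute(sql, params)
        self.primary.commit()
        return cur.fetchall()

    def replica(self) -> sqlite3.Connection:
        """What non-API users (reporting, ad hoc queries) are given: a
        read-only connection. Writes fail inside the database engine."""
        return sqlite3.connect(f"file:{self.db_path}?mode=ro", uri=True)


def new_service() -> DataService:
    """Create a service on a fresh temporary database file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    return DataService(path)


def attempt(svc: DataService, key_id: str, secret: str, op: str, *params) -> str:
    """Wrapper that reports 'ok' or 'denied' instead of raising."""
    try:
        svc.call(key_id, secret, op, *params)
        return "ok"
    except AccessDenied:
        return "denied"


def replica_write_is_blocked(svc: DataService) -> bool:
    """Confirm the read-only path really rejects writes."""
    try:
        svc.replica().execute("INSERT INTO offers(brand, value_cents) VALUES ('x', 1)")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    svc = new_service()
    svc.call("svc-admin", "admin-secret", "create_offer", "Acme", 50)
    print(svc.call("svc-redeem", "redeem-secret", "list_offers"))
    print(attempt(svc, "svc-redeem", "redeem-secret", "create_offer", "Acme", 1))
    print(replica_write_is_blocked(svc))
```

On a real deployment the equivalent of `replica()` is a database account that has only SELECT on the replica host, so a developer who reaches the replica with a stolen password still cannot change production data; the scope check in `call` is what keeps a redemption-service key from minting offers even though it holds valid credentials.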
18. Restrict Access – Central Logging Strategy
(Diagram. Admins have total access; developers have access to the log server only. Web Servers (DB logs | App Svr logs | Web logs), API Servers (DB logs | App Svr logs | API logs), Database Servers (DB logs | App Svr logs | App logs) and Utility Servers (DB logs | App Svr logs | App logs) forward over SYSLOG to the Log Servers, which handle log centralization/prep and log search & analytics.)
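Slide 17 calls for monitors and alerts on access attempts, and slide 18 forwards every server's logs to a central log server. The value of the second for the first is correlation: an attacker probing web01, then api02, then db01 never trips a per-host threshold but is obvious once the lines sit together. The block below is an added example, not Inmar's code, showing that detection over constructed BSD-syslog lines of the kind sshd writes, plus one assumed `auth_failure` message from the API server; the threshold and window are assumptions.

```python
"""Detection over centrally collected syslog: failed access attempts are
correlated by source address across every host that forwards to the log
server. Added example, not Inmar's code. Log lines are constructed; the API
server's auth_failure format, the threshold and the window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# BSD syslog shape: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
API_FAIL_RE = re.compile(r"auth_failure key_id=(?P<user>\S+) client_ip=(?P<ip>[\d.]+)")


def parse_failure(line: str):
    """Return (timestamp, host, user, ip) for a failed access line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    f = SSH_FAIL_RE.search(msg) or API_FAIL_RE.search(msg)
    if not f:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # BSD syslog has no year
    return ts, m.group("host"), f.group("user"), f.group("ip")


def failed_access_alerts(lines, threshold=5, window_s=300):
    """One alert per source IP that has >= threshold failures inside any
    window_s span, counted across all hosts. 'count' is the densest window;
    'hosts' and 'users' summarize every failure seen from that IP."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_failure(line)
        if ev:
            by_ip[ev[3]].append(ev)
    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        best, start = 0, 0
        for end in range(len(events)):      # sliding window over sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "ip": ip,
                "count": best,
                "hosts": sorted({e[1] for e in events}),
                "users": sorted({e[2] for e in events}),
            })
    return alerts


# Constructed sample of what the log server would receive. No single host
# sees more than two failures from 203.0.113.9, but together they show a
# walk from the web tier to the API tier to the database tier.
SAMPLE_LINES = [
    "Jun 21 10:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Jun 21 10:01:05 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2",
    "Jun 21 10:01:40 api02 sshd[1877]: Failed password for root from 203.0.113.9 port 51301 ssh2",
    "Jun 21 10:02:11 api02 promo-api[3010]: auth_failure key_id=svc-redeem client_ip=203.0.113.9",
    "Jun 21 10:02:30 db01 sshd[900]: Failed password for invalid user oracle from 203.0.113.9 port 51410 ssh2",
    "Jun 21 10:03:02 db01 sshd[900]: Failed password for invalid user mysql from 203.0.113.9 port 51422 ssh2",
    "Jun 21 10:05:00 web01 sshd[2210]: Failed password for deploy from 198.51.100.4 port 40000 ssh2",
    "Jun 21 10:05:09 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2",
    "Jun 21 10:06:15 util01 cron[411]: (root) CMD (/usr/local/bin/rotate-logs)",
]

if __name__ == "__main__":
    for alert in failed_access_alerts(SAMPLE_LINES):
        print(alert)
```

The second source, 198.51.100.4, fails once and then succeeds with a key; it never reaches the threshold and is correctly ignored. Because developers can reach only the log server (slide 18), this kind of rule can run there without granting anyone a login on the production hosts themselves.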
19. SLA & Performance Management
(Title only.)

20. Published APIs
(Diagram: the National Network components (Digital Incentives, Social Media, Analytics, Mobile, Advertising, PaaS, real time high speed transactions) with a "????" placeholder for the published APIs.)

21. Next on the List
API 2.0
• Versioning strategy
• More advanced security
• API access, key management, OAuth
Self Service
• Self register
• Self subscribe and publish
• Online payments
• Hybrid clouds
• Offload payments to a processor

22. Recommendations
Have a roadmap
• Prioritize and chip away at the list
• Make security tasks part of your sprint planning
• Have a living, breathing security document, because you will get asked for it daily

23. Recommendations
Think Differently
• It's just another data center, only you can't see it.
• Apply the same best practices
• Apply some new best practices for the cloud
• Every problem has a solution
Don't be Mordac! (Dilbert's Preventer of Information Services)

24. Questions

25. For more information: Mike Kavis, michael.kavis@inmar.com
