
Beyond the Hype: Understanding Cloud Security by Bryan D. Payne

Nebula Director of Security Research Bryan D. Payne explains why the cloud requires a different approach to application-level security at Cloud Computing Expo Santa Clara 2012.

  1. Beyond the Hype: Understanding Cloud Security for Your Application Bryan D. Payne
  2. “To the cloud!” “Learn all about cloud security concerns” “This is hard!” Bryan D. Payne, Director of Security Research @bdpsecurity
  3. Trust cloud provider? Guest network? Attackers? My security policies? How to access my instances? Where is my data? Is there a right way? Other cloud tenants Etc…
  4. Computer Security: What We Know. Better: design for security from the start; understand your threats; understand your goals; pervasive security culture. Worse: retrofit security when it’s important; just make it secure; seriously, just add some security; that paranoid guy has it under control.
  5. Security Requires A Good Foundation
  6. Security Needs System-Level Thinking
  7. Example: Gene Sequence Analysis • Variable workload • Sensitive patient data • Regulatory compliance • Computational integrity • Multiple tenants • Billing
  8. 4 SECURITY QUESTIONS
  9. 1. What are you protecting? • Data • Computation • CIA – Confidentiality – Integrity – Availability
  10. 2. What is your risk tolerance? • Mindset • Budget • Repercussions
  11. 3. What are your threats? • Adware • Botnets • Spyware • Corporate Espionage • Nation State Attacks • Curious Neighbor
  12. 4. What is your attack surface? • Network architecture • Cloud provider • Software config • API Usage • Users / Admins
  13. CLOUD SECURITY
  14. Public or Private (or Hybrid)? Protect: inside / outside firewall; hardware / software control. Risk: policy / regulation allow public?; professional management. Threats: can’t choose your neighbors; physical control; insight into software stack. Surface: APIs available on the Internet; architectural specificity.
  15. What IaaS Provider? (protect / risk / threats / surface)
  16. Key Points • Get IaaS-layer security from provider • Choose wisely, based on your needs
  17. CLOUD APPLICATION SECURITY
  18. What Does Your App Look Like?
  19. Access to App: Who and How? Other cloud tenants (e.g., guest network) Cloud admin
  20. Protecting App Data
  21. Protecting App Computation
  22. Unique Cloud App Security Concerns • Entropy is hard to come by • Be careful with reusing images • Rapid, code-driven deployment – Keys stored inside your app, be careful • Data persistence is tricky
  23. Key Points • Custom security is always hard • The right IaaS platform can help • Follow the community • Cloud isn’t Legacy
  24. PUTTING IT ALL TOGETHER
  25. Cloud Provider Is Key • Understand what you need • Get the security you need at this level • Don’t do this yourself (Protecting? Risk tolerance? Threats? Attack surface?)
  26. Cloud App Security is Specialized • Unique security concerns • Get expert help, if needed (Protecting? Risk tolerance? Threats? Attack surface?)
  27. Trends to Watch For • OpenStack Security Group https://launchpad.net/~openstack-ossg • Cloud Attestation http://wiki.openstack.org/OpenAttestation http://code.google.com/p/vmitools/ • Attack Surface Research https://cloudsecurityalliance.org/research/big-data/
  28. Bryan D. Payne bryan.payne@nebula.com @bdpsecurity http://www.bryanpayne.org
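An added example (not from the talk) for the concerns on slide 22: a pre-deployment hygiene check over a cloud image mounted or unpacked at ROOT, flagging credentials baked into the image, SSH host keys that every clone of the image would share, and the size of the kernel entropy pool on the host running the check. The ROOT layout, the credential file names and the patterns are assumptions.

```shell
#!/bin/sh
# Added example for the slide-22 concerns (not from the talk). ROOT is the
# directory where a cloud image has been mounted or unpacked; the file names
# and patterns below are assumptions about common places credentials end up.

# scan_image ROOT: print one "KIND<TAB>PATH" line per finding.
#   hostkey = SSH host key baked into the image (every clone would share it)
#   secret  = other private-key or credential material that should be
#             injected at boot rather than stored in the image
scan_image() {
    root=$1
    {
        # Files carrying a PEM private-key header, wherever they live.
        grep -rl -e 'PRIVATE KEY-----' "$root" 2>/dev/null || true
        # Well-known credential files, regardless of content.
        find "$root" -type f \( -name 'id_rsa' -o -name 'id_ed25519' \
            -o -name '.netrc' -o -path '*/.aws/credentials' \) \
            2>/dev/null || true
    } | sort -u | while IFS= read -r path; do
        case $path in
            */etc/ssh/ssh_host_*_key) printf 'hostkey\t%s\n' "$path" ;;
            *)                        printf 'secret\t%s\n' "$path" ;;
        esac
    done
}

# count_findings ROOT: number of findings; 0 means the image looks clean.
count_findings() {
    scan_image "$1" | wc -l | tr -d ' '
}

# entropy_avail: bits currently in the kernel entropy pool on a Linux host,
# or "unknown" elsewhere. A freshly booted clone often reports a low value,
# which is the point of the "entropy is hard to come by" slide.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo unknown
    fi
}
```

Run `scan_image /mnt/image` (hypothetical mount point) before publishing an image; any `hostkey` finding means the image will hand identical host keys to every instance booted from it.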
