
Securing Servers in Public and Hybrid Clouds


RightScale Webinar: Security and compliance remain major challenges to adoption of public cloud infrastructure hosting. Technical differences in public cloud environments render many established security models and controls inoperable. Understanding these differences and the options available to you is key to running a secure cloud environment.

Join Carson Sweet, co-founder and CEO of CloudPassage and Uri Budnik, Director, ISV Partner Program of RightScale for a free webinar where industry experts discuss why security and compliance are different in the cloud, outline a model for securing cloud-based hosting environments, and explain best practices for implementing a secure cloud infrastructure.

We will discuss:

- What's different about security in the cloud
- Shared responsibility
- Architectural challenges
- Key features to secure your cloud servers
- Secure deployment via RightScripts

Don't miss out on this opportunity to find out about all you need to secure your cloud servers!


Slide transcript

  1. Securing Servers in Public and Hybrid Clouds
     - Leveraging RightScale and CloudPassage
     - Dec 15, 2011
     - Watch the video of this webinar
  2. Your Panel Today
     - Host: Phil Cox, Director, Security and Compliance, RightScale (@sec_prof)
     - Presenting: Uri Budnik, Director, ISV Partner Program, RightScale (@uribudnik); Carson Sweet, CEO of CloudPassage (@carsonsweet)
     - Q&A: Will Eschen, Account Executive, RightScale
     - Please use the “Questions” window to ask questions any time!
  3. Agenda
     - Introduction
     - Security and Compliance in the Cloud – How are they Different?
     - Model for Securing Cloud-based Hosting Environments
     - Demo Deployment of Integrated Solution
     - Q&A
  4. CloudPassage Background
     - Company Background: founded January 2010; team of 27 security specialists; backed by Benchmark Capital
     - Early Adoption: production users since July 2010; publicly accessible since Jan 2011; commercial release Oct 2011 (Halo™ Solution)
     - 132 customers; 2,154 servers secured; 1,273,986 scans completed
     - [Select Customers and Recent Awards logos omitted]
  8–11. Cloud Changes the Balance (four progressive build slides; the complete version is shown)
     - Servers used to be highly isolated
       - Bad guys clearly on the outside
       - Layers of perimeter security
       - Poor configurations were tolerable
     - Cloud servers more exposed
       - Outside of perimeter protections
       - Little network control or visibility
       - No idea who’s next door
     - Sprawling, multiplying exposures
       - Rapidly growing attack surface area
       - More servers = more vulnerabilities
       - More servers ≠ more people
     - Fraudsters target cloud servers
       - Softer targets to penetrate
       - No perimeter defenses to thwart
       - Elasticity = more botnet to sell
     - [Diagram: private datacenter vs. public cloud, with web servers www-1 through www-10 multiplying in the public cloud]
  12. Your Servers… Your Responsibility
     - Direct from Amazon Web Services, Overview of Security Processes (2011):
       - “… the customer should assume responsibility and management of, but not limited to, the guest operating system… and associated application software…”
       - “it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
     - Provider responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
     - Customer responsibility: Virtual Machine, Operating System, App Framework, App Code, Data
  13. CloudPassage Halo was purpose-built to actively protect servers in any cloud. RightScale can ensure secure server configurations across multiple clouds.
  14. Halo™ Functional Capabilities
     - Halo is a security Software-as-a-Service providing all you need to secure your cloud servers.
     - Dynamic network access control
     - Configuration and package security
     - Server account visibility & control
     - Server compromise & intrusion alerting
     - Halo GhostPorts two-factor access control
     - Halo REST API for integration & automation
  15–19. Halo architecture (one diagram built up over five slides)
     - Components: the Halo daemon on each server (e.g. www-1) in the compute grid; the CloudPassage Halo service; a user portal (https) and a RESTful API gateway (https) carrying policies, commands and reports
     - Flow shown across the builds:
       - The Halo daemon runs on the server
       - Policies & commands are sent from Halo to the daemon
       - Results & updates are returned from the daemon to Halo
       - Halo performs state and event analysis
       - Alerts, reports and trending are delivered through the portal and the API
  20. 100% Multi-Cloud Capable
     - Single pane of glass across hosting models
       - Scales and bursts with dynamic cloud environments
       - Not dependent on chokepoints, static networks or fixed IPs
       - Agnostic to cloud provider, hypervisor or hardware
  21. Features & Pricing

     | Feature                                | Free     | Pro        |
     |----------------------------------------|----------|------------|
     | Dynamic network access control         | ✔        | ✔          |
     | Server compromise & intrusion alerting | ✔        | ✔          |
     | Configuration and software security    | ✔        | ✔          |
     | Server account visibility & control    | ✔        | ✔          |
     | REST API access                        |          | ✔          |
     | GhostPorts multi-factor authentication |          | ✔          |
     | Data storage                           | One day  | Two years  |
     | Maximum scanning frequency             | Daily    | Hourly     |
     | Servers protected                      | Up to 25 | Unlimited  |
     | Price                                  | FREE     | $0.10/hour |
  22. Getting Started
     - Register and set up Halo
       - Up to 25 servers are free
       - Evaluation keys are available to unlock pro features
     - Optimize your Halo configuration
       - Set up some server groups & a firewall policy
       - Explore base policies provided by CloudPassage
       - Get answers and tips at community.cloudpassage.com
     - Deploy Halo via RightScript
       - Ensures consistent deployment of Halo across all servers
       - Offers additional visibility and remediation alternatives
  23. RightScale Integration
     - Installation of Halo via RightScript
     - Load your Halo API key into RightScale as a credential
     - Add the CloudPassage Halo RightScript to your server templates
     - All launched servers will automatically have CloudPassage Halo activated
     - Easy, consistent security!
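The integration above hands the Halo API key to a boot-time script as a credential. The following is an added example, not RightScale's or CloudPassage's code, of the credential handling such a script should do: it assumes the key arrives as an environment variable (the name `HALO_API_KEY` and the agent config path are hypothetical), refuses to enroll without it, writes it to a root-only file atomically, and only ever logs a redacted form.

```python
"""Credential handling for an agent-enrollment boot script (added example).

Assumptions, not taken from the webinar: the platform passes the key in the
environment variable HALO_API_KEY, and the agent reads it from a local config
file whose path the caller supplies. Both names are hypothetical.
"""
import os
import re
import stat
import tempfile

# Constructed format check: treat the key as 32 or more hex characters.
# Replace with the real product's key format before relying on it.
_KEY_RE = re.compile(r"^[0-9a-fA-F]{32,}$")


def load_api_key(env, var_name="HALO_API_KEY"):
    """Fetch the key from an environment mapping.

    Raises if it is missing or malformed; the error text never contains the
    value, so a failed boot cannot leak the key into console logs.
    """
    value = (env.get(var_name) or "").strip()
    if not value:
        raise RuntimeError(f"{var_name} is not set; refusing to enroll")
    if not _KEY_RE.match(value):
        raise RuntimeError(f"{var_name} has an unexpected format (length {len(value)})")
    return value


def redact(key):
    """Form that is safe to log: everything but the last four characters masked."""
    return "*" * max(0, len(key) - 4) + key[-4:]


def write_agent_config(path, key):
    """Write the key to `path` with mode 0600 via a temp file and rename, so a
    crash never leaves a partial or world-readable file behind. Returns the
    permission bits actually on disk so the caller can verify them."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".agent-conf-")
    try:
        with os.fdopen(fd, "w") as fh:        # mkstemp already created it 0600
            os.fchmod(fh.fileno(), 0o600)     # make the intent explicit anyway
            fh.write(f"api_key = {key}\n")
        os.replace(tmp, path)                 # atomic rename on POSIX
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)


def enroll(env, config_path):
    """One boot-time run: validate, persist, and return a log-safe summary."""
    key = load_api_key(env)
    mode = write_agent_config(config_path, key)
    return {"config": config_path, "mode": oct(mode), "key": redact(key)}


if __name__ == "__main__":
    # Constructed demo environment and a temporary path; no real key involved.
    demo_env = {"HALO_API_KEY": "0123456789abcdef0123456789abcdef"}
    demo_path = os.path.join(tempfile.mkdtemp(), "halo-agent.conf")
    print(enroll(demo_env, demo_path))
```

The point a RightScript author should take from this is that the credential is never interpolated into a command line (where `ps` or shell history would expose it), never printed, and lands on disk with permissions the agent process alone needs.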
  24. RightScale: Real Customers, Real Deployments, Real Benefits
     - Managed cloud deployments for 4 years — globally
     - More than 45,000 users; launched more than 3MM servers!
     - Powering the largest production deployments on the cloud
  25. What do we Mean by Cloud Computing? [RightScale diagram]
  26. RightScale Manages IaaS Clouds [RightScale diagram]
  27. Complete Systems Management
  28. ServerTemplates
     - Dynamic configuration
     - Abstract role and behavior from cloud infrastructure
     - Predictable deployment
     - Cloud agnostic / portable
     - Object-oriented programming for sysadmins
  29. Parenthesis: What are ServerTemplates?
     - Configuring servers through bundling images: one image per variant, e.g. Custom MySQL 5.0.24 (CentOS 5.2), Custom MySQL 5.0.24 (CentOS 5.4), MySQL 5.0.36 (CentOS 5.4), MySQL 5.0.36 (Ubuntu 8.10), MySQL 5.0.36 (Ubuntu 8.10) 64bit, Frontend Apache 1.3 (Ubuntu 8.10), Frontend Apache 2.0 (Ubuntu 9.10) – patched, CMS v1.0 (CentOS 5.4), CMS v1.1 (CentOS 5.4), My ASP appserver (Windows 2008), My ASP.net (Windows 2008) – security update 1, My ASP.net (Windows 2008) – security update 8, SharePoint v4 (Windows 2003) – 32bit, SharePoint v4 (Windows 2003) – 64bit, SharePoint v4.5 (Windows 2003) – 64bit, …
     - Configuring servers with ServerTemplates: very few, basic base images (CentOS 5.2, CentOS 5.4, Ubuntu 8.10, Ubuntu 9.10, Win 2003, Win 2007) plus a set of configuration directives that will install and configure software on top of the base image
  30. ServerTemplates: an integrated approach that puts together all the parts needed to architect single & multi-server deployments [comparison diagram]
  31. CloudPassage / RightScale Integration Demo
  32. Find Out More
     - Web Resources:
       - RightScale.com/partners/isv/CloudPassage.php
       - RightScale.com/webinars
       - RightScale.com/whitepapers
       - Community.CloudPassage.com
     - Blogs:
       - Blog.RightScale.com
     - Follow us on Twitter:
       - @secprof
       - @uribudnik
       - @carsonsweet
       - @cloudpassage
       - @rightscale
  33. Thank you!!!
     - Contact Information
     - CloudPassage Team
       - info@cloudpassage.com
       - [email_address]
       - (415) 886-3020
     - RightScale
       - [email_address]
       - (866) 720-0208
       - phil@rightscale.com
  34. Additional Slides
  35. Data Security
     - We will cover …
     - Common data exposure vectors
     - Security benefits of centralized management
     - Unique security needs associated with hybrid and cross-cloud environments
  36. Biggest real risks to data in the cloud?
     - The same things as when your data were not in the cloud:
       - Poor application security leading to injection
       - Poor system configurations leading to system compromise
       - Poor application configuration leading to application compromise
       - Poor user habits leading to compromised credentials, which are then used to access data
  37. Common data exposure vectors in the cloud
     - Data is typically exposed in the following three states: In Process, At Rest, In Transit
  38. We must protect data “In Transit”
     - Why?
       - You do not want the bad guys to see or modify your data
       - You can’t guarantee the path your data will take
       - You may have regulatory or contractual requirements to do so
     - Risk
       - Sniffing along the path
       - Modification of existing data
       - Injection of new data
     - Common Solutions
       - Application transport (SSL & TLS)
       - VPN (SSL, IPSEC, PPTP, L2TP)
       - App-level data encryption (custom)
     - [Figure: map of Internet traffic]
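The "application transport" solution above only counters sniffing, modification and injection if the client actually verifies who it is talking to. As an added example (not from the webinar), here is the weak client configuration that often results from "just make it connect" next to a hardened one, plus a small audit function that tells them apart. It uses only the Python standard library; the TLS 1.2 floor is a present-day baseline, not a figure from the 2011 deck.

```python
"""Data in transit: a weak TLS client setup beside a hardened one, with a check
that distinguishes them (added example, not the webinar's code)."""
import socket
import ssl


def weak_context():
    """The 'just make it connect' configuration: no certificate verification
    and no hostname check, so anything on the path can impersonate the server
    and read or alter the traffic. Built here only so audit_context can flag it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Verify the peer against a trust store (the system store unless `cafile`
    names a private CA), check the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the weaknesses found in a client SSLContext (empty list means ok)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol versions below TLS 1.2")
    return findings


def open_verified(host, port=443, cafile=None, timeout=5.0):
    """Connect with the hardened context. An untrusted or mismatched certificate
    raises ssl.SSLCertVerificationError instead of silently proceeding."""
    ctx = hardened_context(cafile)
    sock = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```

The same three properties (peer verification, hostname binding, protocol floor) are what to look for when reviewing a VPN or a custom application-level encryption layer: encryption without authentication of the other end still leaves the modification and injection risks on the slide unaddressed.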
  39. We must protect data “At Rest”
     - Why? Same as previous: you do not want unauthorized
       - Disclosure
       - Modification
       - Injection
     - Risks
       - Intrusion into instance/guest exposes data on its filesystem
       - Cloud provider access to ephemeral storage (e.g., EBS, SWIFT)
       - Cloud provider access to other storage options (e.g., S3, CloudFiles)
     - Common Solutions
       - Protection offered by the running operating system (access control lists)
       - *Encryption (and key management)*
       - SLA and policies/processes of the cloud provider
  40. We must protect data while “In Process”
     - Why? Same as previous: you do not want unauthorized
       - Disclosure
       - Modification
       - Injection
     - Risk
       - Data is in the clear in the memory of the instance
       - Privileged users on a system can read memory
       - The hypervisor has access to instance memory
     - Common Solutions
       - Protect the system that is processing
       - Protect the hypervisor running the instance
       - Limit administrative users
  41. Where RightScale shines
     - RightScale can be used to ensure that poor system and application configurations are not what cause you to lose your data
     - Use RightScale to:
       - Require data to be transmitted securely
       - Require data to be stored securely
       - Ensure systems are appropriately patched and configured to minimize exposures
     - The core technologies are
       - RightImages
       - ServerTemplates
       - RightScripts
       - Repos and mirrors
     - Security motto: “Build it secure, keep it secure!”
  42. Build it Secure
     - What: known configurations
       - Start with Multi-Cloud Images
       - Build with ServerTemplates
       - Modify with RightScripts
       - Build from Frozen Repos
     - How
       - Use trusted images
       - Script the install and configuration
       - Build from a trusted repository
  43. Keep it Secure
     - What
       - Update the operating system
       - Update the applications
       - Validate the configuration
     - How (any one of)
       - Use the same mechanism as in your enterprise, *or*
       - Use operational RightScripts to do it for you, *or*
       - Use a partner ISV that specializes in that service
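"Validate the configuration" is the step an operational script has to get right for the other two to mean anything. As an added example (not a RightScale RightScript), here is a baseline check for an OpenSSH server config that mirrors sshd's own parsing rules, including the one that trips up naive checkers: sshd applies the first value it reads for a keyword, so a later duplicate line does not override an earlier weak setting. The sample file and the baseline values are constructed for the illustration.

```python
"""Configuration validation against a baseline (added example; not a RightScale
operational RightScript). The sample sshd_config is constructed and the baseline
values are common hardening choices, not a mandated standard."""
import re

# Constructed sample. Note the duplicated PermitRootLogin: sshd uses the FIRST
# value it reads for a keyword, so the later "no" never takes effect and a
# last-wins parser would wrongly report this host as compliant.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's file
Port 22
PermitRootLogin yes
PasswordAuthentication = yes
permitrootlogin no
X11Forwarding no

Match User backup
    PasswordAuthentication no
"""

# Baseline policy: lower-cased keyword -> value that must be set explicitly.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return {keyword: effective value} for the global section.

    Mirrors sshd's rules: keywords are case-insensitive, whitespace or '='
    separates keyword and value, the first occurrence wins, and everything
    from the first Match block onward is conditional and is left for a
    separate per-user/per-host evaluation."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        values.setdefault(key, value)   # first value wins, as in sshd
    return values


def check_baseline(text, baseline=BASELINE):
    """Return [(keyword, expected, actual)] for every baseline entry that is
    missing (actual is None) or set to a different value."""
    values = parse_sshd_config(text)
    deviations = []
    for key, expected in baseline.items():
        actual = values.get(key)
        if actual is None or actual.lower() != expected:
            deviations.append((key, expected, actual))
    return deviations


if __name__ == "__main__":
    for key, expected, actual in check_baseline(SAMPLE_SSHD_CONFIG):
        print(f"{key}: expected {expected!r}, found {actual!r}")
```

Reporting a missing keyword as a deviation (rather than trusting the daemon default) is deliberate: a baseline that is written down explicitly survives an OS upgrade that changes the default.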
  44. Hybrid/cross-cloud security concerns
     - Cloud functionality differences
       - This is the biggest concern in a non-homogeneous environment
       - Security features differ in scope and implementation across essentially all cloud orchestration technologies
       - Identity and Access Management features differ
       - Log levels and information differ
     - Applying consistent builds throughout
       - Take the term “security group” and define what it means in every cloud you will use
       - How do you manage them consistently?
     - Physical protections will differ from provider to provider
       - You will need to take this into consideration when looking at controls to implement
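One practical answer to "define what a security group means in every cloud you use, then manage them consistently" is to normalize each provider's rule representation into a single canonical form before comparing or auditing. The following is an added example, not RightScale's or CloudPassage's code; the two input shapes are constructed stand-ins, not any real provider's API schema. It diffs two clouds' rule sets and flags administrative ports reachable from any address, which is the mistake most likely to slip through when the same policy is hand-translated twice.

```python
"""One canonical 'security group' rule model across two clouds (added example;
not RightScale's or CloudPassage's code). The provider shapes are constructed."""
from ipaddress import ip_network

# Ports whose exposure to the whole Internet is almost never intended.
ADMIN_PORTS = (22, 3389)   # SSH, RDP

# Constructed inputs: the same intent expressed in two providers' idioms,
# except that provider B's SSH rule has been opened to the world.
PROVIDER_A_RULES = [
    {"proto": "tcp", "from": 22, "to": 22, "cidr": "10.0.0.0/8"},
    {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
]
PROVIDER_B_RULES = [
    {"protocol": "TCP", "port_range": "22", "source": "0.0.0.0/0"},
    {"protocol": "tcp", "port_range": "443-443", "source": "0.0.0.0/0"},
]


def _canon(proto, lo, hi, cidr):
    """Canonical rule: (protocol, low port, high port, normalized network)."""
    net = ip_network(cidr, strict=False)   # '10.1.2.3/8' becomes '10.0.0.0/8'
    return (proto.lower(), int(lo), int(hi), str(net))


def from_provider_a(rules):
    """Provider A (constructed shape): explicit from/to ports and a cidr key."""
    return {_canon(r["proto"], r["from"], r["to"], r["cidr"]) for r in rules}


def from_provider_b(rules):
    """Provider B (constructed shape): a 'lo-hi' or single-port string and a source key."""
    out = set()
    for r in rules:
        lo, _, hi = r["port_range"].partition("-")
        out.add(_canon(r["protocol"], lo, hi or lo, r["source"]))
    return out


def diff_rules(a, b):
    """Rules present in one cloud but not the other, in canonical form."""
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}


def world_open_admin(rules):
    """(protocol, port, source) for every admin port reachable from any address."""
    findings = []
    for proto, lo, hi, cidr in sorted(rules):
        if ip_network(cidr).prefixlen != 0:    # only 0.0.0.0/0 or ::/0 qualify
            continue
        findings.extend((proto, p, cidr) for p in ADMIN_PORTS if lo <= p <= hi)
    return findings


if __name__ == "__main__":
    a, b = from_provider_a(PROVIDER_A_RULES), from_provider_b(PROVIDER_B_RULES)
    print(diff_rules(a, b))
    print(world_open_admin(b))
```

Once the canonical form exists, the same policy document can be rendered into each provider's idiom by a per-provider adapter, and the diff becomes the consistency check that runs after every change rather than a manual comparison of two consoles.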
