With the rapid growth of online commerce, the challenge of securing and monitoring internal and customer-facing websites, card processing systems and other critical infrastructure has never been greater. Deploying full-featured intrusion detection in a public cloud has been challenging: the network models and multi-tenancy of public clouds do not make deep network services easy to deploy. Misha Govshteyn, VP of Emerging Products at Alert Logic, will present a new approach to an IDS solution in a public cloud.
4. Comprehensive Security
• IDS
• 2 Factor Authentication
• Vulnerability Scanning
• Integrity Monitoring
• Configuration Assessment (Tripwire)
• Firewall
• Antivirus
• Web Application Firewall
• TDE – Transparent Database Encryption
“Strong security controls are a requirement for many mission-critical IT workloads. Customers demand that service providers address security as they move IT infrastructure to fully elastic public cloud environments”
- Joel Friedman, Datapipe CSO
5. Why detect intrusions?
• Do you want to know if your webservers are making connections to botnet command & control servers?
• Do you want to know if someone is running a vulnerability scan on you without your knowledge?
• Do you trust that your development teams and software vendors have eliminated 100% of SQL injection or other common attacks?
7. Public Cloud Security Complexity
Security solutions must be built specifically for public cloud
PUBLIC CLOUD SECURITY REQUIREMENTS =
• elastic scaling
• utility pricing
• management automation
• managed operations
• self-service provisioning
• third-party ownership
Traditional “Big Box” Security Appliances are Dead
8. AWS environment challenges
1. Lack of network introspection facilities such as SPAN
2. Ephemeral networking means IP addresses cannot be used as host identifiers
3. Services must be tightly coupled to provisioning systems via API to support auto-scaling and role-based management
Building a scalable security cloud service requires new solutions specifically designed to operate in cloud environments
9. Soft-Tap Architecture
Unique approach to network security monitoring in EC2
[Diagram: five EC2 instances, each with an eth0 interface; four run a Soft Tap and one runs the IDS; each instance's eth1 interface carries a vpn link into the VPN Transport]
10. Alert Logic for Amazon EC2
Enabling:
• Traffic monitoring via software-based network taps
• Log collection via software agents
• Virtual appliance-based data collection
• Host agents that continuously track the state of monitored instances
• Automated software and configuration deployment via internal management APIs
• Multi-tenant aware provisioning API for integration with service provider
Provides:
• Auto-scaling by tracking IP addresses of protected hosts
• Load balancing & fail over between appliances
• Transport-level data encryption
• Centralized resource authorization via certificates for Amazon Web Services
[Diagram: IDS for Cloud, LM for Cloud and VA for Cloud layered over Virtual Appliances & Host Agents, Management API and Provisioning API]
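Challenge 2 on the AWS slide (IP addresses cannot be used as host identifiers) and the auto-scaling bullet above, as an added Python example that is not Alert Logic's or Datapipe's code: a registry fed by launch/terminate events resolves each alert's source IP to the instance that held that address when the alert fired, so a recycled address is not pinned on the wrong host. The instance ids, addresses, timestamps and alerts are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Lease:
    instance_id: str
    start: int                 # epoch seconds when the address was acquired
    end: Optional[int] = None  # None while the instance is still running


class HostRegistry:
    """Maps ephemeral IPs to stable instance ids over time; fed by provisioning
    events so alerts land on the instance that held the address at that moment."""

    def __init__(self) -> None:
        self._leases: Dict[str, List[Lease]] = {}

    def launched(self, instance_id: str, ip: str, at: int) -> None:
        self._leases.setdefault(ip, []).append(Lease(instance_id, at))

    def terminated(self, instance_id: str, ip: str, at: int) -> None:
        for lease in reversed(self._leases.get(ip, [])):
            if lease.instance_id == instance_id and lease.end is None:
                lease.end = at
                return
        raise KeyError(f"no open lease for {instance_id} on {ip}")

    def resolve(self, ip: str, at: int) -> Optional[str]:
        """Instance holding `ip` at time `at`, or None if nobody did."""
        for lease in self._leases.get(ip, []):
            if lease.start <= at and (lease.end is None or at < lease.end):
                return lease.instance_id
        return None


def attribute_alerts(registry: HostRegistry, alerts: List[dict]) -> List[dict]:
    # Copies of the alerts tagged with the owning instance id (or None).
    return [dict(a, instance=registry.resolve(a["src_ip"], a["ts"])) for a in alerts]


def demo() -> List[dict]:
    """Constructed scenario: 10.0.1.5 is released by one instance, reused by another."""
    reg = HostRegistry()
    reg.launched("i-0aaa", "10.0.1.5", at=100)     # constructed instance ids
    reg.terminated("i-0aaa", "10.0.1.5", at=200)
    reg.launched("i-0bbb", "10.0.1.5", at=250)
    alerts = [  # constructed IDS alerts, keyed only by source IP and time
        {"sig": "SQLi attempt", "src_ip": "10.0.1.5", "ts": 150},
        {"sig": "SQLi attempt", "src_ip": "10.0.1.5", "ts": 300},
        {"sig": "port scan", "src_ip": "10.0.1.5", "ts": 220},
    ]
    return attribute_alerts(reg, alerts)
```

The alert at ts=220 resolves to no instance because the address was unassigned then; without the lease history all three would be blamed on whichever instance currently holds 10.0.1.5.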
12. Datapipe IDS for EC2: Setup Process
[Diagram: API Integration with TM, LM, SOC, UI and CMS; deploy certificates; install software packages and virtual appliances; VPN Transport]
13. Attack Scenario
[Diagram: SQL Injection Attack (this time unsuccessful) by Attacker (me); VPN Transport]
14. What happens next
1. Incident identified by correlation engine
2. Threat level escalated to 60 out of 100
3. Notification sent to Datapipe security
4. Incident investigated by Alert Logic SOC
5. Incident remediated by Datapipe security team
6. Attacker blocked at the firewall
15. Availability
• In beta today with select customers
• Available as a managed service for AWS customers exclusively through Datapipe in early 2012
• RightScale enabled: bundled into ServerTemplates for automation
• Auto-scaling support coming soon
• Available as a self-service solution for AWS and other public clouds from Alert Logic in 1H 2012
Questions?
Contact: @mgbits