1. Why The Cloud Changes Everything
BayThreat 2011: Building Security
Rand Wacker
@randwacker
© 2011 CloudPassage Inc.
2. How I Learned to Stop Worrying and Get DevOps to Love Security
3. whoami
Rand Wacker
@randwacker
rand@cloudpassage.com
Slides available tonight on community.cloudpassage.com
Background (columns: Security / Cloud):
  UC Berkeley   ✘ ✘
  Oracle        ✘
  Amazon        ✘
  Sendmail      …
  IronPort      ✘
  Cisco         ✘
  CloudPassage  ✘ ✘
4. Agenda
1. Who is in the cloud
2. Who secures the cloud
3. Why cloud security is different
4. How to approach the cloud
5. Suggestions and best practices
6. What is running in the cloud?
Development
  Who: App-dev shops, integrators, enterprise business units
  Why: Fast, cheap, agile
  Risks: Code stolen or hacked, live data theft
Permanent Application Hosting
  Who: SaaS providers, social media, gaming
  Why: Scalable, elastic, ties costs to growth
  Risks: Compliance, data theft, operational disruption
Temporary Workloads
  Who: Big data, social, retail, life-sci, media
  Why: Agility, speed, scale, “lease the spikes”
  Risks: Intellectual property theft
7. Who is running in the cloud?
(Personas pictured on the slide: IT Server Admins, Big Data Analysts)
9. Survey: Cloud Security Concerns
Question: What security concerns are most important to you regarding public cloud computing? (multiple choice)
  Lack of perimeter defenses and/or network control ........ 44%
  Multi-tenancy of infrastructure or applications .......... 40%
  Achieving compliance with PCI or other standards ......... 26%
  Provider access to guest servers ......................... 24%
  Enterprise security tools don't work in the cloud ........ 23%
  We have no security concerns ............................. 16%
Source: CloudPassage CloudSec Community Survey
10. “We didn’t think we had cloud servers. Then we checked our developers’ expense reports for AWS...”
- CISO, Fortune 500 (name withheld upon request)
12. Shared Responsibility Model
EC2 Shared Responsibility Model (stack, top to bottom):
  Customer responsibility: Data, App Code, App Framework, Operating System, Virtual Machine
  Provider responsibility: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
“…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”
“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Source: Amazon Web Services: Overview of Security Processes
13. Delineation of Responsibility
Stack layers (the same for IaaS, PaaS and SaaS), top to bottom:
  Interface
  Application
  Solution Stack
  Operating System
  ---- customer responsibility above this line, provider responsibility below (boundary as labeled on the slide) ----
  Hypervisor
  Compute & Storage
  Network
  Facility
Client segregation:
  IaaS: Virtual / Hypervisor
  PaaS: File permissions (client ID in DB)
  SaaS: None
14. Application of Security in IaaS
Layers on the slide, provider side to customer side: Physical Facilities, Physical Network, Compute, Storage, Hypervisor, Virtual Network, Virtual Machine/OS, App Framework / App stack, Application (Logic, GUI, API).
Controls the slide maps onto those layers: Authentication; Configuration Lockdown; Patching; NIDS/NIPS; HIDS/HIPS; Packet Filtering; Proxy/Middleware; Application White Listing; Anti-Virus; File/Record Access Control; Encryption; DLP; NAC; SIEM; Auditing/Pen Testing; Forensics; Secure Development Lifecycle; Architecture/Design; Physical.
15. Survey: Cloud Security Practices
Question: How do you secure your cloud servers today?
Answer options shown on the chart:
  Wrote my own automation tools
  Commercial tool
  Open source or custom tool
  My provider does it for me
  Amazon Security Group
  Manually, using a checklist
  We're not securing our cloud servers
Source: CloudPassage CloudSec Community Survey
18–21. What’s So Different? (slides 18–20 are progressive builds of the full list on slide 21)
• Servers used to be highly isolated (private datacenter)
– Bad guys clearly on the outside
– Layers of perimeter security
– Poor configurations were tolerable
• Cloud servers more exposed (public cloud)
– Outside of perimeter protections
– Little network control or visibility
– No idea who’s next door
• Sprawling, multiplying exposures
– Rapidly growing attack surface area
– More servers = more vulnerabilities
– More servers ≠ more people
• Fraudsters target cloud servers
– Softer targets to penetrate
– No perimeter defenses to thwart
– Elasticity = more botnet to sell
24. Survey: OS Running in the Cloud
Question: Which operating systems do you run on your cloud servers?
  Running Windows: 78%
  Running Linux: 55%
  (The chart overlaps the two groups as “Windows and Linux”; BSD is also shown.)
Source: CloudPassage CloudSec Community Survey
26. How To Secure Cloud Servers
Servers in hybrid and public clouds must be self-defending with highly automated controls like…
• Dynamic network access control
• Configuration and package security
• Server account visibility & control
• Server compromise & intrusion alerting
• Server forensics and security analytics
• Integration & automation capabilities
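Two of the controls on this slide, server account visibility and host-level network access control, can be checked from inside the guest with nothing but the files and tools the OS already has. The following is an added example written for this page, not CloudPassage's code or product. It assumes Linux /etc/passwd and /etc/shadow formats and an `iptables -S` style rule listing; the 999 service-account UID ceiling and the list of ports that must carry a source restriction are assumptions, and every sample input is constructed.

```python
"""Guest-level self-check: account visibility and host firewall posture.

Added example, not CloudPassage's code.  Assumes Linux /etc/passwd and
/etc/shadow formats and an `iptables -S` style rule listing; all sample
input below is constructed."""
import re

# Constructed /etc/passwd: a leftover second UID-0 account ("toor"), a service
# account that was given an interactive shell, and a normal "deploy" user.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
toor:x:0:0:leftover admin:/root:/bin/bash
"""

# Constructed /etc/shadow: "deploy" has an empty password field.
SHADOW_SAMPLE = """\
root:$6$saltsalt$placeholderhash:15500:0:99999:7:::
daemon:*:15500:0:99999:7:::
www-data:*:15500:0:99999:7:::
backup:*:15500:0:99999:7:::
deploy::15500:0:99999:7:::
toor:!:15500:0:99999:7:::
"""

# Constructed `iptables -S` output: INPUT policy is ACCEPT and MySQL is
# reachable from any source; SSH is at least limited to one network.
IPTABLES_SAMPLE = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
"""

SYSTEM_UID_MAX = 999  # assumption: UIDs 1-999 are service accounts (Debian convention)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Assumption: with no perimeter in front of the server, these ports must never
# be accepted without a source (-s) restriction.
RESTRICTED_PORTS = {22: "ssh", 3306: "mysql", 5432: "postgres", 6379: "redis"}


def parse_passwd(text):
    """Return [{name, uid, shell}, ...] from passwd-format text."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "shell": shell})
    return users


def parse_shadow(text):
    """Return {name: password_field} from shadow-format text."""
    fields = {}
    for line in text.splitlines():
        if line.strip():
            name, pw_field = line.split(":", 2)[:2]
            fields[name] = pw_field
    return fields


def audit_accounts(passwd_text, shadow_text):
    """Flag extra UID-0 accounts, service accounts with a login shell, and
    accounts whose password field is empty (login with no password)."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for u in parse_passwd(passwd_text):
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("EXTRA_UID0", u["name"]))
        elif 0 < u["uid"] <= SYSTEM_UID_MAX and u["shell"] not in NOLOGIN_SHELLS:
            findings.append(("SERVICE_ACCOUNT_SHELL", u["name"]))
        if shadow.get(u["name"], "*") == "":
            findings.append(("EMPTY_PASSWORD", u["name"]))
    return findings


def audit_firewall(rules_text):
    """Flag a non-DROP INPUT policy and restricted ports open to any source."""
    findings = []
    for line in rules_text.splitlines():
        policy = re.match(r"-P (\w+) (\w+)", line)
        if policy:
            if policy.group(1) == "INPUT" and policy.group(2) != "DROP":
                findings.append(("INPUT_POLICY_NOT_DROP", policy.group(2)))
            continue
        if line.startswith("-A INPUT") and "-j ACCEPT" in line:
            port = re.search(r"--dport (\d+)", line)
            if port and int(port.group(1)) in RESTRICTED_PORTS and " -s " not in line:
                findings.append(("OPEN_TO_ANY", RESTRICTED_PORTS[int(port.group(1))]))
    return findings


def run_audit():
    """Run both checks over the constructed samples; returns (code, subject) pairs."""
    return audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE) + audit_firewall(IPTABLES_SAMPLE)


if __name__ == "__main__":
    for code, subject in run_audit():
        print(f"{code}: {subject}")
```

On a real host the three constants would be read from /etc/passwd, /etc/shadow (root only) and `iptables -S`; the point of the structure is that each check returns data an automation layer can act on or ship to a SIEM, rather than text a person has to read.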
27. Architectural Challenges
• Inconsistent Control (you don’t own everything)
– The only thing you can count on is guest VM ownership
• Elasticity (not all servers are steady-state)
– Cloudbursting, stale servers, dynamic provisioning
• Scalability (handle variable workloads)
– May have one dev server or 1,000 number-crunchers
• Portability (same controls work anywhere)
– Nobody wants multiple tools or IaaS provider lock-in
28. Portable = “Works Anywhere”
Public Cloud, Hybrid Cloud, Private Cloud, Traditional Hardware
Which is hardest to solve?
29. Problem: How can we secure large-scale, dynamic application stacks across clouds we probably don’t control?
Proposal: Highly automated, scalable, elastic security at the guest VM level.
30. The VM is the Unit of Control
Controlled by hosting user: Data, App Code, App Framework, Operating System, Virtual Machine
Controlled by hosting provider: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
31. The VM is the Unit of Scale
Identical guest stacks (Data, App Code, App Framework, Operating System, Virtual Machine) placed side by side on one shared base: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
32. The VM is the Unit of Portability
The same guest stack (Data, App Code, App Framework, Operating System, Virtual Machine) runs unchanged on either base:
  Private Cloud: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
  IaaS Provider: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
33. Thesis
In cloud environments, the intersection of control, portability & scale is almost always the guest virtual machine.
35. Déjà vu – Laptops as a Model
• We’ve dealt with securing portable assets in the past
• Security needed to change from being network-based to host-based
• Expect the same to happen with cloud
• Dynamic shared resources mean host-based technology must be reworked prior to use
38. Summary
• There are people using cloud in your org…
• Cloud users often don’t understand security, and
definitely don’t know their responsibility
• Cloud security is different, and hard
• The bad guys know this!
• Cloud has different points of control, leverage them!
39. Best Practices
• Know who is running what, and where
• Read and understand what your provider does, and
what you are responsible for
• Take extra precautions when moving servers outside your data center
• Start with public cloud, after that everything is easy!
• Focus on securing what you control
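The first two practices above, knowing who is running what and where and reading what the provider does versus what you must do, turn into a routine reconciliation of what your records say should exist against what the provider reports is running; the expense-report story on slide 10 is what happens when nobody runs it. The following is an added example written for this page, not the deck's or CloudPassage's code. The inventory records, instance ids, tags and launch dates are constructed, the provider API call is stood in for by an inline list, and the 90-day "long running" threshold is an assumption.

```python
"""Reconcile expected cloud servers against what the provider says is running.

Added example, not CloudPassage's code.  All instance data below is
constructed; in practice RUNNING would come from the provider's API."""
from datetime import datetime, timedelta, timezone

# Constructed change-record / CMDB view: servers someone has signed off on.
EXPECTED = {
    "i-0a1": {"owner": "web-team", "app": "storefront"},
    "i-0b2": {"owner": "data-team", "app": "etl"},
    "i-0e5": {"owner": "web-team", "app": "storefront"},
}

# Constructed provider listing.  i-0c3 and i-0d4 are in nobody's records.
RUNNING = [
    {"id": "i-0a1", "launched": "2011-11-01T10:00:00Z", "tags": {"owner": "web-team"}},
    {"id": "i-0b2", "launched": "2011-10-15T08:30:00Z", "tags": {}},
    {"id": "i-0c3", "launched": "2011-06-02T12:00:00Z", "tags": {}},
    {"id": "i-0d4", "launched": "2011-11-28T09:00:00Z", "tags": {"owner": "dev-jane"}},
]

NOW = datetime(2011, 12, 1, tzinfo=timezone.utc)   # fixed clock for the example
LONG_RUNNING_AFTER = timedelta(days=90)             # assumption: review servers older than this


def parse_launch_time(value):
    """Parse the provider's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(expected, running, now=NOW):
    """Return (code, instance_id) findings:
    UNKNOWN_INSTANCE  running but not in the records (shadow or forgotten server)
    NO_OWNER_TAG      nobody is accountable for it
    LONG_RUNNING      up longer than the review window (stale image, unpatched)
    MISSING_INSTANCE  in the records but not running (records are stale too)
    """
    findings = []
    seen = set()
    for inst in running:
        iid = inst["id"]
        seen.add(iid)
        if iid not in expected:
            findings.append(("UNKNOWN_INSTANCE", iid))
        if not inst["tags"].get("owner"):
            findings.append(("NO_OWNER_TAG", iid))
        if now - parse_launch_time(inst["launched"]) > LONG_RUNNING_AFTER:
            findings.append(("LONG_RUNNING", iid))
    for iid in expected:
        if iid not in seen:
            findings.append(("MISSING_INSTANCE", iid))
    return findings


if __name__ == "__main__":
    for code, iid in reconcile(EXPECTED, RUNNING):
        print(f"{code}: {iid}")
```

Run on a schedule, the UNKNOWN_INSTANCE and NO_OWNER_TAG findings are the ones that surface servers that were never in the security team's field of view; the MISSING_INSTANCE findings tell you the records themselves have drifted.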
40. Wrapping Up
• Continue the discussion
– Slides available: community.cloudpassage.com
• Contact me
– Email: rand@cloudpassage.com
– Twitter: @randwacker
• We’re hiring!
Expert in Security and/or Cloud?
– Email: jobs@cloudpassage.com
42. What does CloudPassage do?
Security for virtual servers running in public and private clouds
• Firewall Management
• Server Security Configurations
• Server account Management
• Compromise & intrusion alerting
• Security & compliance auditing
• Vulnerability Management
Cloud adoption without fear
Faster and easier compliance
Repel attacks on your servers
Free Basic version, 5 minutes setup
Editor's notes
1. Zappos is creating apps for their unique corporate culture
2. Foursquare is a great example in social media – scaling up & down over the weekend.
3. Ebay xmas - Highway into the city expand from 3 to 7 lanes in rush hour
SAAS: Fast and easy
The only cloud security platform built for the cloud