The document discusses a webinar about securing servers in public and hybrid clouds using RightScale and CloudPassage. CloudPassage's Halo product provides security capabilities like network access control, configuration monitoring, and intrusion detection. RightScale helps deploy and manage servers across multiple clouds. A demo showed integrating CloudPassage Halo with RightScale for consistent security configuration of servers deployed in different clouds.
Securing Cloud Servers with RightScale and CloudPassage
12. Your Servers… Your Responsibility
Direct from Amazon AWS: "… the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software..." and "it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management." (Amazon Web Services: Overview of Security Processes, 2011)
Shared-responsibility stack (diagram):
- Provider responsibility: Physical Facilities, Shared Network, Compute & Storage, Hypervisor
- Customer responsibility: Virtual Machine, Operating System, App Framework, App Code, Data
13. CloudPassage Halo was purpose-built to actively protect servers in any cloud. RightScale can ensure secure server configurations across multiple clouds.
14. Halo™ Functional Capabilities
Halo is a security Software-as-a-Service providing all you need to secure your cloud servers.
- Dynamic network access control
- Configuration and package security
- Server account visibility & control
- Server compromise & intrusion alerting
- Halo GhostPorts two-factor access control
- Halo REST API for integration & automation
15. Halo architecture (diagram): a Halo daemon runs on each server in the compute grid (e.g. www-1) and talks over https to the CloudPassage Halo RESTful API gateway; policies and commands flow down to the daemon and reports flow back up. Administrators use the user portal (https) to manage policies.
18. The Halo service performs state and event analysis on what the daemons report.
19. Results are surfaced as alerts, reports and trending.
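The dynamic network access control described above is a policy pushed from the service to an agent on each host, which turns it into host firewall rules. As an added illustration (not CloudPassage or RightScale code), the following POSIX shell script turns a small allow-list policy file into an iptables-restore ruleset with a default-deny INPUT chain, and refuses a malformed policy outright rather than applying part of it. The policy format, the file path and the sample addresses are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not CloudPassage's or RightScale's code): render a small
# allow-list policy into an iptables-restore ruleset, the kind of artefact a
# host firewall agent applies on each server. Assumed policy line format:
#   allow <tcp|udp> <port> <source CIDR>
# Everything not listed is dropped; loopback and established flows are kept.

POLICY_FILE="${POLICY_FILE:-/tmp/halo_demo_policy.txt}"

# Constructed sample policy: SSH only from the admin network, web from anywhere.
cat > "$POLICY_FILE" <<'EOF'
# comments and blank lines are ignored
allow tcp 22 10.0.0.0/8
allow tcp 80 0.0.0.0/0
allow tcp 443 0.0.0.0/0
allow udp 123 10.0.0.0/8
EOF

# gen_fw_rules <policy-file>: print an iptables-restore ruleset on stdout.
# Returns 1 without printing a ruleset if any policy line is malformed, so a
# bad policy can never be applied half-way.
gen_fw_rules() {
    policy="$1"
    rules=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        [ "$#" -eq 4 ] && [ "$1" = allow ] || { echo "bad policy line: $line" >&2; return 1; }
        case "$2" in tcp|udp) ;; *) echo "bad protocol: $2" >&2; return 1 ;; esac
        case "$3" in *[!0-9]*|'') echo "bad port: $3" >&2; return 1 ;; esac
        [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "bad port: $3" >&2; return 1; }
        case "$4" in */*) ;; *) echo "bad cidr: $4" >&2; return 1 ;; esac
        rules="$rules
-A INPUT -p $2 --dport $3 -s $4 -j ACCEPT"
    done < "$policy"
    # Default deny inbound, keep loopback and replies to our own connections.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$rules" | sed '/^$/d'
    printf '%s\n' 'COMMIT'
}

# Apply on a real host (as root) with: gen_fw_rules "$POLICY_FILE" | iptables-restore
gen_fw_rules "$POLICY_FILE"
```

Validating before emitting anything matters more than it looks: an agent that applies rules line by line and stops on a parse error can leave the host with the allow rules missing but the DROP policy already set, locking out the administrator.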
21. Features & Pricing
Feature                                  Free tier     Paid tier
Dynamic network access control           ✔             ✔
Server compromise & intrusion alerting   ✔             ✔
Configuration and software security      ✔             ✔
Server account visibility & control      ✔             ✔
REST API access                          -             ✔
GhostPorts multi-factor authentication   -             ✔
Data storage                             One day       Two years
Maximum scanning frequency               Daily         Hourly
Servers protected                        Up to 25      Unlimited
Price                                    FREE          $0.10/hour
25. What do we Mean by Cloud Computing? RightScale
29. Parenthesis: What are ServerTemplates?
Configuring servers by bundling images leads to one image per variant: Custom MySQL 5.0.24 (CentOS 5.2), Custom MySQL 5.0.24 (CentOS 5.4), MySQL 5.0.36 (CentOS 5.4), MySQL 5.0.36 (Ubuntu 8.10), MySQL 5.0.36 (Ubuntu 8.10) 64bit, Frontend Apache 1.3 (Ubuntu 8.10), Frontend Apache 2.0 (Ubuntu 9.10) - patched, CMS v1.0 (CentOS 5.4), CMS v1.1 (CentOS 5.4), My ASP appserver (windows 2008), My ASP.net (windows 2008) – security update 1, My ASP.net (windows 2008) – security update 8, SharePoint v4 (windows 2003) – 32bit, SharePoint v4 (windows 2003) – 64bit, SharePoint v4.5 (windows 2003) – 64bit, …
Configuring servers with ServerTemplates: very few, basic base images (CentOS 5.2, CentOS 5.4, Ubuntu 8.10, Ubuntu 9.10, Win 2003, Win 2007) plus a set of configuration directives that install and configure software on top of the base image.
37. Common data exposure vectors in the cloud
Data is typically exposed in the following three states:
- In Process
- At Rest
- In Transit
Editor's Notes
Common causes of compromise:
- Poor application security leading to injection: SQL injection was one of the top exploits in the Verizon Data Breach Report.
- Poor system configuration leading to system compromise: note the recent Windows RDP "exploit", where RDP was left open with the Administrator account using a well-known password.
- Poor application configuration leading to application compromise: browsers that run scripts automatically.
- Poor user habits leading to compromised credentials that are then used to access data: users who click on attachments (Zeus bot, FakeAV, etc.).
Data in transit. Considerations: TCP/UDP paths are not guaranteed. From source to destination (initial loads or updates): does the data cross public networks or private ones? Once in the "cloud": within the cloud provider (CP) network where the data is stored, crossing the CP network where the data is stored, and within the hypervisor.
- Can someone view or modify it? Yes, if it is unencrypted, or encrypted but the keys are obtainable. So encrypt it, and protect the keys.
- Can someone deny it? Yes, by packet manipulation. There is no way to prevent this; reliable transports and dedicated connections reduce the exposure.
Data at rest.
- Can someone view or modify it? Yes, if it is unencrypted, or encrypted but the keys are obtainable. So encrypt it, and protect the keys.
- Can someone deny it? Yes, through local system access if ACLs are improper, or through improper CP controls. Set proper ACLs for local accounts. There is no way to prevent CP access, so a risk assessment should be performed.
Data in process.
- Can someone view or modify it? Yes: memory is in the clear. Running memory needs to be protected from within the instance, and the CP has to be trusted.
- Can someone deny it? Not the data specifically. An attacker can affect the instance, but it is not practical to affect data in memory without affecting the stability of the running instance.
Trusted images:
- Windows with critical/recommended patches installed up to the image creation date
- Known configurations: ServerTemplates
- Trusted software repositories: frozen repositories
- Script the install and configuration: RightScripts
How: the same mechanism as in your enterprise. RightScale can be used to automate/orchestrate where needed, but it does not do the patching itself.
- Windows: Windows Update, SUS, SCOM agent, etc. Think about application patching too.
- Linux: unfreeze the repositories, OR use a RightScript to update the repository to the latest tested snapshot. The latter probably works better with a change control process.
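The frozen-repository approach in the two passages above (trusted images built from frozen repositories, then moved forward to the latest tested snapshot under change control) comes down to controlling which dated mirror snapshot a server's package manager points at. The following POSIX shell script is an added example, not a RightScale RightScript or RightScale's mirror layout: it pins every baseurl in a yum .repo file to one snapshot id and reports which snapshots are in use. The mirror URL layout, the hostname and the sample repo file are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not RightScale's code: freeze every yum repo in a .repo file
# at one dated mirror snapshot, or move it to a newer tested snapshot when
# change control approves. Assumed mirror layout:
#   http://mirror.example.com/<distro>/<ver>/<repo>/<arch>/snapshots/<YYYYMMDD>/
# with "latest" in place of the date meaning "unfrozen".

REPO_FILE="${REPO_FILE:-/tmp/demo-CentOS-Base.repo}"

# Constructed sample: one repo frozen at an old snapshot, one left unfrozen.
cat > "$REPO_FILE" <<'EOF'
[base]
name=CentOS-5.4 - Base
baseurl=http://mirror.example.com/centos/5.4/os/x86_64/snapshots/20100115/
gpgcheck=1

[updates]
name=CentOS-5.4 - Updates
baseurl=http://mirror.example.com/centos/5.4/updates/x86_64/snapshots/latest/
gpgcheck=1
EOF

# set_repo_snapshot <repo-file> <snapshot>: rewrite every baseurl to the
# given snapshot (YYYYMMDD or "latest"). Anything else is refused, so a typo
# or an injected value cannot point a fleet at a path nobody tested.
set_repo_snapshot() {
    file="$1" snap="$2"
    case "$snap" in
        latest) ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "refusing snapshot '$snap' (want YYYYMMDD or latest)" >&2; return 1 ;;
    esac
    cp "$file" "$file.bak" || return 1
    sed -e "s#^\(baseurl=.*/snapshots/\)[^/]*/#\1$snap/#" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# repo_snapshots <repo-file>: print the distinct snapshot ids in use. A frozen,
# reproducible image shows exactly one dated id here.
repo_snapshots() {
    sed -n 's#^baseurl=.*/snapshots/\([^/]*\)/.*#\1#p' "$1" | sort -u
}

# Freeze both repos at the tested 2010-02-01 snapshot and show the result.
set_repo_snapshot "$REPO_FILE" 20100201
repo_snapshots "$REPO_FILE"
# A real update script would continue with: yum clean all && yum -y update
```

Keeping gpgcheck=1 in the repo file is the other half of the control: pinning a snapshot fixes which package versions you get, while signature checking ensures the mirror cannot substitute what is in them.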