Beyond the Hype: Understanding Cloud Security for Your Application

Transcript

1. Bryan  D.  Payne   Beyond  the  Hype:  Understanding  Cloud  

   Security  for  Your  Applica>on  

2. 2   To  the   cloud!   Learn  all  

   about  cloud   Security   concerns   This  is   hard!   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity  

3. AGackers?   Where  is   my  data?   3  

   Cloud   provider   Other  cloud   tenants   Trust  guest   network?   How  to  access   my  instances?   Is  there  a   right  way?   My   security   policies?   Etc…   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity  

4. Computer  Security:  What  We  Know   Be#er   Worse  

   Design  for  security  from  the  start   Retrofit  security  when  it’s  important   Understand  your  threats   Just  make  it  secure   Understand  your  goals   Seriously,  just  add  some  security   Pervasive  security  culture   That  paranoid  guy  has  it  under  control   4   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity  

5. Security  Requires  A  Good  Founda>on   5   Bryan  D.

    Payne,  Director  of  Security  Research   @bdpsecurity  

6. Security  Needs  System-­‐Level  Thinking   6   Bryan  D.  Payne,

    Director  of  Security  Research   @bdpsecurity  

7. Example:  Gene  Sequence  Analysis   •  Variable  workload   • 

   Sensi>ve  pa>ent  data   •  Regulatory  compliance   •  Computa>onal  integrity   •  Mul>ple  tenants   •  Billing   7   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity   +  

8. 4  SECURITY  QUESTIONS   8   Bryan  D.  Payne,  Director

    of  Security  Research   @bdpsecurity  

9. 1.  What  are  you  protec>ng?   •  Data   • 

   Computa>on   •  CIA   – Confiden>ality   – Integrity   – Availability   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity   9  

10. 2.  What  is  your  risk  tolerance?   10   Bryan

     D.  Payne,  Director  of  Security  Research   @bdpsecurity   •  Mindset   •  Budget   •  Repercussions  

11. 3.  What  are  your  threats?   11   Bryan  D.

     Payne,  Director  of  Security  Research   @bdpsecurity   •  Adware   •  Botnets   •  Spyware   •  Corporate  Espionage   •  Na>on  State  AGacks   •  Curious  Neighbor  

12. 4.  What  is  your  aGack  surface?   12   Bryan

     D.  Payne,  Director  of  Security  Research   @bdpsecurity   •  Network  architecture   •  Cloud  provider   •  Soiware  config   •  API  Usage   •  Users  /  Admins    

13. CLOUD  SECURITY   13   Bryan  D.  Payne,  Director  of

     Security  Research   @bdpsecurity  

14. Public  or  Private  (or  Hybrid)?   14   Bryan  D.

     Payne,  Director  of  Security  Research   @bdpsecurity   protect   threats   risk   surface   Inside  /  Outside  Firewall   Hardware  /  soiware  control   Policy  /  regula>on  allow  public?   Professional  management   Can’t  choose  your  neighbors   Physical  control   Insight  into  soiware  stack   APIs  available  on  the  Internet   Architectural  specificity  

15. What  IaaS  Provider?   15   Bryan  D.  Payne,  Director

     of  Security  Research   @bdpsecurity   protect   threats   risk   surface  

16. Key  Points   •  Get  IaaS-­‐layer  security  from  provider  

    •  Choose  wisely,  based  on  your  needs   16   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity  

17. CLOUD  APPLICATION  SECURITY   17   Bryan  D.  Payne,  Director

     of  Security  Research   @bdpsecurity  

18. What  Does  Your  App  Look  Like?   18   Bryan

     D.  Payne,  Director  of  Security  Research   @bdpsecurity  

19. Access  to  App:  Who  and  How?   19   Bryan

     D.  Payne,  Director  of  Security  Research   @bdpsecurity   Other  cloud  tenants  (e.g.,  guest  network)   Cloud  admin  

20. Protec>ng  App  Data   20   Bryan  D.  Payne,  Director

     of  Security  Research   @bdpsecurity  

21. Protec>ng  App  Computa>on   21   Bryan  D.  Payne,  Director

     of  Security  Research   @bdpsecurity  

22. Unique  Cloud  App  Security  Concerns   •  Entropy  is  hard

     to  come  by   •  Be  careful  with  reusing  images   •  Rapid,  code-­‐driven  deployment   – Keys  stored  inside  your  app,  be  careful   •  Data  persistence  is  tricky   22   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity  

23. Key  Points   •  Custom  security  is  always  hard  

    •  The  right  IaaS  plamorm  can  help   •  Follow  the  community   •  Cloud  isn’t  Legacy   23   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity  

24. PUTTING  IT  ALL  TOGETHER   24   Bryan  D.  Payne,

     Director  of  Security  Research   @bdpsecurity  

25. Cloud  Provider  Is  Key   •  Understand  what  you  need

      •  Get  the  security  you  need  at  this  level   •  Don’t  do  this  yourself   25   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity   Protec>ng?   Risk  tolerance?   Threats?   AGack  surface?  

26. Cloud  App  Security  is  Specialized   •  Unique  security  concerns

      •  Get  expert  help,  if  needed   26   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity   Protec>ng?   Risk  tolerance?   Threats?   AGack  surface?  

27. Trends  to  Watch  For   •  OpenStack  Security  Group  

    •  Cloud  AGesta>on   •  AGack  Surface  Research   27   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity   hGps://launchpad.net/~openstack-­‐ossg   hGps://cloudsecurityalliance.org/research/big-­‐data/   hGp://wiki.openstack.org/OpenAGesta>on   hGp://code.google.com/p/vmitools/  

28. 28   Bryan  D.  Payne     [email protected]    

    @bdpsecurity   h5p://www.bryanpayne.org