Beyond the Hype: Understanding Cloud Security for Your Application

938bca9547ba1cac3e69d80efd67fe6b?s=47 Bryan Payne
November 07, 2012

Beyond the Hype: Understanding Cloud Security for Your Application

International Cloud Computing Expo, November 2012

938bca9547ba1cac3e69d80efd67fe6b?s=128

Bryan Payne

November 07, 2012
Tweet

Transcript

  1. Bryan  D.  Payne   Beyond  the  Hype:  Understanding  Cloud  

    Security  for  Your  Applica>on  
  2. 2   To  the   cloud!   Learn  all  

    about  cloud   Security   concerns   This  is   hard!   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity  
  3. AGackers?   Where  is   my  data?   3  

    Cloud   provider   Other  cloud   tenants   Trust  guest   network?   How  to  access   my  instances?   Is  there  a   right  way?   My   security   policies?   Etc…   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity  
  4. Computer  Security:  What  We  Know   Be#er   Worse  

    Design  for  security  from  the  start   Retrofit  security  when  it’s  important   Understand  your  threats   Just  make  it  secure   Understand  your  goals   Seriously,  just  add  some  security   Pervasive  security  culture   That  paranoid  guy  has  it  under  control   4   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity  
  5. Security  Requires  A  Good  Founda>on   5   Bryan  D.

     Payne,  Director  of  Security  Research   @bdpsecurity  
  6. Security  Needs  System-­‐Level  Thinking   6   Bryan  D.  Payne,

     Director  of  Security  Research   @bdpsecurity  
  7. Example:  Gene  Sequence  Analysis   •  Variable  workload   • 

    Sensi>ve  pa>ent  data   •  Regulatory  compliance   •  Computa>onal  integrity   •  Mul>ple  tenants   •  Billing   7   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity   +  
  8. 4  SECURITY  QUESTIONS   8   Bryan  D.  Payne,  Director

     of  Security  Research   @bdpsecurity  
  9. 1.  What  are  you  protec>ng?   •  Data   • 

    Computa>on   •  CIA   – Confiden>ality   – Integrity   – Availability   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity   9  
  10. 2.  What  is  your  risk  tolerance?   10   Bryan

     D.  Payne,  Director  of  Security  Research   @bdpsecurity   •  Mindset   •  Budget   •  Repercussions  
  11. 3.  What  are  your  threats?   11   Bryan  D.

     Payne,  Director  of  Security  Research   @bdpsecurity   •  Adware   •  Botnets   •  Spyware   •  Corporate  Espionage   •  Na>on  State  AGacks   •  Curious  Neighbor  
  12. 4.  What  is  your  aGack  surface?   12   Bryan

     D.  Payne,  Director  of  Security  Research   @bdpsecurity   •  Network  architecture   •  Cloud  provider   •  Soiware  config   •  API  Usage   •  Users  /  Admins    
  13. CLOUD  SECURITY   13   Bryan  D.  Payne,  Director  of

     Security  Research   @bdpsecurity  
  14. Public  or  Private  (or  Hybrid)?   14   Bryan  D.

     Payne,  Director  of  Security  Research   @bdpsecurity   protect   threats   risk   surface   Inside  /  Outside  Firewall   Hardware  /  soiware  control   Policy  /  regula>on  allow  public?   Professional  management   Can’t  choose  your  neighbors   Physical  control   Insight  into  soiware  stack   APIs  available  on  the  Internet   Architectural  specificity  
  15. What  IaaS  Provider?   15   Bryan  D.  Payne,  Director

     of  Security  Research   @bdpsecurity   protect   threats   risk   surface  
  16. Key  Points   •  Get  IaaS-­‐layer  security  from  provider  

    •  Choose  wisely,  based  on  your  needs   16   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity  
  17. CLOUD  APPLICATION  SECURITY   17   Bryan  D.  Payne,  Director

     of  Security  Research   @bdpsecurity  
  18. What  Does  Your  App  Look  Like?   18   Bryan

     D.  Payne,  Director  of  Security  Research   @bdpsecurity  
  19. Access  to  App:  Who  and  How?   19   Bryan

     D.  Payne,  Director  of  Security  Research   @bdpsecurity   Other  cloud  tenants  (e.g.,  guest  network)   Cloud  admin  
  20. Protec>ng  App  Data   20   Bryan  D.  Payne,  Director

     of  Security  Research   @bdpsecurity  
  21. Protec>ng  App  Computa>on   21   Bryan  D.  Payne,  Director

     of  Security  Research   @bdpsecurity  
  22. Unique  Cloud  App  Security  Concerns   •  Entropy  is  hard

     to  come  by   •  Be  careful  with  reusing  images   •  Rapid,  code-­‐driven  deployment   – Keys  stored  inside  your  app,  be  careful   •  Data  persistence  is  tricky   22   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity  
  23. Key  Points   •  Custom  security  is  always  hard  

    •  The  right  IaaS  plamorm  can  help   •  Follow  the  community   •  Cloud  isn’t  Legacy   23   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity  
  24. PUTTING  IT  ALL  TOGETHER   24   Bryan  D.  Payne,

     Director  of  Security  Research   @bdpsecurity  
  25. Cloud  Provider  Is  Key   •  Understand  what  you  need

      •  Get  the  security  you  need  at  this  level   •  Don’t  do  this  yourself   25   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity   Protec>ng?   Risk  tolerance?   Threats?   AGack  surface?  
  26. Cloud  App  Security  is  Specialized   •  Unique  security  concerns

      •  Get  expert  help,  if  needed   26   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity   Protec>ng?   Risk  tolerance?   Threats?   AGack  surface?  
  27. Trends  to  Watch  For   •  OpenStack  Security  Group  

    •  Cloud  AGesta>on   •  AGack  Surface  Research   27   Bryan  D.  Payne,  Director  of  Security  Research   @bdpsecurity   hGps://launchpad.net/~openstack-­‐ossg   hGps://cloudsecurityalliance.org/research/big-­‐data/   hGp://wiki.openstack.org/OpenAGesta>on   hGp://code.google.com/p/vmitools/  
  28. 28   Bryan  D.  Payne     bryan.payne@nebula.com    

    @bdpsecurity   h5p://www.bryanpayne.org