Automating Security for the Cloud (Why We All Need To Care)

Security B-Sides SF 2012

CloudPassage

February 28, 2012
Transcript

  1. © 2012 CloudPassage Inc. Automating Security for the Cloud: Why we all need to care. Security B-Sides SF 2012. Rand Wacker, [email protected], @randwacker
  2. whoami: Rand Wacker (@randwacker, [email protected]). Security and cloud background across UC Berkeley, Oracle, Amazon, Sendmail, IronPort, Cisco and CloudPassage (slide shows a Security / Cloud checkbox grid for each). Slides available soon on community.cloudpassage.com
  3. Agenda
     1. Who Runs What in the Cloud
     2. Cloud Security Differences
     3. DevOps vs SecOps
     4. Making Everyone Happy
     5. The End
  4. Who is running in the cloud? IT, Server Admins, Big Data Analysts
  5. Who is running in the cloud? (same slide, build step) IT, Server Admins, Big Data Analysts
  6. What is running in the cloud?
     •  Development. Who: app-dev shops, integrators, enterprise business units. Why: fast, cheap, agile. Risks: code stolen or hacked, live data theft
     •  Permanent Application Hosting. Who: SaaS providers, social media, gaming. Why: scalable, elastic, ties costs to growth. Risks: compliance, data theft, operational disruption
     •  Temporary Workloads. Who: big data, social, retail, life sciences, media. Why: agility, speed, scale, "lease the spikes". Risks: intellectual property theft
  7. "We didn't think we had cloud servers. Then we checked our developers' expense reports for AWS..." – CISO, Fortune 500 (name withheld upon request)
  8. Cloud Security Is New (diagram: servers www-1 to www-4 in the private datacenter and again in the public cloud)
  9. Cloud Security Is Different (diagram: www-1 to www-4 in the private datacenter, with www-4 also running in the public cloud)
  10. Cloud Security Is Complex (diagram: www-1 to www-4 in the private datacenter, www-4 to www-10 spread across Cloud Provider A and Cloud Provider B)
  11. Security Products Aren't Adapting (diagram: www-1 to www-3 in the private datacenter, www-4 to www-6 at Cloud Provider A, www-7 to www-10 at Cloud Provider B). Drivers: temporary and elastic deployments, multiple cloud environments, metered usage
  12. Survey: Cloud Security Concerns. Question: What security concerns are most important to you regarding public cloud computing? (multiple choice). Concerns shown: enterprise security tools don't work in the cloud; provider access to guest servers; achieving compliance with PCI or other standards; multi-tenancy of infrastructure or applications; lack of perimeter defenses and/or network control. Response rates on the chart: 23%, 24%, 26%, 40%, 44%. Source: CloudPassage CloudSec Community Survey
  13. Shared Responsibility Model. "...the customer should assume responsibility and management of, but not limited to, the guest operating system... and associated application software..." "...it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management." (Amazon Web Services: Overview of Security Processes.) EC2 Shared Responsibility Model. Provider responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network. Customer responsibility: Virtual Machine, Data, App Code, App Framework, Operating System
  14. Application of Security in IaaS (matrix of controls by layer, split between customer and provider responsibility). Layers: Application Logic (API, GUI), App Framework / App stack, Virtual Machine/OS, Virtual Network, Hypervisor, Compute, Storage, Physical Network, Physical Facilities. Controls: Secure Development Lifecycle, File/Record Access Control, Auditing/Pen Testing, SIEM, Encryption, Architecture/Design, NIDS/NIPS, Packet Filtering, Proxy/Middleware, Configuration Lockdown, HIDS/HIPS, Authentication, Forensics, NAC, DLP, Application White Listing, Anti-Virus, Patching
  15. Survey: Cloud Security Practices. Question: How do you secure your cloud servers today? Answers: open source or custom-developed tools; commercial tool; my provider does it for me; Amazon Security Group; we're not securing our cloud servers. Source: CloudPassage CloudSec Community Survey
  16. Traditional DC Protection (diagram: two sites, each with a perimeter Firewall, a dmz holding Load Balancer, Auth Server and App Server, and a core holding the DB; callouts: Server Provisioning, Firewall Updates)
  17. Traditional DC Protection (same diagram; callout: Site Debugging)
  18. Moving to the Cloud (same two-site diagram)
  19. Moving to the Cloud (diagram: the Firewall / dmz / core layout left behind; Load Balancer, Auth Server, App Server and DB now in the public cloud)
  20. Protecting Cloud Servers (diagram: public cloud with a Load Balancer, two App Servers and a DB Master, each with its own FW)
  21. Protecting Cloud Servers (diagram: public cloud with two Load Balancers, three App Servers, DB Master and DB Slave, each with its own FW)
  22. Protecting Cloud Servers (same diagram; callout: App Server IP)
  23. Protecting Cloud Servers (same diagram with one App Server removed; callout: App Server IP)
  24. Cloud Security Challenges
     •  Inconsistent Control (you don't own everything)
        –  The only thing you can count on is guest VM ownership
     •  Elasticity (not all servers are steady-state)
        –  Cloud-bursting, stale servers, dynamic provisioning
     •  Scalability (handle variable workloads)
        –  May have one dev server or 1,000 number-crunchers
     •  Portability (same controls must work anywhere)
        –  Nobody wants multiple tools or IaaS provider lock-in
  25. The VM is the Unit of Control. Controlled by hosting-provider: Physical Facilities, Hypervisor, Compute & Storage, Shared Network. Controlled by hosting-user: Virtual Machine (Data, App Code, App Framework, Operating System)
  26. The VM is the Unit of Scale (diagram: two identical Virtual Machine stacks of Data, App Code, App Framework and Operating System on one set of provider layers: Physical Facilities, Hypervisor, Compute & Storage, Shared Network)
  27. The VM is the Unit of Portability (diagram: the same Virtual Machine stack shown once on a Private Cloud and once on an IaaS Provider, each with its own Physical Facilities, Hypervisor, Compute & Storage and Shared Network)
  28. Thesis: In cloud environments, the intersection of control, portability & scale is always the guest virtual machine.
  29. Secure the VM (Virtual Machine: Data, App Code, App Framework, OS, with FW on both the inbound and outbound side)
     •  Add host-based firewalls (inbound and outbound)
     •  Secure the OS services and configurations
     •  Ensure application stacks are up-to-date and locked down
     •  Continuously verify application code is current and un-tampered
     •  Track sensitive data and prevent egress
  30. Automate Policy Application: FULLY AUTOMATE (diagram: four identical secured VM stacks, each with its own FW)
  31. Separate Security Controls: DevOps vs SecOps (diagram: the secured VM stack labelled with DevOps and SecOps)
  32. How To Secure Cloud Servers. Servers in hybrid and public clouds must be self-defending with highly automated controls like...
     •  Dynamic network access control
     •  Configuration and package security
     •  Server account visibility & control
     •  Server compromise & intrusion alerting
     •  Server forensics and security analytics
     •  Integration & automation capabilities
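As an added example (not code from the deck or from CloudPassage's product), the Python below generates a default-deny inbound and outbound host-firewall rule set for every VM from a role inventory, following the Load Balancer / App Server / DB Master / DB Slave layout of slides 20-23 and the "secure the VM", "automate policy application" and "dynamic network access control" points of slides 29-32. The roles, ports and RFC 5737 addresses are constructed sample values; the rule strings are in iptables syntax but are only generated, not applied.

```python
# Added example, not from the deck: per-VM host-firewall rules generated from a
# role inventory and regenerated whenever servers come and go (elasticity).
# Who may talk to whom on which TCP port (LB -> App -> DB master -> DB slave).
POLICY = [
    ("any",       "lb",        443),   # internet to the load balancers
    ("lb",        "app",       8080),  # load balancers to the app servers
    ("app",       "db_master", 3306),  # app servers write to the master only
    ("db_master", "db_slave",  3306),  # master replicates to the slave
]

def host_rules(inventory, hostname):
    """Rules for one VM: default-deny both directions, allow only policy flows."""
    role = inventory[hostname]["role"]
    rules = ["-P INPUT DROP", "-P OUTPUT DROP",
             "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
             "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    peers = sorted(inventory.values(), key=lambda p: p["ip"])
    for src_role, dst_role, port in POLICY:
        if dst_role == role and src_role == "any":
            rules.append(f"-A INPUT -p tcp --dport {port} -j ACCEPT")
        elif dst_role == role:
            # inbound only from the peers that currently hold the source role
            rules += [f"-A INPUT -s {p['ip']} -p tcp --dport {port} -j ACCEPT"
                      for p in peers if p["role"] == src_role]
        if src_role == role:
            # outbound only to the peers that currently hold the destination role
            rules += [f"-A OUTPUT -d {p['ip']} -p tcp --dport {port} -j ACCEPT"
                      for p in peers if p["role"] == dst_role]
    return rules

def build_all(inventory):
    """Regenerate every VM's rule set; run this on each provisioning event."""
    return {h: host_rules(inventory, h) for h in inventory}

# Constructed inventory using RFC 5737 documentation addresses.
INVENTORY = {
    "lb-1":  {"role": "lb",        "ip": "203.0.113.10"},
    "app-1": {"role": "app",       "ip": "203.0.113.21"},
    "app-2": {"role": "app",       "ip": "203.0.113.22"},
    "db-m":  {"role": "db_master", "ip": "203.0.113.31"},
    "db-s":  {"role": "db_slave",  "ip": "203.0.113.32"},
}

if __name__ == "__main__":
    for host, rules in build_all(INVENTORY).items():
        print(host, *rules, sep="\n  ")
```

Because each VM's allow list is derived from the inventory rather than hand-edited, bursting a new app server into the pool changes the DB master's inbound rules on the next run without anyone touching a perimeter firewall.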
  33. Summary
     •  There are people using cloud in your org...
     •  Cloud users often don't understand security, and definitely don't know their responsibility
     •  Cloud security is different, and hard
     •  The bad guys know this!
     •  Cloud has different points of control, leverage them!
  34. Best Practices
     •  Know who is running what, and where
     •  Read and understand what your provider does, and what you are responsible for
     •  Take extra precautions when moving servers outside your data center
     •  Start with public cloud, after that everything is easy!
     •  Focus on securing what you control
  35. Wrapping Up
     •  Continue the discussion
        –  Slides available: community.cloudpassage.com
     •  Contact me
        –  Email: [email protected]
        –  Twitter: @randwacker
     •  We're hiring! Expert in Security and/or Cloud?
        –  Email: [email protected]
  36. What does CloudPassage do? Security for virtual servers running in public and private clouds: Firewall Management, Server Configurations, Server Account Management, Compromise & Intrusion Alerting, Security & Compliance Auditing, Vulnerability Management
     ✓ Cloud adoption without fear
     ✓ Faster and easier compliance
     ✓ Repel attacks on your servers
     ✓ Free Basic version, 5 minutes setup