Question: What security concerns are most important to you regarding public cloud computing? (Multiple Choice)
• Enterprise security tools don't work in the cloud
• Provider access to guest servers
• Achieving compliance with PCI or other standards
• Multi-tenancy of infrastructure or applications
• Lack of perimeter defenses and/or network control
Chart values: 26%, 40%, 44%
Source: CloudPassage CloudSec Community Survey
assume responsibility and management of, but not limited to, the guest operating system... and associated application software...”
“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Amazon Web Services: Overview of Security Processes
EC2 Shared Responsibility Model
Customer Responsibility / Provider Responsibility
Diagram layers: Physical Facilities, Hypervisor, Compute & Storage, Shared Network, Virtual Machine, Data, App Code, App Framework, Operating System
or custom-developed tools
• Commercial Tool
• My provider does it for me
• Amazon Security Group
• We're not securing our cloud servers
Source: CloudPassage CloudSec Community Survey
Question: How do you secure your cloud servers today?
(you don’t own everything)
– The only thing you can count on is guest VM ownership
• Elasticity (not all servers are steady-state)
– Cloud-bursting, stale servers, dynamic provisioning
• Scalability (handle variable workloads)
– May have one dev server or 1,000 number-crunchers
• Portability (same controls must work anywhere)
– Nobody wants multiple tools or IaaS provider lock-in
Provider
Diagram layers: Physical Facilities, Hypervisor, Compute & Storage, Shared Network, Virtual Machine, Data, App Code, App Framework, Operating System
The VM is the Unit of Control
Diagram labels: App Code, App Framework, OS, FW, FW
• Add host-based firewalls (inbound and outbound)
• Secure the OS services and configurations
• Ensure application stacks are up-to-date and locked down
• Continuously verify application code is current and un-tampered
• Track sensitive data and prevent egress
How To Secure Cloud Servers
Servers in hybrid and public clouds must be self-defending with highly automated controls like…
package security
• Server account visibility & control
• Server compromise & intrusion alerting
• Server forensics and security analytics
• Integration & automation capabilities
cloud in your org…
• Cloud users often don’t understand security, and definitely don’t know their responsibility
• Cloud security is different, and hard
• The bad guys know this!
• Cloud has different points of control, leverage them!
running what, and where
• Read and understand what your provider does, and what you are responsible for
• Take extra precautions when moving servers outside your data center
• Start with public cloud, after that everything is easy!
• Focus on securing what you control
Server Configurations
• Server account Management
• Compromise & intrusion alerting
• Security & compliance auditing
• Vulnerability Management
Security for virtual servers running in public and private clouds
✓ Cloud adoption without fear
✓ Faster and easier compliance
✓ Repel attacks on your servers
✓ Free Basic version, 5 minutes setup