Automating Security for the Cloud - Make it easy, make it safe

Upload: cloudpassage
Post on 15-Jul-2015

TRANSCRIPT

© 2012 CloudPassage Inc.

Automating Security for the Cloud
Make it easy, make it safe.
Rand Wacker, [email protected], @randwacker
We're Hiring!

whoami

Background, marked by area (Security / Cloud):
• UC Berkeley ✘ ✘
• Oracle ✘
• Amazon ✘
• IronPort/ScanSafe ✘ ✘
• Cisco ✘
• CloudPassage ✘ ✘

Rand Wacker, @randwacker, [email protected]
Slides available soon on community.cloudpassage.com

DevOps and Security
Big Data Analysts

Shared Responsibility Model

"…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software..."

"…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management."

Source: Amazon Web Services: Overview of Security Processes

[Diagram: EC2 Shared Responsibility Model. Provider responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network. Customer responsibility: Virtual Machine, Operating System, App Framework, App Code, Data.]

Survey: Cloud Security Practices

Question: How do you secure your cloud servers today?

[Chart of responses; the answer options shown were:]
• Open source or custom-developed tools
• Commercial Tool
• My provider does it for me
• Amazon Security Group
• We're not securing our cloud servers

Source: CloudPassage CloudSec Community Survey

Cloud Security Challenges

[Diagram: servers www-1 to www-3 in a Private Datacenter, www-4 to www-6 in Cloud Provider A, www-7 to www-10 in Cloud Provider B]
• Temporary & Dynamic Deployments
• Multiple Cloud Environments
• Metered Usage

The Alfred E Newman Guide to Easy Cloud Security

Firewalling in the Cloud: Beyond Simple Security Groups

Traditional DC Protection

[Diagram: a DMZ holding load balancers and app servers and a core holding an auth server and databases, each tier fronted by its own Firewall]

Moving to the Cloud

[Diagram, two slides: the same load balancers, app servers, auth server and databases are lifted out of the firewalled DMZ/core layout and placed in a public cloud, leaving the Firewalls behind]

Cloud Servers at Risk

[Diagram: public cloud with a Load Balancer, two App Servers and a DB Master, with no firewall between them]

Firewalling in the Cloud

[Diagram sequence, four slides: each server in the public cloud (Load Balancer, App Servers, DB Master) gets its own Halo FW; the deployment then grows with a second Load Balancer, a third App Server and a DB Slave, each with a Halo FW; finally a new App Server, labelled only by its IP, appears alongside the firewalled servers]

Multi-Cloud Firewalling

[Diagram, two slides: App Servers and DBs spread across US West Cloud, US East Cloud and a Private Datacenter, each server with its own Halo FW; a conventional Firewall also appears in the Private Datacenter]

Lessons to Learn

• Whatever firewall options you have, use them
• Make sure your firewall rules are updated quickly
• Plan for the future, because you will be multi-cloud

Controlling Access to Your Cloud Servers: Solving the Contractor Problem

Meet Jed the Web Designer

• Jed is highly mobile
• Jed still uses FTP
• You hired Jed for design skills, not technical acumen
• How do you avoid Jed's FTP access becoming a gaping hole in your server?

WRONG WAY: Open Access

[Diagram, two slides: the Web Server with ftp exposed]

Manual Options - PITA

• MANUALLY turn FTP server on and off when Jed needs access?
• MANUALLY activate and deactivate account for Jed when he needs access?
• MANUALLY change firewall rules when Jed needs access?
• MANUALLY make Jed's transfer for him?

Halo Multi-Factor Cloud Auth

• Prevent brute force attacks on SSH and web applications
• YubiKey-generated one-time password
• No batteries or moving parts

Using Multi-Factor Auth

[Diagram sequence, four slides: the Web Server and DB Server each sit behind a Halo FW; the one-time password is checked against the CloudPassage Halo Grid over https, and the Halo FW on the server is updated for that user]

REMEMBER: Delete Jed!!!

[Diagram: the CloudPassage Halo Grid, reached through the User Portal and the RESTful API Gateway over https, and the DB Server behind its Halo FW]
• Remove GhostPorts Access, Local Server Accounts
• De-provision Jed

Lessons to Learn

• You may behave securely, but does everyone who works for you?
• Security that complicates daily tasks will be circumvented
• Make sure to clean up after others

Automation will set you free, America…
(Apologies to Alton Brown)

Automatable Security Tasks

• Scan for recent vulnerabilities of installed software packages.
• Verify firewall rules match policy.
• Alert administrators of a missing server.
• Get a report of every server that a user *does not* have an account on.
• Get a report of every server that a user has an account on.
• Get alerted if a new cloud server gets created.
• Monitor for unauthorized/unexpected changes to application code files.
• Make sure that init.d startup scripts can't be tampered with by non-root users.
• Find server accounts that don't have passwords (it happens).

Many, many more at community.cloudpassage.com
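Two of the tasks in that list (accounts with no password, and init.d scripts writable by non-root users) as an added POSIX shell example; this is not CloudPassage or Halo code. The functions take file paths as arguments, and the shadow file and init.d directory they run against here are constructed samples with placeholder hashes.

```shell
#!/bin/sh
# Added example (not CloudPassage/Halo code): two of the "automatable security
# tasks" above as POSIX shell checks. Each takes a path argument, so it runs
# against the constructed sample below and can also be pointed, as root, at a
# real /etc/shadow and /etc/init.d.

# Accounts whose password field is empty: no password at all, as opposed
# to a locked account whose field holds "!" or "*".
find_passwordless_accounts() {
    # $1: shadow-format file (name:hash:lastchg:min:max:warn:inactive:expire:)
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Startup scripts a non-root user could edit: group- or world-writable files.
# Ownership should be root as well, but that check is left out so the sample,
# created by an unprivileged user, still runs as written.
find_tamperable_initd() {
    # $1: init.d directory
    find "$1" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Build a constructed sample tree under a temp dir and print its path.
# The hashes are placeholders, not real password hashes.
build_sample() {
    dir=$(mktemp -d)
    printf 'root:$6$salt$hash:15900:0:99999:7:::\n' >  "$dir/shadow"
    printf 'jed::15900:0:99999:7:::\n'              >> "$dir/shadow"  # no password
    printf 'svc:*:15900:0:99999:7:::\n'             >> "$dir/shadow"  # locked
    mkdir "$dir/init.d"
    printf '#!/bin/sh\n' > "$dir/init.d/sshd"; chmod 755 "$dir/init.d/sshd"
    printf '#!/bin/sh\n' > "$dir/init.d/ftpd"; chmod 777 "$dir/init.d/ftpd"  # tamperable
    echo "$dir"
}

# Run both checks; exit status 1 if anything was flagged, so the script can
# gate a deployment step or raise an alert from cron.
audit() {
    shadow="$1"; initd="$2"; rc=0
    for u in $(find_passwordless_accounts "$shadow"); do
        echo "ALERT: account without password: $u"; rc=1
    done
    for f in $(find_tamperable_initd "$initd"); do
        echo "ALERT: startup script writable by non-root: $f"; rc=1
    done
    return $rc
}

sample=$(build_sample)
audit "$sample/shadow" "$sample/init.d" || echo "audit flagged issues (see ALERT lines)"
```

Against the sample, the audit reports the passwordless account jed and the world-writable ftpd script and exits non-zero; sshd (mode 755) and the locked svc account are not flagged.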

The Secure, Automated Cloud

Wrapping Up

Moral of the Story

• Security of your cloud servers is your responsibility
• Security risks in the cloud are real (just check your logs)
• Security automation isn't just a best practice, it makes your life easier

How To Secure Cloud Servers

Servers in hybrid and public clouds must be self-defending with highly automated controls like…
• Dynamic firewall & access control
• Configuration and package security
• Server account visibility & control
• Server compromise & intrusion alerting
• Server forensics and security analytics
• Integration & automation capabilities

Try Halo FREE - 5 Minute Setup

• Register for Halo at cloudpassage.com/register
• Configure security policies in Halo web portal
• Install Halo daemons on cloud servers

In Closing

• CloudPassage Installfest March 28th!
– Helpful cloud security advice! Pizza! Beer!
– Free tickets: cloudpassage.eventbrite.com
• Ask Questions!
– Lots More Info: community.cloudpassage.com
– Small Bits of Info: @cloudpassage
• We're hiring!
– Expert in Security and/or Cloud? DevOps, Rails, UX, Freemium Marketing
– Email: [email protected]

Thank You!

Rand Wacker
[email protected]
@randwacker

What does CloudPassage do?

Security for virtual servers running in public and private clouds
• Cloud adoption without fear
• Faster and easier compliance
• Repel attacks on your servers
• Free Basic version, 5 minutes setup

• Dynamic firewall management
• Configuration and vulnerability scanning
• Server access and privilege management
• Server & cloud event alerting
• Security & compliance auditing
• Server integrity & intrusion alerting

CloudPassage Halo Architecture

How It Works

• Halo Daemon
– Ultra light-weight software
– Installed on server image
– Automatically provisioned
• Halo Grid
– Elastic compute grid
– Hosted by CloudPassage
– Does the heavy lifting for the Halo Daemons

[Diagram: Halo Daemons on servers www-1 to www-4 connect over https to the CloudPassage Halo Grid (Compute Grid), which sends Policies, Commands and Reports to the daemons, produces Alerts, Reports and Trending, and is reached through a User Portal and a RESTful API Gateway, both over https]