Why The Cloud Changes Everything
BayThreat 2011: Building Security
Rand Wacker, @randwacker
© 2011 CloudPassage Inc.

Uploaded by cloudpassage; posted 20-Aug-2015

TRANSCRIPT

How I Learned to Stop Worrying and Get DevOps to Love Security

whoami

Rand Wacker, @randwacker, [email protected]

Experience (Security / Cloud):
UC Berkeley ✘ ✘
Oracle ✘
Amazon ✘
Sendmail …
IronPort ✘
Cisco ✘
CloudPassage ✘ ✘

Slides available tonight on community.cloudpassage.com

Agenda

1. Who is in the cloud

2. Who secures the cloud

3. Why cloud security is different

4. How to approach the cloud

5. Suggestions and best practices

Cloud Operators Are Different

What is running in the cloud?

Development
Who: App-dev shops, integrators, enterprise business units
Why: Fast, cheap, agile
Risks: Code stolen or hacked, live data theft

Permanent Application Hosting
Who: SaaS providers, social media, gaming
Why: Scalable, elastic, ties costs to growth
Risks: Compliance, data theft, operational disruption

Temporary Workloads
Who: Big data, social, retail, life-sci, media
Why: Agility, speed, scale, “lease the spikes”
Risks: Intellectual property theft

Who is running in the cloud?
IT server admins, big data analysts

Survey: Cloud Security Concerns (multiple choice)

We have no security concerns                          16%
Enterprise security tools don't work in the cloud     23%
Provider access to guest servers                      24%
Achieving compliance with PCI or other standards      26%
Multi-tenancy of infrastructure or applications       40%
Lack of perimeter defenses and/or network control     44%

Source: CloudPassage CloudSec Community Survey
Question: What security concerns are most important to you regarding public cloud computing?

“We didn’t think we had cloud servers. Then we checked our developers’ expense reports for AWS...”
– CISO, Fortune 500 (name withheld upon request)

Cloud Responsibility, Not So Different

Shared Responsibility Model

“…the customer should assume responsibility and management of, but not limited to, the guest operating system... and associated application software...”

“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Amazon Web Services: Overview of Security Processes

EC2 Shared Responsibility Model

Customer responsibility (the Virtual Machine and everything inside it):
  Data
  App Code
  App Framework
  Operating System

Provider responsibility:
  Shared Network
  Compute & Storage
  Hypervisor
  Physical Facilities

Delineation of Responsibility

Each service model exposes the same stack (bottom to top): Facility, Network, Compute & Storage, Hypervisor, Operating System, Solution Stack, Application, with the customer-facing Interface on top. Each layer is marked on the slide as either customer responsibility or provider responsibility.

                      IaaS                 PaaS               SaaS
Client segregation:   Virtual/Hypervisor   File Permissions   None (Client ID in DB)

Application of Security in IaaS

Customer-controlled layers: Application Logic, API / GUI, App Framework / App stack, Virtual Machine / OS
Provider-controlled layers: Hypervisor, Compute, Storage, Physical Network, Physical Facilities

Security controls placed across those layers on the slide (some appear at more than one layer):
Physical, Secure Development Lifecycle, File/Record Access Control, Auditing/Pen Testing, SIEM, Encryption, Architecture/Design, NIDS/NIPS, Packet Filtering, Proxy/Middleware, Configuration Lockdown, HIDS/HIPS, Authentication, Forensics, NAC, DLP, Application Whitelisting, Anti-Virus, Virtual Network, Patching

Survey: Cloud Security Practices

• Wrote my own automation tools
• Commercial tool
• Open source or custom tool
• Amazon Security Group
• We're not securing our cloud servers
• Manually, using a checklist
• My provider does it for me

Source: CloudPassage CloudSec Community Survey
Question: How do you secure your cloud servers today?

Cloud Risk is Different

What’s So Different?

(Diagram: a private datacenter next to a public cloud, with cloud servers www-1 through www-10 multiplying as the slide builds.)

• Servers used to be highly isolated
  – Bad guys clearly on the outside
  – Layers of perimeter security
  – Poor configurations were tolerable

• Cloud servers more exposed
  – Outside of perimeter protections
  – Little network control or visibility
  – No idea who’s next door

• Sprawling, multiplying exposures
  – Rapidly growing attack surface area
  – More servers = more vulnerabilities
  – More servers ≠ more people

• Fraudsters target cloud servers
  – Softer targets to penetrate
  – No perimeter defenses to thwart
  – Elasticity = more botnet to sell

Survey: OS Running in the Cloud

Categories: BSD, Linux, Windows and Linux, Windows
Running Linux: 78%
Running Windows: 55%

Source: CloudPassage CloudSec Community Survey
Question: Which operating systems do you run on your cloud servers?

Cloud Security Approach

How To Secure Cloud Servers

Servers in hybrid and public clouds must be self-defending with highly automated controls like…
• Dynamic network access control
• Configuration and package security
• Server account visibility & control
• Server compromise & intrusion alerting
• Server forensics and security analytics
• Integration & automation capabilities
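As an added illustration (not from the talk and not CloudPassage's product) of two of those controls running inside the guest VM, account visibility and configuration security: a Python self-check over a constructed /etc/passwd snapshot and constructed config-file baseline hashes. The allowlist, file contents and baseline hashes are assumptions made up for the example.

```python
import hashlib

# Constructed /etc/passwd snapshot from a cloud server (sample data for this example).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/bash
support:x:1001:1001::/home/support:/bin/sh
"""
# Assumed policy: only these accounts may keep an interactive shell on this image.
ALLOWED_LOGINS = {"root", "deploy"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Constructed current config contents and the baseline hashes recorded at image build time.
CONFIG_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": "deploy ALL=(ALL) NOPASSWD: ALL\n",
}
BASELINE = {
    "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\nPasswordAuthentication no\n").hexdigest(),
    "/etc/sudoers": hashlib.sha256(b"%sudo ALL=(ALL) ALL\n").hexdigest(),
    "/etc/hosts.allow": hashlib.sha256(b"sshd: 10.0.0.0/8\n").hexdigest(),
}

def account_alerts(passwd_text, allowed=ALLOWED_LOGINS):
    """Account visibility: flag interactive accounts outside the allowlist and extra UID-0 accounts."""
    alerts = []
    for line in passwd_text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if shell not in NOLOGIN_SHELLS and name not in allowed:
            alerts.append(f"unexpected interactive account: {name} ({shell})")
        if uid == "0" and name != "root":
            alerts.append(f"extra UID 0 account: {name}")
    return alerts

def config_alerts(files, baseline):
    """Configuration security: report files whose hash drifted from baseline or that are missing."""
    alerts = []
    for path, expected in baseline.items():
        if path not in files:
            alerts.append(f"missing: {path}")
        elif hashlib.sha256(files[path].encode()).hexdigest() != expected:
            alerts.append(f"drift: {path}")
    return alerts

def self_check(passwd_text=PASSWD, files=CONFIG_FILES, baseline=BASELINE):
    """Run both checks; a host agent would forward this list to the intrusion-alerting pipeline."""
    return account_alerts(passwd_text) + config_alerts(files, baseline)
```

Run `self_check()` to get the five alerts for the constructed data: two for the rogue UID 0 account, one for the unexpected interactive account, one sudoers drift and one missing file.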

Architectural Challenges

• Inconsistent Control (you don’t own everything)
  – The only thing you can count on is guest VM ownership
• Elasticity (not all servers are steady-state)
  – Cloudbursting, stale servers, dynamic provisioning
• Scalability (handle variable workloads)
  – May have one dev server or 1,000 number-crunchers
• Portability (same controls work anywhere)
  – Nobody wants multiple tools or IaaS provider lock-in

Portable = “Works Anywhere”

Public Cloud, Hybrid Cloud, Private Cloud, Traditional Hardware: which is hardest to solve?

Problem: How can we secure large-scale, dynamic application stacks across clouds we probably don’t control?

Proposal: Highly automated, scalable, elastic security at the guest VM level.

The VM is the Unit of Control

Controlled by hosting-user: Virtual Machine (Data, App Code, App Framework, Operating System)
Controlled by hosting-provider: Shared Network, Compute & Storage, Hypervisor, Physical Facilities

The VM is the Unit of Scale

(Diagram: the same provider stack of Physical Facilities, Hypervisor, Compute & Storage and Shared Network, with multiple identical Virtual Machines, each containing Data, App Code, App Framework and Operating System, scaled out on top of it.)

The VM is the Unit of Portability

(Diagram: two identical stacks side by side, Private Cloud and IaaS Provider, each with Physical Facilities, Hypervisor, Compute & Storage and Shared Network underneath a Virtual Machine containing Data, App Code, App Framework and Operating System; the same VM runs on either.)

Thesis

In cloud environments, the intersection of control, portability & scale is almost always the guest virtual machine.

Haven’t We Dealt With This Before?

Déjà vu – Laptops as a Model

• We’ve dealt with securing portable assets in the past
• Security needed to change from being network-based to host-based
• Expect similar to occur with cloud
• Dynamic shared resources mean host-based technology must be reworked prior to use

Security Hamster Sine Wave of Pain
Used with permission, and extended thanks to Andy Jaquith

In Closing

Summary
• There are people using cloud in your org…
• Cloud users often don’t understand security, and definitely don’t know their responsibility
• Cloud security is different, and hard
• The bad guys know this!
• Cloud has different points of control, leverage them!

Best Practices
• Know who is running what, and where
• Read and understand what your provider does, and what you are responsible for
• Take extra precautions when moving servers outside your data center
• Start with public cloud, after that everything is easy!
• Focus on securing what you control

Wrapping Up
• Continue the discussion
  – Slides available: community.cloudpassage.com
• Contact me
  – Email: [email protected]
  – Twitter: @randwacker
• We’re hiring! Expert in Security and/or Cloud?
  – Email: [email protected]

Thank You

What does CloudPassage do?

Security for virtual servers running in public and private clouds:
• Firewall Management
• Server Configurations
• Server Account Management
• Compromise & intrusion alerting
• Security & compliance auditing
• Vulnerability Management

Cloud adoption without fear. Faster and easier compliance. Repel attacks on your servers. Free Basic version, 5 minutes setup.