© 2011 CloudPassage Inc.
Why The Cloud Changes Everything
BayThreat 2011: Building Security
Rand Wacker (@randwacker)
whoami (columns: Security / Cloud)
UC Berkeley ✘ ✘
Oracle ✘
Amazon ✘
Sendmail …
IronPort ✘
Cisco ✘
CloudPassage ✘ ✘
Rand Wacker (@randwacker)
Slides available tonight on community.cloudpassage.com
Agenda
1. Who is in the cloud
2. Who secures the cloud
3. Why cloud security is different
4. How to approach the cloud
5. Suggestions and best practices
What is running in the cloud?
Development
Who: App-dev shops, integrators, enterprise business units
Why: Fast, cheap, agile
Risks: Code stolen or hacked, live data theft
Permanent Application Hosting
Who: SaaS providers, social media, gaming
Why: Scalable, elastic, ties costs to growth
Risks: Compliance, data theft, operational disruption
Temporary Workloads
Who: Big data, social, retail, life-sci, media
Why: Agility, speed, scale, “lease the spikes”
Risks: Intellectual property theft
Survey: Cloud Security Concerns (multiple choice)
We have no security concerns: 16%
Enterprise security tools don't work in the cloud: 23%
Provider access to guest servers: 24%
Achieving compliance with PCI or other standards: 26%
Multi-tenancy of infrastructure or applications: 40%
Lack of perimeter defenses and/or network control: 44%
Source: CloudPassage CloudSec Community Survey
Question: What security concerns are most important to you regarding public cloud computing?
“We didn’t think we had cloud servers. Then we checked our developers’ expense reports for AWS...”
– CISO, Fortune 500 (name withheld upon request)
Shared Responsibility Model
“…the customer should assume responsibility and management of, but not limited to, the guest operating system… and associated application software...”
“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Amazon Web Services: Overview of Security Processes
EC2 Shared Responsibility Model
Customer responsibility: Data, App Code, App Framework, Operating System, Virtual Machine
Provider responsibility: Shared Network, Compute & Storage, Hypervisor, Physical Facilities
Delineation of Responsibility
Stack layers: Facility, Network, Compute & Storage, Operating System, Hypervisor, Solution Stack, Application
IaaS, PaaS and SaaS each place the customer/provider interface at a different point in this stack: everything below the interface is provider responsibility, everything above it is customer responsibility.
Client segregation: Virtual/Hypervisor (IaaS), File Permissions (PaaS), None (Client ID in DB) (SaaS)
Application of Security in IaaS
Layers (customer at the top, provider at the bottom): Application Logic, API / GUI, App Framework / App stack, Virtual Machine / OS, Hypervisor, Compute, Storage, Physical Network, Physical Facilities
Controls placed across these layers (some appear at more than one layer): Physical, Secure Development Lifecycle, File/Record Access Control, Auditing/Pen Testing, SIEM, Encryption, Architecture/Design, NIDS/NIPS, Packet Filtering, Proxy/Middleware, Configuration Lockdown, HIDS/HIPS, Authentication, Forensics, NAC, DLP, Application Whitelisting, Anti-Virus, Virtual Network, Patching
Survey: Cloud Security Practices
Wrote my own automation tools
Commercial tool
Open source or custom tool
Amazon Security Group
We're not securing our cloud servers
Manually, using a checklist
My provider does it for me
Source: CloudPassage CloudSec Community Survey
Question: How do you secure your cloud servers today?
What’s So Different?
(Diagram: private datacenter vs. public cloud, with servers www-1 through www-10 multiplying in the cloud.)
• Servers used to be highly isolated
– Bad guys clearly on the outside
– Layers of perimeter security
– Poor configurations were tolerable
• Cloud servers more exposed
– Outside of perimeter protections
– Little network control or visibility
– No idea who’s next door
• Sprawling, multiplying exposures
– Rapidly growing attack surface area
– More servers = more vulnerabilities
– More servers ≠ more people
• Fraudsters target cloud servers
– Softer targets to penetrate
– No perimeter defenses to thwart
– Elasticity = more botnet to sell
Survey: OS Running in the Cloud
Options: BSD, Linux, Windows and Linux, Windows
Headline figures: 78% / 55% (running Windows / running Linux; the two overlap because some respondents run both)
Source: CloudPassage CloudSec Community Survey
Question: Which operating systems do you run on your cloud servers?
How To Secure Cloud Servers
Servers in hybrid and public clouds must be self-defending with highly automated controls like…
Dynamic network access control
Configuration and package security
Server account visibility & control
Server compromise & intrusion alerting
Server forensics and security analytics
Integration & automation capabilities
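An added example of the kind of host-level, provider-independent control the slide calls for (this is not CloudPassage code): a guest VM audits its own accounts and installed packages against a baseline at provisioning time and reports findings. The /etc/passwd lines, the package list, and the allow/deny lists are all constructed assumptions.

```python
# Added example, not CloudPassage code: a guest-VM baseline check that runs the
# same way on any provider, covering two of the controls listed above
# (server account visibility and configuration/package security).

# Constructed sample /etc/passwd: a web VM plus a rogue UID-0 account ("toor").
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
toor:x:0:0:constructed rogue account:/root:/bin/bash
"""

# Constructed sample package inventory, one "name<TAB>version" per line
# (the shape `dpkg-query -W` prints).
SAMPLE_PACKAGES = "nginx\t1.0.5-1\nopenssh-server\t1:5.8p1-7\ntelnetd\t0.17-36\n"

# Baseline (assumed values): who may have a login shell, what must not be installed.
EXPECTED_INTERACTIVE = {"root", "deploy"}
BANNED_PACKAGES = {"telnetd", "rsh-server"}
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def audit_accounts(passwd_text):
    """Flag extra UID-0 accounts and unexpected interactive logins."""
    findings = []
    for line in passwd_text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append(("uid0", name))
        if shell not in NOLOGIN_SHELLS and name not in EXPECTED_INTERACTIVE:
            findings.append(("shell", name))
    return findings


def audit_packages(pkg_text):
    """Flag installed packages that the baseline forbids."""
    findings = []
    for line in pkg_text.splitlines():
        name, _version = line.split("\t", 1)
        if name in BANNED_PACKAGES:
            findings.append(("package", name))
    return findings


def baseline_report(passwd_text, pkg_text):
    """Combine the checks into the report a central console would collect."""
    findings = audit_accounts(passwd_text) + audit_packages(pkg_text)
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    print(baseline_report(SAMPLE_PASSWD, SAMPLE_PACKAGES))
```

Because the check reads only local state, the same script runs unchanged on a private-cloud VM or a public IaaS instance, which is the portability the talk argues for.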
Architectural Challenges
• Inconsistent Control (you don’t own everything)
– The only thing you can count on is guest VM ownership
• Elasticity (not all servers are steady-state)
– Cloudbursting, stale servers, dynamic provisioning
• Scalability (handle variable workloads)
– May have one dev server or 1,000 number-crunchers
• Portability (same controls work anywhere)
– Nobody wants multiple tools or IaaS provider lock-in
Portable = “Works Anywhere”
Public Cloud, Hybrid Cloud, Private Cloud, Traditional Hardware
Which is hardest to solve?
Problem: How can we secure large-scale, dynamic application stacks across clouds we probably don’t control?
Proposal: Highly automated, scalable, elastic security at the guest VM level.
The VM is the Unit of Control
Controlled by hosting user: Virtual Machine, Data, App Code, App Framework, Operating System
Controlled by hosting provider: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
The VM is the Unit of Scale
(Diagram: one provider stack of Physical Facilities, Hypervisor, Compute & Storage and Shared Network hosting multiple identical Virtual Machines, each carrying its own Data, App Code, App Framework and Operating System.)
The VM is the Unit of Portability
(Diagram: the same Virtual Machine stack of Data, App Code, App Framework and Operating System running unchanged on a Private Cloud and on an IaaS Provider, each with its own Physical Facilities, Hypervisor, Compute & Storage and Shared Network.)
Thesis
In cloud environments, the intersection of control, portability & scale is almost always the guest virtual machine.
Déjà vu – Laptops as a Model
• We’ve dealt with securing portable assets in the past
• Security needed to change from being network-based to host-based
• Expect the same shift to occur with the cloud
• Dynamic shared resources means host-based technology must be reworked prior to use
Summary
• There are people using cloud in your org…
• Cloud users often don’t understand security, and definitely don’t know their responsibility
• Cloud security is different, and hard
• The bad guys know this!
• Cloud has different points of control, leverage them!
Best Practices
• Know who is running what, and where
• Read and understand what your provider does, and what you are responsible for
• Take extra precautions when moving servers outside your data center
• Start with public cloud, after that everything is easy!
• Focus on securing what you control
Wrapping Up
• Continue the discussion
– Slides available: community.cloudpassage.com
• Contact me
– Email: [email protected]
– Twitter: @randwacker
• We’re hiring! Expert in Security and/or Cloud?
– Email: [email protected]
What does CloudPassage do?
Firewall Management
Server Configurations
Server account Management
Compromise & intrusion alerting
Security & compliance auditing
Vulnerability Management
Security for virtual servers running in public and private clouds
Cloud adoption without fear
Faster and easier compliance
Repel attacks on your servers
Free Basic version, 5 minutes setup