Beyond the Hype: Understanding Cloud Security by Bryan D. Payne
DESCRIPTION
Nebula Director of Security Research Bryan D. Payne explains why the cloud requires a different approach to application-level security at Cloud Computing Expo Santa Clara 2012.
TRANSCRIPT
Bryan D. Payne
Beyond the Hype: Understanding Cloud Security for Your Application
To the cloud!
Learn all about cloud
Security concerns
This is hard!
Bryan D. Payne, Director of Security Research @bdpsecurity
Attackers?
Where is my data?
Cloud provider
Other cloud tenants
Trust guest network?
How to access my instances?
Is there a right way?
My security policies?
Etc…
Computer Security: What We Know
Better vs. Worse:
• Design for security from the start vs. Retrofit security when it’s important
• Understand your threats vs. Just make it secure
• Understand your goals vs. Seriously, just add some security
• Pervasive security culture vs. That paranoid guy has it under control
Security Requires A Good Foundation
Security Needs System-Level Thinking
Example: Gene Sequence Analysis
• Variable workload
• Sensitive patient data
• Regulatory compliance
• Computational integrity
• Multiple tenants
• Billing
4 SECURITY QUESTIONS
1. What are you protecting?
• Data
• Computation
• CIA
– Confidentiality
– Integrity
– Availability
2. What is your risk tolerance?
• Mindset
• Budget
• Repercussions
3. What are your threats?
• Adware
• Botnets
• Spyware
• Corporate espionage
• Nation state attacks
• Curious neighbor
4. What is your attack surface?
• Network architecture
• Cloud provider
• Software config
• API usage
• Users / admins
CLOUD SECURITY
Public or Private (or Hybrid)?
Weigh the choice along the four questions (protect, threats, risk, surface):
• Inside / outside firewall
• Hardware / software control
• Policy / regulation: allow public?
• Professional management
• Can’t choose your neighbors
• Physical control
• Insight into software stack
• APIs available on the Internet
• Architectural specificity
What IaaS Provider?
Evaluate the provider along the four questions (protect / threats / risk / surface).
Key Points
• Get IaaS-layer security from provider
• Choose wisely, based on your needs
CLOUD APPLICATION SECURITY
What Does Your App Look Like?
Access to App: Who and How?
Other cloud tenants (e.g., guest network)
Cloud admin
Protecting App Data
Protecting App Computation
Unique Cloud App Security Concerns
• Entropy is hard to come by
• Be careful with reusing images
• Rapid, code-driven deployment
– Keys stored inside your app, be careful
• Data persistence is tricky
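The image-reuse and keys-inside-your-app concerns above can be turned into a pre-publish check. The following is an added example, not the speaker's code: it walks an image root, flags secret-shaped strings (the documented AWS access-key-id format plus two generic heuristics that are assumptions to tune per application) and per-instance state that must be regenerated rather than cloned (SSH host keys, machine-id, shell history, cloud-init instance data), and reads the Linux kernel's entropy estimate for the entropy concern. The sample image tree is constructed in a temporary directory; `AKIAIOSFODNN7EXAMPLE` is the example id from AWS documentation, not a live credential.

```python
"""Image-hygiene check for a cloud application image (added example).

Finds secrets and per-instance state baked into an image tree before the
image is published or reused. Sample contents are constructed."""
import re
import tempfile
from pathlib import Path

# Secret shapes that code-driven deployment tends to bake into images.
# AKIA + 16 uppercase/digits is the public AWS access-key-id format; the
# other two are generic heuristics (assumptions; tune them per application).
SECRET_PATTERNS = {
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|secret)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
}

# Per-instance state that must be regenerated, not cloned, when an image
# is reused (paths relative to the image root).
PER_INSTANCE_FILES = [
    "etc/ssh/ssh_host_rsa_key",
    "etc/ssh/ssh_host_ecdsa_key",
    "etc/ssh/ssh_host_ed25519_key",
    "etc/machine-id",
    "root/.bash_history",
    "var/lib/cloud/instances",
]


def scan_image(root):
    """Return sorted (finding_type, relative_path) pairs for an image tree."""
    root = Path(root)
    findings = []
    for rel in PER_INSTANCE_FILES:
        if (root / rel).exists():
            findings.append(("per_instance_state", rel))
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable special file: skip rather than abort
        rel = path.relative_to(root).as_posix()
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append((name, rel))
    return sorted(findings)


def entropy_available(proc_path="/proc/sys/kernel/random/entropy_avail"):
    """Kernel entropy estimate in bits on Linux, or None where unavailable.

    Fresh instances can boot with a nearly empty pool, so long-lived keys
    should be generated on the instance with os.urandom/secrets after boot,
    never derived from a seed baked into the image."""
    try:
        return int(Path(proc_path).read_text().strip())
    except (OSError, ValueError):
        return None


def build_sample_image():
    """Constructed fake image root in a temp dir (not a real image)."""
    root = Path(tempfile.mkdtemp(prefix="img-"))
    (root / "opt/app").mkdir(parents=True)
    (root / "etc/ssh").mkdir(parents=True)
    (root / "root").mkdir()
    (root / "opt/app/config.py").write_text(
        'DB_URL = "postgres://app@db/app"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'  # AWS docs example id
        'API_SECRET = "constructed-secret-value"\n')
    (root / "opt/app/main.py").write_text("print('hello')\n")
    (root / "etc/ssh/ssh_host_ed25519_key").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "constructed placeholder, not key material\n"
        "-----END OPENSSH PRIVATE KEY-----\n")
    (root / "root/.bash_history").write_text(
        "ssh -i deploy.pem admin@10.0.0.5\n")
    return root


if __name__ == "__main__":
    for kind, where in scan_image(build_sample_image()):
        print(f"{kind:20s} {where}")
    print("entropy_avail:", entropy_available())
```

Run it against a mounted or extracted image root instead of `build_sample_image()` to gate an image-publish step; a non-empty finding list is the signal to move the secret into an injected-at-boot channel and to wipe the per-instance files before snapshotting.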
Key Points
• Custom security is always hard
• The right IaaS platform can help
• Follow the community
• Cloud isn’t Legacy
PUTTING IT ALL TOGETHER
Cloud Provider Is Key
• Understand what you need
• Get the security you need at this level
• Don’t do this yourself
Protecting? Risk tolerance? Threats? Attack surface?
Cloud App Security is Specialized
• Unique security concerns
• Get expert help, if needed
Protecting? Risk tolerance? Threats? Attack surface?
Trends to Watch For
• OpenStack Security Group
• Cloud Attestation
• Attack Surface Research
https://launchpad.net/~openstack-ossg
https://cloudsecurityalliance.org/research/big-data/
http://wiki.openstack.org/OpenAttestation
http://code.google.com/p/vmitools/