beyond the hype: understanding cloud security by bryan d. payne

Bryan D. Payne

Beyond the Hype: Understanding Cloud Security for Your Application

2

To the cloud!

Learn all about cloud

Security concerns

This is hard!

Bryan D. Payne, Director of Security Research@bdpsecurity

3

Attackers?

Where is my data?

Cloud provider

Other cloud tenants

Trust guest network?

How to access my instances?

Is there a right way?

My security policies?

Etc…


4

Computer Security: What We Know

Better Worse

Design for security from the start Retrofit security when it’s important

Understand your threats Just make it secure

Understand your goals Seriously, just add some security

Pervasive security culture That paranoid guy has it under control


5

Security Requires A Good Foundation


6

Security Needs System-Level Thinking


7

Example: Gene Sequence Analysis

• Variable workload• Sensitive patient data• Regulatory compliance• Computational integrity• Multiple tenants• Billing


+

4 SECURITY QUESTIONS


9

1. What are you protecting?

• Data• Computation

• CIA– Confidentiality– Integrity– Availability


10

2. What is your risk tolerance?


• Mindset• Budget• Repercussions

11

3. What are your threats?


• Adware• Botnets• Spyware• Corporate Espionage• Nation State Attacks• Curious Neighbor

12

4. What is your attack surface?


• Network architecture• Cloud provider• Software config• API Usage• Users / Admins

CLOUD SECURITY


14

Public or Private (or Hybrid)?


protect

threats

risk

surface

Inside / Outside FirewallHardware / software control

Policy / regulation allow public?Professional managementCan’t choose your neighbors

Physical controlInsight into software stack

APIs available on the InternetArchitectural specificity

15

What IaaS Provider?


protect

threats

risk

surface

16

Key Points

• Get IaaS-layer security from provider

• Choose wisely, based on your needs


CLOUD APPLICATION SECURITY


18

What Does Your App Look Like?


19

Access to App: Who and How?


Other cloud tenants (e.g., guest network)

Cloud admin

20

Protecting App Data


21

Protecting App Computation


22

Unique Cloud App Security Concerns

• Entropy is hard to come by• Be careful with reusing images• Rapid, code-driven deployment– Keys stored inside your app, be careful

• Data persistence is tricky


23

Key Points• Custom security is always hard

• The right IaaS platform can help

• Follow the community

• Cloud isn’t Legacy


PUTTING IT ALL TOGETHER


25

Cloud Provider Is Key

• Understand what you need

• Get the security you need at this level

• Don’t do this yourself


Protecting? Risk tolerance? Threats? Attack surface?

26

Cloud App Security is Specialized

• Unique security concerns

• Get expert help, if needed


Protecting? Risk tolerance? Threats? Attack surface?

27

Trends to Watch For

• OpenStack Security Group

• Cloud Attestation

• Attack Surface Research


https://launchpad.net/~openstack-ossg

https://cloudsecurityalliance.org/research/big-data/

http://wiki.openstack.org/OpenAttestation

http://code.google.com/p/vmitools/

Bryan D. Payne

[email protected]

@bdpsecurityhttp://www.bryanpayne.org

beyond the hype: understanding cloud security by bryan d. payne

Documents

director of security

director of security

director of security

director of security

director of security

director of security

director of security

computer security