confraria security 17 june - cloud security
DESCRIPTION
Cloud Computing Security in Confraria Security & IT, 3rd meeting in Lisbon
TRANSCRIPT
Cloud Computing Security
by Vitor Domingos, intrepid and professional basher
http://vitordomingos.com
* as seen on regular weather channel
Cloud Computing is ?
- Network as a “cloud”
- Network is the computer (SUN moto)
- TCP/IP abstraction (1st cloud)
- www data abstraction (2nd cloud)
- Virtualization (3rd cloud)
Bottom line:
- Virtualization done right, with webservices
Cloud Computing is !
- on-demand self-service
- ubiquitous network access
- location independent resource pooling
- rapid elasticity
- measured service
- pay as you go
- abstract resources
CCaaS
- Software as a Service
- SalesForce
- Platform as a Service
- Google App Engine
- Microsoft Azure
- Infrastructure as a Service
- Rackspace Mosso
- Amazon Web Services
Cloud Computing leverages
- Virtualization
- Multi-Tenancy
- Massive Scale
- Autonomic Computing
- Distributed Environment
- Security Technologies
- Service Oriented
Security in the Cloud
Only the paranoid survive!
- Key issues:
trust, trust, multi-tenancy, trust, encryption, compliance
- Massive complex systems running on functional units
- Certification & Audit
- Loss of physical control
- Interoperability
- Accountability
Please, keep in mind that
- Shared hell:
- Hardware
- Memory
- Disks
- NICs (virtual)
- Cache Snooping
- Hypervisor Attacks
- Persistent Rootkits
- Password Cracking
- Broken or stolen key rings / authorization federation
- Never ending logs
Great things do come
- Provisioning
- Rapid reconstitution of services
- Storage fragmented
- Security layers (auth, firewall, logging, …)
- Network and Security perimeters
- Virtual Zoning
- Fault tolerance
Challenges
- Data dispersal and international privacy laws
- Isolation management & Multi-Tenancy
- Certification (SAS 70 Type II audits and ISO 27001)
- Data ownership
- QoS & SLA guarantees
- Secure Hypervisors
Challenges
- Massive outages
- Service bottlenecks; DNS as your best friend
- Encryption needs: cloud resources, applications, storage, services
- Disaster recovery and contingency plans
- If you have it on Auto mode, you won't see it coming
- Honey for hackers
ToDo
- Network with VPN and VLANs
- SLAs; read the fine print
- Backup and recover often; Risk assessment
- Log (out of there) as if the world ended tomorrow
- Plan for failure
- YOU secure!!!
- Sandbox, Sandbox, Sandbox
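Added example for the "Log (out of there)" item above, combined with the "Persistent Root Kits" point from the shared-hell slide. This is my illustration, not code from the talk or from any of the providers it names. It shows one way to ship logs off an instance so that, once a record has left, a later compromise of the instance cannot silently edit, drop or reorder the shipped history: each record is HMAC-chained to the previous one and the off-instance collector only accepts records that extend the chain it already holds. Assumptions (mine): the instance and the collector share a per-instance HMAC key, and the collector remembers the last accepted MAC. The log lines are constructed samples.

```python
# Added example (not from the talk): tamper-evident log shipping for a cloud
# instance. Assumptions (mine, not the talk's): the instance and the
# off-instance collector share a per-instance HMAC key, and the collector
# keeps the last accepted MAC per instance.
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # chain anchor for a fresh instance


def _mac(key: bytes, prev_mac: str, body: str) -> str:
    # The MAC covers the previous MAC as well as the body, which is what
    # turns independent signed lines into a chain.
    return hmac.new(key, (prev_mac + "\n" + body).encode(), hashlib.sha256).hexdigest()


class Shipper:
    """Instance side: seals each log record and links it to the previous one."""

    def __init__(self, key: bytes):
        self.key = key
        self.prev = GENESIS

    def ship(self, record: dict) -> dict:
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        sealed = {"prev": self.prev, "body": body, "mac": _mac(self.key, self.prev, body)}
        self.prev = sealed["mac"]
        return sealed


class Collector:
    """Off-instance side: accepts a record only if it extends the accepted chain."""

    def __init__(self, key: bytes):
        self.key = key
        self.last = GENESIS
        self.accepted = []

    def receive(self, sealed: dict) -> bool:
        if sealed["prev"] != self.last:
            return False  # gap, replay or reordering relative to what we already hold
        expected = _mac(self.key, sealed["prev"], sealed["body"])
        if not hmac.compare_digest(expected, sealed["mac"]):
            return False  # body or MAC edited on the instance or in transit
        self.accepted.append(sealed)
        self.last = sealed["mac"]
        return True


def verify_chain(key: bytes, records: list) -> Optional[int]:
    """Re-check a stored chain; return the index of the first bad record, or None."""
    collector = Collector(key)
    for i, rec in enumerate(records):
        if not collector.receive(rec):
            return i
    return None


def run_demo() -> dict:
    key = b"constructed-demo-key-do-not-reuse"  # constructed; real keys come from a key store
    shipper = Shipper(key)
    # Constructed sample records, the kind a web instance would emit.
    records = [shipper.ship(r) for r in [
        {"ts": "2009-06-17T21:00:01Z", "evt": "sshd", "msg": "Accepted publickey for ops from 10.0.1.5"},
        {"ts": "2009-06-17T21:00:09Z", "evt": "sudo", "msg": "ops : COMMAND=/bin/bash"},
        {"ts": "2009-06-17T21:00:12Z", "evt": "sshd", "msg": "Failed password for root from 203.0.113.7"},
        {"ts": "2009-06-17T21:00:30Z", "evt": "cron", "msg": "backup job started"},
    ]]
    intact = verify_chain(key, records)  # untouched chain verifies: None

    edited = [dict(r) for r in records]  # rewrite the sudo line after shipping
    edited[1]["body"] = edited[1]["body"].replace("COMMAND=/bin/bash", "COMMAND=/bin/true")
    tampered = verify_chain(key, edited)  # detected at index 1

    dropped = records[:2] + records[3:]  # remove the failed-login line
    gap = verify_chain(key, dropped)  # detected at index 2

    return {"intact": intact, "tampered": tampered, "dropped": gap}


if __name__ == "__main__":
    print(run_demo())
```

The chain protects history that has already reached the collector, so ship promptly: an attacker who steals the key from a live instance can still forge records from that point on, which is why the key should be per-instance and rotated with the instance. The chain gives integrity only, not confidentiality; that is the separate "Encrypt" item in the wrap-up.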
You're not alone
- Security Groups
IBM; SUN; Amazon; ISV
- Cloud Security Alliance (awesome guide!!)
- OpenCloud Manifesto & Amazon Security Paper
- Cloud Computing ML at Google Groups
- Legal Clouds
- Vivek Kundra, USA CTO, did it, as did Facebook, New York Times and Nasdaq (on AWS)
Wrap up
- Plan
- Encrypt
- Backup
- Secure
- Audit
- Sandbox (check my SAPO Codebits talk from last year)
- http://codebits.sapo.pt/files/aws_23.pdf
- Trust
?
mail: [email protected]@prt.sc
site: http://vitordomingos.com