1. Automating Security for the Cloud
Why we all need to care…
Security B-Sides SF 2012
Rand Wacker
rand@cloudpassage.com
@randwacker
© 2012 CloudPassage Inc.
2. whoami
Rand Wacker
@randwacker
rand@cloudpassage.com
Slides available soon on community.cloudpassage.com
Security / Cloud:
UC Berkeley ✘ ✘
Oracle ✘
Amazon ✘
Sendmail …
IronPort ✘
Cisco ✘
CloudPassage ✘ ✘
3. Agenda
1. Who Runs What in the Cloud
2. Cloud Security Differences
3. DevOps vs SecOps
4. Making Everyone Happy
5. The End
4. Who is running in the cloud?
[Diagram, built up over slides 4-5: IT, Server Admins, Big Data Analysts]
6. What is running in the cloud?
Development
• Who: App-dev shops, integrators, enterprise BUs
• Why: Fast, cheap, agile
• Risks: Code stolen or hacked, live data theft
Permanent Application Hosting
• Who: SaaS providers, social media, gaming
• Why: Scalable, elastic, ties costs to growth
• Risks: Compliance, data theft, operational disruption
Temporary Workloads
• Who: Big data, social, retail, life-sci, media
• Why: Agility, speed, scale, “lease the spikes”
• Risks: Intellectual property theft
7. “We didn’t think we had cloud servers. Then we checked our developers’ expense reports for AWS...”
– CISO, Fortune 500 (name withheld upon request)
9. Cloud Security Is New
[Diagram, slides 9-11: servers www-1 through www-4 inside the private datacenter, with an empty public cloud alongside]
12. Cloud Security Is Different
[Diagram, slides 12-15: www-1 through www-3 stay in the private datacenter while www-4 moves out to the public cloud]
16. Cloud Security Is Complex
[Diagram, built up over slides 16-20: www-1 through www-3 remain in the Private Datacenter; www-4 through www-10 are added across Cloud Provider A and Cloud Provider B]
21. Security Products Aren’t Adapting
[Diagram: the same Private Datacenter / Cloud Provider A / Cloud Provider B layout, annotated with: Metered Usage; Temporary & Elastic Deployments; Multiple Cloud Environments]
22. Survey: Cloud Security Concerns
Question: What security concerns are most important to you regarding public cloud computing? (Multiple choice)
• Lack of perimeter defenses and/or network control: 44%
• Multi-tenancy of infrastructure or applications: 40%
• Achieving compliance with PCI or other standards: 26%
• Provider access to guest servers: 24%
• Enterprise security tools don't work in the cloud: 23%
Source: CloudPassage CloudSec Community Survey
23. Shared Responsibility Model
EC2 Shared Responsibility Model
• Customer responsibility: Data, App Code, App Framework, Operating System, Virtual Machine
• Provider responsibility: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
“…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”
“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Amazon Web Services: Overview of Security Processes
24. Application of Security in IaaS
[Matrix: IaaS layers (Physical Facilities, Network, Hypervisor, Virtual Machine/OS, App Framework / App stack, Application) split between Provider and Customer and across Physical, Virtual, Logic, API, GUI, Compute and Storage, mapped against controls: Authentication, Configuration Lockdown, Patching, NIDS/NIPS, HIDS/HIPS, Packet Filtering, Proxy/Middleware, Application White Listing, Anti-Virus, File/Record Access Control, Encryption, DLP, NAC, SIEM, Auditing/Pen Testing, Forensics, Secure Development Lifecycle, Architecture/Design]
25. Survey: Cloud Security Practices
Question: How do you secure your cloud servers today?
• Open source or custom-developed tools
• Commercial tool
• We're not securing our cloud servers
• My provider does it for me
• Amazon Security Group
Source: CloudPassage CloudSec Community Survey
28. How I Learned to Stop Worrying and Get DevOps to Love Security
30. What Is DevOps?
[Diagram: Venn of DevOps, IT Operations and Security Operations]
33. Traditional DC Protection
[Diagram, built up over slides 33-40: a core firewall in front of the auth server and database servers, a DMZ firewall in front of the load balancer and app server. Build sequence: server provisioning adds a second load balancer / app server pair and a third DB, then “Firewall Updates”, then “Site Debugging!!!”]
41. Moving to the Cloud
[Diagram, slides 41-43: the same tiers (auth server, DBs, load balancers, app servers) first behind the core and DMZ firewalls, then the public cloud appears, and finally the tiers run in the public cloud with no firewalls in front of them]
48. Protecting Cloud Servers
[Diagram, built up over slides 48-53: in the public cloud every tier carries its own FW: load balancer, app servers, DB master. Build sequence: a third app server is added, then a second load balancer and a DB slave, then a further app server labelled “IP”]
54. Cloud Security Challenges
• Inconsistent Control (you don’t own everything)
– The only thing you can count on is guest VM ownership
• Elasticity (not all servers are steady-state)
– Cloud-bursting, stale servers, dynamic provisioning
• Scalability (handle variable workloads)
– May have one dev server or 1,000 number-crunchers
• Portability (same controls must work anywhere)
– Nobody wants multiple tools or IaaS provider lock-in
55. So our tools are broken and everyone hates us, now what?
57. The VM is the Unit of Control
• Controlled by Hosting-User: Data, App Code, App Framework, Operating System, Virtual Machine
• Controlled by Hosting-Provider: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
58. The VM is the Unit of Scale
[Diagram: two identical stacks (Data, App Code, App Framework, Operating System, Virtual Machine) side by side on one shared Hypervisor, Compute & Storage, Shared Network and Physical Facilities]
59. The VM is the Unit of Portability
[Diagram: the same full stack (Data, App Code, App Framework, Operating System, Virtual Machine, Hypervisor, Compute & Storage, Shared Network, Physical Facilities) shown once in a Private Cloud and once at an IaaS Provider]
60. Thesis
In cloud environments, the intersection of control, portability & scale is always the guest virtual-machine.
61. Secure the VM
[Diagram: the VM stack (Data, App Code, App Framework, OS, Virtual Machine) with a FW on either side of the OS; callouts added one per slide over slides 62-66:]
• Secure the OS services and configurations
• Add host-based firewalls (inbound and outbound)
• Ensure application stacks are up-to-date and locked down
• Continuously verify application code is current and un-tampered
• Track sensitive data and prevent egress
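The "Secure the VM" steps above are stated as callouts only. The following is an added example (not CloudPassage code and not from the deck) showing what two of those steps look like as a check that runs inside the guest: a baseline of content hash, permission bits and owner for every file in the image, later diffed against the live tree to catch tampered application code, permission drift and unexpected files, plus a lockdown rule that flags group/world-writable files under the configuration and application directories. The directory layout, file contents and the `LOCKED_DOWN_DIRS` rule are constructed for the demo and are assumptions, not values from the deck.

```python
"""File-integrity and configuration-lockdown check for a cloud guest VM.

Added example, not CloudPassage code. It models two "Secure the VM" steps:
continuously verify application code is un-tampered, and keep the OS
configuration locked down. A baseline of (sha256, mode, uid) per file is taken
from a known-good image; later runs diff the live tree against it.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical lockdown rule: files under these top-level directories must never
# be writable by group or other (mode bits 0o022 must be clear).
LOCKED_DOWN_DIRS = ("etc", "app")


def _file_record(path: Path) -> dict:
    """Hash the file content and capture its permission bits and owner."""
    st = path.stat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def build_baseline(root: Path) -> dict:
    """Walk root and record every regular file, keyed by path relative to root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = _file_record(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline.

    Returns lists: modified (content changed), perm_drift (mode or owner changed),
    added, removed, and world_writable (lockdown violations, baseline or not).
    """
    current = build_baseline(root)
    findings = {"modified": [], "perm_drift": [], "added": [], "removed": [], "world_writable": []}
    for rel, rec in current.items():
        base = baseline.get(rel)
        if base is None:
            findings["added"].append(rel)
        else:
            if rec["sha256"] != base["sha256"]:
                findings["modified"].append(rel)
            if rec["mode"] != base["mode"] or rec["uid"] != base["uid"]:
                findings["perm_drift"].append(rel)
        top = rel.split(os.sep, 1)[0]
        if top in LOCKED_DOWN_DIRS and rec["mode"] & 0o022:
            findings["world_writable"].append(rel)
    findings["removed"] = [rel for rel in baseline if rel not in current]
    return findings


def demo() -> dict:
    """Build a constructed image tree, baseline it, simulate drift, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "app").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")  # constructed
        (root / "app" / "server.py").write_text("print('hello')\n")         # constructed
        (root / "app" / "lib.py").write_text("x = 1\n")                     # constructed
        for p in root.rglob("*"):
            if p.is_file():
                p.chmod(0o644)
        baseline = build_baseline(root)
        # Round-trip through JSON, as an agent shipping the baseline to a controller would.
        baseline = json.loads(json.dumps(baseline))

        # Simulated drift: code changed, config made group-writable, file added, file removed.
        (root / "app" / "server.py").write_text("print('changed')\n")
        (root / "etc" / "sshd_config").chmod(0o664)
        (root / "app" / "unexpected.py").write_text("pass\n")
        (root / "app" / "lib.py").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is taken from the image before it is launched, so a drifted guest is compared against what was deployed rather than against itself; the lockdown check is independent of the baseline so a permissive mode is reported even on a freshly provisioned server.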
68. Automate Policy Application
[Diagram: FULLY AUTOMATE: the hardened VM stack (Data, App Code, App Framework, OS with FW, Virtual Machine) replicated across several VMs]
72. How To Secure Cloud Servers
Servers in hybrid and public clouds must be self-defending with highly automated controls like…
• Dynamic network access control
• Server compromise & intrusion alerting
• Configuration and package security
• Server forensics and security analytics
• Server account visibility & control
• Integration & automation capabilities
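"Dynamic network access control" and the per-server FW in the "Protecting Cloud Servers" diagrams are easiest to see in code. Below is an added example, not CloudPassage's product and not from the deck, of the host-based firewall step done in a way that survives elasticity: each role carries a declarative policy whose sources and destinations are either CIDRs or `role:<name>` references, references are resolved against the current inventory of running instances at render time, the result is validated (bad CIDRs, bad ports, and SSH open to the world are rejected), and a default-DROP iptables ruleset for both INPUT and OUTPUT is rendered. When a DB slave joins, re-rendering the web role's policy yields the extra egress rule without any human editing rules. Role names, ports, addresses and the `POLICIES` / `INVENTORY` tables are constructed; the block only renders iptables command strings and assumes the conntrack match module exists on the host.

```python
"""Role-based host firewall policy renderer for cloud guest VMs.

Added example, not CloudPassage code. Renders default-deny iptables rules from
a per-role policy whose targets may reference other roles; the references are
expanded against a live inventory so rules follow the fleet as it scales.
"""
import ipaddress

# Constructed role policies: (protocol, port, target). A target is a CIDR or
# "role:<name>", resolved to one /32 per live instance of that role.
POLICIES = {
    "web": {
        "inbound": [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")],
        "outbound": [("tcp", 5432, "role:db"), ("udp", 53, "10.0.0.2/32"), ("tcp", 443, "0.0.0.0/0")],
    },
    "db": {
        "inbound": [("tcp", 5432, "role:web"), ("tcp", 22, "10.0.0.0/8")],
        "outbound": [("udp", 53, "10.0.0.2/32")],
    },
}

# Constructed inventory of running instances per role.
INVENTORY = {"web": ["10.2.0.10", "10.2.0.11"], "db": ["10.1.0.5"]}


def resolve(policy: dict, inventory: dict) -> dict:
    """Expand role: references into concrete /32 targets; roles with no live
    instances expand to nothing, so the host fails closed."""
    out = {}
    for direction, entries in policy.items():
        expanded = []
        for proto, port, target in entries:
            if target.startswith("role:"):
                for ip in inventory.get(target[len("role:"):], []):
                    expanded.append((proto, port, f"{ip}/32"))
            else:
                expanded.append((proto, port, target))
        out[direction] = expanded
    return out


def validate(policy: dict) -> list:
    """Return a list of problems with a resolved policy; empty means acceptable."""
    problems = []
    for direction in ("inbound", "outbound"):
        for proto, port, cidr in policy.get(direction, []):
            if proto not in ("tcp", "udp"):
                problems.append(f"{direction}: unsupported protocol {proto}")
            if not 1 <= port <= 65535:
                problems.append(f"{direction}: invalid port {port}")
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"{direction}: bad CIDR {cidr}")
                continue
            # Administrative access must never be reachable from the whole internet.
            if direction == "inbound" and port == 22 and net.prefixlen == 0:
                problems.append("inbound: ssh (22) open to the world")
    return problems


def render_iptables(policy: dict, inventory: dict) -> list:
    """Resolve, validate and render a default-deny ruleset as command strings."""
    resolved = resolve(policy, inventory)
    problems = validate(resolved)
    if problems:
        raise ValueError("; ".join(problems))
    rules = [
        "iptables -F INPUT", "iptables -F OUTPUT",
        "iptables -P INPUT DROP", "iptables -P OUTPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT", "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port, cidr in resolved.get("inbound", []):
        rules.append(f"iptables -A INPUT -p {proto} -s {cidr} --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    for proto, port, cidr in resolved.get("outbound", []):
        rules.append(f"iptables -A OUTPUT -p {proto} -d {cidr} --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    return rules


if __name__ == "__main__":
    for role in POLICIES:
        print(f"# {role}")
        print("\n".join(render_iptables(POLICIES[role], INVENTORY)))
```

Because OUTPUT is default-DROP as well, the rendered policy also covers the deck's "prevent egress" callout: a compromised app server can only reach the database role, the resolver and HTTPS destinations the policy names, and nothing else.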
73. Summary
• There are people using cloud in your org…
• Cloud users often don’t understand security, and
definitely don’t know their responsibility
• Cloud security is different, and hard
• The bad guys know this!
• Cloud has different points of control, leverage them!
74. Best Practices
• Know who is running what, and where
• Read and understand what your provider does, and
what you are responsible for
• Take extra precautions when moving servers
outside your data center
• Start with public cloud, after that everything is easy!
• Focus on securing what you control
75. Wrapping Up
• Continue the discussion
– Slides available: community.cloudpassage.com
• Contact me
– Email: rand@cloudpassage.com
– Twitter: @randwacker
• We’re hiring! Expert in Security and/or Cloud?
– Email: jobs@cloudpassage.com
77. What does CloudPassage do?
Security for virtual servers running in public and private clouds
• Firewall Management
• Compromise & intrusion alerting
• Server Security Configurations
• Security & compliance auditing
• Server account Management
• Vulnerability Management
Cloud adoption without fear
Faster and easier compliance
Repel attacks on your servers
Free Basic version, 5 minutes setup
Editor’s notes
1. Zappos is creating apps for their unique corporate culture
2. Foursquare is a great example in social media – scaling up & down over the weekend.
3. eBay Xmas – highway into the city expands from 3 to 7 lanes in rush hour
SaaS: fast and easy. The only cloud security platform built for the cloud.