Automating Security for the Cloud
Why we all need to care…
Security B-Sides SF 2012
Rand Wacker
rand@cloudpassage.com
@randwacker

© 2012 CloudPassage Inc.
whoami
Rand Wacker
@randwacker
rand@cloudpassage.com
Slides available soon on community.cloudpassage.com

                 Security   Cloud
UC Berkeley         ✘         ✘
Oracle              ✘
Amazon                        ✘
Sendmail            …
IronPort            ✘
Cisco               ✘
CloudPassage        ✘         ✘
Agenda
1. Who Runs What in the Cloud
2. Cloud Security Differences
3. DevOps vs SecOps
4. Making Everyone Happy
5. The End
Who is running in the cloud?
[Diagram: IT Server Admins; Big Data Analysts]
What is running in the cloud?

Development
  Who: App-dev shops, integrators, Enterp. BU’s
  Why: Fast, cheap, agile
  Risks: Code stolen or hacked, live data theft

Permanent Application Hosting
  Who: SaaS providers, social media, gaming
  Why: Scalable, elastic, ties costs to growth
  Risks: Compliance, data theft, oper. disruption

Temporary Workloads
  Who: Big data, social, retail, life-sci, media
  Why: Agility, speed, scale, “lease the spikes”
  Risks: Intellectual property theft
“We didn’t think we had cloud servers. Then we checked our developers’ expense reports for AWS...”
- CISO, Fortune 500 (name withheld upon request)
Why Your Security Toolbox Doesn’t Work In The Cloud
Cloud Security Is New
[Diagram: servers www-1, www-2, www-3 and www-4 in the private datacenter; an empty public cloud below]
Cloud Security Is Different
[Diagram, built up over several slides: www-1, www-2 and www-3 stay in the private datacenter while www-4 moves out to the public cloud]
Cloud Security Is Complex
[Diagram, built up over several slides: www-1, www-2 and www-3 in the Private Datacenter; www-4, www-5 and www-6 at Cloud Provider A; www-7, www-8, www-9 and www-10 at Cloud Provider B]
Security Products Aren’t Adapting
[Diagram: the same three-environment deployment (Private Datacenter, Cloud Provider A, Cloud Provider B) annotated with what security products fail to handle: Metered Usage; Temporary & Elastic Deployments; Multiple Cloud Environments]
Survey: Cloud Security Concerns
Question: What security concerns are most important to you regarding public cloud computing? (Multiple Choice)

Lack of perimeter defenses and/or network control      44%
Multi-tenancy of infrastructure or applications        40%
Achieving compliance with PCI or other standards       26%
Provider access to guest servers                       24%
Enterprise security tools don't work in the cloud      23%

Source: CloudPassage CloudSec Community Survey
Shared Responsibility Model
EC2 Shared Responsibility Model

Customer Responsibility:
  Data
  App Code
  App Framework
  Operating System
  Virtual Machine
Provider Responsibility:
  Hypervisor
  Compute & Storage
  Shared Network
  Physical Facilities

“…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”

“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Amazon Web Services: Overview of Security Processes
[Diagram: Application of Security in IaaS. Stack layers running from Provider to Customer: Physical Facilities, Physical Network, Storage, Compute, Hypervisor, Virtual Network, Virtual Machine/OS, App Framework / App stack, Application Logic, API, GUI. Controls shown on the network and infrastructure side: NIDS/NIPS, Packet Filtering, Proxy/Middleware, Encryption, DLP, NAC, SIEM, Auditing/Pen Testing, Forensics, Secure Development Lifecycle, Architecture/Design, Physical. Controls shown on the host and application side: HIDS/HIPS, Proxy/Middleware, Application White Listing, Anti-Virus, File/Record Access Control, Encryption, Authentication, Configuration Lockdown, Patching.]
Survey: Cloud Security Practices
Question: How do you secure your cloud servers today?

[Pie chart; percentages not recoverable. Answer options: Open source or custom-developed tools; Commercial Tool; We're not securing our cloud servers; My provider does it for me; Amazon Security Group]

Source: CloudPassage CloudSec Community Survey
How I Learned to Stop Worrying and Get DevOps to Love Security
What Is DevOps?
[Diagram, built up over two slides: DevOps sits between Development and IT Operations; Security Operations is then added beside IT Operations]
Why Does DevOps Love Cloud?
Different Job Goals
[Diagram: SecOps vs DevOps]
Traditional DC Protection
[Diagram, built up over several slides: a private datacenter with an Auth Server, DB servers, Load Balancers and App Servers, segmented by a dmz Firewall and a core Firewall. Each build adds a step that security has to be involved in: Server Provisioning; Firewall Updates; Site Debugging!!!]
Moving to the Cloud
[Diagram, built up over several slides: the same Auth Server, DBs, Load Balancers and App Servers redrawn inside the public cloud; in the final build the dmz and core Firewalls are gone]
Protecting Cloud Servers
[Diagram, built up over several slides: a Load Balancer, two App Servers and a DB Master in the public cloud. A host firewall (FW) is added to each server; then a third App Server with its own FW, a second Load Balancer, a DB Slave and an App Server labelled IP are added, the new Load Balancer and DB Slave each with a FW]
Cloud Security Challenges
• Inconsistent Control (you don’t own everything)
      – The only thing you can count on is guest VM ownership

• Elasticity (not all servers are steady-state)
      – Cloud-bursting, stale servers, dynamic provisioning

• Scalability (handle variable workloads)
      – May have one dev server or 1,000 number-crunchers

• Portability (same controls must work anywhere)
      – Nobody wants multiple tools or IaaS provider lock-in


So our tools are broken and everyone hates us, now what?
With Gratitude: Hyperbole and a Half
The VM is the Unit of Control

Controlled by Hosting-User:
  Data
  App Code
  App Framework
  Operating System
  Virtual Machine
Controlled by Hosting-Provider:
  Hypervisor
  Compute & Storage
  Shared Network
  Physical Facilities
The VM is the Unit of Scale
[Diagram: two identical guest stacks (Data, App Code, App Framework, Operating System, Virtual Machine) side by side on one provider stack (Hypervisor, Compute & Storage, Shared Network, Physical Facilities)]
The VM is the Unit of Portability
[Diagram: the same full stack (Data, App Code, App Framework, Operating System, Virtual Machine, Hypervisor, Compute & Storage, Shared Network, Physical Facilities) drawn once for a Private Cloud and once for an IaaS Provider]
Thesis
In cloud environments, the intersection of control, portability & scale is always the guest virtual-machine.
Secure the VM

Controls applied at each layer of the guest VM:

• Data: track sensitive data and prevent egress
• App Code: continuously verify application code is current and un-tampered
• App Framework: ensure application stacks are up-to-date and locked down
• OS: secure the OS services and configurations; add host-based firewalls (inbound and outbound)
• Virtual Machine
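The "verify application code is current and un-tampered" control above, as an added example (not code from the deck or from CloudPassage): a SHA-256 manifest is taken from a known-good deployment and later scans are diffed against it. File names, contents and the tampering scenario are constructed for the demo.

```python
"""Baseline-and-verify check for application code on a guest VM (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

Manifest = Dict[str, str]  # relative POSIX path -> hex SHA-256


def sha256_file(path: Path) -> str:
    """Stream the file so large artefacts do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Manifest:
    """Hash every regular file under root, keyed by path relative to root.

    Symlinks are skipped on purpose: hashing a link's target would hide the
    fact that a 'known-good' path now points somewhere else.
    """
    manifest: Manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            manifest[full.relative_to(root).as_posix()] = sha256_file(full)
    return manifest


def verify(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Diff two manifests; three empty lists means the tree is unchanged."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: deploy, take a baseline, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        (app / "lib").mkdir(parents=True)
        (app / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (app / "lib" / "db.php").write_text("<?php // db helper ?>\n")
        (app / "config.ini").write_text("debug=0\n")
        baseline = build_manifest(app)

        # Simulated post-deployment changes nobody approved.
        (app / "index.php").write_text("<?php echo 'changed'; ?>\n")    # modified
        (app / "lib" / "unexpected.php").write_text("<?php // new ?>\n")  # added
        (app / "config.ini").unlink()                                    # removed
        return verify(baseline, build_manifest(app))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is produced by the build pipeline and stored off the host, so a compromised VM cannot rewrite its own reference.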
Automate Policy Application

FULLY AUTOMATE the application of these controls: the secured guest stack (Data / App Code / App Framework / OS with FW on both sides / Virtual Machine) is shown replicated across many VM instances, each copy carrying the same controls.
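One way to automate the host-firewall part of that policy, as an added example (not the deck's or CloudPassage's code): permitted flows are written once per role, and each VM's default-deny iptables rule set is derived from the policy plus the current inventory, so an added app server or a replaced load balancer regenerates every affected host's rules. Roles, IPs and ports are constructed; the output is iptables command lines and is not applied here.

```python
"""Generate per-VM host firewall rules from a role-based policy (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One permitted TCP flow: from a role (or 'any') to a role on a port."""
    src: str
    dst: str
    port: int


# Role-based policy: the only flows allowed between tiers (constructed).
POLICY: Tuple[Flow, ...] = (
    Flow("any", "lb", 443),    # internet -> load balancer (HTTPS)
    Flow("lb", "app", 8080),   # load balancer -> app servers
    Flow("app", "db", 3306),   # app servers -> DB master
)

# Inventory: VM instances currently running and their roles (constructed).
INVENTORY: Dict[str, str] = {
    "10.0.0.10": "lb",
    "10.0.1.11": "app",
    "10.0.1.12": "app",
    "10.0.2.20": "db",
}


def members(inventory: Dict[str, str], role: str) -> List[str]:
    """All instance IPs currently holding a role, in stable order."""
    return sorted(ip for ip, r in inventory.items() if r == role)


def rules_for(host: str, inventory: Dict[str, str],
              policy: Tuple[Flow, ...] = POLICY) -> List[str]:
    """Default-deny inbound and outbound rule set for one host."""
    role = inventory[host]
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        # Replies to permitted connections in either direction.
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for flow in policy:
        if flow.dst == role:  # inbound: who may open connections to this host
            srcs = ["0.0.0.0/0"] if flow.src == "any" else members(inventory, flow.src)
            for src in srcs:
                rules.append(
                    f"iptables -A INPUT -p tcp -s {src} --dport {flow.port} "
                    f"-m conntrack --ctstate NEW -j ACCEPT"
                )
        if flow.src == role:  # outbound: whom this host may open connections to
            for dst in members(inventory, flow.dst):
                rules.append(
                    f"iptables -A OUTPUT -p tcp -d {dst} --dport {flow.port} "
                    f"-m conntrack --ctstate NEW -j ACCEPT"
                )
    return rules


def rules_for_all(inventory: Dict[str, str],
                  policy: Tuple[Flow, ...] = POLICY) -> Dict[str, List[str]]:
    """The automation step: regenerate every host's rules from one policy."""
    return {host: rules_for(host, inventory, policy) for host in sorted(inventory)}


if __name__ == "__main__":
    for host, rules in rules_for_all(INVENTORY).items():
        print(f"# {host} ({INVENTORY[host]})")
        print("\n".join(rules))
```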
Separate Security Controls

Secured guest stack: Data / App Code / App Framework / OS (FW on both sides) / Virtual Machine
DevOps labelled on the left (the VM and its stack); SecOps labelled on the right (the firewall and security controls)
The Secure, Automated Cloud
Wrapping Up
How To Secure Cloud Servers
Servers in hybrid and public clouds must be self-defending with highly automated controls like…

• Dynamic network access control
• Server compromise & intrusion alerting
• Configuration and package security
• Server forensics and security analytics
• Server account visibility & control
• Integration & automation capabilities
Summary
• There are people using cloud in your org…

• Cloud users often don’t understand security, and
  definitely don’t know their responsibility

• Cloud security is different, and hard

• The bad guys know this!

• Cloud has different points of control, leverage them!
Best Practices
• Know who is running what, and where

• Read and understand what your provider does, and
  what you are responsible for

• Take extra precautions when moving servers
  outside your data center

• Start with public cloud, after that everything is easy!

• Focus on securing what you control
Wrapping Up
• Continue the discussion
  – Slides available: community.cloudpassage.com

• Contact me
  – Email: rand@cloudpassage.com
  – Twitter: @randwacker

• We’re hiring! Expert in Security and/or Cloud?
  – Email: jobs@cloudpassage.com
Thank You!
What does CloudPassage do?
Security for virtual servers running in public and private clouds

• Firewall Management
• Compromise & intrusion alerting
• Server Configurations
• Security & compliance auditing
• Server account Management
• Vulnerability Management

Cloud adoption without fear
Faster and easier compliance
Repel attacks on your servers
Free Basic version, 5 minutes setup
BSides SF - Automating Security for the Cloud

  • 1. Automating Security for the Cloud Why we all need to care… Security B-Sides SF 2012 Rand Wacker rand@cloudpassage.com @randwacker © 2012 CloudPassage Inc.
  • 2. whoami Slides available soon on Rand Wacker community.cloudpassage.com @randwacker rand@cloudpassage.com Security Cloud UC Berkeley ✘ ✘ Oracle ✘ Amazon ✘ Sendmail … IronPort ✘ Cisco ✘ CloudPassage ✘ ✘ © 2012 CloudPassage Inc.
  • 3. Agenda 1. Who Runs What in the Cloud 2. Cloud Security Differences 3. DevOps vs SecOps 4. Making Everyone Happy 5. The End © 2012 CloudPassage Inc.
  • 4. Who is running in the cloud? IT Server Admins Big Data Analysts © 2012 CloudPassage Inc.
  • 5. Who is running in the cloud? IT Server Admins Big Data Analysts © 2012 CloudPassage Inc.
  • 6. What is running in the cloud? Who: App-dev shops, integrators, Enterp. BU’s Development Why: Fast, cheap, agile Risks: Code stolen or hacked, live data theft Who: SaaS providers, social media, gaming Why: Scalable, elastic, ties costs to growth Permanent Risks: Compliance, data theft, oper. disruption Application Hosting Who: Big data, social, retail, life-sci, media Why: Agility, speed, scale, “lease the spikes” Temporary Risks: Intellectual property theft Workloads © 2012 CloudPassage Inc.
  • 7. “We didn’t think we had cloud servers. Then we checked our developers’ expense reports for AWS...” - CISO, Fortune 500 Name withheld upon request © 2012 CloudPassage Inc.
  • 8. Why Your Security Toolbox Doesn’t Work In The Cloud © 2012 CloudPassage Inc.
  • 9. Cloud Security Is New private datacenter www-1 www-2 www-3 www-4 public cloud © 2012 CloudPassage Inc.
  • 10. Cloud Security Is New private datacenter www-1 www-2 www-3 www-4 public cloud © 2012 CloudPassage Inc.
  • 11. Cloud Security Is New private datacenter www-1 www-2 www-3 www-4 public cloud © 2012 CloudPassage Inc.
  • 12. Cloud Security Is Different private datacenter www-1 www-2 www-3 www-4 public cloud © 2012 CloudPassage Inc.
  • 13. Cloud Security Is Different private datacenter www-1 www-2 www-3 www-4 public cloud © 2012 CloudPassage Inc.
  • 14. Cloud Security Is Different private datacenter www-1 www-2 www-3 www-4 public cloud © 2012 CloudPassage Inc.
  • 15. Cloud Security Is Different private datacenter www-1 www-2 www-3 www-4 public cloud © 2012 CloudPassage Inc.
  • 16. Cloud Security Is Complex Cloud Provider B Cloud Provider A www-1 www-2 www-3 www-4 Private Datacenter © 2012 CloudPassage Inc.
  • 17. Cloud Security Is Complex Cloud Provider B www-4 Cloud Provider A www-1 www-2 www-3 Private Datacenter © 2012 CloudPassage Inc.
  • 18. Cloud Security Is Complex Cloud Provider B www-4 www-5 www-6 www-7 www-8 www-9 www-10 Cloud Provider A www-1 www-2 www-3 Private Datacenter © 2012 CloudPassage Inc.
  • 19. Cloud Security Is Complex www-7 www-8 www-9 www-10 Cloud Provider B www-4 www-5 www-6 Cloud Provider A www-1 www-2 www-3 Private Datacenter © 2012 CloudPassage Inc.
  • 20. Cloud Security Is Complex www-7 www-8 www-9 www-10 Cloud Provider B www-4 www-5 www-6 Cloud Provider A www-1 www-2 www-3 Private Datacenter © 2012 CloudPassage Inc.
  • 21. Security Products Aren’t Adapting Metered Usage www-7 www-8 www-9 www-10 www-4 www-5 www-6 Cloud Provider B Temporary & Elastic Deployments Cloud Provider A www-1 www-2 www-3 Multiple Cloud Environments Private Datacenter © 2012 CloudPassage Inc.
  • 22. Survey: Cloud Security Concerns Question: What security concerns are most important to you regarding public cloud computing? Multiple Choice Lack of perimeter defenses and/or network 44% control Multi-tenancy of infrastructure or 40% applications Achieving compliance with PCI or other 26% standards Provider access to guest servers 24% Enterprise security tools don't work in the 23% cloud © 2012 CloudPassage Inc. Source: CloudPassage CloudSec Community Survey
  • 23. Shared Responsibility Model Responsibility EC2 Shared Responsibility Model Data Customer “…the customer should assume App Code responsibility and management of, but not limited to, the guest operating system.. and App Framework associated application software...” Operating System “…it is possible for customers to enhance security and/or meet more stringent Virtual Machine compliance requirements with the addition of Responsibility host based firewalls, host based intrusion Hypervisor Provider detection/prevention, encryption and key management.” Compute & Storage Amazon Web Services: Overview of Security Shared Network Processes Physical Facilities © 2012 CloudPassage Inc.
  • 24. Provider Customer Virtual Network API Compute Logic Virtual Physical Physical Facilities Network App stack Hypervisor Application Machine/OS GUI App Framework / Storage Authentication Configuration Lockdown Patching NIDS/NIPS HIDS/HIPS Packet Filtering Proxy/Middleware Proxy/Middleware Application White Listing Anti-Virus File/Record Access Control Encryption Encryption DLP NAC SIEM Auditing/Pen Testing Forensics Application of Security in IaaS Secure Development Lifecycle Architecture/Design Physical
  • 25. Survey: Cloud Security Practices Question: How do you secure your cloud servers today? Open source or custom-developed tools Commercial Tool We're not securing our cloud servers My provider does it for me Amazon Security Group Source: CloudPassage CloudSec Community Survey © 2012 CloudPassage Inc.
  • 28. How I Learned to Stop Worrying and Get DevOps to Love Security © 2012 CloudPassage Inc.
  • 29. What Is DevOps? DevOps IT Operations © 2012 CloudPassage Inc.
  • 30. What Is DevOps? DevOps IT Operations Security Operations © 2012 CloudPassage Inc.
  • 31. Why Does DevOps Love Cloud? © 2012 CloudPassage Inc.
  • 32. Different Job Goals SecOps DevOps © 2012 CloudPassage Inc.
  • 33. Traditional DC Protection Auth DB DB Server core core Firewal l Server Provisioning Load App Balancer Server dmz dmz Firewal l © 2012 CloudPassage Inc.
  • 34. Traditional DC Protection Auth DB DB DB Server core core Firewal l Server Provisioning Load App Load App Balancer Server Balancer Server dmz dmz Firewal l © 2012 CloudPassage Inc.
  • 35. Traditional DC Protection Auth DB DB DB Server core core Firewal l Server Provisioning Load App Load App Balancer Server Balancer Server dmz dmz Firewal l Firewall Updates © 2012 CloudPassage Inc.
  • 36. Traditional DC Protection Auth DB DB DB Server core core Firewal l Load App Load App Balancer Server Balancer Server dmz dmz Firewal l © 2012 CloudPassage Inc.
  • 37. Traditional DC Protection Auth DB DB DB Server core core Firewal l Load App Load App Balancer Server Balancer Server Site Debugging!!! dmz dmz Firewal l © 2012 CloudPassage Inc.
  • 38. Traditional DC Protection Auth DB DB DB Server core core Firewal l Load App Load App Balancer Server Balancer Server Site Debugging!!! dmz dmz Firewal l © 2012 CloudPassage Inc.
  • 39. Traditional DC Protection Auth DB DB DB Server core core Firewal l Load App Load App Balancer Server Balancer Server Site Debugging!!! dmz dmz Firewal l © 2012 CloudPassage Inc.
  • 40. Traditional DC Protection Auth DB DB DB Server core core Firewal l Load App Load App Balancer Server Balancer Server Site Debugging!!! dmz dmz Firewal l © 2012 CloudPassage Inc.
  • 41. Moving to the Cloud Auth DB DB DB Server core core Firewal l Load App Load App Balancer Server Balancer Server dmz dmz Firewal l © 2012 CloudPassage Inc.
  • 42. Moving to the Cloud Auth DB DB DB Server core core Firewal l Load App Load App Balancer Server Balancer Server dmz dmz Firewal l public cloud © 2012 CloudPassage Inc.
  • 43. Moving to the Cloud Auth DB DB DB Server Load App Load App Balancer Server Balancer Server public cloud © 2012 CloudPassage Inc.
  • 44–53. Protecting Cloud Servers (diagram series): Load Balancer, App Servers and DB Master in the public cloud. From slide 48 a host firewall (FW) is attached to each server; then a third App Server, a second Load Balancer and a DB Slave are added, each with its own FW, and an App Server IP is shown on slides 51–53.
  • 54. Cloud Security Challenges
    – Inconsistent Control (you don’t own everything): the only thing you can count on is guest VM ownership
    – Elasticity (not all servers are steady-state): cloud-bursting, stale servers, dynamic provisioning
    – Scalability (handle variable workloads): may have one dev server or 1,000 number-crunchers
    – Portability (same controls must work anywhere): nobody wants multiple tools or IaaS provider lock-in
  • 55. So our tools are broken and everyone hates us, now what?
  • 57. The VM is the Unit of Control (stack diagram). Controlled by Hosting-User: Data, App Code, App Framework, Operating System, Virtual Machine. Controlled by Hosting-Provider: Hypervisor, Compute & Storage, Shared Network, Physical Facilities.
  • 58. The VM is the Unit of Scale (stack diagram): two identical Data / App Code / App Framework / Operating System / Virtual Machine stacks on one Hypervisor, Compute & Storage, Shared Network and Physical Facilities.
  • 59. The VM is the Unit of Portability (stack diagram): the same Data / App Code / App Framework / Operating System / Virtual Machine stack shown on a Private Cloud and on an IaaS Provider, each with its own Hypervisor, Compute & Storage, Shared Network and Physical Facilities.
  • 60. Thesis: In cloud environments, the intersection of control, portability & scale is always the guest virtual-machine.
  • 61–66. Secure the VM (build-up diagram over the layers Data, App Code, App Framework, OS, Virtual Machine):
    – Secure the OS services and configurations
    – Add host-based firewalls (inbound and outbound)
    – Ensure application stacks are up-to-date and locked down
    – Continuously verify application code is current and un-tampered
    – Track sensitive data and prevent egress
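  One concrete form of the “continuously verify application code is current and un-tampered” control, and of applying the same policy to every VM of a release, is a hashed file manifest: build it once from a known-good deployment, ship it with the release, and have each VM check itself against it on a schedule. The block below is an added example written for this page, not CloudPassage’s product or code. It assumes a release tree under one directory, a JSON manifest built from that tree, and a constructed temporary directory standing in for a VM; the sample files and the simulated drift are constructed, not taken from any real system.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest and permission bits for every regular file under root.

    Paths are stored relative to root, so one manifest describes a release
    and can be checked on every VM that deploys it (the "unit of scale").
    Symlinks are skipped so a link pointing outside the tree is not hashed.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": file_digest(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the manifest and group the findings.

    A clean VM returns four empty lists; anything else is an alert for SecOps.
    """
    current = build_baseline(root)
    findings = {"modified": [], "mode_changed": [], "removed": [], "added": []}
    for rel, expected in baseline.items():
        actual = current.get(rel)
        if actual is None:
            findings["removed"].append(rel)
        elif actual["sha256"] != expected["sha256"]:
            findings["modified"].append(rel)
        elif actual["mode"] != expected["mode"]:
            findings["mode_changed"].append(rel)
    findings["added"] = [rel for rel in current if rel not in baseline]
    return findings


def demo() -> dict:
    """Constructed sample: baseline a tiny release, then simulate post-deploy drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "app"
        app.mkdir()
        (app / "main.py").write_text("print('hello')\n")
        (app / "config.yml").write_text("debug: false\n")
        (app / "old_module.py").write_text("# retired in the next release\n")
        (app / "config.yml").chmod(0o640)

        # Store the manifest as JSON, as it would be when shipped with a release.
        manifest = json.dumps(build_baseline(root))
        baseline = json.loads(manifest)

        # Drift that a continuous check should catch (constructed, not real):
        (app / "main.py").write_text("print('hello world')\n")        # content changed
        (app / "config.yml").chmod(0o666)                              # now world-writable
        (app / "old_module.py").unlink()                               # file removed
        (app / "dropped.txt").write_text("not part of the release\n")  # unexpected file

        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

  In a fleet, the manifest is produced by the build pipeline and the `verify` step runs from a scheduler on each VM, reporting findings centrally; the manifest itself should be delivered and stored where the application’s own user cannot rewrite it, otherwise a change to the code and a matching change to the manifest look identical to a clean host.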
  • 67–68. Automate Policy Application: FULLY AUTOMATE (diagram: the Data / App Code / App Framework / FW / OS / FW / Virtual Machine stack, then many copies of that stack)
  • 69. Separate Security Controls (diagram: the same VM stack, labelled SecOps on one side and DevOps on the other)
  • 70. The Secure, Automated Cloud
  • 71. Wrapping Up
  • 72. How To Secure Cloud Servers: Servers in hybrid and public clouds must be self-defending with highly automated controls like…
    – Dynamic network access control
    – Server compromise & intrusion alerting
    – Configuration and package security
    – Server forensics and security analytics
    – Server account visibility & control
    – Integration & automation capabilities
  • 73. Summary
    – There are people using cloud in your org…
    – Cloud users often don’t understand security, and definitely don’t know their responsibility
    – Cloud security is different, and hard
    – The bad guys know this!
    – Cloud has different points of control, leverage them!
  • 74. Best Practices
    – Know who is running what, and where
    – Read and understand what your provider does, and what you are responsible for
    – Take extra precautions when moving servers outside your data center
    – Start with public cloud, after that everything is easy!
    – Focus on securing what you control
  • 75. Wrapping Up
    – Continue the discussion: slides available at community.cloudpassage.com
    – Contact me: Email rand@cloudpassage.com, Twitter @randwacker
    – We’re hiring! Email jobs@cloudpassage.com (BTW, expert in Security and/or Cloud? We’re hiring!)
  • 76. Thank You!
  • 77. What does CloudPassage do? Security for virtual servers running in public and private clouds
    – Firewall Management
    – Compromise & intrusion alerting
    – Server Configurations
    – Security & compliance auditing
    – Server account Management
    – Vulnerability Management
    ✓ Cloud adoption without fear ✓ Faster and easier compliance ✓ Repel attacks on your servers ✓ Free Basic version, 5 minutes setup

Editor’s notes

  1. Zappos is creating apps for their unique corporate culture. 2. Foursquare is a great example in social media – scaling up & down over the weekend. 3. Ebay xmas – highway into the city expands from 3 to 7 lanes in rush hour.
  2. SaaS. Fast and easy. The only cloud security platform built for the cloud.