REBUILDING FOR
THE CLOUD

HOW CLOUD ARCHITECTURE CAN IMPROVE
APPLICATION SECURITY
INTRO
AGENDA
Definitions (brief, I promise)
Cloud Benefits
Cloud Security Concepts
Moving applications to the cloud, wrong way
Moving applications to the cloud, right way
Please do ask questions!
CLOUD [kloud]
noun
NIST definition (SP 800-145)
  •   On demand, self-service
  •   Broad network access
  •   Resource pooling
  •   Rapid elasticity
  •   Measured (read: billable) service
INFORMATION SECURITY
[in-fer-mey-shuhn si-kyoor-i-tee]
noun
Protecting information and information systems from
unauthorized access, use, disclosure, disruption,
modification, perusal, inspection, recording or destruction.


See Also: Job Security
Artist: Tyler, 11. Dortmund, Germany
CLOUD BENEFITS
Main benefit: Flexibility


Possible benefit: Cost savings
CLOUD SECURITY
CLIFF NOTES


• Trust nobody
• Encrypt everything
• Expect service issues
WHAT’S WRONG WITH FORKLIFTING?
FORKLIFTING…
“Datacenter” application to the cloud:
• Can’t trust what you used to
• Datacenter apps usually not flexible
• Confidentiality, Integrity, Availability all handled differently
ENTERPRISE vs CLOUD
HOW ABOUT PAAS?
LEVERAGING CLOUD
ARCHITECTURE
How can we (gently) re-architect to take advantage of the
cloud?
• Network
• Web server
• Application Server
• Database server
• Don’t forget audit/forensics!
NETWORK
Good: Limit by IP


Better: Allow administration via
VPN only


Best: Admin interface on separate
host, VPN only




Artist: Jonathan, age 7. Heidelberg, Germany
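The three network tiers above as a check you can run over exported firewall or security-group rules. This is an added example, not code from the deck: the rule shape, the admin port list, and the VPN and admin-subnet CIDRs are assumptions; in practice the rules come from the provider's API and the ranges from your own addressing plan.

```python
"""Grade firewall / security-group rules against the NETWORK slide's tiers.

Added example, not from the deck.  A Rule is (host, port, source CIDR); the
admin ports and the VPN / admin-subnet ranges below are assumptions.
"""
import ipaddress
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389, 8443}                        # SSH, RDP, assumed admin web UI
VPN_NET = ipaddress.ip_network("10.8.0.0/24")         # assumed VPN client pool
ADMIN_NET = ipaddress.ip_network("10.0.100.0/24")     # assumed subnet of the dedicated admin host
RANK = {"bad": 0, "good": 1, "better": 2, "best": 3}  # lower rank wins when downgrading


@dataclass(frozen=True)
class Rule:
    host: str      # host (or security group) the rule is attached to
    port: int      # destination port allowed in
    source: str    # CIDR allowed to reach host:port


def _within(src, net):
    """True if src lies inside net; mixed IPv4/IPv6 never matches."""
    return src.version == net.version and src.subnet_of(net)


def grade_admin_access(rules, vpn=VPN_NET, admin=ADMIN_NET):
    """Return (tier, findings) for the admin-port rules in `rules`.

    bad    : an admin port is open to the world (0.0.0.0/0 or ::/0)
    good   : admin ports are limited by IP, but not to the VPN / admin host
    better : admin ports reachable straight from the VPN on a host that also
             serves public traffic
    best   : VPN users land only on a dedicated admin host; public hosts
             accept admin traffic from that host's subnet only
    """
    tier, findings = "best", []
    public_hosts = {r.host for r in rules if r.port not in ADMIN_PORTS}

    def downgrade(to, msg):
        nonlocal tier
        findings.append(msg)
        if RANK[to] < RANK[tier]:
            tier = to

    for r in rules:
        if r.port not in ADMIN_PORTS:
            continue
        src = ipaddress.ip_network(r.source, strict=False)
        where = f"{r.host}:{r.port}"
        if src.prefixlen == 0:
            downgrade("bad", f"{where} open to the world ({r.source})")
        elif _within(src, admin):
            continue                                   # hop via the admin host: fine
        elif _within(src, vpn):
            if r.host in public_hosts:
                downgrade("better", f"{where} reachable straight from the VPN on a public host")
        else:
            downgrade("good", f"{where} limited by IP only ({r.source})")
    return tier, findings


# Constructed rule sets, one per tier (203.0.113.0/24 is a documentation range).
FORKLIFTED = [Rule("web1", 443, "0.0.0.0/0"), Rule("web1", 22, "0.0.0.0/0")]
GOOD = [Rule("web1", 443, "0.0.0.0/0"), Rule("web1", 22, "203.0.113.10/32")]
BETTER = [Rule("web1", 443, "0.0.0.0/0"), Rule("web1", 22, "10.8.0.0/24")]
BEST = [Rule("web1", 443, "0.0.0.0/0"), Rule("bastion", 22, "10.8.0.0/24"),
        Rule("web1", 22, "10.0.100.0/24")]

if __name__ == "__main__":
    for name, rules in [("forklifted", FORKLIFTED), ("good", GOOD),
                        ("better", BETTER), ("best", BEST)]:
        print(name, grade_admin_access(rules))
```

The check is deliberately pessimistic: a single world-open admin port drags the whole rule set to "bad" no matter how well the rest is done, which is how an attacker scores it too.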
WEB/APP SERVER
Good: Load balancing, “basic” hardening (IP ACLs, accept only the HTTP
methods the app actually uses, typically GET/POST, server tuned for large
loads). TLS (“SSL”) certificates are cheap nowadays


Better: Build web application firewalls and reverse caches
into your IaaS (ModSecurity is free)


Best: Use 3rd party services to handle load and minimize
security issues (CDNs like Akamai, Cloudflare)


Required: Input filtering, output encoding.
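The method allow-list from the "Good" tier and the required input filtering and output encoding, as an added example that is not code from the deck. The WSGI app, its `name` query parameter and the name pattern are assumptions; the `request` helper builds the WSGI environ by hand so nothing has to listen on a socket.

```python
"""Method allow-list, input filtering and output encoding for a WSGI app.

Added example, not from the deck.  greeting_app, its `name` parameter and
NAME_RE are assumptions; request() fakes the server so this runs offline.
"""
import html
import re
from urllib.parse import parse_qs

ALLOWED_METHODS = frozenset({"GET", "POST"})            # the slide's "only accept GET/POST"
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")   # assumed allow-list for `name`


def method_filter(app, allowed=ALLOWED_METHODS):
    """WSGI middleware: anything outside the allow-list gets 405 before the app sees it."""
    def wrapped(environ, start_response):
        if environ.get("REQUEST_METHOD") not in allowed:
            start_response("405 Method Not Allowed",
                           [("Content-Type", "text/plain"),
                            ("Allow", ", ".join(sorted(allowed)))])
            return [b"method not allowed\n"]
        return app(environ, start_response)
    return wrapped


def render_greeting_unsafe(name):
    # Vulnerable form: reflects the parameter into HTML untouched (XSS).
    return f"<p>Hello, {name}</p>"


def render_greeting(name):
    # Hardened form: entity-encode for HTML text; quote=True also covers attribute values.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def greeting_app(environ, start_response):
    name = parse_qs(environ.get("QUERY_STRING", "")).get("name", ["world"])[0]
    if not NAME_RE.match(name):                         # input filtering: reject, don't "clean"
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"invalid name\n"]
    body = render_greeting(name).encode("utf-8")        # output encoding even after filtering
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


application = method_filter(greeting_app)


def request(app, method, query=""):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app({"REQUEST_METHOD": method, "QUERY_STRING": query}, start_response))
    return captured["status"], captured["headers"], body.decode("utf-8")


if __name__ == "__main__":
    for method, query in [("DELETE", ""), ("GET", "name=%3Cscript%3E"), ("GET", "name=O%27Brien")]:
        print(method, query, request(application, method, query)[0])
```

Filtering and encoding are separate controls: the allow-list rejects input the app has no business accepting, while the encoder makes whatever does get through harmless in the context it is rendered into. Dropping either one reopens the hole the other was not designed to cover.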
DATASTORE
Good: Place DBs on separate host from application.


Better: Place DBs in separate datacenters, and replicate


Best: Migrate to a “NoSQL” datastore (Cassandra, MongoDB,
Elasticsearch); see the security caveats on the next slide


Required: Encrypt data-at-rest
NOSQL SECURITY?
• Many NoSQL systems ship with authentication disabled
  by default
• Data labeling or granular access control needs to be
  handled in the application




Artist: Luca, Italy
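What "handled in the application" looks like for the DATASTORE and NOSQL SECURITY slides, as an added example that is not code from the deck. `RawStore` stands in for a NoSQL collection reached without authentication; `LabeledStore` is the application layer that puts labels and ownership back. Principals, label names and documents are constructed; encryption at rest is a separate control and is not shown here.

```python
"""Application-side labels and access control over a datastore that enforces none.

Added example, not from the deck.  RawStore stands in for an unauthenticated
NoSQL collection; labels, principals and documents are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    clearances: frozenset   # labels this principal may read besides its own documents


class RawStore:
    """Whatever can reach this can read or write everything: no auth, no labels."""
    def __init__(self):
        self._docs = {}

    def insert(self, doc_id, doc):
        self._docs[doc_id] = dict(doc)

    def get(self, doc_id):
        return self._docs.get(doc_id)

    def scan(self):
        return list(self._docs.items())


class LabeledStore:
    """Every read and write passes a policy check in the application first."""
    def __init__(self, raw):
        self._raw = raw
        self.denied = []     # (user_id, doc_id, op): feed this to the audit log

    def put(self, who, doc_id, label, body):
        existing = self._raw.get(doc_id)
        if existing is not None and existing["owner"] != who.user_id:
            self._deny(who, doc_id, "put")
        self._raw.insert(doc_id, {"owner": who.user_id, "label": label, "body": body})

    def get(self, who, doc_id):
        doc = self._raw.get(doc_id)
        if doc is None:
            raise KeyError(doc_id)
        if not self._may_read(who, doc):
            self._deny(who, doc_id, "get")
        return doc["body"]

    def query(self, who, predicate):
        """Filter on the application side, before results cross the trust boundary."""
        return {doc_id: d["body"] for doc_id, d in self._raw.scan()
                if self._may_read(who, d) and predicate(d["body"])}

    @staticmethod
    def _may_read(who, doc):
        return doc["owner"] == who.user_id or doc["label"] in who.clearances

    def _deny(self, who, doc_id, op):
        self.denied.append((who.user_id, doc_id, op))
        raise PermissionError(f"{who.user_id} may not {op} {doc_id}")


def can(action):
    """True if action() completes without a PermissionError (for policy tests)."""
    try:
        action()
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    store = LabeledStore(RawStore())
    alice = Principal("alice", frozenset({"public"}))
    bob = Principal("bob", frozenset({"public"}))
    store.put(alice, "s1", "pii", {"ssn": "000-00-0000"})
    print("bob reads s1:", can(lambda: store.get(bob, "s1")), "denied:", store.denied)
```

The raw store is the reason the "Required: encrypt data-at-rest" line exists: anything that reaches the collection directly bypasses `LabeledStore` entirely, so the datastore's network exposure and its storage both need their own controls.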
INTER-PROCESS
COMMUNICATION
Good: Whatever you’ve dreamt up (cloud bullhorn?), at least
encrypt it.


Better: Use open protocols for communication between nodes.
Make sure encryption is enabled!


Best: Consider using message queues.


Required, in case you missed it: encryption.
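"Trust nobody" applied to the queue, as an added example that is not code from the deck. Transport encryption between each node and the broker (TLS on the AMQP listener, for instance) covers confidentiality and is assumed rather than shown; what this adds is an authenticated, replay-resistant envelope so a consumer can tell a genuine producer message from one injected or re-delivered by anything else that can reach the queue. The shared key, the freshness window and the sample payload are constructed.

```python
"""Authenticated, replay-resistant envelope for messages passing through a queue.

Added example, not from the deck.  Complements (does not replace) TLS to the
broker.  Key, window and payload are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE = 60          # seconds a message stays acceptable (assumed)


def seal(key, payload, now=None):
    """Producer side: timestamp + nonce + payload, tagged with HMAC-SHA256."""
    envelope = {"ts": int(now if now is not None else time.time()),
                "nonce": secrets.token_hex(8),
                "payload": payload}
    body = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + b"." + tag        # JSON object ends with '}', so rpartition('.') is safe


class Consumer:
    """Consumer side: verify the tag first, then freshness, then uniqueness."""
    def __init__(self, key, max_age=MAX_AGE):
        self._key = key
        self._max_age = max_age
        self._seen = {}      # nonce -> ts, pruned as messages age out of the window

    def open(self, message, now=None):
        now = now if now is not None else time.time()
        body, _, tag = message.rpartition(b".")
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode("ascii")
        if not hmac.compare_digest(tag, expected):       # constant-time compare
            raise ValueError("bad signature")
        envelope = json.loads(body)                      # only parse authenticated bytes
        if abs(now - envelope["ts"]) > self._max_age:
            raise ValueError("stale message")
        self._prune(now)
        if envelope["nonce"] in self._seen:
            raise ValueError("replayed message")
        self._seen[envelope["nonce"]] = envelope["ts"]
        return envelope["payload"]

    def _prune(self, now):
        self._seen = {n: ts for n, ts in self._seen.items() if now - ts <= self._max_age}


def accepts(consumer, message, now):
    """True if the consumer accepts the message (for tests and monitoring)."""
    try:
        consumer.open(message, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"shared-secret-from-the-secrets-store"
    msg = seal(key, {"job": "resize", "id": 42})
    consumer = Consumer(key)
    print("first delivery:", accepts(consumer, msg, time.time()))
    print("redelivery:", accepts(consumer, msg, time.time()))
```

The order of checks matters: the tag is verified before the JSON is parsed, so unauthenticated input never reaches the parser, and the nonce set is bounded by the same window that rejects stale messages, so a busy queue cannot grow it without limit.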
LOGGING & FORENSICS
What happens to logs when our scalable architecture…
scales down?


Cloud really really requires centralized logging, monitoring,
and management.


Also, consider erase vs. overwrite (a deleted file or released volume is not necessarily gone)
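The scale-down question above, answered in code: ship structured logs to a central collector and flush whatever is still buffered before the instance terminates. This is an added example, not code from the deck. The instance id is a placeholder (read it from the provider's metadata service in practice), `CollectorHandler` is an offline stand-in for the remote collector, and `syslog_collector` shows the real handler you would swap in.

```python
"""Centralized, structured logging that survives the instance going away.

Added example, not from the deck.  INSTANCE_ID is a placeholder and
CollectorHandler stands in for the remote collector so this runs offline.
"""
import atexit
import json
import logging
import logging.handlers
import socket

INSTANCE_ID = "i-0123456789abcdef0"   # assumed; the id must travel with every record


class JsonFormatter(logging.Formatter):
    """One JSON object per line, carrying the identity of the (short-lived) source."""
    def format(self, record):
        return json.dumps({
            "ts": round(record.created, 3),
            "host": socket.gethostname(),
            "instance": INSTANCE_ID,
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        }, sort_keys=True)


class CollectorHandler(logging.Handler):
    """Offline stand-in for the central collector: keeps what it receives."""
    def __init__(self):
        super().__init__()
        self.received = []

    def emit(self, record):
        self.received.append(self.format(record))

    def records(self):
        return [json.loads(line) for line in self.received]


def syslog_collector(host, port=514):
    """Production target: syslog over TCP.  SysLogHandler speaks plain syslog,
    so terminate TLS in front of it (rsyslog relay or stunnel) per the
    'encrypt everything' rule."""
    return logging.handlers.SysLogHandler(address=(host, port), socktype=socket.SOCK_STREAM)


def build_logger(target, name="app", capacity=256):
    """Buffer locally, forward on ERROR or when the buffer fills, flush at exit."""
    target.setFormatter(JsonFormatter())
    buffer = logging.handlers.MemoryHandler(capacity, flushLevel=logging.ERROR,
                                            target=target, flushOnClose=True)
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.addHandler(buffer)
    atexit.register(buffer.close)     # termination / scale-down: push what is still buffered
    return logger, buffer


if __name__ == "__main__":
    target = CollectorHandler()
    log, buf = build_logger(target)
    log.info("request id=%s path=%s", "r1", "/login")
    log.error("auth backend unreachable")      # forces a flush of everything buffered
    buf.close()
    print("\n".join(target.received))
```

Two caveats the buffer does not solve: a forced termination that never runs `atexit` loses whatever was buffered, so keep `capacity` small on instances that may be killed, and a collector that trusts any sender lets an attacker forge records, so authenticate the shipping channel as well as encrypt it.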
WHAT HAVE WE
BUILT?
• Scalable solution
• No single point of failure
• Healthy caution of all those around us (filtering/encoding)
• Data stored and transmitted safely
• And a nice set of audit logs for when Bad Things happen
LEARN MORE
Cloud Security Alliance
OWASP Cloud top 10
THANKS AND
CONTACT INFO

“Bad People” drawings from http://badpeopleproject.org


Follow me on twitter: @johnlkinsella

Editor's Notes

  1. Service: Infrastructure, Platform, Software as a service. Deployment: Private, community, public, hybrid
  2. So for each one of these things I’ll try to break it down into GOOD – BETTER – BEST.
  3. Some of these points fit better for IaaS, this is one of them
  4. Load balancing – Linux Virtual Server. “Best” – I’m expecting/wanting resistance to some of these points – I believe CDN/NoSQL/Message Queues have security value from a scalability POV, but they’re not slam-dunk arguments.
  5. RabbitMQ or ActiveMQ