The many benefits of running enterprise applications in cloud computing environments make the migration from traditional data center hosting to cloud service providers compelling. Differences in the way cloud computing services are delivered raise questions about how best to ensure that cloud-hosted applications implement security measures associated with conventional defense-in-depth strategies. Although the virtualized, distributed infrastructure characteristic of cloud computing environments does not directly support the separate zones long used to deploy multi-tier applications, there are architectural features and services available from many cloud service providers that can be used to design functionally equivalent security models. This session will present practical design considerations and architectural patterns for securing cloud-based applications. It will highlight key functions and security measures available from major cloud providers such as Amazon Web Service and Microsoft Azure. Despite the quite valid security concerns many organizations have about deploying applications to cloud computing environments, the infrastructure and platform services many CSPs offer may actually result in stronger security controls than would be feasible in in-house or traditional IT outsourcing environments.

1. Defending Applications In the Cloud
Architecting Layered Security Solutions in Cloud
Computing Environments
0

2. Agenda
• Introductions and context
• Conventional solution architecture
• Moving solutions to the cloud
• Intrusion detection and prevention in the
cloud
• Defensive strategies
• Security challenges in the cloud
1

3. Introductions
• Opinions on this topic are informed by three
perspectives:
– Current position as Chief Security and Privacy Officer
for a health IT services firm that operates systems in
conventional data centers and cloud computing
environments
– Adjunct professor at UMUC teaching courses in
information assurance, particularly Intrusion
Detection and Prevention
– Experience as a government contractor architecting,
implementing, and securing federal and state systems
2

4. Context
• Rapid adoption of cloud computing models
across most (if not all) industry sectors
– Infrastructure as a Service (IaaS)
– Platform as a Service (PaaS)
– Software as a Service (SaaS)
• Security is a prominent area of concern for
organizations moving systems, data, and services
to the cloud
• Well accepted network security practices, tools,
and architecture patterns do not always transfer
directly to the cloud
3

5. Security Architecture
• Specifics vary widely, but conventional security
architecture solutions reflect a “defense in depth”
approach with typical elements including:
– Network firewalls
– Intrusion detection and prevention systems
– Physical or logical subnets (VLANs)
– Identity and access management
– Threat and vulnerability scanners
– Audit logging and monitoring
– Event correlation/security information and event
management
– Disaster recovery
4

6. Network Security
Conventional Data Center Cloud Service Provider
Packet filtering firewall Network ACL; Security groups
Stateful inspection/intrusion prevention Security groups
Application firewall Third-party gateways or custom instances
Network address translation NAT instance
Boundary and domain router Virtual router
Virtual Private Network (VPN) appliance Virtual private gateway
Network Access Control (NAC) Not available
Network Intrusion Detection System (IDS) Third-party or custom instances
Subnet/VLAN via switches Subnets via routing tables
Corporate network/LAN Virtual private cloud
Disaster recovery via alternate site Disaster recovery via zone replication
5

7. Conventional Network Infrastructure
6
load balancer
switch
switch
integrated
security
device
storage array
databases
private
gateway
public
gateway
VPN
host servers
physical servers
server cluster
Internet
administrators
databases
Corporate data center
external service provider

8. Key Security Attributes
• Hardware-based firewall/IPS/VPN
• Subnets configured through switches
• Combination of physical and virtual hosts
• Separate gateway/point of integration for
connection to external entities
• Multiple options for deploying network-based
and host-based IDS/IPS, event monitoring,
and threat and vulnerability scanning
7

9. Infrastructure in the Cloud
8
routerInternet
gateway
Virtual Private
Gateway
instances
route table
elastic load
balancing
EBS
RDS
users
Internet
Availability Zone
security
group
VPC subnet
Availability Zone
instances
VPC subnet
RDS
S3
CloudWatch
EBS
S3
CloudWatch
security
group
security group
security group
corporate
data center
VPN

10. Key Security Attributes
• Virtual firewalls through security groups and ACLs
• Subnets through routing tables and virtual
gateways
• All hosts virtualized or delivered as service
• Private gateways for connections to customer
data center or external entities
• Limited network-based IDS/IPS
• Event monitoring and threat and vulnerability
scanning must be performed by customer or use
a third party service
9

11. Conventional Solution Architecture
web server database
server
application
server
router
security
appliance
network ids network idsnetwork ids
10
Internet

12. Solution Architecture in the Cloud
security
group
security
group
elastic load
balancer
application
server
security
group
web
server
routerInternet
gateway
database
server
alerts
CloudWatch
11

13. Intrusion Detection in the Cloud
• Conventional “in-line” IDS/IPS typically requires custom
configuration of an instance with multiple network
interfaces to route traffic through the IDS
12
router
route
tables
Internet
gateway
logs EBS S3
elastic load
balancer
instancesInstance with
dual interfaces
CloudWatch

14. Defensive Strategies
• Route public access through content and networking
services such as Akamai
– Optimized for web applications
– Greatly reduces external exposure of systems
• Enable secure point-to-point access with a virtual private
gateway
– Hardware-based endpoint at the cloud customer side
– Virtual endpoint on the cloud provider side
• Leverage asymmetric encryption for server/OS access
– Key pair generation is by default in AWS and an option in Azure
• Create dedicated VMs for administrative access (“jump
boxes”) and disable administrative channels/services like
SSH from any other source
13

15. Security Challenges in the Cloud
• Responsibility
– Customers deploying applications and data to the
cloud are responsible for securing what they deploy
• Log management and analysis
– VMs produce copious logs, written to central storage
area but not aggregated for analysis
– Logs need to be aggregated to facilitate review, often
using third party virtual appliances or services
– Firewall and virtual device logging/monitoring may be
limited or unavailable
14

16. Security Challenges in the Cloud
• Device authentication
– Little or no ability to perform checks like NAC scans or
MAC authentication
– Access filters can sometimes be applied through
separate services (e.g., geographic IP filter with AWS
CloudFront)
• Encryption
– Encryption of data at rest not natively supported in
some cloud products/services
– In many cases, OS-level or database encryption can be
enabled, but organizations still need to determine
how to manage keys
15

17. Summary
• Data center and application architectures can be
reproduced in cloud environments
• Some security capabilities seen as “standard” in
corporate data centers are not available or do not
operate the same way with cloud service providers
• If you deploy anything needing protection to a
cloud environment, you are responsible for
securing it
• Following cloud-specific defensive strategies
supports implementation of defense-in-depth
16

18. Questions
?
17

19. Contact Information
Dr. Stephen D. Gantz, DM
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
3501 University Blvd. East
Adelphi, MD 20783
stephen.gantz@faculty.umuc.edu
www.securityarchitecture.com
18