© 2012 CloudPassage Inc. Automating Security for the Cloud Simplifying Security and Compliance for IaaS Rand

Presentation transcript:

Slide 1: Automating Security for the Cloud. Simplifying Security and Compliance for IaaS. Rand. #CloudFairSeattle #CloudSec

Slide 2: What does CloudPassage do? Security for virtual servers running in public and private clouds: Firewall Automation, Multi-Factor Authentication, Account Management, Security Event Alerting, Configuration Security, Vulnerability Scanning, File Integrity Monitoring, API Automation.

Slide 3: Topics for Today: Why the cloud makes security hard. Who is responsible for the security of your cloud servers. Security and compliance in the cloud, technical realities: Firewall and Access Control; Server/Host Integrity. Make your life easier through cloud security automation.

Slide 4: Cloud Business Benefits and Challenges.

Slide 5: CISO Goals Moving to Cloud: Reduce Costs ✔. Increase Agility ✔. Reduce Risk (Legal & Regulatory, Business Continuity, Brand Protection) ?

Slide 6: IaaS is Incredibly Dynamic: Use only what you need. Pay only for what you use. Easily span providers. [Diagram: servers www-1 through www-7 spread across Cloud Provider A and Cloud Provider B.]

Slide 7: IaaS Radically Changes IT Ops: Varied (usually no) network access. Creating servers takes almost zero time. Server location can change frequently. [Diagram: a Gold Master in the Private Datacenter cloned into www-1 through www-7 across the Private Datacenter and the Public Cloud.]

Slide 8: Cloud Breaks Traditional Security Technologies.

Slide 9: Cloud Security is New. [Diagram: www-1 through www-4 in the private datacenter versus the public cloud.]

Slide 10: Cloud Security is Different. [Diagram: www-1 through www-4 in the private datacenter, with www-4 also shown in the public cloud.]

Slide 11: Cloud Security Is Complex. [Diagram: www-1 through www-4 in the Private Datacenter, www-4 through www-10 across Cloud Provider A and Cloud Provider B.]

Slide 12: Security Products Aren't Adapting: No Network Access. Temporary & Elastic Deployments. Multiple Cloud Environments. [Diagram: same multi-provider layout as slide 11.]

Slide 13: Cloud Security Responsibility.

Slide 14: Survey: Cloud Security Practices. Question: How do you secure your cloud servers today? Source: CloudPassage CloudSec Community Survey. [Chart: survey results, not recoverable from the transcript.]

Slide 15: Cloud Security Responsibility, AWS Shared Responsibility Model. Provider Responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network. Customer Responsibility: Virtual Machine (Operating System, App Framework, App Code, Data). "…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software..." "it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management." (Amazon Web Services: Overview of Security Processes)

Slide 16: (no text on slide)

Slide 17: Organizational Ostracism: QA & Site Reliability, Software Engineering, IT Operations, DevOps, Security Operations.

Slide 18: Different Job Goals: DevOps vs. SecOps.

Slide 19: Traditional DC Operations: Waiting for Server Provisioning… Delays in Firewall Updates… Typically 6 weeks to tip up a new server. [Diagram: a Firewall separating the dmz and core tiers, which hold Load Balancers, an Auth Server, App Servers and DBs.]

Slide 20: Why DevOps Loves the Cloud.

Slide 21: Securing Cloud Deployments: Whether in a private datacenter or a public cloud, server security is your responsibility, so know your security business drivers: Compliance, Continuity, Brand. Architect your systems to solve these problems in public, private, and hybrid deployments, specifically: Perimeter & Access Control; Server Integrity & Intrusion Detection.

Slide 22: Mapping Compliance to the Cloud: Firewalling Without Network Control.

Slide 23: PCI Controls Summary. [Table: not recoverable from the transcript.]

Slide 24: Traditional DC Firewalling. [Diagram: a Firewall separating the dmz and core tiers (Load Balancers, Auth Server, App Servers, DBs), with alert markers.]

Slide 25: Moving to the Cloud. [Diagram: the same dmz/core tiers behind the Firewall.]

Slide 26: Moving to the Cloud. [Diagram: the same tiers relocated into the public cloud.]

Slide 27: Moving to the Cloud. [Diagram: the tiers in the public cloud with no network Firewall; alert markers on every tier.]

Slide 28: Dynamic Cloud Firewalling. [Diagram: public cloud; the Load Balancer, each App Server and the DB Master carry their own host firewall (FW).]

Slide 29: Dynamic Cloud Firewalling. [Diagram: scaled out to two Load Balancers, three App Servers, a DB Master and a DB Slave, each with its own FW.]

Slide 30: Dynamic Cloud Firewalling. [Diagram: as slide 29, with a new App Server IP highlighted.]

Slide 31: Dynamic Cloud Firewalling. [Diagram: as slide 30, after one App Server is retired.]

Slide 32: Lessons to Learn: Whatever firewall options you have, use them. Make sure your firewall rules are updated quickly and automatically. Plan for the future, because you will be multi-cloud.
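The firewall lessons above come down to two habits: regenerate each host's rules from policy whenever the inventory changes, and check that what is actually loaded on a host still matches. The following Python is an added example, not CloudPassage or Halo code: it renders per-role rules in iptables-save syntax from a constructed policy and inventory, then reports drift for the scenario on slides 30 and 31, where a new app server is cloned and a debugging rule has been left behind on the database host. The role names, ports and 10.0.x.x addresses are assumptions made for the demo.

```python
"""Policy-driven host firewall rules for an elastic server group.

Added example for keeping host firewall rules current as servers come and go;
it is not CloudPassage/Halo code. The policy model, role names and IP
addresses below are constructed for illustration.
"""
import copy
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed policy: role -> [(port, protocol, source role or "any")].
POLICY: Dict[str, List[Tuple[int, str, str]]] = {
    "lb":  [(443, "tcp", "any")],
    "app": [(8080, "tcp", "lb"), (22, "tcp", "bastion")],
    "db":  [(3306, "tcp", "app"), (22, "tcp", "bastion")],
}

# Constructed inventory: role -> member IPs. In practice this comes from the
# cloud provider's API and changes whenever a VM is cloned or retired.
INVENTORY: Dict[str, List[str]] = {
    "lb": ["10.0.1.10"],
    "app": ["10.0.2.11", "10.0.2.12"],
    "db": ["10.0.3.20"],
    "bastion": ["10.0.0.5"],
}


def render_rules(role: str, policy=POLICY, inventory=INVENTORY) -> Set[str]:
    """Rules (iptables-save syntax) a server of `role` should carry right now.

    Source roles are expanded to their current members, so the output tracks
    the inventory instead of a hand-edited rule file.
    """
    rules = {"-P INPUT DROP",
             "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"}
    for port, proto, src_role in policy[role]:
        if src_role == "any":
            rules.add(f"-A INPUT -p {proto} --dport {port} -j ACCEPT")
            continue
        for src in inventory.get(src_role, []):
            ipaddress.ip_address(src)  # reject garbage before it reaches a rule
            rules.add(f"-A INPUT -s {src}/32 -p {proto} --dport {port} -j ACCEPT")
    return rules


def drift(role: str, current: Set[str], policy=POLICY,
          inventory=INVENTORY) -> Dict[str, List[str]]:
    """Compare the rules actually loaded on a host with what policy requires."""
    want = render_rules(role, policy, inventory)
    return {"missing": sorted(want - current), "unexpected": sorted(current - want)}


def clone_scenario() -> Dict[str, List[str]]:
    """A new app server is cloned after the db host's rules were rendered.

    An engineer also left a debugging rule that opens 3306 to everyone.
    Re-rendering against the new inventory surfaces both problems.
    """
    before = render_rules("db")
    before.add("-A INPUT -p tcp --dport 3306 -j ACCEPT")  # constructed debug leftover
    inventory = copy.deepcopy(INVENTORY)
    inventory["app"].append("10.0.2.13")                 # the freshly cloned VM
    return drift("db", before, POLICY, inventory)


if __name__ == "__main__":
    report = clone_scenario()
    print("missing:", *report["missing"], sep="\n  ")
    print("unexpected:", *report["unexpected"], sep="\n  ")
```

Running `drift()` on a schedule, or from the hook that fires when a VM is created or retired, turns slide 32's "updated quickly and automatically" into something measurable: an empty report means the host matches policy, and anything under "unexpected" is a rule that nobody declared.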

Slide 33: Mapping Compliance to the Cloud: Securing Highly Dynamic Servers.

Slide 34: PCI Controls Summary. [Table: not recoverable from the transcript.]

Slide 35: Traditional DC Operations Model (private datacenter): Capacity is mostly static. Servers are long-lived. Security risk on servers is mitigated by network defenses. [Diagram: www-1 through www-4 with alert markers.]

Slide 36: Cloud Operations Model: Capacity is highly dynamic. [Diagram: a Gold Master cloned into www-1 through www-4.]

Slide 37: Cloud Operations Model (public cloud): Capacity is highly dynamic. Servers are short lived. [Diagram: Gold Master clones www-1 through www-4; alert markers on www-2.]

Slide 38: Cloud Operations Model: Capacity is highly dynamic. Servers are short lived. [Diagram: Gold Master clones; alert markers on www-1, www-2 and a new www instance.]

Slide 39: Cloud Operations Model: Capacity is highly dynamic. Servers are short lived. Gold Master updates are rolled out incrementally. [Diagram: alert markers on www-1 and www-2, question marks on www-4.]

Slide 40: Cloud Operations Model: Capacity is highly dynamic. Servers are short lived. Gold Master updates are rolled out incrementally. What does server security mean in this environment? [Diagram: as slide 39.]

Slide 41: Ensuring Cloud Server Integrity. [Diagram: www-1 through www-4; alert markers on www-1 and www-2.]

Slide 42: Ensuring Cloud Server Integrity: Scan for misconfigurations due to deployment or debugging issues. [Diagram: as slide 41, with question marks on unverified servers.]

Slide 43: Ensuring Cloud Server Integrity: Scan for misconfigurations due to deployment or debugging issues. Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly.

Slide 44: Ensuring Cloud Server Integrity: Scan for misconfigurations due to deployment or debugging issues. Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly. Monitor business code for unintended or malicious changes.

Slide 45: Ensuring Cloud Server Integrity: Scan for misconfigurations due to deployment or debugging issues. Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly. Monitor business code for unintended or malicious changes. Automate management and monitoring of these critical operational security points.
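Slides 42 through 45 describe one procedure: know what a server should look like, then detect deployment leftovers, stale packages and tampered code. The following Python is an added example covering the file-level part of that procedure (configuration files and business code; package versions are out of scope here) and is not CloudPassage or Halo code. It hashes a gold master image into a baseline and classifies a clone as clean or drifted, handling the incremental-rollout case from slide 39 by accepting any currently approved image version. The directory layout, file contents and version names are constructed for the demo.

```python
"""Verify cloned servers against versioned gold master baselines.

Added example for the server-integrity slides; not CloudPassage/Halo code.
It assumes servers are cloned from a gold master and that, because image
updates roll out incrementally, a clone is clean if it matches ANY currently
approved image version. Paths and file contents are constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[str, int]]  # relative path -> (sha256 hex, permission bits)


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Hash every regular file under root and record its permission bits."""
    out: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (_sha256(full), os.stat(full).st_mode & 0o7777)
    return out


def diff_baselines(expected: Baseline, observed: Baseline) -> Dict[str, List[str]]:
    """Files added, removed, or changed (content or mode) relative to expected."""
    exp, obs = set(expected), set(observed)
    return {
        "added": sorted(obs - exp),
        "removed": sorted(exp - obs),
        "modified": sorted(p for p in exp & obs if expected[p] != observed[p]),
    }


def classify(observed: Baseline, approved: Dict[str, Baseline]):
    """('ok', version) if the server matches an approved image, else ('drift', diff).

    The drift report is taken against the newest image; version keys are
    assumed to sort in release order (v1 < v2 ...).
    """
    for version in sorted(approved):
        if not any(diff_baselines(approved[version], observed).values()):
            return ("ok", version)
    newest = max(approved)
    return ("drift", diff_baselines(approved[newest], observed))


def _write(root: str, rel: str, data: bytes, mode: int = 0o644) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Two gold master versions, one clean clone of v1, one tampered clone of v2."""
    with tempfile.TemporaryDirectory() as tmp:
        gm1 = os.path.join(tmp, "gm-v1")
        _write(gm1, "etc/app.conf", b"debug=false\n")
        _write(gm1, "srv/app/handler.py", b"VERSION = 1\n")
        gm2 = os.path.join(tmp, "gm-v2")
        shutil.copytree(gm1, gm2)
        _write(gm2, "srv/app/handler.py", b"VERSION = 2\n")  # the incremental update
        approved = {"v1": build_baseline(gm1), "v2": build_baseline(gm2)}

        clean = os.path.join(tmp, "www-1")
        shutil.copytree(gm1, clean)                           # still on v1: fine
        tampered = os.path.join(tmp, "www-2")
        shutil.copytree(gm2, tampered)
        _write(tampered, "etc/app.conf", b"debug=true\n")         # debugging leftover
        _write(tampered, "srv/app/.helper.py", b"import os\n")    # code nobody deployed
        os.chmod(os.path.join(tampered, "srv/app/handler.py"), 0o777)  # permission drift
        return (classify(build_baseline(clean), approved),
                classify(build_baseline(tampered), approved))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The baseline is built from the image, not from the running server, which is what makes the check meaningful on short-lived clones: a server that has drifted from every approved image has either a deployment mistake or a change nobody authorised, and the report names the files either way.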

Slide 46: Lessons to Learn: Embrace the flexibility of the cloud; re-think operations. Secure your server integrity by keeping images up-to-date and monitoring closely for changes. Know what areas of security you are responsible for and automate them heavily.

Slide 47: Automating Cloud Security.

Slide 48: Cloud Security Challenges: Inconsistent Control (you don't own everything): the only thing you can count on is guest VM ownership. Elasticity (not all servers are steady-state): cloud-bursting, stale servers, dynamic provisioning. Scalability (handle variable workloads): may have one dev server or 1,000 number-crunchers. Portability (same controls must work anywhere): nobody wants multiple tools or IaaS provider lock-in.

Slide 49: Thesis: In cloud environments, the intersection of control, portability & scale is always the guest virtual machine.

Slide 50: The VM is the Unit of Control. Controlled by Hosting Provider: Physical Facilities, Hypervisor, Compute & Storage, Shared Network. Controlled by Hosting User: Virtual Machine (Operating System, App Framework, App Code, Data).

Slide 51: The VM is the Unit of Scale. [Diagram: two identical Virtual Machine stacks (Operating System, App Framework, App Code, Data) on one set of Physical Facilities, Hypervisor, Compute & Storage and Shared Network.]

Slide 52: The VM is the Unit of Portability. [Diagram: the same Virtual Machine stack on a Private Cloud and on an IaaS Provider, each with its own Physical Facilities, Hypervisor, Compute & Storage and Shared Network.]

Slide 53: Secure the VM. FW: Provision host-based firewalls (inbound and outbound). OS: Secure the OS services and configurations. App Framework: Ensure application stacks are up-to-date and locked down. App Code: Continuously verify application code is current and un-tampered. Data: Track sensitive data and prevent egress. Automate, Automate, Automate.

Slide 54: Separate Security Controls. [Diagram: the Virtual Machine layers FW, OS, App Framework, App Code and Data, divided between DevOps and SecOps.]

Slide 55: VM Approach Enables CloudSec: ✔ Consistent enforcement: same security controls will work everywhere. ✔ Handles highly dynamic environments: no need to configure external systems as VMs clone. ✔ Very, very scalable: distribute firewall and security processing across all nodes. ✔ Portable across public/private/hybrid clouds: works everywhere you run a virtual server.

Slide 56: Summary and Best Practices.

Slide 57: How To Secure Cloud Servers: Servers in hybrid and public clouds must be self-defending with highly automated controls like… Dynamic firewall & access control. Server account visibility & control. Configuration and package security. Server compromise & intrusion alerting. Server forensics and security analysis. Integration & automation capabilities.

Slide 58: Best Practices: Read and understand what your provider does, and what you are responsible for. Focus on securing what you can control. Take extra precautions when moving servers outside your data center. Start with public cloud, after that everything is easy!

Slide 59: CloudPassage Automates Cloud Security.

Slide 60: Cloud Security With Halo.

Slide 61: How It Works. Halo Daemon: ultra light-weight software, installed on server image, automatically provisioned. Halo Grid: elastic compute grid, hosted by CloudPassage, does the heavy lifting for the Halo Daemons. [Diagram: www-1 running Halo, connected to the Halo Grid.]

Slide 62: [Diagram: www-1 through www-4, each running Halo, connect over https to the CloudPassage Halo Compute Grid; Policies, Commands and Reports pass through a RESTful API Gateway (https); Alerts, Reports and Trending appear in the User Portal.]

Slide 63: Try Halo FREE, 5 Minute Setup: Register at cloudpassage.com. Configure security policies in Halo web portal. Install daemons on cloud servers. Free for 25 servers!

Slide 64: In Closing.

Slide 65: Moral of the Story: Security of your cloud servers is your responsibility. Security risks in the cloud are real (just check your ssh/RDP logs). Security automation isn't just a best practice, it makes your life easier.
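"Just check your ssh/RDP logs" is a concrete instruction, so here is what that check looks like when automated. The following Python is an added example, not CloudPassage or Halo code: it parses the OpenSSH sshd message formats for failed and accepted logins out of a syslog-style auth log and raises two defender-side signals, a source with many failures and a successful login from a source that had already failed. The log lines are constructed and use the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24; the threshold of 5 is an assumption to tune per environment.

```python
"""Spot password-guessing in sshd logs.

Added example for the "check your ssh/RDP logs" remark; not CloudPassage/Halo
code. It parses the OpenSSH sshd message formats for failed and accepted
logins. The sample lines are constructed and use documentation IP ranges.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Tuple

# Matches the tail of OpenSSH auth messages, for example:
#   sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
#   sshd[2290]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed auth log: a guessing run that ends in a root login, a normal
# key-based login, and a user who mistyped a password once.
SAMPLE_LOG = """\
Mar  9 10:01:02 www-1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  9 10:01:03 www-1 sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 51235 ssh2
Mar  9 10:01:03 www-1 sshd[2235]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  9 10:01:04 www-1 sshd[2237]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  9 10:01:05 www-1 sshd[2239]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Mar  9 10:01:06 www-1 sshd[2241]: Failed password for root from 203.0.113.7 port 51239 ssh2
Mar  9 10:01:40 www-1 sshd[2260]: Accepted password for root from 203.0.113.7 port 51240 ssh2
Mar  9 10:02:11 www-1 sshd[2290]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Mar  9 10:03:02 www-1 sshd[2301]: Failed password for dave from 198.51.100.9 port 50011 ssh2
Mar  9 10:03:09 www-1 sshd[2303]: Accepted password for dave from 198.51.100.9 port 50012 ssh2
Mar  9 10:03:15 www-1 sshd[2305]: pam_unix(sshd:session): session opened for user dave by (uid=0)
"""


def parse(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one event dict per login attempt; unrelated lines are skipped."""
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            yield m.groupdict()


def analyze(lines: Iterable[str], threshold: int = 5):
    """Two signals from the log.

    brute_force: sources with at least `threshold` failed logins.
    success_after_failures: (src, user, method, prior failures) for each
    successful login from a source that had already failed; one or two prior
    failures is usually a typo, a long run followed by success is not.
    """
    failures: Counter = Counter()
    successes: List[Tuple[str, str, str, int]] = []
    for ev in parse(lines):
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif failures[ev["src"]]:
            successes.append((ev["src"], ev["user"], ev["method"], failures[ev["src"]]))
    return {
        "brute_force": {src: n for src, n in failures.items() if n >= threshold},
        "success_after_failures": successes,
    }


def analyze_sample():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for signal, hits in analyze_sample().items():
        print(signal, hits)
```

On a real host the input is the auth log (or `journalctl -u ssh` output) rather than the constructed string, and the second signal is the one worth alerting on immediately: a password login that succeeds after a run of failures from the same source is exactly the event the slide's aside is warning about.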

Slide 66: The End. Ask questions! Lots more info: community.cloudpassage.com. Small bits of Tell me what you think! We're hiring! DevOps, Rails, UX, SecOps, etc… BTW, We're Hiring!

Slide 67: Thank You! #CloudFairSeattle #CloudSec

Slide 68: Halo Integration API.

Slide 69: Halo Reduces Your Workload: things you DON'T need to script with CloudPassage Halo. Managed Automatically: Add new server to policy group. Remove firewall policies when servers are retired. Scan for vulnerabilities of installed software packages. Many, many more… Monitored Continually: Verify firewall rules match policy. Alert administrators of missing servers. Monitor critical server configuration files for security posture. Many, many more…

Slide 70: Adding New Server Accounts. [Diagram: a Corporate Directory and Enterprise Provisioning System in the private datacenter feed the Security Operations Portal and the RESTful API Gateway (https) of the CloudPassage Halo Grid, which pushes GhostPorts Access and Local Server Accounts to www-1 and www-2 (each running Halo) in the public cloud.]

Slide 71: Other Cool Halo/API Tricks: Set password reset requirements for a server user account. Find server accounts that don't have passwords (it happens). Find those spooky root-owned setuid files. Generate alerts if PID files go missing. Generate an alert if someone is in a group they shouldn't be in (like wheel). Generate massively detailed reports of server configuration status for auditors (keep 'em busy for weeks). Get a report of every server that a user *does not* have an account on. Get a report of every server that a user has an account on. Get alerted if a new cloud server gets created. Learn what process that TCP/IP port is bound to. Make sure that init.d startup scripts can't be tampered with by non-root users. Make sure that services are not running with excessive privileges. Monitor servers to detect old user accounts that should have been cleaned up, but might have gotten missed. Many, many more at community.cloudpassage.com
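Several items on that list are plain host checks that any scanner, scripted or not, has to implement: accounts with no password, unexpected members of wheel, root-owned setuid files, and init.d scripts writable by non-root users. The following Python is an added example showing those four checks in one place; it is not CloudPassage or Halo code and does not use the Halo API. The /etc/shadow and /etc/group text and the file listing are constructed so the checks run offline, and the allowlists (which setuid binaries are expected, who may be in wheel) are assumptions a real deployment would take from its own build standard.

```python
"""Account and privilege checks of the kind listed above, run offline.

Added example; not CloudPassage/Halo code and not the Halo API. The shadow
and group text and the file listing are constructed; the allowlists are
assumptions a deployment would set from its build standard.
"""
from typing import Dict, List, Set, Tuple

# Constructed /etc/shadow: tmpuser has an EMPTY password field (no password at
# all); daemon (*) and olddev (!) are locked, which is a different situation.
SHADOW = """\
root:$6$constructed$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
deploy:$6$constructed$notarealhash2:19000:0:99999:7:::
tmpuser::19000:0:99999:7:::
olddev:!:18500:0:99999:7:::
"""

# Constructed /etc/group: tmpuser has ended up in wheel.
GROUP = """\
root:x:0:
wheel:x:10:deploy,tmpuser
sudo:x:27:deploy
www-data:x:33:
"""

# Constructed file listing as (path, owner uid, permission bits), the fields
# a real scan would take from os.lstat().
FILES: List[Tuple[str, int, int]] = [
    ("/usr/bin/passwd", 0, 0o4755),
    ("/usr/bin/sudo", 0, 0o4755),
    ("/usr/bin/python3", 0, 0o755),
    ("/tmp/.x", 0, 0o4755),               # root-owned setuid binary nobody expected
    ("/home/deploy/tool", 1001, 0o4755),  # setuid, but not root-owned
    ("/etc/init.d/ssh", 0, 0o755),
    ("/etc/init.d/app", 0, 0o777),        # startup script writable by everyone
]

EXPECTED_SETUID: Set[str] = {"/usr/bin/passwd", "/usr/bin/sudo"}
WHEEL_ALLOWED: Set[str] = {"deploy"}


def accounts_without_password(shadow_text: str) -> List[str]:
    """Accounts whose shadow password field is empty: no password is needed to log in."""
    found = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[1] == "":
            found.append(fields[0])
    return found


def unexpected_group_members(group_text: str, group: str, allowed: Set[str]) -> List[str]:
    """Supplementary members of `group` who are not on the allowlist."""
    for line in group_text.splitlines():
        if not line:
            continue
        name, _pw, _gid, members = line.split(":", 3)
        if name == group:
            return sorted(m for m in members.split(",") if m and m not in allowed)
    return []


def unexpected_root_setuid(files, expected: Set[str]) -> List[str]:
    """Root-owned files with the setuid bit that the build standard does not list."""
    return sorted(path for path, uid, mode in files
                  if uid == 0 and mode & 0o4000 and path not in expected)


def init_scripts_writable_by_others(files, prefix: str = "/etc/init.d/") -> List[str]:
    """Startup scripts a non-root user could edit (group- or world-writable)."""
    return sorted(path for path, _uid, mode in files
                  if path.startswith(prefix) and mode & 0o022)


def audit() -> Dict[str, List[str]]:
    """Run every check over the constructed inputs; an empty list means clean."""
    return {
        "no_password": accounts_without_password(SHADOW),
        "wheel_unexpected": unexpected_group_members(GROUP, "wheel", WHEEL_ALLOWED),
        "setuid_unexpected": unexpected_root_setuid(FILES, EXPECTED_SETUID),
        "init_writable": init_scripts_writable_by_others(FILES),
    }


if __name__ == "__main__":
    for check, hits in audit().items():
        print(f"{check}: {hits or 'clean'}")
```

Each check compares the host against an explicit expectation rather than a heuristic, which is what lets it run unattended across a fleet of short-lived clones: the allowlists live with the gold master, and any hit is a deviation from the image, not a judgement call.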