© 2012 CloudPassage Inc.

Slide 1: Automating Security for the Cloud: Simplifying Security and Compliance for IaaS
Rand Wacker, rand@cloudpassage.com, @cloudpassage
#CloudFairSeattle - #CloudSec
Slide 2: What does CloudPassage do?
Security for virtual servers running in public and private clouds:
- Firewall Automation
- Multi-Factor Authentication
- Account Management
- Security Event Alerting
- Configuration Security
- Vulnerability Scanning
- File Integrity Monitoring
- API Automation
Slide 3: Topics for Today
- Why the cloud makes security hard
- Who is responsible for the security of your cloud servers
- Security and compliance in the cloud, technical realities: Firewall and Access Control; Server/Host Integrity
- Make your life easier through cloud security automation
Slide 4: Cloud Business Benefits and Challenges

Slide 5: CISO Goals Moving to Cloud
- Reduce Costs (✔)
- Increase Agility (✔)
- Reduce Risk: Legal & Regulatory, Business Continuity, Brand Protection (?)
Slide 6: IaaS is Incredibly Dynamic
- Use only what you need
- Pay only for what you use
- Easily span providers
[Diagram: web servers www-1 through www-7 spread across Cloud Provider A and Cloud Provider B]

Slide 7: IaaS Radically Changes IT Ops
- Varied (usually no) network access
- Creating servers takes almost zero time
- Server location can change frequently
[Diagram: a Gold Master image cloned into www-1 through www-7 across a Private Datacenter and a Public Cloud]
Slide 8: Cloud Breaks Traditional Security Technologies

Slide 9: Cloud Security is New
[Diagram: www-1 through www-4 in a private datacenter, and the same four servers in a public cloud]

Slide 10: Cloud Security is Different
[Diagram: www-1 through www-4 in a private datacenter, with www-4 moved into the public cloud]

Slide 11: Cloud Security Is Complex
[Diagram: www-1 through www-4 in a Private Datacenter, www-4 through www-10 in Cloud Provider A, www-7 through www-10 in Cloud Provider B]

Slide 12: Security Products Aren't Adapting
- No Network Access
- Temporary & Elastic Deployments
- Multiple Cloud Environments
[Diagram: the same three-environment layout as slide 11]
Slide 13: Cloud Security Responsibility

Slide 14: Survey: Cloud Security Practices
Question: How do you secure your cloud servers today?
Source: CloudPassage CloudSec Community Survey
[Chart: survey responses]

Slide 15: Cloud Security Responsibility: AWS Shared Responsibility Model
Provider Responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Customer Responsibility: Virtual Machine (Operating System, App Framework, App Code, Data)
"…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software..."
"it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management."
Source: Amazon Web Services: Overview of Security Processes
Slide 16: [image only]

Slide 17: Organizational Ostracism
[Diagram: Security Operations set apart from QA & Site Reliability, Software Engineering, IT Operations and DevOps]

Slide 18: Different Job Goals: DevOps vs. SecOps
Slide 19: Traditional DC Operations
[Diagram: dmz and core zones behind a Firewall, with Load Balancers, App Servers, an Auth Server and DBs]
- Waiting for server provisioning…
- Delays in firewall updates…
- Typically 6 weeks to spin up a new server

Slide 20: Why DevOps Loves the Cloud
Slide 21: Securing Cloud Deployments
Whether in a private datacenter or a public cloud, server security is your responsibility, so know your security business drivers: Compliance, Continuity, Brand.
Architect your systems to solve these problems in public, private, and hybrid deployments, specifically:
- Perimeter & Access Control
- Server Integrity & Intrusion Detection
Slide 22: Mapping Compliance to the Cloud: Firewalling Without Network Control

Slide 23: PCI Controls Summary
[Table shown as an image]
Slide 24: Traditional DC Firewalling
[Diagram: dmz and core zones behind a Firewall, with Load Balancers, App Servers, an Auth Server and DBs; alerts (!) at the Firewall]

Slides 25-27: Moving to the Cloud (built up over three slides)
[Diagram: the dmz/core tiers are first shown behind the datacenter Firewall, then relocated into a public cloud still drawn behind that Firewall, and finally in the public cloud with no perimeter Firewall at all; alerts (!) appear on each exposed Load Balancer, App Server, Auth Server and DB]
Slides 28-31: Dynamic Cloud Firewalling (built up over four slides)
[Diagram: public cloud; a Load Balancer, two App Servers and a DB Master, each with its own host firewall (FW). The deployment then scales out to two Load Balancers, three App Servers, DB Master and DB Slave, each still with its own FW. An App Server IP is highlighted as it is added, and then one App Server is removed again.]
Slide 32: Lessons to Learn
- Whatever firewall options you have, use them
- Make sure your firewall rules are updated quickly and automatically
- Plan for the future, because you will be multi-cloud
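The point of slides 28-32 is that with no perimeter to put rules on, each host's own firewall has to be regenerated from the current inventory every time an app server appears or disappears. The following is an added example of that regeneration, not CloudPassage/Halo code: the Server records, the role names, the POLICY table and the two inventories are assumptions constructed for the illustration, and the rules are emitted as iptables-restore style text rather than applied to a host.

```python
"""Regenerate a host-based firewall allow-list from the current server inventory.

Added example, not CloudPassage/Halo code. The inventory records, the role
names and the POLICY table are assumptions for this illustration; rules are
emitted as iptables-restore style text and are not applied to any host."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    name: str
    role: str
    ip: str


# Inbound policy per destination role: (source role, TCP port). "any" = public.
POLICY = {
    "lb":  [("any", 443)],      # load balancers are reachable from the Internet
    "app": [("lb", 8080)],      # only load balancers may reach the app tier
    "db":  [("app", 3306)],     # only app servers may reach the database
}


def build_rules(target, inventory):
    """Return the INPUT chain a target host should enforce right now.

    Default deny: everything not explicitly allowed falls through to DROP.
    Source IPs are taken from the live inventory, so a new or re-provisioned
    app server is allowed (and a retired one dropped) on the next run."""
    allow = []
    for src_role, port in POLICY.get(target.role, []):
        if src_role == "any":
            allow.append(f"-A INPUT -p tcp --dport {port} -j ACCEPT")
            continue
        for s in inventory:
            if s.role == src_role and s.name != target.name:
                ipaddress.ip_address(s.ip)   # fail loudly on a malformed inventory entry
                allow.append(f"-A INPUT -s {s.ip}/32 -p tcp --dport {port} -j ACCEPT")
    return (["-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
            + sorted(allow)            # sorted so identical inventories give identical text
            + ["-A INPUT -j DROP"])


def diff_rules(old, new):
    """What an inventory change did to a host's ruleset: (added, removed)."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


# Constructed inventory at two points in time: app-2 is replaced by app-3,
# which comes up with a different IP, exactly what happens on re-provisioning.
INVENTORY_T0 = [
    Server("lb-1", "lb", "10.0.1.10"),
    Server("app-1", "app", "10.0.2.11"),
    Server("app-2", "app", "10.0.2.12"),
    Server("db-master", "db", "10.0.3.20"),
]
INVENTORY_T1 = [s for s in INVENTORY_T0 if s.name != "app-2"] + [
    Server("app-3", "app", "10.0.2.45"),
]


def db_rule_change():
    """Rules the DB master enforced before and after the swap, plus the diff."""
    db = next(s for s in INVENTORY_T0 if s.role == "db")
    old = build_rules(db, INVENTORY_T0)
    new = build_rules(db, INVENTORY_T1)
    return old, new, diff_rules(old, new)


if __name__ == "__main__":
    old, new, (added, removed) = db_rule_change()
    print("\n".join(new))
    print("added:", added, "\nremoved:", removed)
```

Running it shows the DB master's allow-list gaining 10.0.2.45 and losing 10.0.2.12 with no operator involved; the diff output is what you would log or alert on, and the trailing DROP is what makes a stale or missing rule fail closed rather than open.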
Slide 33: Mapping Compliance to the Cloud: Securing Highly Dynamic Servers

Slide 34: PCI Controls Summary
[Table shown as an image]
Slide 35: Traditional DC Operations Model
- Capacity is mostly static
- Servers are long-lived
- Security risk on servers is mitigated by network defenses
[Diagram: private datacenter with long-lived www-1 through www-4, each carrying accumulated issues (!)]

Slides 36-40: Cloud Operations Model (built up over five slides)
- Capacity is highly dynamic
- Servers are short lived
- Gold Master updates are rolled out incrementally
[Diagram: a www Gold Master is cloned into www-1 through www-4 in the public cloud; clones come and go, some carry issues (!) inherited from the image, and www-4 is of unknown state (?) while an image update is still rolling out]
What does server security mean in this environment?
Slides 41-45: Ensuring Cloud Server Integrity (built up over five slides)
- Scan for misconfigurations due to deployment or debugging issues
- Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
- Monitor business code for unintended or malicious changes
- Automate management and monitoring of these critical operational security points
[Diagram: www-1 through www-4, some flagged with issues (!) or unknown state (?)]
Slide 46: Lessons to Learn
- Embrace the flexibility of the cloud; re-think operations
- Secure your server integrity by keeping images up-to-date and monitoring closely for changes
- Know what areas of security you are responsible for and automate them heavily
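"Monitor business code for unintended or malicious changes" (slides 41-46) is a baseline-and-compare problem: hash what the Gold Master shipped, re-hash the running server, report the difference. The following is an added example of that check, not CloudPassage/Halo code; the app tree, file names, contents and the changes made to them are constructed in a temporary directory so the example runs offline.

```python
"""Baseline-and-compare integrity check for a server's application code.

Added example, not CloudPassage/Halo code. snapshot() hashes a directory
tree and records file modes; compare() reports added, removed, modified and
permission-changed files. demo() builds a constructed temp tree so it runs
offline; paths and contents there are made up for the illustration."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> (sha256 hex, permission bits) for regular files under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)                     # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            snap[os.path.relpath(full, root)] = (h.hexdigest(), stat.S_IMODE(st.st_mode))
    return snap


def compare(baseline, current):
    """Return (kind, path) findings; a file can be both modified and mode_changed."""
    findings = [("removed", p) for p in sorted(set(baseline) - set(current))]
    findings += [("added", p) for p in sorted(set(current) - set(baseline))]
    for p in sorted(set(baseline) & set(current)):
        (b_hash, b_mode), (c_hash, c_mode) = baseline[p], current[p]
        if b_hash != c_hash:
            findings.append(("modified", p))
        if b_mode != c_mode:
            findings.append(("mode_changed", p))   # e.g. a secrets file made world-writable
    return findings


def demo():
    """Baseline a constructed app tree, change it the way a bad deploy or an
    intruder would, and return what the second scan reports."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text, mode=0o644):
            path = os.path.join(root, rel)
            with open(path, "w") as f:
                f.write(text)
            os.chmod(path, mode)            # explicit mode so umask does not matter

        os.makedirs(os.path.join(root, "app"))
        write("app/index.php", "<?php echo 'release 42'; ?>")
        write("app/config.php", "<?php $db_password = 'placeholder'; ?>", 0o600)
        write("app/lib.php", "<?php function helper() {} ?>")
        baseline = snapshot(root)           # what the Gold Master shipped

        write("app/index.php", "<?php echo 'release 42'; include 'x.php'; ?>")  # code changed
        write("app/.cache.php", "<?php /* file that was never deployed */ ?>")  # new file
        os.chmod(os.path.join(root, "app/config.php"), 0o666)                # now world-writable
        os.remove(os.path.join(root, "app/lib.php"))                         # file gone
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:13} {path}")
```

In a real deployment the baseline comes from the image the server was cloned from, not from the server itself, otherwise a compromised host baselines its own tampered files. Recording permission bits alongside the hash is what catches the config.php case above, where the content is untouched but the file has become writable by every account on the box.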
Slide 47: Automating Cloud Security

Slide 48: Cloud Security Challenges
- Inconsistent Control (you don't own everything): the only thing you can count on is guest VM ownership
- Elasticity (not all servers are steady-state): cloud-bursting, stale servers, dynamic provisioning
- Scalability (handle variable workloads): may have one dev server or 1,000 number-crunchers
- Portability (same controls must work anywhere): nobody wants multiple tools or IaaS provider lock-in

Slide 49: Thesis
In cloud environments, the intersection of control, portability & scale is always the guest virtual machine.
Slide 50: The VM is the Unit of Control
Controlled by Hosting Provider: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Controlled by Hosting User: Virtual Machine (Operating System, App Framework, App Code, Data)

Slide 51: The VM is the Unit of Scale
[Diagram: two identical Virtual Machine stacks (Operating System, App Framework, App Code, Data) on the same provider layers]

Slide 52: The VM is the Unit of Portability
[Diagram: the same Virtual Machine stack shown on a Private Cloud and on an IaaS Provider]
Slide 53: Secure the VM
- FW: provision host-based firewalls (inbound and outbound)
- OS: secure the OS services and configurations
- App Framework: ensure application stacks are up-to-date and locked down
- App Code: continuously verify application code is current and un-tampered
- Data: track sensitive data and prevent egress
Automate, Automate, Automate

Slide 54: Separate Security Controls
[Diagram: the Virtual Machine stack (FW, OS, App Framework, App Code, Data) split between DevOps and SecOps ownership]

Slide 55: VM Approach Enables CloudSec
- Consistent enforcement: the same security controls will work everywhere ✔
- Handles highly dynamic environments: no need to configure external systems as VMs clone ✔
- Very, very scalable: distribute firewall and security processing across all nodes ✔
- Portable across public/private/hybrid clouds: works everywhere you run a virtual server ✔
Slide 56: Summary and Best Practices

Slide 57: How To Secure Cloud Servers
Servers in hybrid and public clouds must be self-defending with highly automated controls like:
- Dynamic firewall & access control
- Server account visibility & control
- Configuration and package security
- Server compromise & intrusion alerting
- Server forensics and security analysis
- Integration & automation capabilities

Slide 58: Best Practices
- Read and understand what your provider does, and what you are responsible for
- Take extra precautions when moving servers outside your data center
- Start with public cloud; after that everything is easy!
- Focus on securing what you can control
Slide 59: CloudPassage Automates Cloud Security

Slide 60: Cloud Security With Halo

Slide 61: How It Works
Halo Daemon: ultra light-weight software, installed on the server image, automatically provisioned
Halo Grid: elastic compute grid hosted by CloudPassage; does the heavy lifting for the Halo Daemons
[Diagram: www-1 running the Halo daemon, connected to the Halo Grid]

Slide 62: CloudPassage Halo
[Diagram: Halo daemons on www-1 through www-4 talk over https to the Compute Grid; the User Portal (Alerts, Reports and Trending) and the RESTful API Gateway (Policies, Commands, Reports) also connect over https]

Slide 63: Try Halo FREE - 5 Minute Setup
- Register at cloudpassage.com
- Configure security policies in the Halo web portal
- Install daemons on cloud servers
Free for 25 servers!
Slide 64: In Closing

Slide 65: Moral of the Story
- Security of your cloud servers is your responsibility
- Security risks in the cloud are real (just check your ssh/RDP logs)
- Security automation isn't just a best practice, it makes your life easier

Slide 66: The End
Ask questions!
- Lots more info: community.cloudpassage.com
- Small bits of info: @cloudpassage
Tell me what you think!
- Email: rand@cloudpassage.com
- Twitter: @randwacker
BTW, We're Hiring! DevOps, Rails, UX, SecOps, etc…
- Email: jobs@cloudpassage.com

Slide 67: Thank You!
Rand Wacker, rand@cloudpassage.com, @randwacker, @cloudpassage
#CloudFairSeattle - #CloudSec
Slide 68: Halo Integration API

Slide 69: Halo Reduces Your Workload
Things you DON'T need to script with CloudPassage Halo:
Managed Automatically
- Add new server to policy group
- Remove firewall policies when servers are retired
- Scan for vulnerabilities of installed software packages
- Many, many more…
Monitored Continually
- Verify firewall rules match policy
- Alert administrators of missing servers
- Monitor critical server configuration files for security posture
- Many, many more…

Slide 70: Adding New Server Accounts
[Diagram: an Enterprise Provisioning System and Corporate Directory in the private datacenter feed the Security Operations Portal and the RESTful API Gateway over https; the Halo Grid pushes GhostPorts access and local server accounts to Halo daemons on www-1 and www-2 in the public cloud]

Slide 71: Other Cool Halo/API Tricks
- Set password reset requirements for a server user account.
- Find server accounts that don't have passwords (it happens).
- Find those spooky root-owned setuid files.
- Generate alerts if PID files go missing.
- Generate an alert if someone is in a group they shouldn't be in (like wheel).
- Generate massively detailed reports of server configuration status for auditors (keep 'em busy for weeks).
- Get a report of every server that a user *does not* have an account on.
- Get a report of every server that a user has an account on.
- Get alerted if a new cloud server gets created.
- Learn what process that TCP/IP port is bound to.
- Make sure that init.d startup scripts can't be tampered with by non-root users.
- Make sure that services are not running with excessive privileges.
- Monitor servers to detect old user accounts that should have been cleaned up, but might have gotten missed.
- Many, many more at community.cloudpassage.com
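Several of the slide 71 checks (accounts without passwords, unexpected wheel members, root-owned setuid files, init.d scripts writable by non-root users) are plain reads of /etc/passwd, /etc/shadow, /etc/group and file metadata. The following is an added example of those checks written locally in Python, not Halo or its API; PASSWD, SHADOW, GROUP and FILES are constructed stand-ins for the real files and a filesystem walk, and EXPECTED_WHEEL and KNOWN_SETUID are assumed allow-lists.

```python
"""Audit a server's local accounts and privileged files for the conditions
slide 71 lists. Added example, not CloudPassage/Halo code. PASSWD, SHADOW,
GROUP and FILES are constructed stand-ins for /etc/passwd, /etc/shadow,
/etc/group and a filesystem walk, so the audit runs offline."""
import stat

PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
jsmith:x:1002:1002::/home/jsmith:/bin/bash
backup2:x:0:1003::/home/backup2:/bin/bash
"""
SHADOW = """root:$6$c3VsdA$hashed:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
deploy::19000:0:99999:7:::
jsmith:$6$c3VsdA$hashed2:19000:0:99999:7:::
backup2:!:19000:0:99999:7:::
"""
GROUP = """root:x:0:
wheel:x:10:deploy,jsmith
sudo:x:27:deploy
"""
# (path, st_mode, st_uid) as os.lstat would report them; constructed.
FILES = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/opt/app/bin/helper", 0o104755, 0),   # setuid root binary nobody expects
    ("/etc/init.d/app", 0o100666, 0),       # startup script writable by everyone
    ("/etc/init.d/sshd", 0o100755, 0),
]
EXPECTED_WHEEL = {"deploy"}                                  # assumed allow-list
KNOWN_SETUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}  # assumed allow-list


def parse_colon_file(text, min_fields):
    """Map first field -> list of fields, skipping comments and malformed lines."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows[fields[0]] = fields
    return rows


def audit_accounts(passwd_text=PASSWD, shadow_text=SHADOW, group_text=GROUP,
                   expected_wheel=EXPECTED_WHEEL):
    """Return (kind, subject) findings in a stable order."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 2)
    groups = parse_colon_file(group_text, 4)
    findings = []
    for user, f in passwd.items():
        if user in shadow and shadow[user][1] == "":
            findings.append(("no_password", user))      # empty hash: logs in with no password
        if f[2] == "0" and user != "root":
            findings.append(("extra_uid0", user))       # a second root by another name
    for user in sorted(set(passwd) - set(shadow)):
        findings.append(("no_shadow_entry", user))
    wheel = groups.get("wheel")
    if wheel is not None:
        members = {m for m in wheel[3].split(",") if m}
        for m in sorted(members - expected_wheel):
            findings.append(("unexpected_wheel", m))
    return findings


def audit_files(entries=FILES, known_setuid=KNOWN_SETUID):
    """Flag root-owned setuid files outside the allow-list and init.d scripts
    that non-root users could tamper with (group- or world-writable)."""
    findings = []
    for path, mode, uid in entries:
        if uid == 0 and mode & stat.S_ISUID and path not in known_setuid:
            findings.append(("setuid_root", path))
        if path.startswith("/etc/init.d/") and mode & (stat.S_IWOTH | stat.S_IWGRP):
            findings.append(("writable_init_script", path))
    return findings


if __name__ == "__main__":
    for kind, subject in audit_accounts() + audit_files():
        print(f"{kind:22} {subject}")
```

On a real host you would feed audit_accounts() the contents of the three files (reading /etc/shadow needs root) and audit_files() the output of an os.walk() with os.lstat() on each entry; the allow-lists are what turn the raw facts into alerts, and the uid-0 check catches the account that a group-membership check alone would miss.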