Posted 05-Aug-2015
Defending Applications In the Cloud
Architecting Layered Security Solutions in Cloud Computing Environments
Agenda
• Introductions and context
• Conventional solution architecture
• Moving solutions to the cloud
• Intrusion detection and prevention in the cloud
• Defensive strategies
• Security challenges in the cloud
Introductions
• Opinions on this topic are informed by three perspectives:
  – Current position as Chief Security and Privacy Officer for a health IT services firm that operates systems in conventional data centers and cloud computing environments
  – Adjunct professor at UMUC teaching courses in information assurance, particularly Intrusion Detection and Prevention
  – Experience as a government contractor architecting, implementing, and securing federal and state systems
Context
• Rapid adoption of cloud computing models across most (if not all) industry sectors:
  – Infrastructure as a Service (IaaS)
  – Platform as a Service (PaaS)
  – Software as a Service (SaaS)
• Security is a prominent area of concern for organizations moving systems, data, and services to the cloud
• Well-accepted network security practices, tools, and architecture patterns do not always transfer directly to the cloud
Security Architecture
• Specifics vary widely, but conventional security architecture solutions reflect a "defense in depth" approach with typical elements including:
  – Network firewalls
  – Intrusion detection and prevention systems
  – Physical or logical subnets (VLANs)
  – Identity and access management
  – Threat and vulnerability scanners
  – Audit logging and monitoring
  – Event correlation/security information and event management
  – Disaster recovery
Network Security
Conventional Data Center                    | Cloud Service Provider
--------------------------------------------|--------------------------------------------
Packet filtering firewall                   | Network ACL; security groups
Stateful inspection/intrusion prevention    | Security groups
Application firewall                        | Third-party gateways or custom instances
Network address translation                 | NAT instance
Boundary and domain router                  | Virtual router
Virtual Private Network (VPN) appliance     | Virtual private gateway
Network Access Control (NAC)                | Not available
Network Intrusion Detection System (IDS)    | Third-party or custom instances
Subnet/VLAN via switches                    | Subnets via routing tables
Corporate network/LAN                       | Virtual private cloud (VPC)
Disaster recovery via alternate site        | Disaster recovery via zone replication
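The first two rows of the table hide the caveat that bites most teams moving a firewall rule base to the cloud: a network ACL is stateless, so the reply half of every flow needs its own rule, while a security group is stateful and only ever needs the initiating direction. The model below is an added example, not code from the presentation or from AWS; it mimics the documented evaluation order (numbered ACL rules, first match wins, implicit deny; allow-only security groups with a connection table) in plain Python so the difference can be run rather than described. Addresses are constructed from documentation ranges.

```python
"""Stateless network ACL vs. stateful security group, modelled in plain Python.

Constructed model for illustration only; it is not the provider's implementation.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str          # "in" = toward the instance, "out" = away from it


@dataclass(frozen=True)
class Rule:
    direction: str
    cidr: str               # the remote side of the packet
    ports: tuple            # inclusive (low, high) range on the destination port
    action: str = "allow"   # network ACLs also take "deny"; security groups never do
    number: int = 0         # network ACL rule number; ignored by security groups


def _matches(rule, pkt):
    remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    return (rule.direction == pkt.direction
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
            and rule.ports[0] <= pkt.dst_port <= rule.ports[1])


class NetworkAcl:
    """Stateless: each packet, including the reply half of a flow, is judged alone."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)   # lowest number first

    def permits(self, pkt):
        for rule in self.rules:
            if _matches(rule, pkt):
                return rule.action == "allow"
        return False            # the implicit '*' deny rule


class SecurityGroup:
    """Stateful: a packet that matches an allow rule opens a flow, and replies on
    that flow are permitted in the other direction with no rule needed."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def permits(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:               # reply to a tracked connection
            return True
        if any(_matches(r, pkt) for r in self.rules):
            self.flows.add(flow)
            return True
        return False


# Constructed sample flow: an Internet client hits HTTPS on a web instance.
CLIENT, SERVER = "203.0.113.10", "10.0.1.20"
REQUEST = Packet(CLIENT, 51515, SERVER, 443, "in")
REPLY = Packet(SERVER, 443, CLIENT, 51515, "out")
UNSOLICITED = Packet(SERVER, 40000, "198.51.100.5", 80, "out")


def nacl_https_flow(with_ephemeral_rule):
    """Inbound 443 allowed on the ACL. Returns (request permitted, reply permitted).
    Without an outbound rule for the client's ephemeral port the reply is dropped."""
    rules = [Rule("in", "0.0.0.0/0", (443, 443), number=100)]
    if with_ephemeral_rule:
        rules.append(Rule("out", "0.0.0.0/0", (1024, 65535), number=100))
    acl = NetworkAcl(rules)
    return acl.permits(REQUEST), acl.permits(REPLY)


def sg_https_flow():
    """Same inbound rule on a security group with no outbound rules at all.
    Returns (request, reply, unsolicited outbound): the reply rides on the flow
    table, while a new outbound connection is still refused."""
    sg = SecurityGroup([Rule("in", "0.0.0.0/0", (443, 443))])
    return sg.permits(REQUEST), sg.permits(REPLY), sg.permits(UNSOLICITED)


if __name__ == "__main__":
    print("NACL, no ephemeral rule :", nacl_https_flow(False))
    print("NACL, ephemeral rule    :", nacl_https_flow(True))
    print("Security group          :", sg_https_flow())
```

The practical consequence is the one the table's mapping glosses over: a packet-filter rule set ported one-for-one onto a network ACL silently breaks every return path until the outbound ephemeral-port rules are added, and the same rules on a security group work immediately but can never express a deny.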
Conventional Network Infrastructure
[Figure: corporate data center with Internet and external service provider connections. Traffic enters through a public gateway and a VPN to an integrated security device, then a load balancer and switches; behind them sit host servers, physical servers, a server cluster, a storage array and databases; administrators connect through a private gateway, which is also the point of integration with the external service provider.]
Key Security Attributes
• Hardware-based firewall/IPS/VPN
• Subnets configured through switches
• Combination of physical and virtual hosts
• Separate gateway/point of integration for connection to external entities
• Multiple options for deploying network-based and host-based IDS/IPS, event monitoring, and threat and vulnerability scanning
Infrastructure in the Cloud
[Figure: a VPC spanning two Availability Zones. Users reach an Internet gateway, a router with a route table and elastic load balancing; each zone holds a VPC subnet with instances, EBS volumes and RDS, wrapped in security groups, with S3 and CloudWatch alongside. The corporate data center connects over a VPN to a Virtual Private Gateway.]
Key Security Attributes
• Virtual firewalls through security groups and ACLs
• Subnets through routing tables and virtual gateways
• All hosts virtualized or delivered as service
• Private gateways for connections to customer data center or external entities
• Limited network-based IDS/IPS
• Event monitoring and threat and vulnerability scanning must be performed by the customer or by a third-party service
Conventional Solution Architecture
[Figure: Internet, router and security appliance in front of a three-tier stack of web server, application server and database server, with a network IDS sensor at each tier.]
Solution Architecture in the Cloud
[Figure: the same three tiers in the cloud: Internet gateway, router and elastic load balancer in front of the web server, application server and database server, each tier in its own security group, with CloudWatch raising alerts.]
Intrusion Detection in the Cloud
• Conventional “in-line” IDS/IPS typically requires custom configuration of an instance with multiple network interfaces to route traffic through the IDS
[Figure: Internet gateway and router with route tables steering traffic through an instance with dual interfaces before the elastic load balancer and instances; logs written to EBS and S3, alerts to CloudWatch.]
Defensive Strategies
• Route public access through content and networking services such as Akamai
  – Optimized for web applications
  – Greatly reduces external exposure of systems
• Enable secure point-to-point access with a virtual private gateway
  – Hardware-based endpoint on the cloud customer side
  – Virtual endpoint on the cloud provider side
• Leverage asymmetric encryption for server/OS access
  – Key pair generation is the default in AWS and an option in Azure
• Create dedicated VMs for administrative access ("jump boxes") and disable administrative channels/services like SSH from any other source
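The jump-box rule above is only as good as the security groups that enforce it, and the groups drift. The check below is an added example, not code from the presentation: it walks a list shaped like the SecurityGroups array that `aws ec2 describe-security-groups` returns and reports every SSH or RDP rule that breaks the model (the jump box may accept only from corporate ranges; every other group only from the jump-box security group). The group IDs, names and address ranges in SAMPLE_GROUPS are constructed, and the "all traffic" rule on the database group is there deliberately, because `IpProtocol: -1` includes the administrative ports without naming them.

```python
"""Flag administrative ports reachable from anything other than the jump box.

Added example. SAMPLE_GROUPS is constructed to mirror the IpPermissions layout of
`aws ec2 describe-security-groups`; IDs and ranges are made up.
"""
from ipaddress import ip_network

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}

JUMP_BOX_SG = "sg-0a1b2c3d4e5f60001"        # constructed: the jump-box group
CORPORATE_CIDRS = ["198.51.100.0/24"]       # constructed: corporate VPN egress range

SAMPLE_GROUPS = [
    {"GroupId": JUMP_BOX_SG, "GroupName": "jump-box", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,       # SSH open to the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,       # correct: jump box only
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": JUMP_BOX_SG}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,   # RDP from the whole VPC
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1",                                      # all traffic from web tier
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60002"}]}]},
]


def _covers(perm, port):
    """True when the permission includes `port`; IpProtocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def _within_corporate(cidr, corporate):
    """True when `cidr` lies entirely inside one of the corporate ranges."""
    net = ip_network(cidr)
    return any(net.version == c.version and net.subnet_of(c)
               for c in map(ip_network, corporate))


def audit(groups, jump_box_sg, corporate_cidrs):
    """Return (group id, service, source, severity) for every admin-port rule that
    breaks the jump-box model."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            for port, service in ADMIN_PORTS.items():
                if not _covers(perm, port):
                    continue
                sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                           + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                           + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])
                for src in sources:
                    if g["GroupId"] == jump_box_sg:
                        ok = (not src.startswith("sg-")
                              and _within_corporate(src, corporate_cidrs))
                    else:
                        ok = src == jump_box_sg
                    if not ok:
                        severity = "critical" if src in WORLD else "high"
                        findings.append((g["GroupId"], service, src, severity))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, JUMP_BOX_SG, CORPORATE_CIDRS):
        print(*finding)
```

Run against a real account the `SAMPLE_GROUPS` list would be replaced by the parsed CLI or SDK output; the logic does not change. Note that the database group produces two findings from one rule, which is the point: a tier-to-tier "all traffic" rule quietly reopens the administrative channel the jump box was meant to be the only path to.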
Security Challenges in the Cloud
• Responsibility
  – Customers deploying applications and data to the cloud are responsible for securing what they deploy
• Log management and analysis
  – VMs produce copious logs, written to a central storage area but not aggregated for analysis
  – Logs need to be aggregated to facilitate review, often using third-party virtual appliances or services
  – Firewall and virtual device logging/monitoring may be limited or unavailable
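Why aggregation matters is easiest to see with a pattern that is invisible host by host. The following is an added example, not code from the presentation: three instances each keep their own sshd log (SAMPLE_LOGS is constructed, with documentation-range addresses), a per-host failed-login threshold fires on none of them, and the same threshold applied to the pooled logs fires at once because one source is spraying two attempts at every host.

```python
"""Per-host vs. aggregated review of sshd authentication logs.

Added example. SAMPLE_LOGS is constructed: one list of syslog-style lines per
instance, the way each VM's log lands in its own file or object before anything
pulls them together.
"""
import re
from collections import Counter, defaultdict

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

SAMPLE_LOGS = {
    "i-0aaa": [
        "Jan 12 03:14:01 ip-10-0-1-20 sshd[1201]: Failed password for invalid user admin from 203.0.113.77 port 41022 ssh2",
        "Jan 12 03:14:09 ip-10-0-1-20 sshd[1203]: Failed password for root from 203.0.113.77 port 41030 ssh2",
        "Jan 12 03:20:44 ip-10-0-1-20 sshd[1210]: Accepted publickey for ec2-user from 10.0.0.5 port 50012 ssh2",
    ],
    "i-0bbb": [
        "Jan 12 03:31:12 ip-10-0-1-21 sshd[987]: Failed password for invalid user admin from 203.0.113.77 port 41101 ssh2",
        "Jan 12 03:31:20 ip-10-0-1-21 sshd[989]: Failed password for root from 203.0.113.77 port 41109 ssh2",
        "Jan 12 03:40:02 ip-10-0-1-21 sshd[995]: Failed password for ec2-user from 198.51.100.9 port 60211 ssh2",
    ],
    "i-0ccc": [
        "Jan 12 03:52:33 ip-10-0-1-22 sshd[2201]: Failed password for invalid user admin from 203.0.113.77 port 41207 ssh2",
        "Jan 12 03:52:41 ip-10-0-1-22 sshd[2203]: Failed password for root from 203.0.113.77 port 41215 ssh2",
    ],
}


def failures_by_source(lines):
    """Count failed password attempts per source address in one host's log."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def per_host_alerts(logs, threshold):
    """What a check run on each VM sees: sources at or above the threshold on that host alone."""
    return {inst: sorted(ip for ip, n in failures_by_source(lines).items() if n >= threshold)
            for inst, lines in logs.items()}


def aggregated_alerts(logs, threshold):
    """What the same check sees once the logs are pooled: total failures per source
    across the fleet, with the hosts each source touched."""
    total, hosts = Counter(), defaultdict(set)
    for inst, lines in logs.items():
        for ip, n in failures_by_source(lines).items():
            total[ip] += n
            hosts[ip].add(inst)
    return {ip: (n, sorted(hosts[ip])) for ip, n in total.items() if n >= threshold}


if __name__ == "__main__":
    print("per host  :", per_host_alerts(SAMPLE_LOGS, 5))
    print("aggregated:", aggregated_alerts(SAMPLE_LOGS, 5))
```

The same principle applies to whatever aggregation layer is chosen (a log-shipping agent into a third-party service, or the provider's own monitoring): the detection logic is trivial once the data is in one place, and impossible while it is scattered across instance volumes.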
Security Challenges in the Cloud
• Device authentication
  – Little or no ability to perform checks like NAC scans or MAC authentication
  – Access filters can sometimes be applied through separate services (e.g., geographic IP filter with AWS CloudFront)
• Encryption
  – Encryption of data at rest is not natively supported in some cloud products/services
  – In many cases, OS-level or database encryption can be enabled, but organizations still need to determine how to manage keys
Summary
• Data center and application architectures can be reproduced in cloud environments
• Some security capabilities seen as “standard” in corporate data centers are not available or do not operate the same way with cloud service providers
• If you deploy anything needing protection to a cloud environment, you are responsible for securing it
• Following cloud-specific defensive strategies supports implementation of defense-in-depth