bsides sf - automating security for the cloud
TRANSCRIPT
© 2012 CloudPassage Inc.
Automating Security for the Cloud
Why we all need to care…
Security B-Sides SF 2012
Rand [email protected]
@randwacker
whoami
Rand Wacker
@randwacker
Background (Security / Cloud):
UC Berkeley ✘ ✘
Oracle ✘
Amazon ✘
Sendmail …
IronPort ✘
Cisco ✘
CloudPassage ✘ ✘
Slides available soon on community.cloudpassage.com
Agenda
1. Who Runs What in the Cloud
2. Cloud Security Differences
3. DevOps vs SecOps
4. Making Everyone Happy
5. The End
Who is running in the cloud?
IT Server Admins
Big Data Analysts
What is running in the cloud?
Development
Who: App-dev shops, integrators, enterprise business units
Why: Fast, cheap, agile
Risks: Code stolen or hacked, live data theft
Permanent Application Hosting
Who: SaaS providers, social media, gaming
Why: Scalable, elastic, ties costs to growth
Risks: Compliance, data theft, operational disruption
Temporary Workloads
Who: Big data, social, retail, life-sci, media
Why: Agility, speed, scale, “lease the spikes”
Risks: Intellectual property theft
“We didn’t think we had cloud servers. Then we checked our developers’ expense reports for AWS...”
- CISO, Fortune 500 (name withheld upon request)
Why Your Security Toolbox Doesn’t Work In The Cloud
Cloud Security Is New
(Diagram: servers www-1 through www-4 in the private datacenter, with the public cloud alongside it.)
Cloud Security Is Different
(Diagram: www-4 moves out of the private datacenter and into the public cloud while www-1 through www-3 stay behind.)
Cloud Security Is Complex
(Diagram: servers spread across Cloud Provider A (www-4, www-5, www-6), Cloud Provider B (www-7 through www-10) and the Private Datacenter (www-1, www-2, www-3).)
Security Products Aren’t Adapting
(Diagram: the same servers across Cloud Provider A, Cloud Provider B and the Private Datacenter.)
Temporary & Elastic Deployments
Multiple Cloud Environments
Metered Usage
Survey: Cloud Security Concerns
Question: What security concerns are most important to you regarding public cloud computing? (Multiple choice)
Enterprise security tools don't work in the cloud
Provider access to guest servers
Achieving compliance with PCI or other standards
Multi-tenancy of infrastructure or applications
Lack of perimeter defenses and/or network control
Response shares shown on the chart: 23%, 24%, 26%, 40%, 44%
Source: CloudPassage CloudSec Community Survey
Shared Responsibility Model
“…the customer should assume responsibility and management of, but not limited to, the guest operating system... and associated application software...”
“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Amazon Web Services: Overview of Security Processes
EC2 Shared Responsibility Model
Provider Responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Customer Responsibility: Virtual Machine, Operating System, App Framework, App Code, Data
Application of Security in IaaS
(Diagram: a matrix of security controls against IaaS layers, split into Customer and Provider responsibility.)
Layers: Application Logic (API, GUI), App Framework / App stack, Virtual Machine/OS, Hypervisor, Compute, Storage, Physical Network, Physical Facilities
Controls: Physical, Secure Development Lifecycle, File/Record Access Control, Auditing/Pen Testing, SIEM, Encryption, Architecture/Design, NIDS/NIPS, Packet Filtering, Proxy/Middleware, Configuration Lockdown, HIDS/HIPS, Authentication, Forensics, NAC, DLP, Application Whitelisting, Anti-Virus, Virtual Network, Patching
Survey: Cloud Security Practices
Question: How do you secure your cloud servers today?
Open source or custom-developed tools
Commercial tool
My provider does it for me
Amazon Security Group
We're not securing our cloud servers
Source: CloudPassage CloudSec Community Survey
How I Learned to Stop Worrying and Get DevOps to Love Security
What Is DevOps?
(Diagram: DevOps at the intersection of QA & Site Reliability, Software Engineering and IT Operations; a second build adds Security Operations to the picture.)
Why Does DevOps Love Cloud?
Different Job Goals
DevOps
SecOps
Traditional DC Protection
(Diagram: firewalls separating the dmz from the core; load balancers and app servers in the dmz, the auth server and databases in the core. Builds: Server Provisioning adds a second load balancer, app server and database; Firewall Updates; Site Debugging!!!)
Moving to the Cloud
(Diagram: the dmz/core firewalls stay behind in the datacenter while the load balancers, app servers, auth server and databases move into the public cloud.)
Protecting Cloud Servers
(Diagram: in the public cloud, a Load Balancer, two App Servers and a DB Master, each given its own host firewall (FW); as the deployment grows, a second Load Balancer, a third App Server and a DB Slave appear, each with an FW; a newly provisioned App Server is shown with its IP.)
Cloud Security Challenges
• Inconsistent Control (you don’t own everything)
– The only thing you can count on is guest VM ownership
• Elasticity (not all servers are steady-state)
– Cloud-bursting, stale servers, dynamic provisioning
• Scalability (handle variable workloads)
– May have one dev server or 1,000 number-crunchers
• Portability (same controls must work anywhere)
– Nobody wants multiple tools or IaaS provider lock-in
So our tools are broken and everyone hates us, now what?
With Gratitude: Hyperbole and a Half
The VM is the Unit of Control
Controlled by Hosting-Provider: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Controlled by Hosting-User: Virtual Machine, Operating System, App Framework, App Code, Data
The VM is the Unit of Scale
(Diagram: one set of Physical Facilities, Hypervisor, Compute & Storage and Shared Network carrying several identical Virtual Machines, each with its own Operating System, App Framework, App Code and Data.)
The VM is the Unit of Portability
(Diagram: the same Virtual Machine stack (Operating System, App Framework, App Code, Data) on top of a Private Cloud and on top of an IaaS Provider, each with its own Physical Facilities, Hypervisor, Compute & Storage and Shared Network.)
Thesis
In cloud environments, the intersection of control, portability & scale is always the guest virtual machine.
Secure the VM
(Diagram: the Virtual Machine stack, OS, App Framework, App Code, Data, with a host firewall (FW) on each side of the OS.)
Secure the OS services and configurations
Add host-based firewalls (inbound and outbound)
Ensure application stacks are up-to-date and locked down
Continuously verify application code is current and un-tampered
Track sensitive data and prevent egress
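As an added illustration of the “continuously verify application code is current and un-tampered” step (example code written for this page, not from the talk or from CloudPassage), a baseline-and-verify check over an application directory; the directory layout and file contents it uses are constructed for the demo:

```python
# Added example (not from the talk): a minimal file-integrity baseline for the
# "verify application code is un-tampered" step. Paths and contents are constructed.
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a file swapped for a symlink shows up as 'removed'
            digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests


def verify(root, expected):
    """Diff the live tree against the deploy-time baseline; empty lists mean clean."""
    current = baseline(root)
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "added": sorted(p for p in current if p not in expected),
        "removed": sorted(p for p in expected if p not in current),
    }


def demo():
    # Constructed scenario: snapshot a deploy, then change the tree in three ways.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", "main.py"), "w") as f:
        f.write("print('hello')\n")
    with open(os.path.join(root, "app", "config.ini"), "w") as f:
        f.write("debug = false\n")
    expected = baseline(root)                   # snapshot taken at deploy time
    with open(os.path.join(root, "app", "main.py"), "a") as f:
        f.write("# unexpected edit\n")          # code changed after deploy
    with open(os.path.join(root, "app", "extra.txt"), "w") as f:
        f.write("not part of the deploy\n")     # file that was never deployed
    os.remove(os.path.join(root, "app", "config.ini"))  # deployed file gone
    return verify(root, expected)
```

Store the baseline off the server (or sign it) so that whoever alters the code cannot also rewrite the expected hashes, and run verify() on a schedule from the automation that provisions each VM.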
Automate Policy Application
(Diagram: the same secured Virtual Machine stack, OS with host firewalls, App Framework, App Code, Data, replicated across several VMs.)
FULLY AUTOMATE
Separate Security Controls
(Diagram: the secured Virtual Machine stack, with DevOps and SecOps labelled separately.)
DevOps
SecOps
The Secure, Automated Cloud
Wrapping Up
How To Secure Cloud Servers
Servers in hybrid and public clouds must be self-defending with highly automated controls like…
Dynamic network access control
Configuration and package security
Server account visibility & control
Server compromise & intrusion alerting
Server forensics and security analytics
Integration & automation capabilities
Summary
• There are people using cloud in your org…
• Cloud users often don’t understand security, and definitely don’t know their responsibility
• Cloud security is different, and hard
• The bad guys know this!
• Cloud has different points of control, leverage them!
Best Practices
• Know who is running what, and where
• Read and understand what your provider does, and what you are responsible for
• Take extra precautions when moving servers outside your data center
• Start with public cloud, after that everything is easy!
• Focus on securing what you control
Wrapping Up
• Continue the discussion
– Slides available: community.cloudpassage.com
• Contact me
– Email: [email protected]
– Twitter: @randwacker
• We’re hiring! Expert in Security and/or Cloud?
– Email: [email protected]
BTW, We’re Hiring!
Thank You!
What does CloudPassage do?
Security for virtual servers running in public and private clouds
Firewall Management
Server Configurations
Server Account Management
Compromise & intrusion alerting
Security & compliance auditing
Vulnerability Management
Cloud adoption without fear
Faster and easier compliance
Repel attacks on your servers
Free Basic version, 5 minutes setup