Cloud Security Practices and Principles


Uploaded by sumo-logic, posted 17-Jul-2015


TRANSCRIPT

Cloud Security Practices and Principles

Joan Pepin, Director of Security

Sumo Logic Confidential

The Public Cloud Is:

• An opportunity to simplify and increase security
• Misunderstood
• A victim of FUD
  – Take time to examine it? Or DOOM?
• Fearing what you do not understand is reasonable from an IT perspective. But this is worth the time to understand.

The Old World

• You have people on your staff who know way too much about wattage, BTUs, rack density, and how raised, exactly, the floor needs to be
• So you think in certain ways:
  – Hardware rotates and depreciates on a fixed 36-month cycle
  – This is the mix of RAM, disk, and CPU I have to work with
  – This is how many watts we've got
  – And this is the bandwidth capacity of the datacenter

Where Does This Leave You?

• Trying to insert yourself in the process run by the ping, power, and pipe guys
• Dealing with span ports
• Dealing with legacy compromises and legacy infrastructure that no longer matches your security requirements…
  – And probably never did
• We do lots of things in this business where we transit public space, and we take steps to secure that transit

A New World

• Cloud computing is truly a different paradigm with different rules and different logic

But The FUD!

The Old World                                  Cloud Computing
Precise control                                Statistics
Scripts and capacity-planning spreadsheets     Feedback loops / auto-scaling
36-month refresh cycles                        Bids for spot instances
Physical control                               Process, automation, design

• What security professionals are looking for is control
• You can achieve control in the cloud, by playing a new game
• "The highest form of generalship is to thwart your enemies' plans." – Sun Tzu

What's In It For Me?

• Not needing to regularly review firewall rule ordering as part of your operational process, as one example
• Instrument
• Gather data
• Design your rules
• Iterate from the whiteboard
  – Not a live firewall console
• For instance :)

Design Design Design

• In the cloud you have the tools to design, implement, and refine your policies, controls, and enforcement in a centralized fashion
• Your code is your infrastructure
• Your SDLC can now be brought to bear on areas traditionally out of sync with your security posture
• Scale to massive sizes without having to worry about things like firewall rule ordering, optimization, or audit as part of your operational cycle
• Your security will become fractal, and embedded in every layer of your system.

The Primitives

• What are your primitives?
  – I/O, memory, storage, compute, and code
  – Data: at rest, in motion, and in use
• Access control
  – Monitoring tools, third-party apps, troubleshooting tools
• Interfaces/APIs
  – Clean, minimal, authenticated, validated

Minimalism

• Each of those must be thought of on its own and in combination with the other components it interacts with
• It is both that simple and that complicated.

Understand Everything

• That simplicity gives you the power to understand everything
  – Every protocol
  – Every interface
• If you want to achieve true and full Default Deny on everything, everywhere, this is where it starts
• Understand your state changes
• Bring that understanding to bear through development
• And you can attain Emergent Security

With Automation, All Things Are Possible

• Your entire infrastructure is your code base
• There is no gap between the operational physical layer and the software that runs on top of it.
• Machine and network failures are just exceptions to be caught and handled
• Your infrastructure can now evolve and support your system
  – because it is the system

Like What?

• Register all of your VMs, services, IPs, and ports
• Automatically build firewall policies based on that
• Re-build and distribute SSL/TLS keys
  – Whenever you want
• HIDS, host firewalls, and file integrity checkers configured from instance tags
• Unit test everything
  – Allowing security to keep up with your product

Encrypt It All

• You know… like we do… on the Internet ;)
• At rest and in motion.
• Any data that is ephemeral can be kept on encrypted ephemeral storage, with the keys kept only in memory.
  – When the instance dies, the key dies with it.
• Longer-lived data should be stored away from the keys that secure it
  – If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool

Default Deny Nirvana

• Allow only expected connections
• Front-end web applications need to accept connections from anyone in the world
  – (but it's more likely only your load balancer does)
• As part of your infrastructure-as-software design
  – Know what needs to talk to what
    • on what port and under what circumstances
  – And only allow that
    • everything else is bit-bucketed and alerted on.
• In software-driven, cloud-based deployments, there is no longer any excuse for any other way of doing it
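The registry-driven firewall generation on the "Like What?" slide and the "know what needs to talk to what, allow only that, bit-bucket and alert on everything else" rule on this slide, as one added Python example. This is not code from the deck or from Sumo Logic: the service registry, CIDRs and sample flows are constructed for the example and stand in for what instance tags or service discovery would supply, and the Rule format is a simplified stand-in rather than any provider's security-group API.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"

# Constructed service registry for this example. In practice it is populated from
# instance tags / service discovery. Each "listens" entry maps a port to the sources
# allowed to reach it: another service name, or a literal CIDR.
REGISTRY = {
    "lb":  {"cidr": "10.0.1.0/24", "listens": {443: [ANY]}},
    "web": {"cidr": "10.0.2.0/24", "listens": {8080: ["lb"]}},
    "db":  {"cidr": "10.0.3.0/24", "listens": {5432: ["web"]}},
    "ops": {"cidr": "10.0.9.0/24", "listens": {}},   # registered, but nothing may reach it yet
}

# Constructed sample flows (src, dst, port), as a flow log would report them.
FLOWS = [
    ("203.0.113.7", "10.0.1.10", 443),    # internet -> lb
    ("10.0.1.10",   "10.0.2.20", 8080),   # lb -> web
    ("10.0.2.20",   "10.0.3.30", 5432),   # web -> db
    ("203.0.113.7", "10.0.2.20", 8080),   # internet -> web, bypassing the lb
    ("10.0.1.10",   "10.0.3.30", 5432),   # lb -> db, skipping the app tier
    ("10.0.9.5",    "10.0.3.30", 22),     # ops -> db over ssh, never registered
]


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # 0 means any port (only used by the catch-all)
    action: str   # "allow" or "deny"


def build_policy(registry):
    """Derive the whole policy from the registry: one allow per (source, service, port),
    then a single catch-all deny. Nothing is hand-written."""
    rules = []
    for svc in registry.values():
        for port, sources in svc["listens"].items():
            for src in sources:
                src_cidr = registry[src]["cidr"] if src in registry else src
                rules.append(Rule(src_cidr, svc["cidr"], port, "allow"))
    rules.append(Rule(ANY, ANY, 0, "deny"))
    return rules


def evaluate(rules, src_ip, dst_ip, port):
    """First-match evaluation of one flow; returns the action taken."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (0, port):
            return r.action
    return "deny"   # unreachable while the catch-all is present; fail closed regardless


def filter_flows(rules, flows):
    """Apply the policy to a batch of flows. Denied flows are dropped *and* reported,
    so a denied flow is an alert, not silence."""
    return [f"DENIED {src} -> {dst}:{port}"
            for src, dst, port in flows
            if evaluate(rules, src, dst, port) == "deny"]


def host_rules(rules, registry, service):
    """The slice of the global policy one host enforces locally, selected by its role tag."""
    cidr = registry[service]["cidr"]
    return [r for r in rules if r.dst == cidr] + [rules[-1]]


def policy_invariants(registry, rules, public_services=()):
    """Properties every generated policy must satisfy; run these as unit tests before
    pushing a policy. Returns a list of violations (empty means the policy is sane)."""
    public_cidrs = {registry[name]["cidr"] for name in public_services}
    problems = []
    if not rules or rules[-1] != Rule(ANY, ANY, 0, "deny"):
        problems.append("policy does not end in a catch-all deny")
    for r in rules[:-1]:
        if r.action != "allow":
            problems.append(f"deny rule before the catch-all: {r}")
        if r.port == 0:
            problems.append(f"allow rule with a wildcard port: {r}")
        if r.src == ANY and r.dst not in public_cidrs:
            problems.append(f"world-reachable service that is not meant to be public: {r}")
    return problems


def order_independent(rules, flows):
    """Every rule before the catch-all is an allow, so first-match order among them
    cannot change a decision. Demonstrated by reversing the allows and re-evaluating."""
    allows, deny = rules[:-1], rules[-1]
    reordered = list(reversed(allows)) + [deny]
    return all(evaluate(rules, *f) == evaluate(reordered, *f) for f in flows)


if __name__ == "__main__":
    policy = build_policy(REGISTRY)
    for r in policy:
        print(r)
    for alert in filter_flows(policy, FLOWS):
        print(alert)
    print("invariant violations:", policy_invariants(REGISTRY, policy, public_services=("lb",)))
```

Because the only deny is the generated catch-all at the end, there is no rule ordering to review: any allow that is not in the registry simply does not exist, and `order_independent` makes that property checkable. `policy_invariants` is the kind of check the "unit test everything" bullet is asking for; wiring it into the pipeline that pushes the policy means a registry change that accidentally exposes a non-public service fails the build instead of opening a port.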

Conclusion

• The public utility model of cloud computing brings substantial advantages of scalability and automation which can be leveraged by information security professionals
• As a result, a more secure service can be built on the public cloud for less investment than in a traditional data center
• Just remember your fundamentals
• And always shoot the messenger

Q&A and Next Steps

• Download our white paper, Building Secure Services in the Cloud: www.sumologic.com/resources/
• Register for Sumo Logic Free: www.freesumo.com
• Contact [email protected] or [email protected]