day1 1645 track2 session markeysteven-c. - securing dbs in cloud v12

Securing Databases in the Cloud Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials Principal, nControl, LLC Adjunct Professor President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)

Post on 24-Nov-2015

TRANSCRIPT

  • Securing Databases in the Cloud

    Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials
    Principal, nControl, LLC
    Adjunct Professor
    President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)

  • Presentation Overview
    - Cloud Overview
    - Database Overview
    - Big Data Overview
    - Cloud-Based DB Solutions
    - Securing Cloud-Based DB Solutions
      - Vulnerabilities Found in Cloud-Based Offerings
      - Securing Your Relational Cloud-Based Offerings
      - Securing Your Non-Relational Cloud-Based Offerings
    - Privacy & Data Protection for Cloud-Based DBs
    - Case Study: MySQL & SimpleDB in the Cloud


  • Source: NIST

  • Service Delivery Models (Source: Swain Techs)

  • Source: Matthew Gardiner, Computer Associates

  • Database Overview
    - Database Management Systems
      - Relational Database Management Systems (RDBMS)
      - Object-Oriented Database Management Systems (OODBMS)
      - Non-Relational, Distributed DB Mgmt Systems (NRDBMS)
        - Not only Structured Query Language (NoSQL)
    - Online Transaction Processing (OLTP)
    - Real-time Data Warehousing
    - Online Analytical Processing (OLAP)
    - Operational Data Stores (ODS)
    - Enterprise Data Warehouse (EDW)

  • Database Overview: Online Analytical Processing (OLAP)
    - Business Intelligence (BI)
      - Data Mining
      - Reporting
      - OLAP

  • Database Overview: OLAP (Continued)
    - Business Intelligence (BI) (Continued)
      - OLAP (Continued)
        - Relational OLAP (ROLAP)
        - Multi-Dimensional OLAP (MOLAP)
        - Hybrid OLAP (HOLAP)

    Data flow diagrams: OLTP → ODS → EDW (Data Marts) → BI (Data Mining); OLTP → ODS → EDW (Data Marts) → BI (Reporting); OLTP → ODS → EDW (Data Marts) → BI (OLAP)

  • Big Data Overview
    - Aggregated Data From the Following Sources: Traditional, Sensory, Social, Aggregators
    - Predominantly: NRDBMS
      - Column Family Stores: Cassandra (FB), BigTable (Google), HBase (Apache)
      - Key-Value Stores: App Engine DataStore (Google), DynamoDB & SimpleDB (AWS)
      - Document Databases: CouchDB, MongoDB
      - Graph Databases: Neo4J

  • Big Data Overview (Continued)
    - Serial Processing
      - Hadoop
      - Hadoop Distributed File System (HDFS)
      - Hive DW
      - Pig Querying Language
      - Riak
    - Parallel Processing
      - HadoopDB
    - Analytics
      - Google MapReduce
      - Apache MapReduce
      - Splunk (for Security Information / Event Management [SIEM])

  • Source: Cloudera

  • Source: Wikispaces

  • Source: Google

  • Source: Cloudera

  • Cloud-Based Database Solutions: PaaS
    - DBaaS
      - Force.com
      - Intuit QuickBase
      - Amazon Web Services (AWS)
        - Relational Database Service (RDS): Oracle 11g / MySQL
        - DynamoDB
        - SimpleDB
      - Google App Engine: Datastore
      - Oracle Public Cloud: 11g

  • Cloud-Based Database Solutions: IaaS
    - Build MySQL, Microsoft SQL Server, or Oracle 11g Instance
    - Leverage Compute Node & Storage Node Effectively
      - AWS Elastic Compute Cloud (EC2) / AWS Elastic Block Store (EBS)
      - OpenStack Compute (Nova) / OpenStack Storage (Swift)

  • Vulnerabilities Found in Cloud-Based DB Solutions: General Cloud Service
    - Middleware Vulnerabilities
      - Open / Java Database Connectivity (ODBC / JDBC) Attacks
    - Database Vulnerabilities
      - Improper (Logical) Access Controls
      - Change / Configuration Management
      - Backups
      - Multi-Tenancy
    - Virtualization Vulnerabilities
      - Insecure Hypervisor / Management Backplane
      - Hyperjacking: Rogue Hypervisor
      - Virtual Machine (VM) Theft: Data Loss
      - VM Hopping: One VM to Another
      - VM Sprawl: Unmanaged (Legacy) VMs
      - VM Escape: One VM to Another

  • Vulnerabilities Found in Cloud-Based DB Solutions: General Cloud Service (Continued)
    - Internal (Cloud Service Provider) Attack Vectors:
      - Legacy Accounts: Automate Provisioning / De-Provisioning
      - Lack of Segregation / Separation of Duties
      - Lightweight Directory Access Protocol (LDAP) Injection
    - Application Vulnerabilities:
      - SQL Injection
      - Cross-Site Scripting (XSS)
      - Cross-Site Request Forgery (XSRF)
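    The LDAP injection item above names the risk but not the fix. The standard mitigation is to escape every user-supplied value before it is placed into a search filter, using the RFC 4515 escapes for the characters that have structural meaning in a filter. The following is an added example, not code from the presentation: the `escape_ldap_filter_value`, `build_user_filter` and `count_filter_items` functions and the `(uid=...)` lookup filter are constructed for illustration, and the item counter is only a structural check on the filter string, not an LDAP client.

```python
import re

# RFC 4515 escape table for values embedded in an LDAP search filter.
# Each special character becomes a backslash followed by its two-digit hex code.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape the characters that change the structure of an LDAP filter (RFC 4515)."""
    # Per-character mapping: backslashes already present are escaped too, so an
    # input cannot smuggle in a ready-made escape sequence.
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(uid: str, escape: bool = True) -> str:
    """Build the lookup filter for one user.

    escape=True is the hardened form; escape=False shows the raw string
    construction that lets a value alter the filter's structure.
    """
    if escape:
        uid = escape_ldap_filter_value(uid)
    return f"(&(objectClass=person)(uid={uid}))"


# One attribute=value item: an opening paren, an attribute name, '=', a value with no
# parentheses, and a closing paren. Used only to inspect the structure of a filter string.
_FILTER_ITEM = re.compile(r"\((\w+)=([^()]*)\)")


def count_filter_items(filter_str: str) -> int:
    """Count well-formed attribute=value items in a filter string.

    The lookup filter above is meant to contain exactly two items (objectClass and uid).
    A user value containing parentheses or '*' changes that count unless it is escaped.
    """
    return len(_FILTER_ITEM.findall(filter_str))


if __name__ == "__main__":
    # Constructed input: a display-style value containing characters that are
    # legal in a directory entry but structural inside a filter.
    value = "Smith (Bob)*"
    for escaped in (False, True):
        f = build_user_filter(value, escape=escaped)
        print(f"escape={escaped}: {f}  items={count_filter_items(f)}")
```

The escaped filter still parses as exactly two items, whatever the value contains; the unescaped one no longer does, which is the condition an injection exploits. The same escaping must be applied to every user-controlled value, including ones taken from a directory entry and fed back into a second query.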

  • Vulnerabilities Found in Cloud-Based DB Solutions: IaaS
    - Infrastructure:
      - Improper Physical Access Controls
      - Change / Configuration Management
      - Physical Separation of Compute & Storage Nodes: Performance Degradation
      - Backups: VM Backup Location, Jurisdiction; Data File Backup Location, Jurisdiction
    - Operating System (OS):
      - Improper (Logical) & Physical Access Controls
      - Change / Configuration Management

  • Source: Flickr

  • Securing Relational Cloud-Based DB Solutions: PaaS
    - DBaaS
      - SIEM
      - Logical Segregation / Separation of Duties (DBA, Developer)
      - Enforce Logical Access Controls
      - Virtual Firewalls
      - Encryption
        - Enforce Compliance Encryption Requirements for Data
        - Public Key Infrastructure (PKI): Remote & Application Access
        - Key Management
      - User Rights Management (URM)
      - Identity & Access Management (IAM)

  • Source: Chris Brenton

  • Source: FireRack

  • Source: Chris Brenton


  • Source: Chappell & Associates


  • Securing Relational Cloud-Based DB Solutions: PaaS / DBaaS (Continued)
    - Backups & Disaster Recovery
      - Physically / Geographically Separate
      - Build RTO & RPO Into SLA
      - Regularly Test (Semi-Annually)
    - Application & Middleware-level Security
      - Web Application Firewalls (WAF) / Proxy
      - XML Firewalls
      - Security Development Lifecycle (SDL)
        - Static Application Security Testing (SAST)
        - Dynamic Application Security Testing (DAST)

  • Source: Imperva

  • Source: SANS

  • Source: Microsoft


  • Securing Relational Cloud-Based DB Solutions: PaaS / DBaaS (Continued)
    - AWS RDS Oracle 11g & Java Apache Tomcat EC2 Scenario:
      - Setup VPC: Public & Private via NAT w/ IPSec VPN
      - Setup App Security Group
      - Build Public App Instance on EC2 w/ Java & Apache Tomcat
      - Setup DB Security Group w/ App Security Group Added
      - Build Private AWS RDS Oracle 11g DB
      - Leverage PL/SQL Audit Triggers for Compliance
      - Leverage CloudWatch for App & DB Instances
      - Leverage Prepared Statements & Error / Exception Handling
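    The last two steps of this scenario, audit triggers for compliance and prepared statements with error handling, are the database-side controls an application team can verify directly. The block below is an added example, not code from the presentation: it uses an in-memory SQLite database so it runs anywhere, the `patients` and `patients_audit` tables, the trigger bodies and the sample rows are constructed, and the triggers are plain SQLite triggers standing in for the PL/SQL audit triggers the slide names (the same AFTER UPDATE / AFTER DELETE pattern carries over to Oracle). The unsafe lookup is kept beside the prepared-statement lookup to show what the binding actually prevents.

```python
import sqlite3

# Constructed schema: a record table and an audit table fed only by triggers,
# so every change is recorded regardless of which application path made it.
SCHEMA = """
CREATE TABLE patients (
    id        INTEGER PRIMARY KEY,
    mrn       TEXT NOT NULL UNIQUE,
    diagnosis TEXT NOT NULL
);
CREATE TABLE patients_audit (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    mrn        TEXT NOT NULL,
    action     TEXT NOT NULL,
    old_diag   TEXT,
    new_diag   TEXT,
    changed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TRIGGER trg_patients_update AFTER UPDATE OF diagnosis ON patients
BEGIN
    INSERT INTO patients_audit (mrn, action, old_diag, new_diag)
    VALUES (OLD.mrn, 'UPDATE', OLD.diagnosis, NEW.diagnosis);
END;
CREATE TRIGGER trg_patients_delete AFTER DELETE ON patients
BEGIN
    INSERT INTO patients_audit (mrn, action, old_diag, new_diag)
    VALUES (OLD.mrn, 'DELETE', OLD.diagnosis, NULL);
END;
"""


def open_db() -> sqlite3.Connection:
    """Create the schema and load two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO patients (mrn, diagnosis) VALUES (?, ?)",
        [("MRN-0001", "hypertension"), ("MRN-0002", "asthma")],
    )
    conn.commit()
    return conn


def find_diagnosis_unsafe(conn, mrn: str):
    """String concatenation: the input becomes part of the SQL text (the 'before' form)."""
    sql = "SELECT mrn, diagnosis FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


def find_diagnosis(conn, mrn: str):
    """Prepared statement: the input is bound as a value and cannot change the query."""
    return conn.execute(
        "SELECT mrn, diagnosis FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


def _run_write(conn, sql: str, params) -> int:
    """Execute one parameterised write inside a transaction; return rows affected.

    Error handling: roll back on any database error and raise a message that names
    only the error class, so neither SQL text nor row data leaks to the caller.
    """
    try:
        cur = conn.execute(sql, params)
        conn.commit()
        return cur.rowcount
    except sqlite3.DatabaseError as exc:
        conn.rollback()
        raise RuntimeError("database write failed: %s" % type(exc).__name__) from None


def update_diagnosis(conn, mrn: str, new_diag: str) -> int:
    return _run_write(conn, "UPDATE patients SET diagnosis = ? WHERE mrn = ?", (new_diag, mrn))


def delete_patient(conn, mrn: str) -> int:
    return _run_write(conn, "DELETE FROM patients WHERE mrn = ?", (mrn,))


def audit_trail(conn, mrn: str):
    """Return (action, old, new) rows written by the triggers for one record."""
    return conn.execute(
        "SELECT action, old_diag, new_diag FROM patients_audit "
        "WHERE mrn = ? ORDER BY audit_id",
        (mrn,),
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    update_diagnosis(db, "MRN-0002", "asthma, controlled")
    delete_patient(db, "MRN-0002")
    for row in audit_trail(db, "MRN-0002"):
        print(row)
```

Two things to check in any review of this layer: that no code path reaches the tables except through bound parameters, and that the audit table is writable only by the trigger, not by the application account, so the trail the compliance team relies on cannot be edited by the same credentials that change the data.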


  • Securing Relational Cloud-Based DB Solutions: IaaS, Server / Infrastructure
    - Physical Access Controls
    - Hypervisor / Management Backplane
      - Grouping: Segmenting VMs
      - Generalization: Leveraging a Template
      - Aspect-Oriented Management: Tiering
      - Automation: Provisioning
      - Air Gapping: Siloed Virtual Networks (VLANs)

  • Securing Relational Cloud-Based DB Solutions: IaaS, OS
    - OS Firewalls (Windows)
    - Patching / Configuration Management (Chef / Puppet)
    - PKI: Encryption, Key Management
    - Logical Access Controls
    - Anti-Virus (AV)
    - Authentication, Authorization & Accounting (AAA)
    - IAM
    - Vulnerability Assessment Scanning
      - Amazon Elastic Compute Cloud (EC2) Instance: CloudInspect


  • Source: CORE

  • Securing Relational Cloud-Based DB Solutions: IaaS, Database
    - Backups
    - URM
    - Segregation / Separation of Duties
    - Vulnerability Scanning
      - McAfee Database Security Scanner (DSS) for MS SQL Azure
    - Database Activity Monitoring (DAM)
    - Database Firewall
    - IAM

  • Diagram: Internet → AWS Cloud, with EBS volumes and EBS snapshots (Source: Amazon)

  • Source: McAfee

  • Source: Application Security

  • Source: Oracle

  • Securing Relational Cloud-Based DB Solutions: IaaS, Database
    - LAMP Stack & phpMyAdmin Scenario:
      - Setup VPC: Public & Private via NAT
      - Setup App Security Group
      - Build Public App Instance on EC2 w/ LAP & phpMyAdmin
      - Setup DB Security Group w/ App Security Group Added
      - Build Private MySQL DB Instance on EC2 w/ Encrypted EBS
      - Leverage CloudWatch for App & DB Instances
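    Both EC2 scenarios on this page (the RDS Oracle / Tomcat one and this LAMP one) rely on the same network layering: the DB security group admits only the app security group, nothing else, and the DB data volume is encrypted. Drift in either is easy to introduce and easy to miss, so it is worth a repeatable check. The block below is an added example, not code from the presentation or from AWS: the security-group and volume dictionaries are a simplified constructed shape, not the real EC2 API response format, and the `sg-app`, `sg-db`, `i-db` and `vol-*` identifiers are placeholders. A real run would build the same dictionaries from the cloud API and apply the same rules.

```python
# Constructed, simplified descriptions of the two tiers in the scenario.
DB_PORT = 3306                       # MySQL; 1521 for the Oracle RDS scenario
PUBLIC_OK_PORTS = {80, 443}          # the only ports the public app tier should expose to everyone

APP_SG = {"id": "sg-app", "ingress": [
    {"port": 443, "cidr": "0.0.0.0/0"},
    {"port": 22, "cidr": "10.0.0.0/16"},       # admin access only from inside the VPC
]}
DB_SG_GOOD = {"id": "sg-db", "ingress": [
    {"port": DB_PORT, "source_sg": "sg-app"},  # the only rule the scenario calls for
]}
DB_SG_BAD = {"id": "sg-db", "ingress": [
    {"port": DB_PORT, "cidr": "0.0.0.0/0"},    # drift: DB port open to the internet
    {"port": DB_PORT, "source_sg": "sg-app"},
    {"port": 22, "cidr": "0.0.0.0/0"},         # drift: SSH open to the internet
]}
VOLUMES = [
    {"id": "vol-data", "attached_to": "i-db", "encrypted": True},
    {"id": "vol-old", "attached_to": "i-db", "encrypted": False},
    {"id": "vol-web", "attached_to": "i-app", "encrypted": False},
]


def audit_db_security_group(db_sg, app_sg_id, db_port):
    """Return findings for the DB tier; an empty list means it matches the scenario.

    Rule: every ingress rule must reference the app security group (never a CIDR)
    on the DB port, and at least one such rule must exist.
    """
    findings = []
    sg_id = db_sg["id"]
    for rule in db_sg["ingress"]:
        if "cidr" in rule:
            findings.append(f"{sg_id}: port {rule['port']} open to {rule['cidr']}")
        elif rule.get("source_sg") != app_sg_id:
            findings.append(f"{sg_id}: port {rule['port']} admits unexpected group {rule.get('source_sg')}")
        elif rule["port"] != db_port:
            findings.append(f"{sg_id}: app tier admitted on non-DB port {rule['port']}")
    if not any(r.get("source_sg") == app_sg_id and r["port"] == db_port for r in db_sg["ingress"]):
        findings.append(f"{sg_id}: no rule admits {app_sg_id} on port {db_port}")
    return findings


def audit_app_security_group(app_sg):
    """Return findings for the public tier: only the web ports may be open to 0.0.0.0/0."""
    return [
        f"{app_sg['id']}: port {r['port']} open to {r['cidr']}"
        for r in app_sg["ingress"]
        if r.get("cidr") == "0.0.0.0/0" and r["port"] not in PUBLIC_OK_PORTS
    ]


def audit_volumes(volumes, instance_id):
    """Return ids of unencrypted volumes attached to the given instance."""
    return [v["id"] for v in volumes if v["attached_to"] == instance_id and not v["encrypted"]]


if __name__ == "__main__":
    for label, sg in (("good", DB_SG_GOOD), ("bad", DB_SG_BAD)):
        print(label, audit_db_security_group(sg, "sg-app", DB_PORT))
    print("app", audit_app_security_group(APP_SG))
    print("volumes", audit_volumes(VOLUMES, "i-db"))
```

Referencing the app security group by id rather than by the app instance's address is what keeps the rule correct when the public instance is replaced or scaled; a check that only looks for "no 0.0.0.0/0 on 3306" would miss a rule that admits a whole subnet.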


  • Securing Relational Cloud-Based DB Solutions: IaaS, Storage
    - PKI: Encryption, Key Management
    - Logical Access Controls
      - RBAC Groups (OpenStack Swift)
    - Authentication, Authorization & Accounting (AAA)
    - IAM
    - Monitoring
    - Information Governance: Lifecycle


  • Securing Relational Cloud-Based DB Solutions: IaaS, Database, IAM
    - Federated Identity
      - Security Assertion Markup Language (SAML)
      - Open Authorization (OAuth)
      - Representational State Transfer (REST)
      - AWS IAM
      - Windows Azure Access Control Service (ACS)
      - Web Services Trust Language (WS-Trust)
      - Active Directory Federation Services (ADFS)
      - Microsoft Federation Gateway (MFG)

  • Source: OASIS

  • Source: Intuit


  • Source: Apache


  • Source: Microsoft

  • Source: Chappell & Associates

  • Source: Microsoft

  • Securing Relational Cloud-Based DB Solutions: IaaS, Application & Middleware
    - WAF / Proxy
    - XML Firewall
    - SDL
      - SAST
      - DAST

  • Securing NRDBMS Cloud-Based DB Solutions
    - General
      - Focus on Application / Middleware-Level Security
      - SQL Injections Are Still Possible
      - Leverage Application IAM for NRDBMS URM
      - Leverage Application & System Logging for AAA
      - Segregation of Duties
        - Read / Write Namespaces
        - Read-Only Namespaces
    - Specific
      - Document: Consistency Assurance
      - Key / Value: Ensure Referential Integrity
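    "SQL injections are still possible" against a non-relational store because the injection is into the query's structure, not into SQL syntax: when a request body is decoded from JSON and the decoded value is placed straight into a document filter, an object where a string was expected becomes a query operator. The block below is an added example, not code from the presentation: the in-memory matcher is a stand-in for a document database (its `$ne` operator syntax is modelled on MongoDB-style filters, and it is the only operator implemented), the `USERS` documents and the request bodies are constructed, and `lookup_unsafe` / `lookup_safe` are illustrative names. It shows the vulnerable lookup beside the hardened one, where the fix is type-checking the input before it reaches the filter.

```python
import json

# Constructed documents standing in for a users collection; the 'namespace' field
# reflects the slide's read/write vs read-only split.
USERS = [
    {"user": "alice", "role": "admin", "namespace": "rw"},
    {"user": "bob", "role": "analyst", "namespace": "ro"},
]


def _matches(doc_value, condition) -> bool:
    """Evaluate one field condition: a literal means equality, a dict means an operator."""
    if isinstance(condition, dict):
        if set(condition) == {"$ne"}:
            return doc_value != condition["$ne"]
        raise ValueError("unsupported operator")
    return doc_value == condition


def find(docs, query):
    """Return the documents for which every field condition in the query holds."""
    return [d for d in docs if all(_matches(d.get(k), v) for k, v in query.items())]


def lookup_unsafe(raw_json_body: str):
    """The 'before' form: the decoded value goes straight into the filter.

    The caller meant 'the user whose name equals this string'; if the body carries an
    object instead of a string, the filter's meaning changes to whatever operator it holds.
    """
    body = json.loads(raw_json_body)
    return find(USERS, {"user": body["user"]})


def lookup_safe(raw_json_body: str):
    """The hardened form: only a non-empty plain string may reach the filter."""
    body = json.loads(raw_json_body)
    user = body.get("user")
    if not isinstance(user, str) or not user:
        # Reject rather than coerce: str(obj) would silently query for a bogus name.
        raise ValueError("user must be a non-empty string")
    return find(USERS, {"user": user})


def check_body(raw_json_body: str) -> bool:
    """True if lookup_safe accepts the body, False if it rejects it."""
    try:
        lookup_safe(raw_json_body)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # A well-formed request and a malformed one (constructed) behave the same in the
    # safe path; only the unsafe path lets the malformed one widen the result set.
    print(lookup_unsafe('{"user": "bob"}'))
    print(check_body('{"user": "bob"}'), check_body('{"user": {"$ne": ""}}'))
```

The same rule generalises beyond this one operator: every value that arrives from outside should be validated against the type the query expects (string, integer, identifier) before it is used, and the database user the application connects with should hold only the namespace rights the slide describes (read-only where the path only reads), so that a structural mistake in one query cannot become a write.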


  • Privacy & Data Protection for Cloud-Based DBs
    - Jurisdictions*
      - Regional: EU DPA
      - National: PIPEDA, GLBA, HIPAA / HITECH, COPPA, Safe Harbor
      - Statutory: Bavarian, CA SB 1386 / 24, MA 201 CMR 17, NV SB 227
    - Data Flow & Jurisdictional Adherence
    - Data Sharing with Third Parties
      - Pseudonymization / De-Identification
      - Consent & Notices
      - Contract Clauses: Model Contracts
    - Privacy Best Practices
      - Generally Accepted Privacy Principles (GAPP)

    * Not all inclusive.
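    Of the controls listed for data sharing with third parties, pseudonymization is the one that is implemented in code rather than in a contract. The block below is an added example, not code from the presentation: it replaces each direct identifier with a keyed HMAC-SHA-256 token and passes through only an allow-list of fields, so a recipient gets a data set it can join on but cannot reverse. The field lists, the sample records and the fixed key used in the test are constructed; the HMAC construction itself is standard. Keying the tokens (rather than hashing the identifier alone) is what stops a recipient from rebuilding the mapping by hashing guessed inputs, and the key stays with the data owner, never with the data.

```python
import hashlib
import hmac
import secrets

# Constructed field policy for a shared extract.
IDENTIFIERS = ("mrn", "ssn", "email")   # direct identifiers: replaced by keyed tokens
KEEP = ("diagnosis", "zip3")            # fields the recipient needs, passed through
# Anything not in either tuple (name, phone, ...) is dropped: allow-list, not deny-list.

# Constructed sample records; the values are placeholders.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "ssn": "000-00-0001", "email": "a@example.com",
     "name": "Alice Example", "phone": "555-0100", "diagnosis": "hypertension", "zip3": "191"},
    {"mrn": "MRN-0002", "ssn": "000-00-0002", "email": "b@example.com",
     "name": "Bob Example", "phone": "555-0101", "diagnosis": "asthma", "zip3": "080"},
]


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymization key; store it with the data owner only."""
    return secrets.token_bytes(32)


def pseudonymize_value(key: bytes, field: str, value: str) -> str:
    """Keyed token for one identifier.

    The field name is mixed into the message so the same value appearing in two
    different fields yields two unrelated tokens. 32 hex chars (128 bits) is kept.
    """
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_record(key: bytes, record: dict) -> dict:
    """Apply the field policy to one record."""
    out = {}
    for field, value in record.items():
        if field in IDENTIFIERS:
            out[field] = pseudonymize_value(key, field, value)
        elif field in KEEP:
            out[field] = value
        # every other field is dropped
    return out


def pseudonymize_dataset(key: bytes, records) -> list:
    return [pseudonymize_record(key, r) for r in records]


def tokens_link(key: bytes, field: str, value_a: str, value_b: str) -> bool:
    """True if two identifier values map to the same token under this key,
    i.e. two rows about the same subject can still be joined by the recipient."""
    return hmac.compare_digest(
        pseudonymize_value(key, field, value_a), pseudonymize_value(key, field, value_b)
    )


if __name__ == "__main__":
    key = new_key()
    for row in pseudonymize_dataset(key, SAMPLE_RECORDS):
        print(row)
```

A pseudonymized extract is still personal data while the key exists, which is why the slide pairs this control with consent, notices and contract clauses rather than treating it as anonymization; rotating the key for each recipient also prevents two recipients from joining their extracts against each other.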

  • Case Study: MySQL & SimpleDB in the Cloud
    - Background
      - SMB Healthcare Service Provider (HIPAA Business Associate) Providing Services for Larger HIPAA Covered Entities
      - Fall 2011 Project
    - Drivers
      - Cost Savings
      - HIPAA / HITECH Compliance
      - More Cost Effective & Simplistic BCP / DRP Planning
      - Parse Out Non-Protected Health Information (PHI)

  • Case Study: MySQL & SimpleDB in the Cloud (Continued)
    - Technologies
      - AWS: EC2, EBS, Simple Storage Service (S3), SimpleDB
      - Linux (Ubuntu AMI), Apache, MySQL, & PHP (LAMP) Stack
      - OpenLDAP
      - Splunk
    - Limitations
      - Skill-Sets (AWS EC2, SimpleDB)
      - Risk Posture
      - Vendor Management

  • Case Study: MySQL & SimpleDB in the Cloud (Continued)
    - Risks
      - Vendor Lock-In: AWS EC2 and / or SimpleDB
      - Legal Concerns: Lack of Bargaining Power; Service Level Agreements (SLAs)
      - Data Security & Privacy Concerns: Geographic Jurisdiction
      - Business Continuity / Availability: DataCom Circuits
      - Variable Costs: Data Transfer

  • Case Study: MySQL & SimpleDB in the Cloud (Continued)
    - Lessons Learned
      - Cloud Strategy / Roadmap Matters
      - Availability Issues w/ SimpleDB
      - Learning Curve: SimpleDB, Elastic Block Store (EBS)
      - Not as Cost Effective as First Thought: Backups & S3
    - Next Steps
      - Leveraging NoSQL for More Log Data
      - Enhanced use of Splunk for SIEM
      - Splunk to the Cloud (on AWS EC2)

  • Presentation Take-Aways
    - Databases in the Cloud are Here to Stay
    - Secure Cloud-Based DBs Through Defense-in-Depth
      - Application / Database
      - Middleware
      - OS
      - (Virtual) Infrastructure
    - Stay Abreast of New Technologies / Services
      - Big Data
      - Federated Identities

  • Questions?
    Contact
    - Email: [email protected]
    - markes1
    - LI: http://www.linkedin.com/in/smarkey
    - CSA-DelVal: http://www.csadelval.org/

    Notes: Veracode, Acunetix; modsecurity; ZED Proxy

    http://qugstart.com/blog/amazon-web-services/how-to-set-up-db-server-on-amazon-ec2-with-data-stored-on-ebs-drive-formatted-with-xfs/

    Here's the procedure I decided on. It involves symlinking Mysql config files and data directories onto the EBS volume. Another trick I used because I needed to migrate about 20 GiBs of data to get started, was that I initially set up an X-tra large instance, with 10 GiBs RAM to handle the data import. After the data was migrated and imported to my database, I simply terminated my X-Large instance and spun up a small instance connected to the same EBS volume! All the databases were preserved nicely and I did not have to waste money paying for an X-Large instance anymore. This exemplifies the value of thinking in the cloud mindset where you can spin up and down servers in a matter of seconds! Hope this article helps someone else out there!
