Security for SaaS/Cloud (and InnerSpace)
Roy Ellis [email protected]
© 2012 Progress Software Corporation. All rights reserved.
Insecurity in the Cloud
Fearing security deficiencies is one of the biggest reasons people aren’t moving to the Cloud
Is the Public Cloud more or less secure?
Whose job is security in the Cloud?
How do I secure my Application in the Cloud?
• (or in my local environment?)
Is the Cloud more or less secure?
YES!
Of course, it all depends on you…
Security is never complete
Security is a process, not a solution
• Requires a set of defined goals and exclusions
• Requires monitoring
• Requires updating as technology and system access evolve
Protecting vital data via security is a multiple step approach using:
• Environment
• Process
• Hardware
• Software
Whose job is security in the Cloud?
Security of your application in the Cloud is a partnership between you and your Cloud provider
Think of it as a Marriage and get a prenup!
Both partners have specific jobs and responsibilities
Make sure you know what the Cloud provider does
And know what YOU must do
Whose job is security in the Cloud?
Security is your responsibility
Security in Amazon’s Cloud
Amazon clearly defines its responsibilities for security in the cloud
“Since AWS and its customers share control over the IT environment, both parties have responsibility for managing the IT environment.
AWS’ part in this shared responsibility includes providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use.
The customers’ responsibility includes configuring their IT environments in a secure and controlled manner for their purposes.
While customers don’t communicate their use and configurations to AWS, AWS does communicate its security and control environment relevant to customers.”
From “Amazon Web Services: Risk and Compliance May 2011”
Security in Amazon’s Cloud
Amazon White Papers for Security
Amazon Web Services Overview of Security Processes
Security Best Practices
Creating HIPAA-Compliant Medical Data Applications with AWS
AWS Risk and Compliance
PCI DSS Level 1 Compliance
http://aws.amazon.com/security/
Security in Amazon’s Cloud
Amazon Certifications for Security
SAS70 Type II SOC 1/SSAE 16/ISAE 3402
• Statement of Auditing Standards (Auditing of AWS modifications)
• Service Organization Controls 1 (Auditing of AWS Controls)
PCI DSS Level 1
• Payment Card Industry Data Security Standard
ISO 27001
• Information Security Management Standard (ISMS)
FISMA – Moderate & Low Level
• Federal Information Security Management Act
Security in Amazon’s Cloud
Amazon Certifications for Security
ITAR
• International Traffic in Arms Compliance (for USGov)
FIPS 140-2
• Federal Information Processing Standard (for USGov)
HIPAA
• Healthcare Information Privacy Accountability Act
http://aws.amazon.com/security/
Physical Security
Handled by Amazon
Access to the building/hardware limited
• Non-descript facilities
• Extensive setback w/military grade perimeter control
• Multi-level human and video surveillance, etc
Employee controls
• Account provisioning, no access until added
• Account review, every 90 days must re-approve
• Access removal, immediate
• Strict heavy weighted password policy
Environmental Safeguards
• Fire Detection and Suppression
• Power
• Climate and Temperature
Infrastructure Security
Handled by Amazon
Software cycle
• Peer reviews
• Testing
• Approval
Change Management
• Phased deployment to lowest impact or single system
• Scheduled – no downtime
• Self-audits
Infrastructure implementation
• Highly modified Xen hypervisor (VM server)
• Amazon has years of managing the infrastructure
Data Lifecycle Security (Confidentiality/Integrity/Availability - CIA)
EC2 SLA of 99.95% availability
Backups – optionally available from Amazon
• EBS – redundancy but no backups provided
• S3 (Simple Storage Service)
– 99.99999% integrity guarantee
– 99.99% availability guarantee
Storage Device Decommissioning
• Security accepted decommissioning methods or actual destruction
– DoD 5220.00-M “National Industrial Security Program Operating Manual”
– NIST 800-88 “Guidelines for Media Sanitization”
Fault Separation
• 3, 4, 5, 6, 7 separate Regions around the world
• At least 2 Availability Zones in each Region
Firewalls – Managing your machines
Firewalls – your responsibility w/help from Amazon
1st defense against intrusion and internet attacks
Amazon gives you firewall tools – Security Groups
• No ports open by default
• Ports you open can be IP address limited
Security Groups can be set up to create a DMZ
• Open the ports 80 (web) and 443 (https) to the world in 1 Security Group
– Port 443 & IP address access 0.0.0.0/0 (anyone can access)
• Open ports from web server to Application server with IP address limited to only the web server machine
– Port 5162:UDP & IP address access <web.server.ip.address>/32
– Port 3055:TCP & IP address access <web.server.ip.address>/32
Firewalls – Managing your machines
[Diagram. Labels: Client; Amazon Firewall; Security Group (Port 80/443, IP Address 0.0.0.0/0); DMZ: Web Server 168.2.10.3, Internal IP 10.24.3.5, WebSpeed & DB; Security Group Firewall; Security Group (Port 5162, Port 3055, IP Address 10.24.3.5/32); Inner Security Zone: Terminal Server 168.2.10.3, Internal IP 10.24.3.5, AppServer & DB]
Controlling access for management
Maintenance access – your responsibility w/help from Amazon
SSH (port 22)
• Need your x.509 certificate for validation
• Password connection disallowed by default
• SSH has encrypted communication
Remote Desktop on Windows (port 3389)
• Need to decrypt your personal certificate for password
• Remote Desktop uses encrypted communication
Best Practices
• Only allow access to 1 machine of your deployment
• Limit access to your IP address only
• Keep port closed unless managing the machine
• Connect to all other machines from behind the firewall
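An added example, not part of the original slides: a small audit that checks security-group rules against the DMZ layout from the firewall slide and the management-access best practices above. The rule tuples, group names and administrator address are constructed, TCP is assumed for ports 80/443, and one security group per machine is assumed.

```python
import ipaddress

# Constructed values: the web server internal IP is the one shown on the slide;
# the administrator address is a hypothetical documentation-range placeholder.
WEB_SERVER = ipaddress.ip_network("10.24.3.5/32")
ADMIN_IP = "203.0.113.7/32"
PUBLIC_PORTS = {(80, "tcp"), (443, "tcp")}    # may be open to 0.0.0.0/0
APP_PORTS = {(5162, "udp"), (3055, "tcp")}    # web server -> AppServer only
MGMT_PORTS = {(22, "tcp"), (3389, "tcp")}     # SSH and Remote Desktop

def audit(groups):
    """Check {group: [(port, proto, cidr), ...]} and return sorted findings."""
    findings, mgmt_groups = [], set()
    for name, rules in groups.items():
        for port, proto, cidr in rules:
            net = ipaddress.ip_network(cidr, strict=False)
            key = (port, proto)
            if key in MGMT_PORTS:
                mgmt_groups.add(name)
            if net.prefixlen == 0:
                if key not in PUBLIC_PORTS:
                    findings.append(f"{name}: {port}/{proto} open to the world")
            elif key in APP_PORTS and net != WEB_SERVER:
                findings.append(f"{name}: {port}/{proto} not limited to the web server")
            elif key in MGMT_PORTS and net.prefixlen != net.max_prefixlen:
                findings.append(f"{name}: {port}/{proto} not limited to one IP")
    # Assumption: one security group per machine, so management ports in more
    # than one group means more than one machine accepts outside admin logins.
    if len(mgmt_groups) > 1:
        findings.append("management ports in several groups: "
                        + ", ".join(sorted(mgmt_groups)))
    return sorted(findings)

# Constructed rule sets: the layout from the slides, then a misconfigured variant.
GOOD = {
    "web-dmz": [(80, "tcp", "0.0.0.0/0"), (443, "tcp", "0.0.0.0/0")],
    "app-inner": [(5162, "udp", "10.24.3.5/32"), (3055, "tcp", "10.24.3.5/32")],
    "terminal": [(3389, "tcp", ADMIN_IP)],
}
BAD = {
    "web-dmz": [(80, "tcp", "0.0.0.0/0"), (22, "tcp", "0.0.0.0/0")],
    "app-inner": [(5162, "udp", "10.24.3.0/24"), (3055, "tcp", "10.24.3.5/32"),
                  (3389, "tcp", "198.51.100.0/24")],
}

if __name__ == "__main__":
    print(audit(GOOD))
    for finding in audit(BAD):
        print(finding)
```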
Controlling access for management
From “Amazon Web Services Overview for Security Processes”
Network Security – your responsibility
HTTPS
• For web communication
SSL
• For web communication from client to AppServer
• Needed elsewhere?
– It’s your setup
– It’s your call
Performance latency?
• Using HTTPS/SSL will cause performance degradation
• Only encrypt information that is sensitive
– Use different AppServers w/SSL for sensitive data
Application Authentication – your responsibility
Some 3rd party authentication recommendations
• LDAP
• Active Directories
• Kerberos
• Multi-Factor Authentication
• Require complex passwords!
ABL Client-Principal
• Current and future OpenEdge products rely on Client-Principal (multi-tenancy, auditing)
• A cryptographically “sealed” security token
• Container for authenticated credentials
– user, password, domain info, etc.
• Once sealed the client-principal is read-only
• Can be used by all ABL application components
– ABL Session, DB connection
Securely managing your application – your responsibility
OpenEdge Explorer and OpenEdge Management
• Has its own user authentication
The AdminServer has security settings
• “Require Username” and “Admin Groups”
Separation of Development and Production
• The internal developer threat to your production system
• Different machines, networks, ports, everything
Keep your operating system up-to-date
• Download and install critical system updates
• Install and configure system firewall
Securing your application – your responsibility
Protect your intellectual property (application code)
• Employ encryption (file or file system level)
• Utilize O/S and user access limitation
The basics of runtime
• DBAuthkey (RCODEKEY) - ensure code running against the DB was compiled to use that DB
• Runtime table and column access controls
• Operating system file security settings, etc.
Securing your data – your responsibility
Protect your data
• Employ encryption
• Utilize O/S and user access limitation
OpenEdge Auditing - since OpenEdge 10.1A
• Satisfies most government and regulatory requirements - like a camera in a retail store (won’t stop theft but can ID the thief)
• Audit database events
– Create
– Update
– Delete
– Schema changes
– User authentication
– Utilities (dump, load, etc.)
– Application-defined events
Securing your data
Data Encryption – your responsibility
OpenEdge 10.2B Transparent Data Encryption
• Option for Enterprise Database: At-Rest Encryption
– Storage area and individual object level
– Data secure on-disk, backup, and binary dump
– Data is unencrypted In-Memory = (up to) normal speed
• Secure Key Store and Key Management
– Change keys on-line
• Industry standard encryptions
– AES, DES, triple DES, etc.
No application changes for TDE!
Securing your data
[Diagram: A High-Level View of Encryption. Labels: Client; <SSL> Encrypted Messages; Server; Shared Memory; Database on Disk (Encrypted Data); Backups (Encrypted Data); Dump/Load (Encrypted Data)]
Securing your data
OpenEdge Database Encryptable Objects
• Type I Database Storage Area: entire area encrypted (Tables, LOBs, Indexes)
• Type II Database Storage Area: object-level encryption (Table, Index, LOB)
Securing your data
Key Store
• Database Master Key (DMK)
• DMK Admin/User Passphrase
• Manual/Automatic Authentication on DB start
Encryption Policy Area
• Encryption Policies - What (object) & how (cipher)
[Diagram: Database Storage Engine. Labels: Database Files (Encrypted Data); Read I/O, Decrypt; Write I/O, Encrypt; Key Store & Policy Area; Shared Memory Buffer Pool (plain text block)]
Securing your OpenEdge Application
Other considerations…
Disaster Recovery
• Securing your data from catastrophic loss (soft and hard failures)
Database Replication & Replication Plus
• Replicate to up to 2 databases at the same time
• Quick failover to backup databases
Exit Strategy
• How do you get your data back if you want to end your partnership?
– Have a plan
– Get agreement in writing from provider
Multi-Tenancy
[Diagram: four tenancy models on a spectrum from Isolating to Sharing]
• Isolated Tenancy: Tenant1, Tenant2 and Tenant3 each have their own App, DB and Infrastructure
• Infrastructure Tenancy: each tenant has its own App and DB on shared Infrastructure
• Application Tenancy: tenants share one App and the Infrastructure; each has its own DB
• Shared Tenancy: tenants share one App, one DB and the Infrastructure
Isolating: Easier customization, security; Simpler throttling control; Target dissimilar customers; No transformation
Sharing: Better economy of scale; Simpler management; Target like-customers; Least cost to serve
Progress Arcade and the “Road to the Cloud”
[Diagram: the “Back roads” (How much Time, Money, Resources?) and the “Expressway” (12 Clicks) to Public Clouds and Private Clouds]
• Wizard-like process
• Single-source billing
• Cloud agnostic
• Common user experience
• No vendor lock-in
Progress Arcade
Cloud Deployment Flexibility
Progress Arcade - Free Community Resources
• SHARE: Network and discuss all things SaaS and cloud with others just like you
• TRY: With just a few clicks take a test-drive of applications and solutions provided by Progress
• BROWSE: Visit our virtual marketplace of complementary products & services
Progress Arcade - Premium Resources
• STAGE: Configure and prepare your application for the cloud quickly and easily
• DEMO: Offer prospects the ability to demonstrate your products in the cloud
• DEPLOY: Deploy your production application in the cloud with just a few simple clicks
Links, documents, other stuff you might want to know…
Amazon’s Web Security information
• http://aws.amazon.com/security/
2011 Security Webinar “Briefcase”
• Including streaming playback of the webinar
• Many security white papers
• http://communities.progress.com/pcom/docs/DOC-106849
Introduction to Arcade
• Tomorrow at 8:30 AM, Concord Room
• http://arcade.progress.com/