the practitioner's guide to cloud security
DESCRIPTION
My presentation from Cloud Expo Europe, London, January 2013, outlining which technologies could be leveraged today to secure an organization's cloud infrastructure: 1. Responsibility 2. Strong Authentication 3. WAF 4. Log 5. Dynamic Cloud Server Firewall
TRANSCRIPT
Dome9 – Secure Your Cloud™
CloudExpo Europe – London, January 2013
The Practitioners Guide to Cloud Security
London, January 2013
Zohar Alon, @zoharalon, Co-Founder & CEO
Me, and my company
Zohar Alon – Co-Founder & CEO
• Creator of Check Point’s Provider-1 & SP product lines
• Over 20 years of security & IT experience
Cloud Server Security Management
• Automate and centralize security across an unlimited number of cloud, dedicated, and virtual private servers
What’s this?
1 day and 86,000 attempts later…
There are more than 30 million Cloud, VPS & Dedicated Servers
• Most of these servers are vulnerable to attack
– Admins leave ports open to connect to their servers
– Hackers use these same open ports to gain access
• Most of these servers’ security is unmanageable
– Sprawled across multiple private & public clouds
– Operating systems are a virtual buffet
• Most of the ‘available’ security doesn’t work
– Service providers lack expertise & focus to build it
– Security vendors have business models that don’t fit and/or technology that doesn’t migrate and scale
Who’s responsible for security?
The Practitioners Guide
Part 1 – Responsibility
• Most don’t know who’s responsible for cloud security
– 42% say they wouldn’t know if their cloud was hacked
– 39% think their provider would tell them
• Security is everybody’s responsibility
– accept and share it!
• Security is your responsibility
– Deal with it!
[Chart: Who’s Responsible? Segments: Customer, Provider, Both. Values shown: 31%, 36%, 33%. Source: Ponemon Cloud Security Research Study]
The Practitioners Guide
Part 2 – Authentication
• If anyone can log in, consider multi-factor authentication to harden access
• Simple mobile app integration, w/ QR code support & SMS backup
The Practitioners Guide
Part 3 – WAF
• WAF: Web Application Firewall
– Protects Web services, sites and applications
– Monitors the requests to the web layer
– Brute-force login, spam bots, SQL injections, etc.
• Easy to enable – No Install!
– Provides added security layer w/o overhead
• Every Web App Will Use one
– CloudFlare, Incapsula or Akamai
– Bonus I – site is faster
– Bonus II – DDoS mitigation capabilities
The Practitioners Guide
Part 4 – Log
• You saw how many insights we get from the logs. You need to store and analyze them.
• We use several vendors for this – each for a different use-case:
– Splunk & SplunkStorm
– SumoLogic
– Loggly
– LogEntries
The Practitioners Guide
Part 5 – Firewall
• Take control of your security policies
– You do much more when it comes to the office firewall
• Close All (admin) Ports – Open Dynamically
– Open them only for whom, and for as long as is needed.
• Don’t rely on static scopes
– Too much management overhead and risk.
• Aggregate & Centralize firewall management
– Across regions, providers and applications
• At Dome9, we eat our own dog food
– On Amazon, Verizon’s Terremark and Rackspace
What happened here?
Dome9: How it Works
Automated Cloud Server Security
• Manage OS firewall (via Agent) and virtual firewall (via API) across all cloud servers
• Enable on-demand, time-based secure access leases per server, source & time
• Automatically close server access when lease expires
• Stop attackers from targeting open admin ports via brute force attacks and exploits
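The lease model on this slide and in Part 5 (admin ports closed by default, opened per server, source and time, closed again on expiry), sketched as an added example. It is not Dome9's code or API: the `Lease` and `LeaseFirewall` names, the rule text format and the 256-address scope limit are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    server: str        # hypothetical server identifier
    source: object     # ipaddress network the lease is scoped to
    port: int
    expires_at: float  # epoch seconds


class LeaseFirewall:
    """Default-deny on admin ports; access exists only while a lease is live."""

    MAX_SCOPE = 256  # assumed policy: refuse sources wider than a /24

    def __init__(self, admin_ports=(22, 3389)):
        self.admin_ports = set(admin_ports)
        self.leases = []

    def grant(self, server, source, port, now, ttl_seconds):
        if port not in self.admin_ports:
            raise ValueError("leases are only issued for managed admin ports")
        net = ipaddress.ip_network(source, strict=False)
        if net.num_addresses > self.MAX_SCOPE:
            raise ValueError("source scope too broad for a lease")
        lease = Lease(server, net, port, now + ttl_seconds)
        self.leases.append(lease)
        return lease

    def expire(self, now):
        """Drop expired leases and return them so the closure can be logged."""
        closed = [l for l in self.leases if l.expires_at <= now]
        self.leases = [l for l in self.leases if l.expires_at > now]
        return closed

    def allows(self, server, src_ip, port, now):
        # Expiry is checked here too, so a late cleanup never extends access.
        ip = ipaddress.ip_address(src_ip)
        return any(l.server == server and l.port == port
                   and l.expires_at > now and ip in l.source
                   for l in self.leases)

    def rules(self, server, now):
        """Effective allow list for one server; everything else stays denied."""
        return sorted(f"allow tcp {l.source} -> {server}:{l.port}"
                      for l in self.leases
                      if l.server == server and l.expires_at > now)
```

Returning the expired leases from `expire` gives the caller a record of every closure to send to the log pipeline from Part 4.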
Multi-Cloud Management
Time-Based Controls
1-Click Secure Access
Dome9 Central Simplified Security Management
Wrap Up
① Take Responsibility
② Harden Authentication
③ Use a Web Application Firewall
④ Log, Log, Log, Log, Log… and Analyze
⑤ Lockdown and Automate the Server Firewalls… with Dome9!
Q&A
References and Links
• Firewall Management Service:
– http://www.dome9.com/
– https://secure.dome9.com/account/register?code=ecommerce
• MyDigipass 2 Factor Authentication Service:
– https://www.mydigipass.com/
• Log Management Services:
– Splunk Storm Service - https://www.splunkstorm.com/
– Loggly - http://loggly.com/
– LogEntries - https://logentries.com/
• WAF Services:
– CloudFlare - https://www.cloudflare.com/
– Incapsula - http://www.incapsula.com/
• Cloud Security Study:
– http://www.dome9.com/wp-content/uploads/2011/11/Ponemon-Cloud-Security-Study.pdf