Cloud Security Practices and Principles
Joan Pepin
! An opportunity to simplify and increase security
! Misunderstood
! A victim of FUD
– Take time to examine it?
– Or DOOM?
! Fearing what you do not understand is reasonable from an IT perspective. But this is worth the time to understand.
! You have people on your staff who know way too much about wattage, and BTUs, and rack density, and how raised, exactly, the floor needs to be
! So you think in certain ways:
– Hardware rotates and depreciates on a fixed 36-month cycle
– This is the mix of RAM, Disk, and CPU I have to work with
– This is how many watts we've got
– And this is the bandwidth capacity of the datacenter
! Trying to insert yourself in the process run by the ping, power and pipe guys
! Dealing with span ports
! Dealing with legacy compromises and legacy infrastructure that no longer matches your security requirements…
! And probably never did
! We do lots of things in this business where we transit public space, and we take steps to secure that transit
! Cloud computing is truly a different paradigm with different rules and different logic
A New World

The Old World                               Cloud Computing
Precise Control                             Statistics
Scripts and Capacity Planning Spreadsheets  Feedback Loops/Auto-scaling
36-month Refresh Cycles                     Bids for Spot Instances
! What security professionals are looking for is control
! You can achieve control in the cloud, by playing a new game
! “The highest form of generalship is to thwart your enemy's plans.” – Sun Tzu
! Not needing to regularly review firewall rule ordering as part of your operational process, as one example
! Instrument
! Gather data
! Design your rules
! Iterate from the whiteboard
! Not a live firewall console
! For instance :)
! In the cloud you have the tools to design, implement and refine your policies, controls and enforcement in a centralized fashion
! Your code is your infrastructure
! Your SDLC can now be brought to bear on areas traditionally out-of-sync with your security posture
! Scale to massive sizes without having to worry about things like firewall rule ordering, optimization or audit as part of your operational cycle
! Your security will become fractal, and embedded in every layer of your system.
! What are your primitives?
! I/O, Memory, Storage, Compute, and Code
! Data
– At Rest, in Motion, and in Use
! Access control
– Monitoring tools, third-party apps, troubleshooting tools
! Interfaces/APIs
– Clean, Minimal, Authenticated, Validated
! Each of those must be thought of on its own and in combination with the other components it interacts with
! It is both that simple and that complicated.
! That simplicity gives you the power to understand everything
! Every protocol
! Every interface
! If you want to achieve true and full Default Deny on everything, everywhere, this is where it starts
! Understand your state changes
! Bring that understanding to bear through development
! Your entire infrastructure is your code-base
! There is no gap between the operational physical layer and the software that runs on top of it.
! Machine and network failures are just exceptions to be caught and handled
! Your infrastructure can now evolve and support your system
! because it is the system
! Register all of your VMs, services, IPs, and ports
! Automatically build firewall policies based on that
! Re-build and distribute SSL/TLS keys
! Whenever you want
! HIDS, HFW and File Integrity Checkers configured with instance tags
! Unit test everything
! Allowing security to keep up with your product
! You know… like we do… on the Internet ;)
! At rest and in motion.
! Any data that is ephemeral can be kept on encrypted ephemeral storage whose keys can simply be kept in memory.
– When the instance dies, the key dies with it.
! Longer-lived data should be stored away from the keys that secure it
– If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool
! Allow only expected connections
! Front-end web-applications need to accept connections from anyone in the world
– (but it's more likely only your load balancer does)
! As part of your infrastructure-as-software design
– Know what needs to talk to what
• on what port and under what circumstances,
– And only allow that,
• everything else is bit-bucketed and alerted on.
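The idea the slides above keep returning to (register every service, IP and port; generate the firewall policy from that registry; allow only the expected connections and alert on everything else; unit test it), as an added Python example that is not from the talk or from Sumo Logic. Service names, instance tags, ports and the flow log are constructed.

```python
"""Added example: build a default-deny network policy from a service registry."""
# Constructed registry: service -> instance tag, listening ports, allowed callers.
# "any" marks a genuinely public listener; every other caller must itself be registered.
REGISTRY = {
    "lb":  {"tag": "role:lb",  "ports": [443],  "callers": ["any"]},
    "web": {"tag": "role:web", "ports": [8080], "callers": ["lb"]},
    "db":  {"tag": "role:db",  "ports": [5432], "callers": ["web"]},
}
# Final rule: whatever no allow rule matched is dropped and alerted on.
DEFAULT_DENY = {"src": "*", "dst": "*", "port": "*", "action": "drop+alert"}

def validate(registry):
    """Unit-test the registry first: an unregistered caller is a typo or an undocumented dependency."""
    for name, svc in registry.items():
        for caller in svc["callers"]:
            if caller != "any" and caller not in registry:
                raise ValueError(f"{name}: unknown caller {caller!r}")
    return True

def build_policy(registry):
    """Expand 'what talks to what, on what port' into tag-based allow rules, then deny the rest."""
    validate(registry)
    rules = []
    for svc in registry.values():
        for port in svc["ports"]:
            for caller in svc["callers"]:
                src = "*" if caller == "any" else registry[caller]["tag"]
                rules.append({"src": src, "dst": svc["tag"], "port": port, "action": "allow"})
    rules.append(DEFAULT_DENY)
    return rules

def evaluate(rules, src_tag, dst_tag, port):
    """First-match evaluation of one flow (source tag, destination tag, destination port)."""
    for r in rules:
        if r["src"] in ("*", src_tag) and r["dst"] in ("*", dst_tag) and r["port"] in ("*", port):
            return r["action"]
    return DEFAULT_DENY["action"]

def audit(rules, flows):
    """Return the observed flows the policy would drop: the alerts worth investigating."""
    return [flow for flow in flows if evaluate(rules, *flow) != "allow"]

if __name__ == "__main__":
    # Constructed flow log: (source tag, destination tag, destination port)
    flows = [("role:lb", "role:web", 8080), ("role:web", "role:db", 5432),
             ("role:web", "role:db", 22), ("role:lb", "role:db", 5432)]
    for flow in audit(build_policy(REGISTRY), flows):
        print("ALERT unexpected flow:", flow)
```

Because the rules are derived from tags rather than addresses, adding an instance only means registering it; the policy is regenerated rather than edited in a live console, and `validate` is what you run in CI before anything is pushed.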
! In software-driven cloud-based deployments, there is
! The public utility model of cloud computing brings substantial advantages of scalability and automation which can be leveraged by information security professionals
! As a result, a more secure service can be built on the public cloud for less investment than in a traditional data center
! Just remember your fundamentals
! And always shoot the messenger
! Download our white paper, Building Secure Services in the
Cloud: www.sumologic.com/resources/
! Register for Sumo Logic Free www.freesumo.com
! Contact [email protected] or [email protected]