
(1)

Cloud Security Practices and Principles

Joan Pepin

(2)

• An opportunity to simplify and increase security
• Misunderstood
• A victim of FUD
  – Take time to examine it?
  – Or DOOM?
• Fearing what you do not understand is reasonable from an IT perspective. But this is worth the time to understand.

(3)

• You have people on your staff who know way too much about wattage, and BTUs and rack density and how raised, exactly, the floor needs to be
• So you think in certain ways:
  – Hardware rotates and depreciates on a fixed 36-month cycle
  – This is the mix of RAM, Disk, and CPU I have to work with
  – This is how many watts we've got
  – And this is the bandwidth capacity of the datacenter

(4)

• Trying to insert yourself in the process run by ping, power and pipe guys
• Dealing with span ports
• Dealing with legacy compromises and legacy infrastructure that no longer matches your security requirements…
• And probably never did
• We do lots of things in this business where we transit public space, and we take steps to secure that transit

(5)

• Cloud computing is truly a different paradigm with different rules and different logic

A New World

  The Old World                                  Cloud Computing
  Precise Control                                Statistics
  Scripts and Capacity Planning Spreadsheets     Feedback Loops/Auto-scaling
  36-month Refresh Cycles                        Bids for Spot Instances

(6)

• What security professionals are looking for is control
• You can achieve control in the cloud, by playing a new game

• “The highest form of generalship is to thwart your enemies' plans.” – Sun Tzu

(7)

• Not needing to regularly review firewall rule ordering as part of your operational process, as one example
• Instrument
• Gather data
• Design your rules
• Iterate from the whiteboard
• Not a live firewall console
• For instance :)

(8)

• In the cloud you have the tools to design, implement and refine your policies, controls and enforcement in a centralized fashion
• Your code is your infrastructure
• Your SDLC can now be brought to bear on areas traditionally out-of-sync with your security posture
• Scale to massive sizes without having to worry about things like firewall rule ordering, optimization or audit as part of your operational cycle
• Your security will become fractal, and embedded in every layer of your system.

(9)

• What are your primitives?
• I/O, Memory, Storage, Compute, and Code
• Data
  – At Rest, in Motion, and in Use
• Access control
  – Monitoring tools, third-party apps, troubleshooting tools
• Interfaces/APIs
  – Clean, Minimal, Authenticated, Validated

(10)

• Each of those must be thought of on its own and in combination with the other components it interacts with
• It is both that simple and that complicated.

(11)

• That simplicity gives you the power to understand everything
• Every protocol
• Every interface
• If you want to achieve true and full Default Deny on everything, everywhere, this is where it starts
• Understand your state changes
• Bring that understanding to bear through development

(12)

• Your entire infrastructure is your code-base
• There is no gap between the operational physical layer and the software that runs on top of it.
• Machine and network failures are just exceptions to be caught and handled
• Your infrastructure can now evolve and support your system
• because it is the system

(13)

• Register all of your VMs, services, IPs, and ports
• Automatically build firewall policies based on that
• Re-build and distribute SSL/TLS keys
• Whenever you want
• HIDS, HFW and File Integrity Checkers configured with instance tags
• Unit test everything
• Allowing security to keep up with your product

(14)

• You know… like we do… on the Internet ;)
• At rest and in motion.
• Any data that is ephemeral can be kept on encrypted ephemeral storage, with keys that can simply be kept in memory.
  – When the instance dies, the key dies with it.
• Longer-lived data should be stored away from the keys that secure it
  – If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool

(15)

• Allow only expected connections
• Front-end web-applications need to accept connections from anyone in the world
  – (but it's more likely only your load balancer does)
• As part of your infrastructure as software design
  – Know what needs to talk to what
    • on what port and under what circumstances,
  – And only allow that,
    • everything else is bit-bucketed and alerted on.
• In software-driven cloud-based deployments, there is
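The "register everything, then generate the policy from the registry" idea of slides (13) and (15), as an added example that is not from the talk: a constructed service registry is expanded into explicit allow rules, anything not on that list falls to the default-deny branch that drops and alerts, and one invariant is checked the way the deck suggests unit-testing the infrastructure. Service names, CIDRs and ports are invented for illustration.

```python
"""Added example (not from the talk): expand a service registry into an
explicit allow-list and treat everything else as default deny + alert.
All service names, CIDRs and ports below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    cidr: str                       # address range this service's instances live in
    listens: dict = field(default_factory=dict)  # port -> set of allowed source services

WORLD = "world"                     # pseudo-service meaning "anyone on the Internet"
# Constructed registry: who needs to talk to whom, on which port.
REGISTRY = {
    "lb":  Service("lb",  "10.0.0.0/24", {443: {WORLD}}),
    "web": Service("web", "10.0.1.0/24", {8080: {"lb"}}),
    "db":  Service("db",  "10.0.2.0/24", {5432: {"web"}}),
}


def build_policy(registry):
    """Derive (src_cidr, dst_cidr, port) allow rules from the registry.
    Nothing outside this list is ever permitted, so rule ordering is irrelevant."""
    rules = []
    for dst in registry.values():
        for port, sources in dst.listens.items():
            for src in sorted(sources):
                src_cidr = "0.0.0.0/0" if src == WORLD else registry[src].cidr
                rules.append((src_cidr, dst.cidr, port))
    return rules


def evaluate(rules, src_ip, dst_ip, port):
    """'ALLOW' on an explicit match; otherwise the packet is bit-bucketed and alerted on."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_cidr, dst_cidr, p in rules:
        if p == port and s in ipaddress.ip_network(src_cidr) and d in ipaddress.ip_network(dst_cidr):
            return "ALLOW"
    return "DROP+ALERT"


def world_facing(rules):
    """Unit-testable invariant: destination CIDRs that accept traffic from the whole Internet."""
    return sorted({dst for src, dst, _ in rules if src == "0.0.0.0/0"})


if __name__ == "__main__":
    policy = build_policy(REGISTRY)
    assert world_facing(policy) == ["10.0.0.0/24"], "only the load balancer may face the world"
    print(evaluate(policy, "10.0.0.5", "10.0.1.7", 8080))     # lb -> web: ALLOW
    print(evaluate(policy, "203.0.113.9", "10.0.1.7", 8080))  # Internet -> web: DROP+ALERT
```

Re-running build_policy after every registry change is what replaces hand-maintained rule ordering: the allow-list is regenerated from the registry, and the invariant check fails the build if a change would expose a non-edge service.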

(16)

• The public utility model of cloud computing brings substantial advantages of scalability and automation which can be leveraged by information security professionals
• As a result, a more secure service can be built on the public cloud for less investment than in a traditional data center
• Just remember your fundamentals
• And always shoot the messenger

(17)

• Download our white paper, Building Secure Services in the Cloud: www.sumologic.com/resources/
• Register for Sumo Logic Free: www.freesumo.com
• Contact [email protected] or [email protected]
