Cloud Security


Introduction

Sam Quigley

Principal at Emerose Advisory Services, a consultancy focused on helping both startups and enterprise customers think through web and cloud security issues.

http://emerose.com/

Jake Kaldenbaugh

Principal & Founder of CloudStrategies – a consultancy helping both enterprise customers & vendors strategize on Cloud adoption:

Change Management, Vendor Selection, Market Mapping, Positioning & Business Development.

http://www.cloudstrategies.com/

Mike Masnick, Moderator

CEO, Floor64, builder of insight platforms, editor of the Techdirt blog


Today’s Webinar

Introduction

No, not another definition

Real-World Approaches

Trends/Predictions

Three Topics: Control, the Perimeter, and APIs

Managing Risk in the Cloud

More Information


Yes, another Cloud Computing Definition!

Cloud is not a “what”, it’s a “how”:

…an architectural reformation of how computing is acquired, provisioned, consumed and owned (or not)…

…an abstraction of application load from the physical infrastructure and the utilization of the output…


The Cloud Spectrum

The flavors of Cloud define the “what”:

IaaS (Compute): Amazon, GoGrid, Linode, Rackspace, others…

PaaS (App Framework): AppEngine, Azure, EngineYard, Force.com, Heroku

SaaS: Google Apps, Salesforce, Taleo, Workday, many, many more…


Cloud Today = Two Markets

Cloud workloads are more about “what”: Cloud Forward vs. Cloud Backward

Cloud Forward

• “Sexy” stuff

• “New” web business models

• Enterprise: mostly Marketing

• Platforms: Ruby on Rails, RESTful, Python, PHP, AJAX, etc…

Cloud Backward

• “Legacy” stuff

• Incremental

• Enterprise: IT driven

• Platforms: Microsoft, VMWare, Oracle, Citrix, etc…


Trends/Predictions

Pure cloud will dominate in the long term

• Simple economies of scale

• “Utility” model for computing (commoditization)

• Full Enterprise adoption: still a long way off

New companies and startups will adopt quickly

• More agile, less constrained by legacy systems

• Can architect applications from scratch

• Smaller budgets, fewer non-cloud options

• Appirio stated mission: serverless company


Real-World Approaches

“Private Clouds”

• Deployment of virtualization and APIs internally

• Respects investments recently made by enterprises in refreshed data centers (they won’t be abandoned anytime soon)

• Security advantage: leverages the security paradigms already in place

“Hybrid Clouds”

• Some things stored/processed in a (public/private) cloud

• Other things stored/processed internally


Three Problems in Cloud Security

Loss of Control

No More Boundaries

API Security


Loss of Control

Outsourced Management, not Responsibility

• Cloud providers guarantee at most availability

• Confidentiality and integrity of data are not covered

• Businesses remain liable for breaches

Complete Reliance on Providers

• (Usually) few technical details on provider security

• (Usually) no right to audit/test provider defenses

• Hard to leverage existing security infrastructure


Loss of Control

Scary, Not Necessarily Bad

• Cloud providers’ scale can deliver better security more cheaply

Requires (Re-)Alignment of Risks with Business

• As much an opportunity as a challenge

“If your security practices suck in the physical realm, you’ll be delighted by the surprising lack of change when you move to Cloud.” – Christopher Hoff


De-Perimeterization

Traditional IT security: “Firewall It and Forget It”

• The firewall no longer separates attackers from defenders

Client-Side Security

• Traditionally, endpoints were “inside” the firewall

• Now, employees want to use iPhones, iPads, home computers …

Shift to Application/Web Security

• Still a new field, not well understood

• Standards changing fast

De-Perimeterization

The Perimeter Was an Illusion Anyway

• Laptops, WiFi, USB keys, etc.…

• Firewalls (almost) always allow HTTP

• Does nothing to stop insider threats

New Focus on What Matters

• The Data

• The Application

New Areas of Research

• “Self-defending data”

API Security

APIs Used for Communication with Service Providers

• Integration with internal apps and other service providers

• Mashups, content syndication, etc.

New Surface Area for Attackers

• What information does your API leak?

• New forms of attack

High-Profile Weaknesses

• 2008 MySpace / Paris Hilton photo hack

• Flickr and AWS v1 signatures (Flickr’s MD5(secret || params) request signatures could be forged by length extension; AWS Signature Version 1 concatenated parameter names and values with no delimiter, so two different requests could share one valid signature)
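The AWS v1 weakness above is easy to reproduce. The following is an added example, not code from the webinar or from Amazon: it implements the Version 1 string-to-sign (parameters sorted case-insensitively, name and value concatenated with no delimiter, HMAC-SHA1, base64) next to a Version 2 style string-to-sign with percent-encoded `name=value` pairs joined by `&`, and shows that a captured v1 signature over `Action=Delete, Object=log` also validates a different request, while the delimited form does not. The parameter names, the host `example.invalid` and the secret key are constructed for illustration and are not a real AWS API or credential.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed secret; not a real credential.
SECRET_KEY = b"constructed-secret-key-not-a-real-credential"


def canonical_v1(params: dict) -> str:
    """AWS Signature Version 1 string-to-sign: parameters sorted
    case-insensitively by name, then each name and value concatenated
    with no delimiter at all.  The missing delimiter is the flaw: the
    string does not record where a name ends and a value begins."""
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "".join(name + value for name, value in ordered)


def sign_v1(secret: bytes, params: dict) -> str:
    """HMAC-SHA1 over the v1 string-to-sign, base64 encoded."""
    mac = hmac.new(secret, canonical_v1(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def _rfc3986(s: str) -> str:
    # Percent-encode everything except the RFC 3986 unreserved set, so a
    # literal '&' or '=' inside a name or value cannot masquerade as a delimiter.
    return quote(s, safe="-_.~")


def canonical_v2(method: str, host: str, path: str, params: dict) -> str:
    """Signature Version 2 style string-to-sign: method, host and path on
    their own lines, then the query string with encoded name=value pairs
    sorted by byte order and joined by '&'.  Because every boundary is
    explicit and encoded, distinct parameter sets give distinct strings."""
    query = "&".join(
        f"{_rfc3986(name)}={_rfc3986(value)}" for name, value in sorted(params.items())
    )
    return "\n".join([method, host.lower(), path, query])


def sign_v2(secret: bytes, method: str, host: str, path: str, params: dict) -> str:
    """HMAC-SHA256 over the v2 string-to-sign, base64 encoded."""
    msg = canonical_v2(method, host, path, params).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()


# What the legitimate client signed: delete the object named "log".
LEGIT = {"Action": "Delete", "Object": "log"}
# What an attacker replays with the same signature: a different action name,
# plus a stray empty parameter that absorbs the leftover bytes of the string.
FORGED = {"Action": "DeleteObject", "log": ""}


def v1_collides() -> bool:
    """True if the v1 signature of LEGIT also validates FORGED."""
    return sign_v1(SECRET_KEY, LEGIT) == sign_v1(SECRET_KEY, FORGED)


def v2_collides() -> bool:
    """True only if the delimited v2 signing shares the same weakness."""
    args = (SECRET_KEY, "GET", "example.invalid", "/")
    return sign_v2(*args, LEGIT) == sign_v2(*args, FORGED)


if __name__ == "__main__":
    print("v1 string-to-sign (legit): ", canonical_v1(LEGIT))
    print("v1 string-to-sign (forged):", canonical_v1(FORGED))
    print("v1 signatures collide:", v1_collides())
    print("v2 signatures collide:", v2_collides())
```

The v1 string for both requests is `ActionDeleteObjectlog`, so the HMAC cannot tell them apart; the server, however, parses the query string and sees two different actions. The general lesson for anyone designing a signed API is the one the deck hints at: sign an unambiguous encoding of the request (method, host, path and a delimited, encoded parameter list), not a bare concatenation of fields.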


API Security

Emerging Standards

• SAML, WS-*

• OAuth (and its variants)

No Silver Bullets

• Fundamentally a question of business logic and application requirements


Compliance

Audit standards

• Mismatch between auditor expectations and cloud realities

• Audits are the pain of security when things aren’t going wrong


The Law

Law might not seem like a security issue

• But legal issues are a big deal for security these days

• “Legally” defensible, rather than just strategically defensible

Legal issues:

• 4th Amendment questions – still unsettled

• “Third party doctrine”

• Standard for review

• International regulations: EU privacy rules, US Safe Harbor


More Information

• Cloud Security Alliance

  Comprehensive guidance for deploying to the cloud: cloudsecurityalliance.org

• Cloud Audit

  Standardized API for reporting audit results: cloudaudit.org

• Additional resources

  Whitepapers and this presentation: www.techdirt.com/iti/resources.php

  Amazon’s Security Whitepaper: http://awsmedia.s3.amazonaws.com/pdf/AWS_Security_Whitepaper.pdf

  Oracle Solaris Operating System — Optimized for the Intel® Xeon® Processor 5600 and 7500 series:


Discussion


Emerging Vendors

• VMWare

  Yes! Emerging! Has yet to launch vClouds

• Amazon

• PaaS Platform Providers

• Point Technology Vendors

  Unisys: Stealth

  Barracuda: Purewire

  HP: Cloud Assure

  Qualys

  Enstratus

• Note: Security delivered by SaaS is not in our discussion (e.g. AppRiver – secure email)


Amazon’s Security Profile

• Completed SAS70 Type II – “audit of controls”

• Customers have built HIPAA-compliant applications

• Security is designed in throughout, from design to launch:

  Threat modeling, risk assessments, static code analysis, recurring penetration testing

• Physical Security:

  Non-descript buildings, perimeter, ingress points

  Intrusion detection systems – physical, not virtual!

  Two-factor authentication, required at least twice, to reach data center floors

  Security escort at all times


Amazon’s Security Profile

Network Security

• DDoS attack prevention: proprietary methods, multi-homing

• Man-in-the-middle attack prevention: APIs available via SSL-protected endpoints

• Instances generate fresh SSH host keys on first boot (check the fingerprint shown in the instance console output before trusting it)

• Port scans are prohibited; packet sniffing of other tenants’ traffic is not possible (an interface in promiscuous mode receives nothing from the hypervisor that is not addressed to it)

• All inbound ports closed by default; they must be opened explicitly


Amazon’s Security Profile

• Virtual Private Cloud

  Enterprise can connect to a set of isolated AWS compute resources by VPN

  Allows extension of existing management resources, such as security services, firewalls and intrusion detection services, to include AWS

  End-to-end network isolation through a dedicated IP address range, with all traffic routed through an industry-standard encrypted IPsec VPN

• EC2 Security

  Multiple levels: host OS, virtual instance, firewall and signed API calls (X.509 certificate or secret key; SSL can encrypt the call)

  Highly customized Xen hypervisor: the paravirtualized guest OS runs in a less privileged ring and has no elevated access to the CPU
