BSides SF - Automating Security for the Cloud


Upload: cloudpassage

Post on 20-Aug-2015


Page 1: BSides SF - Automating Security for the Cloud

© 2012 CloudPassage Inc.

Automating Security for the Cloud

Why we all need to care…

Security B-Sides SF 2012

Rand Wacker, [email protected]

@randwacker

Page 2: BSides SF - Automating Security for the Cloud


whoami

Security

Cloud

UC Berkeley ✘ ✘

Oracle ✘

Amazon ✘

Sendmail …

IronPort ✘

Cisco ✘

CloudPassage ✘ ✘

Rand Wacker

@randwacker

[email protected]

Slides available soon on community.cloudpassage.com

Page 3: BSides SF - Automating Security for the Cloud


Agenda

1. Who Runs What in the Cloud

2. Cloud Security Differences

3. DevOps vs SecOps

4. Making Everyone Happy

5. The End

Page 4: BSides SF - Automating Security for the Cloud

Who is running in the cloud? (figure, built across pages 4-5: IT, Server Admins, Big Data Analysts)

Page 6: BSides SF - Automating Security for the Cloud

What is running in the cloud?

Development
Who: App-dev shops, integrators, enterprise BUs
Why: Fast, cheap, agile
Risks: Code stolen or hacked, live data theft

Permanent Application Hosting
Who: SaaS providers, social media, gaming
Why: Scalable, elastic, ties costs to growth
Risks: Compliance, data theft, operational disruption

Temporary Workloads
Who: Big data, social, retail, life-sci, media
Why: Agility, speed, scale, “lease the spikes”
Risks: Intellectual property theft

Page 7: BSides SF - Automating Security for the Cloud


“We didn’t think we had cloud servers. Then we checked our developers’ expense reports for AWS...”

- CISO, Fortune 500 (name withheld upon request)

Page 8: BSides SF - Automating Security for the Cloud


Why Your Security Toolbox Doesn’t Work In The Cloud

Page 9: BSides SF - Automating Security for the Cloud

Cloud Security Is New (figure, built across pages 9-11: servers www-1 through www-4 shown first in the private datacenter and then in the public cloud)

Page 12: BSides SF - Automating Security for the Cloud

Cloud Security Is Different (figure, built across pages 12-15: www-1 through www-3 stay in the private datacenter while www-4 moves to the public cloud)

Page 16: BSides SF - Automating Security for the Cloud

Cloud Security Is Complex (figure, built across pages 16-20: www-1 through www-3 in the private datacenter, www-4 through www-6 at Cloud Provider A, www-7 through www-10 at Cloud Provider B)

Page 21: BSides SF - Automating Security for the Cloud

Security Products Aren’t Adapting

(figure: www-1 through www-3 in the private datacenter, www-4 through www-6 at Cloud Provider A, www-7 through www-10 at Cloud Provider B)

• Temporary & Elastic Deployments
• Multiple Cloud Environments
• Metered Usage

Page 22: BSides SF - Automating Security for the Cloud

Survey: Cloud Security Concerns

Question: What security concerns are most important to you regarding public cloud computing? (multiple choice)

• Enterprise security tools don't work in the cloud
• Provider access to guest servers
• Achieving compliance with PCI or other standards
• Multi-tenancy of infrastructure or applications
• Lack of perimeter defenses and/or network control

Chart values: 23%, 24%, 26%, 40%, 44% (which value belongs to which concern is not recoverable from the transcript)

Source: CloudPassage CloudSec Community Survey

Page 23: BSides SF - Automating Security for the Cloud

Shared Responsibility Model

“…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”

“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Amazon Web Services: Overview of Security Processes

EC2 Shared Responsibility Model (figure):
Provider Responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Customer Responsibility: Virtual Machine (Operating System, App Framework, App Code, Data)

Page 24: BSides SF - Automating Security for the Cloud

Application of Security in IaaS (figure: a matrix of security controls placed against the IaaS stack, split into Customer and Provider responsibility)

Layers shown: Application Logic, App Framework / App stack, API GUI, Virtual Machine/OS, Hypervisor, Compute, Storage, Physical Network, Physical Facilities

Controls shown: Secure Development Lifecycle, File/Record Access Control, Auditing/Pen Testing, SIEM, Encryption, Architecture/Design, NIDS/NIPS, Packet Filtering, Proxy/Middleware, Configuration Lockdown, HIDS/HIPS, Authentication, Forensics, NAC, DLP, Application White Listing, Anti-Virus, Virtual Network, Patching, Physical (which control sits at which layer is not recoverable from the transcript)

Page 25: BSides SF - Automating Security for the Cloud

Survey: Cloud Security Practices

Question: How do you secure your cloud servers today?

• Open source or custom-developed tools
• Commercial Tool
• My provider does it for me
• Amazon Security Group
• We're not securing our cloud servers

Source: CloudPassage CloudSec Community Survey


Page 28: BSides SF - Automating Security for the Cloud


How I Learned to Stop Worrying and Get DevOps to Love Security

Page 29: BSides SF - Automating Security for the Cloud

What Is DevOps? (figure, built across pages 29-30: DevOps at the overlap of Software Engineering, QA & Site Reliability, and IT Operations; page 30 adds Security Operations alongside)

Page 31: BSides SF - Automating Security for the Cloud


Why Does DevOps Love Cloud?

Page 32: BSides SF - Automating Security for the Cloud

Different Job Goals (figure: DevOps vs SecOps)

Page 33: BSides SF - Automating Security for the Cloud

Traditional DC Protection (figure, built across pages 33-40: a DMZ and a core separated by firewalls, with load balancers, app servers, an auth server and databases behind them; successive builds are annotated “Server Provisioning”, “Firewall Updates” and “Site Debugging!!!”)

Page 41: BSides SF - Automating Security for the Cloud

Moving to the Cloud (figure, built across pages 41-43: the load balancers, app servers, auth server and databases move out of the firewalled DMZ/core into the public cloud)

Page 44: BSides SF - Automating Security for the Cloud

Protecting Cloud Servers (figure, built across pages 44-53: load balancers, app servers, a DB master and a DB slave in the public cloud, each gaining its own FW (host firewall); later builds add a further App Server with its own IP)

Page 54: BSides SF - Automating Security for the Cloud

Cloud Security Challenges

• Inconsistent Control (you don’t own everything)
  – The only thing you can count on is guest VM ownership
• Elasticity (not all servers are steady-state)
  – Cloud-bursting, stale servers, dynamic provisioning
• Scalability (handle variable workloads)
  – May have one dev server or 1,000 number-crunchers
• Portability (same controls must work anywhere)
  – Nobody wants multiple tools or IaaS provider lock-in

Page 55: BSides SF - Automating Security for the Cloud


So our tools are broken and everyone hates us, now what?

Page 56: BSides SF - Automating Security for the Cloud

With Gratitude: Hyperbole and a Half

Page 57: BSides SF - Automating Security for the Cloud

The VM is the Unit of Control (figure)

Controlled by Hosting-Provider: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Controlled by Hosting-User: Virtual Machine (Operating System, App Framework, App Code, Data)

Page 58: BSides SF - Automating Security for the Cloud

The VM is the Unit of Scale (figure: the provider stack of Physical Facilities, Hypervisor, Compute & Storage and Shared Network hosting multiple identical Virtual Machines, each with Operating System, App Framework, App Code and Data)

Page 59: BSides SF - Automating Security for the Cloud

The VM is the Unit of Portability (figure: the same Virtual Machine stack of Operating System, App Framework, App Code and Data shown on a Private Cloud and on an IaaS Provider, each over Physical Facilities, Hypervisor, Compute & Storage and Shared Network)

Page 60: BSides SF - Automating Security for the Cloud

Thesis

In cloud environments, the intersection of control, portability & scale is always the guest virtual-machine.

Page 61: BSides SF - Automating Security for the Cloud

Secure the VM (figure, built across pages 61-66: the Virtual Machine stack of OS, App Framework, App Code and Data, with host firewalls (FW) added either side of the OS)

• Secure the OS services and configurations
• Add host-based firewalls (inbound and outbound)
• Ensure application stacks are up-to-date and locked down
• Continuously verify application code is current and un-tampered
• Track sensitive data and prevent egress
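The "continuously verify application code is current and un-tampered" step above comes down to a baseline-and-compare check on the code tree. This is an added example, not CloudPassage's or the talk's code; the directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not from the talk): file-integrity check for an app code tree.
# The tree, file names and contents below are constructed sample data.


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large artifacts are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_trees(baseline: dict, current: dict) -> dict:
    """Report drift between a known-good baseline and the current tree."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a tiny app tree, baseline it, simulate drift, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "main.py").write_text("print('hello')\n")
        (root / "app" / "config.ini").write_text("[db]\nhost=db-master\n")
        baseline = build_baseline(root)
        # Simulated drift (constructed): one file edited, one removed, one appeared.
        (root / "app" / "main.py").write_text("print('hello world')\n")
        (root / "app" / "config.ini").unlink()
        (root / "app" / "helper.py").write_text("pass\n")
        return compare_trees(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

In practice the baseline is taken from the build artifact at deploy time and stored off-host, so a compromised server cannot rewrite its own reference hashes.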

Page 67: BSides SF - Automating Security for the Cloud

Automate Policy Application (figure, built across pages 67-68: the secured Virtual Machine stack with host firewalls, replicated across many VMs; caption: FULLY AUTOMATE)

Page 69: BSides SF - Automating Security for the Cloud

Separate Security Controls (figure: the secured Virtual Machine stack with host firewalls, labelled DevOps and SecOps)

Page 70: BSides SF - Automating Security for the Cloud


The Secure, Automated Cloud

Page 71: BSides SF - Automating Security for the Cloud


Wrapping Up

Page 72: BSides SF - Automating Security for the Cloud

How To Secure Cloud Servers

Servers in hybrid and public clouds must be self-defending with highly automated controls like…

• Dynamic network access control
• Configuration and package security
• Server account visibility & control
• Server compromise & intrusion alerting
• Server forensics and security analytics
• Integration & automation capabilities

Page 73: BSides SF - Automating Security for the Cloud

Summary

• There are people using cloud in your org…
• Cloud users often don’t understand security, and definitely don’t know their responsibility
• Cloud security is different, and hard
• The bad guys know this!
• Cloud has different points of control, leverage them!

Page 74: BSides SF - Automating Security for the Cloud

Best Practices

• Know who is running what, and where
• Read and understand what your provider does, and what you are responsible for
• Take extra precautions when moving servers outside your data center
• Start with public cloud, after that everything is easy!
• Focus on securing what you control

Page 75: BSides SF - Automating Security for the Cloud

Wrapping Up

• Continue the discussion
  – Slides available: community.cloudpassage.com
• Contact me
  – Email: [email protected]
  – Twitter: @randwacker
• We’re hiring! Expert in Security and/or Cloud?
  – Email: [email protected]

BTW, We’re Hiring!

Page 76: BSides SF - Automating Security for the Cloud


Thank You!

Page 77: BSides SF - Automating Security for the Cloud

What does CloudPassage do?

Security for virtual servers running in public and private clouds

• Firewall Management
• Server Configurations
• Server account Management
• Compromise & intrusion alerting
• Security & compliance auditing
• Vulnerability Management

Cloud adoption without fear. Faster and easier compliance. Repel attacks on your servers. Free Basic version, 5 minutes setup.