security for saas/cloud (and innerspace) roy ellis [email protected]

Security for Saas/Cloud(and InnerSpace)

Roy [email protected]

© 2012 Progress Software Corporation. All rights reserved.2

Insecurity in the Cloud

Fearing security deficiencies is one of the biggest reasons people aren’t moving to the Cloud

Is the Public Cloud more or less secure?

Who’s job is security in the Cloud?

How do I secure my Application in the Cloud?

• (or in my local environment?)


Is the Cloud more or less secure?

YES!

Of course, it all depends on you…


Security is never complete

Security is a process, but a solution • Requires a set of defined goals and

exclusions• Requires monitoring• Requires updating as technology and system

access evolve

Protecting vital data via security is a multiple step approach using:• Environment• Process

• Hardware• Software



Security of your application in the Cloud is a partnership between you and your Cloud provider

Think of it as a Marriage and get a prenup!

Both partners have specific jobs and responsibilities

Make sure you know what the Cloud provider does

And know what YOU must do



Security is your responsibility


Security in Amazon’s Cloud

Amazon clearly defines it’s responsibilities for security in the cloud

“Since AWS and its customers share control over the IT environment, both parties have responsibility for managing the IT environment.

AWS’ part in this shared responsibility includes providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use.

The customers’ responsibility includes configuring their IT environments in a secure and controlled manner for their purposes.

While customers don’t communicate their use and configurations to AWS, AWS does communicate its security and control environment relevant to customers.”

From “Amazon Web Services: Risk and Compliance May 2011”



Amazon White Papers for Security

Amazon Web Services Overview of Security Processes

Security Best Practices

Creating a HIPAA-Compliant Medical Data Applications with AWS

AWS Risk and Compliance

PCI DSS Level 1 Compliance

http://aws.amazon.com/security/






Amazon Certifications for Security

SAS70 Type II SOC 1/SSAE 16/ISAE 3402

• Statement of Auditing Standards (Auditing of AWS modifications)

• Service Organization Controls 1 (Auditing of AWS Controls)

PCI DSS Level 1

• Payment Card Industry Data Security Standard

ISO 27001

• Information Security Management Standard (ISMS)

FISMA – Moderate & Low Level

• Federal Information Security Management Act



Amazon Certifications for Security

ITAR

• International Traffic in Arms Compliance (for USGov)

FIPS 140-2

• Federal Information Processing Standard (for USGov)

HIPAA

Healthcare Information Privacy Accountability Act





Physical Security

Handled by Amazon

Access to the building/hardware limited

• Non-descript facilities

• Extensive setback w/military grade perimeter control

• Multi-level human and video surveillance, etc

Employee controls

• Account provisioning, no access until added

• Account review, every 90 days must re-approve

• Access removal, immediate

• Strict heavy weighted password policy

Environmental Safeguards

• Fire Detection and Suppression

• Power

• Climate and Temperature


Infrastructure Security

Handled by Amazon

Software cycle

• Peer reviews

• Testing

• Approval

Change Management

• Phased deployment to lowest impact or single system

• Scheduled – no downtime

• Self-audits

Infrastructure implementation

• Highly modified Xen hypervisor (VM server)

• Amazon has years of managing the infrastructure


Data Lifecycle Security(Confidentiality/Integrity/Availability- CIA)

EC2 SLA of 99.95% availability

Backups – optionally available from Amazon

• EBS – redundancy but no backups provided

• S3 (Simple Storage Service)

– 99.99999% integrity guarantee

– 99.99% availability guarantee

Storage Device Decommissioning

• Security accepted decommissioning methods or actual destruction

– DoD 5220.00-M “National Industrial Security Program Operating Manual”

– NIST 800-88 “Guidelines for Media Sanitization”

Fault Separation

• 3, 4, 5, 6, 7 separate Regions around the world

• At least 2 Availability Zones in each Region


Firewalls – Managing your machines

Firewalls – your responsibility w/help from Amazon

1st defense against intrusion and internet attacks

Amazon gives you firewall tools – Security Groups

• No ports open by default

• Ports you open can be IP address limited

Security Groups can be set up to create a DMZ

• Open the ports 80 (web) and 443 (https) to the world in 1 Security Group

– Port 443 & IP address access 0.0.0.0/0 (anyone can access)

• Open ports from web server to Application server with IP address limited to only the web server machine

– Port 5162:UDP & IP address access <web.server.ip.address>/32

– Port 3055:TCP & IP address access <web.server.ip.address>/32


Inner Security Zone

Firewalls – Managing your machines

Client

Amazon Firewall

Security GroupPort 80/443IP Address0.0.0.0/0

Security Group Firewall

Web Server 168.2.10.3Internal IP 10.24.3.5

Security GroupPort 5162 Port 3055IP Address 10.24.3.5/32

DMZWebSpeed & DB

Terminal Server 168.2.10.3Internal IP 10.24.3.5

AppServer & DB


Controlling access for management

Maintenance access – your responsibility w/help from Amazon

SSH (port 22)

• Need your x.509 certificate for validation

• Password connection disallowed by default

• SSH has encrypted communication

Remote Desktop on Windows (port 3389)

• Need to decrypt your personal certificate for password

• Remote Desktop uses encrypted communication

Best Practices

• Only allow access to 1 machine of your deployment

• Limit access to your IP address only

• Keep port closed unless managing the machine

• Connect to all other machines from behind the firewall


Controlling access for management

From “Amazon Web Services Overview for Security Processes”


Network Security – your responsibility

HTTPS

• For web communication

SSL

• For web communication from client to AppServer

• Needed elsewhere?

– It’s your setup

– It’s your call

Performance latency?

• Using HTTPS/SSL will cause performance degradation

• Only encrypt information that is sensitive

– Use different AppServers w/SSL for sensitive data


Application Authentication – your responsibility

Some 3rd party authentication recommendations

• LDAP

• Active Directories

• Kerberos

• Multi-Factor Authentication

• Require complex passwords!

ABL Client-Principal

• Current and future OpenEdge products rely on Client-Principal (multi-tenancy, auditing)

• A cryptographically “sealed” security token

• Container for authenticated credentials

– user, password, domain info, etc.

• Once sealed the client-principal is read-only

• Can be used by all ABL application components

– ABL Session, DB connection


Securely managing your application – your responsibility

OpenEdge Explorer and OpenEdge Management

• Has its own user authentication

The AdminServer has security settings

• “Require Username” and “Admin Groups”

Separation of Development and Production

• The internal developer threat to your production system

• Different machines, networks, ports, everything

Keep your operating system up-to-date

• Download and install critical system updates

• Install and configure system firewall


Securing your application – your responsibility

Protect your intellectual property (application code)

• Employ encryption (file or file system level)

• Utilize O/S and user access limitation

The basics of runtime

• DBAuthkey (RCODEKEY)- ensure code running against the DB was compiled to use that DB

• Runtime table and column access controls

• Operating system file security settings, etc.


Securing your data – your responsibility

Protect your data

• Employ encryption

• Utilize O/S and user access limitation

OpenEdge Auditing - since OpenEdge 10.1A

• Satisfies most government and regulatory requirements- like a camera in a retail store (won’t stop theft but can ID the thief)

• Audit database events

– Create

– Update

– Delete

– Schema changes

– User authentication

– Utilities (dump, load, etc.)

– Application-defined events


Securing your data

Data Encryption – your responsibility

OpenEdge 10.2B Transparent Data Encryption

• Option for Enterprise Database: At-Rest Encryption

– Storage area and individual object level

– Data secure on-disk, backup, and binary dump

– Data is unencrypted In-Memory = (up to) normal speed

• Secure Key Store and Key Management

– Change keys on-line

• Industry standard encryptions

– AES, DES, triple DES, etc.

No application changes for TDE!


Securing your data

<SSL>

Database on Disk

Encrypted Messages

Backups Dump/Load

Encrypted Data

Encrypted Data

Encrypted Data

Shared Memory

ServerClient

A High-Level View of Encryption


OpenEdge Database Encryptable Objects

Type IDatabase Storage Area

Tables

LOBs

Indexes

Entire area encrypted

Securing your data

Type IIDatabase Storage Area

Object-level encryption

Table

Index

LOB

LOBIndex

LOB Table

LOB Table

Index Table

IndexLOB

Index

Table


Securing your data

Key Store• Database Master Key (DMK)• DMK Admin/User Passphrase• Manual/Automatic Authentication on DB start

Encryption Policy Area• Encryption Policies - What (object) & how (cipher)

DatabaseFiles

Encrypted Data

Shared MemoryBuffer Pool(plain text block)

Read I/O

Decrypt

Key Store

Policy Area

Write I/O

Encrypt

&

Database Storage Engine


Securing your OpenEdge Application

Other considerations…

Disaster Recovery

• Securing your data from catastrophic loss (soft and hard failures)

Database Replication & Replication Plus

• Replicate to up to 2 databases at the same time

• Quick failover to backup databases

Exit Strategy

• How do you get your data back if you want to end your partnership?

– Have a plan

– Get agreement in writing from provider


Isolating Sharing

Better economy of scaleSimpler managementTarget like-customersLeast cost to serve

Easier customization, securitySimpler throttling controlTarget dissimilar customersNo transformation

Tenant2 Tenant3

App App App

DB DB DB

Infra. Infra. Infra.

Tenant1

Isolated Tenancy

Tenant1 Tenant2 Tenant3

App

DB

Infrastructure

Shared Tenancy


App App App

DB DB DB

Infrastructure

Infrastructure Tenancy


DB DB DB

Infrastructure

App

ApplicationTenancy

Multi-Tenancy


Progress Arcade and the “Road to the Cloud”

PublicClouds

PrivateClouds

“Back roads” “Expressway”

How much Time, Money, Resources? 12 Clicks

• Wizard-like process• Single-source billing

• Cloud agnostic• Common user experience

• No vendor lock-in


Progress Arcade

Cloud Deployment Flexibility


Progress Arcade


Progress Arcade - Free Community Resources

Network and discuss all things SaaS and cloud with others just

like you

With just a few clicks take a test-drive of applications and

solutions provided by Progress

TRYSHARE BROWSE

Visit our virtual marketplace of complementary

products & services


Progress Arcade - Premium Resources

Configure and prepare your

application for the cloud quickly

and easily

Offer prospects the ability to demonstrate

your products in the cloud

DEMOSTAGE DEPLOY

Deploy your production

application in the cloud with just a few simple clicks


Links, documents, other stuff you might want to know…

Amazon’s Web Security information

• http://aws.amazon.com/security/

2011 Security Webinar “Briefcase”

• Including streaming playback of the webinar

• Many security white papers

• http://communities.progress.com/pcom/docs/DOC-106849

Introduction to Arcade

• Tomorrow at 8:30 AM, Concord Room

• http://arcade.progress.com/



http://communities.progress.com/pcom/docs/DOC-106849

http://communities.progress.com/pcom/docs/DOC-106849

http://arcade.progress.com/

security for saas/cloud (and innerspace) roy ellis [email protected]

Documents

complete security

progress software corporation

security sas70 type

cloud provider

public cloud

responsibility slide

aws aws risk

comsecurity slide