Automating Security for the Cloud - Make it Easy, Make it Safe
Uploaded by cloudpassage (category: Technology)
Transcript of Automating Security for the Cloud - Make it Easy, Make it Safe
© 2012 CloudPassage Inc.
Automating Security for the
Cloud
Make it easy, make it safe.
Rand Wacker, [email protected], @randwacker
We’re Hiring!
whoami
Security Cloud
UC Berkeley ✘ ✘
Oracle ✘
Amazon ✘
IronPort/ScanSafe ✘ ✘
Cisco ✘
CloudPassage ✘ ✘
Rand Wacker
@randwacker
Slides available soon on community.cloudpassage.com
Shared Responsibility Model
“…the customer should assume
responsibility and management of, but not
limited to, the guest operating system.. and
associated application software...”
“…it is possible for customers to enhance
security and/or meet more stringent
compliance requirements with the addition of
host based firewalls, host based
intrusion detection/prevention,
encryption and key management.”
Source: Amazon Web Services: Overview of Security Processes
EC2 Shared Responsibility Model (diagram)
Provider responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Customer responsibility: Virtual Machine, Operating System, App Framework, App Code, Data
Survey: Cloud Security Practices
Question: How do you secure your cloud servers today?
Answer options (chart): Open source or custom-developed tools; Commercial tool; My provider does it for me; Amazon Security Group; We're not securing our cloud servers
Source: CloudPassage CloudSec Community Survey
Cloud Security Challenges (diagram)
Servers spread across a Private Datacenter (www-1, www-2, www-3), Cloud Provider A (www-4, www-5, www-6) and Cloud Provider B (www-7, www-8, www-9, www-10)
Temporary & Dynamic Deployments
Multiple Cloud Environments
Metered Usage
Traditional DC Protection (diagram)
Perimeter firewalls partition the datacenter into dmz and core zones containing load balancers, app servers, an auth server and databases.
Moving to the Cloud (diagram sequence)
The same load balancers, app servers, auth server and databases move into the public cloud; the datacenter firewalls and the dmz/core zoning they enforced stay behind.
Cloud Servers at Risk (diagram)
Load Balancer, App Server, App Server and DB Master running in the public cloud with no firewall in front of them.
Firewalling in the Cloud (diagram sequence)
Each server in the public cloud (Load Balancer, App Servers, DB Master) runs its own Halo FW host firewall.
As the deployment grows (a second Load Balancer, another App Server, a DB Slave), every new server gets its own Halo FW.
A newly launched App Server, with its own IP, is shown joining the group: the rules on the servers it talks to must be updated to include the new address.
Multi-Cloud Firewalling (diagram)
App Servers and DBs spread across a US West Cloud, a US East Cloud and a Private Datacenter, each server protected by its own Halo firewall.
Lessons to Learn
Whatever firewall options you have, use them
Make sure your firewall rules are updated quickly
Plan for the future, because you will be multi-cloud
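The "updated quickly" and "you will be multi-cloud" lessons are easiest to meet when host firewall rules are derived from roles in an inventory rather than hand-edited per server. The following is an added example, not CloudPassage's Halo code or material from the deck: the inventory, the roles, the three-line policy and the assumption that the listed addresses are reachable between the clouds (public IPs or a VPN) are all constructed for illustration, and the block only produces the iptables command lists each host would apply.

```python
"""Role-based host firewall rules regenerated from a server inventory.

Added example, not CloudPassage/Halo code. The inventory, roles and
policy below are constructed for illustration, and it is assumed that
the listed addresses are reachable between the clouds (for example via
public IPs or a VPN). Output is the iptables command list each host
would apply; nothing here executes commands.
"""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Server:
    name: str
    role: str   # "lb", "app" or "db"
    cloud: str  # "us-west", "us-east" or "private-dc"
    ip: str


# (destination role, TCP port, source role allowed to reach it); "any" = the Internet
POLICY = [
    ("lb", 443, "any"),
    ("app", 8080, "lb"),
    ("db", 3306, "app"),
]

# Constructed inventory spanning three environments
INVENTORY = [
    Server("lb-1", "lb", "us-west", "203.0.113.10"),
    Server("app-1", "app", "us-west", "203.0.113.11"),
    Server("app-2", "app", "us-east", "198.51.100.11"),
    Server("db-1", "db", "private-dc", "192.0.2.20"),
]


def rules_for(host: Server, inventory: list[Server]) -> list[str]:
    """INPUT chain for one host: default drop, then only what POLICY allows.

    Rules are keyed on role, not on cloud, so a host gets the same policy
    whether it lives in US West, US East or the private datacenter.
    """
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for dst_role, port, src_role in POLICY:
        if dst_role != host.role:
            continue
        if src_role == "any":
            rules.append(f"iptables -A INPUT -p tcp --dport {port} -j ACCEPT")
            continue
        sources = sorted(
            (s for s in inventory if s.role == src_role and s.name != host.name),
            key=lambda s: s.name,
        )
        for src in sources:
            # Reject anything that is not a literal address before it could reach a shell
            ip = ipaddress.ip_address(src.ip)
            rules.append(f"iptables -A INPUT -p tcp -s {ip}/32 --dport {port} -j ACCEPT")
    return rules


def regenerate(inventory: list[Server]) -> dict[str, list[str]]:
    """Rule set for every host; run again whenever the inventory changes."""
    return {h.name: rules_for(h, inventory) for h in inventory}


def diff_rules(old: list[str], new: list[str]) -> tuple[list[str], list[str]]:
    """(rules to add, rules to delete) to move a host from old to new."""
    return ([r for r in new if r not in old], [r for r in old if r not in new])


if __name__ == "__main__":
    before = regenerate(INVENTORY)
    # A new app server appears in US East: only the db tier's rules change
    grown = INVENTORY + [Server("app-3", "app", "us-east", "198.51.100.12")]
    after = regenerate(grown)
    for name in after:
        add, drop = diff_rules(before.get(name, []), after[name])
        if add or drop:
            print(name, "add:", add, "drop:", drop)
```

Regeneration is meant to be triggered by the inventory change itself (a new-server event from the cloud API), not by a person; that is what keeps the rule update fast. Because the policy names roles rather than addresses, the same generator serves the private datacenter and both cloud regions.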
Meet Jed the Web Designer
Jed is highly mobile
Jed still uses FTP
You hired Jed for design skills, not technical acumen
How do you avoid Jed’s FTP access becoming a gaping hole in your server?
Manual Options - PITA
MANUALLY turn FTP server on and off when Jed needs access?
MANUALLY activate and deactivate account for Jed when he needs access?
MANUALLY change firewall rules when Jed needs access?
MANUALLY make Jed’s transfer for him?
Halo Multi-Factor Cloud Auth
Prevent brute force attacks on SSH and web applications
YubiKey-generated one-time password
No batteries or moving parts
Using Multi-Factor Auth (diagram)
The user authenticates to the CloudPassage Halo Grid over https; the Halo FW on the DB Server is then updated over https with the resulting access change.
REMEMBER: Delete Jed!!!
De-provision Jed through the User Portal or the RESTful API Gateway (both https) to the Halo Grid: this removes his GhostPorts access and local server accounts, and the DB Server's Halo FW is updated accordingly.
Lessons to Learn
You may behave securely, but does everyone who works for you?
Security that complicates daily tasks will be circumvented
Make sure to clean up after others
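The Jed scenario and the "clean up after others" lesson, as an added example that is not CloudPassage's GhostPorts or any code from the deck: a broker that opens FTP from Jed's current address and unlocks his account only after a second factor has succeeded, for a fixed window, and revokes both when the window expires, so cleanup never depends on someone remembering to delete Jed. The user name, address, port and times are constructed, and the system commands are recorded rather than executed.

```python
"""Time-boxed access grants that revoke themselves.

Added example, not CloudPassage's GhostPorts. After a successful second
factor it opens one TCP port from the requester's current address and
unlocks the local account for a fixed window, then revokes both when the
window closes. The user name, address, port and times are constructed;
the usermod/iptables commands are collected for audit, not executed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Only plain POSIX user names may be interpolated into a command line
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed clock for the scenario: Jed asks for access at 09:00 UTC
T0 = datetime(2012, 3, 1, 9, 0, tzinfo=timezone.utc)


@dataclass
class Grant:
    user: str
    source_ip: str
    port: int
    expires_at: datetime


class AccessBroker:
    """Issues short-lived grants and reaps them once they expire."""

    def __init__(self, ttl: timedelta = timedelta(hours=2)) -> None:
        self.ttl = ttl
        self.active: dict[str, Grant] = {}
        self.commands: list[str] = []  # audit trail of what would be applied

    def grant(self, user: str, source_ip: str, port: int, now: datetime, mfa_ok: bool) -> Grant:
        if not mfa_ok:
            raise PermissionError(f"second factor failed for {user}")
        if not USERNAME_RE.match(user):
            raise ValueError(f"refusing unsafe user name {user!r}")
        ip = ipaddress.ip_address(source_ip)  # raises on anything that is not an address
        if user in self.active:
            self.revoke(user)  # one grant per user: a new location replaces the old one
        g = Grant(user, str(ip), port, now + self.ttl)
        self.active[user] = g
        self.commands += [
            f"usermod -U {user}",  # the local account is unlocked only while a grant is live
            f"iptables -I INPUT -p tcp -s {ip}/32 --dport {port} -j ACCEPT",
        ]
        return g

    def revoke(self, user: str) -> None:
        g = self.active.pop(user)
        self.commands += [
            f"iptables -D INPUT -p tcp -s {g.source_ip}/32 --dport {g.port} -j ACCEPT",
            f"usermod -L {user}",
        ]

    def reap(self, now: datetime) -> list[str]:
        """Revoke every expired grant; run this from a timer, never by hand."""
        expired = sorted(u for u, g in self.active.items() if g.expires_at <= now)
        for user in expired:
            self.revoke(user)
        return expired


def jed_scenario() -> tuple[list[str], list[str], list[str]]:
    """Grant Jed FTP at 09:00, reap at 10:00 (nothing expires) and at 12:00 (Jed does)."""
    broker = AccessBroker()
    broker.grant("jed", "203.0.113.77", 21, now=T0, mfa_ok=True)
    first = broker.reap(T0 + timedelta(hours=1))
    second = broker.reap(T0 + timedelta(hours=3))
    return first, second, broker.commands


if __name__ == "__main__":
    first, second, commands = jed_scenario()
    print("reaped at 10:00:", first)   # []
    print("reaped at 12:00:", second)  # ['jed']
    print("\n".join(commands))
```

The revocation path is the same code whether Jed's window simply runs out or an administrator calls `revoke` early, so the "delete Jed" step cannot be forgotten: it is the default outcome, and the audit list shows exactly which firewall rule and account state were touched.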
Automatable Security Tasks
• Scan for recent vulnerabilities of installed software packages.
• Verify firewall rules match policy.
• Alert administrators of missing server.
• Get a report of every server that a user *does not* have an account on.
• Get a report of every server that a user has an account on.
• Get alerted if a new cloud server gets created.
• Monitor for unauthorized/unexpected changes to application code files.
• Make sure that init.d startup scripts can't be tampered with by non-root users.
• Find server accounts that don’t have passwords (it happens).
Many, many more at community.cloudpassage.com
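Three of the tasks in the list above (accounts without passwords, init.d scripts a non-root user could tamper with, and the per-user account reports), as an added example that is not CloudPassage's code or part of the deck. The shadow file excerpt, the startup-script metadata and the server-to-accounts map are constructed inline so the checks run offline; on a real host they would come from /etc/shadow, os.stat() over /etc/init.d and whatever inventory the agent reports.

```python
"""Automatable server checks run over constructed data.

Added example, not CloudPassage/Halo code. SHADOW, INIT_SCRIPTS and
ACCOUNTS are constructed stand-ins for /etc/shadow, os.stat() results
over /etc/init.d/* and an agent's account inventory.
"""
from __future__ import annotations
from dataclasses import dataclass
import stat

# Constructed /etc/shadow excerpt. Field 2 is the password hash:
# empty = no password at all, "*" or "!" = locked, "$6$..." = a real hash
# (the root hash here is a placeholder, not a real digest).
SHADOW = """\
root:$6$examplesalt$examplehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
deploy:!:19000:0:99999:7:::
jed::19000:0:99999:7:::
oldadmin::18000:0:99999:7:::
"""


def passwordless_accounts(shadow_text: str) -> list[str]:
    """Accounts whose shadow entry has an empty password field."""
    found = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line: skip rather than misreport
        if fields[1] == "":
            found.append(fields[0])
    return found


@dataclass(frozen=True)
class FileMeta:
    path: str
    owner: str
    mode: int  # permission bits, as os.stat().st_mode & 0o7777 would give


# Constructed metadata for a few startup scripts
INIT_SCRIPTS = [
    FileMeta("/etc/init.d/ssh", "root", 0o755),
    FileMeta("/etc/init.d/nginx", "root", 0o775),    # group-writable
    FileMeta("/etc/init.d/myapp", "deploy", 0o755),  # owned by a non-root user
    FileMeta("/etc/init.d/legacy", "root", 0o777),   # world-writable
]


def tamperable_init_scripts(files: list[FileMeta]) -> list[str]:
    """Startup scripts a non-root user could modify: non-root owner or g/o write bit."""
    return [
        f.path for f in files
        if f.owner != "root" or f.mode & (stat.S_IWGRP | stat.S_IWOTH)
    ]


# Constructed map: server name -> local accounts present on it
ACCOUNTS = {
    "www-1": {"root", "deploy", "jed"},
    "www-2": {"root", "deploy"},
    "db-1": {"root", "deploy", "jed"},
}


def account_report(accounts: dict[str, set[str]], user: str) -> tuple[list[str], list[str]]:
    """(servers where `user` has an account, servers where it does not)."""
    has = sorted(s for s, users in accounts.items() if user in users)
    lacks = sorted(s for s, users in accounts.items() if user not in users)
    return has, lacks


if __name__ == "__main__":
    print("no password:", passwordless_accounts(SHADOW))
    print("tamperable init scripts:", tamperable_init_scripts(INIT_SCRIPTS))
    print("jed has / lacks:", account_report(ACCOUNTS, "jed"))
```

Each check returns a plain list so it can be wired to an alert or a scheduled report rather than read by eye; the "does not have an account" report is what tells you where a de-provisioning run was incomplete.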
Moral of the Story
• Security of your cloud servers is your responsibility
• Security risks in the cloud are real (just check your logs)
• Security automation isn’t just a best practice, it makes your life easier
How To Secure Cloud Servers
Servers in hybrid and public clouds must be self-defending with highly automated controls like…
Dynamic firewall & access control
Configuration and package security
Server account visibility & control
Server compromise & intrusion alerting
Server forensics and security analytics
Integration & automation capabilities
Try Halo FREE - 5 Minute Setup
Register for Halo at cloudpassage.com/register
Configure security policies in Halo web portal
Install Halo daemons on cloud servers
In Closing
• CloudPassage Installfest March 28th!
– Helpful cloud security advice! Pizza! Beer!
– Free tickets: cloudpassage.eventbrite.com
• Ask Questions!
– Lots More Info: community.cloudpassage.com
– Small Bits of Info: @cloudpassage
• We’re hiring!
– Expert in Security and/or Cloud? DevOps, Rails, UX, Freemium Marketing
– Email: [email protected]
What does CloudPassage do?
Security for virtual servers running in public and private clouds
Cloud adoption without fear
Faster and easier compliance
Repel attacks on your servers
Free Basic version, 5 minutes setup
Dynamic firewall management
Configuration and vulnerability scanning
Server access and privilege management
Server & cloud event alerting
Security & compliance auditing
Server integrity & intrusion alerting
How It Works (diagram: Halo Daemons on servers such as www-1 talking to the Halo Grid)
• Halo Daemon
– Ultra light-weight software
– Installed on server image
– Automatically provisioned
• Halo Grid
– Elastic compute grid
– Hosted by CloudPassage
– Does the heavy lifting for the Halo Daemons