Cloud Security Practices and Principles, Joan Pepin, Director of Security, Sumo Logic
Page 1: Cloud Security Practices and Principles
- Joan Pepin, Director of Security, Sumo Logic
Page 2: Who are you?
- Director of Security, Sumo Logic
- Director of Research, Dell/SecureWorks (9 years MSSP)
- Technical Staff, MIT LL
Sumo Logic 2
Page 3: The Public Cloud is
- An opportunity to simplify and increase security
  - Through automation
  - And solid design principles
- Misunderstood
  - Risk model vs. hosting
  - Risk model vs. other public utility models
- A victim of FUD
  - Take time to examine it?
  - Or DOOM?
Page 4: Why the Bad Rap?
- Fearing what you do not understand is reasonable from an IT perspective, but this is worth the time to understand
  - I see anti-cloud policies
  - With no solid risk assessment
- Is this technological conservatism?
  - Which is common and natural in security
  - But can lead to out-of-sync security postures
- Or an emotional reaction?
  - Don't move my cheese
  - Get off of my cloud!
Page 5: Old World / New World
- You have people on your staff who know way too much about wattage, BTUs, rack density and exactly how raised the floor needs to be
  - Limits your thinking
  - Causes gaps
- The new world is very different
  - Scripts and capacity-planning spreadsheets -> feedback loops / auto-scaling
  - 36-month refresh cycles -> bids for spot instances
  - Physical control -> process, automation, and design
Page 6: Design Design Design
- In the cloud you have the tools to design, implement and refine your policies, controls and enforcement in a centralized fashion
  - Your code is your infrastructure
  - Your SDLC can now be brought to bear on areas traditionally out of sync with your security posture
- Scale to massive sizes without having to worry about things like firewall rule ordering, optimization or audit as part of your operational cycle
  - Your security will become fractal, and embedded in every layer of your system
Page 7: Fundamentals
- You are operating in a complete information environment
  - Like the internet
  - Or the PSTN
- It's all about the fundamentals of system thinking and design
  - I/O
  - Storage
  - RAM
  - Compute
  - Code
Page 8: Minimalism
- Each of those must be thought of on its own and in combination with the other components it interacts with
  - And you have the tools to do that
  - With infrastructure as code
- It is both that simple and that complicated
  - So design your security in at every layer
  - Test it, instrument it, and iterate it
Page 9: The Primitives
- Data: encrypted at rest, in motion, and in use
- Access control: monitoring tools, third-party apps, troubleshooting tools
- Interfaces/APIs: clean, minimal, authenticated, validated
- I/O, memory, storage, and compute: encrypted, limited, controlled
Page 10: With Automation, All Things are Possible
- Thinking of your entire infrastructure as part of your code base changes the game completely
  - Always keeping pace
  - Always relevant
- There is no longer a gap or disconnect between the operational physical layer and the software that runs on top of it
  - Firewalls everywhere?
  - HIPS everywhere?
- Adaptive security infrastructure
Page 11: Like What?
- Register all of your VMs, services, IPs, and ports
  - Automatically build firewall policies based on that
- Re-build and distribute SSL/TLS keys
  - Whenever you want
- HIDS, HFW and file integrity checkers configured with instance tags
  - Tags for lots of things
- Everything unit tested
  - Allowing security to keep up with your product
Page 12: DTRT (Do The Right Thing)
- Your system has I/O, storage, memory and network underneath it, as well as your software components
  - And you can control and iterate that continuously
  - Leveraging IaaS providers' APIs
- Think about every place that information is exchanged, transferred or transformed and do the right thing there
  - Engage the developers
  - Check in code
Page 13: Understand Everything
- Simplicity gives you the power to understand everything
  - Every protocol
  - Every interface
- If you want to achieve true and full default deny on everything, everywhere, this is where it starts
  - Understand your protocols
  - Understand your stack
- And you can attain emergent security
  - Develop and follow standards
Page 14: How?
- If this is input, sanitize it. If it is storage, network or memory, encrypt it. If it is output you are feeding back to your customer or another component, sanitize that too.
- Don't trust client-side verification; enforce everything at every layer.
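One way to apply the two rules on this slide at the server layer, as an added Go example (it is not code from the talk or from Sumo Logic): input is checked against an allowlist on the server regardless of what the client did, and the same value is HTML-escaped again on the way back out. The username pattern, the greeting markup and the `/greet` route are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"log"
	"net/http"
	"regexp"
	"unicode/utf8"
)

// usernamePattern is the server-side allowlist, constructed for this example:
// 3-32 characters, starting with a lowercase letter. The browser form may
// enforce the same rule, but the server never relies on that.
var usernamePattern = regexp.MustCompile(`^[a-z][a-z0-9_]{2,31}$`)

// ValidateUsername re-checks the input on the server, whatever the client claims.
func ValidateUsername(s string) error {
	if !utf8.ValidString(s) {
		return errors.New("username is not valid UTF-8")
	}
	if !usernamePattern.MatchString(s) {
		return errors.New("username must be 3-32 chars: a lowercase letter, then letters, digits or _")
	}
	return nil
}

// RenderGreeting sanitizes on the way out as well: the value is HTML-escaped
// before it is fed back to the customer, even though it already passed validation.
func RenderGreeting(name string) string {
	return "<p>Welcome, " + html.EscapeString(name) + "</p>"
}

// greetHandler enforces both checks at the server layer; any "validated=1" hint
// the client might send along is simply never consulted.
func greetHandler(w http.ResponseWriter, r *http.Request) {
	name := r.FormValue("username")
	if err := ValidateUsername(name); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, RenderGreeting(name))
}

func main() {
	http.HandleFunc("/greet", greetHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Validation and output encoding are kept as separate functions on purpose: passing the allowlist does not make a value safe to emit into a different context, so the escaping step is not skipped for "known good" input.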
Page 15: Default Deny Nirvana
- Allow only expected connections
  - Front-end web applications need to accept connections from anyone in the world (but it's more likely only your load balancer does)
- As part of your infrastructure-as-software design
  - Know what needs to talk to what, on what port and under what circumstances
  - And only allow that; everything else is bit-bucketed and alerted on
- In software-driven cloud-based deployments, there is no longer any excuse for any other way of doing it
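The two ideas from the "Like What?" and "Default Deny Nirvana" slides, registering every VM, service, IP and port and then generating the firewall policy from that registry, as an added Go example (not code from the talk or from Sumo Logic). The registry contents, the IP addresses and the iptables-like output format are constructed for the example; a real deployment would pull the registry from the IaaS provider's API and push the resulting rules into security groups or host firewalls. Only the load balancer is reachable from the internet, the web tier accepts only the load balancer, the database accepts only the web tier, and everything else is logged (the alert) and dropped (the bit bucket).

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Service is one registered component: its name, the instance IPs it runs on,
// the port it listens on, and the services allowed to connect to it.
// "internet" is a reserved caller name meaning anyone (0.0.0.0/0).
type Service struct {
	Name      string
	Hosts     []string
	Port      int
	AllowFrom []string
}

// Rule is one explicit allow entry; a flow matched by no Rule is denied.
type Rule struct {
	Src  string // instance IP or CIDR
	Dst  string // instance IP
	Port int
}

// Registry is a constructed stand-in for the "register all VMs, services,
// IPs and ports" source of truth.
var Registry = []Service{
	{Name: "lb", Hosts: []string{"10.0.0.10"}, Port: 443, AllowFrom: []string{"internet"}},
	{Name: "web", Hosts: []string{"10.0.1.10", "10.0.1.11"}, Port: 8080, AllowFrom: []string{"lb"}},
	{Name: "db", Hosts: []string{"10.0.2.10"}, Port: 5432, AllowFrom: []string{"web"}},
}

// BuildPolicy expands the registry into explicit allow rules. A reference to
// a service that is not registered is an error rather than a silent gap.
func BuildPolicy(reg []Service) ([]Rule, error) {
	byName := make(map[string]Service, len(reg))
	for _, s := range reg {
		byName[s.Name] = s
	}
	var rules []Rule
	for _, dst := range reg {
		for _, caller := range dst.AllowFrom {
			srcs := []string{"0.0.0.0/0"}
			if caller != "internet" {
				src, ok := byName[caller]
				if !ok {
					return nil, fmt.Errorf("%s allows unknown service %q", dst.Name, caller)
				}
				srcs = src.Hosts
			}
			for _, s := range srcs {
				for _, d := range dst.Hosts {
					rules = append(rules, Rule{Src: s, Dst: d, Port: dst.Port})
				}
			}
		}
	}
	return rules, nil
}

// srcMatches treats a rule source containing "/" as a CIDR, anything else as an exact IP.
func srcMatches(ruleSrc, src string) bool {
	if strings.Contains(ruleSrc, "/") {
		_, n, err := net.ParseCIDR(ruleSrc)
		ip := net.ParseIP(src)
		return err == nil && ip != nil && n.Contains(ip)
	}
	return ruleSrc == src
}

// Allowed evaluates a TCP flow the way the generated firewall would:
// the first matching allow rule wins, and there is no match for anything else.
func Allowed(rules []Rule, src, dst string, port int) bool {
	for _, r := range rules {
		if r.Port == port && r.Dst == dst && srcMatches(r.Src, src) {
			return true
		}
	}
	return false
}

// Render writes the policy in an iptables-like form. The last two lines are
// the "bit-bucket and alert" default: log, then drop, everything unlisted.
func Render(rules []Rule) string {
	var b strings.Builder
	for _, r := range rules {
		fmt.Fprintf(&b, "ACCEPT tcp %-12s -> %s:%d\n", r.Src, r.Dst, r.Port)
	}
	b.WriteString("LOG    any          -> any   # alert on unexpected traffic\n")
	b.WriteString("DROP   any          -> any   # default deny\n")
	return b.String()
}

func main() {
	rules, err := BuildPolicy(Registry)
	if err != nil {
		panic(err)
	}
	fmt.Print(Render(rules))
}
```

Because the policy is derived from the registry, the registry is the thing to review and unit test: the `Allowed` function is what such a test calls, asserting that the load balancer can reach the web tier, that the internet cannot reach it directly, and that an unknown caller name fails the build instead of producing an empty rule.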
Page 16: Encrypt it all…
- You know… like we do… on the Internet ;)
- At rest, in motion, and in use
  - Any data that is ephemeral can be kept on encrypted ephemeral storage, with keys that can simply be kept in memory
  - When the instance dies, the key dies with it
- Longer-lived data should be stored away from the keys that secure it
  - If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool
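The two storage cases on this slide as an added Go example (not code from the talk or from Sumo Logic): ephemeral data is encrypted under a key that exists only in the instance's memory and becomes unreadable when that key is dropped, while long-lived data is encrypted under a per-record data key that is itself wrapped by a separate key service, so the stored record is opaque without it. The `KeyService` type is an assumed stand-in for a KMS or HSM, and the AES-256-GCM choice and the `Record` layout are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// newRandomAEAD draws a fresh 256-bit key and returns the raw bytes (so a data key can be wrapped) plus the cipher.
func newRandomAEAD() ([]byte, cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, nil, err
	}
	aead, err := newAEAD(key)
	return key, aead, err
}

// seal prefixes a random nonce to the ciphertext; open verifies the tag and strips the nonce. Both refuse to work once the key is gone (aead == nil).
func seal(aead cipher.AEAD, pt []byte) ([]byte, error) {
	if aead == nil {
		return nil, errors.New("key has been destroyed")
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

func open(aead cipher.AEAD, ct []byte) ([]byte, error) {
	if aead == nil || len(ct) < aead.NonceSize() {
		return nil, errors.New("key destroyed or ciphertext too short")
	}
	ns := aead.NonceSize()
	return aead.Open(nil, ct[:ns], ct[ns:], nil)
}

// EphemeralVault models an instance's scratch disk: the key exists only inside this process, so when the instance dies, the key dies with it.
type EphemeralVault struct{ aead cipher.AEAD }

func NewEphemeralVault() (*EphemeralVault, error) {
	_, aead, err := newRandomAEAD()
	return &EphemeralVault{aead: aead}, err
}

func (v *EphemeralVault) Write(pt []byte) ([]byte, error) { return seal(v.aead, pt) }
func (v *EphemeralVault) Read(ct []byte) ([]byte, error)  { return open(v.aead, ct) }

// Shutdown is the instance dying: drop the only reference to the key.
func (v *EphemeralVault) Shutdown() { v.aead = nil }

// KeyService is a constructed stand-in for a KMS/HSM: it holds the key-encryption key and only wraps and unwraps data keys. The storage tier never sees the KEK.
type KeyService struct{ kek cipher.AEAD }

func NewKeyService() (*KeyService, error) {
	_, kek, err := newRandomAEAD()
	return &KeyService{kek: kek}, err
}

func (k *KeyService) Wrap(dek []byte) ([]byte, error)  { return seal(k.kek, dek) }
func (k *KeyService) Unwrap(w []byte) ([]byte, error) { return open(k.kek, w) }

// Record is what sits on long-lived storage: ciphertext plus the wrapped data key. Kept away from the KeyService, it is opaque on its own.
type Record struct{ WrappedDEK, Ciphertext []byte }

// StoreLongLived encrypts under a fresh per-record data key and wraps that key with the KeyService; the plaintext data key is never persisted.
func StoreLongLived(ks *KeyService, pt []byte) (Record, error) {
	dek, aead, err := newRandomAEAD()
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(aead, pt)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.Wrap(dek)
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// LoadLongLived needs both the record and the KeyService; either alone is useless.
func LoadLongLived(ks *KeyService, r Record) ([]byte, error) {
	dek, err := ks.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	return open(aead, r.Ciphertext)
}
```

The split between `Record` and `KeyService` is the point of the slide's "stored away from the keys that secure it": a copy of the storage tier yields wrapped keys and ciphertext only, and the key service can be audited, rotated and access-controlled independently of the bulk data. Note that dropping a key in a garbage-collected runtime is best effort; a real instance-death scenario relies on the memory itself going away with the VM.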