Cloud Security Practices and Principles
Uploaded by sumo-logic (category: Technology)
Transcript of Cloud Security Practices and Principles
The Public Cloud Is:
- An opportunity to simplify and increase security
- Misunderstood
- A victim of FUD
  - Take time to examine it? Or DOOM?
- Fearing what you do not understand is reasonable from an IT perspective. But this is worth the time to understand.
Sumo Logic Confidential 2
The Old World
- You have people on your staff who know way too much about wattage, and BTUs and rack density and how raised, exactly, the floor needs to be
- So you think in certain ways:
  - Hardware rotates and depreciates on a fixed 36-month cycle
  - This is the mix of RAM, Disk, and CPU I have to work with
  - This is how many watts we've got
  - And this is the bandwidth capacity of the datacenter
Where Does This Leave You?
- Trying to insert yourself in the process run by the ping, power and pipe guys
- Dealing with span ports
- Dealing with legacy compromises and legacy infrastructure that no longer matches your security requirements…
- And probably never did
- We do lots of things in this business where we transit public space, and we take steps to secure that transit
A New World
- Cloud computing is truly a different paradigm with different rules and different logic
But The FUD!

The Old World                               | Cloud Computing
Precise Control                             | Statistics
Scripts and Capacity Planning Spreadsheets  | Feedback Loops/Auto-scaling
36-month Refresh Cycles                     | Bids for Spot Instances
Physical Control                            | Process, Automation, Design

- What security professionals are looking for is control
- You can achieve control in the cloud, by playing a new game
- "The highest form of generalship is to thwart your enemy's plans." –Sun Tzu
What's In It For Me?
- Not needing to regularly review firewall rule ordering as part of your operational process, as one example
- Instrument
- Gather data
- Design your rules
- Iterate from the whiteboard
- Not a live firewall console
- For instance :)
Design Design Design
- In the cloud you have the tools to design, implement and refine your policies, controls and enforcement in a centralized fashion
- Your code is your infrastructure
- Your SDLC can now be brought to bear on areas traditionally out-of-sync with your security posture
- Scale to massive sizes without having to worry about things like firewall rule ordering, optimization or audit as part of your operational cycle
- Your security will become fractal, and embedded in every layer of your system.
The Primitives
- What are your primitives?
- I/O, Memory, Storage, Compute, and Code
- Data – At Rest, in Motion, and in Use
- Access control – Monitoring tools, third-party apps, troubleshooting tools
- Interfaces/APIs – Clean, Minimal, Authenticated, Validated
Minimalism
- Each of those must be thought of on its own and in combination with the other components it interacts with
- It is both that simple and that complicated.
Understand Everything
- That simplicity gives you the power to understand everything
- Every protocol
- Every interface
- If you want to achieve true and full Default Deny on everything, everywhere, this is where it starts
- Understand your state changes
- Bring that understanding to bear through development
- And you can attain Emergent Security
With Automation, All Things are Possible
- Your entire infrastructure is your code-base
- There is no gap between the operational physical layer and the software that runs on top of it.
- Machine and network failures are just exceptions to be caught and handled
- Your infrastructure can now evolve and support your system
- because it is the system
Like What?
- Register all of your VMs, services, IPs, and ports
- Automatically build firewall policies based on that
- Re-build and distribute ssl/tls keys
- Whenever you want
- HIDS, HFW and File Integrity Checkers configured with instance tags
- Unit test everything
- Allowing security to keep up with your product
Encrypt It All
- You know… like we do… on the Internet ;)
- At rest and in motion.
- Any data that is ephemeral can be kept on encrypted ephemeral storage, with keys that can simply be kept in memory.
  - When the instance dies, the key dies with it.
- Longer-lived data should be stored away from the keys that secure it
  - If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool
Default Deny Nirvana
- Allow only expected connections
- Front-end web-applications need to accept connections from anyone in the world
  - (but it's more likely only your load balancer does)
- As part of your infrastructure as software design
  - Know what needs to talk to what
    - on what port and under what circumstances,
  - And only allow that,
    - everything else is bit-bucketed and alerted on.
- In software-driven cloud-based deployments, there is no longer any excuse for any other way of doing it
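The "Like What?" and "Default Deny Nirvana" slides describe one mechanism: register every instance with its role, IPs and listening ports, declare who needs to talk to whom on what port, generate the firewall policy from those two inputs, and drop-and-log everything else. The example below is added here and is not code from the Sumo Logic deck; the roles (lb, web, db), instance ids and 10.0.0.0/8 addresses are constructed sample data, and the registry and flow declarations are assumed to be the outputs of whatever registration step a deployment actually uses. It also shows the "unit test everything" point: `policy_problems` is the invariant check you would run in CI before the generated policy is pushed.

```python
"""Default-deny network policy generated from a service registry.

Added example (not from the Sumo Logic deck). Instances carry a role tag,
an IP and the ports they bind; flows declare the only expected traffic;
the policy is the expansion of those flows into per-instance ALLOW rules
followed by a drop-and-log catch-all. All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Instance:
    instance_id: str
    ip: str
    tags: Dict[str, str]           # e.g. {"role": "web", "env": "prod"}
    listen_ports: Tuple[int, ...]  # ports the service actually binds


@dataclass(frozen=True)
class Flow:
    """Instances tagged src_role may reach instances tagged dst_role on port."""
    src_role: str   # "internet" is a pseudo-role meaning 0.0.0.0/0
    dst_role: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str          # "ALLOW" or "DROP_LOG"
    src: str             # IP or CIDR
    dst: str
    port: Optional[int]  # None = any port (only the catch-all uses this)
    proto: str


# Constructed sample registry: one load balancer, two web nodes, one database.
REGISTRY: List[Instance] = [
    Instance("lb-1",  "10.0.0.10", {"role": "lb",  "env": "prod"}, (443,)),
    Instance("web-1", "10.0.1.10", {"role": "web", "env": "prod"}, (8080,)),
    Instance("web-2", "10.0.1.11", {"role": "web", "env": "prod"}, (8080,)),
    Instance("db-1",  "10.0.2.10", {"role": "db",  "env": "prod"}, (5432,)),
]

# Constructed flow declarations: the only traffic the design expects.
FLOWS: List[Flow] = [
    Flow("internet", "lb", 443),  # the world reaches the load balancer only
    Flow("lb", "web", 8080),      # the load balancer reaches the web tier
    Flow("web", "db", 5432),      # the web tier reaches the database
]


def instances_with_role(registry: List[Instance], role: str) -> List[Instance]:
    return [i for i in registry if i.tags.get("role") == role]


def build_policy(registry: List[Instance], flows: List[Flow]) -> List[Rule]:
    """Expand declared flows into per-instance ALLOW rules, then drop+log the rest."""
    rules: List[Rule] = []
    for flow in flows:
        if flow.src_role == "internet":
            sources = ["0.0.0.0/0"]
        else:
            sources = [i.ip for i in instances_with_role(registry, flow.src_role)]
        for dst in instances_with_role(registry, flow.dst_role):
            # A flow to a port the service does not bind is a design error in
            # the registry or the flow list, not something to allow silently.
            if flow.port not in dst.listen_ports:
                raise ValueError(f"{dst.instance_id} does not listen on {flow.proto}/{flow.port}")
            for src in sources:
                rules.append(Rule("ALLOW", src, dst.ip, flow.port, flow.proto))
    # Default deny: anything not explicitly expected is bit-bucketed and alerted on.
    rules.append(Rule("DROP_LOG", "0.0.0.0/0", "0.0.0.0/0", None, "any"))
    return rules


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int, proto: str = "tcp") -> str:
    """First-match evaluation, the way a packet filter applies an ordered rule list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src, strict=False)
                and d in ipaddress.ip_network(r.dst, strict=False)
                and (r.port is None or r.port == port)
                and r.proto in ("any", proto)):
            return r.action
    raise AssertionError("unreachable: the catch-all rule matches every packet")


def policy_problems(rules: List[Rule]) -> List[str]:
    """Invariants to unit test in CI: a non-empty result means do not deploy."""
    problems: List[str] = []
    if not rules or rules[-1].action != "DROP_LOG" or rules[-1].dst != "0.0.0.0/0":
        problems.append("policy does not end with a drop-and-log catch-all")
    for r in rules[:-1]:
        if r.action != "ALLOW" or r.port is None or r.dst == "0.0.0.0/0":
            problems.append(f"over-broad or malformed rule: {r}")
    return problems


if __name__ == "__main__":
    policy = build_policy(REGISTRY, FLOWS)
    for rule in policy:
        print(rule)
    print("problems:", policy_problems(policy))
```

The rule ordering problem the deck mentions disappears because nothing is ordered by hand: every ALLOW is generated from a declared flow and the only positional rule is the final catch-all, so adding a service means adding an instance and a flow, re-running the generator, and re-running `policy_problems` rather than editing a live console.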
Conclusion
- The public utility model of cloud computing brings substantial advantages of scalability and automation which can be leveraged by information security professionals
- As a result, a more secure service can be built on the public cloud for less investment than in a traditional data center
- Just remember your fundamentals
- And always shoot the messenger
Q&A and Next Steps
- Download our white paper, Building Secure Services in the Cloud: www.sumologic.com/resources/
- Register for Sumo Logic Free www.freesumo.com
- Contact [email protected] or [email protected]