Defending Applications In the Cloud

Architecting Layered Security Solutions in Cloud Computing Environments

Agenda

• Introductions and context

• Conventional solution architecture

• Moving solutions to the cloud

• Intrusion detection and prevention in the cloud

• Defensive strategies

• Security challenges in the cloud

1

Introductions

• Opinions on this topic are informed by three perspectives:

– Current position as Chief Security and Privacy Officer for a health IT services firm that operates systems in conventional data centers and cloud computing environments

– Adjunct professor at UMUC teaching courses in information assurance, particularly Intrusion Detection and Prevention

– Experience as a government contractor architecting, implementing, and securing federal and state systems

Context

• Rapid adoption of cloud computing models across most (if not all) industry sectors

– Infrastructure as a Service (IaaS)

– Platform as a Service (PaaS)

– Software as a Service (SaaS)

• Security is a prominent area of concern for organizations moving systems, data, and services to the cloud

• Well-accepted network security practices, tools, and architecture patterns do not always transfer directly to the cloud

Security Architecture

• Specifics vary widely, but conventional security architecture solutions reflect a “defense in depth” approach with typical elements including:

– Network firewalls

– Intrusion detection and prevention systems

– Physical or logical subnets (VLANs)

– Identity and access management

– Threat and vulnerability scanners

– Audit logging and monitoring

– Event correlation/security information and event management

– Disaster recovery

Network Security

Conventional data center                     | Cloud service provider
---------------------------------------------|------------------------------------------
Packet filtering firewall                    | Network ACL; security groups
Stateful inspection/intrusion prevention     | Security groups
Application firewall                         | Third-party gateways or custom instances
Network address translation                  | NAT instance
Boundary and domain router                   | Virtual router
Virtual Private Network (VPN) appliance      | Virtual private gateway
Network Access Control (NAC)                 | Not available
Network Intrusion Detection System (IDS)     | Third-party or custom instances
Subnet/VLAN via switches                     | Subnets via routing tables
Corporate network/LAN                        | Virtual private cloud
Disaster recovery via alternate site         | Disaster recovery via zone replication
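The first two rows of the table map the data center's packet filter and stateful inspection onto two cloud constructs that behave differently. The model below is an added illustration, not code from the presentation or from any cloud provider: it implements the documented semantics of a network ACL (numbered rules, lowest number first, first match wins, implicit deny, stateless) and of a security group (allow-only rules, stateful), then runs the same HTTPS exchange through both. The addresses, rule numbers and rule sets are constructed for the example.

```python
"""Model of the two cloud packet filters named in the table: a network ACL
(stateless) and a security group (stateful).

Added illustration, not provider code. Addresses and rule sets are constructed;
the behaviour modelled is the documented one: network ACL rules are numbered,
evaluated lowest number first with the first match winning and an implicit deny
at the end, and reply traffic needs its own rule in the other direction;
security group rules are allow-only, and replies to an allowed connection pass
without any rule.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound", relative to the instance
    src: str
    dst: str
    src_port: int
    dst_port: int


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class NetworkAcl:
    """Stateless: every packet, replies included, is matched against the rules."""

    def __init__(self, rules):
        # rules: (number, direction, cidr, port_from, port_to, action)
        self.rules = sorted(rules, key=lambda r: r[0])

    def evaluate(self, pkt):
        # The CIDR is matched against the remote side; the port range is always
        # the packet's destination port, so replies are matched on ephemeral ports.
        remote = pkt.src if pkt.direction == "inbound" else pkt.dst
        for _number, direction, cidr, lo, hi, action in self.rules:
            if direction == pkt.direction and _in_cidr(remote, cidr) and lo <= pkt.dst_port <= hi:
                return action          # first match wins
        return "deny"                  # the implicit catch-all deny rule


class SecurityGroup:
    """Stateful: an allowed inbound connection is remembered so its replies pass."""

    def __init__(self, inbound_rules, outbound_rules=()):
        # rules: (cidr, port_from, port_to); there are no deny rules
        self.inbound_rules = list(inbound_rules)
        self.outbound_rules = list(outbound_rules)
        self.connections = set()       # (remote_ip, remote_port, local_port)

    def evaluate(self, pkt):
        if pkt.direction == "inbound":
            for cidr, lo, hi in self.inbound_rules:
                if _in_cidr(pkt.src, cidr) and lo <= pkt.dst_port <= hi:
                    self.connections.add((pkt.src, pkt.src_port, pkt.dst_port))
                    return "allow"
            return "deny"
        # Outbound: a reply to a tracked connection needs no outbound rule at all
        if (pkt.dst, pkt.dst_port, pkt.src_port) in self.connections:
            return "allow"
        for cidr, lo, hi in self.outbound_rules:
            if _in_cidr(pkt.dst, cidr) and lo <= pkt.dst_port <= hi:
                return "allow"
        return "deny"


def compare_filters():
    """Run the same HTTPS exchange, plus two probes, through each filter."""
    client, blocked, server = "203.0.113.10", "198.51.100.5", "10.0.1.20"
    request = Packet("inbound", client, server, 50000, 443)
    reply = Packet("outbound", server, client, 443, 50000)
    blocked_request = Packet("inbound", blocked, server, 50001, 443)
    ssh_probe = Packet("inbound", client, server, 50002, 22)

    # Network ACL that allows inbound 443 but lacks the outbound ephemeral-port rule
    nacl_no_return = NetworkAcl([(100, "inbound", "0.0.0.0/0", 443, 443, "allow")])
    # The same ACL with a deny for one range numbered ahead of the allow, plus the
    # outbound ephemeral-port rule a stateless filter needs for replies
    nacl_complete = NetworkAcl([
        (50, "inbound", "198.51.100.0/24", 0, 65535, "deny"),
        (100, "inbound", "0.0.0.0/0", 443, 443, "allow"),
        (100, "outbound", "0.0.0.0/0", 1024, 65535, "allow"),
    ])
    # Security group with a single inbound allow and no outbound rules at all
    sg = SecurityGroup(inbound_rules=[("0.0.0.0/0", 443, 443)])

    return {
        "nacl_no_return": (nacl_no_return.evaluate(request), nacl_no_return.evaluate(reply)),
        "nacl_complete": (nacl_complete.evaluate(request), nacl_complete.evaluate(reply),
                          nacl_complete.evaluate(blocked_request)),
        "security_group": (sg.evaluate(request), sg.evaluate(reply), sg.evaluate(ssh_probe)),
    }


if __name__ == "__main__":
    for name, verdicts in compare_filters().items():
        print(f"{name:16} {verdicts}")
```

The run shows why the table lists security groups under both rows: the ACL that only allows inbound 443 silently drops the server's reply, while the security group passes it with no outbound rule, and the ACL's numbered deny takes effect only because it is numbered below the allow.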

Conventional Network Infrastructure

[Diagram: a corporate data center with a public gateway and VPN facing the Internet, an integrated security device, a load balancer and switches in front of physical servers, host servers and a server cluster, a storage array and databases, administrators, and a separate private gateway to an external service provider]

Key Security Attributes

• Hardware-based firewall/IPS/VPN

• Subnets configured through switches

• Combination of physical and virtual hosts

• Separate gateway/point of integration for connection to external entities

• Multiple options for deploying network-based and host-based IDS/IPS, event monitoring, and threat and vulnerability scanning


Infrastructure in the Cloud

[Diagram: Internet users reach an Internet gateway and router; elastic load balancing distributes traffic to instances in VPC subnets across two Availability Zones, each protected by security groups and backed by EBS, RDS and S3, with CloudWatch monitoring; a route table governs routing, and a Virtual Private Gateway connects over VPN to the corporate data center]

Key Security Attributes

• Virtual firewalls through security groups and ACLs

• Subnets through routing tables and virtual gateways

• All hosts virtualized or delivered as service

• Private gateways for connections to customer data center or external entities

• Limited network-based IDS/IPS

• Event monitoring and threat and vulnerability scanning must be performed by customer or use a third party service


Conventional Solution Architecture

[Diagram: Internet traffic passes through a router and security appliance to a web server, application server and database server tier, with a network IDS monitoring each tier]

Solution Architecture in the Cloud

[Diagram: Internet traffic enters through an Internet gateway and router to an elastic load balancer; the web server, application server and database server each sit in their own security group, and CloudWatch raises alerts]

Intrusion Detection in the Cloud

• Conventional “in-line” IDS/IPS typically requires custom configuration of an instance with multiple network interfaces to route traffic through the IDS

[Diagram: an Internet gateway and router with route tables direct traffic from the elastic load balancer through an instance with dual interfaces before it reaches the other instances; logs are written to EBS and S3, with CloudWatch monitoring]

Defensive Strategies

• Route public access through content and networking services such as Akamai

– Optimized for web applications

– Greatly reduces external exposure of systems

• Enable secure point-to-point access with a virtual private gateway

– Hardware-based endpoint at the cloud customer side

– Virtual endpoint on the cloud provider side

• Leverage asymmetric encryption for server/OS access

– Key pair generation is the default in AWS and an option in Azure

• Create dedicated VMs for administrative access (“jump boxes”) and disable administrative channels/services like SSH from any other source
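The last strategy is easy to state and easy to drift away from as security groups accumulate rules. The check below is an added example, not code from the presentation or from a cloud provider: it walks security group records shaped like the IpPermissions structure the AWS EC2 DescribeSecurityGroups API returns and flags every rule that exposes an administrative port to anything other than the jump-box group. The group ids, names and CIDRs are constructed, and "sg-jumpbox0001" is a hypothetical id for the dedicated administrative-access group.

```python
"""Check that administrative ports are reachable only from the jump box.

Added example, not code from the presentation or from a cloud provider. The
group records below follow the shape of the IpPermissions structure returned by
the AWS EC2 DescribeSecurityGroups API, but the group ids, names and CIDRs are
constructed, and "sg-jumpbox0001" is a hypothetical id for the dedicated
administrative-access group.
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
JUMP_BOX_SG = "sg-jumpbox0001"          # hypothetical id of the jump-box group

SECURITY_GROUPS = [
    {"GroupId": "sg-web0001", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # SSH from anywhere
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-app0001", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # SSH from jump box only
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": JUMP_BOX_SG}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web0001"}]},
    ]},
    {"GroupId": "sg-db0001", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "-1",                                          # all traffic from the VPC,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},  # which includes SSH and RDP
    ]},
]


def admin_ports_covered(perm):
    """Admin ports a single permission entry opens; protocol "-1" means all traffic."""
    if perm["IpProtocol"] == "-1":
        return set(ADMIN_PORTS)
    if perm["IpProtocol"] not in ("tcp", "6"):
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def rule_sources(perm):
    """Every source the entry admits: IPv4 CIDRs, IPv6 CIDRs and referenced groups."""
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return sources


def audit_admin_access(groups, jump_box_sg=JUMP_BOX_SG):
    """Return (group id, port name, source) for every admin-port rule whose
    source is anything other than the jump-box security group."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            ports = admin_ports_covered(perm)
            for src in rule_sources(perm):
                if src == jump_box_sg:
                    continue
                for port in sorted(ports):
                    findings.append((group["GroupId"], ADMIN_PORTS[port], src))
    return findings


if __name__ == "__main__":
    for group_id, port, src in audit_admin_access(SECURITY_GROUPS):
        print(f"{group_id}: {port} reachable from {src}; expected {JUMP_BOX_SG} only")
```

The app tier passes because its SSH rule references the jump-box group rather than an address range; the database tier is flagged even though it has no port-22 rule, because an all-traffic rule from the VPC range opens the administrative ports along with everything else.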

Security Challenges in the Cloud

• Responsibility

– Customers deploying applications and data to the cloud are responsible for securing what they deploy

• Log management and analysis

– VMs produce copious logs, written to a central storage area but not aggregated for analysis

– Logs need to be aggregated to facilitate review, often using third party virtual appliances or services

– Firewall and virtual device logging/monitoring may be limited or unavailable
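The log management point is concrete enough to show. The example below is added here and is not code from the presentation: a constructed central store holds the sshd authentication entries of three VMs under separate paths, exactly as they land when nothing joins them. Reviewed one file at a time, no host shows more than two failed logins; merged into one time-ordered stream, a single source is seen trying three accounts on three hosts. The paths, hostnames, addresses and the year assumed for the year-less syslog timestamps are all made up for the illustration.

```python
"""Aggregating per-VM logs from a central store for review.

Added example, not code from the presentation. The log store below is
constructed: three VMs each wrote their own sshd entries under their own path,
the way VM logs land in central storage without being joined. The paths,
hostnames, addresses and the year assumed for the year-less syslog timestamps
are all made up for the illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

CENTRAL_STORE = {
    "logs/web-01/auth.log": (
        "Mar 12 02:14:01 web-01 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2\n"
        "Mar 12 02:14:04 web-01 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40213 ssh2\n"
        "Mar 12 02:20:11 web-01 sshd[1290]: Accepted publickey for deploy from 10.0.9.5 port 51000 ssh2\n"
    ),
    "logs/app-01/auth.log": (
        "Mar 12 02:14:09 app-01 sshd[877]: Failed password for root from 198.51.100.7 port 40220 ssh2\n"
        "Mar 12 02:14:15 app-01 sshd[877]: Failed password for root from 198.51.100.7 port 40221 ssh2\n"
        "Mar 12 02:16:40 app-01 sshd[880]: Accepted publickey for deploy from 10.0.9.5 port 51010 ssh2\n"
    ),
    "logs/db-01/auth.log": (
        "Mar 12 02:13:58 db-01 sshd[402]: Failed password for invalid user oracle from 198.51.100.7 port 40200 ssh2\n"
        "Mar 12 02:15:02 db-01 sshd[402]: Accepted password for dba from 10.0.9.5 port 52000 ssh2\n"
    ),
}

# One sshd authentication decision, in the syslog form each VM writes locally
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_store(store, year=2013):
    """Join every file in the store into one time-ordered list of events.
    Syslog lines carry no year, so the caller supplies it (assumed here)."""
    events = []
    for path, text in store.items():
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue       # other sshd chatter is not an authentication decision
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"time": when, "host": m["host"], "user": m["user"],
                           "ip": m["ip"], "result": m["result"],
                           "method": m["method"], "source_file": path})
    events.sort(key=lambda e: e["time"])
    return events


def failures_per_host(events):
    """What each VM's own log shows: failed attempts counted one host at a time."""
    return Counter(e["host"] for e in events if e["result"] == "Failed")


def failed_logins_by_source(events, threshold=3):
    """What only the aggregated view shows: sources whose failed attempts across
    all hosts reach the threshold, with the hosts and accounts they touched."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e)
    report = {}
    for ip, evs in failures.items():
        if len(evs) >= threshold:
            report[ip] = {
                "attempts": len(evs),
                "hosts": sorted({e["host"] for e in evs}),
                "users": sorted({e["user"] for e in evs}),
                "first": evs[0]["time"],
                "last": evs[-1]["time"],
            }
    return report


if __name__ == "__main__":
    events = parse_store(CENTRAL_STORE)
    print("per host:", dict(failures_per_host(events)))
    for ip, info in failed_logins_by_source(events).items():
        print(f"{ip}: {info['attempts']} failures on {info['hosts']} "
              f"as {info['users']} between {info['first']} and {info['last']}")
```

A third-party appliance or service does the same join at scale and with many more log formats, but the value it adds is the one shown here: a threshold that no single host crosses is crossed in the merged view.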

Security Challenges in the Cloud

• Device authentication

– Little or no ability to perform checks like NAC scans or MAC authentication

– Access filters can sometimes be applied through separate services (e.g., geographic IP filter with AWS CloudFront)

• Encryption

– Encryption of data at rest not natively supported in some cloud products/services

– In many cases, OS-level or database encryption can be enabled, but organizations still need to determine how to manage keys

Summary

• Data center and application architectures can be reproduced in cloud environments

• Some security capabilities seen as “standard” in corporate data centers are not available or do not operate the same way with cloud service providers

• If you deploy anything needing protection to a cloud environment, you are responsible for securing it

• Following cloud-specific defensive strategies supports implementation of defense-in-depth


Questions

Contact Information

Dr. Stephen D. Gantz, DM CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO

Professor of Information Assurance

The Graduate School

University of Maryland University College

3501 University Blvd. East

Adelphi, MD 20783

[email protected]

www.securityarchitecture.com
