Nebula Director of Security Research Bryan D. Payne explains why the cloud requires a different approach to application-level security at Cloud Computing Expo Santa Clara 2012.
Beyond the Hype: Understanding Cloud Security by Bryan D. Payne
1. Beyond the Hype: Understanding Cloud Security for Your Application
Bryan D. Payne
2. To the cloud! -> Learn all about cloud -> Security concerns -> This is hard!
Bryan D. Payne, Director of Security Research
@bdpsecurity
3. Cloud security questions
• Trust guest network?
• Cloud provider?
• Attackers?
• My security policies?
• How to access my instances?
• Where is my data?
• Is there a right way?
• Other cloud tenants?
• Etc…
4. Computer Security: What We Know
Better                               | Worse
Design for security from the start   | Retrofit security when it's important
Understand your threats              | Just make it secure
Understand your goals                | Seriously, just add some security
Pervasive security culture           | That paranoid guy has it under control
5. Security Requires A Good Foundation
7. Example: Gene Sequence Analysis
• Variable workload
• Sensitive patient data
• Regulatory compliance
• Computational integrity
• Multiple tenants
• Billing
8. 4 SECURITY QUESTIONS
9. 1. What are you protecting?
• Data
• Computation
• CIA
– Confidentiality
– Integrity
– Availability
10. 2. What is your risk tolerance?
• Mindset
• Budget
• Repercussions
11. 3. What are your threats?
• Adware
• Botnets
• Spyware
• Corporate Espionage
• Nation State Attacks
• Curious Neighbor
12. 4. What is your attack surface?
• Network architecture
• Cloud provider
• Software config
• API Usage
• Users / Admins
13. CLOUD SECURITY
14. Public or Private (or Hybrid)?
• Inside / outside firewall
• Hardware / software control
• Policy / regulation: allow public?
• Professional management
• Can't choose your neighbors
• Physical control
• Insight into software stack
• APIs available on the Internet
• Architectural specificity
(Icons: protect / risk / threats / surface)
15. What IaaS Provider?
(Icons: protect / risk / threats / surface)
16. Key Points
• Get IaaS-layer security from provider
• Choose wisely, based on your needs
22. Unique Cloud App Security Concerns
• Entropy is hard to come by
• Be careful with reusing images
• Rapid, code-driven deployment
– Keys stored inside your app, be careful
• Data persistence is tricky
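Slide 22's warnings about reusing images, keys stored inside the app, and scarce entropy translate into a concrete check that can run before an image is snapshotted. The following is an added example written for this page, not code from the talk or from Nebula: it walks an unpacked image tree looking for per-instance files that must not be cloned (SSH host keys, machine-id), leftover credential and history files from whoever built the image, and secrets embedded in application code, and it reads the kernel's entropy estimate so a first-boot key-generation step can refuse to run on a starved pool. All path patterns, content patterns and the sample tree are assumptions chosen for illustration.

```python
"""Added example (not from the talk): a pre-publish audit of a VM image's
filesystem tree for artifacts that should never be baked into a reusable
image, plus a check of the kernel entropy pool on a running instance.
The patterns and the sample tree below are assumptions for illustration."""
import os
import re
import tempfile

# Files generated per instance that must not be cloned across instances.
# Cloning SSH host keys lets any tenant who boots the image impersonate
# every other instance built from it.
PER_INSTANCE_FILES = [
    re.compile(r"^etc/ssh/ssh_host_.*_key$"),
    re.compile(r"^etc/machine-id$"),
]

# Files that commonly carry credentials left behind by the image builder.
CREDENTIAL_FILES = [
    re.compile(r"^(root|home/[^/]+)/\.ssh/(id_[a-z0-9]+|authorized_keys)$"),
    re.compile(r"^(root|home/[^/]+)/\.(bash_history|aws/credentials)$"),
    re.compile(r"^(root|home/[^/]+)/\.netrc$"),
]

# Content patterns for secrets embedded inside application code or config.
CONTENT_PATTERNS = [
    ("private key", re.compile(r"-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hard-coded secret", re.compile(r"(?i)(password|secret|api_key)\s*[=:]\s*['\"][^'\"]{8,}")),
]

MAX_SCAN_BYTES = 1 << 20  # only the head of large files is inspected


def audit_image_tree(root):
    """Walk an unpacked image rooted at `root`; return sorted (relative_path, reason) findings."""
    findings = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for pat in PER_INSTANCE_FILES:
                if pat.match(rel):
                    findings.add((rel, "per-instance file baked into image"))
            for pat in CREDENTIAL_FILES:
                if pat.match(rel):
                    findings.add((rel, "credential or history file left in image"))
            if os.path.islink(full):
                continue
            try:
                with open(full, "rb") as fh:
                    head = fh.read(MAX_SCAN_BYTES).decode("utf-8", "ignore")
            except OSError:
                continue
            for label, pat in CONTENT_PATTERNS:
                if pat.search(head):
                    findings.add((rel, "embedded " + label))
    return sorted(findings)


def entropy_available(path="/proc/sys/kernel/random/entropy_avail"):
    """Return the kernel's estimate of available entropy bits, or None if unreadable.
    A freshly booted VM often reports a tiny pool; generating long-lived keys then is risky."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def build_sample_tree():
    """Construct a small fake image tree (constructed sample data, not a real image)."""
    root = tempfile.mkdtemp(prefix="image-audit-")
    files = {
        "etc/ssh/ssh_host_rsa_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
        "etc/ssh/sshd_config": "PermitRootLogin no\n",
        "home/builder/.bash_history": "export AWS_SECRET_ACCESS_KEY=...\n",
        "opt/app/config.py": "DB_PASSWORD = 'correct-horse-battery'\nAWS_KEY = '" + "AKIA" + "A" * 16 + "'\n",
        "opt/app/main.py": "import config\n",
        "proc/sys/kernel/random/entropy_avail": "136\n",  # stands in for a starved pool
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, reason in audit_image_tree(sample_root):
        print(f"{reason}: {rel}")
    print("entropy_avail (this host):", entropy_available())
```

Run audit_image_tree against a mounted or extracted image root before snapshotting; the sample tree is constructed in a temporary directory so the script runs stand-alone. On a Linux instance, entropy_available() with its default path reads the kernel's estimate from /proc; a very small value right after first boot is the signal to wait for, or provision, a hardware or virtio RNG source before generating host keys or TLS keys, rather than baking keys into the image to dodge the problem.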
23. Key Points
• Custom security is always hard
• The right IaaS platform can help
• Follow the community
• Cloud isn’t Legacy
24. PUTTING IT ALL TOGETHER
25. Cloud Provider Is Key
• Understand what you need
• Get the security you need at this level
• Don’t do this yourself
Protecting? Risk tolerance? Threats? Attack surface?
26. Cloud App Security is Specialized
• Unique security concerns
• Get expert help, if needed
Protecting? Risk tolerance? Threats? Attack surface?
27. Trends to Watch For
• OpenStack Security Group
https://launchpad.net/~openstack-ossg
• Cloud Attestation
http://wiki.openstack.org/OpenAttestation
http://code.google.com/p/vmitools/
• Attack Surface Research
https://cloudsecurityalliance.org/research/big-data/
28. Bryan D. Payne
bryan.payne@nebula.com
@bdpsecurity
http://www.bryanpayne.org
Editor's notes
This slide should be done graphically showing a timeline with the above events on them. Ideally, reveal the timeline one step at a time, leading up to something funny (but tasteful!) for the final point
Before we get our hands too dirty, let’s think about what we mean by security!
The idea of this slide is to drill home the concept that security must come from the bottom up. In the cloud world, this means that you can’t – for example – trust inter-tenant isolation if you don’t trust the cloud software. You can’t trust the cloud software if you don’t trust the cloud provider. Etc…
Introduce a running example that we will use for the rest of the presentation. Tom is tasked with transitioning an internal corporate application into the cloud. The application has the following characteristics: highly variable workload requirements, sensitive data, different tenants need strict firewalling for compliance reasons, etc. Working example could be a gene sequencing system in a hospital of the future?? We will then use this to understand the security questions you need to be asking as you think about the cloud.
For each of the following 5 questions, I’m thinking we should just have a slide with the question and one graphic / icon that depicts the question. Then, in the next section we can bring back the icons to demonstrate thinking about these 5 security questions as we make decisions about a cloud deployment.
Understand what you are trying to protect. And what would be the consequences if your protection failed. Think about CIA (confidentiality, integrity, availability) and think about the various pieces of your system (all of the pieces of your cloud application, data in various forms / places, what parts need to be accessible to whom, what parts need to be private, etc)
How bad would it be if you had a security breach? How much are you willing to spend to prevent such a breach? Are you a state-run intelligence agency? Or are you hosting a family blog?
Who are you worried about breaking your security? The kid next door? Typical malware? Targeted corporate espionage from a competitor? Nation state level attacker?
Where in your system are you potentially vulnerable to attack. This could be from within the cloud. From the cloud provider. From a vulnerability in your cloud app. From a social engineering attack on your cloud account. From someone that finds a vulnerability in the cloud APIs and steals your credentials. Etc…
Discuss security tradeoffs (professionally maintained, but out in the open vs. behind your firewall and optionally professionally maintained) (auditability differences) (…)
If private, are you setting it up yourself? Or are you choosing a canned solution? If the former, do you have the expertise to get the security properties you need? If the latter, does your provider offer the security you need? How can you verify any of this? Discuss different options (AWS, Rackspace, HP, Nebula, OpenStack, Eucalyptus, OpenCloud, ???). Can your cloud prove that it is running the right software to you? Can your cloud allow you to monitor your own instances (network traffic, host monitoring, related logs from cloud services, etc)?
“Security rapidly becoming a differentiator”, “Understand what you need and ensure you get that from your provider”, “Lots of choices”, “avoiding lock-in is always a plus”
2-3 pictures of different cloud application architectures