Beyond the Hype: Understanding Cloud Security by Bryan D. Payne
•Als PPTX, PDF herunterladen•
1 gefällt mir•803 views
Nebula Director of Security Research Bryan D. Payne explains why the cloud requires a different approach to application-level security at Cloud Computing Expo Santa Clara 2012.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Beyond the Hype: Understanding Cloud Security by Bryan D. Payne
Ähnlich wie Beyond the Hype: Understanding Cloud Security by Bryan D. Payne (20)
Beyond the Hype: Understanding Cloud Security by Bryan D. Payne
- 1. Beyond the Hype: Understanding Cloud Security for Your Application Bryan D. Payne
- 2. To the Learn all Security This is cloud! about cloud concerns hard! Bryan D. Payne, Director of Security Research 2 @bdpsecurity
- 3. Trust guest Cloud Attackers? network? provider My How to access Where is security my instances? my data? policies? Is there a Other cloud right way? Etc… tenants Bryan D. Payne, Director of Security Research 3 @bdpsecurity
- 4. Computer Security: What We Know Better Worse Design for security from the start Retrofit security when it’s important Understand your threats Just make it secure Understand your goals Seriously, just add some security Pervasive security culture That paranoid guy has it under control Bryan D. Payne, Director of Security Research 4 @bdpsecurity
- 5. Security Requires A Good Foundation Bryan D. Payne, Director of Security Research 5 @bdpsecurity
- 6. Security Needs System-Level Thinking Bryan D. Payne, Director of Security Research 6 @bdpsecurity
- 7. Example: Gene Sequence Analysis • Variable workload • Sensitive patient data + • Regulatory compliance • Computational integrity • Multiple tenants • Billing Bryan D. Payne, Director of Security Research 7 @bdpsecurity
- 8. 4 SECURITY QUESTIONS Bryan D. Payne, Director of Security Research 8 @bdpsecurity
- 9. 1. What are you protecting? • Data • Computation • CIA – Confidentiality – Integrity – Availability Bryan D. Payne, Director of Security Research 9 @bdpsecurity
- 10. 2. What is your risk tolerance? • Mindset • Budget • Repercussions Bryan D. Payne, Director of Security Research 10 @bdpsecurity
- 11. 3. What are your threats? • Adware • Botnets • Spyware • Corporate Espionage • Nation State Attacks • Curious Neighbor Bryan D. Payne, Director of Security Research 11 @bdpsecurity
- 12. 4. What is your attack surface? • Network architecture • Cloud provider • Software config • API Usage • Users / Admins Bryan D. Payne, Director of Security Research 12 @bdpsecurity
- 13. CLOUD SECURITY Bryan D. Payne, Director of Security Research 13 @bdpsecurity
- 14. Public or Private (or Hybrid)? Inside / Outside Firewall Hardware / software control protect Policy / regulation allow public? Professional management risk Can’t choose your neighbors Physical control Insight into software stack threats APIs available on the Internet Architectural specificity surface Bryan D. Payne, Director of Security Research 14 @bdpsecurity
- 15. What IaaS Provider? protect risk threats surface Bryan D. Payne, Director of Security Research 15 @bdpsecurity
- 16. Key Points • Get IaaS-layer security from provider • Choose wisely, based on your needs Bryan D. Payne, Director of Security Research 16 @bdpsecurity
- 17. CLOUD APPLICATION SECURITY Bryan D. Payne, Director of Security Research 17 @bdpsecurity
- 18. What Does Your App Look Like? Bryan D. Payne, Director of Security Research 18 @bdpsecurity
- 19. Access to App: Who and How? Other cloud tenants (e.g., guest network) Cloud admin Bryan D. Payne, Director of Security Research 19 @bdpsecurity
- 20. Protecting App Data Bryan D. Payne, Director of Security Research 20 @bdpsecurity
- 21. Protecting App Computation Bryan D. Payne, Director of Security Research 21 @bdpsecurity
- 22. Unique Cloud App Security Concerns • Entropy is hard to come by • Be careful with reusing images • Rapid, code-driven deployment – Keys stored inside your app, be careful • Data persistence is tricky Bryan D. Payne, Director of Security Research 22 @bdpsecurity
- 23. Key Points • Custom security is always hard • The right IaaS platform can help • Follow the community • Cloud isn’t Legacy Bryan D. Payne, Director of Security Research 23 @bdpsecurity
- 24. PUTTING IT ALL TOGETHER Bryan D. Payne, Director of Security Research 24 @bdpsecurity
- 25. Cloud Provider Is Key • Understand what you need • Get the security you need at this level • Don’t do this yourself Protecting? Risk tolerance? Threats? Attack surface? Bryan D. Payne, Director of Security Research 25 @bdpsecurity
- 26. Cloud App Security is Specialized • Unique security concerns • Get expert help, if needed Protecting? Risk tolerance? Threats? Attack surface? Bryan D. Payne, Director of Security Research 26 @bdpsecurity
- 27. Trends to Watch For • OpenStack Security Group https://launchpad.net/~openstack-ossg • Cloud Attestation http://wiki.openstack.org/OpenAttestation http://code.google.com/p/vmitools/ • Attack Surface Research https://cloudsecurityalliance.org/research/big-data/ Bryan D. Payne, Director of Security Research 27 @bdpsecurity
- 28. Bryan D. Payne bryan.payne@nebula.com @bdpsecurity http://www.bryanpayne.org 28
Hinweis der Redaktion
- This slide should be done graphically showing a timeline with the above events on them. Ideally, reveal the timeline one step at a time, leading up to something funny (but tasteful!) for the final point
- Before we get our hands too dirty, let’s think about what we mean by security!
- The idea of this slide is to drill home the concept that security must come from the bottom up. In the cloud world, this means that you can’t – for example – trust inter-tenant isolation if you don’t trust the cloud software. You can’t trust the cloud software if you don’t trust the cloud provider. Etc…
- The idea of this slide is to drill home the concept that security must come from the bottom up. In the cloud world, this means that you can’t – for example – trust inter-tenant isolation if you don’t trust the cloud software. You can’t trust the cloud software if you don’t trust the cloud provider. Etc…
- Introduce a running example that we will use for the rest of the presentation. Tom is tasked with transitioning an internal corporate application into the cloud. The application has the following characteristics: highly variable workload requirements, sensitive data, different tenants need strict firewalling for compliance reasons, etc. Working example could be a gene sequencing system in a hospital of the future?? We will then use this to understand the security questions you need to be asking as you think about the cloud.
- For each of the following 5 questions, I’m thinking we should just have a slide with the question and one graphic / icon that depicts the question. Then, in the next section we can bring back the icons to demonstrate thinking about these 5 security questions as we make decisions about a cloud deployment.
- Understand what you are trying to protect. And what would be the consequences if your protection failed. Think about CIA (confidentiality, integrity, availability) and think about the various pieces of your system (all of the pieces of your cloud application, data in various forms / places, what parts need to be accessible to whom, what parts need to be private, etc)
- How bad would it be if you had a security breach. How much are you willing to spend to prevent such a breach. Are you a state-run intelligence agency? Or are you hosting a family blog?
- Who are you worried about breaking your security? The kid next door? Typical malware? Targeted corporate espionage from a competitor. Nation state level attacker?
- Where in your system are you potentially vulnerable to attack. This could be from within the cloud. From the cloud provider. From a vulnerability in your cloud app. From a social engineering attack on your cloud account. From someone that finds a vulnerability in the cloud APIs and steals your credentials. Etc…
- For each of the following 5 questions, I’m thinking we should just have a slide with the question and one graphic / icon that depicts the question. Then, in the next section we can bring back the icons to demonstrate thinking about these 5 security questions as we make decisions about a cloud deployment.
- Discuss security tradeoffs (professionally maintained, but out in the open vs. behind your firewall and optionally professionally maintained) (auditability differences) (…)
- If private, are you setting it up yourself? Or are you choosing a canned solution? If the former, do you have the expertise to get the security properties you need? If the later, does your provider offer the security you need? How can you verify any of this? Discuss different options (AWS, Rackspace, HP, Nebula, OpenStack, Eucalyptus,OpenCloud, ???). Can your cloud prove that it is running the right software to you? Can your cloud allow you to monitor your own instances (network traffic, host monitoring, related logs from cloud services, etc)?
- “Security rapidly becoming a differentiator”, “Understand what you need and ensure you get that from your provider”, “Lots of choices”, “avoiding lock-in is always a plus”
- For each of the following 5 questions, I’m thinking we should just have a slide with the question and one graphic / icon that depicts the question. Then, in the next section we can bring back the icons to demonstrate thinking about these 5 security questions as we make decisions about a cloud deployment.
- 2-3 pictures of different cloud application architectures
- 2-3 pictures of different cloud application architectures
- 2-3 pictures of different cloud application architectures
- 2-3 pictures of different cloud application architectures
- For each of the following 5 questions, I’m thinking we should just have a slide with the question and one graphic / icon that depicts the question. Then, in the next section we can bring back the icons to demonstrate thinking about these 5 security questions as we make decisions about a cloud deployment.
- For each of the following 5 questions, I’m thinking we should just have a slide with the question and one graphic / icon that depicts the question. Then, in the next section we can bring back the icons to demonstrate thinking about these 5 security questions as we make decisions about a cloud deployment.