REBUILDING FOR THE CLOUD

HOW CLOUD ARCHITECTURE CAN IMPROVE APPLICATION SECURITY
INTRO
AGENDA
Definitions (brief, I promise)
Cloud Benefits
Cloud Security Concepts
Moving applications to the cloud, wrong way
Moving applications to the cloud, right way
Please do ask questions!
CLOUD [kloud]
noun
NIST Definition (AKA SP800-145)
• On demand, self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured (read: billable) service
INFORMATION SECURITY
[in-fer-mey-shuhn si-kyoor-i-tee]
noun
Protecting information and information systems from
unauthorized access, use, disclosure, disruption,
modification, perusal, inspection, recording or destruction.


See Also: Job Security
Artist: Tyler, 11. Dortmund, Germany
CLOUD BENEFITS
Main benefit: Flexibility


Possible benefit: Cost savings
CLOUD SECURITY
CLIFF NOTES


• Trust nobody
• Encrypt everything
• Expect service issues
WHAT’S WRONG WITH FORKLIFTING?
FORKLIFTING…
“Datacenter” application to the cloud:
• Can’t trust what you used to
• Datacenter apps usually not flexible
• Confidentiality, Integrity, Availability all handled differently
ENTERPRISE vs CLOUD
HOW ABOUT PAAS?
LEVERAGING CLOUD ARCHITECTURE
How can we (gently) re-architect to take advantage of the cloud?
• Network
• Web server
• Application Server
• Database server
• Don’t forget audit/forensics!
NETWORK
Good: Limit by IP

Better: Allow administration via VPN only

Best: Admin interface on separate host, VPN only

Artist: Jonathan, Age 7, Heidelberg, Germany
WEB/APP SERVER
Good: Load balancing, “Basic” hardening (IP ACLs, only accept GET/POST, server tuned for large loads). SSL’s cheap nowadays.

Better: Build Web Application Firewalls and reverse caches into your IaaS (mod_security’s free).

Best: Use 3rd party services to handle load and minimize security issues (CDNs like Akamai, Cloudflare).

Required: Input filtering, output encoding.
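An added example, not from the deck, that wires the “Good” points of the NETWORK and WEB/APP SERVER slides into one WSGI middleware: admin paths reachable only from a VPN range, GET/POST only, input filtering and output encoding for anything reflected back. The VPN range, the /admin prefix and the echo application are constructed for the example.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed policy values (assumptions for this example, not from the slides).
ADMIN_PREFIX = "/admin"
VPN_NETWORK = ipaddress.ip_network("10.8.0.0/24")   # assumed VPN address pool
ALLOWED_METHODS = {"GET", "POST"}
SAFE_INPUT = re.compile(r"[^\x00-\x1f\x7f]{0,64}")  # printable, bounded length

def check_request(environ):
    """Policy decision for one request: None means allowed, else an HTTP status."""
    if environ.get("REQUEST_METHOD") not in ALLOWED_METHODS:
        return "405 Method Not Allowed"
    if environ.get("PATH_INFO", "/").startswith(ADMIN_PREFIX):
        # Peer address from the socket. Trusting X-Forwarded-For needs a known
        # load balancer in front, which this example does not assume.
        try:
            addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return "403 Forbidden"
        if addr not in VPN_NETWORK:
            return "403 Forbidden"
    return None

def filter_input(value):
    """Input filtering: accept only bounded, printable text; None = rejected."""
    return value if SAFE_INPUT.fullmatch(value) else None

def encode_output(value):
    """Output encoding: escape anything reflected into an HTML body."""
    return html.escape(str(value), quote=True)

class Hardening:
    """WSGI middleware enforcing the method allowlist and the admin IP ACL."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        status = check_request(environ)
        if status is None:
            return self.app(environ, start_response)
        body = status.encode()
        start_response(status, [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))])
        return [body]

def echo_app(environ, start_response):
    """Toy application behind the middleware: reflects ?name= into HTML."""
    raw = parse_qs(environ.get("QUERY_STRING", "")).get("name", [""])[0]
    name = filter_input(raw)
    if name is None:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"rejected"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [f"<p>Hello {encode_output(name)}</p>".encode()]

def run_request(app, method, path, remote_addr, query=""):
    """Drive a WSGI app with a constructed environ; returns (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "REMOTE_ADDR": remote_addr, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response)).decode()
    return seen["status"], body
```

`run_request(Hardening(echo_app), "GET", "/", "203.0.113.7", "name=<b>x</b>")` returns a 200 whose body carries the escaped markup, while the same client asking for `/admin` gets a 403.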
DATASTORE
Good: Place DBs on separate host from application.


Better: Place DBs in separate datacenters, and replicate


Best: Migrate to a “NOSQL” datastore (Cassandra, MongoDB,
ElasticSearch)


Required: Encrypt data-at-rest
NOSQL SECURITY?
• Many NOSQL systems turn off even authentication
• Data labeling or granular access needs to be handled in application.

Artist: Luca, Italy
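An added example, not from the deck, of what “handled in application” means for the two NOSQL SECURITY bullets: the application authenticates callers and attaches labels to every document, filtering reads and queries by the caller’s clearances, because the datastore itself does neither. The in-memory dict standing in for the collection, the HMAC token scheme (a stand-in for the app’s real session layer) and all principals and labels are constructed for the example.

```python
import hashlib
import hmac

class LabeledStore:
    """Application-side authentication and data labels in front of a document
    store that enforces neither. `_docs` stands in for the NoSQL collection."""

    def __init__(self, app_secret):
        self._docs = {}              # doc_id -> {"labels": set, "body": dict}
        self._clearances = {}        # principal -> set of labels it may read
        self._secret = app_secret    # app-held secret for token MACs (assumed)

    # --- authentication: the application does it, the datastore will not ---
    def grant(self, principal, labels):
        self._clearances[principal] = set(labels)

    def _mac(self, principal):
        return hmac.new(self._secret, principal.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, principal):
        """Stand-in for the app's real session mechanism: principal + HMAC."""
        return f"{principal}:{self._mac(principal)}"

    def _authenticate(self, token):
        principal, _, mac = token.partition(":")
        known = principal in self._clearances
        # Constant-time compare; bytes so odd input cannot raise on encoding.
        if not known or not hmac.compare_digest(mac.encode(), self._mac(principal).encode()):
            raise PermissionError("authentication failed")
        return principal

    # --- labeling: every document carries the labels needed to read it ---
    def put(self, token, doc_id, labels, body):
        self._authenticate(token)
        self._docs[doc_id] = {"labels": set(labels), "body": body}

    def _readable(self, principal, doc):
        return doc["labels"] <= self._clearances[principal]

    def get(self, token, doc_id):
        principal = self._authenticate(token)
        doc = self._docs.get(doc_id)
        # Missing and forbidden look identical so existence is not leaked.
        if doc is None or not self._readable(principal, doc):
            raise KeyError(doc_id)
        return doc["body"]

    def find(self, token, predicate=lambda body: True):
        """Query results are filtered by label before the caller sees them."""
        principal = self._authenticate(token)
        return {i: d["body"] for i, d in self._docs.items()
                if self._readable(principal, d) and predicate(d["body"])}
```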
INTER-PROCESS COMMUNICATION
Good: Whatever you’ve dreamt up (cloud bullhorn?), at least encrypt it.

Better: Use open protocols for communication between nodes. Make sure encryption is enabled!

Best: Consider using message queues.

Required, in case you missed it: encryption.
LOGGING & FORENSICS
What happens to logs when our scalable architecture…
scales down?


Cloud really really requires centralized logging, monitoring,
and management.


Also, consider erase vs. overwrite
WHAT HAVE WE BUILT?
• Scalable solution
• No single point of failure
• Healthy caution of all those around us (filtering/encoding)
• Data stored and transmitted safely
• And a nice set of audit logs for when Bad Things happen
LEARN MORE
Cloud Security Alliance
OWASP Cloud top 10
THANKS AND CONTACT INFO

“Bad People” drawings from http://badpeopleproject.org


Follow me on twitter: @johnlkinsella

Editor's Notes

  1. Service: Infrastructure, Platform, Software as a service. Deployment: Private, community, public, hybrid
  2. So for each one of these things I’ll try to break it down into GOOD – BETTER – BEST.
  3. Some of these points fit better for IaaS, this is one of them
  4. Load balancing – linux virtual server. “Best” – I’m expecting/wanting resistance to some of these points – I believe CDN/NoSQL/Message Queues have security value from a scalability POV, but they’re not slam-dunk arguments.
  5. RabbitMQ or ActiveMQ