Cloud Security Practices and Principles

Cloud Security Practices and Principles from Sumo Logic

The Public Cloud Is:

• An opportunity to simplify and increase security
• Misunderstood
• A victim of FUD
  • Take time to examine it?
  • Or DOOM?
• Fearing what you do not understand is reasonable from an IT perspective. But this is worth the time to understand.

The Old World

• You have people on your staff who know way too much about wattage, and BTUs and rack density and how raised, exactly, the floor needs to be
• So you think in certain ways:
  • Hardware rotates and depreciates on a fixed 36-month cycle
  • This is the mix of RAM, Disk, and CPU I have to work with
  • This is how many watts we’ve got
  • And this is the bandwidth capacity of the datacenter

Where Does This Leave You?

• Trying to insert yourself in the process run by ping power and pipe guys
• Dealing with span ports
• Dealing with legacy compromises and legacy infrastructure that no longer matches your security requirements…
• And probably never did
• We do lots of things in this business where we transit public space, and we take steps to secure that transit

A New World

Cloud computing is truly a different paradigm with different rules and different logic

The Old World	Cloud Computing
Precise Control Scripts and Capacity Planning Spreadsheets 36-month Refresh Cycles Physical Control	Statistics Feedback Loops/Auto-scaling Bids for Spot Instances Process, Automation, Design

But the FUD!

• What security professionals are looking for is control
• You can achieve control in the cloud, by playing a new game
• The highest form of generalship is to thwart your enemies plans.” - Sun Tzu

What’s In It for Me?

• Not needing to regularly review firewall rule ordering as part of your operational process, as one example
• Instrument
• Gather data
• Design your rules
• Iterate from the whiteboard
• Not a live firewall console

Design Design Design

• In the cloud, you have the tools to design, implement, and refine your policies, controls, and enforcement in a centralized fashion
• Your code is your infrastructure
• Your SDLC can now be brought to bear on areas traditionally out-of-sync with your security posture
• Scale to massive sizes without having to worry about things like firewall rule ordering, optimization, or audit as part of your operational cycle
• Your security will become fractal, and embedded in every layer of your system

The Primitives

• What are your primitives?
• I/O, Memory, Storage, Compute, and Code
• Data
  • At Rest, in Motion, and in Use
• Access control
  • Monitoring tools, third-party apps, troubleshooting tools
• Interfaces/APIs
  • Clean, Minimal, Authenticated, Validated

Minimalism

• Each of those must be thought of on its own and in combination with the other components it interacts with
• It is both that simple and that complicated

Understand Everything

• That simplicity gives you the power to understand everything
• Every protocol
• Every interface
• If you want to achieve true and full Default Deny on everything, everywhere, this is where it starts
• Understand your state changes
• Bring that understanding to bear through development
• And you can attain Emergent Security

With Automation, All Things are Possible

• Your entire infrastructure is your code-base
• There is no gap between the operational physical layer and the software that runs on top of it
• Machine and network failures are just exceptions to be caught and handled
• Your infrastructure can now evolve and support your system because it is the system

Like What?

• Register all of your VMs services, IPs, and ports
• Automatically build firewall policies based on that
• Re-build and distribute ssl/tls keys
• Whenever you want
• HIDS, HFW and File Integrity Checkers configured with instance tags
• Unit test everything
• Allowing security to keep up with your product

Encrypt It All

• You know… like we do… on the Internet
• At rest and in motion
• Any data that is ephemeral can be kept on encrypted ephemeral storage with keys can simply be kept in memory
  • When the instance dies, the key dies with it
• Longer-lived data should be stored away from the keys that secure it
  • If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool

Default Deny Nirvana

• Allow only expected connections
• Front-end web-applications need to accept connections from anyone in the world
  • but it’s more likely only your load balancer does
• As part of your infrastructure as software design
  • Know what needs to talk to what
    • On what port and under what circumstances
  • And only allow that
    • Everything else is bit-bucketed and alerted on
• In software-driven cloud-based deployments, there is no longer any excuse for any other way of doing it

Conclusion

• The public utility model of cloud computing brings substantial advantages of scalability and automation, which can be leveraged by information security professionals
• As a result, a more secure service can be built on the public cloud for less investment than in a traditional data center
• Just remember your fundamentals
• And always shoot the messenger

Q&A and Next Steps

• Download our white paper, Building Secure Services in the Cloud: www.sumologic.com/resources
• Register for Sumo Logic free www.freesumo.com
• Contact joan@sumologic.com or info@sumologic.com