
December 24, 2014

Cloud Security Practices and Principles

Cloud Security Practices and Principles from Sumo Logic

The Public Cloud Is:

  • An opportunity to simplify and increase security
  • Misunderstood
  • A victim of FUD
    • Take time to examine it?
    • Or DOOM?
  • Fearing what you do not understand is reasonable from an IT perspective. But this is worth the time to understand.

The Old World

  • You have people on your staff who know way too much about wattage, and BTUs and rack density and how raised, exactly, the floor needs to be
  • So you think in certain ways:
    • Hardware rotates and depreciates on a fixed 36-month cycle
    • This is the mix of RAM, Disk, and CPU I have to work with
    • This is how many watts we’ve got
    • And this is the bandwidth capacity of the datacenter

Where Does This Leave You?

  • Trying to insert yourself in the process run by the ping, power and pipe guys
  • Dealing with span ports
  • Dealing with legacy compromises and legacy infrastructure that no longer matches your security requirements…
  • And probably never did
  • We do lots of things in this business where we transit public space, and we take steps to secure that transit

A New World

Cloud computing is truly a different paradigm with different rules and different logic
The Old World:
  • Precise Control
  • Scripts and Capacity Planning Spreadsheets
  • 36-month Refresh Cycles
  • Physical Control
Cloud Computing:
  • Statistics
  • Feedback Loops/Auto-scaling
  • Bids for Spot Instances
  • Process, Automation, Design

But the FUD!

  • What security professionals are looking for is control
  • You can achieve control in the cloud, by playing a new game
  • “The highest form of generalship is to thwart your enemies’ plans.” - Sun Tzu

What’s In It for Me?

  • Not needing to regularly review firewall rule ordering as part of your operational process, as one example
  • Instrument
  • Gather data
  • Design your rules
  • Iterate from the whiteboard
  • Not a live firewall console

Design Design Design

  • In the cloud, you have the tools to design, implement, and refine your policies, controls, and enforcement in a centralized fashion
  • Your code is your infrastructure
  • Your SDLC can now be brought to bear on areas traditionally out-of-sync with your security posture
  • Scale to massive sizes without having to worry about things like firewall rule ordering, optimization, or audit as part of your operational cycle
  • Your security will become fractal, and embedded in every layer of your system

The Primitives

  • What are your primitives?
  • I/O, Memory, Storage, Compute, and Code
  • Data
    • At Rest, in Motion, and in Use
  • Access control
    • Monitoring tools, third-party apps, troubleshooting tools
  • Interfaces/APIs
    • Clean, Minimal, Authenticated, Validated

Minimalism

  • Each of those must be thought of on its own and in combination with the other components it interacts with
  • It is both that simple and that complicated

Understand Everything

  • That simplicity gives you the power to understand everything
  • Every protocol
  • Every interface
  • If you want to achieve true and full Default Deny on everything, everywhere, this is where it starts
  • Understand your state changes
  • Bring that understanding to bear through development
  • And you can attain Emergent Security

With Automation, All Things are Possible

  • Your entire infrastructure is your code-base
  • There is no gap between the operational physical layer and the software that runs on top of it
  • Machine and network failures are just exceptions to be caught and handled
  • Your infrastructure can now evolve and support your system because it is the system

Like What?

  • Register all of your VMs, services, IPs, and ports
  • Automatically build firewall policies based on that
  • Re-build and distribute SSL/TLS keys
  • Whenever you want
  • HIDS, HFW and File Integrity Checkers configured with instance tags
  • Unit test everything
  • Allowing security to keep up with your product

Encrypt It All

  • You know… like we do… on the Internet
  • At rest and in motion
  • Any data that is ephemeral can be kept on encrypted ephemeral storage, with keys that are simply kept in memory
    • When the instance dies, the key dies with it
  • Longer-lived data should be stored away from the keys that secure it
    • If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool

Default Deny Nirvana

  • Allow only expected connections
  • Front-end web-applications need to accept connections from anyone in the world
    • but it’s more likely only your load balancer does
  • As part of your infrastructure as software design
    • Know what needs to talk to what
      • On what port and under what circumstances
    • And only allow that
      • Everything else is bit-bucketed and alerted on
  • In software-driven cloud-based deployments, there is no longer any excuse for any other way of doing it
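The two slides above (“Like What?” and “Default Deny Nirvana”) describe one workflow: register what runs where, generate the firewall policy from that registry, unit test the result, and treat every flow not covered by a rule as denied and alert-worthy. The following is an added example, not code from the deck or from Sumo Logic; the service names, addresses, ports and flow records are constructed assumptions, and the registry format is invented for illustration.

```python
"""Derive a default-deny allowlist from a service registry, unit test it,
and evaluate observed flows against it. Added example; all names and
addresses below are constructed assumptions, not real infrastructure."""
from dataclasses import dataclass
import ipaddress

# Constructed registry: which service listens where, and who may reach it.
# "any" marks the one tier that genuinely needs to be reachable from the
# world (the load balancer); everything else is reachable only from a
# named upstream tier.
REGISTRY = {
    "lb":  {"ips": ["10.0.1.10"],              "ports": {443},  "allowed_from": {"any"}},
    "web": {"ips": ["10.0.2.10", "10.0.2.11"], "ports": {8080}, "allowed_from": {"lb"}},
    "db":  {"ips": ["10.0.3.10"],              "ports": {5432}, "allowed_from": {"web"}},
}


@dataclass(frozen=True)
class Rule:
    src: str   # source CIDR; "0.0.0.0/0" means anyone
    dst: str   # destination CIDR
    port: int  # destination TCP port


def build_policy(registry):
    """Expand the registry into explicit allow rules. Anything without a
    matching rule is implicitly denied: there is no 'allow all' fallback."""
    rules = set()
    for spec in registry.values():
        for port in spec["ports"]:
            for dst_ip in spec["ips"]:
                for src_svc in spec["allowed_from"]:
                    if src_svc == "any":
                        srcs = ["0.0.0.0/0"]
                    else:
                        srcs = [ip + "/32" for ip in registry[src_svc]["ips"]]
                    for src in srcs:
                        rules.add(Rule(src, dst_ip + "/32", port))
    return rules


def is_allowed(policy, src_ip, dst_ip, port):
    """True only if some explicit rule covers this (src, dst, port)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(
        port == r.port
        and s in ipaddress.ip_network(r.src)
        and d in ipaddress.ip_network(r.dst)
        for r in policy
    )


def check_invariants(registry, policy):
    """Unit-test-style check on the generated policy: only services
    registered as public may have a rule open to 0.0.0.0/0. Returns the
    offending rules (empty list means the invariant holds)."""
    public_ips = {
        ip for spec in registry.values() if "any" in spec["allowed_from"]
        for ip in spec["ips"]
    }
    return [r for r in policy
            if r.src == "0.0.0.0/0" and r.dst.split("/")[0] not in public_ips]


def evaluate_flows(policy, flows):
    """Split observed (src, dst, port) flows into allowed and alerts.
    Everything not explicitly allowed is dropped and reported."""
    allowed, alerts = [], []
    for flow in flows:
        (allowed if is_allowed(policy, *flow) else alerts).append(flow)
    return allowed, alerts


# Constructed sample flows, as you might pull them from VPC flow logs.
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.0.1.10", 443),    # internet -> LB: expected
    ("10.0.1.10",   "10.0.2.10", 8080),   # LB -> web: expected
    ("10.0.2.11",   "10.0.3.10", 5432),   # web -> db: expected
    ("203.0.113.5", "10.0.2.10", 8080),   # internet straight to web: deny + alert
    ("10.0.2.10",   "10.0.3.10", 22),     # web -> db over SSH, never registered: deny + alert
]

if __name__ == "__main__":
    policy = build_policy(REGISTRY)
    assert check_invariants(REGISTRY, policy) == [], "unexpected public exposure"
    ok, bad = evaluate_flows(policy, SAMPLE_FLOWS)
    for flow in bad:
        print("ALERT: unexpected flow", flow)
```

Because the policy is generated rather than hand-maintained, the invariant check can run in the same test suite as the application code: a registry change that accidentally exposes the web tier directly fails the build instead of surfacing later in a firewall console review.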

Conclusion

  • The public utility model of cloud computing brings substantial advantages of scalability and automation, which can be leveraged by information security professionals
  • As a result, a more secure service can be built on the public cloud for less investment than in a traditional data center
  • Just remember your fundamentals
  • And always shoot the messenger

Q&A and Next Steps
