December 24, 2014

Cloud Security Practices and Principles

Cloud Security Practices and Principles from Sumo Logic

The Public Cloud Is:

  • An opportunity to simplify and increase security
  • Misunderstood
  • A victim of FUD
    • Take time to examine it?
    • Or DOOM?
  • Fearing what you do not understand is reasonable from an IT perspective. But this is worth the time to understand.

The Old World

  • You have people on your staff who know way too much about wattage, and BTUs and rack density and how raised, exactly, the floor needs to be
  • So you think in certain ways:
    • Hardware rotates and depreciates on a fixed 36-month cycle
    • This is the mix of RAM, Disk, and CPU I have to work with
    • This is how many watts we’ve got
    • And this is the bandwidth capacity of the datacenter

Where Does This Leave You?

  • Trying to insert yourself into the process run by the ping, power and pipe guys
  • Dealing with span ports
  • Dealing with legacy compromises and legacy infrastructure that no longer matches your security requirements…
  • And probably never did
  • We do lots of things in this business where we transit public space, and we take steps to secure that transit

A New World

Cloud computing is truly a different paradigm with different rules and different logic.

The Old World:
  • Precise Control
  • Scripts and Capacity Planning Spreadsheets
  • 36-month Refresh Cycles
  • Physical Control

Cloud Computing:
  • Statistics
  • Feedback Loops/Auto-scaling
  • Bids for Spot Instances
  • Process, Automation, Design

But the FUD!

  • What security professionals are looking for is control
  • You can achieve control in the cloud, by playing a new game
  • “The highest form of generalship is to thwart your enemies’ plans.” - Sun Tzu

What’s In It for Me?

  • Not needing to regularly review firewall rule ordering as part of your operational process, as one example
  • Instrument
  • Gather data
  • Design your rules
  • Iterate from the whiteboard
  • Not a live firewall console

Design Design Design

  • In the cloud, you have the tools to design, implement, and refine your policies, controls, and enforcement in a centralized fashion
  • Your code is your infrastructure
  • Your SDLC can now be brought to bear on areas traditionally out-of-sync with your security posture
  • Scale to massive sizes without having to worry about things like firewall rule ordering, optimization, or audit as part of your operational cycle
  • Your security will become fractal, and embedded in every layer of your system

The Primitives

  • What are your primitives?
  • I/O, Memory, Storage, Compute, and Code
  • Data
    • At Rest, in Motion, and in Use
  • Access control
    • Monitoring tools, third-party apps, troubleshooting tools
  • Interfaces/APIs
    • Clean, Minimal, Authenticated, Validated

Minimalism

  • Each of those must be thought of on its own and in combination with the other components it interacts with
  • It is both that simple and that complicated

Understand Everything

  • That simplicity gives you the power to understand everything
  • Every protocol
  • Every interface
  • If you want to achieve true and full Default Deny on everything, everywhere, this is where it starts
  • Understand your state changes
  • Bring that understanding to bear through development
  • And you can attain Emergent Security

With Automation, All Things are Possible

  • Your entire infrastructure is your code-base
  • There is no gap between the operational physical layer and the software that runs on top of it
  • Machine and network failures are just exceptions to be caught and handled
  • Your infrastructure can now evolve and support your system because it is the system

Like What?

  • Register all of your VMs, services, IPs, and ports
  • Automatically build firewall policies based on that
  • Re-build and distribute ssl/tls keys
  • Whenever you want
  • HIDS, HFW and File Integrity Checkers configured with instance tags
  • Unit test everything
  • Allowing security to keep up with your product

Encrypt It All

  • You know… like we do… on the Internet
  • At rest and in motion
  • Any data that is ephemeral can be kept on encrypted ephemeral storage, with keys that are simply kept in memory
    • When the instance dies, the key dies with it
  • Longer-lived data should be stored away from the keys that secure it
    • If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool

Default Deny Nirvana

  • Allow only expected connections
  • Front-end web-applications need to accept connections from anyone in the world
    • but it’s more likely only your load balancer does
  • As part of your infrastructure as software design
    • Know what needs to talk to what
      • On what port and under what circumstances
    • And only allow that
      • Everything else is bit-bucketed and alerted on
  • In software-driven cloud-based deployments, there is no longer any excuse for any other way of doing it
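The two slides above ("Like What?" and "Default Deny Nirvana") describe one procedure: register every instance, service, IP and port; express which role needs to talk to which; generate the allow rules from that; treat everything else as denied and alerted on; and unit test the result before it reaches a firewall. The following is an added example, not code from the Sumo Logic deck: the registry, addresses, role tags and intent list are constructed for illustration, and the rule format is a plain source/destination/port tuple rather than any particular cloud provider's API.

```python
# Added example (not from the original deck): build a default-deny firewall
# policy from a service registry and check connections and invariants against it.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    ip: str            # instance address (constructed value)
    port: int          # the one port this service listens on
    tags: frozenset    # instance tags, e.g. "role:web"
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src: str    # CIDR that may connect
    dst: str    # CIDR being connected to
    port: int
    proto: str


# Constructed registry: hypothetical addresses and roles.
REGISTRY = [
    Service("lb-1",  "10.0.1.10", 443,  frozenset({"role:lb"})),
    Service("web-1", "10.0.2.11", 8080, frozenset({"role:web"})),
    Service("web-2", "10.0.2.12", 8080, frozenset({"role:web"})),
    Service("db-1",  "10.0.3.20", 5432, frozenset({"role:db"})),
]

# Intent: which role needs to talk to which. "world" is the single public
# entry point (the load balancer); the destination port comes from the
# registry, so a service's registration is the only place it is declared.
INTENT = [("world", "role:lb"), ("role:lb", "role:web"), ("role:web", "role:db")]


def by_tag(registry, tag):
    return [s for s in registry if tag in s.tags]


def build_policy(registry, intent):
    """Expand role-level intent into concrete allow rules.
    Nothing the intent does not name ever produces a rule."""
    rules = []
    for src_tag, dst_tag in intent:
        if src_tag == "world":
            srcs = ["0.0.0.0/0"]
        else:
            srcs = [f"{s.ip}/32" for s in by_tag(registry, src_tag)]
        for dst in by_tag(registry, dst_tag):
            for src in srcs:
                rules.append(Rule(src, f"{dst.ip}/32", dst.port, dst.proto))
    return rules


def evaluate(policy, src_ip, dst_ip, dst_port, proto="tcp"):
    """Default deny: a connection passes only if some rule allows it.
    Returns (decision, alert); alert is a log line for denied traffic."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in policy:
        if (proto == r.proto and dst_port == r.port
                and s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)):
            return "allow", None
    return "deny", f"DENY {proto} {src_ip} -> {dst_ip}:{dst_port} (no matching rule)"


def check_invariants(policy, registry):
    """'Unit test everything': properties the generated policy must hold,
    runnable in CI before the rules are pushed anywhere live."""
    problems = []
    lb_ips = {f"{s.ip}/32" for s in by_tag(registry, "role:lb")}
    web_ips = {f"{s.ip}/32" for s in by_tag(registry, "role:web")}
    # Only the load balancer may be reachable from the world.
    for r in policy:
        if r.src == "0.0.0.0/0" and r.dst not in lb_ips:
            problems.append(f"world may reach non-LB {r.dst}:{r.port}")
    # The database is reachable from web hosts and nothing else.
    for s in by_tag(registry, "role:db"):
        for r in policy:
            if r.dst == f"{s.ip}/32" and r.src not in web_ips:
                problems.append(f"{s.name} reachable from {r.src}, which is not a web host")
    # Every registered service is named in at least one rule (catches drift).
    for s in registry:
        if not any(r.dst == f"{s.ip}/32" for r in policy):
            problems.append(f"{s.name} registered but unreachable by any rule")
    return problems


if __name__ == "__main__":
    policy = build_policy(REGISTRY, INTENT)
    for r in policy:
        print(r)
    print(evaluate(policy, "203.0.113.5", "10.0.1.10", 443))    # allow: world -> LB
    print(evaluate(policy, "203.0.113.5", "10.0.3.20", 5432))   # deny + alert line
    print(check_invariants(policy, REGISTRY))                   # [] when the policy is sane
```

The point of `check_invariants` is the "iterate from the whiteboard, not a live firewall console" idea: the same policy generator that produces the rules is exercised by tests, so a bad intent entry (say, a database exposed to the world) fails in CI rather than being discovered during an audit of rule ordering on a running device.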

Conclusion

  • The public utility model of cloud computing brings substantial advantages of scalability and automation, which can be leveraged by information security professionals
  • As a result, a more secure service can be built on the public cloud for less investment than in a traditional data center
  • Just remember your fundamentals
  • And always shoot the messenger

Q&A and Next Steps
