Against the backdrop of the PRISM affair, putting the words security and cloud together seems bold at first sight; we will see why it is not necessarily so. This talk presents the concrete experience of a large enterprise integrating cloud infrastructures (IaaS, PaaS and SaaS) into an existing architecture, together with the security mechanisms it is wise to use. We will cover, at a technical level, topics such as datacenter interconnection, Virtual Private Clouds, strong authentication, segmentation, perimeter defence and identity federation.
Application Security Forum - Western Switzerland 2013
15-16 October 2013 - Y-Parc / Yverdon-les-Bains
http://www.appsec-forum.ch
Security and cloud migration
Christophe Sahut, Corporate Infrastructure Architect / SGS
SGS in a few words
Agenda
SaaS experience
IaaS experience
Reminder: your (security) responsibility
[Figure: the stack Application / Data / Runtime / Middleware / OS / Virtualization / Servers / Storage / Networking, drawn once each for IaaS, PaaS and SaaS, showing which layers remain your responsibility in each model]
SaaS experience
Use case
Application fulfilling (most?) business needs
Price/user/month – OPEX
Side effect of ignoring this is shadow IT
Hopefully, …
… there are authentication requirements
Solution: SAML 2.0
In two words:
– Identity Provider on premise acting as a web proxy to the authentication source (AD, LDAP, SQL…)
– Generates and signs authentication tokens
– Sends them to the SaaS service to prove the user has been authenticated
– You're logged in
Enable Single Sign-On with SaaS services
Nice solution but…
Tricky to setup in multi-forests AD environments
Not always easy to configure depending on SPs
Must be highly available
And what about (de)provisioning?
Provisioning can be done on the fly following authentication (and authorization)
– Works fine, but de-provisioning is still a challenge
– Reminder: you pay per user
Resource (user, group…) CRUD via web services is not widely deployed yet
http://www.simplecloud.info/
Other concerns
Data is by definition fully understood by the SaaS provider
– Profiling (or worse): "used for statistics and UX"
– Contracts say the provider will not… if you ask them not to; if they say so, it must be true
Data is (sometimes) encrypted on disks
– But the SaaS provider manages the portal used to access it (…)
IaaS experience
Example: AWS
Connect to the management console
Then
Create Virtual Private Clouds (VPC)
– Network, route tables, gateways
– Virtual machines
– Load balancers
– Storage, snapshots
– Managed databases
– …
In a given location
Source: http://aws.amazon.com/articles/9982940049271604
Example
Use segmentation/filtering
– Network ACLs
– Security groups
– OS firewalls
– 3rd-party network firewalls
VPC created. And then?
Decide how to integrate it in the existing infrastructure
1) Keep it external
• Completely separate infrastructure
2) Link it to datacenters / WAN
• Consider the VPC as a new site on the WAN
1) Keep it external
[Figure: corporate data center on one side, and across the Internet a VPC holding load balancer, web servers and database, reached through a bastion]
Use bastion hosts
– RDP/SSH from known IPs, strong authentication, logging/auditing
VPC entry point opened only for the service provided
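The bastion rule above can be checked mechanically. As an added example (not from the talk or SGS), the script below audits security-group rules in the JSON shape returned by `aws ec2 describe-security-groups`, using constructed sample groups and an assumed admin network (203.0.113.0/24): only the bastion group may accept SSH/RDP from the outside, and only from known IPs, while every other group may take those ports solely from the bastion's group id.

```python
import ipaddress

MGMT_PORTS = {22, 3389}                  # SSH and RDP, the bastion's only job
KNOWN_ADMIN_NETS = ["203.0.113.0/24"]    # constructed "known IPs" (TEST-NET-3 range)

def rule_covers_port(rule, port):
    """True if one IpPermissions entry allows TCP `port` (or all traffic, "-1")."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit(groups, bastion_sg_id):
    """Return (group id, finding) tuples for management-port exposure."""
    findings = []
    admin_nets = [ipaddress.ip_network(n) for n in KNOWN_ADMIN_NETS]
    for g in groups:
        for rule in g["IpPermissions"]:
            ports = sorted(p for p in MGMT_PORTS if rule_covers_port(rule, p))
            if not ports:
                continue                   # not a management port, out of scope
            for r in rule.get("IpRanges", []):
                net = ipaddress.ip_network(r["CidrIp"])
                if g["GroupId"] == bastion_sg_id:
                    # the bastion may accept SSH/RDP, but only from known admin networks
                    if not any(net.subnet_of(a) for a in admin_nets):
                        findings.append((g["GroupId"], f"{ports} open to {net}"))
                else:
                    # every other host: no CIDR source at all for management ports
                    findings.append((g["GroupId"], f"{ports} open to {net}, bypasses bastion"))
            for p in rule.get("UserIdGroupPairs", []):
                if g["GroupId"] != bastion_sg_id and p["GroupId"] != bastion_sg_id:
                    findings.append((g["GroupId"], f"{ports} allowed from {p['GroupId']}, not the bastion"))
    return findings

# Constructed sample, modelled on the IpPermissions shape of describe-security-groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]
```

Running `audit(SAMPLE_GROUPS, "sg-bastion")` reports only the database group, whose RDP port is open to the whole Internet instead of the bastion.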
2) Link it to datacenters / WAN
[Figure: corporate data center linked by VPN to a VPC holding load balancer, web servers, database and bastion]
Use a VPN (or leased line)
– Decide if you want a public or private VPC: one more Internet access vs. a private datacenter extension
– Be careful with the network range and routing: the VPC becomes part of the WAN
– Wizard on AWS to set up a dual VPN to an on-premise VPN concentrator
– Set up firewall rules on both sides (drop all, then think)
What we did on IaaS
VPCs in different locations, VPNs
– SAML tests (WIF, mod_mellon, …)
– New versions of software on isolated networks
S3, load balancing, managed databases, DNS zone delegation, CDN, data warehouse, PaaS …
More and more providers come with an AWS backend, and we can evaluate what they do
Example of IaaS security benefit
Launch/rebuild infrastructures in minutes
– With code like this:
Configure networks, VPN and security groups this way, create instances, fetch data from a Git repository, configure load balancers…
Code the infrastructure
With specific cloud tools: CloudFormation in AWS
With scripting via CLI tools: Bash, PowerShell …
With SDKs (.NET, Java, …), cloud API libraries (libcloud, …), abstraction tools (RightScale, …) …
And versioning!
Example use case
Defacement/intrusion on an IaaS-based website
– Fire up a new infrastructure clone
– Enable verbose logging
– Redirect traffic (via DNS, load balancers…) to the new infrastructure
– Identify the attack, implement protection/blackhole
– Isolate the hacked infrastructure
– Run forensic analysis
– Get a coffee
Questions?
Merci/Thank you!
Contact:
@csahut
Slides: http://slideshare.net/ASF-WS/presentations