Application Security Forum - 2013Western Switzerland

15-16 octobre 2013 - Y-Parc / Yverdon-les-Bainshttp://www.appsec-forum.ch

Security and cloud migration

Christophe SahutCorporate Infrastructure Architect / SGS

2

SGS in a few words

3

Agenda

SaaS experience

IaaS experience

Reminder: your (security) responsibility

4

Application

Data

Runtime

Middleware

OS

Virtualization

Servers

Storage

Networking

Application

Data

Runtime

Middleware

OS

Virtualization

Servers

Storage

Networking

Application

Data

Runtime

Middleware

OS

Virtualization

Servers

Storage

Networking

IaaS PaaS SaaS

5

SaaS experience

6

Use case

Application fulfilling (most?) business needs

Price/user/month – OPEX

Side effect of ignoring this is shadow IT

Hopefully, …

7

… there are authentication requirements

8

Solution: SAML 2.0

In two words– Identity Provider on premise acting as a web proxy to

the authentication source (AD, LDAP, SQL…)– Generates and signs authentication tokens– Send them to the SaaS service to prove the user has

been authenticated– You’re loggued in

Enable Single Sign-On with SaaS services

9

Nice solution but…

Tricky to setup in multi-forests AD environments

Not always easy to configure depending on SPs

Must be highly available

10

And what about (de)provisionning?

Provisioning can be done on the fly following authentication (and authorization)– Works fine but de-provisioning is still a challenge– Reminder: you pay per user

Resource (user, group…) CRUD via web services not widely deployed yet

http://www.simplecloud.info/

11

Other concerns

Data is by definition fully understood by the SaaS provider– Profiling (or worst) : “used for statistics and UX”– Contracts say provider will not

if you ask them not toif they say so, it must be true

Data is (sometimes) encrypted on disksBut SaaS provider manages the portal to access it (…)

12

IaaS experience

13

Example: AWS

14

Connect to the management console

15

Then

Create Virtual Private Clouds (VPC)– Network, route tables, gateways– Virtual machines– Load balancers– Storage, snapshots– Managed databases– …

In a given location

16

Source: http://aws.amazon.com/articles/9982940049271604

Example

17

Use segmentation/filtering

Network ACLs Security groups

(OS firewalls) (3rd party network firewalls)

18

VPC created. And then?

Decide how to integrate it in existing infrastructure

1) Keep it external• Completely separate infrastructure

2) Link it to datacenters / WAN• Consider the VPC as a new site on the WAN

19

1) Keep it external

Corporate Data center

Load balancerWeb Servers Database

Internet

Bastion

20

Use bastion hosts– RDP/SSH from known IPs, strong authentication,

logging/auditing

VPC entry point opened only for the service provided

21

2) Link it to datacenters / WAN

Corporate Data center

Load balancer Web Servers DatabaseVPN

Bastion

22

Use a VPN (or leased line)– Decide if you want a public or private VPC

One more Internet access vs private datacenter extension

– Be careful to the network range and routingVPC part of the WAN

– Wizard on AWS to setup dual-VPN to on-premise VPN concentrator

– Setup firewall rules on both sides (drop all, then think)

23

What we did on IaaS

VPC in different locations, VPNs– SAML tests (WIF, mod_mellon,…)– New versions of software on isolated networks

S3, load balancing, managed databases, DNS zone delegation, CDN, datawarehouse, PaaS …

More and more providers come with an AWS backend and we can evaluate what they do

24

Example of IaaS security benefit

Launch/rebuild infrastructures in minutes– With code like this:

Configure this way networks, VPN, security groups, create instances, fetch data from a GIT repository, configure load balancers…

25

Code the infrastructure

With specific cloud toolsCloudformation in AWS

With scripting with CLI toolsBash, Powershell …

With SDKs (.net, java,…), cloud API libraries (libcloud…), abstraction tools (Rightscale…) …

And versioning!

26

Example use case

Defacement/intrusion on a IaaS-based website– Fire new infrastructure clone– Enable verbose logging– Redirect traffic (via DNS, load balancers…) to the new

infrastructure– Identify attack, implement protection/blackhole– Isolate hacked infrastructure– Run forensic analysis– Get a coffee

27

Questions?

28

Merci/Thank you!

Contact:

@csahut

Slides: http://slideshare.net/ASF-WS/presentations