Cloud Security Practices and Principles

Joan Pepin, Director of Security

Sumo Logic Confidential

The Public Cloud Is:

- An opportunity to simplify and increase security
- Misunderstood
- A victim of FUD
  - Take time to examine it?
  - Or DOOM?
- Fearing what you do not understand is reasonable from an IT perspective. But this is worth the time to understand.

The Old World

- You have people on your staff who know way too much about wattage, BTUs, rack density and how raised, exactly, the floor needs to be
- So you think in certain ways:
  - Hardware rotates and depreciates on a fixed 36-month cycle
  - This is the mix of RAM, disk and CPU I have to work with
  - This is how many watts we've got
  - And this is the bandwidth capacity of the datacenter

Where Does This Leave You?

- Trying to insert yourself in the process run by the ping, power and pipe guys
- Dealing with span ports
- Dealing with legacy compromises and legacy infrastructure that no longer matches your security requirements...
  - And probably never did
- We do lots of things in this business where we transit public space, and we take steps to secure that transit

A New World

- Cloud computing is truly a different paradigm with different rules and different logic

But The FUD!

The Old World                                 Cloud Computing
Precise Control                               Statistics
Scripts and Capacity Planning Spreadsheets    Feedback Loops / Auto-scaling
36-month Refresh Cycles                       Bids for Spot Instances
Physical Control                              Process, Automation, Design

- What security professionals are looking for is control
- You can achieve control in the cloud, by playing a new game
- "The highest form of generalship is to thwart your enemies' plans." - Sun Tzu

What's In It For Me?

- Not needing to regularly review firewall rule ordering as part of your operational process, as one example
- Instrument
- Gather data
- Design your rules
- Iterate from the whiteboard
- Not a live firewall console
- For instance :)

Design Design Design

- In the cloud you have the tools to design, implement and refine your policies, controls and enforcement in a centralized fashion
- Your code is your infrastructure
- Your SDLC can now be brought to bear on areas traditionally out of sync with your security posture
- Scale to massive sizes without having to worry about things like firewall rule ordering, optimization or audit as part of your operational cycle
- Your security will become fractal, and embedded in every layer of your system.

The Primitives

- What are your primitives?
- I/O, Memory, Storage, Compute, and Code
- Data: at rest, in motion, and in use
- Access control
  - Monitoring tools, third-party apps, troubleshooting tools
- Interfaces/APIs
  - Clean, minimal, authenticated, validated

Minimalism

- Each of those must be thought of on its own and in combination with the other components it interacts with
- It is both that simple and that complicated.

Understand Everything

- That simplicity gives you the power to understand everything
- Every protocol
- Every interface
- If you want to achieve true and full Default Deny on everything, everywhere, this is where it starts
- Understand your state changes
- Bring that understanding to bear through development
- And you can attain Emergent Security

With Automation, All Things Are Possible

- Your entire infrastructure is your code base
- There is no gap between the operational physical layer and the software that runs on top of it.
- Machine and network failures are just exceptions to be caught and handled
- Your infrastructure can now evolve and support your system
  - because it is the system

Like What?

- Register all of your VMs, services, IPs, and ports
- Automatically build firewall policies based on that
- Re-build and distribute SSL/TLS keys
  - Whenever you want
- HIDS, HFW and file integrity checkers configured with instance tags
- Unit test everything
  - Allowing security to keep up with your product

Encrypt It All

- You know... like we do... on the Internet ;)
- At rest and in motion.
- Any data that is ephemeral can be kept on encrypted ephemeral storage whose keys can simply be kept in memory.
  - When the instance dies, the key dies with it.
- Longer-lived data should be stored away from the keys that secure it
  - If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool

Default Deny Nirvana

- Allow only expected connections
- Front-end web applications need to accept connections from anyone in the world
  - (but it's more likely only your load balancer does)
- As part of your infrastructure-as-software design:
  - Know what needs to talk to what, on what port and under what circumstances,
  - And only allow that; everything else is bit-bucketed and alerted on.
- In software-driven cloud-based deployments, there is no longer any excuse for any other way of doing it
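An added example, not code from the deck or from Sumo Logic, that ties the "Like What?" and "Default Deny Nirvana" slides together: a constructed service registry and design-time flow list are compiled into explicit allow rules plus a final default deny, and constructed connection attempts are evaluated against the result so that only what the design did not expect gets alerted on. The registry contents, addresses, ports and flows are all made up for the illustration.

```python
import ipaddress

# Constructed service registry (stands in for the automatically registered
# VM/service/IP/port inventory the deck describes): name -> (address, listening ports).
REGISTRY = {
    "lb":  ("10.0.0.10", {443}),
    "web": ("10.0.1.20", {8080}),
    "db":  ("10.0.2.30", {5432}),
}
# Constructed design-time flow list: who needs to talk to whom, on which port.
FLOWS = [("internet", "lb", 443), ("lb", "web", 8080), ("web", "db", 5432)]
ANY = ipaddress.ip_network("0.0.0.0/0")


def build_policy(registry, flows):
    """Generate one explicit allow rule per designed flow, then a final default deny."""
    rules = []
    for src, dst, port in flows:
        dst_ip, dst_ports = registry[dst]
        if port not in dst_ports:
            # A flow to a port the service never listens on is a design error; fail the build.
            raise ValueError(f"{dst} does not listen on port {port}")
        src_net = ANY if src == "internet" else ipaddress.ip_network(registry[src][0])
        rules.append(("allow", src_net, ipaddress.ip_network(dst_ip), port))
    rules.append(("deny", ANY, ANY, None))  # port None matches any port
    return rules


def evaluate(rules, src_ip, dst_ip, port):
    """First-match evaluation. Returns (action, alert); alert is True only when the
    attempt fell through to the default deny, i.e. nothing in the design expected it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net, rule_port in rules:
        if src in src_net and dst in dst_net and rule_port in (None, port):
            return action, action == "deny"
    raise AssertionError("unreachable: a generated policy always ends in a deny rule")


def alerts_for(rules, attempts):
    """Run constructed connection attempts through the policy; return the ones to alert on."""
    return [a for a in attempts if evaluate(rules, *a)[1]]


if __name__ == "__main__":
    policy = build_policy(REGISTRY, FLOWS)
    # Constructed attempts: two designed flows, an undesigned web->lb ssh attempt,
    # and an outside host reaching for the database directly.
    attempts = [("203.0.113.5", "10.0.0.10", 443), ("10.0.1.20", "10.0.2.30", 5432),
                ("10.0.1.20", "10.0.0.10", 22), ("203.0.113.5", "10.0.2.30", 5432)]
    for attempt in alerts_for(policy, attempts):
        print("ALERT: unexpected connection", attempt)
```

Because the policy is generated from the registry, the flow list doubles as the unit test the "Like What?" slide asks for: every designed flow must evaluate to allow and every constructed undesigned one to deny.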

Conclusion

- The public utility model of cloud computing brings substantial advantages of scalability and automation which can be leveraged by information security professionals
- As a result, a more secure service can be built on the public cloud for less investment than in a traditional data center
- Just remember your fundamentals
- And always shoot the messenger

Q&A and Next Steps

- Download our white paper, Building Secure Services in the Cloud: www.sumologic.com/resources/
- Register for Sumo Logic Free: www.freesumo.com
- Contact [email protected] or [email protected]