This "mini" version of my CSA Congress talk about building a secure cloud was given at the San Francisco Cloud Security Meetup in November, 2011.I got some great feedback while giving this talk, and will be applying it to an updated version of this deck which will be released during the CSA Congress, November 15th and 16th 2011.
Text of Securing the Cloud
1. Building a Secure Cloud SF Cloud Security Meetup 11/3/0211
4. Why? From http://www.ece.cmu.edu/~koopman/des_s99/sw_reliability/
5. Required functionality
Highly available infrastructure (HVM+Net+Storage)
6. Security Monitoring
Centralized log management is a must.
As the cloud grows, the amount of data to process will be huge.
You need a system with relatively low false-positive rate.
7. Building a secure cloud
Setup hardware lab first, if possible
Move to production
8. Practice Makes Perfect
If you do this right, you will build, tear down, and rebuild this cloud several times as you learn from your (and your vendors) mistakes.
9. Who Do You Trust?
Who do you trust to build your secure cloud?
3 rd party security/cloud professionals
Vendor support staff?
10. Who Do You Trust From a vendors website:
11. Who Do You Trust?
12. Setup Basics
Harden Hypervisor OS
Use an automation suite
13. Selecting a Cloud Platform
Create a list of possible packages
Look for security features in each
Legwork how have the maintainers treated security?
Pick two or three to test out
Trial period is mandatory .
14. Trial Period
15. Trial Period
Install while monitoring
Understand results of installation
16. Review Software
If youre lucky, your chosen software is either open-source or is at least human-readable.
Some things to look at:
Cronjobs or other automated processes
17. Review Software
What does this code do to my already hardened system? Are firewalls disabled, or security measures removed?
What new software (and potential vulnerabilities) does it install?
What exactly is the code doing?
Is the application more trusting than it should be?
Where was the developer lazy?
18. Code Review
19. Monitor The Installation
The installation environment is yours control it.
Capture a log of the installation process
Make sure IDS capture any changes made during installation
With your initial security configuration, the initial installation will probably not be successful.
20. Review Gathered Intelligence
Review the results of the install
Look for errors during installation
Some can be fixed by loosening security controls
Some must be fixed by vendor
21. Test Security
Standard security testing scenario: The app is insecure, question is if you have enough resources to find the weakness.
Low-hanging fruit: SQL Injection, XSS, lack of encryption, default values