BSides SF - Automating Security for the Cloud
© 2012 CloudPassage Inc.
Automating Security for the Cloud
Why we all need to care…
Security B-Sides SF 2012
Rand [email protected]
@randwacker
whoami
Security
Cloud
UC Berkeley ✘ ✘
Oracle ✘
Amazon ✘
Sendmail …
IronPort ✘
Cisco ✘
CloudPassage ✘ ✘
Rand Wacker
@randwacker
Slides available soon on
community.cloudpassage.com
Agenda
1. Who Runs What in the Cloud
2. Cloud Security Differences
3. DevOps vs SecOps
4. Making Everyone Happy
5. The End
Who is running in the cloud?
• IT Server Admins
• Big Data Analysts
What is running in the cloud?
Development
Who: App-dev shops, integrators, enterprise BUs
Why: Fast, cheap, agile
Risks: Code stolen or hacked, live data theft
Permanent Application Hosting
Who: SaaS providers, social media, gaming
Why: Scalable, elastic, ties costs to growth
Risks: Compliance, data theft, operational disruption
Temporary Workloads
Who: Big data, social, retail, life-sci, media
Why: Agility, speed, scale, “lease the spikes”
Risks: Intellectual property theft
“We didn’t think we had cloud servers. Then we checked our developers’ expense reports for AWS...”
- CISO, Fortune 500 (name withheld upon request)
Why Your Security Toolbox Doesn’t Work In The Cloud
Cloud Security Is New
[Diagram: private datacenter running www-1 www-2 www-3 www-4, alongside a public cloud]
Cloud Security Is Different
[Diagram: www-1 www-2 www-3 remain in the private datacenter while www-4 runs in the public cloud]
Cloud Security Is Complex
[Diagram: Private Datacenter: www-1 www-2 www-3; Cloud Provider A: www-4 www-5 www-6; Cloud Provider B: www-7 www-8 www-9 www-10]
Security Products Aren’t Adapting
[Diagram: Private Datacenter (www-1 www-2 www-3), Cloud Provider A (www-4 www-5 www-6), Cloud Provider B (www-7 www-8 www-9 www-10)]
• Temporary & Elastic Deployments
• Multiple Cloud Environments
• Metered Usage
Survey: Cloud Security Concerns
Question: What security concerns are most important to you regarding public cloud computing? (multiple choice)
• Enterprise security tools don't work in the cloud
• Provider access to guest servers
• Achieving compliance with PCI or other standards
• Multi-tenancy of infrastructure or applications
• Lack of perimeter defenses and/or network control
[Bar chart: the five concerns received 23%, 24%, 26%, 40% and 44% of responses]
Source: CloudPassage CloudSec Community Survey
Shared Responsibility Model
“…the customer should assume responsibility and management of, but not limited to, the guest operating system… and associated application software…”
“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Amazon Web Services: Overview of Security Processes
EC2 Shared Responsibility Model
Provider Responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Customer Responsibility: Virtual Machine (Operating System, App Framework, App Code, Data)
Application of Security in IaaS
[Matrix: security controls mapped to each layer of the IaaS stack and split between Customer and Provider responsibility]
Layers: Application Logic; API / GUI; App Framework / App stack; Virtual Machine/OS; Hypervisor; Compute; Storage; Physical Network; Physical Facilities
Controls: Physical; Secure Development Lifecycle; File/Record Access Control; Auditing/Pen Testing; SIEM; Encryption; Architecture/Design; NIDS/NIPS; Packet Filtering; Proxy/Middleware; Configuration Lockdown; HIDS/HIPS; Authentication; Forensics; NAC; DLP; Application Whitelisting; Anti-Virus; Virtual Network; Patching
Survey: Cloud Security Practices
Question: How do you secure your cloud servers today?
• Open source or custom-developed tools
• Commercial tool
• My provider does it for me
• Amazon Security Group
• We're not securing our cloud servers
Source: CloudPassage CloudSec Community Survey
How I Learned to Stop Worrying and Get DevOps to Love Security
What Is DevOps?
[Venn diagram: DevOps is the overlap of Software Engineering, QA & Site Reliability, and IT Operations; the second build adds Security Operations to the picture]
Why Does DevOps Love Cloud?
Different Job Goals
DevOps
SecOps
Traditional DC Protection
[Diagram: two firewalls bound a DMZ (load balancers, app servers) and a core (auth server, databases); each round of Server Provisioning means Firewall Updates, followed by Site Debugging!!!]
Moving to the Cloud
[Diagram: the load balancers, app servers, auth server and databases move into the public cloud, leaving the firewalls, DMZ and core behind]
Protecting Cloud Servers
[Diagram: in the public cloud, every server (load balancers, app servers, DB master, DB slave) gets its own host firewall (FW), including each new server as it is added]
Cloud Security Challenges
• Inconsistent Control (you don’t own everything)
  – The only thing you can count on is guest VM ownership
• Elasticity (not all servers are steady-state)
  – Cloud-bursting, stale servers, dynamic provisioning
• Scalability (handle variable workloads)
  – May have one dev server or 1,000 number-crunchers
• Portability (same controls must work anywhere)
  – Nobody wants multiple tools or IaaS provider lock-in
So our tools are broken and everyone hates us, now what?
With Gratitude: Hyperbole and a Half
The VM is the Unit of Control
Controlled by Hosting-Provider: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Controlled by Hosting-User: Virtual Machine (Operating System, App Framework, App Code, Data)
The VM is the Unit of Scale
[Diagram: two identical Virtual Machines (Operating System, App Framework, App Code, Data) on one provider's Physical Facilities, Hypervisor, Compute & Storage and Shared Network]
The VM is the Unit of Portability
[Diagram: the same Virtual Machine stack on a Private Cloud and on an IaaS Provider, each with its own Physical Facilities, Hypervisor, Compute & Storage and Shared Network]
Thesis
In cloud environments, the intersection of control, portability & scale is always the guest virtual machine.
Secure the VM
[Diagram: Virtual Machine with OS, App Framework, App Code and Data, host firewalls (FW) on both sides of the OS]
• Secure the OS services and configurations
• Add host-based firewalls (inbound and outbound)
• Ensure application stacks are up-to-date and locked down
• Continuously verify application code is current and un-tampered
• Track sensitive data and prevent egress
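As an added example (not code from the talk or from CloudPassage), the host-firewall step above can be modelled as role-based rules derived from the current server inventory: each VM's inbound allow-list follows from its role and its peers, so provisioning a new app server updates the DB host's rules with no central firewall to edit. Every role, hostname, address and port here is constructed.

```python
"""Role-based host firewall policy recomputed from the live inventory.

Models the deck's 'Protecting Cloud Servers' picture: load balancer, app
servers, DB master/slave, one host firewall (FW) per VM. Roles, hosts,
addresses and ports below are constructed for the example.
"""
from __future__ import annotations
from typing import NamedTuple


class Rule(NamedTuple):
    src: str    # peer address in CIDR form, or "0.0.0.0/0" for anywhere
    proto: str
    port: int


# Policy (constructed): which source role may reach which role on which port.
# A "*" source marks an internet-facing service.
POLICY = {
    "lb":        {("*", "tcp", 443)},
    "app":       {("lb", "tcp", 8080)},
    "db-master": {("app", "tcp", 3306), ("db-slave", "tcp", 3306)},
    "db-slave":  {("db-master", "tcp", 3306)},
}
ADMIN_SRC = "10.0.0.0/8"   # constructed management network, SSH to every VM


def inbound_rules(host: str, inventory: dict[str, tuple[str, str]]) -> set[Rule]:
    """inventory maps hostname -> (role, ip). Return host's inbound allow-list."""
    role = inventory[host][0]
    rules = {Rule(ADMIN_SRC, "tcp", 22)}
    for src_role, proto, port in POLICY[role]:
        if src_role == "*":
            rules.add(Rule("0.0.0.0/0", proto, port))
            continue
        # one /32 rule per live peer of the permitted role
        for peer, (peer_role, peer_ip) in inventory.items():
            if peer_role == src_role and peer != host:
                rules.add(Rule(f"{peer_ip}/32", proto, port))
    return rules


def render_iptables(rules: set[Rule]) -> list[str]:
    """Render the allow-list as a default-drop INPUT chain (deterministic order)."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
    ]
    for r in sorted(rules):
        lines.append(f"iptables -A INPUT -p {r.proto} -s {r.src} --dport {r.port} -j ACCEPT")
    return lines


def provision(inventory: dict[str, tuple[str, str]], host: str, role: str, ip: str) -> list[str]:
    """Add a VM to the inventory; return the existing hosts whose rules changed."""
    before = {h: inbound_rules(h, inventory) for h in inventory}
    inventory[host] = (role, ip)
    return sorted(h for h in before if inbound_rules(h, inventory) != before[h])


if __name__ == "__main__":
    inv = {"lb-1": ("lb", "10.1.0.10"), "app-1": ("app", "10.1.0.20"),
           "db-1": ("db-master", "10.1.0.30")}
    print("re-push needed on:", provision(inv, "app-2", "app", "10.1.0.21"))
    print("\n".join(render_iptables(inbound_rules("db-1", inv))))
```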
Automate Policy Application
[Diagram: the same secured Virtual Machine stack (OS, App Framework, App Code, Data, FW) replicated across several VMs]
FULLY AUTOMATE
Separate Security Controls
[Diagram: the secured Virtual Machine stack, with DevOps and SecOps labelled]
The Secure, Automated Cloud
Wrapping Up
How To Secure Cloud Servers
Servers in hybrid and public clouds must be self-defending with highly automated controls like…
• Dynamic network access control
• Configuration and package security
• Server account visibility & control
• Server compromise & intrusion alerting
• Server forensics and security analytics
• Integration & automation capabilities
Summary
• There are people using cloud in your org…
• Cloud users often don’t understand security, and definitely don’t know their responsibility
• Cloud security is different, and hard
• The bad guys know this!
• Cloud has different points of control, leverage them!
Best Practices
• Know who is running what, and where
• Read and understand what your provider does, and what you are responsible for
• Take extra precautions when moving servers outside your data center
• Start with public cloud, after that everything is easy!
• Focus on securing what you control
Wrapping Up
• Continue the discussion – Slides available: community.cloudpassage.com
• Contact me – Email: [email protected] – Twitter: @randwacker
• We’re hiring! Expert in Security and/or Cloud? – Email: [email protected]
Thank You!
What does CloudPassage do?
Security for virtual servers running in public and private clouds
• Firewall Management
• Server Configurations
• Server account Management
• Compromise & intrusion alerting
• Security & compliance auditing
• Vulnerability Management
Cloud adoption without fear. Faster and easier compliance. Repel attacks on your servers. Free Basic version, 5 minutes setup.