Covering my IaaS: Security and Extending the Datacenter
Brian Bourne
Tadd Axon
About Us
• Tadd Axon – Holds a Bachelor of Business Administration with a minor in Spanish from Wilfrid Laurier University. Went to school with every intention of becoming an accountant (CMA, if you’re curious).
• Brian Bourne – A management guy still trying to be technical.
Cloud Basics
Cloud Defined
Software as a Service – SaaS
• Applications delivered to the consumer, running on the provider’s infrastructure.
• Used by business users for email, office automation, CRM, ERP, etc.
• IDC numbers: $993M in 2013 growing to $2.04B in 2017
Platform as a Service – PaaS
• A computing platform typically including operating system, programming language execution environment, database and web services.
• Used by developers and application providers.
• IDC numbers: $105M in 2013 growing to $554M in 2017
Infrastructure as a Service – IaaS
• The provisioning of processing, storage, networks or other fundamental computing resources on which the consumer can run arbitrary software.
• Used by IT administrators.
• IDC numbers: $62M in 2013 growing to $372M in 2017
* Also note that private hosted solutions were $170M in 2013 growing to $554M in 2017.
Cloud Defined
• Public: Shared services or resources provided by a third party and available to many participants or tenants.
  • Community Cloud – Participation limited to a specific demographic.
• Private: Cloud computing resources open to just the owner. Can be hosted on-premise or off.
• Hybrid: Cloud computing resources spread between your own systems and a third party’s resources.
Infrastructure as a Service Detailed
IaaS is three building blocks: Storage, Network, Compute
• All IaaS services fit into one of these buckets
• Operational SLAs backed by contract
• Certain levels of regulatory compliance and security backed by contract
Typical IaaS Deployment Scenarios
Extended Datacenter
• Treat the cloud provider like another one of your own datacenters
• Bottomless storage (NetApp, StorSimple, etc.)
• Backup (CommVault, Veeam, etc.)
• DR plans (Hot-Hot, Hot-Cold, Hyper-V Recovery Manager, VMware vCloud Hybrid Service)
Network
Network Architecture
• Networks are all virtual (software defined)
• Optional MPLS-like connectivity
• VPN connectivity
  • Site to Cloud
  • Multi-Site to Cloud
  • Point to Cloud
  • Cloud to Cloud (within cloud and cross-provider)
• Load balancing
• Traffic management
• Content Delivery Network *
Security Considerations
• Traditional “data in transit” concerns
• Traditional “end point attack vector” concerns
• Egress monitoring
• Traditional security zones that you have in your current DC are not simple to implement in the cloud
  • Getting progressively simpler
• Short list of supported on-premise hardware for VPN scenarios
  • Can always be made to work, but you had better understand IKE proposals and possibly BGP
Security Mitigations
• Manual ACLs on host or network layers, as supported
• Host-based controls such as IPS and local firewall
• Network isolation (varies by provider)
• Protect data in transit (VPN or host IPsec rules)
  • Pick your algorithms carefully
• Careful management of cloud-to-Internet gateways and endpoint mapping
Storage
Storage Architecture
• Bottomless pit of storage
  • How much do you want to spend (this billing cycle)?
• Highly available storage
  • Great for availability (varying degrees of redundancy)
  • Marginally increased attack surface
• At-rest protection:
  • Base physical-layer crypto by cloud provider
  • Managed destruction
  • Encryption of your data (file, blob, VHD, whatever) is another matter
• “All your storage are belong to API”
Security Considerations
• Access to tenant = (usually) unfettered access to storage
• Data sovereignty / regulatory requirements
  • Spoiler: Really a BC only problem
• Contract wording and commitments
• Data remnants, replicas and backups (who knows where they go)
Mitigations
• Management of API keys and certs is paramount
• Role-based access control models are evolving
• “Third party” products and services to encrypt workload data
  • Volume-level crypto
    • Leveraging O/S features or vendor-specific toolkits
  • Item-level crypto
    • Traditional encryption options
    • Digital rights management solutions
  • Application containerization
• Worry about:
  • Who has access to keys (on premise or in cloud)
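The item-level crypto and “who has access to keys” points above are usually answered together with envelope encryption: each object gets its own data key, that key is wrapped under a key-encryption key (KEK) that stays on premise, and only ciphertext plus the wrapped key are uploaded. The Go program below is an added example written for this page, not code from the talk or from any cloud provider; the StoredItem layout, the function names and the sample object are assumptions. It uses only the Go standard library (AES-GCM from crypto/cipher), binds the object name into the authenticated data so a blob that is renamed or swapped in storage is rejected, and shows that tenant-level storage access without the KEK yields nothing usable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredItem is the object as it would be uploaded to provider storage
// (assumed layout for this example): ciphertext of the payload plus its
// per-item data key, wrapped under a KEK that never leaves the tenant.
type StoredItem struct {
	Name       string // object name, bound into both AEADs as associated data
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, payload)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts plaintext under key with a fresh random nonce, binding
// aad (here the object name) so the blob cannot be re-labelled unnoticed.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// aeadOpen reverses aeadSeal; any change to nonce, ciphertext, tag or aad fails.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// EncryptItem generates a random 256-bit DEK for this object, encrypts the
// payload under it, and wraps the DEK under the tenant-held KEK.
func EncryptItem(kek []byte, name string, payload []byte) (StoredItem, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredItem{}, err
	}
	ct, err := aeadSeal(dek, payload, []byte(name))
	if err != nil {
		return StoredItem{}, err
	}
	wrapped, err := aeadSeal(kek, dek, []byte(name))
	if err != nil {
		return StoredItem{}, err
	}
	return StoredItem{Name: name, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptItem unwraps the DEK with the KEK, then decrypts the payload.
// With storage access only (no KEK), neither step is possible.
func DecryptItem(kek []byte, item StoredItem) ([]byte, error) {
	dek, err := aeadOpen(kek, item.WrappedDEK, []byte(item.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", item.Name, err)
	}
	return aeadOpen(dek, item.Ciphertext, []byte(item.Name))
}

func main() {
	// Constructed sample: a KEK held on premise and one object to upload.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	item, err := EncryptItem(kek, "hr/payroll-2013q3.csv", []byte("emp_id,salary\n1001,72000\n"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %q: %d ciphertext bytes, %d wrapped-key bytes\n",
		item.Name, len(item.Ciphertext), len(item.WrappedDEK))

	// Storage-side re-labelling (blob renamed or swapped) fails the AAD check.
	renamed := item
	renamed.Name = "hr/payroll-2013q4.csv"
	if _, err := DecryptItem(kek, renamed); err != nil {
		fmt.Println("renamed blob rejected:", err)
	}

	plain, err := DecryptItem(kek, item)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted on premise: %q\n", plain)
}
```

The design point is where the KEK lives: the provider’s physical-layer crypto protects against a lost disk, but a compromised tenant credential reads everything the provider can decrypt. Keeping the KEK on premise (or in an HSM the tenant controls) means the blast radius of “access to tenant” is ciphertext and wrapped keys, and rotating the KEK only means re-wrapping the small DEKs, not re-encrypting every object.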
Compute
Compute
• Virtual machines
  • Multiple OSes available
  • Some with pre-loaded software: DBMS, ERP, configuration management…
  • “Official” and “community” contributed images
  • Bring/brew your own image
• Virtual appliances
  • Load balancers, application proxies, firewalls
• Available in (nearly) any flavour and any size
Compute Considerations
• Who built that image?
• Who manages patch level?
• Traditional firewall solutions will not work
• Multiple network connections can be difficult or impossible
• VM-to-VM attacks and hypervisor-to-VM attacks
• “Normal” considerations for any internet-connected machine
• Provider-side attacks
  • Provider initiated
  • Fallout from a provider hack
Compute Mitigations
• “Normal” protections (AV, HIDS/HIPS, etc.)
• Host hardening is critical
• Domain isolation and network isolation
• Careful image management for VMs
• Service-level ACLs on VM endpoints
• End point monitoring
• Single NIC, WAF and reverse proxy solutions
Control Plane
Control Plane Realities
• Overall lack of granularity of delegation
  • Remember the Unix “all or nothing” problem?
• Major players are making moves to enable RBAC
  • “Maturing”
• Serious degree of trust required for cloud admin
• At the VM level, normal controls for O/S and application platform are still available
Summary
In Summary
• IaaS brings many advantages operationally
• IaaS also brings some security challenges
  • Some of these are old
  • Some of these are new
• The extended datacenter model makes “traditional” security good practices even more important
• Encryption becomes a more interesting proposition
• Key management practices become more critical
Questions & Answers
Contact Us:
• Tadd Axon – @grey_area
• Brian Bourne – @brianbourne
THE END