Practical Cloud Security
Agenda
• Background and Disclaimers
• Netflix in the Cloud
• Model-Driven Deployment Architecture
• APIs, Automation, and the Security Monkey
• Cloud Firewall and Connectivity Analysis
• Practical Cloud Security Gaps
Tuesday, October 11, 2011
Background and Disclaimers
• No cloud definitions, but . . .
• Focus on IaaS
• Netflix uses Amazon Web Services
• Guidance should be generally applicable
• Works in progress, still many problems to solve . . .
Netflix in the Cloud
Why is Netflix Using Cloud?
Netflix could not build data centers fast enough
Capacity requirements accelerating, unpredictable
Product launch spikes - iPhone, Wii, PS2, XBox
Outgrowing Data Center
http://techblog.netflix.com/2011/02/redesigning-netflix-api.html
[Chart: Netflix API: Growth in Requests; 37x Growth 1/10 - 1/11; label: Data center "Capacity"]
netflix.com is now ~100% Cloud
Remaining components being migrated
Netflix Model-Driven Architecture
Data Center Patterns
• Long-lived, non-elastic systems
• Push code and config to running systems
• Difficult to enforce deployment patterns
• ‘Snowflake phenomenon’
• Difficult to sync or reproduce environments (e.g. test and prod)
Cloud Patterns
• Ephemeral nodes
• Dynamic scaling
• Hardware is abstracted
• Orchestration vs. manual steps
• Trivial to clone environments
When Moving to the Cloud, Leave Old Ways Behind . . .
Generic forklift is generally a mistake
Adapt development, deployment, and management models appropriately
Netflix Build and Deploy
http://techblog.netflix.com/2011/08/building-with-legos.html
• Perforce - SCM
• Jenkins - Continuous Integration
• Artifactory - Binary Repository
• Yum - App-Specific Packages and Configuration
• Bakery - Combine Base and App-Specific Configuration
• AMI - Customized, Cloud-Ready Image
• ASG - Dynamic Scaling
• Instance - Live System!
Every change is a new push
Results
• No changes to running systems
• No CMDB
• No systems management infrastructure
• Fewer logins to prod systems
Impact on Security
• File integrity monitoring
• User activity monitoring
• Vulnerability management
• Patch management
APIs, Automation, and the Security Monkey
Common Challenges for Security Engineers
• Lots of data from different sources, in different formats
• Too many administrative interfaces and disconnected systems
• Too few options for scalable automation
Enter the Cloud . . .
How do you . . .
• Add a user account? - CreateUser()
• Inventory systems? - DescribeInstances()
• Change a firewall config? - AuthorizeSecurityGroupIngress()
• Snapshot a drive for forensic analysis? - CreateSnapshot()
• Disable a multi-factor authentication token? - DeactivateMFADevice()
Security Monkey
http://techblog.netflix.com/2011/07/netflix-simian-army.html
• Leverages cloud APIs
• Centralized framework for cloud security monitoring and analysis
• Certificate and cipher monitoring
• Firewall configuration checks
• User/group/policy monitoring
Cloud Firewall and Connectivity Analysis
Analyzing Traditional Firewalls
• Positioned at network chokepoints, providing optimal internetwork visibility
• Use tools like tcpdump, NetFlow, centralized logging to gather data
• Review traffic patterns and optimize
AWS Firewalls (Briefly)
• “Security Group” is unit of measure for firewalling
• Policy-driven and network-agnostic, configuration follows an instance
• Network diagram irrelevant
• Chokepoints and sniffing are not possible
• Outbound connections not filterable (!)
Security Group Analysis
• Use config and inventory to map reachability
• Leverage APIs to evaluate reachability and detect violations:
  • Security groups with no members
  • “Insecure” services (e.g. Telnet, FTP)
  • Rules that use “any” keyword
• Visualize config into data flow diagram
Reachability & Violation Analysis
Connectivity Analysis
• Reachability shows what “can” communicate
• What about what is communicating?
• Take same approach, leverage APIs for firewall and inventory and combine with host data
• Visualize data into connectivity diagram
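The Security Group Analysis checks (groups with no members, “insecure” services, rules using “any”, reachability mapped from config plus inventory) and the Connectivity Analysis step that joins firewall and inventory data with host data, worked through as an added example. This is not Security Monkey's code and not material from the talk; it is a self-contained Python script written for this transcript. The security groups, instances and observed flows are constructed inline and only mirror the shape of the EC2 DescribeSecurityGroups and DescribeInstances responses; the group ids, addresses, ports and flows are invented. It goes one step beyond the slides by also reporting group-to-group rules that no observed traffic exercised, which is the tightening opportunity a connectivity diagram is meant to surface.

```python
"""Security-group reachability, violation and connectivity analysis (added example,
not Security Monkey's code). Inputs are constructed and only mirror the shape of
EC2 DescribeSecurityGroups / DescribeInstances; flows stand in for host data."""
from collections import defaultdict

ANY_CIDR = "0.0.0.0/0"
INSECURE_PORTS = {21: "FTP", 23: "Telnet"}  # cleartext services the talk calls out

# Constructed firewall config (shape follows DescribeSecurityGroups).
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_CIDR}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-api", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
         "IpRanges": [{"CidrIp": ANY_CIDR}], "UserIdGroupPairs": []}]},
]
# Constructed inventory (shape follows DescribeInstances, reservations flattened).
INSTANCES = [
    {"InstanceId": "i-web1", "PrivateIpAddress": "10.0.1.10",
     "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-api1", "PrivateIpAddress": "10.0.2.10",
     "SecurityGroups": [{"GroupId": "sg-api"}]},
]
# Constructed host data: (source instance, destination IP, destination port).
OBSERVED_FLOWS = [("i-web1", "10.0.2.10", 8080), ("i-web1", "10.0.2.10", 9090)]


def group_members(instances):
    """Inventory side: GroupId -> set of InstanceIds carrying that group."""
    members = defaultdict(set)
    for inst in instances:
        for sg in inst["SecurityGroups"]:
            members[sg["GroupId"]].add(inst["InstanceId"])
    return members


def reachability(groups):
    """Config side: permitted edges (source, destination GroupId, port).
    source is a CIDR or a GroupId; port -1 means all traffic (IpProtocol -1)."""
    edges = set()
    for g in groups:
        for perm in g["IpPermissions"]:
            lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
            for port in range(lo, hi + 1):
                for r in perm["IpRanges"]:
                    edges.add((r["CidrIp"], g["GroupId"], port))
                for p in perm["UserIdGroupPairs"]:
                    edges.add((p["GroupId"], g["GroupId"], port))
    return edges


def violations(groups, instances):
    """The three checks from the talk, as sorted (GroupId, reason) findings."""
    members = group_members(instances)
    findings = set()
    for g in groups:
        gid = g["GroupId"]
        if not members.get(gid):
            findings.add((gid, "no members"))
        for src, _, port in reachability([g]):
            if port in INSECURE_PORTS:
                findings.add((gid, f"insecure service {INSECURE_PORTS[port]} on port {port}"))
            if src == ANY_CIDR:
                findings.add((gid, f"'any' source on port {port}"))
    return sorted(findings)


def connectivity(groups, instances, flows):
    """Join what IS talking (host data) with what CAN (reachability). Returns
    (explained, unexplained, unused): explained flows match a group-to-group rule,
    unexplained flows match none (stale inventory, external destination, or an
    attempt the destination dropped), unused group-to-group rules saw no traffic
    and are candidates for tightening. CIDR rules are external and left out."""
    by_id = {i["InstanceId"]: i for i in instances}
    by_ip = {i["PrivateIpAddress"]: i for i in instances}
    edges, seen, explained, unexplained = reachability(groups), set(), [], []
    for src_inst, dst_ip, port in flows:
        src_groups = [s["GroupId"] for s in by_id[src_inst]["SecurityGroups"]]
        dst_groups = [s["GroupId"] for s in by_ip.get(dst_ip, {"SecurityGroups": []})["SecurityGroups"]]
        matches = {(s, d, port) for s in src_groups for d in dst_groups} & edges
        if matches:
            explained.extend(sorted(matches))
            seen |= matches
        else:
            unexplained.append((src_inst, dst_ip, port))
    group_ids = {g["GroupId"] for g in groups}
    unused = sorted(e for e in edges if e[0] in group_ids and e not in seen)
    return explained, unexplained, unused


if __name__ == "__main__":
    print(*violations(SECURITY_GROUPS, INSTANCES), sep="\n")
    print(connectivity(SECURITY_GROUPS, INSTANCES, OBSERVED_FLOWS))
```

Run directly, the script lists five findings (the Telnet rule on sg-api, the empty sg-legacy group with its FTP-from-anywhere rule, and the 443-from-anywhere rule on sg-web) and then shows the one observed flow the config explains, the one it does not, and the Telnet rule that nothing used. The constructed dictionaries can be replaced with real DescribeSecurityGroups and DescribeInstances output of the same shape; the host-side flow records are the part each environment has to collect itself, since, as the talk notes, there is no chokepoint to sniff.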
‘Practical’ Cloud Security Gaps
Common Security Product Model
• Examples - AV, FIM, etc.
• “Management” station with client “nodes”
• Limited tagging or abstraction
• Strong “manager” and “managed” model
• Push and pull approaches
• Per node licensing
Tuesday, October 11, 2011
“Thundering Herd”
• Mass deployments
• “Red/Black” push: concurrent clusters of 500+ nodes
• Elasticity driven by traffic spikes
• Licensing constraints
Node Ephemerality and Service Abstraction
• Data related to individual nodes becomes less important
• Dealing with short-lived systems, IP and ID reuse
• Event and log archives and data relationships
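The IP-reuse problem above, worked as an added example that is not part of the talk: an archived log line names only an IP, so it is joined against an instance lifetime history (constructed here, with hypothetical instance ids) to recover which instance, and which service group, actually held that address at that moment.

```python
from datetime import datetime

# Constructed inventory history (hypothetical ids): one row per instance lifetime,
# as you would rebuild it from periodic inventory snapshots. Two instances in
# different service groups reuse the same private IP a few minutes apart.
LIFETIMES = [
    ("i-0a11", "10.0.2.10", "sg-api", "2011-10-11T08:00:00", "2011-10-11T10:30:00"),
    ("i-0b22", "10.0.2.10", "sg-batch", "2011-10-11T10:35:00", None),  # still running
]
# Constructed log lines that identify the client only by IP address.
LOGS = [
    "2011-10-11T09:15:00 src=10.0.2.10 action=get_accounts",
    "2011-10-11T11:00:00 src=10.0.2.10 action=get_accounts",
]

def resolve(ip, ts, lifetimes=LIFETIMES):
    """Return the instance and group that held `ip` at time `ts`, or None.

    The end bound is exclusive; a None end means the instance is still alive."""
    t = datetime.fromisoformat(ts)
    for inst, addr, grp, start, end in lifetimes:
        if addr != ip:
            continue
        alive = datetime.fromisoformat(start) <= t
        alive = alive and (end is None or t < datetime.fromisoformat(end))
        if alive:
            return {"instance": inst, "group": grp}
    return None

def enrich(lines, lifetimes=LIFETIMES):
    """Attach the resolved instance/group to each log line (None when unresolvable)."""
    out = []
    for line in lines:
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        out.append((line, resolve(fields["src"], ts, lifetimes)))
    return out
```

Without the time dimension both lines would be attributed to the same node; with it, the second line is correctly tied to a batch instance, and a timestamp falling between lifetimes resolves to nothing rather than to the wrong node.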
Resource Usage Logging and Auditing
• Public-facing APIs make access controls more difficult and more important
• Programmable infrastructure needs robust logging and auditing capabilities
• Can metering data be repurposed?
Identity Integration
• Federation use cases
• On-instance credentials
“Trusted Cloud”
• Various components related to providing higher assurance/trust levels in the cloud
• Virtual TPM / hardware root of trust
• Controlled execution
• HSM in the cloud
References
• http://www.slideshare.net/adrianco
• http://aws.amazon.com
• http://techblog.netflix.com
• http://nordsecmob.tkk.fi/Thesisworks/Soren%20Bleikertz.pdf
• https://cloudsecurityalliance.org/
• http://www.nist.gov/itl/cloud/index.cfm