Dave Asprey of Trend Micro discusses how to improve security in cloud-based applications
Copyright 2009 Trend Micro Inc.
Encryption in the public cloud: Security techniques
Dave Asprey • VP Cloud Security
@daveasprey (cloud + virtual security tweets)
Your speaker
Dave Asprey, VP, Cloud Security, Cloud & Virtualization
[email protected] | @daveasprey | cloudsecurity.trendmicro.com | Linkedin.com/in/asprey
Background:
Blue Coat – VP Technology
Citrix – Strategic Planning, Virtualization Business
Netscaler – Dir PM
Exodus/Savvis – Dir PM & Strategy exec
Speedera/Akamai – Sr. Dir PM
3Com – Web IT guy
UC Santa Cruz – Ran Web & Internet Engineering Program
Author, PWC Tech Forecast: Systems & Network Mgt + Scaling
Data Privacy Concerns in the Cloud
Data is stored in plain text
Virtual volumes can move without the owner's knowledge
Little ability to audit or monitor access to resources or data
Hypervisors and storage are shared with other users
Storage devices contain residual data
Amazon Web Services™ Customer Agreement
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly,
without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security,
protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption
technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you
use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption,
deletion, destruction or loss of any of Your Content or Applications.
Translation: If it gets hacked, it’s your fault.
http://aws.amazon.com/agreement/#7 (23 November 2010)
Security: the #1 Cloud Challenge
Security and privacy rank higher than performance, immaturity and regulatory compliance combined
Gartner (April 2010)
Use encrypted, self-defending hosts
(Diagram: Internet, firewall, virtual servers, shared storage)
Shared firewall – lowest common denominator – less fine-grained control
Shared network inside the firewall
Multiple customers on one physical server – potential for attacks via the hypervisor
Shared storage – is customer segmentation secure against attack?
Easily copied machine images – who else has your server?
Doesn’t matter – the edge of my virtual machine is protected
Doesn’t matter – treat the LAN as public
Doesn’t matter – they can start my server but only I can unlock my data
Doesn’t matter – my data is encrypted
Advice
Encrypt network traffic
Use only encrypted file systems for block devices
Encrypt everything in shared storage
Only allow decryption keys to enter the cloud during decryption
The only authentication credential held in a VM is the key that decrypts the file system key
More advice
At instance startup, fetch encrypted file system key
No password-based authentication for shell access
No allowed passwords for sudo access (!)
Make regular backups off-cloud
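The key hierarchy behind the two points above (the wrapped file system key is fetched at instance start-up, and the only credential that ever enters the VM is the one that unwraps it), as an added illustration that is not part of the deck or Trend Micro's code. The credential value, the storage dictionary and the cipher are all assumptions: the cipher is a standard-library stand-in (HMAC-SHA256 keystream with an HMAC tag) so the script runs anywhere, where a real volume would use LUKS/dm-crypt and a real key-wrap AES-GCM or RFC 3394.

```python
"""
Envelope-style key hierarchy for an encrypted cloud volume (constructed example).

  1. A random filesystem key (FSK) encrypts the block device.
  2. Only the wrapped (encrypted) FSK is stored in the cloud.
  3. At instance start-up the boot credential is presented, stretched into a
     key-encryption key (KEK), used to unwrap the FSK, and then discarded.
"""
import hashlib
import hmac
import os
import secrets

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(kek: bytes, label: bytes) -> bytes:
    # Separate confidentiality and integrity keys derived from the one KEK.
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a PRF keystream (stand-in for a real cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_key(kek: bytes, fsk: bytes) -> bytes:
    """Encrypt-then-MAC the FSK under the KEK; the result is safe to keep in cloud storage."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(fsk, _keystream(_subkey(kek, b"enc"), nonce, len(fsk))))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Check the tag before using the ciphertext; a wrong KEK or a tampered blob raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapped filesystem key failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(kek, b"enc"), nonce, len(ct))))


def derive_kek(credential: bytes, salt: bytes) -> bytes:
    """The boot credential is the single secret presented to the VM; stretch it into a KEK."""
    return hashlib.pbkdf2_hmac("sha256", credential, salt, 100_000, KEY_LEN)


def provision_volume(credential: bytes):
    """Run once, off-cloud. Returns (what may live in the cloud, the FSK used to format the volume)."""
    salt = os.urandom(16)
    fsk = secrets.token_bytes(KEY_LEN)          # random key for the block device
    wrapped = wrap_key(derive_kek(credential, salt), fsk)
    return {"salt": salt, "wrapped_fsk": wrapped}, fsk


def boot_unlock(credential: bytes, stored: dict) -> bytes:
    """Instance start-up: fetch the wrapped key, unwrap it with the credential, hand the FSK to the volume driver."""
    kek = derive_kek(credential, stored["salt"])
    fsk = unwrap_key(kek, stored["wrapped_fsk"])
    del kek                                      # needed only for this step
    return fsk


if __name__ == "__main__":
    cred = b"boot-credential-never-stored-in-the-cloud"   # constructed value
    stored, fsk = provision_volume(cred)
    assert boot_unlock(cred, stored) == fsk
    print("unlocked; stored blob starts", stored["wrapped_fsk"].hex()[:32], "...")
```

The plaintext FSK exists off-cloud at provisioning time and in VM memory after a successful unlock; the cloud only ever holds salt plus wrapped key, so a copied machine image or snapshot carries nothing that decrypts the volume without the boot credential.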
Even more advice
Minimize # of services per VM instance (goal = 1)
Only open ports you need
Specify source addresses & only allow HTTP global access
Keep sensitive data in a separate database
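A configuration check covering the shell-access rule from the previous slide (no password-based authentication) and the port rules above (open only needed ports, name source addresses, allow global access only to HTTP/HTTPS). This is an added example, not the deck's or Trend Micro's code; the sshd_config text and the firewall rule list are constructed inputs, and the rule dictionary shape (proto, from_port, to_port, source) is an assumption rather than any cloud provider's API.

```python
"""
Host exposure audit (constructed example): sshd_config settings and firewall rules.
"""
import ipaddress
from typing import Dict, List

# OpenSSH defaults that apply when an option is absent from the file.
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}
# Values that satisfy "no password-based authentication for shell access".
SSHD_ACCEPTABLE = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},   # keyboard-interactive can relay passwords via PAM
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
}
WEB_PORTS = {80, 443}   # the only ports that may be reachable from anywhere


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global settings: first occurrence wins (as sshd does); Match blocks are not evaluated."""
    effective = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "challengeresponseauthentication":   # older name for the same option
            key = "kbdinteractiveauthentication"
        if key == "match":
            break
        if key in seen or len(parts) < 2:
            continue
        seen.add(key)
        effective[key] = parts[1].strip().lower()
    return effective


def audit_sshd(text: str) -> List[str]:
    eff = parse_sshd_config(text)
    return [f"sshd: {k} is '{eff[k]}', expected one of {sorted(v)}"
            for k, v in SSHD_ACCEPTABLE.items() if eff[k] not in v]


def audit_rules(rules: List[dict]) -> List[str]:
    """Flag world-reachable non-web ports and rules that open every port."""
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r["source"], strict=False)
        ports = range(r["from_port"], r["to_port"] + 1)
        desc = f"{r['proto']} {r['from_port']}-{r['to_port']} from {r['source']}"
        if len(ports) >= 65535:
            findings.append(f"fw: {desc} opens every port; list only the ports the service needs")
        if net.prefixlen == 0 and not all(p in WEB_PORTS for p in ports):
            findings.append(f"fw: {desc} is reachable from anywhere; restrict to named source addresses")
    return findings


# Constructed sample inputs.
SAMPLE_SSHD_CONFIG = """
# constructed sshd_config
PermitRootLogin prohibit-password
PasswordAuthentication yes
PasswordAuthentication no      # ignored: sshd keeps the first value
ChallengeResponseAuthentication no
"""
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": 80,   "to_port": 80,    "source": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 443,  "to_port": 443,   "source": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 22,   "to_port": 22,    "source": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 22,   "to_port": 22,    "source": "203.0.113.0/24"},
    {"proto": "tcp", "from_port": 5432, "to_port": 5432,  "source": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 0,    "to_port": 65535, "source": "10.0.0.0/8"},
]


def audit_host() -> List[str]:
    return audit_sshd(SAMPLE_SSHD_CONFIG) + audit_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for f in audit_host():
        print(f)
```

The sample deliberately shows the first-occurrence trap: the second PasswordAuthentication line looks like a fix but sshd ignores it, so the audit still reports password logins enabled. On the firewall side the world-open SSH and database ports and the all-ports rule are reported, while the same SSH port limited to one source network passes.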
Final advice
Use host-based intrusion detection system
Use system hardening tools
Write better applications!
Thank You. Questions?
Dave Asprey
VP Cloud Security
@daveasprey
cloudsecurity.trendmicro.com
Props to: George Reese & O’Reilly Blog