Cloud Security Practices and Principles
Joan Pepin, Director of Security
Sumo Logic
Who are you?
Director of Security, Sumo Logic
Director of Research, Dell/SecureWorks
– 9 years MSSP
Technical Staff, MIT LL
Sumo Logic 2
The Public Cloud is
An opportunity to simplify and increase security
– Through automation
– And solid design principles
Misunderstood
– Risk model vs. hosting
– Risk model vs. other public utility models
A victim of FUD
– Take time to examine it?
– Or DOOM?
Why the Bad Rap?
Fearing what you do not understand is reasonable from an IT perspective, but this is worth the time to understand
– I see anti-cloud policies
– With no solid risk assessment behind them
Is this technological conservatism?
– Which is common and natural in security
– But can lead to out-of-sync security postures
Or an emotional reaction?
– Don't move my cheese
– Get off of my cloud!
Old World / New World
You have people on your staff who know way too much about wattage, BTUs, rack density and exactly how raised the floor needs to be
– Limits your thinking
– Causes gaps
The new world is very different
– Scripts and capacity-planning spreadsheets -> feedback loops/auto-scaling
– 36-month refresh cycles -> bids for spot instances
– Physical control -> process, automation, and design
Design Design Design
In the cloud you have the tools to design, implement and refine your policies, controls and enforcement in a centralized fashion
– Your code is your infrastructure
– Your SDLC can now be brought to bear on areas traditionally out of sync with your security posture
Scale to massive sizes without having to worry about things like firewall rule ordering, optimization or audit as part of your operational cycle
– Your security will become fractal, and embedded in every layer of your system
Fundamentals
You are operating in a complete information environment
– Like the internet
– Or the PSTN
It's all about the fundamentals of system thinking and design
– I/O
– Storage
– RAM
– Compute
– Code
Minimalism
Each of those must be thought of on its own and in combination with the other components it interacts with
– And you have the tools to do that
– With infrastructure as code
It is both that simple and that complicated
– So design your security in at every layer
– Test it, instrument it, and iterate it
The Primitives
Data
– Encrypted at rest, in motion, and in use
Access control
– Monitoring tools, third-party apps, troubleshooting tools
Interfaces/APIs
– Clean, minimal, authenticated, validated
I/O, memory, storage, and compute
– Encrypted, limited, controlled
With Automation, All Things are Possible
Thinking of your entire infrastructure as part of your code base changes the game completely
– Always in pace
– Always relevant
There is no longer a gap or disconnect between the operational physical layer and the software that runs on top of it
– Firewalls everywhere?
– HIPS everywhere?
Adaptive security infrastructure
Like What?
Register all of your VMs, services, IPs, and ports
– Automatically build firewall policies based on that
Re-build and distribute SSL/TLS keys
– Whenever you want
HIDS, host firewall and file integrity checkers configured from instance tags
– Tags for lots of things
Everything unit tested
– Allowing security to keep up with your product
DTRT (Do The Right Thing)
Your system has I/O, storage, memory and network underneath it, as well as your software components
– And you can control and iterate that continuously
– Leveraging IaaS providers' APIs
Think about every place that information is exchanged, transferred or transformed and do the right thing there
– Engage the developers
– Check in code
Understand Everything
Simplicity gives you the power to understand everything
– Every protocol
– Every interface
If you want to achieve true and full Default Deny on everything, everywhere, this is where it starts
– Understand your protocols
– Understand your stack
And you can attain emergent security
– Develop and follow standards
How?
If this is input, sanitize it. If it is storage, network or memory, encrypt it. If it is output you are feeding back to your customer or another component, sanitize that too.
Don't trust client-side verification; enforce everything at every layer…
Default Deny Nirvana
Allow only expected connections
Front-end web applications need to accept connections from anyone in the world
– (but it's more likely only your load balancer does)
As part of your infrastructure-as-software design
– Know what needs to talk to what
• on what port and under what circumstances
– And only allow that
• everything else is bit-bucketed and alerted on
In software-driven, cloud-based deployments, there is no longer any excuse for any other way of doing it
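The "register everything, generate the firewall policy from it, unit test it, alert on the rest" idea from the last two slides, as an added example that is not from the deck: the registry (service names, addresses, ports and permitted callers) and the flow records are constructed, and the policy is a plain Python model rather than any provider's security-group API.

```python
import ipaddress
from collections import namedtuple
Service = namedtuple("Service", "name ip port allowed_from")  # allowed_from: caller names or "internet"

# Constructed registry: every VM/service, its IP and port, and who may talk to it
REGISTRY = [
    Service("lb", "10.0.0.10", 443, ("internet",)),
    Service("web", "10.0.1.20", 8080, ("lb",)),
    Service("db", "10.0.2.30", 5432, ("web",)),
]

def build_policy(registry):
    """Generate the explicit allow rules (src_cidr, dst_cidr, port); anything else is denied."""
    by_name = {s.name: s for s in registry}
    rules = []
    for svc in registry:
        for src in svc.allowed_from:
            src_cidr = "0.0.0.0/0" if src == "internet" else by_name[src].ip + "/32"
            rules.append((src_cidr, svc.ip + "/32", svc.port))
    return rules

def evaluate(rules, src_ip, dst_ip, port):
    """Default deny: 'allow' only on an explicit rule match, otherwise 'deny+alert'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_cidr, dst_cidr, rport in rules:
        if src in ipaddress.ip_network(src_cidr) and dst in ipaddress.ip_network(dst_cidr) and port == rport:
            return "allow"
    return "deny+alert"

def audit_flows(rules, flows):
    """Return the flows the policy bit-buckets; these are the ones to alert on."""
    return [f for f in flows if evaluate(rules, *f) != "allow"]

def policy_unit_test(registry):
    """CI check: an internal service answers only to its declared callers, nothing else."""
    rules = build_policy(registry)
    for svc in registry:
        if "internet" in svc.allowed_from:
            continue  # public entry points are reachable from anywhere by design
        for other in registry:
            if other.name != svc.name and other.name not in svc.allowed_from:
                assert evaluate(rules, other.ip, svc.ip, svc.port) == "deny+alert", (other.name, svc.name)
    return True
# Constructed flow records (src, dst, port) as a firewall log might show them
FLOWS = [
    ("203.0.113.5", "10.0.0.10", 443),   # internet -> lb: expected
    ("10.0.0.10", "10.0.1.20", 8080),    # lb -> web: expected
    ("203.0.113.5", "10.0.1.20", 8080),  # internet straight to web, bypassing the lb: alert
    ("10.0.1.20", "10.0.2.30", 22),      # web -> db on an unregistered port: alert
]
```

Because the policy is derived from the registry, adding a service or a caller there regenerates the rules and re-runs the same test, which is what lets the security posture keep pace with the product.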
Encrypt it all…
You know… like we do… on the Internet ;)
At rest, in motion, and in use
– Any data that is ephemeral can be kept on encrypted ephemeral storage, and the keys can simply be kept in memory
– When the instance dies, the key dies with it
Longer-lived data should be stored away from the keys that secure it
– If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool