Managing Cloud Security: Intrusion Detection in Public Cloud Environments

Cloud Security Topics: Network Intrusion Detection for Amazon EC2


DESCRIPTION

With the rapid growth of online commerce, the challenge to secure and monitor internal and customer-facing websites, card processing systems and other critical infrastructure has never been greater. Deploying full-featured intrusion detection in a public cloud has been challenging: the network models and multi-tenancy of public clouds do not make deep network services easy to deploy. Misha Govshteyn, VP of Emerging Products at Alert Logic, will present a new approach for an IDS solution in a public cloud.


Page 1: Cloud Security Topics: Network Intrusion Detection for Amazon EC2

Managing Cloud Security: Intrusion Detection in Public Cloud Environments

Page 2

Introduction

• About the presenter
  − Misha Govshteyn
  − Founder & VP of Emerging Products at Alert Logic

• Our topic today:
  − Deploying Network Intrusion Detection technologies in the Amazon EC2 environment

Page 3

Datapipe Cloud Services Stack


Page 4

Comprehensive Security


“Strong security controls are a requirement for many mission-critical IT workloads. Customers demand that service providers address security as they move IT infrastructure to fully elastic public cloud environments”

- Joel Friedman, Datapipe CSO


IDS

Two-Factor Authentication

Vulnerability Scanning

Integrity Monitoring

Configuration Assessment (Tripwire)

Firewall

Antivirus

Web Application Firewall

TDE – Transparent Data Encryption

Page 5


Why detect intrusions?

Do you want to know if your webservers are making connections to botnet command & control servers?

Do you want to know if someone is running a vulnerability scan on you without your knowledge?

Do you trust that your development teams and software vendors have eliminated 100% of SQL injection or other common attacks?
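The three questions above map onto three concrete detections. The block below is an added example (not Alert Logic's or Datapipe's detection logic) that runs each one over constructed sample data: SQL injection in web server access-log lines, outbound connections to an address on a threat list standing in for botnet command and control, and a port sweep from a single source. The log lines, flow records, the `KNOWN_C2` list (a TEST-NET-3 documentation address) and the thresholds are all constructed for the example. Note that the injection on the second log line is detected even though the server answered 200 to a harmless boolean probe: an IDS reports the attempt, and whether it succeeded is context for the analyst.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample data for the example. 203.0.113.9 is a documentation
# address (TEST-NET-3) standing in for a botnet C2 server on a threat list.
KNOWN_C2 = {"203.0.113.9"}

WEB_LOG = [
    '10.0.1.5 - - [01/Nov/2011:10:00:01 +0000] "GET /product?id=42 HTTP/1.1" 200 512',
    "10.0.1.5 - - [01/Nov/2011:10:00:02 +0000] \"GET /product?id=42'%20OR%20'1'='1 HTTP/1.1\" 200 8192",
    '10.0.1.5 - - [01/Nov/2011:10:00:03 +0000] "GET /product?id=42%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 500 0',
]

# Constructed flow records: (ts, src, dst, dport, proto)
FLOWS = [
    (100, "10.0.1.20", "198.51.100.7", 443, "tcp"),   # ordinary outbound HTTPS
    (101, "10.0.1.20", "203.0.113.9", 6667, "tcp"),   # web server talking IRC to a listed C2 host
    (102, "10.0.1.21", "203.0.113.9", 443, "tcp"),    # C2 over 443 is still C2
    (105, "10.0.1.5", "10.0.1.20", 80, "tcp"),        # a normal client
] + [
    (110 + i, "192.0.2.66", "10.0.1.20", port, "tcp")  # one source sweeping 12 ports in 12 seconds
    for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080))
]

# Common-log-format: client, ident, user, [timestamp], "method url version", status
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')

# A small signature set; matching is done on the URL-decoded request so that
# %20 / %27 encoding does not hide the payload.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),  # ' OR '1'='1 (boolean probe)
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),      # UNION SELECT data extraction
    re.compile(r";\s*(drop|delete|insert|update)\b", re.I),    # stacked statements
    re.compile(r"(--|#|/\*)\s*$"),                             # trailing SQL comment
]


def detect_sqli(lines):
    """Flag access-log requests whose decoded URL matches an injection signature."""
    alerts = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not an access-log line; an IDS would count these as parse errors
        src, ts, method, url, status = m.groups()
        decoded = unquote_plus(url)
        for pat in SQLI_PATTERNS:
            if pat.search(decoded):
                alerts.append({"sig": "sqli", "src": src, "ts": ts,
                               "url": decoded, "status": int(status)})
                break
    return alerts


def detect_c2(flows, c2_list=KNOWN_C2):
    """Flag any flow whose destination is on the C2 list, whatever the port."""
    return [{"sig": "c2", "src": src, "dst": dst, "dport": dport, "ts": ts}
            for ts, src, dst, dport, proto in flows if dst in c2_list]


def detect_scans(flows, window=60, threshold=10):
    """Flag a source that touches >= threshold distinct ports on one host
    within any window of `window` seconds (a vertical port scan)."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= threshold:
            alerts.append({"sig": "portscan", "src": src, "dst": dst, "distinct_ports": best})
    return alerts


def run_all():
    """Every alert the three detectors raise on the constructed data."""
    return detect_sqli(WEB_LOG) + detect_c2(FLOWS) + detect_scans(FLOWS)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

The scan detector deliberately works per (source, destination) pair with a sliding window rather than a per-source counter, so a busy load balancer that legitimately opens many connections to one port is not mistaken for a scanner, while a slow sweep that stays inside the window still trips it.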

Page 6


Broad Cloud Adoption: Inhibitors

Page 7

Public Cloud Security Complexity

Security solutions must be built specifically for public cloud


PUBLIC CLOUD SECURITY

REQUIREMENTS

elastic scaling

management automation

self-service provisioning

third-party ownership

managed operations

utility pricing

Traditional “Big Box” Security Appliances are Dead

Page 8


AWS environment challenges

• Lack of network introspection facilities such as SPAN
• Ephemeral networking means IP addresses cannot be used as host identifiers
• Services must be tightly coupled to provisioning systems via API to support auto-scaling and role-based management

Building a scalable security cloud service requires new solutions specifically designed to operate in cloud environments
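The second and third challenges are two sides of the same problem: an IDS alert carries an IP address, but in EC2 that address identifies whichever instance held it at that moment, and the monitoring service only knows which instance that was if it is fed by the provisioning system. The block below is an added example (not the Alert Logic or Datapipe implementation) of a time-aware host registry that ingests constructed launch/terminate events, resolves an alert's IP to the instance ID and role that owned it at the alert's timestamp, and keeps the current set of protected hosts up to date as the group scales; it also covers the later "auto-scaling by tracking IP addresses of protected hosts" point. The `HostRegistry` class, the event format and the instance IDs are assumptions; a real deployment would fill the event stream from the provider's instance-description API.

```python
from collections import defaultdict

# Constructed provisioning events: (ts, event, instance_id, ip, role).
# 10.0.1.20 is released by a web node at t=400 and handed to a database node
# at t=450, the address reuse that makes a bare IP useless as a host identity.
EVENTS = [
    (100, "launch", "i-0a1", "10.0.1.20", "web"),
    (100, "launch", "i-0a2", "10.0.1.21", "web"),
    (400, "terminate", "i-0a1", "10.0.1.20", "web"),
    (450, "launch", "i-0b7", "10.0.1.20", "db"),
]


class HostRegistry:
    """Maps (ip, time) -> (instance_id, role) from provisioning events.

    Each IP keeps a list of leases [start, end) so that an alert timestamp
    resolves to the instance that actually held the address at that moment,
    not whichever instance holds it when the analyst looks.
    """

    def __init__(self):
        self._leases = defaultdict(list)   # ip -> [(start, end, instance_id, role), ...]
        self.protected = {}                # instance_id -> (ip, role) for live instances

    def ingest(self, events):
        open_leases = {}
        for ts, kind, iid, ip, role in sorted(events):
            if kind == "launch":
                open_leases[iid] = (ts, ip, role)
                self.protected[iid] = (ip, role)       # auto-scaling: start monitoring it
            elif kind == "terminate":
                start, ip, role = open_leases.pop(iid)
                self._leases[ip].append((start, ts, iid, role))
                self.protected.pop(iid, None)          # stop expecting traffic from it
            else:
                raise ValueError(f"unknown event {kind!r}")
        for iid, (start, ip, role) in open_leases.items():
            self._leases[ip].append((start, float("inf"), iid, role))
        for leases in self._leases.values():
            leases.sort()

    def resolve(self, ip, ts):
        """Instance that owned `ip` at time `ts`, or None if nothing did."""
        for start, end, iid, role in self._leases.get(ip, ()):
            if start <= ts < end:
                return iid, role
        return None

    def protected_ips(self):
        """Addresses the taps and IDS should currently be watching."""
        return {ip for ip, _ in self.protected.values()}


def enrich(alert, registry):
    """Attach a stable host identity to an IDS alert keyed by source IP.

    An alert whose address maps to no instance at that time is kept, not
    dropped: it is exactly the kind of event (stale address, traffic from a
    host the provisioning feed never told us about) an analyst needs to see.
    """
    hit = registry.resolve(alert["src"], alert["ts"])
    if hit is None:
        return dict(alert, instance_id=None, role=None,
                    note="no protected instance owned this address at alert time")
    iid, role = hit
    return dict(alert, instance_id=iid, role=role)


def demo():
    """Constructed alerts from the same address before and after it was reused."""
    reg = HostRegistry()
    reg.ingest(EVENTS)
    alerts = [
        {"sig": "c2", "src": "10.0.1.20", "ts": 200},   # while the web node held it
        {"sig": "c2", "src": "10.0.1.20", "ts": 420},   # the gap: nobody held it
        {"sig": "c2", "src": "10.0.1.20", "ts": 500},   # after the db node took it
    ]
    return reg, [enrich(a, reg) for a in alerts]


if __name__ == "__main__":
    _, enriched = demo()
    for a in enriched:
        print(a)
```

Keying detection state and notification policy on `instance_id` and `role` rather than on the raw address is what makes role-based management possible: the database node inheriting 10.0.1.20 should get the database policy, not the leftover web policy, and an alert raised at t=200 must still point at `i-0a1` after that instance is gone.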

Page 9


Soft-Tap Architecture

Unique approach to network security monitoring in EC2

[Diagram: five EC2 instances, each with interfaces eth0 and eth1 and a Soft Tap, feed mirrored traffic over per-instance VPN tunnels (VPN Transport) to a central IDS]
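The diagram shows the mechanism but not the wire format, so the block below is an added example (not Alert Logic's Soft Tap) of the two halves of such a tap: on the instance, each captured frame is wrapped in a small header carrying the instance ID, a sequence number and a timestamp and sent to the IDS over the VPN; on the IDS side the datagram is unwrapped and the host identity recovered. The caveat it handles is the one that bites anyone who mirrors an interface from software on the same host: if the VPN tunnel rides on the interface being tapped, the tap will capture its own encapsulated packets and re-encapsulate them forever unless it filters them out. The header layout, the `SoftTap` class, the collector address 10.0.9.1 and port 5555 are assumptions, and the frames are constructed with a small builder rather than captured; a real tap would read them from a raw socket or libpcap on eth0.

```python
import socket
import struct

ETH_IPV4 = 0x0800
TAP_MAGIC = b"STAP"
# Assumed tap header: magic, instance id (NUL-padded), sequence, timestamp, original frame length.
HDR = struct.Struct("!4s16sIdH")

COLLECTOR, TUNNEL_PORT = "10.0.9.1", 5555   # hypothetical IDS appliance inside the VPN


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/{TCP,UDP} frame (checksums zeroed) for the example."""
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_IPV4)
    if proto == 17:   # UDP: sport, dport, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:             # TCP: 20-byte header, SYN flag, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def parse_frame(frame):
    """Return (src_ip, dst_ip, proto, sport, dport), or None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return src, dst, proto, sport, dport


class SoftTap:
    """Instance-side half: decide what to mirror, then wrap it for the tunnel."""

    def __init__(self, instance_id, collector_ip, tunnel_port):
        self.instance_id = instance_id.encode().ljust(16, b"\0")
        self.collector_ip, self.tunnel_port = collector_ip, tunnel_port
        self.seq = 0

    def should_mirror(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return True   # ARP and other non-IP traffic is mirrored as-is
        src, dst, proto, sport, dport = parsed
        # Feedback-loop guard: never mirror the tap's own tunnel datagrams (either
        # direction), or each one would be captured and re-encapsulated endlessly.
        own_tunnel = proto == 17 and (
            (dst == self.collector_ip and dport == self.tunnel_port) or
            (src == self.collector_ip and sport == self.tunnel_port))
        return not own_tunnel

    def encapsulate(self, frame, ts):
        self.seq += 1
        return HDR.pack(TAP_MAGIC, self.instance_id, self.seq, ts, len(frame)) + frame

    def mirror(self, frames, ts=0.0):
        """The datagrams that would be sent over the VPN for this batch of frames."""
        return [self.encapsulate(f, ts) for f in frames if self.should_mirror(f)]


def decapsulate(datagram):
    """IDS-side half: recover the frame and the identity of the instance that saw it."""
    if len(datagram) < HDR.size or datagram[:4] != TAP_MAGIC:
        raise ValueError("not a soft-tap datagram")
    _, iid, seq, ts, orig_len = HDR.unpack_from(datagram)
    frame = datagram[HDR.size:]
    return {"instance_id": iid.rstrip(b"\0").decode(), "seq": seq, "ts": ts,
            "frame": frame, "truncated": len(frame) < orig_len}  # snaplen cut it short


def demo():
    """Three constructed frames on one instance: two mirrored, the tunnel's own dropped."""
    tap = SoftTap("i-0a1", COLLECTOR, TUNNEL_PORT)
    frames = [
        build_frame("10.0.1.20", "198.51.100.7", 6, 40000, 443),               # outbound client traffic
        build_frame("203.0.113.9", "10.0.1.20", 6, 51000, 80, b"GET / "),     # inbound request
        build_frame("10.0.1.20", COLLECTOR, 17, 5555, TUNNEL_PORT, b"STAP.."),  # our own tunnel
    ]
    return [decapsulate(d) for d in tap.mirror(frames, ts=1320141601.0)]
```

The sequence number lets the IDS notice loss on the tunnel (a gap in `seq` from one instance) and the `truncated` flag tells it when a snaplen cut a frame, both of which matter more here than on a physical SPAN port because the tap competes for CPU with the workload it is watching. Because the datagram carries the instance ID rather than relying on the tunnel's source address, the IDS keeps a stable host identity even when instance addresses are recycled.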

Page 10

Alert Logic for Amazon EC2

Components: Provisioning API, Management API, Virtual Appliances & Host Agents, IDS for Cloud, LM for Cloud, VA for Cloud

Enabling:
• Traffic monitoring via software-based network taps
• Log collection via software agents
• Virtual-appliance-based data collection
• Host agents that continuously track the state of monitored instances
• Automated software and configuration deployment via internal management APIs
• Multi-tenant aware provisioning API for integration with service provider

Provides:
• Auto-scaling by tracking IP addresses of protected hosts
• Load balancing & fail over between appliances
• Transport-level data encryption
• Centralized resource authorization via certificates

Page 11

Components

[Diagram labels: Customer EC2 Environment; Collection/Cloud Management System; Security Portal; Incident]

Page 12

Datapipe IDS for EC2: Setup Process

• Install software packages and virtual appliances
• Deploy certificates
• VPN Transport
• API Integration

[Diagram labels: SOC, UI, TM, LM, CMS]

Page 13


Attack Scenario

[Diagram: the attacker (the presenter) launches a SQL injection attack (this time unsuccessful) against the customer EC2 environment; the tapped traffic reaches the IDS over the VPN Transport]

Page 14


What happens next

• Incident identified by correlation engine
• Threat level escalated to 60 out of 100
• Notification sent to Datapipe security
• Incident investigated by Alert Logic SOC
• Incident remediated by Datapipe security team
• Attacker blocked at the firewall
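The first three steps (correlation, a threat level on a 0-100 scale, and a notification once it is high enough) are the automated part of the walk-through. The block below is an added example (not Alert Logic's correlation engine or scoring) of how such a stage can work: raw sensor events from the taps on two web nodes are folded into one incident per attacking source, scored from the worst signature seen plus small increments for persistence and for spread across hosts, and turned into a notification when the score crosses a threshold. The events, signature severities, weights and the `ESCALATE_AT` threshold are all assumptions; the weights happen to put the constructed injection burst at 60, the figure on the slide, but nothing on the page says how the real score is computed.

```python
# Constructed IDS events as the taps might deliver them:
# (ts, sensor_instance, src, dst, signature)
EVENTS = [
    (1000, "i-0a1", "192.0.2.66", "10.0.1.20", "web-sqli-boolean"),
    (1003, "i-0a1", "192.0.2.66", "10.0.1.20", "web-sqli-union"),
    (1004, "i-0a1", "192.0.2.66", "10.0.1.20", "web-sqli-union"),
    (1010, "i-0a2", "192.0.2.66", "10.0.1.21", "web-sqli-union"),      # same attacker, second web node
    (1200, "i-0a2", "198.51.100.7", "10.0.1.21", "web-path-traversal"),  # unrelated source
]

# Assumed per-signature severities and policy knobs.
SEVERITY = {"web-sqli-boolean": 30, "web-sqli-union": 40, "web-path-traversal": 25}
ESCALATE_AT = 50           # score at which the SOC is notified
CORRELATION_WINDOW = 300   # seconds of silence from a source that closes its incident


def score(incident):
    """0-100 threat level: worst signature seen, plus a little for persistence
    (repeated events) and for spread (one source hitting several hosts)."""
    base = max(SEVERITY.get(sig, 10) for sig in incident["events"])
    persistence = 5 * (len(incident["events"]) - 1)
    spread = 5 * (len(incident["targets"]) - 1)
    return min(100, base + persistence + spread)


def correlate(events, window=CORRELATION_WINDOW):
    """Fold raw sensor events into per-attacker incidents.

    Events from different sensors (the taps on different instances) land in
    the same incident when they share a source and fall inside the window;
    that is what turns four alerts from two web nodes into one incident.
    """
    incidents, open_by_src = [], {}
    for ts, sensor, src, dst, sig in sorted(events):
        inc = open_by_src.get(src)
        if inc is None or ts - inc["last_seen"] > window:
            inc = {"src": src, "first_seen": ts, "last_seen": ts,
                   "sensors": set(), "targets": set(), "events": []}
            incidents.append(inc)
            open_by_src[src] = inc
        inc["last_seen"] = ts
        inc["sensors"].add(sensor)
        inc["targets"].add(dst)
        inc["events"].append(sig)
    for inc in incidents:
        inc["threat"] = score(inc)
        inc["escalated"] = inc["threat"] >= ESCALATE_AT
    return incidents


def notification(incident):
    """The message the security team would receive for an escalated incident; None otherwise."""
    if not incident["escalated"]:
        return None
    worst = max(incident["events"], key=lambda s: SEVERITY.get(s, 10))
    return {
        "threat": incident["threat"],
        "attacker": incident["src"],
        "targets": sorted(incident["targets"]),
        "sensors": sorted(incident["sensors"]),
        "summary": f"{len(incident['events'])} events between {incident['first_seen']} "
                   f"and {incident['last_seen']}, worst signature {worst}",
        "suggested_action": f"block {incident['src']} at the firewall",
    }


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["src"], inc["threat"], notification(inc))
```

Correlating on the attacking source rather than on the sensor is the point: the slide's "unsuccessful" injection against one node is a low-value alert on its own, but the same source probing a second node a few seconds later is a campaign, and the score reflects that before any individual request succeeds.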

Page 15


Availability

• In beta today with select customers

• Available as a managed service for AWS customers exclusively through Datapipe in early 2012

• RightScale enabled: bundled into ServerTemplates for automation

• Auto-scaling support coming soon

• Available as a self-service solution for AWS and other public clouds from Alert Logic in 1H 2012

Questions?

Contact: @mgbits