Dyn Director of Security Chris Brenton prepared these slides as part of a webinar on how to move your data center to the cloud.
How to Move Your Data Center To A Cloud Infrastructure
January 22, 2014
Chris Brenton - Director of Security
Pg. 2 How to Move Your Data Center to a Cloud Infrastructure @chris_brenton
Your Presenter
Chris Brenton - Director of Security
@Chris_Brenton
What We’ll Cover
• Background on industry trends
• Strengths and weaknesses of each cloud service and deployment model
• Security options
New Era of Computing
• Mainframe/mini = Generation 1
• PC client/server = Generation 2
• Hybrid cloud = Generation 3
– No single deployment model
– Hit its stride in 2010
An Automotive Analogy
• The 1960s:
o Easy to work on
o Extremely inefficient (poor power and mileage)
• The 1980s:
o Change fluids and that’s about it
o 50% improvement in power and mileage
• The 2000s:
o Outsource just about everything to specialists
o 200%+ improvement in power and mileage
Private or Public Cloud Infrastructure?
• Private -- Do it all yourself
o You maintain control and all responsibility
o You need to staff accordingly
o Greater flexibility
• Public -- Outsource to specialists
o Easier to focus on core product(s)
o Less staffing concerns
o Speed of scale
Definitions: Tenant and Provider
• Tenant
o Entity consuming the resource(s)
o This could be your customers
o This could be other internal workgroups
• Provider
o Entity managing the resource(s)
o This could be your Operations group
o This could be a 3rd party company
Gen2 Computing
Gen3 Computing
Gen3 Computing SMB
Déjà vu – Laptops As A Model
• We’ve dealt with mobile workloads in the past
• Workstations used to only reside on desks
• Laptops opened up the possibility of working from anywhere
• Security needed to change from being network based to host based
• Expect something similar to occur with mobile workloads
– Shared resources mean host based technology must be reworked prior to use
Cloud Models
• Infrastructure as a Service (IaaS)
o Provider supplies platform
o Tenant loads OS and all apps
• Platform as a Service (PaaS)
o Provider supplies platform and stack
o Tenant provides custom apps
• Software as a Service (SaaS)
o Provider supplies OS, stack and apps
o Tenant hits the ground running
Cloud Model Examples
• IaaS
o Amazon Web Services (AWS)
o Rackspace Cloud Hosting
• PaaS
o Original Microsoft Azure
o VMware Cloud Foundry
• SaaS
o Dyn
o Salesforce
Deployment Model Tradeoffs
• IaaS
o Provider generates the lowest level environment
o More work for tenant to deploy app
o More tenant control to implement security
• SaaS
o Nearly turnkey solution for app deployment
o Least amount of tenant control and flexibility
• PaaS
o Sits in the middle
Delineation of Responsibility
What Are My Security Options?
Extending The LAN Into The Cloud
LAN Extended Challenges
• Increases load on corporate link
o Today we’re mobile
o Limits public cloud scaling
• Increases load on perimeter infrastructure
• Negates network benefits
o Provider load balancing
o Multi-peer points
o Geo-location DNS
o Higher latency
• No protection within virtual infrastructure
Virtual Appliance Management
Virtual Appliance Architecture
What About Introspection?
• Hypervisor based security
o Has visibility into all VMs
• Single point of management
o For a specific hypervisor deployment
• Do you want other tenants to have access to your hypervisor?
• Do you want your provider to have non-auditable access to your VMs?
o Can break segregation of duties
Host-Based Architecture
Consistent architecture (and risk abatement) regardless of deployment
Why Host Based Firewalls?
• Tenant controlled
– Provider gains no additional access
• Supported across all cloud infrastructures
• Consistent management across all cloud deployments
• Security is portable with the VM
• Mitigate potential risks from vswitch or VLANs
Consistency is Key to Security
• Customization is common in small business
• Focus is on getting the product to market
– “We’ll worry about maintaining it later”
• Enterprise needs to play “the long game”
• “Snowflakes” can be an inhibitor
o Reduces available resources for innovation
o Can easily stunt an organization’s ability to scale
One Off Server Deployment
VM Cloning
Clones Should All Have
• Patches to the same level
• Identical configuration settings
• Same system accounts
• The same processes running in memory
• Usually no reason to log on
– Update master and re-clone
VM Clone Security = Spot The Difference Game
Spot The Difference
[Figure: Gold Master; callout “Has an additional listening port open”]
[Figure: Gold Master; callout “1 login successful on first try”]
[Figure: Gold Master; three callouts, each “Missing 3 patches”]
VM Clone Security
• Can identify positive exceptions, not just negative ones
o Successful login
o Increased patch level
• Can simplify server security
o No more one off auditing!
o Far easier to ID variations that matter
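The gold-master comparison described in the VM clone slides, as an added example that is not from the original deck: it diffs each clone's inventory against the master and reports both negative exceptions (extra listening port, missing patches, a successful login) and positive ones (a higher patch level). The inventory format, host names and patch IDs are constructed for illustration, and collecting the inventories is assumed to happen elsewhere.

```python
"""Compare clone inventories against a gold master (constructed sample data)."""

# Attributes the slides say every clone should share with the master.
SET_FIELDS = ("patches", "listening_ports", "accounts", "processes")

def diff_clone(master, clone):
    """Return a list of (field, kind, items) deviations from the master."""
    findings = []
    for field in SET_FIELDS:
        base, seen = set(master[field]), set(clone[field])
        if seen - base:
            findings.append((field, "extra", sorted(seen - base)))
        if base - seen:
            findings.append((field, "missing", sorted(base - seen)))
    # Clones are rebuilt from the master rather than logged on to,
    # so any successful login is treated as an exception.
    if clone.get("successful_logins", 0) > 0:
        findings.append(("successful_logins", "extra", [clone["successful_logins"]]))
    return findings

def audit(master, clones):
    """Map clone name -> deviations; clones identical to the master are omitted."""
    report = {}
    for name, inventory in clones.items():
        findings = diff_clone(master, inventory)
        if findings:
            report[name] = findings
    return report

# Constructed inventories (hypothetical host names and patch IDs).
GOLD = {
    "patches": {"P-101", "P-102", "P-103"},
    "listening_ports": {22, 443},
    "accounts": {"root", "svc_web"},
    "processes": {"sshd", "nginx"},
}
CLONES = {
    "web-01": dict(GOLD, successful_logins=0),                      # identical
    "web-02": dict(GOLD, listening_ports={22, 443, 8081}, successful_logins=0),
    "web-03": dict(GOLD, successful_logins=1),                      # someone logged on
    "web-04": dict(GOLD, patches=set(), successful_logins=0),       # missing 3 patches
    "web-05": dict(GOLD, patches={"P-101", "P-102", "P-103", "P-104"},
                   successful_logins=0),                            # patched ahead
}

if __name__ == "__main__":
    for name, findings in sorted(audit(GOLD, CLONES).items()):
        for field, kind, items in findings:
            print(f"{name}: {kind} {field}: {items}")
```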
Questions?
Chris Brenton - Director of Security
@Chris_Brenton