RightScale Conference Santa Clara 2011 - With the rapid growth of online commerce, the challenge to secure and monitor internal and customer-facing websites, card processing systems and other critical infrastructure has never been greater. Deploying full-featured intrusion detection in a public cloud has been challenging – the network models and multi-tenancy of public clouds do not make deep network services easy to deploy. Ed Laczynski, VP of Cloud Strategy and Architecture at Datapipe, will demonstrate a working IDS solution in a public cloud.
Managing Cloud Security: Intrusion Detection Services in a Public Cloud
Datapipe Cloud Services Stack
Comprehensive Security
“Strong security controls are a requirement for many mission-critical IT workloads. Customers demand that service providers address security as they move IT infrastructure to fully elastic public cloud environments”
- Joel Friedman, Datapipe CSO
IDS
2 Factor Authentication
Vulnerability Scanning
Integrity Monitoring
Configuration Assessment (Tripwire)
Firewall
Antivirus
Web Application Firewall
TDE – Transparent Database Encryption
Broad Cloud Adoption: Inhibitors
Public Cloud Security Complexity
Security solutions must be built specifically for public cloud
PUBLIC CLOUD SECURITY REQUIREMENTS
elastic scaling
virtualized computing
management automation
self-service provisioning
third-party ownership
managed operations
utility pricing
Provisioning API
Management API
Virtual Appliances & Host Agents
IDS for Cloud
LM for Cloud
VA for Cloud
Enabling:
• Traffic monitoring via software-based network taps
• Log collection via software agents
• Virtual appliance-based data collection
• Host agents that continuously track the state of monitored instances
• Automated software and configuration deployment via internal management APIs
• Multi-tenant aware provisioning API for integration with service provider
for Amazon Web Services
Provides:
• Auto-scaling by tracking IP addresses of protected hosts
• Load balancing & fail over between appliances
• Transport-level data encryption
• Centralized resource authorization via certificates
Alert Logic for Amazon EC2
Datapipe IDS for EC2: Setup Process
Install software packages and virtual appliances
Deploy certificates
VPN Transport
API Integration
SOCUITM LM
CMS
Components
Collection/Cloud Management System
Security Portal Incident
Customer EC2 Environment
Attack Scenario
VPN Transport
Attacker(me)