Upload
rightscale
View
1.277
Download
2
Tags:
Embed Size (px)
Citation preview
Cloud Management Platform
Securing Servers in Public and Hybrid Clouds
Leveraging RightScale and CloudPassageDec 15, 2011
Watch the video of this webinar
# 2
Cloud Management Platform
Your Panel TodayHost•Phil Cox, Director, Security and Compliance, RightScale @sec_prof
Presenting•Uri Budnik, Director, ISV Partner Program, RightScale. @uribudnik•Carson Sweet, CEO of CloudPassage. @carsonsweet
Q&A•Will Eschen, Account Executive, RightScale
Please use the “Questions” window to ask questions any time!
# 3
Cloud Management Platform
Agenda• Introduction• Security and Compliance in the Cloud – How are they Different?• Model for Securing Cloud-based Hosting Environments• Demo Deployment of Integrated Solution• Q&A
www.cloudpassage.com
Recent Awards
CloudPassage Background
Select Customers
Production users since July 2010Publicly accessible since Jan 2011
Commercial release Oct 2011
HaloTM Solution
132 customers2,154 servers secured
1,273,986 scans completed
Early Adoption
Founded January 2010Team of 27 security specialistsBacked by Benchmark Capital
Company Background
www.cloudpassage.com
Cloud Changes the Balance
private datacenter
public cloud
www-1 www-2 www-3 www-4
• Servers used to be highly isolated• Bad guys clearly on the outside• Layers of perimeter security• Poor configurations were
tolerable
www.cloudpassage.com
Cloud Changes the Balance
private datacenter
public cloud
www-1 www-2 www-3
• Servers used to be highly isolated• Bad guys clearly on the outside• Layers of perimeter security• Poor configurations were
tolerable
• Cloud servers more exposed• Outside of perimeter protections• Little network control or visibility• No idea who’s next door
www-4
www.cloudpassage.com
Cloud Changes the Balance
private datacenter
public cloud
www-1 www-2 www-3
• Servers used to be highly isolated• Bad guys clearly on the outside• Layers of perimeter security• Poor configurations were tolerable
• Cloud servers more exposed• Outside of perimeter protections• Little network control or visibility• No idea who’s next door
• Sprawling, multiplying exposures• Rapidly growing attack surface area• More servers = more vulnerabilities• More servers ≠ more people
www-7
www-4
www-8
www-5
www-9
www-6
www-10
www.cloudpassage.com
Cloud Changes the Balance
private datacenter
public cloud
www-1 www-2 www-3
• Servers used to be highly isolated• Bad guys clearly on the outside• Layers of perimeter security• Poor configurations were tolerable
• Cloud servers more exposed• Outside of perimeter protections• Little network control or visibility• No idea who’s next door
• Sprawling, multiplying exposures• Rapidly growing attack surface area• More servers = more vulnerabilities• More servers ≠ more people
• Fraudsters target cloud servers• Softer targets to penetrate• No perimeter defenses to thwart• Elasticity = more botnet to sell
www-7
www-4
www-8
www-5
www-9
www-6
www-10
www.cloudpassage.com
Your Servers… Your Responsibility
Direct from Amazon AWS
Cu
sto
mer
Resp
on
sib
ilityP
rovid
er
Resp
on
sib
ility
Physical FacilitiesPhysical Facilities
HypervisorHypervisor
Compute & StorageCompute & Storage
Shared NetworkShared Network
Virtual Machine
DataData
App CodeApp Code
App FrameworkApp Framework
Operating SystemOperating System
“…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”
“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.” Amazon Web Services: Overview of Security Processes (2011)
CloudPassage Halo was purpose-built to actively
protect servers in any cloud.
RightScale can ensure secure server configurations
across multiple clouds.
www.cloudpassage.com
Dynamic network access control
Configuration and package security
Server account visibility & control
Server compromise & intrusion alerting
Halo GhostPorts two-factor access control
Halo REST API for integration & automation
Halo is a security Software-as-a-Service providing all you need to secure your cloud servers.
HaloTM Functional Capabilities
www.cloudpassage.com
www-1
ComputeGrid
UserPortal
https
RESTful API Gateway
https
Clo
udPassa
ge
Halo
Halo Daemon
Policies,Commands, Reports
www-1
HaloHalo
www.cloudpassage.com
www-1
ComputeGrid
UserPortal
https
RESTful API Gateway
https
Clo
udPassa
ge
Halo
Policies,Commands, Reports
www-1
HaloHalo
Policies & Commands
www.cloudpassage.com
www-1
ComputeGrid
UserPortal
https
RESTful API Gateway
https
Clo
udPassa
ge
Halo
Policies,Commands, Reports
www-1
Results & Updates
HaloHalo
www.cloudpassage.com
www-1
ComputeGrid
UserPortal
https
RESTful API Gateway
https
Clo
udPassa
ge
Halo
Policies,Commands, Reports
www-1
HaloHalo
State and Event
Analysis
www.cloudpassage.com
Alerts, Reports and Trending www-1
ComputeGrid
UserPortal
https
RESTful API Gateway
https
Clo
udPassa
ge
Halo
Policies,Commands, Reports
www-1
HaloHalo
www.cloudpassage.com
100% Multi-Cloud Capable
Single pane of glass across hosting models
• Scales and bursts with dynamic cloud environments• Not dependant on chokepoints, static networks or fixed
IPs• Agnostic to cloud provider, hypervisor or hardware
www.cloudpassage.com
Features & Pricing
Dynamic network access control ✔ ✔
Server compromise & intrusion alerting ✔ ✔
Configuration and software security ✔ ✔
Server account visibility & control ✔ ✔
REST API access ✔
GhostPorts multi-factor authentication ✔
Data storage One dayTwo
years
Maximum scanning frequency Daily Hourly
Servers protected Up to 25Unlimite
d
FREE $0.10/hour
www.cloudpassage.com
Getting Started
• Register and setup Halo• Up to 25 servers are free• Evaluation keys are available to unlock pro features
• Optimize your Halo configuration• Set up some server groups & a firewall policy• Explore base policies provided by CloudPassage• Get answers and tips at community.cloudpassage.com
• Deploy Halo via RightScript• Ensures consistent deployment of Halo across all
servers• Offers additional visibility and remediation alternatives
www.cloudpassage.com
RightScale Integration
• Installation of Halo via RightScript
• Load your Halo API key into RightScale as a credential
• Add the CloudPassage Halo RightScript to your server templates
• All launched servers will automatically have CloudPassage Halo activated
• Easy, consistent security!
# 24
Cloud Management Platform
RightScale Real Customers, Real Deployments, Real Benefits
• Managed Cloud Deployments for 4 Years — globally• More than 45,000 users; launched more than 3MM servers!• Powering the largest production deployments on the cloud
# 28
Cloud Management Platform
• Dynamic configuration
• Abstract role and behavior from cloud infrastructure
• Predictable deployment
• Cloud agnostic / portable
• Object-oriented programming for sysadmins
ServerTemplates
# 29
Cloud Management Platform
Parenthesis: What are ServerTemplates?
Custom MySQL 5.0.24 (CentOS 5.2)Custom MySQL 5.0.24 (CentOS 5.2)
Custom MySQL 5.0.24 (CentOS 5.4)Custom MySQL 5.0.24 (CentOS 5.4)
MySQL 5.0.36 (CentOS 5.4)MySQL 5.0.36 (CentOS 5.4)
MySQL 5.0.36 (Ubuntu 8.10)MySQL 5.0.36 (Ubuntu 8.10)
MySQL 5.0.36 (Ubuntu 8.10) 64bitMySQL 5.0.36 (Ubuntu 8.10) 64bit
Frontend Apache 1.3 (Ubuntu 8.10)Frontend Apache 1.3 (Ubuntu 8.10)
Frontend Apache 2.0 (Ubuntu 9.10) - patchedFrontend Apache 2.0 (Ubuntu 9.10) - patched
CMS v1.0 (CentOS 5.4)CMS v1.0 (CentOS 5.4)
CMS v1.1 (CentOS 5.4)CMS v1.1 (CentOS 5.4)
My ASP appserver (windows 2008)My ASP appserver (windows 2008)
My ASP.net (windows 2008) – security update 1My ASP.net (windows 2008) – security update 1
My ASP.net (windows 2008) – security update 8My ASP.net (windows 2008) – security update 8
SharePoint v4 (windows 2003) – 32bitSharePoint v4 (windows 2003) – 32bit
SharePoint v4 (windows 2003) –64bitSharePoint v4 (windows 2003) –64bit
SharePoint v4.5 (windows 2003) –64bitSharePoint v4.5 (windows 2003) –64bit
…
Configuring serversthrough bundling Images:
A set of configuration directives that will install
and configure software on top of the base image
Configuring serverswith ServerTemplates:
CentOS 5.2CentOS 5.2
CentOS 5.4CentOS 5.4Ubuntu 8.10Ubuntu 8.10
Ubuntu 9.10Ubuntu 9.10Win 2003Win 2003
Win 2007Win 2007
Base ImageVery few and basic
Base ImageVery few and basic
# 30
Cloud Management Platform
• Integrated approach that puts together all the parts needed to architect single & multi-server deployments
VS.
ServerTemplates
# 32
Cloud Management Platform
Find Out More• Web Resources:
• RightScale.com/partners/isv/CloudPassage.php • RightScale.com/webinars• RightScale.com/whitepapers• Community.CloudPassage.com
• Blogs:• Blog.RightScale.com
• Follow us on Twitter• @secprof• @uribudnik• @carsonsweet• @cloudpassage• @rightscale
# 33
Cloud Management Platform
Thank you!!! Contact Information•CloudPassage Team
• [email protected]• [email protected]• (415) 886-3020
•RightScale• [email protected]• (866) 720-0208• [email protected]
# 35
Cloud Management Platform
Data Security• We will cover …
• Common data exposure vectors
• Security benefits of centralized management
• Unique security needs associated with hybrid and cross-cloud environments
# 36
Cloud Management Platform
Biggest real risks to data in the cloud?• The same things as when your data were not in the cloud.
• Poor application security leading to Injection• Poor system configurations, leading to system compromised• Poor application configuration leading to application compromise• Poor user habits leading to compromised credentials, that are then used to
access data
# 37
Cloud Management Platform
Common data exposure vectors in the cloud
In Process
At Rest
In Transit
Data is typically exposed in the following three states:
Cloud Management Platform
# 38
We must protect data “In Transit”• Why?
• You do not want the bad guys to see or modify your data
• You can’t guarantee the path your data will take
• You may have regulatory or contractual requirements to do so
• Risk• Sniffing along the path• Modification of existing data• Injection of new data
• Common Solutions• Application Transport (SSL & TLS)• VPN (SSL, IPSEC, PPTP, L2TP)• App level data encryption (custom)
Map of Internet Traffic
# 39
Cloud Management Platform
We must protect data “At Rest”• Why? Same as previous: You do not want unauthorized
• Disclosure• Modification• Injection
• Risks• Intrusion into Instance/Guest exposes data on its filesystem• Cloud provider access to ephemeral storage (e.g., EBS, SWIFT)• Cloud provider access to other storage options (e.g., S3, CloudFiles)
• Common Solutions• Protection offered by running operating system (Access Control Lists)• *Encryption (and Key Management)*• SLA and Policies/Processes of the Cloud provider
# 40
Cloud Management Platform
We must protect data while “In Process”• Why? Same as previous: You do not want
unauthorized• Disclosure• Modification• Injection
• Risk• Data is in clear in the memory of the Instance• Privileged users on a system can read memory• Hypervisor has access to instance memory
• Common Solutions• Protect the system that is processing• Protect the hypervisor running the Instance• Limit administrative users
# 41
Cloud Management Platform
Where RightScale shines• RightScale can be used to ensure that poor system and application
configurations are not what cause you to lose your data• Use RightScale to:
• Require data to be transmitted securely• Require data be stored securely• Ensure systems are appropriately patched and configured to minimize exposures
• The core technologies are• RightImages• ServerTemplates• RightScripts• Repo’s and Mirrors
• Security Motto: “Build it secure, keep it secure!”
# 42
Cloud Management Platform
Build it Secure
Use Trusted Images Script the install and configuration
TrustedRepository
KnownConfigurations
Start withMulti-Cloud
Images
Build withServerTemplates
Modify withRightScripts
Build fromFrozen Repos
What
How
# 43
Cloud Management Platform
Keep it Secure• What
• Update the Operating System• Update the applications• Validate the configuration
• How• You can use the same mechanism as in your enterprise
• *OR*
• Use operational RightScripts to do it for you• *OR*
• Use a partner ISV that specializes in that service
# 44
Cloud Management Platform
Hybrid/cross cloud security concerns• Cloud functionality differences
• This is the biggest concern in a non-homogeneous environment• Security features are different in scope and implementation for basically all
different cloud orchestration technologies• Identity and Access Management features differ• Log levels and information differ
• Applying consistent builds throughout• Think of the term “security group”, then define what that means in all the clouds
you will use?• How do you manage them consistently?
• Physical protections will differ from provider to provider• You will need to take this into consideration when looking at controls to
implement