Cloud Management Platform

Securing Servers in Public and Hybrid Clouds

Leveraging RightScale and CloudPassage
Dec 15, 2011

Watch the video of this webinar

# 2


Your Panel Today

Host
• Phil Cox, Director, Security and Compliance, RightScale @sec_prof

Presenting
• Uri Budnik, Director, ISV Partner Program, RightScale @uribudnik
• Carson Sweet, CEO of CloudPassage @carsonsweet

Q&A
• Will Eschen, Account Executive, RightScale

Please use the “Questions” window to ask questions any time!

# 3


Agenda
• Introduction
• Security and Compliance in the Cloud – How are they Different?
• Model for Securing Cloud-based Hosting Environments
• Demo Deployment of Integrated Solution
• Q&A

www.cloudpassage.com

CloudPassage Background

Company Background
• Founded January 2010
• Team of 27 security specialists
• Backed by Benchmark Capital

Halo™ Solution
• Production users since July 2010
• Publicly accessible since Jan 2011
• Commercial release Oct 2011

Early Adoption
• 132 customers
• 2,154 servers secured
• 1,273,986 scans completed

Recent Awards / Select Customers (logos)

Cloud Changes the Balance

(Diagram, built up over four slides: private datacenter vs. public cloud, with servers www-1 through www-10 moving out into the public cloud)

• Servers used to be highly isolated
• Bad guys clearly on the outside
• Layers of perimeter security
• Poor configurations were tolerable

• Cloud servers more exposed
• Outside of perimeter protections
• Little network control or visibility
• No idea who’s next door

• Sprawling, multiplying exposures
• Rapidly growing attack surface area
• More servers = more vulnerabilities
• More servers ≠ more people

• Fraudsters target cloud servers
• Softer targets to penetrate
• No perimeter defenses to thwart
• Elasticity = more botnet to sell

Your Servers… Your Responsibility

Direct from Amazon AWS

(Diagram: the shared-responsibility stack)
Provider Responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Customer Responsibility: Virtual Machine – Operating System, App Framework, App Code, Data

“…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”

“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.” Amazon Web Services: Overview of Security Processes (2011)

CloudPassage Halo was purpose-built to actively protect servers in any cloud.

RightScale can ensure secure server configurations across multiple clouds.

Halo™ Functional Capabilities

Halo is a security Software-as-a-Service providing all you need to secure your cloud servers.

• Dynamic network access control
• Configuration and package security
• Server account visibility & control
• Server compromise & intrusion alerting
• Halo GhostPorts two-factor access control
• Halo REST API for integration & automation

(Diagram, built up over five slides: Halo architecture. A Halo Daemon runs on each server, shown as www-1 in the Compute Grid, and talks over https to the RESTful API Gateway of the CloudPassage Halo service; users reach the service through the User Portal, also over https. Policies & Commands flow from the service down to the daemon, Results & Updates flow back up, the service performs State and Event Analysis, and the output is Alerts, Reports and Trending. Diagram labels: Policies, Commands, Reports.)

100% Multi-Cloud Capable

Single pane of glass across hosting models
• Scales and bursts with dynamic cloud environments
• Not dependent on chokepoints, static networks or fixed IPs
• Agnostic to cloud provider, hypervisor or hardware

Features & Pricing

Feature                                    Free         Pro ($0.10/hour)
Dynamic network access control             ✔            ✔
Server compromise & intrusion alerting     ✔            ✔
Configuration and software security        ✔            ✔
Server account visibility & control        ✔            ✔
REST API access                                         ✔
GhostPorts multi-factor authentication                  ✔
Data storage                               One day      Two years
Maximum scanning frequency                 Daily        Hourly
Servers protected                          Up to 25     Unlimited

Getting Started

• Register and set up Halo
  • Up to 25 servers are free
  • Evaluation keys are available to unlock pro features

• Optimize your Halo configuration
  • Set up some server groups & a firewall policy
  • Explore base policies provided by CloudPassage
  • Get answers and tips at community.cloudpassage.com

• Deploy Halo via RightScript
  • Ensures consistent deployment of Halo across all servers
  • Offers additional visibility and remediation alternatives

RightScale Integration

• Installation of Halo via RightScript

• Load your Halo API key into RightScale as a credential

• Add the CloudPassage Halo RightScript to your server templates

• All launched servers will automatically have CloudPassage Halo activated

• Easy, consistent security!
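The steps above (API key stored as a RightScale credential, RightScript attached to the ServerTemplate, agent activated on every launch) boil down to one script that runs at boot. The following is an added example written for this page, not a CloudPassage or RightScale script. It relies on one real RightScale behaviour, that script inputs are handed to the RightScript as environment variables; the input name HALO_API_KEY, the config file path and the vendor install step are assumptions, and the install command is left as a placeholder because the page does not document it. The security-relevant points it shows are the ones a practitioner cares about when a credential is injected at launch: fail the launch if the credential is missing, never put the key on a command line or in the audit log, and write it to a root-only file.

```shell
#!/bin/sh
# Added example, not a CloudPassage or RightScale script: the shape of a
# RightScript that activates a host agent with an API key that RightScale
# supplies from a stored credential. RightScale passes script inputs to the
# script as environment variables; the input name HALO_API_KEY, the config
# file path and the vendor install step below are assumptions of this example.
set -u

# Fail the run if a required input was not bound to a credential, so a
# server never launches half-configured. Input names are fixed by this
# script, so the eval expands a known variable name, not user data.
require_input() {
    name="$1"
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        echo "ERROR: required input $name is not set" >&2
        return 1
    fi
    return 0
}

# Write the key to a root-only file rather than passing it on a command line,
# where it would show up in process listings and shell history.
write_agent_key() {
    key="$1"
    dest="$2"
    umask 077
    mkdir -p "$(dirname "$dest")"
    tmp="$dest.tmp.$$"
    printf 'api_key=%s\n' "$key" > "$tmp"
    mv "$tmp" "$dest"
    chmod 0600 "$dest"
}

# Permission string of a file (first 10 characters of ls -l), for checks.
file_mode() {
    ls -l "$1" | cut -c1-10
}

# RightScale keeps script output in its audit entries, so only a masked
# prefix of the key may ever be printed.
mask_secret() {
    printf '%s****' "$(printf '%s' "$1" | cut -c1-4)"
}

main() {
    require_input HALO_API_KEY || return 1
    conf="${HALO_AGENT_CONF:-/etc/cloudpassage/agent.conf}"   # assumed path
    write_agent_key "$HALO_API_KEY" "$conf"
    echo "Halo key $(mask_secret "$HALO_API_KEY") installed to $conf"
    # Placeholder: the vendor-documented install/activate command goes here,
    # reading the key from $conf instead of from an argument.
    # /path/to/vendor-installer --config "$conf"
}

# A RightScript would simply end with "main"; the guard lets this file be
# sourced for testing without touching the system.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it the way RightScale would, with the input already in the environment: `HALO_API_KEY=... sh activate_halo.sh --run`. Because the key reaches the agent only through a 0600 file, a later `ps` or a RightScale audit entry shows nothing but the masked prefix.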

# 24


RightScale: Real Customers, Real Deployments, Real Benefits

• Managed Cloud Deployments for 4 Years — globally
• More than 45,000 users; launched more than 3MM servers!
• Powering the largest production deployments on the cloud

# 25


What do we Mean by Cloud Computing?

# 26


RightScale Manages IaaS Clouds

# 27


Complete Systems Management

# 28

ServerTemplates

• Dynamic configuration
• Abstract role and behavior from cloud infrastructure
• Predictable deployment
• Cloud agnostic / portable
• Object-oriented programming for sysadmins

# 29


Parenthesis: What are ServerTemplates?

Configuring servers through bundling Images:
• Custom MySQL 5.0.24 (CentOS 5.2)
• Custom MySQL 5.0.24 (CentOS 5.4)
• MySQL 5.0.36 (CentOS 5.4)
• MySQL 5.0.36 (Ubuntu 8.10)
• MySQL 5.0.36 (Ubuntu 8.10) 64bit
• Frontend Apache 1.3 (Ubuntu 8.10)
• Frontend Apache 2.0 (Ubuntu 9.10) - patched
• CMS v1.0 (CentOS 5.4)
• CMS v1.1 (CentOS 5.4)
• My ASP appserver (windows 2008)
• My ASP.net (windows 2008) – security update 1
• My ASP.net (windows 2008) – security update 8
• SharePoint v4 (windows 2003) – 32bit
• SharePoint v4 (windows 2003) – 64bit
• SharePoint v4.5 (windows 2003) – 64bit

Configuring servers with ServerTemplates: a set of configuration directives that will install and configure software on top of the base image
• Base Images (very few and basic): CentOS 5.2, CentOS 5.4, Ubuntu 8.10, Ubuntu 9.10, Win 2003, Win 2007

# 30


ServerTemplates (vs. bundled images)
• Integrated approach that puts together all the parts needed to architect single & multi-server deployments

CloudPassage / RightScale Integration Demo

# 32


Find Out More

• Web Resources:
  • RightScale.com/partners/isv/CloudPassage.php
  • RightScale.com/webinars
  • RightScale.com/whitepapers
  • Community.CloudPassage.com

• Blogs:
  • Blog.RightScale.com

• Follow us on Twitter:
  • @secprof
  • @uribudnik
  • @carsonsweet
  • @cloudpassage
  • @rightscale

# 33


Thank you!!!

Contact Information

• CloudPassage Team
  • [email protected]
  • [email protected]
  • (415) 886-3020

• RightScale
  • [email protected]
  • (866) 720-0208
  • [email protected]

# 34


Additional Slides

# 35


Data Security

We will cover …
• Common data exposure vectors
• Security benefits of centralized management
• Unique security needs associated with hybrid and cross-cloud environments

# 36


Biggest real risks to data in the cloud?
• The same things as when your data were not in the cloud:
  • Poor application security leading to injection
  • Poor system configurations leading to system compromise
  • Poor application configuration leading to application compromise
  • Poor user habits leading to compromised credentials that are then used to access data

# 37


Common data exposure vectors in the cloud

Data is typically exposed in the following three states:
• In Process
• At Rest
• In Transit

# 38

We must protect data “In Transit”

• Why?
  • You do not want the bad guys to see or modify your data
  • You can’t guarantee the path your data will take
  • You may have regulatory or contractual requirements to do so

• Risk
  • Sniffing along the path
  • Modification of existing data
  • Injection of new data

• Common Solutions
  • Application Transport (SSL & TLS)
  • VPN (SSL, IPSEC, PPTP, L2TP)
  • App level data encryption (custom)

(Figure: Map of Internet Traffic)

# 39


We must protect data “At Rest”

• Why? Same as previous: You do not want unauthorized
  • Disclosure
  • Modification
  • Injection

• Risks
  • Intrusion into Instance/Guest exposes data on its filesystem
  • Cloud provider access to ephemeral storage (e.g., EBS, SWIFT)
  • Cloud provider access to other storage options (e.g., S3, CloudFiles)

• Common Solutions
  • Protection offered by running operating system (Access Control Lists)
  • *Encryption (and Key Management)*
  • SLA and Policies/Processes of the Cloud provider

# 40


We must protect data while “In Process”

• Why? Same as previous: You do not want unauthorized
  • Disclosure
  • Modification
  • Injection

• Risk
  • Data is in clear in the memory of the Instance
  • Privileged users on a system can read memory
  • Hypervisor has access to instance memory

• Common Solutions
  • Protect the system that is processing
  • Protect the hypervisor running the Instance
  • Limit administrative users

# 41


Where RightScale shines

• RightScale can be used to ensure that poor system and application configurations are not what cause you to lose your data
• Use RightScale to:
  • Require data to be transmitted securely
  • Require data be stored securely
  • Ensure systems are appropriately patched and configured to minimize exposures

• The core technologies are
  • RightImages
  • ServerTemplates
  • RightScripts
  • Repo’s and Mirrors

• Security Motto: “Build it secure, keep it secure!”

# 42


Build it Secure

What
• Use Trusted Images
• Script the install and configuration
• Trusted Repository
• Known Configurations

How
• Start with Multi-Cloud Images
• Build with ServerTemplates
• Modify with RightScripts
• Build from Frozen Repos

# 43


Keep it Secure

• What
  • Update the Operating System
  • Update the applications
  • Validate the configuration

• How
  • You can use the same mechanism as in your enterprise
  • *OR* Use operational RightScripts to do it for you
  • *OR* Use a partner ISV that specializes in that service
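"Validate the configuration" via an operational RightScript is the one "How" on this slide that is easy to show concretely. The script below is an added example written for this page, not RightScale's or CloudPassage's code: it audits a server's sshd configuration against a baseline and returns the number of drifted settings as its exit status, so a scheduled operational run is marked failed (and therefore visible) on any drift. The baseline values, and the choice of sshd as the file being checked, are assumptions made for the example; the one sshd fact it relies on is that sshd honours the first occurrence of a keyword.

```shell
#!/bin/sh
# Added example, not RightScale's or CloudPassage's code: an operational
# RightScript-style check that validates a server's sshd configuration
# against a baseline and fails the run when the configuration has drifted.
# The baseline values are assumptions made for this example, not a policy
# taken from either vendor.
set -u

# sshd uses the first occurrence of a keyword, so that is the value reported;
# commented-out lines are ignored and keyword matching is case-insensitive.
effective_setting() {
    file="$1"
    key="$2"
    awk -v k="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$file"
}

# Return 0 when the effective value equals the expected one, 1 otherwise,
# and describe the drift on stderr so it lands in the audit entry.
check_setting() {
    file="$1"; key="$2"; expected="$3"
    actual="$(effective_setting "$file" "$key")"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "DRIFT: $key is '${actual:-<unset>}', expected '$expected'" >&2
    return 1
}

# Baseline (constructed for the example): "Keyword ExpectedValue" per line.
BASELINE='PermitRootLogin no
PasswordAuthentication no
Protocol 2
X11Forwarding no'

# Check every baseline entry and return the number of drifted settings;
# a non-zero return fails the operational run, which RightScale records.
audit_sshd() {
    file="$1"
    drift=0
    while read -r key expected; do
        [ -n "$key" ] || continue
        check_setting "$file" "$key" "$expected" || drift=$((drift + 1))
    done <<EOF
$BASELINE
EOF
    return "$drift"
}

main() {
    target="${1:-/etc/ssh/sshd_config}"
    rc=0
    audit_sshd "$target" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK: $target matches the baseline"
    else
        echo "FAIL: $rc setting(s) drifted in $target" >&2
        return 1
    fi
}

# A RightScript would simply end with "main"; the guard lets this file be
# sourced for testing without reading the live configuration.
case "${1:-}" in
    --run) shift; main "$@" ;;
esac
```

Run as `sh sshd_audit.sh --run` (or with an explicit path after `--run`). The same pattern extends to any file whose "first match wins" semantics you know: add lines to the baseline, and let the exit status drive the RightScale operational run so drift becomes an alert instead of a silent state.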

# 44


Hybrid/cross cloud security concerns

• Cloud functionality differences
  • This is the biggest concern in a non-homogeneous environment
  • Security features are different in scope and implementation for basically all different cloud orchestration technologies
  • Identity and Access Management features differ
  • Log levels and information differ

• Applying consistent builds throughout
  • Think of the term “security group”, then define what that means in all the clouds you will use
  • How do you manage them consistently?

• Physical protections will differ from provider to provider
  • You will need to take this into consideration when looking at controls to implement