Upload
glen-roberts-cissp
View
673
Download
1
Tags:
Embed Size (px)
Citation preview
2
Pervasive Software Global Software Company
• Tens of thousands of users across the globe
• Operations in Americas, EMEA, Asia
• ~250 employees
Strong Financials • $49 million revenue (trailing 12-month)
• 43 consecutive quarters of profitability
• $40 million in the bank
• 22 consecutive quarters of active share buyback
• NASDAQ: PVSW since 1997
Leader in Data Innovation • 24% of top-line revenue re-invested in R&D
• Software to manage, integrate and analyze data, in the cloud or on-premises, throughout the entire data lifecycle
3
Jason Wagner
Platform Manager Pervasive DataCloud2 • Management of DataCloud2
architecture, engineering, and operations teams
• 11 years experience in system administration, web services and integration architectures
• Previously: – CRM and Business Intelligence Platforms
at Roche Tissue Diagnostics – Integration Solutions Architecture at
Pervasive Software
4
Pervasive DataCloud2
• Integration Platform as a Service (iPaaS) • Hosted Design Service to build and test
integration connectivity and workflows • Management Console and API access to deploy,
schedule, and execute integration jobs • Elastic job execution service to scale up and
down with customer needs and blackbox their own SaaS and on-premise integration applications
5
Pervasive DataCloud2
DataCloud2 provides a secure and intuitive way to Design, Deploy and Manage both SaaS to SaaS or SaaS to On-premise
SaaS ISV’s SI Enterprise IT
6
Cloud Application
SaaS<->SaaS Integration
Legend Administration & Configuration (No Customer Data) Customer Data Flow
Integration Developers & End Users
7
Cloud Application
Legend Administration & Configuration (No Customer Data) Customer Data Flow
SaaS<->On-Premise Integration
Integration Developers & End Users
9
Our “Security” Mission
1. Protect Customers and Infrastructure from External Threats
2. Protect Customers and Infrastructure from Internal Threats
3. Protect Customers and Infrastructure from Each Other
10
Protection from External Threats
• Strict Firewall Rules • OS Event Monitoring • API Usage Monitoring • Vulnerability Scanning • Breach Protocol • Disaster Recovery Plan
11
Strict Firewall Rules
• Make sure firewall changes are not taken lightly – challenging for us because our customers expect to connect to MANY different endpoints
• Minimize the number of cloud boxes that are exposed – continual audit of WHY? REALLY?
• Elastically allocated resources are the most susceptible, so we are very cautious to lock down inbound ports on these – even from our own internal network access, e.g. Jump Servers
12
Strict Firewall Rules (layered security groups)
Elastic Load Balancer
1
Core Web and Application Servers
2
Job Scheduling and Queuing Service
3
Elastic Worker Nodes
(Job Processors)
4
5 6
Job Execution Data
Storage
13
ERP/CRM
Database
Message Q
Onramp Framework
Aggregate Join Transform Match Record linkage
Data prep Schedule Partner mgmt Reformat Validate Profile
Data collect
Reports
Deploy Monitor
Firewall
Customers with on-premise apps
Analyze
Load
Strict Firewall Rules (protecting customer on-prem resources)
14
OS Event Monitoring
• Collect and monitor OS events for any changes to permissions or alerts
• Some of the system events we are interested in: – Failed login attempts – Successful login attempts – User access changes – Group access changes
15
API Usage Monitoring
• Collect and monitor API usage for many kinds of statistics
• Some of the statistics we are interested in: – Failed login attempts – Failed object access attempts – Activity volume by operation – Activity volume by user
16
Other Types of Monitoring
• Collect and monitor other types of statistics
• Some of the statistics we are interested in: – Web page reads and write attempts – Database activity, SQL injection – URL modification, XSS
17
Vulnerability Scanning
• Regular intrusive and DoS attack simulations during maintenance windows
• Include scans as part of SDLC and any significant change to staging or production environments
• We use several popular services for external scans, as well as our own “DoS/Brute Agent”
18
Breach Protocol
• Have breach protocol well-documented and easy to find to prevent knee-jerk or panic reactions
• Suspected/confirmed breach (red flag) – Quarantine/Triage/Investigation – Notification/Transparency/Lessons Learned
• Limiting breach exposure
– Data Encryption – Monitoring/Auditing – Contractual Language
19
Disaster Recovery Plan
• It is important to be well-documented and spelled-out contractually (whatever the plan is)
• Disaster recovery is more than just geographic catastrophe and redundancy, but also: – How do you recover from significant outage caused by
malicious activity? – How do you recover from a vendor outage? Amazon?
Rackspace? – How do you respond if critical/confidential data is lost
or compromised?
20
Protection from Internal Threats
• Sometimes Well-intentioned • Operational Run Book • Periodic and Spot Check Audits • Access Activation/Deactivation Protocols • Segregation of Duties/Change Control • Shared Passwords
21
Operational Run Book
• Regular, weekly reports from all security related tools: – Cloud Firewall Configurations – OS and API Monitoring Logs – IDS/IPS Reports – Availability and Performance Metrics – Deployment/Patch/Source CM Reports – Incident Reports – Vulnerability Scan Report
• Good to have when you are auditor or auditee
22
Internal Audits
• Three types of audits to consider: Scheduled, event-driven, and random spot check
• Some of the things we are interested in: – Cloud Firewall changes reconcile with approved
change log – User permissions reconcile with approved change log – Approved change log is properly documented (WHY?
REALLY?) – Customer usage rates fall within “expected” range
23
Access Activation/Deactivation Protocol • Work closely with Corporate IT and HR to
document roles, functions, and who has access to what…
• Build matrices of access/permission changes based on role and procedures that must take place whenever someone leaves or joins the team/company
• Don’t forget to account for contractors….
24
Segregation of Duties/CM
• Identify conflicts between engineering and operations – Formal escalation process – Protocol for engineering access to production systems
• Enforce change control for security sensitive
changes – Cloud Firewall modifications – User or group access privileges – Any kind of software or hardware patch in production
25
Shared Keys/Passwords
• AVOID, but make sure shared password reset events are well-known/documented (Access Activation/Deactivation Protocol)
• There are tools to assist – We have had success with LastPass “secretly” sharing passwords, i.e. the end user does not know the password and it can be revoked from their LastPass account at any time
26
Protecting Our Customers and Infrastructure from Each Other • Service and Data Availability • Multi-Tenancy on Elastic Resources • Handling Agents and Clients • Alerts and Error Reporting • Contract Language
27
Service and Data Availability
• Public Trust Site – We try to be as transparent as possible with our external monitors, without actually publishing the exact checks/procedures
• Internally make sure we have a pulse on real time volumes – if in danger of NOT scaling, that could be a security risk to us and our customers
• Data Integrity – this can get complex when you start dealing with highly scalable data stores that may not be inherently relational
29
Multi-Tenancy on Elastic Resources
• This is a challenge for us due to the power and flexibility of our product – we have to limit cloud functionality vs. on-premise use
• We encrypt any kind of identifying information – that we know about
• We spend a lot of resources “cleaning” up after jobs are executed – we have to plan for some loss of concurrency and efficiency because of the continual need to prop up and tear down…
30
Agents and Clients
• We our own managed clients called agents for on-premise connectivity, which typically are connecting and communicating to the “integrating” apps as well as DataCloud2
• Adds another dimension to what we have to track in terms of not only users that are connecting, but WHAT and WHERE are they connecting from?
• What about custom DataCloud2 clients built by customers?
31
Alerts and Error Reporting
• Challenge for us is that our customers have all kinds of different projects and metrics they are interested in
• How are customers notified of different events they may be interested in?
• It is possible that integration logs may have confidential information – especially if they are customized by the user/developer (see contract)
32
Contract Language
• How we behave is well-documented: – Breach Notification Policy – Backup Policy and Remedies – Data Redundancy Policy – Service Redundancy Policy – History and Log Archival
• Customer data storage policy
– Types Allowed, HIPAA? – How do you audit that your customers are compliant? – Encrypt all? Or just what is necessary? (see contract)