Securing Servers in Public and Hybrid Clouds

Securing Servers in Public and Hybrid Clouds Leveraging RightScale and CloudPassage Dec 15, 2011 Watch the video of this webinar

Your Panel Today Host Phil Cox , Director, Security and Compliance, RightScale @sec_prof Presenting Uri Budnik , Director, ISV Partner Program, RightScale. @uribudnik Carson Sweet , CEO of CloudPassage. @carsonsweet Q&A Will Eschen , Account Executive, RightScale Please use the “Questions” window to ask questions any time!

Agenda Introduction Security and Compliance in the Cloud – How are they Different? Model for Securing Cloud-based Hosting Environments Demo Deployment of Integrated Solution Q&A

CloudPassage Background Select Customers Recent Awards Production users since July 2010 Publicly accessible since Jan 2011 Commercial release Oct 2011 Halo TM Solution 132 customers 2,154 servers secured 1,273,986 scans completed Early Adoption Founded January 2010 Team of 27 security specialists Backed by Benchmark Capital Company Background

Cloud Changes the Balance Servers used to be highly isolated Bad guys clearly on the outside Layers of perimeter security Poor configurations were tolerable private datacenter public cloud www-1 www-2 www-3 www-4

Cloud Changes the Balance Servers used to be highly isolated Bad guys clearly on the outside Layers of perimeter security Poor configurations were tolerable Cloud servers more exposed Outside of perimeter protections Little network control or visibility No idea who’s next door private datacenter public cloud www-1 www-2 www-3 www-4

Cloud Changes the Balance Servers used to be highly isolated Bad guys clearly on the outside Layers of perimeter security Poor configurations were tolerable Cloud servers more exposed Outside of perimeter protections Little network control or visibility No idea who’s next door Sprawling, multiplying exposures Rapidly growing attack surface area More servers = more vulnerabilities More servers ≠ more people private datacenter public cloud www-1 www-2 www-3 www-7 www-4 www-8 www-5 www-9 www-6 www-10

Cloud Changes the Balance Servers used to be highly isolated Bad guys clearly on the outside Layers of perimeter security Poor configurations were tolerable Cloud servers more exposed Outside of perimeter protections Little network control or visibility No idea who’s next door Sprawling, multiplying exposures Rapidly growing attack surface area More servers = more vulnerabilities More servers ≠ more people Fraudsters target cloud servers Softer targets to penetrate No perimeter defenses to thwart Elasticity = more botnet to sell private datacenter public cloud www-1 www-2 www-3 www-7 www-4 www-8 www-5 www-9 www-6 www-10

Your Servers… Your Responsibility Direct from Amazon AWS Customer Responsibility Provider Responsibility “… the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...” “ it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.” Amazon Web Services: Overview of Security Processes (2011) Physical Facilities Hypervisor Compute & Storage Shared Network Virtual Machine Data App Code App Framework Operating System

CloudPassage Halo was purpose-built to actively protect servers in any cloud. RightScale can ensure secure server configurations across multiple clouds .

Halo GhostPorts two-factor access control Halo REST API for integration & automation Halo is a security Software-as-a-Service providing all you need to secure your cloud servers . Halo TM Functional Capabilities Dynamic network access control Configuration and package security Server account visibility & control Server compromise & intrusion alerting

Compute Grid User Portal https RESTful API Gateway https CloudPassage Halo Halo Daemon Policies, Commands, Reports www-1 Halo www-1

Compute Grid User Portal https RESTful API Gateway https CloudPassage Halo Policies, Commands, Reports www-1 Halo Policies & Commands www-1

Compute Grid User Portal https RESTful API Gateway https CloudPassage Halo Policies, Commands, Reports www-1 Results & Updates Halo www-1

Compute Grid User Portal https RESTful API Gateway https CloudPassage Halo Policies, Commands, Reports www-1 Halo www-1 State and Event Analysis

Compute Grid User Portal https RESTful API Gateway https CloudPassage Halo Policies, Commands, Reports www-1 Halo Alerts, Reports and Trending www-1

100% Multi-Cloud Capable Single pane of glass across hosting models Scales and bursts with dynamic cloud environments Not dependant on chokepoints, static networks or fixed IPs Agnostic to cloud provider, hypervisor or hardware

Features & Pricing Dynamic network access control ✔ ✔ Server compromise & intrusion alerting ✔ ✔ Configuration and software security ✔ ✔ Server account visibility & control ✔ ✔ REST API access ✔ GhostPorts multi-factor authentication ✔ Data storage One day Two years Maximum scanning frequency Daily Hourly Servers protected Up to 25 Unlimited FREE $0.10/hour

Getting Started Register and setup Halo Up to 25 servers are free Evaluation keys are available to unlock pro features Optimize your Halo configuration Set up some server groups & a firewall policy Explore base policies provided by CloudPassage Get answers and tips at community.cloudpassage.com Deploy Halo via RightScript Ensures consistent deployment of Halo across all servers Offers additional visibility and remediation alternatives

RightScale Integration Installation of Halo via RightScript Load your Halo API key into RightScale as a credential Add the CloudPassage Halo RightScript to your server templates All launched servers will automatically have CloudPassage Halo activated Easy, consistent security!

RightScale Real Customers, Real Deployments, Real Benefits Managed Cloud Deployments for 4 Years — globally More than 45,000 users; launched more than 3MM servers! Powering the largest production deployments on the cloud

What do we Mean by Cloud Computing? RightScale

RightScale Manages IaaS Clouds RightScale

Dynamic configuration Abstract role and behavior from cloud infrastructure Predictable deployment Cloud agnostic / portable Object-oriented programming for sysadmins ServerTemplates

Parenthesis : What are ServerTemplates? Custom MySQL 5.0.24 (CentOS 5.2) Custom MySQL 5.0.24 (CentOS 5.4) MySQL 5.0.36 (CentOS 5.4) MySQL 5.0.36 (Ubuntu 8.10) MySQL 5.0.36 (Ubuntu 8.10) 64bit Frontend Apache 1.3 (Ubuntu 8.10) Frontend Apache 2.0 (Ubuntu 9.10) - patched CMS v1.0 (CentOS 5.4) CMS v1.1 (CentOS 5.4) My ASP appserver (windows 2008) My ASP.net (windows 2008) – security update 1 My ASP.net (windows 2008) – security update 8 SharePoint v4 (windows 2003) – 32bit SharePoint v4 (windows 2003) –64bit SharePoint v4.5 (windows 2003) –64bit … Configuring servers through bundling Images: A set of configuration directives that will install and configure software on top of the base image Configuring servers with ServerTemplates: CentOS 5.2 CentOS 5.4 Ubuntu 8.10 Ubuntu 9.10 Win 2003 Win 2007 Base Image Very few and basic

Integrated approach that puts together all the parts needed to architect single & multi-server deployments ServerTemplates VS.

CloudPassage / RightScale Integration Demo

Find Out More Web Resources: RightScale.com/partners/isv/CloudPassage.php Right Scale.com/webinars Right Scale.com/whitepapers Community.CloudPassage.com Blogs: Blog.RightScale.com Follow us on Twitter @secprof @uribudnik @carsonsweet @cloudpassage @rightscale

Thank you!!! Contact Information CloudPassage Team info@ cloudpassage.com [email_address] (415) 886-3020 RightScale [email_address] (866) 720-0208 phil @rightscale.com

Data Security We will cover … Common data exposure vectors Security benefits of centralized management Unique security needs associated with hybrid and cross-cloud environments

Biggest real risks to data in the cloud? The same things as when your data were not in the cloud. Poor application security leading to Injection Poor system configurations, leading to system compromised Poor application configuration leading to application compromise Poor user habits leading to compromised credentials, that are then used to access data

Common data exposure vectors in the cloud Data is typically exposed in the following three states: In Process At Rest In Transit

We must protect data “In Transit” Why? You do not want the bad guys to see or modify your data You can ’t guarantee the path your data will take You may have regulatory or contractual requirements to do so Risk Sniffing along the path Modification of existing data Injection of new data Common Solutions Application Transport (SSL & TLS) VPN (SSL, IPSEC, PPTP, L2TP) App level data encryption (custom) Map of Internet Traffic

We must protect data “At Rest” Why? Same as previous: You do not want unauthorized Disclosure Modification Injection Risks Intrusion into Instance/Guest exposes data on its filesystem Cloud provider access to ephemeral storage (e.g., EBS, SWIFT) Cloud provider access to other storage options (e.g., S3, CloudFiles) Common Solutions Protection offered by running operating system (Access Control Lists) *Encryption (and Key Management)* SLA and Policies/Processes of the Cloud provider

We must protect data while “In Process” Why? Same as previous: You do not want unauthorized Disclosure Modification Injection Risk Data is in clear in the memory of the Instance Privileged users on a system can read memory Hypervisor has access to instance memory Common Solutions Protect the system that is processing Protect the hypervisor running the Instance Limit administrative users

Where RightScale shines RightScale can be used to ensure that poor system and application configurations are not what cause you to lose your data Use RightScale to: Require data to be transmitted securely Require data be stored securely Ensure systems are appropriately patched and configured to minimize exposures The core technologies are RightImages ServerTemplates RightScripts Repo’s and Mirrors Security Motto: “Build it secure, keep it secure!”

Build it Secure Known Configurations Start with Multi-Cloud Images Build with ServerTemplates Modify with RightScripts Build from Frozen Repos What How Use Trusted Images Script the install and configuration Trusted Repository

Keep it Secure What Update the Operating System Update the applications Validate the configuration How You can use the same mechanism as in your enterprise *OR* Use operational RightScripts to do it for you *OR* Use a partner ISV that specializes in that service

Hybrid/cross cloud security concerns Cloud functionality differences This is the biggest concern in a non-homogeneous environment Security features are different in scope and implementation for basically all different cloud orchestration technologies Identity and Access Management features differ Log levels and information differ Applying consistent builds throughout Think of the term “security group”, then define what that means in all the clouds you will use? How do you manage them consistently? Physical protections will differ from provider to provider You will need to take this into consideration when looking at controls to implement

Securing Servers in Public and Hybrid Clouds

More Related Content

What's hot (20)

Similar to Securing Servers in Public and Hybrid Clouds (20)

More from RightScale (20)

Recently uploaded (20)

Securing Servers in Public and Hybrid Clouds

Editor's Notes