Cloud Security Practices and Principles from Sumo Logic
The Public Cloud Is:
- An opportunity to simplify and increase security
- Misunderstood
- A victim of FUD
- Take time to examine it?
- Or DOOM?
- Fearing what you do not understand is reasonable from an IT perspective. But this is worth the time to understand.
The Old World
- You have people on your staff who know way too much about wattage, and BTUs and rack density and how raised, exactly, the floor needs to be
- So you think in certain ways:
- Hardware rotates and depreciates on a fixed 36-month cycle
- This is the mix of RAM, Disk, and CPU I have to work with
- This is how many watts we’ve got
- And this is the bandwidth capacity of the datacenter
Where Does This Leave You?
- Trying to insert yourself in the process run by the ping, power and pipe guys
- Dealing with span ports
- Dealing with legacy compromises and legacy infrastructure that no longer matches your security requirements…
- And probably never did
- We do lots of things in this business where we transit public space, and we take steps to secure that transit
A New World
Cloud computing is truly a different paradigm with different rules and different logic
[Comparison table: The Old World | Cloud Computing]
But the FUD!
- What security professionals are looking for is control
- You can achieve control in the cloud, by playing a new game
- “The highest form of generalship is to thwart your enemies’ plans.” - Sun Tzu
What’s In It for Me?
- Not needing to regularly review firewall rule ordering as part of your operational process, as one example
- Instrument
- Gather data
- Design your rules
- Iterate from the whiteboard
- Not a live firewall console
Design Design Design
- In the cloud, you have the tools to design, implement, and refine your policies, controls, and enforcement in a centralized fashion
- Your code is your infrastructure
- Your SDLC can now be brought to bear on areas traditionally out-of-sync with your security posture
- Scale to massive sizes without having to worry about things like firewall rule ordering, optimization, or audit as part of your operational cycle
- Your security will become fractal, and embedded in every layer of your system
The Primitives
- What are your primitives?
- I/O, Memory, Storage, Compute, and Code
- Data
- At Rest, in Motion, and in Use
- Access control
- Monitoring tools, third-party apps, troubleshooting tools
- Interfaces/APIs
- Clean, Minimal, Authenticated, Validated
Minimalism
- Each of those must be thought of on its own and in combination with the other components it interacts with
- It is both that simple and that complicated
Understand Everything
- That simplicity gives you the power to understand everything
- Every protocol
- Every interface
- If you want to achieve true and full Default Deny on everything, everywhere, this is where it starts
- Understand your state changes
- Bring that understanding to bear through development
- And you can attain Emergent Security
With Automation, All Things are Possible
- Your entire infrastructure is your code-base
- There is no gap between the operational physical layer and the software that runs on top of it
- Machine and network failures are just exceptions to be caught and handled
- Your infrastructure can now evolve and support your system because it is the system
Like What?
- Register all of your VMs, services, IPs, and ports
- Automatically build firewall policies based on that
- Re-build and distribute SSL/TLS keys
- Whenever you want
- HIDS, HFW and File Integrity Checkers configured with instance tags
- Unit test everything
- Allowing security to keep up with your product
Encrypt It All
- You know… like we do… on the Internet
- At rest and in motion
- Any data that is ephemeral can be kept on encrypted ephemeral storage, with keys that are simply kept in memory
- When the instance dies, the key dies with it
- Longer-lived data should be stored away from the keys that secure it
- If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool
Default Deny Nirvana
- Allow only expected connections
- Front-end web-applications need to accept connections from anyone in the world
- But it’s more likely that only your load balancer does
- As part of your infrastructure as software design
- Know what needs to talk to what
- On what port and under what circumstances
- And only allow that
- Everything else is bit-bucketed and alerted on
- In software-driven cloud-based deployments, there is no longer any excuse for any other way of doing it
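The two ideas above, "register everything and build the firewall policy from it" and "know what talks to what, allow only that, alert on the rest", as one added example that is not Sumo Logic's code. The registry, roles, IPs and flows are constructed sample data; the functions are illustrative, not any cloud provider's API.

```python
"""Derive a default-deny firewall policy from a service registry, then
evaluate connection attempts against it. Sample data is constructed."""
from collections import namedtuple

Flow = namedtuple("Flow", "src_role dst_role port")

# Constructed registry: instance IP -> role tag and listening ports
REGISTRY = {
    "10.0.1.10": {"role": "lb",  "ports": [443]},
    "10.0.2.20": {"role": "web", "ports": [8080]},
    "10.0.2.21": {"role": "web", "ports": [8080]},
    "10.0.3.30": {"role": "db",  "ports": [5432, 22]},
}

# Declared flows (the design step): what needs to talk to what, on what port
ALLOWED_FLOWS = [
    Flow("internet", "lb", 443),
    Flow("lb", "web", 8080),
    Flow("web", "db", 5432),
]

def build_policy(registry, flows):
    """Expand role-level flows into explicit (src_ip, dst_ip, port) allow
    rules; anything not produced here is implicitly denied."""
    by_role = {}
    for ip, meta in registry.items():
        by_role.setdefault(meta["role"], []).append(ip)
    rules = set()
    for f in flows:
        srcs = ["0.0.0.0/0"] if f.src_role == "internet" else by_role.get(f.src_role, [])
        for dst in by_role.get(f.dst_role, []):
            # Only emit a rule if the destination actually registered that port
            if f.port in registry[dst]["ports"]:
                for src in srcs:
                    rules.add((src, dst, f.port))
    return rules

def evaluate(policy, src, dst, port):
    """'allow' for a declared flow, 'deny+alert' for everything else."""
    if (src, dst, port) in policy or ("0.0.0.0/0", dst, port) in policy:
        return "allow"
    return "deny+alert"

def unreachable_listeners(registry, policy):
    """Ports an instance listens on that no declared flow reaches: these are
    candidates to remove from the instance, not to open in the firewall."""
    reachable = {(dst, port) for _, dst, port in policy}
    return sorted((ip, p) for ip, m in registry.items()
                  for p in m["ports"] if (ip, p) not in reachable)
```

Because the policy is plain data derived from the registry, it can be unit-tested on every change, which is what lets security keep pace with the product.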
Conclusion
- The public utility model of cloud computing brings substantial advantages of scalability and automation, which can be leveraged by information security professionals
- As a result, a more secure service can be built on the public cloud for less investment than in a traditional data center
- Just remember your fundamentals
- And always shoot the messenger
Q&A and Next Steps
- Download our white paper, Building Secure Services in the Cloud: www.sumologic.com/resources
- Register for Sumo Logic free www.freesumo.com
- Contact joan@sumologic.com or info@sumologic.com