Cloud Security Practices and Principles, Joan Pepin, Director of Security

Transcript and Presenter's Notes


1
Cloud Security Practices and Principles
Joan Pepin
Director of Security
2
Who are you?
  • Director of Security
    • Sumo Logic
  • Director of Research
    • Dell/SecureWorks
    • 9 years MSSP
  • Technical Staff
    • MIT LL

3
The Public Cloud is
  • An opportunity to simplify and increase security
    • Through automation
    • And solid design principles
  • Misunderstood
    • Risk model vs. hosting
    • Risk model vs. other public utility models
  • A victim of FUD
    • Take time to examine it?
    • Or DOOM?

4
Why the Bad Rap?
  • Fearing what you do not understand is reasonable
    from an IT perspective. But this is worth the
    time to understand
  • I see anti-cloud policies
    • With no solid risk assessment
  • Is this technological conservatism?
    • Which is common and natural in security
    • But can lead to out-of-sync security postures
  • Or an emotional reaction?
    • Don't move my cheese
    • Get off of my cloud!

5
Old World / New World
  • You have people on your staff who know way too
    much about wattage, and BTUs, and rack density, and
    how raised, exactly, the floor needs to be
    • Limits your thinking
    • Causes gaps
  • The new world is very different
    • Scripts and capacity planning spreadsheets ->
      feedback loops/auto-scaling
    • 36-month refresh cycles -> bids for spot
      instances
    • Physical control -> process, automation, and
      design

6
Design Design Design
  • In the cloud you have the tools to design,
    implement and refine your policies, controls and
    enforcement in a centralized fashion
  • Your code is your infrastructure
  • Your SDLC can now be brought to bear on areas
    traditionally out-of-sync with your security
    posture
  • Scale to massive sizes without having to worry
    about things like firewall rule ordering,
    optimization or audit as part of your operational
    cycle
  • Your security will become fractal, and embedded
    in every layer of your system.

7
Fundamentals
  • You are operating in a complete information
    environment
    • Like the Internet
    • Or the PSTN
  • It's all about the fundamentals of systems
    thinking and design
    • I/O
    • Storage
    • RAM
    • Compute
    • Code

8
Minimalism
  • Each of those must be thought of on its own and
    in combination with the other components it
    interacts with
  • And you have the tools to do that
    • With infrastructure as code
  • It is both that simple and that complicated.
  • So design your security in at every layer
  • Test it, instrument it, and iterate it

9
The Primitives
  • Data
    • Encrypted at rest, in motion, and in use
  • Access control
    • Monitoring tools, third-party apps,
      troubleshooting tools
  • Interfaces/APIs
    • Clean, minimal, authenticated, validated
  • I/O, memory, storage, and compute
    • Encrypted, limited, controlled

10
With Automation, All Things are Possible
  • Thinking of your entire infrastructure as part of
    your code base changes the game completely
    • Always in pace
    • Always relevant
  • There is no longer a gap or disconnect between
    the operational physical layer and the software
    that runs on top of it
  • Firewalls everywhere?
  • HIPS everywhere?
  • Adaptive security infrastructure

11
Like What?
  • Register all of your VMs' services, IPs, and ports
    • Automatically build firewall policies based on
      that
  • Re-build and distribute SSL/TLS keys
    • Whenever you want
  • HIDS, HFW and file integrity checkers configured
    with instance tags
    • Tags for lots of things
  • Everything unit tested
    • Allowing security to keep up with your product

12
DTRT
  • Your system has I/O, storage, memory and network
    underneath it, as well as your software
    components
    • And you can control and iterate that continuously
    • Leveraging IaaS providers' APIs
  • Think about every place that information is
    exchanged, transferred or transformed and do the
    right thing there.
  • Engage the developers
  • Check in code

13
Understand Everything
  • Simplicity gives you the power to understand
    everything
    • Every protocol
    • Every interface
  • If you want to achieve true and full Default Deny
    on everything, everywhere, this is where it
    starts
    • Understand your protocols
    • Understand your stack
  • And you can attain Emergent Security
    • Develop and follow standards

14
How?
  • If this is input, sanitize it.
  • If it is storage, network or memory, encrypt it.
  • If it is output you are feeding back to your
    customer or another component, sanitize that too.
  • Don't trust client-side verification; enforce
    everything at every layer.

15
Default Deny Nirvana
  • Allow only expected connections
    • Front-end web applications need to accept
      connections from anyone in the world
      • (but it's more likely only your load balancer
        does)
  • As part of your infrastructure-as-software design
    • Know what needs to talk to what
      • on what port and under what circumstances
  • And only allow that
    • everything else is bit-bucketed and alerted on.
  • In software-driven cloud-based deployments, there
    is no longer any excuse for any other way of
    doing it
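The registry-driven, default-deny policy that slides 11 and 15 describe, as an added example that is not code from the talk or from Sumo Logic: each VM registers its service, IP, port and tags, declared dependencies become the only allow rules, and a final rule drops and alerts on everything else. The service names, addresses and the `talks_to` field are constructed for illustration.

```python
# Added example (not from the talk): a default-deny policy generated from a
# service registry. All names, addresses and tags below are constructed.
from dataclasses import dataclass

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Service:
    name: str
    ip: str
    port: int
    tags: frozenset        # instance tags, e.g. to pick HIDS/FIM profiles
    talks_to: frozenset    # names of services this one may connect to

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str            # "allow" or "deny+alert"

REGISTRY = [  # constructed: only the load balancer is reachable from the world
    Service("lb", "10.0.0.10", 443, frozenset({"edge"}), frozenset({"web"})),
    Service("web", "10.0.1.10", 8080, frozenset({"app"}), frozenset({"api"})),
    Service("api", "10.0.2.10", 9000, frozenset({"app"}), frozenset({"db"})),
    Service("db", "10.0.3.10", 5432, frozenset({"data"}), frozenset()),
]

def build_policy(registry, public=("lb",)):
    """Allow only declared flows between registered services; deny the rest."""
    by_name = {s.name: s for s in registry}
    rules = []
    for svc in registry:
        if svc.name in public:
            rules.append(Rule(ANY, svc.ip, svc.port, "allow"))
        for peer in sorted(svc.talks_to):
            if peer not in by_name:  # unregistered dependency: fail closed
                raise ValueError(f"{svc.name} depends on unregistered {peer!r}")
            rules.append(Rule(svc.ip, by_name[peer].ip, by_name[peer].port, "allow"))
    rules.append(Rule(ANY, ANY, 0, "deny+alert"))  # everything else: bit-bucket and alert
    return rules

def is_allowed(rules, src, dst, port):
    # First-match evaluation of a connection attempt against the policy.
    for r in rules:
        if r.src in (src, ANY) and r.dst in (dst, ANY) and r.port in (port, 0):
            return r.action == "allow"
    return False

def world_reachable(rules):
    # Unit-test hook: the (ip, port) pairs the policy exposes to the internet.
    return {(r.dst, r.port) for r in rules if r.action == "allow" and r.src == ANY}
```

`world_reachable` is the kind of invariant to keep in the policy's unit tests: a change that exposes anything other than the load balancer fails the build before it reaches production.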

16
Encrypt it all
  • You know, like we do on the Internet :)
  • At rest, in motion, and in use
  • Any data that is ephemeral can be kept on
    encrypted ephemeral storage, with keys that can
    simply be kept in memory
    • When the instance dies, the key dies with it.
  • Longer-lived data should be stored away from the
    keys that secure it
  • If the data is particularly sensitive, securely
    wipe the data before spinning down the disk and
    giving it back to the pool