Cloud Security Practices and Principles Joan Pepin Director of Security Sumo Logic


Post on 27-Mar-2015


Page 1: Cloud Security Practices and Principles Joan Pepin Director of Security Sumo Logic

Cloud Security Practices and Principles
Joan Pepin
Director of Security
Sumo Logic

Page 2: Who are you?

– Director of Security – Sumo Logic
– Director of Research – Dell/SecureWorks
  • 9 years MSSP
– Technical Staff – MIT LL

Sumo Logic 2

Page 3: The Public Cloud is

– An opportunity to simplify and increase security
  • Through automation
  • And solid design principles
– Misunderstood
  • Risk model vs. hosting
  • Risk model vs. other public utility models
– A victim of FUD
  • Take time to examine it?
  • Or DOOM?

Page 4: Why the Bad Rap?

– Fearing what you do not understand is reasonable from an IT perspective. But this is worth the time to understand
  • I see anti-cloud policies
  • With no solid risk assessment
– Is this technological conservatism?
  • Which is common and natural in security
  • But can lead to out-of-sync security postures
– Or an emotional reaction?
  • Don't move my cheese
  • Get off of my cloud!

Page 5: Old World / New World

– You have people on your staff who know way too much about wattage, BTUs, rack density and exactly how raised the floor needs to be
  • Limits your thinking
  • Causes gaps
– The new world is very different
  • Scripts and capacity planning spreadsheets -> feedback loops/auto-scaling
  • 36-month refresh cycles -> bids for spot instances
  • Physical control -> process, automation, and design

Page 6: Design Design Design

– In the cloud you have the tools to design, implement and refine your policies, controls and enforcement in a centralized fashion
  • Your code is your infrastructure
  • Your SDLC can now be brought to bear on areas traditionally out of sync with your security posture
– Scale to massive sizes without having to worry about things like firewall rule ordering, optimization or audit as part of your operational cycle
  • Your security will become fractal, and embedded in every layer of your system.

Page 7: Fundamentals

– You are operating in a complete information environment
  • Like the Internet
  • Or the PSTN
– It's all about the fundamentals of system thinking and design
  • I/O
  • Storage
  • RAM
  • Compute
  • Code

Page 8: Minimalism

– Each of those must be thought of on its own and in combination with the other components it interacts with
  • And you have the tools to do that
  • With infrastructure as code
– It is both that simple and that complicated.
  • So design your security in at every layer
  • Test it, instrument it, and iterate it

Page 9: The Primitives

– Data
  • Encrypted at rest, in motion, and in use
– Access control
  • Monitoring tools, third-party apps, troubleshooting tools
– Interfaces/APIs
  • Clean, minimal, authenticated, validated
– I/O, memory, storage, and compute
  • Encrypted, limited, controlled

Page 10: With Automation, All Things are Possible

– Thinking of your entire infrastructure as part of your code base changes the game completely
  • Always in pace
  • Always relevant
– There is no longer a gap or disconnect between the operational physical layer and the software that runs on top of it
  • Firewalls everywhere?
  • HIPS everywhere?
– Adaptive security infrastructure

Page 11: Like What?

– Register all of your VMs, services, IPs, and ports
  • Automatically build firewall policies based on that
– Re-build and distribute SSL/TLS keys
  • Whenever you want
– HIDS, HFW and file integrity checkers configured with instance tags
  • Tags for lots of things
– Everything unit tested
  • Allowing security to keep up with your product

Page 12: DTRT (Do The Right Thing)

– Your system has I/O, storage, memory and network underneath it, as well as your software components
  • And you can control and iterate that continuously
  • Leveraging IaaS providers' APIs
– Think about every place that information is exchanged, transferred or transformed, and do the right thing there.
  • Engage the developers
  • Check in code

Page 13: Understand Everything

– Simplicity gives you the power to understand everything
  • Every protocol
  • Every interface
– If you want to achieve true and full Default Deny on everything, everywhere, this is where it starts
  • Understand your protocols
  • Understand your stack
– And you can attain Emergent Security
  • Develop and follow standards

Page 14: How?

– If this is input, sanitize it.
– If it is storage, network or memory, encrypt it.
– If it is output you are feeding back to your customer or another component, sanitize that too.
– Don't trust client-side verification; enforce everything at every layer…

Page 15: Default Deny Nirvana

– Allow only expected connections
  • Front-end web applications need to accept connections from anyone in the world (but it's more likely only your load balancer does)
– As part of your infrastructure-as-software design
  • Know what needs to talk to what, on what port and under what circumstances
  • And only allow that; everything else is bit-bucketed and alerted on.
– In software-driven cloud-based deployments, there is no longer any excuse for any other way of doing it
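As an added example (not from the deck), the registry-driven, default-deny policy of slides 11 and 15 in Python: a constructed registry of tags and IPs is expanded into explicit allow rules, unmatched connections are dropped and alerted on, and CI-style invariants check the generated policy before it is pushed. The IaaS tag API that would populate the registry in practice is assumed rather than called.

```python
import ipaddress

# Constructed registry, tag -> instance IPs; a real deployment would pull this
# from the IaaS provider's instance/tag API (assumption, not shown here).
REGISTRY = {
    "lb": ["10.0.1.10", "10.0.1.11"],
    "web": ["10.0.2.20", "10.0.2.21"],
    "db": ["10.0.3.30"],
}
# Declared flows: (source tag, destination tag, destination port).
# "internet" is the only non-registry tag and expands to 0.0.0.0/0.
FLOWS = [("internet", "lb", 443), ("lb", "web", 8080), ("web", "db", 5432)]


def build_policy(registry, flows):
    """Expand tag-level flows into explicit (src_cidr, dst_ip, port) allow
    rules. There is no allow-all: anything not produced here is dropped."""
    rules = set()
    for src_tag, dst_tag, port in flows:
        srcs = ["0.0.0.0/0"] if src_tag == "internet" else registry[src_tag]
        for src in srcs:
            for dst in registry[dst_tag]:
                rules.add((src, dst, port))
    return rules


def evaluate(policy, src_ip, dst_ip, port):
    """Decision for one observed connection: 'allow' on a matching rule,
    otherwise 'drop+alert' (bit-bucketed, but never silently)."""
    src = ipaddress.ip_address(src_ip)
    for rule_src, rule_dst, rule_port in policy:
        if rule_port == port and rule_dst == dst_ip:
            if src in ipaddress.ip_network(rule_src):
                return "allow"
    return "drop+alert"


def policy_violations(policy, registry, flows):
    """Invariants to run as unit tests in CI before pushing the policy: every
    destination is a registered instance, and 0.0.0.0/0 may only reach tiers
    explicitly declared internet-facing."""
    public_tiers = {dst for src, dst, _ in flows if src == "internet"}
    tag_of = {ip: tag for tag, ips in registry.items() for ip in ips}
    problems = []
    for src, dst, port in sorted(policy):
        if dst not in tag_of:
            problems.append(f"unregistered destination {dst}:{port}")
        elif src == "0.0.0.0/0" and tag_of[dst] not in public_tiers:
            problems.append(f"public exposure of {dst}:{port}")
    return problems
```

Re-running `build_policy` whenever an instance is registered or retired, and gating the push on `policy_violations` returning an empty list, is what lets the firewall keep pace with the product as the slides describe.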

Page 16: Encrypt it all…

– You know… like we do… on the Internet ;)
– At rest, in motion, and in use
  • Any data that is ephemeral can be kept on encrypted ephemeral storage, with keys that can simply be kept in memory
  • When the instance dies, the key dies with it.
– Longer-lived data should be stored away from the keys that secure it
  • If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool