Download - The Practitioners Guide to Cloud Security
Dome9 – Secure Your Cloud™Dome9 – Secure Your Cloud™
CloudExpo Europe – London, January 2013
The Practitioners Guide to Cloud Security
London, January 2013
Zohar Alon@zoharalonCo-Founder & CEO
Dome9 – Secure Your Cloud™
Me, and my company
Zohar Alon – Co-Founder & CEOCreator of Check Point’s Provider-1 & SP product linesOver 20 years of security & IT experience.
Cloud Server Security Management Automate and centralize security across an unlimited
number of cloud, dedicated, and virtual private servers
Dome9 – Secure Your Cloud™
What’s this?
Dome9 – Secure Your Cloud™
1 day and 86,000 attempts later…
Dome9 – Secure Your Cloud™
There are more than 30 millionCloud, VPS & Dedicated Servers
Most of these servers are vulnerable to attack
– Admins leave ports open to connect to their servers– Hackers use these same open ports to gain access
Most of these servers’ security is unmanageable
– Sprawled across multiple private & public clouds– Operating systems are a virtual buffet
Most of the ‘available’ security doesn’t work– Service providers lack expertise & focus to build it– Security vendors have business models that don’t fit
and/or technology that doesn’t migrate and scale
Dome9 – Secure Your Cloud™
Who’s responsible for security?
Dome9 – Secure Your Cloud™
The Practitioners Guide
• Most don’t know who’s responsible for cloud security– 42% say they wouldn’t know if
their cloud was hacked– 39% think their provider would
tell them
• Security is everybody’s responsibility– accept and share it!
• Security is your responsibility– Deal with it!
Part 1 – Responsibility
31%
36%
33%
Customer Provider Both
Who’s Responsible?
Ponemon Cloud Security Research Study
Dome9 – Secure Your Cloud™
The Practitioners Guide
• If Anyone can login consider Multi-Factor authentication to harden access
• Simple mobile app integration, w/ QR code support & SMS backup
Part 2 – Authentication
Dome9 – Secure Your Cloud™
Dome9 – Secure Your Cloud™
Dome9 – Secure Your Cloud™
The Practitioners Guide
• WAF: Web Application Firewall– Protects Web services, sites and applications– Monitor the requests to the web layer– Brute-force Login, Span Bots, SQL injections, etc.
• Easy to enable – No Install!– Provides added security layer w/o overhead
• Every Web App Will Use one– CloudFlare, Incapsula or Akamai – Bonus I – site is faster– Bonus II – DDOS mitigation capabilities
Part 3 - WAF
Dome9 – Secure Your Cloud™
The Practitioners Guide
• You saw how many insights we get from the logs. You need to store and analyze them.
• We use several vendors for this – each for a different use-case:– Splunk & SplunkStorm– SumoLogic– Loggly – LogEntries
Part 4 – Log
Dome9 – Secure Your Cloud™
The Practitioners Guide
• Take Control on your security policies– You do much more when it comes to the office firewall
• Close All (admin) Ports – Open Dynamically– Open them only for whom, and for as long as is needed.
• Don’t rely on static scopes– Too much management overhead and risk.
• Aggregate & Centralize firewall management– Across regions, providers and applications
• At Dome9, we eat our own dog food– On Amazon, Verison’s Terrermark and Rackspace
Part 5 – Firewall
Dome9 – Secure Your Cloud™
What happened here?
Dome9 – Secure Your Cloud™
Dome9: How it WorksAutomated Cloud Server Security
Manage OS firewall (via Agent) and virtual firewall (via API) across all cloud servers
Enable on-demand, time-based secure access leases per server, source & time Automatically close server
access when lease expires
Stop attackers from targeting open admin ports via brute force attacks and exploits
Dome9 – Secure Your Cloud™
Multi-Cloud Management
Time-Based Controls
1-Click Secure Access
Dome9 Central Simplified Security Management
Dome9 – Secure Your Cloud™
Wrap Up
① Take Responsibility
② Harden Authentication
③ Use a Web Application Firewall
④ Log, Log, Log, Log, Log… and Analyze
⑤ Lockdown and Automate the Server Firewalls… with Dome9!
Dome9 – Secure Your Cloud™
Q&A
Dome9 – Secure Your Cloud™
References and Links
• Firewall Management Service:– http://www.dome9.com/– https://secure.dome9.com/account/register?code=ecommerc
e
• MyDigipass 2 Factor Authentication Service:– https://www.mydigipass.com/
• Log Management Services:– Splunk Storm Service - https://www.splunkstorm.com/– Loggly - http://loggly.com/– LogEntries - https://logentries.com/
• WAF Services:– CloudFlare - https://www.cloudflare.com/– Incapsula - http://www.incapsula.com/
• Cloud Security Study:http://www.dome9.com/wp-content/uploads/2011/11/Ponemon-Cloud-Security-Study.pdf