life in the cloud - owasp€¦ · • automate, automate, automate • focus on your unique...

42
Life in the Cloud A Service Provider’s View Michael Smith [email protected] Security Evangelist 1 Friday, November 12, 2010

Upload: others

Post on 16-Jun-2020

19 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Life in the CloudA Service Provider’s View

Michael Smith [email protected] Evangelist

1Friday, November 12, 2010

Page 2: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Agenda

Cloud is Secure, Right?

Building a Cloud Security Program

Security Program Case Study

Features, Products, and Configurations

What I Want You to Know

Summary

2Friday, November 12, 2010

Page 3: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Because this is a Cloud Security Talk

Cloud is:• On-demand self-service• Broad network access• Resource pooling• Rapid elasticity• Measured service

--CSA Security Guidance for Critical Areas of Focus in Cloud Computing V2.1

3Friday, November 12, 2010

Page 4: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

What the Cloud Security Alliance Says

“Cloud computing is about gracefully losing control while maintaining accountability even if the

operational responsibility falls upon one or more third parties.”

--CSA Security Guidance for Critical Areas of Focus in Cloud Computing V2.1

4Friday, November 12, 2010

Page 5: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

What the Cloud Security Alliance Says

“Cloud computing is about gracefully losing control while maintaining accountability even if the

operational responsibility falls upon one or more third parties.”

--CSA Security Guidance for Critical Areas of Focus in Cloud Computing V2.1

But...CSA Guidance is customer-centric and cloud is, by

nature, provider-centric.

4Friday, November 12, 2010

Page 6: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

What the Cloud Providers Say*

• We have a SAS-70 (but we won’t let you see the results or the assertions)

• We have a ton of big customers, so you can trust us (and maybe you can talk to them)

• The cloud is more secure!

*Self Excluded

5Friday, November 12, 2010

Page 7: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

What the Cloud Providers Say*

• We have a SAS-70 (but we won’t let you see the results or the assertions)

• We have a ton of big customers, so you can trust us (and maybe you can talk to them)

• The cloud is more secure!

Source:cornify.com

Trust Me!

*Self Excluded

5Friday, November 12, 2010

Page 8: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

So Really....

• What drives a cloud provider’s security program?• How does a good cloud security program look?• What does a cloud tenant need security-wise to

build inside of a particular cloud?• How does the cloud provider protect themselves

from customer security problems?

6Friday, November 12, 2010

Page 9: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

The “Proper Landing Attitude”

Security of the cloud solution is a joint responsibility between the customer and the service

provider.

Please act accordingly.

7Friday, November 12, 2010

Page 10: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Agenda

Cloud is Secure, Right?

Building a Cloud Security Program

Security Program Case Study

Features, Products, and Configurations

What I Want You to Know

Summary

8Friday, November 12, 2010

Page 11: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Security Program Considerations

• Avoid DNS--”Does Not Scale”• Build secure infrastructure• Automate, automate, automate• Provide self-service capabilities wherever possible• Meet 75% of customers’ requirements with

organic platform features• Meet 25% of customers’ requirements with add-

on modules

9Friday, November 12, 2010

Page 12: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Security Program Considerations

• Avoid DNS--”Does Not Scale”• Build secure infrastructure• Automate, automate, automate• Provide self-service capabilities wherever possible• Meet 75% of customers’ requirements with

organic platform features• Meet 25% of customers’ requirements with add-

on modules

= “Reduce the one-off costs per customer while building a security program that

scales.”

9Friday, November 12, 2010

Page 13: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

The Akamai Cloud: Largest Distributed Computing Platform in the World

• 73,000+ Servers• 1,600+ Locations• 70 Countries

• All branches of the US Military• 85 of the top 100 online retailers• 9 of the top 10 anti-virus companies• 29 of the top 30 M&E companies

• 4.5+ Tbps, 15-25% of web traffic• 10+ Million transactions per second

10Friday, November 12, 2010

Page 14: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

What Drives the Akamai Platform?

2010:3.5 Tbps

2018:100 Tbps

11Friday, November 12, 2010

Page 15: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Agenda

Cloud is Secure, Right?

Building a Cloud Security Program

Security Program Case Study

Features, Products, and Configurations

What I Want You to Know

Summary

12Friday, November 12, 2010

Page 16: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Security Governance

• Policy framework established around ISO 27002 framework

• Policies established by Sr. Director of InfoSec • Evaluated annually by 3rd party security consulting firm• Executive report available upon request

• Quarterly reporting to CEO and staff on state of security

13Friday, November 12, 2010

Page 17: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Compliance

• PCI DSS certified Level 1 merchant service provider• Annual 3rd party audit• Annual penetration testing• Quarterly vulnerability assessments

• Annual ISO27002 gap analysis (Foundstone)• 2009 rating: 92% compliance against the standard

• US Government• DHS Authorization to Operate (NIST SP 800-37)• USAF Assessment

14Friday, November 12, 2010

Page 18: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Risk Management

• Risk management activities conducted throughout the product lifecycle

• Vulnerabilities evaluated in two models• Probability (Common Vulnerability Scoring System)• Damage (Severity/Actor evaluation)

• Risks categorized by area of influence• Security (Threats)• Scaling (Growth)• Bulletproofing (Human error)

15Friday, November 12, 2010

Page 19: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Physical/Environmental Security

• SSL network:• Safe combo locks on racks• In-rack cameras reporting intrusion events directly to

Akamai NOCC

• Network deployed in professional colocation facilities with industry standard environmental controls

• Software controls for key management to minimize physical attack surface

16Friday, November 12, 2010

Page 20: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Secure Key Management: “KMI”

256-bit AES

encrypted messages

DSA authenticated

256-bit AES

connections

End UserEnd User

Audit Server

Key Generation

Edge Server

Key Distribution

17Friday, November 12, 2010

Page 21: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Operations Management

• Each application reports telemetry in real time into distributed reporting infrastructure

• Data aggregation feeds into autonomic management systems, alert infrastructure• Autonomic systems act to mitigate faults• Alerts trigger human actions to recover root causes• (e.g., system failures trigger mapping rebalancing

network-wide, while alerts trigger human recovery efforts to restore a machine to service)

18Friday, November 12, 2010

Page 22: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Real Time Event Management: Query

AggregatorAlert

server

Akamai NOCC

19Friday, November 12, 2010

Page 23: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Access Control Management

20Friday, November 12, 2010

Page 24: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Access Control Management

Access Gateway

Server

Encrypted Authenticated

Connection Encrypted Authenticated

Connection

Access Grant Capabilities:

Location

Time window

Frequency

Type of target system

2-factor authentication

21Friday, November 12, 2010

Page 25: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Software Development

• All system components (OS, kernel, applications), as well as configuration are treated as “software”

• Software components developed with automated configuration utilities

• Vulnerabilities and patches deployed as new software images

• “Change once, deploy often”

22Friday, November 12, 2010

Page 26: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Software Deployment: “NetDeploy”

Software repositoryDeveloper

System

Quality

Assurance

Network

Operations

Akamai Akamai

Akamai

while (1){

serve_bits();

log_hits();}

Config

80.67.64.112 EdgeSuite Server

12.129.72.181 Top Level NS

64.215.169.143 SSL Server

23Friday, November 12, 2010

Page 27: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Release Type

Phase1->2

Phase2->3

Customer Config

15 mins 20 mins

System Config

30 min 2 hours

Standard Software Release

24 hours 24 hours

Phase 1:

One Machine

Phase 2:

Subset (< 1/8th

)

the network

Phase 3:

Entire Network

Zoning

24Friday, November 12, 2010

Page 28: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 AkamaiAkamai Confidential: Not for Release

Security and the Sales Lifecycle

• First Encounter:• Information Security Management System Focus Sheet• Security Capabilities Focus Sheet• Customer-provided questionnaire• Introductory security meeting

• Due Diligence Phase (requires NDA):• BITS SIG http://www.sharedassessments.org/ • Executive Summary of ISO 27002 Assessment• More Detailed Meeting

• Audit/Assessment Phase:• Audit support• Compliance modules

25Friday, November 12, 2010

Page 29: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Agenda

Cloud is Secure, Right?

Building a Cloud Security Program

Security Program Case Study

Features, Products, and Configurations

What I Want You to Know

Summary

26Friday, November 12, 2010

Page 30: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Features, Products, and Configurations

• Controls provided to all customers• Controls provided as an additional product• Controls configured by customer• Controls on roadmap• Controls not provided

27Friday, November 12, 2010

Page 31: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Agenda

Cloud is Secure, Right?

Building a Cloud Security Program

Security Program Case Study

Features, Products, and Configurations

What I Want You to Know

Summary

28Friday, November 12, 2010

Page 32: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

What I Want You to Know

I can do some things (including security) that you can’t do

easily or at all.

29Friday, November 12, 2010

Page 33: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

What I Want You to Know

I have tools to help you meet your security and compliance

goals.

30Friday, November 12, 2010

Page 34: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

What I Want You to Know

Right-to-Audit is DNS.

31Friday, November 12, 2010

Page 35: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

What I Want You to Know

I need you to audit your portal users.

32Friday, November 12, 2010

Page 36: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

What I Want You to Know

I provide traffic logs and need you to review them.

33Friday, November 12, 2010

Page 37: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

What I Want You to Know

Your standard Terms and Conditions are DNS.

34Friday, November 12, 2010

Page 38: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

What I Want You to Know

When you set up an insecure configuration, it impacts my

security.

35Friday, November 12, 2010

Page 39: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Agenda

Cloud is Secure, Right?

Building a Cloud Security Program

Security Program Case Study

Features, Products, and Configurations

What I Want You to Know

Summary

36Friday, November 12, 2010

Page 40: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Cloud Customers

• “Know Thyself” and what you can put in a cloud• Business processes• Data types

• Understand the delineation of responsibilities• By control• By component

• Get a roadmap brief• Changing support• New features, products, and capabilities

• Make decisions based on cost, benefit, and risk

37Friday, November 12, 2010

Page 41: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Cloud Providers

• Automate, automate, automate• Focus on your unique security capabilities

• Availability through massive redundancy• Security automation• Security that scales with demand

• Build a standards-based security program (!=SAS-70 for most cases)

• Delineation of responsibility is how you protect yourself

• Build compliance products to meet the last 25%

“I showed you mine, you show me yours”

38Friday, November 12, 2010

Page 42: Life in the Cloud - OWASP€¦ · • Automate, automate, automate • Focus on your unique security capabilities • Availability through massive redundancy • Security automation

Securing a Better Internet © 2010 Akamai

Agenda

Cloud is Secure, Right?

Building a Cloud Security Program

Security Program Case Study

Features, Products, and Configurations

What I Want You to Know

Summary

39Friday, November 12, 2010