securing your data in the cloud

Securing your Data in the Cloud Omer Trajman Sr. Dir. for Cloud and Virtualization Vertica Systems [email protected]

Upload: otrajman

Post on 17-May-2015


DESCRIPTION

Introduction to data security in the cloud.

TRANSCRIPT

Page 1: Securing Your Data In The Cloud

Securing your Data in the Cloud

Omer Trajman

Sr. Dir. for Cloud and Virtualization

Vertica [email protected]


Something old…Something new

• Before we jump in what do we mean “Cloud?”

• Oh….and what do we mean “securing?”

• Plus ça change…

• Tools of the trade

• Key takeaways


What is….Cloud?

• What are Cloud Services? Other Peoples’ Software

• What are Cloud Platforms? Other Peoples’ Frameworks

• What is Cloud Infrastructure? Other Peoples’ Hardware


Security is a Tradeoff

“Security costs money, but it also costs in time, convenience, capabilities,…”

-Bruce Schneier

• Assess how important it is to secure your data

• What are the risks with in-house and cloud?

• Why not keep it under your mattress?


Data Security 101

• Confidential and Proprietary

• Secure Communications

• On Disk Encryption

• Private Key Cryptography

• Timeliness of Data


History of Keeping Secrets

• Greeks use coded messages during wartime

• Manuscript for the Deciphering Cryptographic Messages was written circa 800 AD

• Computer Science was nurtured during the World Wars to keep communications secure

• In 1970 IBM invented DES for the NIST to support secure financial transactions

• In 1976 Diffie and Hellman introduced asymmetric key exchange


What do we keep Secure Today?

• Most Security and Military Information

• Some Financial Data

• Some Personal Information

• Some Business Information


Tools of the Trade

• Key Algorithms: AES, Blowfish, RSA, DH

• Encryption in Place: PGP, FileVault, Firmware

• Secure Transmission: SSL, VPN, SSH

• Firewalls: Comes with your OS


Securing the Cloud

• Create a VPN

• Firewall the host

• Encrypt the disk

Consider where to keep sensitive data


Virtual Private Network

• Why
  – Secure communication between your enterprise and cloud infrastructure

• What
  – OpenVPN, Checkpoint, Cisco, CohesiveFT


Virtual Private Network

• How
  – VPN Server in your enterprise
  – Cloud machine configured to connect over VPN to a server in your enterprise
  – Client keys deployed to cloud machines

• Challenges
  – Provisioning VPN client software
  – Key management for Cloud machines
  – Failover if Cloud machines fail


Firewall

• Why
  – Guard against intrusion, enforce network policies

• What
  – IaaS provided, OS Built-in, Checkpoint


Firewall

• How
  – For IaaS there is an API (e.g. Amazon EC2 groups) that controls network access
  – Linux Firewall or iptables configuration

• Challenges
  – Complex port requirements (e.g. ssh internally and https externally)
  – Subtleties in configuration files can lead to a susceptible host
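
One way to check an iptables ruleset for the kind of subtlety this slide warns about, given here as an added example that is not part of the original deck. The sample dumps, the 10.0.0.0/8 internal range and the `audit` helper are assumptions made for illustration; the checker models only `-s`, `-p`, `-m tcp` and `--dport` matches and skips any rule that uses others.

```python
import ipaddress

# Constructed iptables-save dump (not from the slides). Intent: ssh internal-only, https public.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT
"""
# Same intent with the subtle mistakes corrected (also constructed).
FIXED_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT
"""
MODELLED = {"-A", "-j", "-p", "-s", "-m", "--dport"}  # options this sketch understands


def audit(dump, internal="10.0.0.0/8", internal_only=("22",)):
    """Flag INPUT rules that expose internal-only ports; rules are first-match-wins."""
    inside = ipaddress.ip_network(internal)
    findings, settled = [], set()  # settled: ports an earlier any-source rule decides
    for line in dump.splitlines():
        if line.startswith(":INPUT ACCEPT"):
            findings.append("default policy ACCEPT: traffic matching no rule is allowed")
        if not line.startswith("-A INPUT "):
            continue
        tok = line.split()
        rule = dict(zip(tok[0::2], tok[1::2]))  # assumes option/value pairs, no '!'
        port, target = rule.get("--dport"), rule.get("-j")
        if port not in internal_only or set(rule) - MODELLED:
            continue  # not an internal-only port, or uses matches we do not model
        if port in settled:
            findings.append(f"never reached, port {port} decided earlier: {line}")
            continue
        src = ipaddress.ip_network(rule.get("-s", "0.0.0.0/0"), strict=False)
        if target == "ACCEPT" and not src.subnet_of(inside):
            findings.append(f"port {port} accepted from {src}, outside {inside}")
        if src.prefixlen == 0 and target in ("ACCEPT", "DROP"):
            settled.add(port)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
```

In the sample, the broad port 22 rule sits above the restricted one, so the restriction never takes effect even though it is present in the file.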


Encryption

• Why
  – Prevent malicious or accidental data leaks

• What
  – Truecrypt, Encfs, CryptoFS, NTFS Encryption

[Figure: sample records (1, Jonathan; 2, Susan; 3, David) shown next to their encrypted form]


Encryption

• How
  – DIY – install an encrypted volume on the host
  – May come as an IaaS option

• Challenges
  – Key management
  – Complicates host setup
  – Incremental backup/recovery


What about Securing Resources?

• Don’t use passwords (use public/private keys)

• Open minimal ports (use dedicated servers)

• Monitor your system (tripwire, OSSEC)

• Use configuration tools (FireHOL, Bastille)

• Keep Backups (and keep them secure)

[Diagram: Client, Server, Data]
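
A check for the first bullet, assuming the cloud hosts are reached over OpenSSH; this is an added example, not part of the original deck, and the sample configurations and the `audit_sshd` helper are constructed for illustration. It shows two ways a host can still accept passwords when the file appears to disable them.

```python
# Values sshd uses when a keyword is absent (sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

# Constructed sshd_config (not from the slides): the admin believes passwords are off.
SAMPLE_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
Match Address 203.0.113.0/24
    PasswordAuthentication yes
"""
HARDENED_CONFIG = "PasswordAuthentication no\nPubkeyAuthentication yes\n"  # constructed


def audit_sshd(text):
    """Return findings for password logins; keyboard-interactive/PAM is not checked."""
    settings, explicit, findings, match = dict(DEFAULTS), set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            match = value  # following lines apply only to matching connections
        elif match is not None:
            if key == "passwordauthentication" and value == "yes":
                findings.append(f"passwords re-enabled under 'Match {match}'")
        elif key in DEFAULTS and key not in explicit:
            settings[key] = value  # first value obtained wins; later repeats are ignored
            explicit.add(key)
    if settings["passwordauthentication"] != "no":
        how = "explicitly" if "passwordauthentication" in explicit else "by default"
        findings.append(f"password logins are enabled {how}")
    if settings["pubkeyauthentication"] != "yes":
        findings.append("public key logins are disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_CONFIG):
        print("FINDING:", finding)
```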


Future Developments

• Cloud offerings are constantly changing

• Management as a Service providers will facilitate setup configurations

• Security will become an integrated offering

• Best practices for Cloud security are growing out of enterprise and web security expertise


Key Takeaways

• Security is a trade off

• Use the same tools in the cloud

• VPN, Firewall, Encrypt…Detect and Backup

• Look for solutions from your provider

• Check your service agreement


References

• Twenty Rules for Amazon Cloud Security (George Reese, O’Reilly)

• Three tools to help you configure iptables (Chris Lynch, Linux.com)

• Disk Encryption Tools for Linux (Justin Krelc and Ed Tittel, All about Linux)

• VPN labs

• Amazon Security Whitepaper

thank you – [email protected]