why the cloud is more secure than your existing systems
DESCRIPTION
Talk presented by Ernest Mueller at LASCON 2010 on cloud computing security and why it's likely that the cloud is more secure than what you're doing right now.TRANSCRIPT
![Page 1: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/1.jpg)
Why The Cloud Is More Secure Than Your Existing Systems
Ernest Mueller National Instruments theagileadmin.com [email protected] @ernestmueller
![Page 2: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/2.jpg)
What is the cloud?
![Page 3: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/3.jpg)
The Grand Unified Theory
(ISP -> colo) + virtualization + HPC + (AJAX + SOA -> REST APIs) = IaaS
IDE/4GLs + EAI + SaaS + IaaS = PaaS
((web site -> web app) -> ASP) + virtualization + fast network + [RIA browsers && mobile] = SaaS
[IaaS | PaaS | SaaS ] + [ devops | open source | noSQL ] = cloud
![Page 4: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/4.jpg)
Infrastructure as a Service
Amazon EC2, Rackspace, VMWare, Verizon, Terremark, IBM, everyone else
with a data center
Move infrastructure off premise, focus on value added operations
Usually multitenant virtualized hosting, REST API driven near-instant
provisioning to scale, utility billing
![Page 5: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/5.jpg)
Software as a Service
Salesforce.com, Google Apps, Zoho, MobileMe, everyone else with some
developers
Bringing the convenience of consumer apps to the world of business apps
You’ve been doing this forever (ADT/Paychex, credit card
processors)
![Page 6: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/6.jpg)
Platform as a Service
force.com, Microsoft Azure, Google App Engine, Heroku, Code2Cloud
Develop apps without needing to mess with the plumbing
The most newfangled
![Page 7: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/7.jpg)
Other Cloud Things
Private Cloud Virtual Private Cloud Hybrid Cloud/Cloudbursting This Cloud, That Cloud
cloud + mobile + social + agile = EaaS?
![Page 8: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/8.jpg)
“Cloud? I’ve been doing that since 1988. It’s just the same old thing with a new name."
- Technohipster
![Page 9: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/9.jpg)
Pretty new:multitenantmassively scalableelastic self provisioningpay as you go
Resulting benefits:agilityeconomy of scalelow initial investmentscalable cost/opexresilienceeasy delivery
Not new:virtualizationoutsourcingintegrationinterwebz
![Page 10: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/10.jpg)
Centralization -> Delegation, Federation• "I own it all and control it all" is a myth• Auditable standards, open protocols• SLAs are worthless when it matters• “Cloud computing is about gracefully losing control while maintaining accountability” -CSA
Outsourcing is Scary!
• Not Hosted Here Syndrome• SLAs/contracts vs. "firing someone"• Enemy ninjas• Legal discovery
![Page 11: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/11.jpg)
“I'd rather trust someone I've never met than the guys in IT.”
- Developer
![Page 12: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/12.jpg)
Are You This Guy?
![Page 13: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/13.jpg)
Too bad!
Gartner reports that 39% of respondents worldwide are budgeting money to spend on cloud
Cloud computing is already 10% of total IT services budgets
Cloud is the future of computing
If you make it into security “versus” business outcome – you lose!
Luckily, it doesn’t have to be that way
Sure, there’s security stuff to manage around the cloud, just like anything
But here’s why the cloud can improve your security posture, and how it can help you do your job!
![Page 14: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/14.jpg)
Amazon AWS Example
Globally distributed data centers with multiple availability zones per region
Data centers: unmarked separate buildings, biometrics, access logging. SAS 70 Type II, ISO 27001 in progress
S3 Storage: highly redundant storage, control over global distribution
Disks are zeroed out post-use EC2 Instances: image based VMs
![Page 15: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/15.jpg)
More AWS
Security Groups – like a software firewall integrated down to the hypervisor
Amazon ops staff can’t see within your VM or memory
VPC for private only instances Key crypto for machine access Multifactor auth available “Bring your own key”
![Page 16: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/16.jpg)
More AWS
Employee vetting procedures Big security department Other products - RDS, SNS,
SimpleDB, SQS, monitoring, CDN, etc.
Via a console or API, you instantiate instances from images, provision storage and network, set access keys, make copies, terminate assets
![Page 17: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/17.jpg)
Challenges
Highly Dynamic - IP addresses, number of servers, etc. change at will
Key Management Image Management Encryption of stored data (“Do it”) Identity Management Poindextery Cross-VM Attacks People Who Don’t Get It Yet Enthusiasm + Immature Vendors
![Page 18: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/18.jpg)
“But you said the cloud’s more secure, man!”
- You
![Page 19: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/19.jpg)
You have to ask – “More secure than what?”
It’s less secure than your mental model of the perfectly secure system
Which does not exist really – you need to compare it to the real security you have going in your current shop as it stands and see if it’s better or worse.
In many cases it’s better.
![Page 20: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/20.jpg)
![Page 21: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/21.jpg)
the proof is in the pudding
mmm… pudding
let’s see how the cloud and one large IT shop compare
![Page 22: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/22.jpg)
in IT, our online catalog 30 day availability: 98.59%
in the cloud, 30 day availability: 100.0%
![Page 23: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/23.jpg)
in IT, our internal DMZ implementation – 5 years and counting
in the cloud – a defined DMZ around every single server role
![Page 24: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/24.jpg)
in IT, our DR plan is “Pray”
in the cloud, the time to have our entire system built from scratch in another region is 2 hours
![Page 25: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/25.jpg)
in IT, our transport security can be described by “telnet’s secure, right?” and “HTTPS? Not in our version of Oracle!”
in the cloud, SSL is everywhere, all logins are certed
![Page 26: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/26.jpg)
in IT, we have to “scan” to “discover” our assets and their OS levels
in the cloud, we create our systems from a defined model programmatically
![Page 27: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/27.jpg)
in the cloud, we alert if anyone logs into a server, it’s so rare
in the cloud, if a box is suspect we crumple it up and throw it away (you can make a copy)
![Page 28: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/28.jpg)
![Page 29: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/29.jpg)
is this an unfair comparison?
what is “fair?”
the only meaningful question is “with my new app, where objectively is it better off?”
![Page 30: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/30.jpg)
the cloud gives superpowers to the little guy
intense resilience
cloud backup
near automatic DR
open standards
APIs and scale drive self service
![Page 31: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/31.jpg)
many cloud providers have more security staff than you do
you benefit from the security requirements of all their other
customers
managed security service integration is a compelling product
security is a differentiator in the space and suppliers are chasing it
![Page 32: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/32.jpg)
better architecture – “sharing is the devil”
utility billing drives sunsetting of old apps/systems
security SaaS products make enterprise level security accessible
acknowledges reality – devices, networks, data are everywhere
![Page 33: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/33.jpg)
the cloud age
post "perimeter"post "SLA"
post "server"post "web page"
![Page 34: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/34.jpg)
“You can run, but you’ll just die tired.”
- Me
![Page 35: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/35.jpg)
The Cloud Friendly Ghost
![Page 36: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/36.jpg)
how can you be cloud friendly?
automationself service
collaboration fix the tools
extend your reachmake encryption easy
focus on outcomes
![Page 37: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/37.jpg)
From CIA to API
Remember “port knocking?” With model driven automation
(“infrastructure as code”) you can create firewall holes, provision user accounts, etc. in real time and remove them once they’re done being used
If it’s self service, it’s more auditable than “ask a network admin”
![Page 38: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/38.jpg)
DevOps (+Sec)
Increased trend driven by agile development towards tight collaboration between developers and operations staff
Be the “security buddy” Embed with projects, don’t be a seagull By understanding, be understood How secure are things usually when
people and teams all work separately?
![Page 39: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/39.jpg)
Tool Time
Dynamic nature of cloud poses challenges for old tools
Encryption is still stupid hard – check out grendel, and maybe homomorphic encryption will rescue us
Note all the “Security as a Service” offerings springing up- was spam filtering and scanning, now it’s code analysis (Veracode, Fortify), IAM (PingIdentity), virus scan (McAfee), etc.
![Page 40: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/40.jpg)
In Closing
Focus on real security Naturally it’ll take time for
compliance standards to get with the times – but don’t assume it can’t be compliant – some of your auditors have actually heard of VMs and know what to do
FUD doesn’t benefit anyone – figuring out how to “make it happen” – securely – benefits everyone.
![Page 41: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/41.jpg)
try it –you’ll like it
![Page 42: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/42.jpg)
Cloud Security Resources
Cloud Security Alliance (cloudsecurityalliance.org)
Security Guidance for Critical Areas in Cloud Computing (http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf)
ENISA Cloud Computing Risk Assessment (http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment )
![Page 43: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/43.jpg)
Cloud Security Resources
Book: Cloud Security and Privacy (Mather, Kumraswamy, Latif) - Yay!
Book: Cloud Security (Krutz, Vines) - Boo!
Jericho Forum (jerichoforum.org)
Amazon Security Center (aws.amazon.com/security)
Austin Cloud User Group (acug.cloudug.org)
![Page 44: Why the cloud is more secure than your existing systems](https://reader033.vdocuments.mx/reader033/viewer/2022042813/54b6d2de4a7959703e8b4587/html5/thumbnails/44.jpg)
theagileadmin.com