Cloud Security Practices and Principles – Joan Pepin, Director of Security, Sumo Logic (presentation transcript)


Slide 2: Who are you?
- Director of Security, Sumo Logic
- Director of Research, Dell/SecureWorks (9 years, MSSP)
- Technical Staff, MIT LL

Slide 3: The Public Cloud is...
- An opportunity to simplify and increase security
  - Through automation
  - And solid design principles
- Misunderstood
  - Risk model vs. hosting
  - Risk model vs. other public utility models
- A victim of FUD
  - Take time to examine it?
  - Or DOOM?

Slide 4: Why the Bad Rap?
- Fearing what you do not understand is reasonable from an IT perspective. But this is worth the time to understand.
  - I see anti-cloud policies
  - With no solid risk assessment
- Is this technological conservatism?
  - Which is common and natural in security
  - But can lead to out-of-sync security postures
- Or an emotional reaction?
  - Don't move my cheese
  - Get off of my cloud!

Slide 5: Old World / New World
- You have people on your staff who know way too much about wattage, BTUs, rack density and exactly how raised the floor needs to be
  - Limits your thinking
  - Causes gaps
- The new world is very different
  - Scripts and capacity-planning spreadsheets -> feedback loops / auto-scaling
  - 36-month refresh cycles -> bids for spot instances
  - Physical control -> process, automation, and design

Slide 6: Design Design Design
- In the cloud you have the tools to design, implement and refine your policies, controls and enforcement in a centralized fashion
  - Your code is your infrastructure
  - Your SDLC can now be brought to bear on areas traditionally out of sync with your security posture
- Scale to massive sizes without having to worry about things like firewall rule ordering, optimization or audit as part of your operational cycle
  - Your security will become fractal, embedded in every layer of your system.

Slide 7: Fundamentals
- You are operating in a complete information environment
  - Like the Internet
  - Or the PSTN
- It's all about the fundamentals of system thinking and design
  - I/O
  - Storage
  - RAM
  - Compute
  - Code

Slide 8: Minimalism
- Each of those must be thought of on its own and in combination with the other components it interacts with
  - And you have the tools to do that
  - With infrastructure as code
- It is both that simple and that complicated.
  - So design your security in at every layer
  - Test it, instrument it, and iterate on it

Slide 9: The Primitives
- Data: encrypted at rest, in motion, and in use
- Access control: monitoring tools, third-party apps, troubleshooting tools
- Interfaces/APIs: clean, minimal, authenticated, validated
- I/O, memory, storage, and compute: encrypted, limited, controlled

Slide 10: With Automation, All Things are Possible
- Thinking of your entire infrastructure as part of your code base changes the game completely
  - Always in pace
  - Always relevant
- There is no longer a gap or disconnect between the operational physical layer and the software that runs on top of it
  - Firewalls everywhere?
  - HIPS everywhere?
- Adaptive security infrastructure

Slide 11: Like What?
- Register all of your VMs, services, IPs, and ports
  - Automatically build firewall policies based on that
- Re-build and distribute SSL/TLS keys
  - Whenever you want
- HIDS, host firewalls (HFW) and file integrity checkers configured with instance tags
  - Tags for lots of things
- Everything unit tested
  - Allowing security to keep up with your product

Slide 12: DTRT (Do The Right Thing)
- Your system has I/O, storage, memory and network underneath it, as well as your software components
  - And you can control and iterate on that continuously
  - Leveraging IaaS providers' APIs
- Think about every place that information is exchanged, transferred or transformed, and do the right thing there.
  - Engage the developers
  - Check in code

Slide 13: Understand Everything
- Simplicity gives you the power to understand everything
  - Every protocol
  - Every interface
- If you want to achieve true and full default deny on everything, everywhere, this is where it starts
  - Understand your protocols
  - Understand your stack
- And you can attain emergent security
  - Develop and follow standards

Slide 14: How?
- If this is input, sanitize it.
- If it is storage, network or memory, encrypt it.
- If it is output you are feeding back to your customer or another component, sanitize that too.
- Don't trust client-side verification; enforce everything at every layer.

Slide 15: Default Deny Nirvana
- Allow only expected connections
- Front-end web applications need to accept connections from anyone in the world
  - (but it's more likely only your load balancer does)
- As part of your infrastructure-as-software design
  - Know what needs to talk to what, on what port, and under what circumstances
  - Allow only that; everything else is bit-bucketed and alerted on.
- In software-driven cloud-based deployments, there is no longer any excuse for doing it any other way
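Slides 11 and 15 together describe one mechanism: a registry of services, IPs and ports from which firewall policy is generated, with an explicit allow for each expected peer pair and a final drop-and-log rule for everything else, all unit tested. The following added example (not code from the talk or from Sumo Logic) shows that pattern on a constructed three-tier registry; the registry format, rule tuple shape and the `evaluate` function are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """One registered VM/service: where it listens and who may reach it."""
    name: str
    ip: str
    port: int
    allowed_from: frozenset  # names of services allowed to connect; "*" = anyone


# Constructed sample registry (not a real deployment): only the load
# balancer is exposed to the world; web is reachable only from lb, and
# the database only from web.
REGISTRY = (
    Service("lb", "10.0.0.10", 443, frozenset({"*"})),
    Service("web", "10.0.1.20", 8080, frozenset({"lb"})),
    Service("db", "10.0.2.30", 5432, frozenset({"web"})),
)


def build_policy(registry):
    """Derive an ordered rule list: one allow per registered peer pair,
    then a catch-all that drops and logs everything else (default deny)."""
    by_name = {s.name: s for s in registry}
    rules = []
    for svc in registry:
        for src in sorted(svc.allowed_from):
            if src == "*":
                src_net = "0.0.0.0/0"
            elif src in by_name:
                src_net = by_name[src].ip + "/32"
            else:
                # An unregistered peer cannot get a rule: fail the build
                # rather than silently widening or dropping the policy.
                raise ValueError(f"{svc.name}: unregistered peer {src!r}")
            rules.append(("allow", src_net, svc.ip + "/32", svc.port))
    rules.append(("deny+log", "0.0.0.0/0", "0.0.0.0/0", None))
    return rules


def evaluate(rules, src_ip, dst_ip, port):
    """First-match evaluation; returns (action, matched_rule) so callers
    can alert on every deny+log hit. The catch-all guarantees a match."""
    for rule in rules:
        action, src_net, dst_net, rule_port = rule
        if (ipaddress.ip_address(src_ip) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action, rule
    raise AssertionError("catch-all rule missing")
```

Because the policy is derived from the registry, the registry entry is the only place a new flow is declared, and the assertions in a unit test (for example that the last rule is still deny+log and that lb cannot reach db) catch a bad registry change before it is deployed.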

Slide 16: Encrypt it all...
- You know... like we do... on the Internet ;)
- At rest, in motion, and in use
  - Any data that is ephemeral can be kept on encrypted ephemeral storage, with keys that can simply be kept in memory
  - When the instance dies, the key dies with it.
- Longer-lived data should be stored away from the keys that secure it
  - If the data is particularly sensitive, securely wipe the data before spinning down the disk and giving it back to the pool
