Fundamentals of Cloud & Cloud Security
Viresh SuriGlobalLogic16th December 2015 | DelhiInnerve - 2015
Next generation 1
Cloud Computing Fundamentals of
What is Cloud Computing?
Evolution of IT Computing Models
Next generation 4
The NIST Definition of Cloud ComputingCloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
National Institute of Standards and Technology (NIST) www.nist.gov
Cloud Computing Taxonomy - NIST
Private(On-Premise)Infrastructure(as a Service)Platform(as a Service)Service ModelsStorageServer HWNetworkingServersDatabasesVirtualizationRuntimesApplicationsSecurity & IntegrationStorageServer HWNetworkingServersDatabasesVirtualizationRuntimesApplicationsSecurity & IntegrationStorageServer HWNetworkingServersDatabasesVirtualizationRuntimesApplicationsSecurity & IntegrationSoftware(as a Service)StorageServer HWNetworkingServersDatabasesVirtualizationRuntimesSecurity & IntegrationApplications
Managed by youManaged by vendor
Virtualization The Cloud Backbone
What is driving Cloud adoption ?
Enterprise challengesSpeed of provisioning constraints business executionDisaster Recovery, Fault Tolerance, High AvailabilityExisting hardware has reached end of serviceable life
Datacenter capacity limits are being reachedApplications & processes have variable demand
High Maintenance CostsSoftware License Costs
How Cloud helps Elastic CapacityInfinitely Scalable (Almost)Quick and Easy DeploymentProvisioning in MinutesBusiness Agility
No CapEx, only OpEx., Fine grained billing (hourly)Pay as You go
Leverage Global Scalability& DR
Be Free from IT Management Hassles
Metering, Monitoring, Alerts
Cloud ChallengesLegal & Compliance Security
Lack of Standards, Compatibility Reliability & Performance
A Snapshot of Cloud Providers
Azure + System Center + Windows Server gives a hybtid solutionOpenshift : PaaS from RedHatOffice 365 integration with existing on-prem directory services, Lync, Exchange Server, Sharepoint ServerNext generation 14
Holistic Migration Process
Public v/s Private Cloud DecisionKey QuestionPrivate Cloud PreferablePublic Cloud PreferableDemandConstantVariableGrowthPredictableUnpredictableUsersConcentratedDispersedCustomizationHighMinimal to noneData Privacy & SecurityStringent RequirementModerate RequirementPerformanceVery HighModerate to High
Cloud SecurityFundamentals of
Important Points to know Top cyberattack methods aimed at cloud deployments grew 45 per cent (Application Attacks), 36 per cent (Suspicious Activity) and 27 per cent (Brute Force attacks) respectively over the previous year, while top attacks aimed at on-premises deployments remained relatively flat.
As per 2014 KPMG Cloud Security Report
When it comes to selecting a cloud solution, Security is the no. 1 concern
Compared to 2012 survey, security and data privacy are greater concerns than cost efficiency
Security is a lesser challenge now, compared to 2012. Cloud providers better prepared to secure data, and manage security breaches when they occur
Cyber attacks, Regulatory norms Next generation 18
CSAs Notorious 9 Security ThreatsData Breaches
Account or Service Hijacking
Denial of Service
Abuse of Cloud Services
Insufficient Due Diligence
Cyber attacks, Regulatory norms Next generation 19
Key Security Considerations in a Public Cloud
Network SecurityBuilt-in firewalls, control of network access to instances and subnets
Private / Dedicated Connectivity options from office / on-premises environments
Encryption in transit
Inventory and Configuration Management tools to identify resources, track to manage them
Template definition and management tools to create standard / pre-configured VMs
Deployment Tools to manage creation and decommissioning of resources as per org. standard
Data EncryptionAvailable for data at rest in Storage services
Flexible Key Management options, including Cloud Managed keys / self-managed keys
Hardware based cryptographic key storage options
APIs for you to integrate encryption and data protection with any service developed / deployed on the cloud
Access ControlCapabilities to define, enforce and manage user access policies across services
Identity and Access Management
Multifactor authentication, including hardware based authentication options
Integration and federation with corporate directories
Monitoring and LoggingDeep visibility into API calls, including Who ? What ? When ? From Where ?
Log aggregation, streamlining investigations, compliance reporting
Cloud Security Landscape
Cloud Security Comparison
state-of-the-industry public IaaS security research examines the following features:Shared Cloud Network: public IaaS environment where different cloud customers share the same cloud service subnet. In this model, each cloud server (VM) usually has a public IP address (permanent or temporary) as well as service IP address for the internal cloud service networkVirtual Private Cloud (VPC) Network: the IaaS provider supports an isolation of customers cloud deployments, such that a customer can have a private subnet that is not reachable from other customers cloud servers or from the public InternetFirewall: Collection of policies and rules to control the traffic allowed to and from a group of cloud servers or static IP AddressesIdentity-based accessmanagement: these are firewall rules based on user identity, allowing access of specific users to specific set of compute resourcesSecure extension: ability to securely connect enterprise sites to the cloud deployment (usually a virtual private network) via static IPSec connectionsSecure remote accessto individual server:the ability to access an individual machine (VM) using a secure protocol (like SSH or RDP); this type of remote access is usually based on credentials that are specific to a single user and a single serverRemote VPN access:the ability of the organizations employees to securely connect on demand to the cloud deployment remotely using VPN clients; this includes central authentication of the employees identity prior to gaining access to the cloud deployment (part or all of cloud servers)
Next generation 27
The Road AheadClouds are more prone to security attacks than on-perm deployments
Doesnt mean that those attacks are successful
Cloud Providers are better enabled to handle security now
2016 will be the first year when people choose cloud because of security benefits, and not elasticity / cost
However, stay cautious ! More serious attacks could be expected as well
Security in AWS
GxPISO 13485AS9100ISO/TS 16949
AWS Foundation ServicesComputeStorageDatabaseNetworking
AWS Global InfrastructureRegionsAvailability ZonesEdge LocationsClient-side Data EncryptionServer-side Data EncryptionNetwork Traffic ProtectionPlatform, Applications, Identity & Access ManagementOperating System, Network, & Firewall ConfigurationCustomer applications & contentCustomers
AWS CloudTrailCloudTrail records API calls on services, delivers detailed logs
Use Cases supported :Security Analysis : Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns
Track Changes to AWS Resources : Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes
Troubleshoot Operational Issues : Identify the most recent actions made to resources in your AWS account
Compliance Aid : Easier to demonstrate compliance with internal policies and regulatory standards
AWS ConfigAWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
Use Cases :Am I safe ? : Continuously monitor the configurations of your resources and evaluate these configurations for potential security weaknessesWhere is the evidence ? : A complete inventory of all resources and their configuration attributes is available for any point in timeWhat will this change effect ? : Relationships between resources are understood, so that you can proactively assess change impactWhat has changed ? : You can quickly identify the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files
AWS Key Management ServiceA managed service that makes it easy for you to create, control, and use your encryption keys
Centralized view of all key usage in the organization
Uses HSMs to protect Key Security
Integrated with AWS CloudTrial to provide logs for all key usage for regulatory and compliance requirements
AWS IAMCentrally manage users, security credentials such as passwords, access keys, permissions, policies that control which AWS services and resources users can access
Allows creation of multiple AWS users, give them their own user name, password, access keys
AWS CloudHSMAllows protection of encryption keys within HSMs designed and validated to government standards for secure key management
Keys can be generated, managed and stored cryptographic keys such that they are accessible only by us
Allows regulatory compliance without compromising on application performance
CloudHSM instances are provisioned inside your VPC with an IP address that you specify, providing simple and private network connectivity to your Amazon Elastic Compute Cloud (EC2) instances
AWS VPCAllows provisioning of logically isolated section of AWS cloud, where AWS resources can be launched in a virtual network defined by you
You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways
You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet
Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.
AWS WAFAWS WAF is a web application firewall that helps protect your webapplications from common web exploits that could affect applicationavailability, compromise security, or consume excessive resources.
Gives you control over which traffic to allow or block to your webapplication by defining customizable web security rules.
You can use AWSWAF to create custom rules that block common attack patterns, such as SQLinjection or cross-site scripting, and rules that are designed for your specific application.
New rules can be deployed within minutes, letting you respondquickly to changing traffic patterns. Also, AWS WAF includes a full-featuredAPI that you can use to automate the creation, deployment, and maintenanceof web security rules.
AWS Inspector (Preview)Automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
Automatically assesses applications for vulnerabilities or deviations from best practices.
After performing an assessment, Amazon Inspector produces a detailed report with prioritized steps for remediation.
Includes a knowledge base of hundreds of rules mapped to common security compliance standards (e.g. PCI DSS) and vulnerability definitions. Examples of built-in rules include checking for remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.