Presentation for a webinar on 6/21/12 for the Atlantic Provinces Chapter of ISACA
The Evolution of a Secure Cloud
June 21, 2012
Mike Kavis
VP of Architecture, Inmar
The Atlantic Provinces Chapter of ISACA Presents
® © 2012 Inmar, Inc. All Rights Reserved. Not to be reproduced or distributed without written permission from Inmar
Your Speaker
Mike Kavis has been architecting solutions in the cloud since 2008 and was the CTO of the startup M-Dot Network, which won the 2010 AWS Startup Challenge. Mike is now VP of Architecture at Inmar, which purchased M-Dot in 2011, and is responsible for Inmar’s Digital Promotions PaaS.
Some things might be better on premises!
Source: http://geekandpoke.typepad.com/
Inmar’s Digital Promotion PaaS (diagram)
Participants: Digital Publisher, Brand, Point of Sale, Retailer, Clearinghouse, Mfg. Agent; Inmar’s Offer Network Exchange; Digital Offers
Continuous maturity & increased security over time (diagram)
Stages: POC, First Customer, National Network, Published APIs, Self Service (coming soon)
Axes: Features & Amount of Access; Security & Regulatory Requirements
Service layers: IaaS, SaaS, PaaS
It all started with AWS and a credit card (POC)
IaaS – Areas of Responsibility (diagram): outsourcing the security perimeter
Provider: Network, Server, Storage
Consumer: OS, Application, ID Management, Authentication, Authorization, Access, Application configuration
Minimal Amount of Security for the POC
• Data Center/Perimeter Security
• AWS Keys
• Basic application authorization and authentication
• Standard LAMP AMI
Researched Security & Compliance Requirements
• 13 Domains of Cloud Computing (CSA guidance)
• Based on our requirements, the feedback from security experts was:
  – Focus on ISO 27001 and PCI
  – All others are a subset
• POS Traffic
  – Encrypt, compress, send over HTTPS
  – Chain, store and consumer level authentication
  – No credit card information on the wire
  – No non-standard open ports
https://cloudsecurityalliance.org/csaguide.pdf
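The POS traffic rules above (compress, authenticate at chain, store and consumer level, never put card data on the wire, and the later "Shopper ID masked" point) as an added example. This is not Inmar's code or wire format: the key layout (one HMAC secret per chain, one per store, a bearer token per consumer), the header names and the keyed pseudonym for the shopper id are assumptions for illustration. The Luhn check is what turns "no credit card information on the wire" into something a build step can actually enforce.

```python
"""Added example (not Inmar's code): a POS upload that follows the slide's
rules. Key layout, header names and sample secrets are assumptions."""
import gzip
import hashlib
import hmac
import json
import re

# Constructed sample secrets; in production these come from a key store.
CHAIN_KEYS = {"chain-17": b"chain-17-secret"}
STORE_KEYS = {("chain-17", "store-0042"): b"store-0042-secret"}
CONSUMER_TOKENS = {"tok-abc123": "shopper-9f3a"}   # bearer token -> shopper id
MASK_KEY = b"shopper-mask-key"                       # keyed pseudonym for shopper ids

_DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_ok(digits):
    """Luhn checksum, used to tell a card number from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def contains_pan(text):
    """True if any 13-19 digit run (spaces or dashes allowed) passes Luhn."""
    for m in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def mask_shopper_id(shopper_id):
    """Keyed pseudonym so the raw shopper id never appears in the payload."""
    return hmac.new(MASK_KEY, shopper_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_message(chain_id, store_id, consumer_token, basket):
    """Client side: validate, compress, then sign at store and chain level."""
    shopper = CONSUMER_TOKENS[consumer_token]
    body = json.dumps({"shopper": mask_shopper_id(shopper), "basket": basket},
                      sort_keys=True, separators=(",", ":")).encode()
    if contains_pan(body.decode()):
        raise ValueError("card data must not be sent over the wire")
    compressed = gzip.compress(body)
    store_sig = hmac.new(STORE_KEYS[(chain_id, store_id)], compressed,
                         hashlib.sha256).hexdigest()
    # The chain key signs the store signature, so both levels must check out.
    chain_sig = hmac.new(CHAIN_KEYS[chain_id], store_sig.encode(),
                         hashlib.sha256).hexdigest()
    headers = {"Content-Encoding": "gzip", "X-Chain-Id": chain_id,
               "X-Store-Id": store_id, "X-Consumer-Token": consumer_token,
               "X-Store-Sig": store_sig, "X-Chain-Sig": chain_sig}
    return headers, compressed   # would be POSTed over HTTPS


def verify_message(headers, compressed):
    """Server side: check chain, store and consumer, then decompress."""
    chain_id, store_id = headers.get("X-Chain-Id"), headers.get("X-Store-Id")
    store_key = STORE_KEYS.get((chain_id, store_id))
    chain_key = CHAIN_KEYS.get(chain_id)
    if store_key is None or chain_key is None:
        return None
    store_sig = hmac.new(store_key, compressed, hashlib.sha256).hexdigest()
    chain_sig = hmac.new(chain_key, store_sig.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(store_sig, headers.get("X-Store-Sig", "")):
        return None
    if not hmac.compare_digest(chain_sig, headers.get("X-Chain-Sig", "")):
        return None
    if headers.get("X-Consumer-Token") not in CONSUMER_TOKENS:
        return None
    return json.loads(gzip.decompress(compressed))
```

The signatures cover the compressed bytes, so the MAC is checked before anything is decompressed; a tampered or forged upload is dropped without touching the gzip decoder.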
First Customer Launch (SaaS)
Mobile Coupons, Coupon Portal, B2B Portal, Reporting, Real time high speed transactions
Moderate Amount of Security for Launch
Challenges
• Segregation of duties is impossible when there are 2 guys
• Keeping up with patches was a challenge
Decision Points
• Just enough security for one client
• Deployments were manageable manually
• Consolidated work on fewer servers (light load)
• Focused on application security (Authentication/Authorization)
SaaS - Areas of Responsibility (diagram): outsourcing the application
Provider: Perimeter, Server, OS, Storage, Application, Authentication, Authorization
Consumer: ID Management, Access, Application configuration
SaaS Considerations (still in startup mode)
Data
• Independent retailer databases
• Encrypted in flight
• Shopper ID masked
Decision Points
• Deployments were still manageable manually
• Relied on IaaS and standard images
• Basic monitoring
• Patch when critical
• Redundant across zones
National Network (PaaS)
Analytics, Digital Incentives, Social Media, Mobile Advertising, Real time high speed transactions
PaaS - Areas of Responsibility (diagram): outsourcing the application platform
Provider: Perimeter, Server, OS, Storage
Consumer: Application, ID Management, Authentication, Authorization, Access, Application configuration
Current Situation
Acquired by Inmar, focused on security and scalability
• 30+ person team
• 4 person DevOps team
• My focus is on the Platform, another VP owns the apps
Decision Points
• Pass audits, get certifications
• Follow IT controls best practices
• Distribute work across many nodes
• Automate everything
• Minimize access, segregation of duties
• Intrusion detection and prevention
• Patching strategy
Intrusion Detection and Prevention
Leverage AWS’s IAM (Identity and Access Management) services
• Multiple security groups with different permissions
• Multiple AWS accounts (Prod, QA, R&D)
• Chef scripts automate security in AMI creation
Lock down and remove unnecessary software and services
• Operating System
• Database
• Application Server
• Monitors and alerts for access attempts
• Lock down production DB access – all non-API access on read-only slaves
• All CRUD via APIs (data service layer) with credentials (rare exceptions)
Restrict Access – Central Logging Strategy (diagram)
Sources: Web Servers, API Servers, Database Servers, Utility Servers
Each tier forwards its DB logs, app server logs and application logs (web, API or app logs) over SYSLOG to the Log Servers, which handle log centralization/prep and log search & analytics.
Admins have total access; developers access the log server only.
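The central-logging slide above, together with the "monitors and alerts for access attempts" control from the hardening slide, as an added example that is not Inmar's tooling. Syslog lines from web, API and DB servers land on one log server, get tagged by tier from an assumed hostname prefix convention, and a small detector raises one alert per source address that keeps failing to authenticate, counted across tiers so a scan that touches a web box, an API box and the database still adds up. The log lines, the hostname convention, the five-minute window and the threshold of three are constructed assumptions.

```python
"""Added example (not Inmar's code): central log prep plus a detector for
repeated failed access attempts. Sample lines and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RFC 3164 style lines as forwarded to the log server.
SAMPLE_LOGS = """\
Jun 21 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Jun 21 10:00:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51123 ssh2
Jun 21 10:00:04 api02 sshd[7781]: Failed password for root from 203.0.113.9 port 51124 ssh2
Jun 21 10:00:06 db01 mysqld[991]: Access denied for user 'app'@'203.0.113.9' (using password: YES)
Jun 21 10:00:09 api02 sshd[7781]: Accepted publickey for deploy from 10.0.2.15 port 40000 ssh2
Jun 21 10:15:00 db01 mysqld[991]: Access denied for user 'root'@'10.0.1.7' (using password: NO)
Jun 21 10:00:10 web02 nginx: 198.51.100.4 - - "GET /admin HTTP/1.1" 401 12
""".splitlines()

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Assumed naming convention: the hostname prefix says which tier a box is in.
TIERS = {"web": "web", "api": "api", "db": "database"}

# Failed access attempts we care about; each pattern yields a user and a source.
FAILURES = [
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3})"),
    re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<src>[^']+)'"),
    re.compile(r'^(?P<src>\d+(?:\.\d+){3}) - (?P<user>\S+) "[A-Z]+ \S+ [^"]*" 401 '),
]


def tier_of(host):
    for prefix, tier in TIERS.items():
        if host.startswith(prefix):
            return tier
    return "utility"


def collect(lines):
    """Parse forwarded syslog lines into tagged events (the log prep step)."""
    events = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue   # a real collector would keep unparseable lines raw and count them
        ev = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
              "host": m["host"], "tier": tier_of(m["host"]),
              "prog": m["prog"].strip(), "msg": m["msg"],
              "failure": False, "user": None, "src": None}
        for pat in FAILURES:
            f = pat.search(ev["msg"])
            if f:
                ev.update(failure=True, user=f["user"], src=f["src"])
                break
        events.append(ev)
    return events


def detect_repeated_failures(events, window=timedelta(minutes=5), threshold=3):
    """One alert per source with >= threshold failures inside a sliding window,
    counted across every tier. Returns {src: {count, hosts, users, first, last}}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["failure"]:
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            hit = evs[start:end + 1]
            if len(hit) >= threshold and len(hit) > alerts.get(src, {}).get("count", 0):
                alerts[src] = {"count": len(hit),
                               "hosts": sorted({e["host"] for e in hit}),
                               "users": sorted({e["user"] for e in hit}),
                               "first": hit[0]["ts"], "last": hit[-1]["ts"]}
    return alerts
```

Because the detector runs on the log server rather than on each box, the developers who may only reach the log server can still see the alert without being given access to production hosts.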
SLA & Performance Management
Published APIs (PaaS)
Analytics, Digital Incentives, Social Media, Mobile Advertising, Real time high speed transactions, ????
Next on the List
API 2.0
• Versioning strategy
• More advanced security
• API access, key management, OAuth
Self Service
• Self register
• Self subscribe and publish
• Online payments
• Hybrid clouds
• Offload payments to a processor
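The "versioning strategy" and "API access, key management" items above, as an added example that is not Inmar's API 2.0 design. The deck names OAuth as the target; this shows the simpler signed-request scheme many published APIs start with: a version string in the canonical request, per-client key ids so a key can be rotated while the old one is still honoured, a clock-skew bound, and nonce tracking against replay. The header names, key store layout, sample secrets and the clip endpoint are assumptions.

```python
"""Added example (not Inmar's code): versioned, HMAC-signed API requests with
key rotation and replay protection. Key store and header names are assumed."""
import hashlib
import hmac
import secrets
import time

API_VERSION = "v2"

# Constructed key store: a client may hold several keys so a new one can be
# issued before the old one expires (rotation without an outage).
KEY_STORE = {
    "publisher-42": [
        {"key_id": "k1", "secret": b"old-secret", "expires_at": 1_700_000_000},
        {"key_id": "k2", "secret": b"new-secret", "expires_at": None},
    ],
}


def _string_to_sign(version, method, path, client, key_id, ts, nonce, body):
    """Canonical request: everything the server will act on is covered."""
    body_hash = hashlib.sha256(body).hexdigest()
    parts = [version, method.upper(), path, client, key_id, str(ts), nonce, body_hash]
    return "\n".join(parts).encode()


def sign_request(client, key_id, secret, method, path, body, now=None):
    """Client side: produce the headers that travel with the request."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    sig = hmac.new(secret, _string_to_sign(API_VERSION, method, path, client,
                                           key_id, ts, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"X-Api-Version": API_VERSION, "X-Client-Id": client,
            "X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Nonce": nonce,
            "X-Signature": sig}


class ApiGateway:
    """Server side: check version, freshness, key validity, signature, replay."""

    def __init__(self, key_store, max_skew=300):
        self.keys = key_store
        self.max_skew = max_skew
        self.seen = {}   # (client, nonce) -> request timestamp

    def _active_key(self, client, key_id, now):
        for key in self.keys.get(client, []):
            expiry = key["expires_at"]
            if key["key_id"] == key_id and (expiry is None or expiry > now):
                return key
        return None

    def verify(self, headers, method, path, body, now=None):
        now = int(time.time() if now is None else now)
        if headers.get("X-Api-Version") != API_VERSION:
            return False, "unsupported version"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "stale"
        client = headers.get("X-Client-Id", "")
        key_id = headers.get("X-Key-Id", "")
        nonce = headers.get("X-Nonce", "")
        key = self._active_key(client, key_id, now)
        if key is None:
            return False, "unknown or expired key"
        expected = hmac.new(key["secret"],
                            _string_to_sign(API_VERSION, method, path, client,
                                            key_id, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        # A nonce older than the skew window can no longer pass the freshness
        # check, so the replay cache only has to remember that window.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_skew}
        if (client, nonce) in self.seen:
            return False, "replay"
        self.seen[(client, nonce)] = ts
        return True, "ok"
```

The replay check runs only after the signature has verified, so an attacker cannot fill the nonce cache with unsigned junk; in a multi-node deployment that cache would live in a shared store rather than in process memory.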
Recommendations
Have a roadmap
• Prioritize and chip away at the list
• Make security tasks part of your sprint planning
• Have a living, breathing security document because you will get asked for it daily
Recommendations
Don’t be Mordac!
Think Differently
• It’s just another data center, only you can’t see it.
• Apply the same best practices
• Apply some new best practices for the cloud
• Every problem has a solution
Questions