The Evolution of a Secure Cloud
June 21, 2012
Mike Kavis, VP of Architecture, Inmar
The Atlantic Provinces Chapter of ISACA Presents


Description: Presentation for a webinar on 6/21/12 for the Atlantic Provinces Chapter of ISACA


Page 1: Evolution of a secure cloud


Page 2: Evolution of a secure cloud

© 2012 Inmar, Inc. All Rights Reserved. Not to be reproduced or distributed without written permission from Inmar.

Your Speaker

Mike Kavis has been architecting solutions in the cloud since 2008 and was the CTO of the startup M-Dot Network, which won the 2010 AWS Startup Challenge. Mike is now VP of Architecture at Inmar, which purchased M-Dot in 2011, and is responsible for Inmar’s Digital Promotions PaaS.


Page 3: Evolution of a secure cloud


Some things might be better on premise!


Source: http://geekandpoke.typepad.com/

Page 4: Evolution of a secure cloud


[Diagram: Inmar’s Digital Promotion PaaS. Parties shown: Digital Publisher, Brand, Point of Sale, Retailer, Clearinghouse, Mfg. Agent; hub: Inmar’s Offer Network Exchange; product: Digital Offers.]

Page 5: Evolution of a secure cloud


Continuous maturity & increased security over time


[Diagram: maturity timeline POC → First Customer → National Network → Published APIs → Self Service (coming soon). As features and the amount of access grow, so do the security and regulatory requirements; the delivery model progresses through IaaS, SaaS and PaaS.]

Page 6: Evolution of a secure cloud


It all started with AWS and a credit card (POC)

Page 7: Evolution of a secure cloud


[Diagram: IaaS – Areas of Responsibility. Layers shown: Network, Server, Storage, OS, Application, ID Management, Authentication, Authorization, Access, Application configuration. Provider column: Network, Server, Storage. Consumer column: the remaining layers. Caption: Outsourcing the security perimeter.]

Page 8: Evolution of a secure cloud


Minimal Amount of Security for the POC

• Data Center/Perimeter Security
• AWS Keys
• Basic application authorization and authentication
• Standard LAMP AMI

Page 9: Evolution of a secure cloud


Researched Security & Compliance Requirements

• 13 Domains of Cloud Computing
• Based on our requirements, the feedback from security experts was:
  – Focus on ISO 27001 and PCI
  – All others are a subset
• POS Traffic
  – Encrypt, compress, send over https
  – Chain, store and consumer level authentication
  – No credit card information on wire
  – No non-standard open ports

https://cloudsecurityalliance.org/csaguide.pdf
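The POS traffic rules above (compress, send only over https, never put card data on the wire) as a client-side guard, written as an added example rather than Inmar’s own code; the endpoint, field names and sample transaction are constructed assumptions, and encryption is left to TLS as the slide implies.

```python
import json
import re
import zlib
from urllib.parse import urlsplit

# Hypothetical endpoint and field names, constructed for this example.
POS_ENDPOINT = "https://pos.example.invalid/v1/transactions"
PAN_RE = re.compile(r"\b\d{13,19}\b")  # card-number-length digit runs

def luhn_ok(digits):
    """Luhn checksum, used only to tell a real card number from an ordinary long ID."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def contains_pan(value):
    return any(luhn_ok(m) for m in PAN_RE.findall(str(value)))

def prepare_pos_message(tx, endpoint=POS_ENDPOINT):
    """Reject card data and plain http, then return the compressed body the POS would send."""
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("POS traffic must be sent over https")
    for key, value in tx.items():
        if contains_pan(value):
            raise ValueError(f"field {key!r} looks like a card number; not allowed on the wire")
    body = json.dumps(tx, separators=(",", ":"), sort_keys=True).encode()
    return zlib.compress(body)  # TLS (https) provides the encryption; zlib the compression

def decode_pos_message(blob):
    """Server side: inflate and parse what the POS sent."""
    return json.loads(zlib.decompress(blob))

# Constructed sample transaction: chain/store identifiers and an offer, no card data.
SAMPLE_TX = {"chain": "acme", "store_id": "S-1042", "offer_id": "OFR-77", "amount_cents": 250}
```

The Luhn check keeps ordinary 16-digit transaction or loyalty IDs from being rejected as card numbers.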

Page 10: Evolution of a secure cloud


First Customer Launch

[Diagram: First Customer Launch, delivered as SaaS. Components: Mobile Coupons, Coupon Portal, B2B Portal, Reporting, real time high speed transactions.]

Page 11: Evolution of a secure cloud


Moderate Amount of Security for Launch

Challenges
• Segregation of duties is impossible when there are 2 guys
• Keeping up with patches was a challenge

Decision Points
• Just enough security for one client
• Deployments were manageable manually
• Consolidated work on fewer servers (light load)
• Focused on application security (Authentication/Authorization)

Page 12: Evolution of a secure cloud


[Diagram: SaaS – Areas of Responsibility. Layers shown: Perimeter, Server, OS, Storage, Application, ID Management, Authentication, Authorization, Access, Application configuration, split between Consumer and Provider columns; Application, Authentication and Authorization move to the provider side. Caption: Outsourcing the application.]

Page 13: Evolution of a secure cloud


SaaS Considerations (still in startup mode)

Data
• Independent retailer databases
• Encrypted in flight
• Shopper ID masked

Decision Points
• Deployments were still manageable manually
• Relied on IaaS and standard images
• Basic monitoring
• Patch when critical
• Redundant across zones

Page 14: Evolution of a secure cloud


National Network

[Diagram: National Network, delivered as PaaS. Components: Analytics, Digital Incentives, Social Media, Mobile Advertising, real time high speed transactions.]

Page 15: Evolution of a secure cloud


[Diagram: PaaS – Areas of Responsibility. Provider column: Perimeter, Server, OS, Storage. Consumer column: Application, ID Management, Authentication, Authorization, Access, Application configuration. Caption: Outsourcing the application platform.]

Page 16: Evolution of a secure cloud


Current Situation

Acquired by Inmar, focused on security and scalability
• 30+ person team
• 4 person DevOps team
• My focus is on the Platform, another VP owns the apps

Decision Points
• Pass audits, get certifications
• Follow IT controls best practices
• Distribute work across many nodes
• Automate everything
• Minimize access, segregation of duties
• Intrusion detection and prevention
• Patching strategy

Page 17: Evolution of a secure cloud


Intrusion Detection and Prevention

Leverage AWS’s IAM (Identity and Access Management) services
• Multiple security groups with different permissions
• Multiple AWS Accounts (Prod, QA, R&D)
• Chef scripts automate security in AMI creation

Lock down and remove unnecessary software and services
• Operating System
• Database
• Application Server
• Monitors and alerts for access attempts
• Lock down production DB access – all non-API access on read-only slaves
• All CRUD via APIs (data service layer) with credentials (* rare exceptions)

Page 18: Evolution of a secure cloud


Restrict Access – Central Logging Strategy

[Diagram: central logging. Web Servers, API Servers, Database Servers and Utility Servers each forward their DB logs, app server logs and web/API/app logs over SYSLOG to the Log Servers, which handle log centralization/prep and feed log search & analytics. Admins have total access; developers access the log server only.]

Page 19: Evolution of a secure cloud


SLA & Performance Management

Page 20: Evolution of a secure cloud


Published APIs

[Diagram: Published APIs, delivered as PaaS. Components: Analytics, Digital Incentives, Social Media, Mobile Advertising, real time high speed transactions, plus an open slot marked ????.]

Page 21: Evolution of a secure cloud


Next on the List

API 2.0
• Versioning strategy
• More advanced security
• API access, key management, OAuth

Self Service
• Self register
• Self subscribe and publish
• Online payments

• Hybrid clouds
• Offload payments to a processor

Page 22: Evolution of a secure cloud


Recommendations

Have a roadmap
• Prioritize and chip away at the list
• Make security tasks part of your sprint planning
• Have a living, breathing security document because you will get asked for it daily

Page 23: Evolution of a secure cloud


Recommendations

Don’t be Mordac!

Think Differently
• It’s just another data center, only you can’t see it.
• Apply the same best practices
• Apply some new best practices for the cloud
• Every problem has a solution

Page 24: Evolution of a secure cloud


Questions

Page 25: Evolution of a secure cloud

For more information:

[email protected]

Mike Kavis