Higher Logic at the Cloud Security Summit

Page 1: DC Cloud Security Summit
Conor F. Sibley, CTO
10/20/2016

Page 2: Higher Logic at a glance - Company
• Company
  • Founded 2007
  • ~100 employees
  • Growing fast
• Product
  • Online Communities
  • Volunteer Management
  • Customer Advocacy Management
  • Small Org Web Management
  • Event Communities

Page 3: Higher Logic at a glance - Technology
• Platform
  • AWS (auto scale ~65 instances)
  • Lots of AWS Services (SES/SQS)
  • MSSQL
  • IIS
  • C#
  • .NET
  • Solr
  • HAProxy
  • ClamAV
  • Active Directory
  • SSRS
  • MySQL
  • PostgreSQL
  • Redis
  • Tons of OSS in the App tier

Page 4: The Problem(s)
• Since founding we have seen ever increasing:
  • Contractual security requirements
  • Larger and more security conscious clients
  • Attack sophistication
  • Issues finding staff with security expertise
  • Number of employees

Page 5: What we used to do
• Housed in a budget datacenter
• Experience performance degradation or notification from client
• Panic
• TCPDump/Scan each machine/LogParserLizard
• Panic worse
• IPTables Block/Reprovision servers/Deploy new code
• Waste days on post issue investigation instead of focusing on growing our business

Page 6: Product Security Model – Defense in Depth
• Physical Security
  • AWS
• Network Security
  • Alert Logic
• Application Security
  • Higher Logic
• Content Security
  • Client

Page 7: AWS - Physical
• Compliance Center
  • https://aws.amazon.com/compliance/

Page 8: Alert Logic - Network
• Web Application Firewall
  • Reduces overall system load
• Offsite Log Management
  • Single point of investigation
• Security Operations Center
  • 24/7 we get to sleep and don’t have to hire extra staff
• Intrusion Detection
  • Active monitoring of production infrastructure while we innovate

Page 9: Higher Logic
• Encryption and KMS via Virgil Security
• Multiple VPCs
• Firewalls
• Fault tolerant
• Encrypted data volumes
• Application access and auditing
• Immutable infrastructure
  • Mostly…
• Role Based Access Control
  • IAM
  • Group Managed Service Accounts
• Manual Testing
• Automated Testing
• Security Scanners
• Penetration Testing

Page 10: Client
• Education
  • Learning Series
• Configuration
  • Who can access what
  • Including HL staff
• Accountability
  • Audit who did what and when
  • Scheduled reports showing privileged actions
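The accountability bullets describe a report rather than a tool. The following is an added example, not code from the deck or from Higher Logic, of what such a scheduled report looks like in practice: audit records are filtered down to the calls that change identities, permissions, network exposure or key policy, then grouped by actor with timestamp and parameters. The records are constructed sample data in CloudTrail shape (the event names are real AWS API names; the account id, ARNs and key id are made up), and the set of actions classed as privileged is an assumption to be extended per environment.

```python
"""Scheduled report of privileged actions over audit events.

Added example: filters audit records down to permission-, exposure- and
key-changing calls and groups them by actor, which is the "who did what and
when" report the slide asks for. Records are constructed sample data in
CloudTrail shape; event names are real AWS API names, account id and ARNs
are made up.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timezone

# Calls treated as privileged: anything that changes identities, permissions,
# network exposure or key policy. Assumed starting list; extend per environment.
PRIVILEGED_ACTIONS = {
    "iam": {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
            "AttachRolePolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"},
    "ec2": {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
            "ModifyInstanceAttribute"},
    "kms": {"PutKeyPolicy", "DisableKey", "ScheduleKeyDeletion"},
}

ACCOUNT = "111122223333"  # constructed account id

# Constructed sample records (CloudTrail field names, made-up values).
SAMPLE_EVENTS = [
    {"eventTime": "2016-10-19T14:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2016-10-19T14:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",          # read-only, not reported
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {}},
    {"eventTime": "2016-10-19T16:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:role/ops-deploy"},
     "requestParameters": {"groupId": "sg-0123abcd", "cidrIp": "10.0.0.0/8",
                           "fromPort": 443, "toPort": 443}},
    {"eventTime": "2016-10-12T09:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "PutKeyPolicy",               # older than the weekly window
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/carol"},
     "requestParameters": {"keyId": "KEY-ID-PLACEHOLDER"}},
]


def _service(event: dict) -> str:
    """'iam.amazonaws.com' -> 'iam'."""
    return event["eventSource"].split(".", 1)[0]


def _parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_privileged(event: dict) -> bool:
    return event["eventName"] in PRIVILEGED_ACTIONS.get(_service(event), set())


def privileged_actions(events: list[dict], since: str | None = None) -> list[dict]:
    """Privileged events at or after `since` (ISO-8601 'Z' string), oldest first."""
    cutoff = _parse_time(since) if since else None
    kept = [e for e in events
            if is_privileged(e)
            and (cutoff is None or _parse_time(e["eventTime"]) >= cutoff)]
    return sorted(kept, key=lambda e: e["eventTime"])


def report(events: list[dict], since: str | None = None) -> dict[str, list[dict]]:
    """Group privileged actions by actor ARN: {arn: [{time, action, params}, ...]}."""
    by_actor: dict[str, list[dict]] = defaultdict(list)
    for e in privileged_actions(events, since):
        by_actor[e["userIdentity"]["arn"]].append({
            "time": e["eventTime"],
            "action": f"{_service(e)}:{e['eventName']}",
            "params": e.get("requestParameters", {}),
        })
    return dict(by_actor)


def render(rep: dict[str, list[dict]]) -> str:
    """Plain-text body for the scheduled mail or ticket."""
    lines = []
    for actor, actions in sorted(rep.items()):
        lines.append(actor)
        for a in actions:
            lines.append(f"  {a['time']}  {a['action']}  "
                         f"{json.dumps(a['params'], sort_keys=True)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Weekly run as of the talk date: everything since 2016-10-13.
    print(render(report(SAMPLE_EVENTS, since="2016-10-13T00:00:00Z")))
```

In a real deployment the event list comes from the trail or the offsite log store rather than an inline constant, and `since` is set to the report cadence. Classifying by event name is deliberately simple: it catches the changes that matter for "who can access what" (policy attachments, key creation, security group edits, key policy changes) while leaving read-only calls such as `DescribeInstances` out of the report.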

Page 11: Incident Response
• Source
  • AWS/Alert Logic SOC/AppDynamics/Internal/Client Notification
• Identify
  • Based on system component, expert is assigned primary responsibility
• Contain
  • Find boundaries of issue, isolate, remove from network and snapshot EVERYTHING
• DESTROY
  • …
• Rebuild
  • Let Auto Scaling Groups take over
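The Contain, DESTROY and Rebuild steps above map onto a small, fixed-order runbook for a single EC2 instance. The following is an added example, not Higher Logic's runbook or code from the deck: it swaps the instance's security groups for an isolation group (assumed to exist with no inbound or outbound rules), snapshots every attached EBS volume before anything is destroyed, tags the snapshots with the incident id, then terminates so the Auto Scaling Group rebuilds. The client methods it calls (`describe_instances`, `modify_instance_attribute`, `create_snapshot`, `create_tags`, `terminate_instances`) are boto3 EC2 client methods; `FakeEC2` is an offline stand-in that records the calls so the example runs without an account, and every instance, volume, group and incident id is constructed.

```python
"""Contain, snapshot, destroy, rebuild for one EC2 instance.

Added example (not Higher Logic's runbook). contain_and_destroy() drives an
EC2 client through the slide's steps in a fixed order: cut the instance off
the network, snapshot every attached volume, tag the evidence, terminate so
the Auto Scaling Group rebuilds. The client methods used are boto3 EC2 client
methods; pass boto3.client("ec2") in production. FakeEC2 is an offline
stand-in that records calls. All ids are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FakeEC2:
    """Offline stand-in for boto3's EC2 client; records the calls it receives."""
    instances: dict                 # id -> {"groups": [...], "volumes": {device: vol}}
    calls: list = field(default_factory=list)
    snapshots_made: int = 0

    def describe_instances(self, InstanceIds):
        iid = InstanceIds[0]
        inst = self.instances[iid]
        return {"Reservations": [{"Instances": [{
            "InstanceId": iid,
            "SecurityGroups": [{"GroupId": g} for g in inst["groups"]],
            "BlockDeviceMappings": [{"DeviceName": d, "Ebs": {"VolumeId": v}}
                                    for d, v in inst["volumes"].items()],
        }]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["groups"] = list(Groups)
        self.calls.append(("modify_instance_attribute", InstanceId, tuple(Groups)))

    def create_snapshot(self, VolumeId, Description):
        self.snapshots_made += 1
        self.calls.append(("create_snapshot", VolumeId, Description))
        return {"SnapshotId": f"snap-{self.snapshots_made:04d}"}

    def create_tags(self, Resources, Tags):
        self.calls.append(("create_tags", tuple(Resources),
                           tuple((t["Key"], t["Value"]) for t in Tags)))

    def terminate_instances(self, InstanceIds):
        for iid in InstanceIds:
            self.instances[iid]["state"] = "shutting-down"
        self.calls.append(("terminate_instances", tuple(InstanceIds)))


def contain_and_destroy(ec2, instance_id: str, incident_id: str,
                        isolation_sg: str, destroy: bool = True) -> dict:
    """Isolate -> snapshot -> tag -> terminate. Returns a record for the incident timeline."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_groups = [g["GroupId"] for g in inst["SecurityGroups"]]
    volumes = [m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"] if "Ebs" in m]

    # 1. Contain: replace all security groups with the isolation group (assumed to
    #    exist with no inbound or outbound rules). Keep the original groups in the
    #    record; they document the exposure at the time of the incident.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])

    # 2. Snapshot EVERYTHING before anything is destroyed. Termination deletes
    #    volumes marked DeleteOnTermination, so this must precede step 3.
    snapshots = []
    for vol in volumes:
        resp = ec2.create_snapshot(VolumeId=vol,
                                   Description=f"{incident_id} {instance_id} {vol}")
        snapshots.append(resp["SnapshotId"])
    if snapshots:
        # Tag the evidence so it is findable and excluded from lifecycle cleanup.
        ec2.create_tags(Resources=snapshots,
                        Tags=[{"Key": "Incident", "Value": incident_id},
                              {"Key": "SourceInstance", "Value": instance_id}])

    # 3. DESTROY, then rebuild: the Auto Scaling Group replaces the instance from
    #    the current image, so nothing from the compromised host is carried forward.
    if destroy:
        ec2.terminate_instances(InstanceIds=[instance_id])

    return {"instance": instance_id, "original_groups": original_groups,
            "snapshots": snapshots, "terminated": destroy}


def demo() -> tuple[FakeEC2, dict]:
    """Run the runbook against a constructed instance; returns (client, record)."""
    ec2 = FakeEC2(instances={"i-0abc123": {
        "groups": ["sg-web", "sg-admin"],
        "volumes": {"/dev/xvda": "vol-root", "/dev/xvdf": "vol-data"},
    }})
    return ec2, contain_and_destroy(ec2, "i-0abc123", "INC-PLACEHOLDER-001", "sg-isolation")


if __name__ == "__main__":
    client, record = demo()
    print(record)
    for call in client.calls:
        print(call)
```

Two points the slide does not spell out matter when this runs against a real Auto Scaling Group. First, an isolated instance stops passing its load balancer health check, and the group may recycle it on its own before the snapshots have been requested; putting the instance into Standby (the `EnterStandby` Auto Scaling API) or turning on instance protection before step 1 keeps the evidence under your control. Second, termination discards memory and instance-store contents, so any volatile capture the investigation needs has to happen between steps 1 and 3, while the host is isolated but still running.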

Page 12: Summary – Our guiding principles for security
• Use vendors!
• Reduce staff
• Maintain 24/7 monitoring/alerting
• Focus on our core business
• Control costs
• Point to best practice during sales calls
• Security accreditation