How To Move Your Data Center To The Cloud - Chris Brenton of Dyn

How to Move Your Data CenterTo A Cloud InfrastructureJanuary 22, 2014

Chris BrentonDirector of Security

http://www.linkedin.com/company/dyn

http://www.facebook.com/Dyn

http://twitter.com/dyninc

http://www.youtube.com/dyninc

Pg. 2 How to Move Your Data Center to a Cloud Infrastructure @chris_brenton

Your Presenter

Chris Brenton - Director of Security@Chris_Brenton

[email protected]






What We’ll Cover

• Background on industry trends

• Strengths and weaknesses of each cloud

service and deployment model

• Security options






New Era of Computing

• Mainframe/mini = Generation 1

• PC client/server = Generation 2

• Hybrid cloud = Generation 3– No single deployment model– Hit its stride in 2010






An Automotive Analogy• The 1960s:

o Easy to work ono Extremely inefficient (poor power and mileage)






An Automotive Analogy• The 1980’s:

o Change fluids and that’s about ito 50% improvement in power and

mileage






An Automotive Analogy• The 2000s:

o Outsource just about everything to specialists

o 200%+ improvement in power and mileage






Private or Public Cloud Infrastructure?

• Private -- Do it all yourself

o You maintain control and all responsibility

o You need to staff accordinglyo Greater flexibility






Private or Public Cloud Infrastructure?

• Public -- Outsource to specialists

o Easier to focus on core product(s)o Less staffing concernso Speed of scale






Definitions: Tenant and Provider

• Tenanto Entity consuming the resource(s)o This could be your customerso This could be other internal workgroups






Definitions: Tenant and Provider

• Providero Entity managing the resource(s)o This could be your Operations

groupo This could be a 3rd party company






Gen2 Computing






Gen3 Computing






Gen3 Computing SMB






Déjà vu – Laptops As A Model• We’ve dealt with mobile workloads in the past







• Workstations used to only reside on desks







• Workstations used to only reside on desks• Laptops opened up the possibility of working

from anywhere






Déjà vu – Laptops As A Model• Security needed to change from being network

based to host based






Déjà vu – Laptops As A Model• Security needed to change from being network

based to host based

• Expect similar to occur with mobile workloads– Shared resources means host based

technology must be reworked prior to use






Cloud Models

• Infrastructure as a Service (IaaS)o Provider supplies platformo Tenant loads OS and all apps






Cloud Models

• Platform as a Service (PaaS)o Provider supplies platform and stacko Tenant provides custom apps






Cloud Models

• Software as a Service (SaaS)o Provider supplies OS, stack and appso Tenant hits the ground running






Cloud Model Examples• IaaS

o Amazon Web Services (AWS)o Rackspace Cloud Hosting






Cloud Model Examples• IaaS

o Amazon Web Services (AWS)o Rackspace Cloud Hosting

• PaaSo Original Microsoft Azureo VMware Cloud Foundry






Cloud Model Examples• SaaS

o Dyno Salesforce






Deployment Model Tradeoffs

• IaaSo Provider generates the lowest level

environmento More work for tenant to deploy appo More tenant control to implement

security






Deployment Model Tradeoffs• SaaS

o Nearly turnkey solution for app deploymento Least amount of tenant control and

flexibility






Deployment Model Tradeoffs• PaaS

o Sits in the middle






Delineation of Responsibility






What Are My Security Options?






Extending The LAN Into The Cloud






LAN Extended Challenges• Increases load on corporate link

o Today we’re mobileo Limits public cloud scaling

• Increase load on perimeter infrastructure






LAN Extended Challenges• Negates network benefits

o Provider load balancingo Multi-peer pointso Geo-location DNS o Higher latency

• No protection within virtual infrastructure






Virtual Appliance Management






Virtual Appliance Architecture






What About Introspection?

• Hypervisor based securityo Has visibility into all VMs







• Hypervisor based securityo Has visibility into all VMs

• Single point of managemento For a specific hypervisor deployment







• Do you want other tenants to have access to your hypervisor?







• Do you want other tenants to have access to your hypervisor?

• Do you want your provider to have non-auditable access to your VMs?o Can break segregation of duties






Host-Based Architecture

Consistent architecture (and risk abatement) regardless of deployment






Why Host Based Firewalls?

• Tenant controlled– Provider gains no additional access








• Supported across all cloud infrastructures








• Supported across all cloud infrastructures• Consistent management across all cloud

deployments









deployments• Security is portable with the VM









deployments• Security is portable with the VM• Mitigate potential risks from vswitch or VLANs






Consistency is Key to Security• Customization is common in small

business






Consistency is Key to Security• Customization is common in small business

• Focus is on getting the product to market– “We’ll worry about maintaining it later”






Consistency is Key to Security• Enterprise needs to play “the long game”






Consistency is Key to Security• Enterprise needs to play “the long game”

• “Snowflakes” can be an inhibitoro Reduces available resources for

innovationo Can easily stunt an organizations

ability to scale






One Off Server Deployment






VM Cloning






Clones Should All Have• Patches to the same level







• Identical configuration settings







• Identical configuration settings• Same system accounts







• Identical configuration settings• Same system accounts• The same processes running in

memory







• Identical configuration settings• Same system accounts• The same processes running in

memory• Usually no reason to logon– Update master and re-clone






VM Clone Security = Spot The Difference Game






Spot The Difference

GoldMaster

Has an additionallistening port open






GoldMaster

1 login successfulon first try

Spot The Difference






Spot The Difference

GoldMaster

Missing 3 patches Missing 3 patches

Missing 3 patches






VM Clone Security

• Can identify positive exceptions, not just negative ones

oSuccessful logino Increased patch level






VM Clone Security

• Can simplify server securityo No more one off auditing!o Far easier to ID variations that matter






Questions?

Chris Brenton - Director of Security@Chris_Brenton

[email protected]





Technology

How To Move Your Data Center To The Cloud - Chris Brenton of Dyn