Post on 11-Feb-2017
transcript
Fundamentals of Cloud & Cloud Security
Viresh Suri, GlobalLogic
16th December 2015 | Delhi, Innerve - 2015
Fundamentals of Cloud Computing
What is Cloud Computing?
Evolution of IT Computing Models
http://mydocumentum.wordpress.com/2011/05/14/monday-may-9-2011/
The NIST Definition of Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
National Institute of Standards and Technology (NIST) www.nist.gov
Cloud Computing Taxonomy - NIST
http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html
Service Models: Private (On-Premise), Infrastructure (as a Service), Platform (as a Service), Software (as a Service)
[Figure: for each service model the same stack of layers is shown (Storage, Server HW, Networking, Servers, Databases, Virtualization, Runtimes, Applications, Security & Integration), with each layer marked either "Managed by you" or "Managed by vendor"]
Virtualization – The Cloud Backbone
Hypervisor
Cloud Architecture
What is driving Cloud adoption ?
Enterprise challenges
• Speed of provisioning constrains business execution
• Disaster Recovery, Fault Tolerance, High Availability
• Existing hardware has reached end of serviceable life
• Datacenter capacity limits are being reached
• Applications & processes have variable demand
• High Maintenance Costs
• Software License Costs
How Cloud helps …
• Elastic Capacity, Infinitely Scalable (Almost)
• Quick and Easy Deployment, Provisioning in Minutes, Business Agility
• No CapEx, only OpEx; Fine grained billing (hourly); Pay as You go
• Leverage Global Scalability & DR
• Be Free from IT Management Hassles
• Metering, Monitoring, Alerts
Cloud Challenges
• Legal & Compliance
• Security
• Lack of Standards, Compatibility
• Reliability & Performance
A Snapshot of Cloud Providers
Holistic Migration Process
Cloud Assessment
• Cost Analysis
• Security & Compliance
• Migration Tools
• Application Compatibility
• Defining Success Criteria
Cloud Platform Validation
• Understand a particular platform
• Platform capabilities
• Services Offered
• Security considerations
• Pricing
• Build POCs
• Compatibility issues
• Identify Migration tools
Data Migration
• DB Options & Management
• Storage Options
• HA & DR support
• Migration Tools
• Backup / Restore points
• Define success criteria
Application Migration
• Full Migration
• Partial Migration
• Run in parallel
• Integration with On-Premise systems
• Integration tools & Management
• Create / Identify images to be used
Cloud Deployment
• Configure Auto-Scaling
• Monitoring & Notifications
• Security Configuration
• Dashboards for resource management
• Business Continuity Planning
Cloud Optimization
• Cost Saving Opportunities
• Analyze usage patterns
• Application Performance Tuning
Public v/s Private Cloud Decision
Key Question              Private Cloud Preferable    Public Cloud Preferable
Demand                    Constant                    Variable
Growth                    Predictable                 Unpredictable
Users                     Concentrated                Dispersed
Customization             High                        Minimal to none
Data Privacy & Security   Stringent Requirement       Moderate Requirement
Performance               Very High                   Moderate to High
Fundamentals of Cloud Security
Important Points to know
Top cyberattack methods aimed at cloud deployments grew 45 per cent (Application Attacks), 36 per cent (Suspicious Activity) and 27 per cent (Brute Force attacks) respectively over the previous year, while top attacks aimed at on-premises deployments remained relatively flat.
Read more: http://www.itproportal.com/2015/11/16/interview-charting-the-cloud-security-landscape/#ixzz3uT1S7EQ8
As per the 2014 KPMG Cloud Security Report
• When it comes to selecting a cloud solution, Security is the no. 1 concern
• Compared to the 2012 survey, security and data privacy are greater concerns than cost efficiency
• Security is a lesser challenge now than in 2012: cloud providers are better prepared to secure data and to manage security breaches when they occur
CSA’s “Notorious 9” Security Threats
• Data Breaches
• Data Loss
• Account or Service Hijacking
• Insecure APIs
• Denial of Service
• Malicious Insiders
• Abuse of Cloud Services
• Insufficient Due Diligence
• Shared Technology
Key Security Considerations in a Public Cloud
Network Security
• Built-in firewalls, control of network access to instances and subnets
• Private / Dedicated Connectivity options from office / on-premises environments
• Encryption in transit
• DDoS mitigation
Configuration Management
• Inventory and Configuration Management tools to identify resources and to track and manage them
• Template definition and management tools to create standard / pre-configured VMs
• Deployment Tools to manage creation and decommissioning of resources as per org. standard
Data Encryption
• Available for data at rest in Storage services
• Flexible Key Management options, including Cloud Managed keys / self-managed keys
• Hardware based cryptographic key storage options
• APIs for you to integrate encryption and data protection with any service developed / deployed on the cloud
Access Control
• Capabilities to define, enforce and manage user access policies across services
• Identity and Access Management
• Multifactor authentication, including hardware based authentication options
• Integration and federation with corporate directories
Monitoring and Logging
• Deep visibility into API calls, including Who ? What ? When ? From Where ?
• Log aggregation, streamlining investigations, compliance reporting
• Alert notifications
Cloud Security Landscape
http://www.josephfloyd.com/blog/cloud-security-landscape
Cloud Security Comparison
http://fortycloud.com/iaas-security-state-of-the-industry/
The Road Ahead
• Clouds are more prone to security attacks than on-prem deployments
• That doesn't mean those attacks are successful
• Cloud Providers are better enabled to handle security now
• 2016 will be the first year when people choose cloud because of security benefits, and not elasticity / cost
• However, stay cautious ! More serious attacks could be expected as well
Security in AWS
Standards Supported: GxP, ISO 13485, AS9100, ISO/TS 16949
Shared Responsibility
[Figure: the AWS shared responsibility model]
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Managed by Customers:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
AWS CloudTrail
CloudTrail records API calls on services and delivers detailed logs.
Use Cases supported :
• Security Analysis : Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns
• Track Changes to AWS Resources : Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes
• Troubleshoot Operational Issues : Identify the most recent actions made to resources in your AWS account
• Compliance Aid : Easier to demonstrate compliance with internal policies and regulatory standards
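As an added example (not from the deck or from AWS), the Python analyzer below runs the "Security Analysis" and "Track Changes" use cases above over a constructed CloudTrail log file: it answers who, what, when and from where for root-account activity and for changes to EC2 instances, VPC security groups and EBS volumes, and flags repeated console-login failures from a single source address. The record field names follow CloudTrail's documented layout; the records themselves and the CHANGE_EVENTS list are constructed for this example.

```python
import json
from collections import Counter

# Constructed sample CloudTrail log file (not real data). Field names follow the
# documented CloudTrail record layout; the values are made up for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-12-16T09:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2015-12-16T09:00:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2015-12-16T09:00:09Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2015-12-16T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root"}, "requestParameters": {"groupId": "sg-example"}},
    {"eventTime": "2015-12-16T09:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]})

# Resource-changing API calls for the resource types the slide names (EC2
# instances, VPC security groups, EBS volumes); a starter list, not exhaustive.
CHANGE_EVENTS = {"RunInstances", "TerminateInstances", "CreateSecurityGroup",
                 "DeleteSecurityGroup", "AuthorizeSecurityGroupIngress",
                 "RevokeSecurityGroupIngress", "CreateVolume", "DeleteVolume"}

def analyze(trail_json, fail_threshold=3):
    """Return who/what/when/from-where findings for three review questions."""
    findings = {"root_usage": [], "resource_changes": [], "login_bruteforce": []}
    failed_logins = Counter()
    for r in json.loads(trail_json)["Records"]:
        who, where = r.get("userIdentity", {}), r.get("sourceIPAddress")
        what, when = r.get("eventName"), r.get("eventTime")
        if who.get("type") == "Root":          # root should almost never be used
            findings["root_usage"].append((when, what, where))
        if what in CHANGE_EVENTS:               # track changes to AWS resources
            findings["resource_changes"].append((when, who.get("userName", who.get("type")), what, where))
        failed = (r.get("responseElements") or {}).get("ConsoleLogin") == "Failure"
        if what == "ConsoleLogin" and failed:  # repeated failures from one address
            failed_logins[where] += 1
    for ip, n in failed_logins.items():
        if n >= fail_threshold:
            findings["login_bruteforce"].append((ip, n))
    return findings
```

In practice the same function would be fed the gzipped JSON files CloudTrail delivers to your S3 bucket, and each findings list would become an alert or a row in your log management tool.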
AWS Config
AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
Use Cases :
• Am I safe ? : Continuously monitor the configurations of your resources and evaluate these configurations for potential security weaknesses
• Where is the evidence ? : A complete inventory of all resources and their configuration attributes is available for any point in time
• What will this change affect ? : Relationships between resources are understood, so that you can proactively assess change impact
• What has changed ? : You can quickly identify the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files
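As an added example (not from the deck or from AWS), this Python snippet answers the "Am I safe ?" and "What will this change affect ?" questions over a constructed, simplified set of AWS Config configuration items: it flags security groups that expose an administrative port to 0.0.0.0/0 and EBS volumes that are not encrypted at rest, and lists the related resources each finding touches. The item shape (resourceType, resourceId, configuration, relationships) is an assumption modelled on Config's layout, not copied from AWS.

```python
import json

# Constructed AWS Config configuration items (not real data). The shape
# (resourceType, resourceId, configuration, relationships) is a simplified
# assumption modelled on Config's item layout, not copied from AWS.
SAMPLE_ITEMS = json.dumps([
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-web",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]},
     "relationships": [{"resourceType": "AWS::EC2::Instance", "resourceId": "i-web1"},
                       {"resourceType": "AWS::EC2::Instance", "resourceId": "i-web2"}]},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-admin",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]}]},
     "relationships": [{"resourceType": "AWS::EC2::Instance", "resourceId": "i-bastion"}]},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-data",
     "configuration": {"encrypted": False}, "relationships": []},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-logs",
     "configuration": {"encrypted": True}, "relationships": []},
])

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never expose these to the whole internet

def evaluate(items_json):
    """Return (resourceId, finding, affected resource ids) for each weakness."""
    findings = []
    for item in json.loads(items_json):
        cfg, rid = item["configuration"], item["resourceId"]
        # "What will this change affect?": related resources the item is attached to
        affected = [rel["resourceId"] for rel in item.get("relationships", [])]
        if item["resourceType"] == "AWS::EC2::SecurityGroup":
            for perm in cfg.get("ipPermissions", []):
                # ipProtocol "-1" (all traffic) carries no ports: treat as 0-65535
                lo = perm["fromPort"] if perm.get("fromPort") is not None else 0
                hi = perm["toPort"] if perm.get("toPort") is not None else 65535
                world = "0.0.0.0/0" in perm.get("ipRanges", [])
                if world and any(lo <= p <= hi for p in ADMIN_PORTS):
                    findings.append((rid, f"ports {lo}-{hi} open to 0.0.0.0/0", affected))
        elif item["resourceType"] == "AWS::EC2::Volume" and not cfg.get("encrypted"):
            findings.append((rid, "EBS volume not encrypted at rest", affected))
    return findings
```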
AWS Key Management Service
• A managed service that makes it easy for you to create, control, and use your encryption keys
• Centralized view of all key usage in the organization
• Uses HSMs to protect Key Security
• Integrated with AWS CloudTrail to provide logs for all key usage for regulatory and compliance requirements
AWS IAM
• Centrally manage users, security credentials such as passwords, access keys, permissions, policies that control which AWS services and resources users can access
• Allows creation of multiple AWS users, give them their own user name, password, access keys
AWS CloudHSM
• Allows protection of encryption keys within HSMs designed and validated to government standards for secure key management
• Cryptographic keys can be generated, managed and stored such that they are accessible only by you
• Allows regulatory compliance without compromising on application performance
• CloudHSM instances are provisioned inside your VPC with an IP address that you specify, providing simple and private network connectivity to your Amazon Elastic Compute Cloud (EC2) instances
AWS VPC
• Allows provisioning of a logically isolated section of the AWS cloud, where AWS resources can be launched in a virtual network defined by you
• You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways
• You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet
• Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.
AWS WAF
• AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
• Gives you control over which traffic to allow or block to your web application by defining customizable web security rules.
• You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application.
• New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.
AWS Inspector (Preview)
• Automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
• Automatically assesses applications for vulnerabilities or deviations from best practices.
• After performing an assessment, Amazon Inspector produces a detailed report with prioritized steps for remediation.
• Includes a knowledge base of hundreds of rules mapped to common security compliance standards (e.g. PCI DSS) and vulnerability definitions. Examples of built-in rules include checking for remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.
viresh.suri@globallogic.com
http://www.linkedin.com/in/vireshsuri
Thank You