Application Security in the Cloud - Best Practices (webinar slide transcript, May 20, 2010)
Page 1: Application Security in the Cloud - Best Practices

Application Security in the Cloud

Best Practices

May 20, 2010

Page 2: Application Security in the Cloud - Best Practices

Your Panel Today

Presenting:

Bernard Golden – CEO, HyperStratus

Steve Riley – Sr. Technical Program Manager, Amazon Web Services

Michael Crandell – CEO, RightScale

Q&A line:

Tony Spataro – Security Specialist, RightScale

Andrew DeMille – Sr. Account Manager, RightScale

Please use the questions window to ask questions anytime!

Page 3: Application Security in the Cloud - Best Practices

Agenda

Welcome

We're all in this Together

Overview of AWS Security

Overview of RightScale Security

Introduction to Security Best Practices for AWS

Q&A


Page 4: Application Security in the Cloud - Best Practices

Security Is The Biggest Issue Slowing Cloud Deployment

• Number one concern

• Confusion: who's responsible?

• Lack of guidance/best practices

Page 5: Application Security in the Cloud - Best Practices

What You'll Learn In This Webinar

• Application security: six key best-practice areas

• Techniques for layered & application-group security

• Amazon: infrastructure and security framework

• RightScale: management to automate security consistently

Page 6: Application Security in the Cloud - Best Practices

HyperStratus In The Enterprise

• World-class education & consulting

• Amazon & RightScale partner

• Contributor to AWS practices & code

• Proven methodologies: '6 Security Essentials'

Page 7: Application Security in the Cloud - Best Practices

Security is a Shared Responsibility

Integrates application with infrastructure and management security framework

Implements consistent and automated security practices

[Diagram layers: Best Practices, Security Framework, You]

Page 8: Application Security in the Cloud - Best Practices

Traditional security model

Control: Secure vs. Not secure

Ownership: Mine vs. Not mine

Location: Here vs. Not here

Page 9: Application Security in the Cloud - Best Practices

Layers of trust

My hardware (root)

My software

My people

Perimeters separate trusted (owned, local) from untrusted (other, remote)

Page 10: Application Security in the Cloud - Best Practices

The model is breaking

Control: Secure vs. Not secure

Ownership: Mine vs. Not mine

Location: Here vs. Not here

Seriously?


Page 12: Application Security in the Cloud - Best Practices

New security model

Control:

• Encryption and signatures

• Service level agreements

• Auditable security standards

Page 13: Application Security in the Cloud - Best Practices

Ownership vs. control

Ownership not required to maintain control

LAN/WAN: • Pipe • Data

VPN: • Data

On-premise: • Compute • Storage • Data

Cloud: • Data

Page 14: Application Security in the Cloud - Best Practices

[Diagram: Amazon EC2, Amazon S3, Amazon CloudFront]

Pages 15-22: Application Security in the Cloud - Best Practices (diagram-only slides; no text survived extraction)

Page 23: Application Security in the Cloud - Best Practices

[Diagram: Amazon EC2 combined with Amazon S3, Amazon SimpleDB, Amazon EBS, Amazon RDS]

Page 24: Application Security in the Cloud - Best Practices

[Diagram: EC2 instance isolation layers]

Hypervisor layer (AWS admins only): SSH via bastions; audits reviewed

Physical interfaces

AWS firewall: Customer 1 / Customer 2 / Customer n security groups (customer only): inbound flows, default deny

Customer 1 / Customer 2 / Customer n virtual interfaces

Customer 1, Customer 2, ... Customer n instances (customer only): SSH, ID/pw, X.509; root/admin control

Page 25: Application Security in the Cloud - Best Practices

[Diagram: storage handling for Amazon EBS vs. all others (EC2 ephemeral storage, other services)]

Page 26: Application Security in the Cloud - Best Practices

[Diagram: Your corporate network, Amazon Web Services Cloud, Your VPC]

Page 27: Application Security in the Cloud - Best Practices

[Diagram: Your corporate network, Amazon Web Services Cloud, Your VPC]

Currently:

• EC2 on-demand and reserved

• EBS

• CloudWatch

• Linux/Unix and Windows

• US-East, EU-West

Upcoming:

• >1 router, >1 AZ

• Outbound Internet

• Elastic IPs

• Elastic Load Balancing

• Autoscaling

• DevPay

• Inter-subnet security groups

Page 30: Application Security in the Cloud - Best Practices

Compliance

Sarbanes-Oxley Act: ongoing

HIPAA: current customer deployments; whitepaper describes the specifics

SAS 70 Type II: complete (physical security, access controls, change management, operations)

ISO 27001: in progress

Page 32: Application Security in the Cloud - Best Practices

RightScale Cloud Management Platform

Page 33: Application Security in the Cloud - Best Practices

RightScale Lifecycle Management

Page 34: Application Security in the Cloud - Best Practices

RightScale Security

Account Permissions

Resource Partitioning

Credential Management

Automation

Alerts and Monitoring

Page 35: Application Security in the Cloud - Best Practices


Management Structure for Separation of Privileges

IT personnel have only the access they need to perform their job function:

• "Designer" role: Developers and Testers

• "Observer" role: Managers, Support Reps, Auditors

• "Actor" role: Operations Personnel

Account Permissions

Page 36: Application Security in the Cloud - Best Practices

Best Practices:

• Grant access only as required to perform business function

• Especially limit Actor and Admin privileges

• One user account per person (no sharing)

Account Permissions

Page 37: Application Security in the Cloud - Best Practices

Resource Partitioning

Use two AWS/RightScale accounts: one for test/dev and one for production

• Developers have unrestricted access to the dev account

• Be more restrictive and granular with access to the production account (only ops personnel, privileges only as needed)

Best Practices:

• When ServerTemplates are ready to deploy, share them with your production account

• Ensures consistent testing and deployment procedures; auditor-friendly access control rules

Page 38: Application Security in the Cloud - Best Practices

Resource Partitioning

Page 39: Application Security in the Cloud - Best Practices

Resource Partitioning

[Diagram: Security Groups; allow Internet traffic / allow cloud traffic]

Page 40: Application Security in the Cloud - Best Practices

Credential Management

• Mediate users' consumption of cloud resources

• Input your AWS credential to the dashboard

• The ability to launch and bring down cloud resources is granted through "Roles" given in RightScale

• Safeguard application passwords

• With dashboard credentials users don't need to know passwords

Page 41: Application Security in the Cloud - Best Practices

RightScale Automation

• Security patch rollout: rolling out to all servers in a deployment with the push of a button

• Inject key material into instances at boot time; use it without ever storing it on disk

• Machine builds are consistent and auditable

25 Top Information Managers: 2010

Dave Powers, Eli Lilly & Co.

“Alongside the elastic cloud approach, Lilly is leveraging RightScale's infrastructure management interface and services against appliance/application stacks in a "vending machine" concept that allows self-service to infrastructure and up to three tiers of applications as needed.”

Page 42: Application Security in the Cloud - Best Practices

RightScale Alerts and Monitoring

Security Analytics

• Network bandwidth (Denial of Service)

• Disk/CPU usage (spam bot activity)

Intrusion Detection

• Alert when # logged-in users > 0

• Alert when network connections happen

Intrusion Prevention

• Escalate by unmounting encrypted volumes

• Escalate by shutting down machine or closing firewall
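As an added example (not from the webinar and not RightScale's product code), the following Python implements the two intrusion-detection rules on this slide and the escalation ladder it names: it parses text in the output format of `who` and `ss -tn`, raises an alert for every logged-in user and for every established connection that the server's role profile does not explain, and maps high-severity alerts to an ordered response plan (unmount encrypted volumes, close the firewall, halt). The role profile (an application-tier server serving 8080 to 10.0.1.0/24, dialing MySQL on 10.0.3.0/24, administered from 203.0.113.10), the mount path and the sample command output are all assumptions constructed for this example.

```python
"""Host-level checks for the slide's two detection rules plus its escalation
steps. Illustration written for this page: the role profile is assumed and
the `who` / `ss -tn` output below is constructed, not captured from a real
server. The response commands are returned as a plan, never executed here."""

import ipaddress
import re

# Assumed role profile: an application-tier server that serves 8080 to the
# web subnet, opens MySQL connections to the storage subnet, and is
# administered from one address (RFC 5737 documentation ranges).
ROLE_PROFILE = {
    "serves": {8080: ipaddress.ip_network("10.0.1.0/24")},   # local port -> allowed clients
    "dials": {3306: ipaddress.ip_network("10.0.3.0/24")},    # remote port -> allowed servers
    "admin": ipaddress.ip_network("203.0.113.10/32"),        # only source allowed to SSH in
}

# `who`: user tty date time (origin)   `ss -tn`: State Recv-Q Send-Q Local:Port Peer:Port
WHO_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+(?:\s+\(([^)]*)\))?")
SS_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")


def _in(net, addr):
    """True if addr (a string) parses as an IP inside net; hostnames never match."""
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False


def check_logins(who_output, profile):
    """One alert per interactive session: the slide's 'logged-in users > 0' rule.
    A session from the admin address is a notice; anything else is high."""
    alerts = []
    for line in who_output.splitlines():
        m = WHO_RE.match(line.strip())
        if not m:
            continue
        user, tty, origin = m.group(1), m.group(2), m.group(3) or ""
        if origin and _in(profile["admin"], origin):
            alerts.append(("notice", f"admin session: {user} on {tty} from {origin}"))
        else:
            alerts.append(("high", f"unexpected session: {user} on {tty} from {origin or 'local console'}"))
    return alerts


def check_connections(ss_output, profile):
    """One alert per established TCP connection the role profile does not explain."""
    alerts = []
    for line in ss_output.splitlines():
        m = SS_RE.match(line.strip())
        if not m or m.group(1) != "ESTAB":
            continue
        local_ip, local_port, peer_ip, peer_port = m.group(2), int(m.group(3)), m.group(4), int(m.group(5))
        if local_port in profile["serves"]:
            if not _in(profile["serves"][local_port], peer_ip):
                alerts.append(("high", f"client {peer_ip} on port {local_port} is outside the allowed subnet"))
        elif local_port == 22:
            if not _in(profile["admin"], peer_ip):
                alerts.append(("high", f"SSH connection from {peer_ip}, not the admin address"))
        elif peer_port in profile["dials"] and _in(profile["dials"][peer_port], peer_ip):
            continue  # expected outbound connection for this role
        else:
            alerts.append(("high", f"unexplained connection {local_ip}:{local_port} <-> {peer_ip}:{peer_port}"))
    return alerts


def escalation_plan(alerts):
    """Turn alerts into the slide's escalation ladder, least destructive first:
    unmount encrypted volumes, then close the firewall, then halt when there is
    more than one sign of compromise. Paths and commands are assumed."""
    high = [msg for sev, msg in alerts if sev == "high"]
    if not high:
        return []
    plan = ["umount /mnt/encrypted", "iptables -P INPUT DROP"]
    if len(high) > 1:
        plan.append("shutdown -h now")
    return plan


# Constructed sample output (not captured from a real host).
WHO_SAMPLE = """\
ubuntu   pts/0        2010-05-20 14:02 (203.0.113.10)
mysql    pts/1        2010-05-20 14:05 (198.51.100.7)
"""
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.0.2.15:8080      10.0.1.20:51234
ESTAB  0      0      10.0.2.15:44120     10.0.3.5:3306
ESTAB  0      0      10.0.2.15:22        198.51.100.7:40022
ESTAB  0      0      10.0.2.15:51000     198.51.100.99:6667
"""

if __name__ == "__main__":
    found = check_logins(WHO_SAMPLE, ROLE_PROFILE) + check_connections(SS_SAMPLE, ROLE_PROFILE)
    for sev, msg in found:
        print(sev, msg)
    print("plan:", escalation_plan(found))
```

On the sample, the admin's own session is reported as a notice, the `mysql` login from an outside address, the SSH session from that same address and the connection to port 6667 are high, and the plan escalates all the way to a halt because more than one indicator fired. In a real deployment the checks would run on the instance (for instance from a monitoring script feeding an alert system) and the plan would be executed by an alert action rather than returned.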

Page 43: Application Security in the Cloud - Best Practices

Alerts & Automation at work

Load exceeds threshold: additional servers operational

Load drops below threshold: additional servers terminated

Page 44: Application Security in the Cloud - Best Practices

Security is a Shared Responsibility (recap of the slide on Page 7)

Page 45: Application Security in the Cloud - Best Practices

6 Crucial Areas For Complete Security

1. Security groups

2. Key management

3. Network security

4. Storage protection

5. Intrusion detection

6. Application code management

Page 46: Application Security in the Cloud - Best Practices

Default Security Group Partitioning

Amazon Web Services: Web, Application and Storage tiers all launched into the default group, with ports 22, 80, 8080 and 3306 opened on it

The default group starts closed (no inbound traffic allowed). Overloading it with every port that any tier needs opens all four ports on every instance, whether its role needs them or not. Default overloading presents a security risk.

Page 47: Application Security in the Cloud - Best Practices

A Better Option: Security Group Partitioning By Application Role

Web, Application and Storage tiers each get their own security group. As labelled in the diagram: port 22 is allowed only from a single IP address in every group; ports 80 and 8080 are opened for the Web and Application tiers; ports 3306 and 8080 are opened for the Storage tier. Each group opens only the ports its role needs, and administrative SSH is limited to one source address.
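As an added example (not from the webinar and not HyperStratus or RightScale code), this Python audits security-group rules for the two conditions on the last two slides: an overloaded default group, and a tier that accepts a port from a source its role does not need. The tier policy (which group may reach which port), the administrative address 203.0.113.10/32 and the three sample group sets are assumptions constructed for the example; the rule dictionaries follow the IpPermissions shape that `aws ec2 describe-security-groups` returns, so real output from that command can be passed to `audit()` once the policy names match your group names.

```python
"""Audit EC2 security-group rules for the two risks on these slides: an
overloaded default group, and a tier reachable on a port from a source its
role does not need. Dictionaries use the IpPermissions shape that
`aws ec2 describe-security-groups` returns; the groups at the bottom are
constructed for this example, not read from a real account."""

ANYWHERE = "0.0.0.0/0"
ADMIN_CIDR = "203.0.113.10/32"   # assumed single administrative address for SSH

# Assumed tier policy: the ports each role may accept and from whom.
# "internet" = any source is acceptable; a group name = only members of that group.
EXPECTED = {
    "web": {80: "internet", 8080: "internet"},
    "application": {8080: "web"},
    "storage": {3306: "application"},
}


def tcp(port, cidr=None, group=None):
    """Build one IpPermissions entry (used only to construct the samples)."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": cidr}] if cidr else [],
        "UserIdGroupPairs": [{"GroupName": group}] if group else [],
    }


def sources(perm):
    """Yield each source of a permission as ('cidr', x) or ('group', name)."""
    for r in perm.get("IpRanges", []):
        yield "cidr", r["CidrIp"]
    for g in perm.get("UserIdGroupPairs", []):
        yield "group", g.get("GroupName") or g.get("GroupId")


def audit_group(group):
    """Return findings for one group; an empty list means it matches the policy."""
    name, perms = group["GroupName"], group.get("IpPermissions", [])
    if name == "default":
        # Rules on the default group apply to every instance launched into it,
        # so any inbound rule here is the "overloading" the slide warns about.
        return [f"default: {len(perms)} inbound rule(s); keep it closed and give each tier its own group"] if perms else []
    policy = EXPECTED.get(name)
    if policy is None:
        return [f"{name}: no tier policy defined for this group"]
    findings = []
    for perm in perms:
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        if lo < 0 or hi - lo > 64:   # protocol "-1" (all traffic) or a broad port range
            findings.append(f"{name}: broad rule {perm.get('IpProtocol')} {lo}-{hi}; list ports explicitly")
            continue
        for port in range(lo, hi + 1):
            for kind, src in sources(perm):
                want = "admin" if port == 22 else policy.get(port)
                if want == "admin" and kind == "cidr" and src == ADMIN_CIDR:
                    continue
                if want == "internet" and kind == "cidr":
                    continue      # Internet-facing port; any CIDR (narrower is fine)
                if kind == "group" and src == want:
                    continue      # reached only from the tier that should talk to it
                if want is None:
                    findings.append(f"{name}: port {port} open to {src}, but this tier does not serve it")
                else:
                    findings.append(f"{name}: port {port} open to {src}; policy allows only {want}")
    return findings


def audit(groups):
    """Audit every group in describe-security-groups order and return all findings."""
    return [f for g in groups for f in audit_group(g)]


# Constructed samples: the overloaded layout vs. the partitioned one.
OVERLOADED = [{"GroupName": "default",
               "IpPermissions": [tcp(p, cidr=ANYWHERE) for p in (22, 80, 8080, 3306)]}]
PARTITIONED = [
    {"GroupName": "web", "IpPermissions": [tcp(22, cidr=ADMIN_CIDR), tcp(80, cidr=ANYWHERE), tcp(8080, cidr=ANYWHERE)]},
    {"GroupName": "application", "IpPermissions": [tcp(22, cidr=ADMIN_CIDR), tcp(8080, group="web")]},
    {"GroupName": "storage", "IpPermissions": [tcp(22, cidr=ADMIN_CIDR), tcp(3306, group="application")]},
]
# Partitioned, but MySQL has additionally been opened to the world.
LEAKY = PARTITIONED[:2] + [{"GroupName": "storage", "IpPermissions": [
    tcp(22, cidr=ADMIN_CIDR), tcp(3306, cidr=ANYWHERE), tcp(3306, group="application")]}]

if __name__ == "__main__":
    for label, groups in (("overloaded", OVERLOADED), ("partitioned", PARTITIONED), ("leaky", LEAKY)):
        print(label, audit(groups) or "OK")
```

The partitioned layout passes with no findings, the overloaded default group is reported once, and the leaky variant is caught on the one rule that exposes 3306 to 0.0.0.0/0 even though the correct group-to-group rule is also present. Real `describe-security-groups` output usually references source groups by GroupId rather than GroupName, so the policy would need to be keyed on IDs (or the IDs resolved to names) before running it against a live account.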

Page 48: Application Security in the Cloud - Best Practices

Best Practice: Security Group Partitioning By Application Stage

Dev: three Dev Sec Groups

Stage: three Stage Sec Groups

Production: three Prod Sec Groups

Page 49: Application Security in the Cloud - Best Practices

Amazon, RightScale & HyperStratus Together

Key to security is thoroughness and consistency

AWS provides a robust security framework

RightScale automates and implements consistency

Application applies security practices to reduce risk

HyperStratus brings it all together

Page 50: Application Security in the Cloud - Best Practices

Recommendations

Identify application security requirements

Understand the AWS security framework

Define application security requirements implemented and automated via RightScale

Integrate application security best practices with the RightScale and AWS security framework

Ensure application project management and IT processes reinforce a top-to-bottom security architecture

Page 51: Application Security in the Cloud - Best Practices

Today's Webinar Offer: Free "6 Security Essentials" Assessment from HyperStratus

Free for 30 days!

Compare your security to Cloud Application Security Best Practices

Cover all six key areas

Only takes an hour

For more info: www.hyperstratus.com/drupal/securitychecklist or call 925.209.4609

Page 52: Application Security in the Cloud - Best Practices

Q & A

Free "6 Security Essentials" Assessment from HyperStratus (free for 30 days): www.hyperstratus.com/drupal/securitychecklist or call 925.209.4609

More information: www.RightScale.com, http://aws.amazon.com/

Webinar recordings: www.RightScale.com/Webinars

Page 53: Application Security in the Cloud - Best Practices

Thank You!