Posted on 15-Jul-2015
© 2011 CloudPassage Inc. www.cloudpassage.com
Securing Servers in Public & Hybrid Clouds
Carson Sweet, CEO, CloudPassage
RightScale User Conference
What’s So Different?
[Figure: private datacenter vs. public cloud, with servers www-1 … www-10 spread across both]
• Servers used to be highly isolated
– Bad guys clearly on the outside
– Layers of perimeter security
– Poor configurations were tolerable
• Cloud servers more exposed
– Outside of perimeter protections
– Little network control or visibility
– No idea who’s next door
• Sprawling, multiplying exposures
– Rapidly growing attack surface area
– More servers = more vulnerabilities
– More servers ≠ more people
• Fraudsters target cloud servers
– Softer targets to penetrate
– No perimeter defenses to thwart
– Elasticity = more botnet to sell
Got Cloud Servers? You Are On The Hook!
“…the customer should assume responsibility and management of, but not limited to, the guest operating system… and associated application software…”
“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Amazon Web Services: Overview of Security Processes
AWS Shared Responsibility Model
• Provider responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
• Customer responsibility: Virtual Machine, Data, App Code, App Framework, Operating System
How To Secure Cloud Servers
Servers in hybrid and public clouds must be self-defending with highly automated controls like…
• Dynamic network access control
• Configuration and package security
• Server account visibility & control
• Server compromise & intrusion alerting
• Server forensics and security analytics
• Integration & automation capabilities
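An added example of what two of those automated controls, server account visibility and configuration security, look like as a host self-check; this is not CloudPassage code. The passwd, shadow and sshd_config texts and the baseline policy are constructed here, and the check returns findings rather than printing them so an upstream analysis or alerting component could consume them.

```python
# Added example (not CloudPassage Halo code): a minimal host self-audit covering
# two of the controls above, account visibility and configuration security.
# The passwd, shadow and sshd_config texts are constructed samples, not real files.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
backup:x:0:1002::/home/backup:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """root:$6$abc:18000:0:99999:7:::
deploy::18000:0:99999:7:::
backup:$6$def:18000:0:99999:7:::
www-data:*:18000:0:99999:7:::
"""
SAMPLE_SSHD = """Port 22
# neither root login nor password auth belongs on an internet-facing server
PermitRootLogin yes
PasswordAuthentication yes
"""
# Constructed baseline policy: sshd directive -> required value.
SSHD_BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}

def audit_accounts(passwd, shadow):
    """Flag extra UID-0 accounts and accounts whose password field is empty."""
    findings = []
    for line in passwd.splitlines():
        name, _, uid, *_ = line.split(":")
        if uid == "0" and name != "root":
            findings.append(f"account {name} has UID 0")
    for line in shadow.splitlines():
        name, pw, *_ = line.split(":")
        if pw == "":
            findings.append(f"account {name} has an empty password")
    return findings

def audit_sshd(config, baseline):
    """Compare effective sshd directives with the baseline; comments are ignored."""
    seen = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            seen[key] = value.strip()
    return [f"sshd {k}={seen.get(k)!r}, expected {v!r}"
            for k, v in baseline.items() if seen.get(k) != v]

def self_audit():
    """The findings a daemon on this host would report upstream for analysis."""
    return audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW) + audit_sshd(SAMPLE_SSHD, SSHD_BASELINE)
```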
Architectural Challenges
• Inconsistent Control (you don’t own everything)
– The only thing you can count on is guest VM ownership
• Elasticity (not all servers are steady-state)
– Cloudbursting, stale servers, dynamic provisioning
• Scalability (handle variable workloads)
– May have one dev server or 1,000 number-crunchers
• Portability (same controls work anywhere)
– Nobody wants multiple tools or IaaS provider lock-in
How We Did It: Halo™ Architecture
[Figure: a Halo Daemon on server www-1 talking to the CloudPassage-hosted Halo Compute Grid]
• Halo Daemon
– Ultra light-weight software
– Installed on server image
– Automatically provisioned
• Halo Compute Grid
– Elastic compute grid
– Hosted by CloudPassage
– Does the heavy lifting for the Halo Daemons (95% or more cycles)
[Figure, built up over five slides: Halo data flow. Server www-1 runs the Halo Daemon and talks over https to the CloudPassage Halo Compute Grid; users reach the grid through the User Portal and the RESTful API Gateway, both over https, which carry policies, commands and reports. Step 1: the grid pushes Policies & Commands to the daemon. Step 2: the daemon returns Results & Updates. Step 3: the grid performs State and Event Analysis. Step 4: Alerts, Reports and Trending are delivered to the portal and API.]
Halo™ Functional Capabilities
Halo is a security Software-as-a-Service providing all you need to secure your cloud servers.
• Dynamic network access control
• Configuration and package security
• Server account visibility & control
• Server compromise & intrusion alerting
• Halo GhostPorts server access control
• Halo REST API for integration & automation
Portable = “Works Anywhere”
• Single pane of glass across hosting models
• Scales and bursts with dynamic cloud environments
• Not dependent on chokepoints, static networks or fixed IPs
• Agnostic to cloud provider, hypervisor or hardware
RightScale Integration
• Deployment via RightScript (today)
– Extremely easy access to cloud server security
– Included in template = automatic security
– No other cloud management console can do this
• Self-Securing Server Templates (in R&D phase)
– CloudPassage IDs exposures & compliance issues
– RightScale consumes data, fixes issues via RightScripts
– New and existing servers become compliant “on the fly”
Questions? Comments? Ideas?