Transcript: Pragmatic Cloud Security
Slide 1
events.techtarget.com
Information Security Decisions | © TechTarget
Rich Mogull, Analyst & CEO, Securosis, LLC
@rmogull
Pragmatic Cloud Security
Slide 2
This Old Process
● Assess
● Redesign
● Secure
● Inspect
● Profit!
Slide 3
Assess
How would we be harmed if the asset was unavailable for a period of time?
Can we maintain compliance when moving to the cloud?
How would we be harmed if the information/data was unexpectedly changed?
How would we be harmed if the asset became public and widely distributed?
How would we be harmed if an employee of our cloud provider accessed the asset?
How would we be harmed if the process or function was manipulated by an outsider?
How would we be harmed if the process or function failed to provide expected results?
Slide 4
The Stack
Infrastructure: Sprockets & Moving Parts - Compute, Network, Storage
Metastructure: Glue & Guts - IPAM, IAM, BGP, DNS, SSL, PKI
Applistructure: Apps & Widgets - Applications & Services
Infostructure: Content & Context - Data & Information
Developed by Chris Hoff, Juniper
Slide 5
The Stack
Metastructure: Glue & Guts - IPAM, IAM, BGP, DNS, SSL, PKI
Developed by Chris Hoff, Juniper
Slide 6
Secure Management Plane
Public / Private
Admin IAM on roids
VPC Netsec
Automate management logging and alerting
Upgrade all components
Config old-school netsec
Secure by architecture
Lock access
Mo Modular
Slide 7
Metastructure Management
Slide 8
DIY Metastructure Mgmt
● API and CLI scripts
● Decent alerting, bad stopping
Image from http://www.diylife.com/gallery/diy-disasters-doors-and-roads-to-nowhere/2285831/
Slide 9
Automate Security
● E.g. Netflix Security Monkey
Slide 10
Review
● Lock down management plane
● Focus on IAM for admins
● Automate monitoring using cloud APIs
● Look at metastructure management tools
Slide 11
The Stack (full stack, repeated)
Developed by Chris Hoff, Juniper
Slide 12
The Stack
Infrastructure: Sprockets & Moving Parts - Compute, Network, Storage
Developed by Chris Hoff, Juniper
Slide 13
Hypersegregate
Dynamic, automatic, software defined firewalls
Slide 14
Host Automation
● Initialization scripts (cloud-init)
- Install and config security agents
● Chef/Puppet
● Auto register and assess
● Privileged user mgmt and IAM
Slide 15
Demo
Slide 16
What We Will Do
● Automate cloud security policy compliance
- Leverage S3, EC2, and APIs to bootstrap instance security policies.
● Build a software defined security application
- Glue multiple APIs together using Ruby to identify unmanaged instances.
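The "glue APIs together to identify unmanaged instances" idea above, as an added example that is not code from the deck or the demo. The Ruby script below reconciles a constructed list of EC2 instances (the shape ec2:DescribeInstances would give you) against a constructed list of Chef nodes (what the Chef server API or knife would list); the field names, the instance IDs and the 15-minute grace period are assumptions. It reports running instances with no Chef node as unmanaged, holds back instances that are still inside the bootstrap window, and also flags Chef nodes whose instance is gone, since those stale client credentials should be removed from the Chef server.

```ruby
require 'set'
require 'time'

# Constructed stand-ins for the two API responses being glued together:
# running EC2 instances (as ec2:DescribeInstances reports them) and nodes
# registered with the Chef server (as the Chef server API / knife lists them).
# None of these IDs or names are real; field names are assumptions.
EC2_INSTANCES = [
  { "instance_id" => "i-0a1b2c3d", "state" => "running",    "launch_time" => "2013-05-01T10:00:00Z" },
  { "instance_id" => "i-0e5f6a7b", "state" => "running",    "launch_time" => "2013-05-01T10:02:00Z" },
  { "instance_id" => "i-0c9d8e7f", "state" => "running",    "launch_time" => "2013-05-01T11:50:00Z" },
  { "instance_id" => "i-0ffffff0", "state" => "terminated", "launch_time" => "2013-04-30T09:00:00Z" },
]

CHEF_NODES = [
  { "name" => "web-1", "ec2_instance_id" => "i-0a1b2c3d" },
  { "name" => "old-1", "ec2_instance_id" => "i-0ffffff0" },
]

# Compare the two views of the fleet.
#  - unmanaged:   running, no Chef node, and older than the grace period
#  - pending:     running, no Chef node, but young enough that cloud-init
#                 may still be bootstrapping it (avoids a false alarm)
#  - stale_nodes: Chef nodes with no running instance behind them; their
#                 client certificates should be deleted from the Chef server
def reconcile(instances, nodes, now:, grace_seconds: 15 * 60)
  managed_ids = nodes.map { |n| n["ec2_instance_id"] }.compact.to_set
  running     = instances.select { |i| i["state"] == "running" }
  running_ids = running.map { |i| i["instance_id"] }.to_set

  unmanaged, pending = [], []
  running.each do |inst|
    next if managed_ids.include?(inst["instance_id"])
    age = now - Time.iso8601(inst["launch_time"])   # seconds since launch
    (age >= grace_seconds ? unmanaged : pending) << inst["instance_id"]
  end

  stale_nodes = nodes.reject { |n| running_ids.include?(n["ec2_instance_id"]) }
                     .map { |n| n["name"] }

  { unmanaged: unmanaged, pending: pending, stale_nodes: stale_nodes }
end

if __FILE__ == $0
  report = reconcile(EC2_INSTANCES, CHEF_NODES, now: Time.iso8601("2013-05-01T12:00:00Z"))
  puts "unmanaged (alert): #{report[:unmanaged].join(', ')}"
  puts "pending bootstrap: #{report[:pending].join(', ')}"
  puts "stale Chef nodes:  #{report[:stale_nodes].join(', ')}"
end
```

Run it periodically from a host that holds read-only EC2 and Chef credentials; the grace period is what keeps the check from paging on every fresh launch, and anything that stays in "pending" past one run is a bootstrap failure worth looking at.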
Slide 17
Our Process
● Launch an instance
● Assign an IAM Role
● Use cloud-init to bootstrap Chef
● Securely, and automatically, distribute security credentials
Slide 18
AWS IAM
Slide 19
Slide 20
AWS IAM Roles
Slide 21
Using IAM Roles to Distribute Credentials
Diagram: an EC2 instance with Role: ChefClient uses S3 tools to fetch validator.pem and client.rb from a secure S3 bucket.
Slide 22
Set Up Your S3 Bucket
Slide 23
Create an IAM Role
Slide 24
Slide 25
Slide 26
Adjust IAM Role Policy for Your Bucket
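Added example, not code from the deck or the demo: the Ruby script below builds the least-privilege policy the ChefClient role actually needs (s3:GetObject on the two bootstrap objects in one bucket) and reviews a policy document for the over-broad grants that are easy to leave behind after clicking through a console wizard. The bucket name is a placeholder; validator.pem and client.rb are the object names from the diagram; the review logic is my own rather than an AWS tool.

```ruby
require 'json'

# Constructed values: the bucket name is a placeholder, the two object
# names are the ones the bootstrap diagram shows the instance fetching.
BUCKET = "example-chef-bootstrap-bucket"
BOOTSTRAP_OBJECTS = %w[validator.pem client.rb]

# Least-privilege policy for the ChefClient role: read exactly the two
# bootstrap objects in the one bucket, nothing else.
def bootstrap_policy(bucket, objects)
  {
    "Version" => "2012-10-17",
    "Statement" => [{
      "Effect" => "Allow",
      "Action" => ["s3:GetObject"],
      "Resource" => objects.map { |o| "arn:aws:s3:::#{bucket}/#{o}" }
    }]
  }
end

# Review a role policy document before attaching it. Returns a list of
# findings; an empty list means the policy is scoped the way the demo needs.
def policy_findings(policy, bucket)
  statements = policy["Statement"]
  statements = [statements] if statements.is_a?(Hash)   # single-statement form
  bucket_arn = "arn:aws:s3:::#{bucket}"
  findings = []
  Array(statements).each_with_index do |st, i|
    next unless st["Effect"] == "Allow"
    actions   = Array(st["Action"])     # IAM allows a string or an array here
    resources = Array(st["Resource"])
    if actions.any? { |a| a == "*" || a == "s3:*" }
      findings << "statement #{i}: wildcard action also grants write/delete, not just read"
    end
    if actions.any? { |a| a == "*" || a.start_with?("s3:") } &&
       resources.any? { |r| r != bucket_arn && !r.start_with?("#{bucket_arn}/") }
      findings << "statement #{i}: resource is not scoped to bucket #{bucket}"
    end
    if actions.any? { |a| a != "*" && !a.start_with?("s3:") }
      findings << "statement #{i}: grants non-S3 actions the bootstrap role does not need"
    end
  end
  findings
end

# Constructed example of the policy a "just make it work" setup ends up
# with: every S3 action on every bucket in the account.
OVERBROAD_POLICY = {
  "Version" => "2012-10-17",
  "Statement" => [{ "Effect" => "Allow", "Action" => "s3:*", "Resource" => "*" }]
}

if __FILE__ == $0
  scoped = bootstrap_policy(BUCKET, BOOTSTRAP_OBJECTS)
  puts JSON.pretty_generate(scoped)
  puts "scoped policy findings:    #{policy_findings(scoped, BUCKET).inspect}"
  puts "overbroad policy findings: #{policy_findings(OVERBROAD_POLICY, BUCKET).inspect}"
end
```

Anything the instance can read through its role, an attacker who gets code execution on that instance can read too, which is why the role is limited to the two objects rather than the bucket or the account. The same review function can be run over the policies of every role that is allowed to launch with an instance profile.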
Slide 27
Setting The Role of an EC2/VPC Instance
Slide 28
Insert Script
Slide 29
Select Chef Security Group
What You Didn’t See
● We have a pre-configured Chef server
● Our Chef server is in an isolated security group
● We created a security group to launch instances in so they can connect to our Chef server
● We created our Chef credentials
Slide 30
Chef
● Ruby based configuration management
● Commercial, hosted, or open source
- http://opscode.com/chef
● Policies as code
● Cross-platform
Slide 31
Chef Basics
● Server
● Workstation
● Node
● Attributes
● Recipe
● Cookbook
● Chef-repo
● Environment
● Knife
Slide 32
Chef Security
● Temporary certificate used for initial bootstrapping
● Client certificate then issued
● Per-node certificates
● Per-client certificates
● Organizations
● Client IAM
Slide 33
Our Script
Slide 34
Pre-assigning an IAM Role
Slide 35
Role Run List
● Role: base
● Cookbook: chef-client
● Cookbook: delete-validator
Slide 36
What is Happening
Slide 37
Review
● Security credentials stored securely in S3
● Initialization script
- Installs Chef
- Downloads temp credentials using temp credentials
- Configures Chef with initial role
● Chef then pushes initial security policies
Slide 38
Purpose Built Virtual Security
Diagram: three ESX/ESXi hosts, each running VM1, VM2, VM3 on a hypervisor, showing three approaches:
1. Traditional security agents plus VLANs & physical segmentation: a regular thick agent for FW & AV in every VM.
2. Virtual security appliance: a virtual security layer on the host alongside the VMs.
3. Virtual security appliances & introspection solutions.
Slide 39
Security & Compliance Platforms
Slide 40
Restricting Device/Location with SAML
Diagram: directory server with federation extensions issuing SAML; an X marks where the device/location restriction blocks access.
Slide 41
Review
● Hypersegregate: virtual, API-managed networks are your friends
● Automate host security: from instance launch to assessment to patching
● You will need tools to scale, even if you write them yourself
Slide 42
The Stack (full stack, repeated)
Developed by Chris Hoff, Juniper
Slide 43
The Stack
Infostructure: Content & Context - Data & Information
Developed by Chris Hoff, Juniper
Slide 44
Cloud Data Architectures
Diagram: compute instances, IaaS, PaaS, and SaaS arranged along an abstraction/management axis.
Slide 45
Keep Instances Clean
● Snapshots are not your friend.
● tmp, swap, keys
Slide 46
Volume Encryption
Diagram: in a public/private cloud (IaaS), a crypto client on the instance encrypts the storage volume using keys from a key management server (HSM, SECaaS, VM, or server).
Protecting your snapshots since ’09!
Slide 47
Object Storage Encryption
Or “how to use Dropbox without pissing off users too badly”
Slide 48
DB Security 4 Cloud
Table Security, get it?
http://kagenohikari.multiply.com/journal/item/25/Stylish_Recyclables
● Leverage architecture: segregate and split
● Use table views with CID, not direct table access
● Database Activity Monitoring
● Encryption
Slide 49
Cloud App Encryption
Slide 50
SaaS Tokenization
Slide 51
Review
● Keep your instances clean.
● Encrypt volumes and don’t store sensitive data in boot volumes.
● Encrypt object storage data before it hits the cloud.
● Follow good DB segregation.
● Tokenize and/or encrypt data at the application layer when you can.
Slide 52
The Stack (full stack, repeated)
Developed by Chris Hoff, Juniper
Slide 53
The Stack
Applistructure: Apps & Widgets - Applications & Services
Developed by Chris Hoff, Juniper
Slide 54
Cloud WAF
Diagram: Internet → WAF → web/app server. The DNS A record points at the WAF; the server sits on a “hidden” IP and accepts traffic from the WAF only; the management panel is reached through a VPN proxy and restricted to the proxy IP.
Slide 55
Test and Assess
● Test in private cloud or locked off network zone.
● DAST and web app vuln testing most useful.
http://www.melbournebuildinginspectors.com.au/moorabbin/nicholson-wright-building-surveyors/
Slide 56
Active Defense
Image from http://www.chmag.in/article/jul2010/honeypot
Image from http://www.justsaypictures.com/images/shark-bait.jpg
Slide 57
Review
● Remember: at this point you are relying heavily on your secure foundation.
● DAST and web app vulnerability testing are most useful.
● Cloud WAF.
● Mess with attackers using active defense.
● Don’t forget federated identity.
Slide 58
This Old Cloud
● Keep it simple
● Architect for cloud
● Split and encrypt
● Federate for success
Slide 59
Thank You!
● Rich Mogull
● Analyst/CEO
● nexus.securosis.com
● @rmogull