FireHost's Senior Security Engineer will discuss the need for acute awareness to secure data in the Cloud, and how the advancement of the environment has also accelerated the way this technology can be breached. The session will also include case studies on attacks and what you need to be asking yourself and your provider.
Chris Hinkley, Senior Security Engineer
www.firehost.com | @incrediblehink
Secure Cloud Hosting
Real Requirements To Protect Your Data
Secure Cloud Hosting: Real Requirements to Protect Your Data
WHAT IS THE CLOUD?
One Word, Infinite Definitions
Cloud computing provides computation, software, data access, and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services.
the secure cloud /THē siˈkyo͝or kloud/
A virtualized, multi-tenant infrastructure, providing customers with architectural agility, instant scalability and environmental security.
WHY THE CLOUD?
It Far Outweighs The Alternatives
•Cost savings with virtualization
•Getting out of the hardware and software management business
•Ease and speed of scaling
•Niche cloud service providers that specialize in secure cloud hosting
WHO IS MOVING TO THE CLOUD?
Google Trends
[Figure: Google Trends screenshots for "Cloud Hosting" and "Cloud Security". Scale is based on the average search traffic in the world. Search volume ON THE RISE.]
WHO IS MOVING TO THE CLOUD?
Google Trends
[Figure: Google Trends screenshot for "Dedicated Hosting". Scale is based on the average search traffic in the world. Search volume ON THE DECLINE.]
CAN THE CLOUD BE SECURE?
Just The Facts Please
[Figure: two charts. "Location/Hosting of assets by percent of breaches*" with categories Internal, External, Co-Located, Mobile (1%), N/A and Unknown (2%). "Management of assets by percent of breaches*" with categories Internal, External, Co-Managed, N/A and Unknown (2%). Remaining values as extracted, category mapping not recoverable: 48%, 34%, 16%; 76%, 14%, 6%; 5%; 6%.]
*Verizon caseload only
“We are often asked whether the Cloud factors into many of the breaches we investigate. The easy answer is No–not really. It’s more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to the Cloud.”
CAN THE CLOUD BE SECURE?
Just The Facts Please
[Figure: two charts. "Attack targeting by percent of breaches*" with categories Opportunistic and Targeted (values as extracted: 83%, 17%). "Attack difficulty by percent of breaches*" with Low 49%, Medium 37%, and categories High and None (values as extracted: 8%, 6%).]
*Verizon caseload only
“Given the industry’s hyper-focus on cloud computing, we do our best to track relevant details during breach investigations and subsequent analysis. We have yet to see a breach involving a successful attack against the hypervisor.”
HOW CAN YOU CREATE ISOLATION?
Separating Your Data
•Network Traffic Separation
•Virtual Machine Isolation
•Storage Separation
•Multi-tenant Security Devices
KEEPING HACKERS AT BAY
Protecting Your Web Application
•Security in your SDLC
•Code Review
•Vulnerability Scanning
•Penetration Testing
•Change Management
SECURITY IN DEPTH
Web Application Firewalls
•Security in Depth
•Firewalls=sledgehammer
•WAFs=scalpel
•Signatures and Profiling
•Virtual Patching
•0-day Mitigation
CASE STUDY
TimThumb WordPress Plugin
•Image Resizing Plugin for WordPress Blogs
•Included In Many Themes
•0-Day Remote File Include Exploit
•Flawed Logic allowed trivial RFI
FIX ALL THE THINGS
Virtually Instant Patching
•Applying a single ‘patch’ Secured Many
•Allowed Adequate Time
•Provided Security / Preserved Functionality
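A virtual patch of the kind described in this case study, modeled as a small request filter. This is an added example, not FireHost's rule or code from the presentation; the script names, the allowlisted hosts and the sample requests are assumptions made for illustration.

```python
from posixpath import basename
from urllib.parse import parse_qs, urlsplit

# Assumed for this sketch: script names and allowlisted hosts are illustrative.
SCRIPT_NAMES = {"timthumb.php", "thumb.php"}
ALLOWED_HOSTS = {"flickr.com", "img.youtube.com", "upload.wikimedia.org"}


def host_allowed(host):
    """Exact host or a true subdomain, compared on label boundaries."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def check_request(target):
    """Return (verdict, reason) for one request target (path plus query)."""
    try:
        parts = urlsplit(target)
        if basename(parts.path).lower() not in SCRIPT_NAMES:
            return ("allow", "not the resizing script")
        srcs = parse_qs(parts.query).get("src", [])
        if not srcs:
            return ("allow", "no src parameter")
        if len(srcs) > 1:
            return ("block", "repeated src parameter")
        src = urlsplit(srcs[0].strip())
    except ValueError:
        return ("block", "unparseable URL")
    if not src.scheme and not src.netloc:
        return ("allow", "local file")
    if src.scheme not in ("http", "https"):
        return ("block", "unsupported scheme")
    if not host_allowed(src.hostname or ""):
        return ("block", "remote host not on allowlist")
    return ("allow", "allowlisted remote host")


# Constructed sample requests (not taken from the presentation).
SAMPLES = [
    "/wp-content/themes/demo/timthumb.php?src=http://flickr.com/a.jpg&w=100",
    "/wp-content/themes/demo/timthumb.php?src=/wp-content/uploads/a.png",
    "/wp-content/themes/demo/timthumb.php?src=http://flickr.com.untrusted.example/a.jpg",
    "/wp-content/themes/demo/timthumb.php?src=http://flickr.com@untrusted.example/a.jpg",
    "/wp-content/themes/demo/timthumb.php?src=ftp://flickr.com/a.jpg",
    "/index.php?src=http://untrusted.example/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_request(s), s)
```

Filtering at the edge this way leaves the plugin untouched on every hosted site until each owner has had time to update it.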
IN CONCLUSION
Cloud Security Is Not A Myth
•Traditional infrastructure is no more secure than the cloud.
•Tackle the low-hanging fruit first.
•Your application evolves. So should your security.