Chris Hinkley Senior Security Engineer www.firehost.com @incrediblehink

Secure Cloud Hosting: Real Requirements to Protect your Data

DESCRIPTION

FireHost's Senior Security Engineer will discuss the need for acute awareness to secure data in the Cloud, and how the advancement of the environment has also accelerated the way this technology can be breached. The session will also include case studies on attacks and what you need to be asking yourself and your provider.

Page 1: Secure Cloud Hosting: Real Requirements to Protect your Data

Chris Hinkley, Senior Security Engineer

www.firehost.com @incrediblehink

Page 2: Secure Cloud Hosting: Real Requirements to Protect your Data

Secure Cloud Hosting

Real Requirements To Protect Your Data

Page 3: Secure Cloud Hosting: Real Requirements to Protect your Data

WHAT IS THE CLOUD?

One Word, Infinite Definitions

Cloud computing provides computation, software, data access, and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services.

the secure cloud /THē siˈkyo͝or kloud/

A virtualized, multi-tenant infrastructure, providing customers with architectural agility, instant scalability and environmental security.

Page 4: Secure Cloud Hosting: Real Requirements to Protect your Data

WHY THE CLOUD?

It Far Outweighs The Alternatives

•Cost savings with virtualization

•Getting out of the hardware and software management business

•Ease and speed of scaling

•Niche cloud service providers that are specializing in secure cloud hosting

Page 5: Secure Cloud Hosting: Real Requirements to Protect your Data

WHO IS MOVING TO THE CLOUD?

Google Trends

[Figure: Google Trends screens for "Cloud Hosting" and "Cloud Security". Search volume ON THE RISE. Scale is based on the average search traffic in the world.]

Page 6: Secure Cloud Hosting: Real Requirements to Protect your Data

WHO IS MOVING TO THE CLOUD?

Google Trends

[Figure: Google Trends screen for "Dedicated Hosting". Search volume ON THE DECLINE. Scale is based on the average search traffic in the world.]

Page 7: Secure Cloud Hosting: Real Requirements to Protect your Data

CAN THE CLOUD BE SECURE?

Just The Facts Please

[Chart: Location/Hosting of assets by percent of breaches*. Categories: Internal, External, Co-Located, Mobile (1%), Unknown (2%), N/A.]

[Chart: Management of assets by percent of breaches*. Categories: Internal, External, Co-Managed, Unknown (2%), N/A.]

Remaining percentage labels on the two charts: 48%, 34%, 16%; 76%, 14%, 6%; 5%; 6%.

*Verizon caseload only

“We are often asked whether the Cloud factors into many of the breaches we investigate. The easy answer is No–not really. It’s more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to the Cloud.”

Page 8: Secure Cloud Hosting: Real Requirements to Protect your Data

CAN THE CLOUD BE SECURE?

Just The Facts Please

Attack targeting by percent of breaches*: Opportunistic 83%, Targeted 17%

Attack difficulty by percent of breaches*: Low 49%, Medium 37%, High 8%, None 6%

*Verizon caseload only

“Given the industry’s hyper-focus on cloud computing, we do our best to track relevant details during breach investigations and subsequent analysis. We have yet to see a breach involving a successful attack against the hypervisor.”

Page 9: Secure Cloud Hosting: Real Requirements to Protect your Data

HOW CAN YOU CREATE ISOLATION?

Separating Your Data

•Network Traffic Separation

•Virtual Machine Isolation

•Storage Separation

•Multi-tenant Security Devices

Page 10: Secure Cloud Hosting: Real Requirements to Protect your Data

KEEPING HACKERS AT BAY

Protecting Your Web Application

•Security in your SDLC

•Code Review

•Vulnerability Scanning

•Penetration Testing

•Change Management

Page 11: Secure Cloud Hosting: Real Requirements to Protect your Data

SECURITY IN DEPTH

Web Application Firewalls

•Security in Depth

•Firewalls=sledgehammer

•WAFs=scalpel

•Signatures and Profiling

•Virtual Patching

•0-day Mitigation

Page 12: Secure Cloud Hosting: Real Requirements to Protect your Data

CASE STUDY

TimThumb WordPress Plugin

•Image Resizing Plugin for WordPress Blogs

•Included In Many Themes

•0-Day Remote File Include Exploit

•Flawed Logic allowed trivial RFI

Page 14: Secure Cloud Hosting: Real Requirements to Protect your Data

FIX ALL THE THINGS

Virtually Instant Patching

•Applying a single ‘patch’ Secured Many

•Allowed Adequate Time

•Provided Security / Preserved Functionality
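
Added example (not from the original slides and not FireHost's WAF rule): a virtual-patch style request filter for the TimThumb case, showing how one edge rule can block remote includes while local and allowlisted images keep working. The slides do not say what the flawed logic was; the substring host check in `weak_host_ok` is an assumption about that class of bug, and the allowlist, paths and hostnames are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist of remote image hosts (constructed for this example).
ALLOWED_HOSTS = {"flickr.com", "upload.wikimedia.org"}


def weak_host_ok(host):
    """Assumed flawed check: an allowed name anywhere in the host passes."""
    return any(name in host for name in ALLOWED_HOSTS)


def strict_host_ok(host):
    """Hardened check: exact match or a true subdomain of an allowed host."""
    host = host.lower().rstrip(".")
    return any(host == n or host.endswith("." + n) for n in ALLOWED_HOSTS)


def virtual_patch(request_uri):
    """WAF-style verdict for one request URI: 'allow' or 'block'."""
    parts = urlsplit(request_uri)
    if not parts.path.lower().endswith("/timthumb.php"):
        return "allow"  # the rule is scoped to the resizer script only
    for src in parse_qs(parts.query).get("src", []):
        target = urlsplit(src)
        if not target.scheme and not target.netloc:
            continue  # local file path, nothing is fetched remotely
        if target.scheme not in ("http", "https"):
            return "block"
        if not strict_host_ok(target.hostname or ""):
            return "block"
    return "allow"


# Constructed request URIs; *.example names are reserved for documentation.
SAMPLE_REQUESTS = [
    "/wp-content/themes/demo/timthumb.php?src=/wp-content/uploads/a.jpg&w=100",
    "/wp-content/themes/demo/timthumb.php?src=http://farm1.flickr.com/a.jpg",
    "/wp-content/themes/demo/timthumb.php?src=http://flickr.com.attacker.example/a.php",
    "/index.php?p=1",
]


def scan(requests):
    """Return (verdict, uri) pairs for a batch of request URIs."""
    return [(virtual_patch(uri), uri) for uri in requests]


if __name__ == "__main__":
    for verdict, uri in scan(SAMPLE_REQUESTS):
        print(f"{verdict:5}  {uri}")
```

Because the rule sits in front of every hosted site, it covers each theme that bundles the script without touching the code, which buys time until the plugin itself is updated.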

Page 15: Secure Cloud Hosting: Real Requirements to Protect your Data

IN CONCLUSION

Cloud Security Is Not A Myth

•Traditional infrastructure is no more secure than the cloud.

•Tackle the low-hanging fruit first.

•Your application evolves. So should your security.

Page 16: Secure Cloud Hosting: Real Requirements to Protect your Data

Thank You

Questions?

Email [email protected]

Twitter twitter.com/FireHost

Chris Hinkley