Community, GHC15

GHC15: Cloud Security Presentations

Security in Cloud Based Integration Solutions

Sindhu Gangadharan, Vice President, SAP


How do you secure your data in the cloud?
Secure information, secure interaction and secure identity. How are control and access mechanisms used to protect these systems.
Also look at their physical security. There are world class data centers around the globe. Cloud integration service providers operate from a specific country – do their laws and contracts line up with your business needs?
Your idea of privacy may also vary from your service provider.
Make sure each customer gets their own tenant assigned. Message processing runtimes of different customers are located o different virtual machines, and have your own database schema.  How is data between tenants secured? Is it enforced?
Data at rest should be encrypted. Digital signatures should be deployed.  They should have some sort of tamper evident architectures, with well defined recovery plans.
There needs to be secure interaction. That means authentication and access control, encryption of data in transit, security key management and storage. Remote access should be secured with VPN, most likely using IPsec.  Don’t forget audit logging!

Journey to the Cloud

Katherine Krieger, Analyst, External Cloud Access Platform of Goldman Sachs


Why use the public cloud?
No need to buy expensive hardware, particularly for short term needs. You can deploy faster. You are also outsourcing risk management and flexibility.
Of course, though, you have to now worry about someone from the public cloud becoming an insider threat.  You need to cover legal and regulatory risk.
To cover all bases for all projects, Goldman Sachs has found themselves using several public cloud providers.
In the process of moving to the cloud, found they had to make modifications to their internal applications.  This was frustrated by the fact that there are little to no standardization of public cloud providers. Keep in mind, when we’re talking about financial services, speed and performance and working every time is critical.
GS requires encryption for data at rest and data in motion, and also want to be in control of all of their keys.
GS had to ensure there were low latency guarantees and buy HSMs so they could keep all of their keys, and the cloud provider would not have any access to it.
They have a continuous validation environment – something like a security monkey architecture. watchers, changes, instance validation and checking for anomalies.
 

Cloud Security from the Inside

Brian Chess, Senior Vice President of Infrastructure and Security of NetSuite, Inc.

How exactly did Brian Chess end up at this cloud provider? He was originally involved in integrated circuit design, but was more interested in software. He liked the rigorous quality process that hardware was using, but discovered software people didn’t care. So – he started Fortify 🙂

Then he found that the top reason people were not moving to the cloud was concern over security – so, he moved into the cloud!

Again, keep in mind that the cloud provider’s priority are no the same as yours.

Security is really hard to measure. The difference between a secure system and a very insecure system can be whisker thin. This is a really hard problem. So much of this is about trust.

The largest risk here, like the financial industry, is from bad insiders. Insider problems.

Like banks, public cloud will need regulation – but we’ll always have to worry about the insider threat.

An Overview of DDOS Impact on Cloud Performance

Yasmine Kandissounon, Software Security Engineer of Rackspace

We all have to worry about distributed denial of service attacks – they are on the rise, and new types of targets are being attacked.34% more attacks in the first half of 2015 vs 2014, and the average attack size is increasing as well!

The bad guys want to make the systems crash, plane and simple.  In the past, the attacker would use just one system to attack your system.  But, they got smarter.  They are taking control of systems and turning them into zombies, then they use these as botnets to do the attack. This increases their chances of doing the attack and  makes it harder to track the real bad guy.

But why? Often, politics.  For example, people were mad about a new law in Canada, so an attack was launched against them.

There are a few types of attacks. Protocol abuse, like ping-of-death, teardrop, smurf.  There are flooding attacks, where they overwhelm the system.  Application layer attacks – like encryption/decryption attacks, Http requests, DB queries. Finally, amplification attacks.

Now… bring in he cloud. Even with multi-tenant systems, if the cloud provider is attacked – all people using that service are impacted.

Protect yourself with

  • Hardening: updates, patches, firewalls and access control lists and intrusion prevention systems.
  • Packet filtering: deep packet inspection, blackholing and clean pipes
  • Traffic routing: CDN (Content Delivery Network)