SlideShare a Scribd company logo

Rebuilding for the cloud - How Cloud Architeture Can Improve Application Security

Download as PPTX, PDF
John Kinsella
John Kinsella

Talk I gave at OWASP San Francisco 3/14/2012

Technology
1 of 22
REBUILDING FOR THE CLOUD HOW CLOUD ARCHITECTURE CAN IMPROVE APPLICATION SECURITY
INTRO
AGENDA Definitions (brief, I promise) Cloud Benefits Cloud Security Concepts Moving applications to the cloud, wrong way Moving applications to the cloud, right way Please do ask questions!
CLOUD [kloud] noun NIST Definition (AKA SP800-145) • On demand, self-service • Broad network access • Resource pooling • Rapid elasticity • Measured (read: billable) service
INFORMATION SECURITY [in-fer-mey-shuhn si-kyoor-i-tee] noun Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. See Also: Job Security
Artist: Tyler, 11. Dortmund, Germany
CLOUD BENEFITS Main benefit: Flexibility Possible benefit: Cost savings
CLOUD SECURITY CLIFF NOTES • Trust nobody • Encrypt everything • Expect service issues
WHAT’S WRONG WITH FORKLIFTING?
FORKLIFTING… “Datacenter” application to the cloud: • Can’t trust what you used to • Datacenter apps usually not flexible • Confidentiality, Integrity, Availability all handled differently
ENTERPRISE vs CLOUD
HOW ABOUT PAAS?
LEVERAGING CLOUD ARCHITECTURE How can we (gently) re-architect to take advantage of the cloud? • Network • Web server • Application Server • Database server • Don’t forget audit/forensics!
NETWORK Good: Limit by IP Better: Allow administration via VPN only Best: Admin interface on separate host, VPN only Artist: Jonathan, Age 7 Heidelberg, Germany
WEB/APP SERVER Good: Load balancing, “Basic” hardening (IP ACLs, only accept GET/POST, server tuned for large loads). SSL’s cheap nowadays Better: Build Web Application Firewalls and reverse caches into your IaaS (mod_security’s free) Best: Use 3rd party services to handle load and minimize security issues (CDNs like Akamai, Cloudflare) Required: Input filtering, output encoding.
DATASTORE Good: Place DBs on separate host from application. Better: Place DBs in separate datacenters, and replicate Best: Migrate to a “NOSQL” datastore (Cassandra, MongoDB, ElasticSearch) Required: Encrypt data-at-rest
NOSQL SECURITY? • Many NOSQL systems turn off even authentication • Data labeling or granular access needs to be handled in application. Artist: Luca, Italy
INTER-PROCESS COMMUNICATION Good: Whatever you’ve dreamt up, (cloud bullhorn?) at least encrypt it. Better: Use open protocols for communication between nodes. Make sure encryption is enabled! Best: Consider using message queues. Required, in case you missed it: encryption.
LOGGING & FORENSICS What happens to logs when our scalable architecture… scales down? Cloud really really requires centralized logging, monitoring, and management. Also, consider erase vs. overwrite
WHAT HAVE WE BUILT? • Scalable solution • No single point of failure • Healthy caution of all those around us (filtering/encoding) • Data stored and transmitted safely • And a nice set of audit logs for when Bad Things happen
LEARN MORE Cloud Security Alliance OWASP Cloud top 10
THANKS AND CONTACT INFO “Bad People” drawings from http://badpeopleproject.org Follow me on twitter: @johnlkinsella

Recommended

Architeture diagram
Architeture diagramArchiteture diagram
Architeture diagramJack Huang
 
What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?John Kinsella
 
Bogo System by Arch. Carlo Bartoli
Bogo System by Arch. Carlo BartoliBogo System by Arch. Carlo Bartoli
Bogo System by Arch. Carlo BartoliRossi di Albizzate
 
20170120 Booosting Projectbezoek paviljoen ABN AMRO - Jeroen Schinkel Traject...
20170120 Booosting Projectbezoek paviljoen ABN AMRO - Jeroen Schinkel Traject...20170120 Booosting Projectbezoek paviljoen ABN AMRO - Jeroen Schinkel Traject...
20170120 Booosting Projectbezoek paviljoen ABN AMRO - Jeroen Schinkel Traject...Booosting platform voor koplopers in bouwinnovatie
 
Booosting 2015mei11 - Jos Lichtenberg - Dynamic architecture = dynamic industry
Booosting 2015mei11 - Jos Lichtenberg - Dynamic architecture = dynamic industryBooosting 2015mei11 - Jos Lichtenberg - Dynamic architecture = dynamic industry
Booosting 2015mei11 - Jos Lichtenberg - Dynamic architecture = dynamic industryBooosting platform voor koplopers in bouwinnovatie
 
Influence line diagram for model arch bridge
Influence line diagram for model arch bridgeInfluence line diagram for model arch bridge
Influence line diagram for model arch bridgekunalsahu9883
 
Chinese arch bridges, timber, stone, concrete, steel.
Chinese arch bridges, timber, stone, concrete, steel.Chinese arch bridges, timber, stone, concrete, steel.
Chinese arch bridges, timber, stone, concrete, steel.David Collings
 
Deezer - Big data as a streaming service
Deezer - Big data as a streaming serviceDeezer - Big data as a streaming service
Deezer - Big data as a streaming serviceJulie Knibbe
 

Recommended

Architeture diagram
Architeture diagramArchiteture diagram
Architeture diagramJack Huang
 
What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?John Kinsella
 
Bogo System by Arch. Carlo Bartoli
Bogo System by Arch. Carlo BartoliBogo System by Arch. Carlo Bartoli
Bogo System by Arch. Carlo BartoliRossi di Albizzate
 
20170120 Booosting Projectbezoek paviljoen ABN AMRO - Jeroen Schinkel Traject...
20170120 Booosting Projectbezoek paviljoen ABN AMRO - Jeroen Schinkel Traject...20170120 Booosting Projectbezoek paviljoen ABN AMRO - Jeroen Schinkel Traject...
20170120 Booosting Projectbezoek paviljoen ABN AMRO - Jeroen Schinkel Traject...Booosting platform voor koplopers in bouwinnovatie
 
Booosting 2015mei11 - Jos Lichtenberg - Dynamic architecture = dynamic industry
Booosting 2015mei11 - Jos Lichtenberg - Dynamic architecture = dynamic industryBooosting 2015mei11 - Jos Lichtenberg - Dynamic architecture = dynamic industry
Booosting 2015mei11 - Jos Lichtenberg - Dynamic architecture = dynamic industryBooosting platform voor koplopers in bouwinnovatie
 
Influence line diagram for model arch bridge
Influence line diagram for model arch bridgeInfluence line diagram for model arch bridge
Influence line diagram for model arch bridgekunalsahu9883
 
Chinese arch bridges, timber, stone, concrete, steel.
Chinese arch bridges, timber, stone, concrete, steel.Chinese arch bridges, timber, stone, concrete, steel.
Chinese arch bridges, timber, stone, concrete, steel.David Collings
 
Deezer - Big data as a streaming service
Deezer - Big data as a streaming serviceDeezer - Big data as a streaming service
Deezer - Big data as a streaming serviceJulie Knibbe
 
How to Perform A/B Testing?
How to Perform A/B Testing?How to Perform A/B Testing?
How to Perform A/B Testing?QATestLab
 
Recent advances in arch wires
Recent advances in arch wiresRecent advances in arch wires
Recent advances in arch wiresAjinkya Patel
 
Aortic arch final.ppt
Aortic arch final.pptAortic arch final.ppt
Aortic arch final.pptHiralal Pawar
 
Arch expansion with fixed appliance technique
Arch expansion with fixed appliance techniqueArch expansion with fixed appliance technique
Arch expansion with fixed appliance techniqueRavikanth lakkakula
 
An introduction to arches
An introduction to archesAn introduction to arches
An introduction to archesHILLFORT
 
Lintels and arches in construction
Lintels and arches in constructionLintels and arches in construction
Lintels and arches in constructionSARASWATI PATHARIYA
 
Netflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.js
Netflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.jsNetflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.js
Netflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.jsChris Saint-Amant
 
Architecture Governance in Brief
Architecture Governance in BriefArchitecture Governance in Brief
Architecture Governance in BriefAnthony Dehnashi
 
Removing the Burden of Securing Microservices Through Automation and Visibility
Removing the Burden of Securing Microservices Through Automation and VisibilityRemoving the Burden of Securing Microservices Through Automation and Visibility
Removing the Burden of Securing Microservices Through Automation and VisibilityJohn Kinsella
 
2019 Infosec World Keynote
2019 Infosec World Keynote2019 Infosec World Keynote
2019 Infosec World KeynoteJohn Kinsella
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containersJohn Kinsella
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Docker security configuration
Docker security configurationDocker security configuration
Docker security configurationJohn Kinsella
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersJohn Kinsella
 
CloudStack and the HeartBleed vulnerability
CloudStack and the HeartBleed vulnerabilityCloudStack and the HeartBleed vulnerability
CloudStack and the HeartBleed vulnerabilityJohn Kinsella
 
Dont break the glass
Dont break the glassDont break the glass
Dont break the glassJohn Kinsella
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack SecuredJohn Kinsella
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...John Kinsella
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the CloudJohn Kinsella
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 

More Related Content

Viewers also liked

How to Perform A/B Testing?
How to Perform A/B Testing?How to Perform A/B Testing?
How to Perform A/B Testing?QATestLab
 
Recent advances in arch wires
Recent advances in arch wiresRecent advances in arch wires
Recent advances in arch wiresAjinkya Patel
 
Aortic arch final.ppt
Aortic arch final.pptAortic arch final.ppt
Aortic arch final.pptHiralal Pawar
 
Arch expansion with fixed appliance technique
Arch expansion with fixed appliance techniqueArch expansion with fixed appliance technique
Arch expansion with fixed appliance techniqueRavikanth lakkakula
 
An introduction to arches
An introduction to archesAn introduction to arches
An introduction to archesHILLFORT
 
Lintels and arches in construction
Lintels and arches in constructionLintels and arches in construction
Lintels and arches in constructionSARASWATI PATHARIYA
 
Netflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.js
Netflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.jsNetflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.js
Netflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.jsChris Saint-Amant
 
Architecture Governance in Brief
Architecture Governance in BriefArchitecture Governance in Brief
Architecture Governance in BriefAnthony Dehnashi
 

Viewers also liked (8)

How to Perform A/B Testing?
How to Perform A/B Testing?How to Perform A/B Testing?
How to Perform A/B Testing?
 
Recent advances in arch wires
Recent advances in arch wiresRecent advances in arch wires
Recent advances in arch wires
 
Aortic arch final.ppt
Aortic arch final.pptAortic arch final.ppt
Aortic arch final.ppt
 
Arch expansion with fixed appliance technique
Arch expansion with fixed appliance techniqueArch expansion with fixed appliance technique
Arch expansion with fixed appliance technique
 
An introduction to arches
An introduction to archesAn introduction to arches
An introduction to arches
 
Lintels and arches in construction
Lintels and arches in constructionLintels and arches in construction
Lintels and arches in construction
 
Netflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.js
Netflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.jsNetflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.js
Netflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.js
 
Architecture Governance in Brief
Architecture Governance in BriefArchitecture Governance in Brief
Architecture Governance in Brief
 

More from John Kinsella

Removing the Burden of Securing Microservices Through Automation and Visibility
Removing the Burden of Securing Microservices Through Automation and VisibilityRemoving the Burden of Securing Microservices Through Automation and Visibility
Removing the Burden of Securing Microservices Through Automation and VisibilityJohn Kinsella
 
2019 Infosec World Keynote
2019 Infosec World Keynote2019 Infosec World Keynote
2019 Infosec World KeynoteJohn Kinsella
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containersJohn Kinsella
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Docker security configuration
Docker security configurationDocker security configuration
Docker security configurationJohn Kinsella
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersJohn Kinsella
 
CloudStack and the HeartBleed vulnerability
CloudStack and the HeartBleed vulnerabilityCloudStack and the HeartBleed vulnerability
CloudStack and the HeartBleed vulnerabilityJohn Kinsella
 
Dont break the glass
Dont break the glassDont break the glass
Dont break the glassJohn Kinsella
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...John Kinsella
 

More from John Kinsella (11)

Removing the Burden of Securing Microservices Through Automation and Visibility
Removing the Burden of Securing Microservices Through Automation and VisibilityRemoving the Burden of Securing Microservices Through Automation and Visibility
Removing the Burden of Securing Microservices Through Automation and Visibility
 
2019 Infosec World Keynote
2019 Infosec World Keynote2019 Infosec World Keynote
2019 Infosec World Keynote
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containers
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Docker security configuration
Docker security configurationDocker security configuration
Docker security configuration
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability Scanners
 
CloudStack and the HeartBleed vulnerability
CloudStack and the HeartBleed vulnerabilityCloudStack and the HeartBleed vulnerability
CloudStack and the HeartBleed vulnerability
 
Dont break the glass
Dont break the glassDont break the glass
Dont break the glass
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 

Recently uploaded

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Recently uploaded (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

Rebuilding for the cloud - How Cloud Architeture Can Improve Application Security

  • 1. REBUILDING FOR THE CLOUD HOW CLOUD ARCHITECTURE CAN IMPROVE APPLICATION SECURITY
  • 3. AGENDA Definitions (brief, I promise) Cloud Benefits Cloud Security Concepts Moving applications to the cloud, wrong way Moving applications to the cloud, right way Please do ask questions!
  • 4. CLOUD [kloud] noun NIST Definition (AKA SP800-145) • On demand, self-service • Broad network access • Resource pooling • Rapid elasticity • Measured (read: billable) service
  • 5. INFORMATION SECURITY [in-fer-mey-shuhn si-kyoor-i-tee] noun Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. See Also: Job Security
  • 6. Artist: Tyler, 11. Dortmund, Germany
  • 7. CLOUD BENEFITS Main benefit: Flexibility Possible benefit: Cost savings
  • 8. CLOUD SECURITY CLIFF NOTES • Trust nobody • Encrypt everything • Expect service issues
  • 9. WHAT’S WRONG WITH FORKLIFTING?
  • 10. FORKLIFTING… “Datacenter” application to the cloud: • Can’t trust what you used to • Datacenter apps usually not flexible • Confidentiality, Integrity, Availability all handled differently
  • 13. LEVERAGING CLOUD ARCHITECTURE How can we (gently) re-architect to take advantage of the cloud? • Network • Web server • Application Server • Database server • Don’t forget audit/forensics!
  • 14. NETWORK Good: Limit by IP Better: Allow administration via VPN only Best: Admin interface on separate host, VPN only Artist: Jonathan, Age 7 Heidelberg, Germany
  • 15. WEB/APP SERVER Good: Load balancing, “Basic” hardening (IP ACLs, only accept GET/POST, server tuned for large loads). SSL’s cheap nowadays Better: Build Web Application Firewalls and reverse caches into your IaaS (mod_security’s free) Best: Use 3rd party services to handle load and minimize security issues (CDNs like Akamai, Cloudflare) Required: Input filtering, output encoding.
  • 16. DATASTORE Good: Place DBs on separate host from application. Better: Place DBs in separate datacenters, and replicate Best: Migrate to a “NOSQL” datastore (Cassandra, MongoDB, ElasticSearch) Required: Encrypt data-at-rest
  • 17. NOSQL SECURITY? • Many NOSQL systems turn off even authentication • Data labeling or granular access needs to be handled in application. Artist: Luca, Italy
  • 18. INTER-PROCESS COMMUNICATION Good: Whatever you’ve dreamt up, (cloud bullhorn?) at least encrypt it. Better: Use open protocols for communication between nodes. Make sure encryption is enabled! Best: Consider using message queues. Required, in case you missed it: encryption.
  • 19. LOGGING & FORENSICS What happens to logs when our scalable architecture… scales down? Cloud really really requires centralized logging, monitoring, and management. Also, consider erase vs. overwrite
  • 20. WHAT HAVE WE BUILT? • Scalable solution • No single point of failure • Healthy caution of all those around us (filtering/encoding) • Data stored and transmitted safely • And a nice set of audit logs for when Bad Things happen
  • 21. LEARN MORE Cloud Security Alliance OWASP Cloud top 10
  • 22. THANKS AND CONTACT INFO “Bad People” drawings from http://badpeopleproject.org Follow me on twitter: @johnlkinsella

Editor's Notes

  1. Service: Infrastructure, Platform, Software as a serviceDeployment: Private, community, public, hybrid
  2. So for each one of these things I’ll try to break it down into GOOD – BETTER – BEST.
  3. Some of these points fit better for IaaS, this is one of them
  4. Load balancing – linux virtual server“best” – I’m expecting/wanting resistance to some of these points – I believe CDN/NoSQL/Message Queues have security value from a scalability POV, but they’re not slam-dunk arguments.
  5. RabbitMQ or ActiveMQ