Insecurity in the Cloud


Transcript: Insecurity in the Cloud

Security for SaaS/Cloud
(and InnerSpace)
Roy Ellis
[email protected]
Insecurity in the Cloud
Fearing security deficiencies is one of the biggest reasons people aren’t moving to the Cloud
 Is the Public Cloud more or less secure?
 Whose job is security in the Cloud?
 How do I secure my Application in the Cloud?
• (or in my local environment?)
© 2012 Progress Software Corporation. All rights reserved.
Is the Cloud more or less secure?
YES!
Of course, it all depends on you…
Security is never complete
 Security is a process, not a solution
• Requires a set of defined goals and exclusions
• Requires monitoring
• Requires updating as technology and system access evolve
 Protecting vital data via security is a multiple-step approach using:
• Environment
• Hardware
• Process
• Software
Whose job is security in the Cloud?
Security of your application in the Cloud is a
partnership between you and your Cloud provider
 Think of it as a Marriage and get a prenup!
 Both partners have specific jobs and responsibilities
 Make sure you know what the Cloud provider does
 And know what YOU must do
Whose job is security in the Cloud?
Security is your responsibility
Security in Amazon’s Cloud
Amazon clearly defines its responsibilities for security in the cloud
“Since AWS and its customers share control over the IT environment,
both parties have responsibility for managing the IT environment.
AWS’ part in this shared responsibility includes providing its
services on a highly secure and controlled platform and providing
a wide array of security features customers can use.
The customers’ responsibility includes configuring their IT
environments in a secure and controlled manner for their
purposes.
While customers don’t communicate their use and configurations to
AWS, AWS does communicate its security and control environment
relevant to customers.”
From “Amazon Web Services: Risk and Compliance May 2011”
Security in Amazon’s Cloud
Amazon White Papers for Security
 Amazon Web Services Overview of Security Processes
 Security Best Practices
 Creating HIPAA-Compliant Medical Data Applications with AWS
 AWS Risk and Compliance
 PCI DSS Level 1 Compliance
http://aws.amazon.com/security/
Security in Amazon’s Cloud
Amazon Certifications for Security

 SAS 70 Type II / SOC 1 / SSAE 16 / ISAE 3402
• Statement on Auditing Standards No. 70 (third-party audit of AWS’s controls; Type II covers their operation over a period)
• Service Organization Controls 1 (audit report on AWS controls)
 PCI DSS Level 1
• Payment Card Industry Data Security Standard
 ISO 27001
• Information Security Management Standard (ISMS)
 FISMA – Moderate & Low Level
• Federal Information Security Management Act
Security in Amazon’s Cloud
Amazon Certifications for Security
 ITAR
• International Traffic in Arms Compliance (for USGov)
 FIPS 140-2
• Federal Information Processing Standard (for USGov)
 HIPAA
• Health Insurance Portability and Accountability Act
http://aws.amazon.com/security/
Physical Security
Handled by Amazon
 Access to the building/hardware limited
• Non-descript facilities
• Extensive setback w/military grade perimeter control
• Multi-level human and video surveillance, etc
 Employee controls
• Account provisioning, no access until added
• Account review, every 90 days must re-approve
• Access removal, immediate
• Strict, heavily weighted password policy
 Environmental Safeguards
• Fire Detection and Suppression
• Power
• Climate and Temperature
Infrastructure Security
Handled by Amazon
 Software cycle
• Peer reviews
• Testing
• Approval
 Change Management
• Phased deployment to lowest impact or single system
• Scheduled – no downtime
• Self-audits
 Infrastructure implementation
• Highly modified Xen hypervisor (VM server)
• Amazon has years of experience managing the infrastructure
Data Lifecycle Security
(Confidentiality / Integrity / Availability – CIA)
 EC2 SLA of 99.95% availability
 Backups – optionally available from Amazon
• EBS – replicated within its Availability Zone, but no automatic backups (you take the snapshots)
• S3 (Simple Storage Service)
– Designed for 99.999999999% (eleven nines) durability
– Designed for 99.99% availability
 Storage Device Decommissioning
• Industry-accepted decommissioning methods or physical destruction
– DoD 5220.22-M “National Industrial Security Program Operating Manual”
– NIST SP 800-88 “Guidelines for Media Sanitization”
 Fault Separation
• Multiple separate Regions around the world
• At least 2 Availability Zones in each Region
Firewalls – Managing your machines
Firewalls – your responsibility w/help from Amazon
 First line of defense against intrusion and Internet attacks
 Amazon gives you firewall tools – Security Groups
• No inbound ports open by default
• Ports you open can be limited by source IP address (CIDR range)
 Security Groups can be set up to create a DMZ
• Open ports 80 (web) and 443 (https) to the world in one Security Group
– Ports 80 & 443, source 0.0.0.0/0 (anyone can connect)
• Open the ports from the web server to the Application Server in a second Security Group, with the source limited to the web server machine only
– Port 5162/UDP, source <web.server.ip.address>/32
– Port 3055/TCP, source <web.server.ip.address>/32
Firewalls – Managing your machines
[Diagram: a client on the Internet reaches the Web Server (Web Server / Terminal Server, public IP 168.2.10.3, internal IP 10.24.3.5) through the Amazon firewall. The DMZ Security Group on the Web Server allows ports 80/443 from 0.0.0.0/0. The inner Security Zone holds the AppServer/WebSpeed and DB machines; their Security Group allows ports 5162 and 3055 only from 10.24.3.5/32, the Web Server’s internal address.]
Controlling access for management
Maintenance access – your responsibility w/help from Amazon
 SSH (port 22)
• Authenticates with the private key of your EC2 key pair (the public half is placed on the instance at launch)
• Password authentication is disabled by default
• SSH encrypts the session
 Remote Desktop on Windows (port 3389)
• The initial Administrator password is retrieved by decrypting it with your key pair’s private key
• Remote Desktop encrypts the session
 Best Practices
• Only allow management access to one machine of your deployment (a bastion host)
• Limit access to your IP address only
• Keep the port closed unless you are managing the machine
• Connect to all other machines from that host, behind the firewall
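The Security Group DMZ layout and the management-access best practices above describe a policy that is easy to check mechanically. The following is an added example, not code from the original deck or from Progress: a Python audit that reads security-group rules in the shape `aws ec2 describe-security-groups` returns and flags anything that breaks the pattern (only 80/443 to the world, application ports only from a /32, SSH/RDP only on the bastion group and only from the admin address). The group names, the admin address 198.51.100.7/32 and the sample rules are constructed for the example; the policy encoded in PUBLIC_OK and MGMT is one reading of the slides’ advice.

```python
"""Audit security-group rules against the DMZ and bastion pattern described in the slides."""
import ipaddress

PUBLIC_OK = {("tcp", 80), ("tcp", 443)}   # the web tier may face the Internet on these only
MGMT = {("tcp", 22), ("tcp", 3389)}        # SSH / RDP: bastion group only, admin /32 only


def _covers(proto, lo, hi, want_proto, want_port):
    """Does a rule for proto ports lo..hi cover (want_proto, want_port)? '-1' is all traffic."""
    return proto in ("-1", want_proto) and lo <= want_port <= hi


def audit(groups, bastion_group, admin_cidr):
    """Return findings for rules that break the policy; an empty list means it holds."""
    findings = []
    for group in groups:
        name = group["GroupName"]
        for perm in group["IpPermissions"]:
            proto = perm["IpProtocol"]
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            for rng in perm["IpRanges"]:
                cidr = rng["CidrIp"]
                prefix = ipaddress.ip_network(cidr).prefixlen
                mgmt = [p for (pr, p) in sorted(MGMT) if _covers(proto, lo, hi, pr, p)]
                if mgmt and name != bastion_group:
                    findings.append(f"{name}: management port(s) {mgmt} exposed outside the bastion group")
                elif mgmt and cidr != admin_cidr:
                    findings.append(f"{name}: management port(s) {mgmt} open to {cidr}, expected {admin_cidr}")
                elif prefix == 0:
                    # World-open is acceptable only for a pure 80/443 TCP rule.
                    web_only = proto == "tcp" and all((proto, p) in PUBLIC_OK for p in range(lo, hi + 1))
                    if not web_only:
                        findings.append(f"{name}: {proto} {lo}-{hi} open to the world")
                elif prefix < 32:
                    findings.append(f"{name}: {proto} {lo}-{hi} allows the whole range {cidr}; pin it to a /32")
    return findings


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupName": "dmz-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # Mistake: SSH opened to the world on the web tier instead of on the bastion.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupName": "inner-app", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 5162, "ToPort": 5162, "IpRanges": [{"CidrIp": "10.24.3.5/32"}]},
        # Mistake: broker port opened to the whole internal /16 rather than the web server's /32.
        {"IpProtocol": "tcp", "FromPort": 3055, "ToPort": 3055, "IpRanges": [{"CidrIp": "10.24.0.0/16"}]},
    ]},
    {"GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.7/32"}]},
    ]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_GROUPS, "bastion", "198.51.100.7/32"):
        print(line)
```

Run against the sample, the audit reports the world-open SSH rule on `dmz-web` and the /16 source on the broker port; the bastion’s own SSH rule from the admin /32 and the two web rules pass. Feed it the real `describe-security-groups` JSON (the `SecurityGroups` list) and the same function applies.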
Controlling access for management
[Figure from “Amazon Web Services Overview of Security Processes”]
Network Security – your responsibility
 HTTPS
• For web communication
 SSL
• For communication from the client to the AppServer
• Needed elsewhere?
– It’s your setup
– It’s your call
 Performance latency?
• HTTPS/SSL adds handshake and CPU overhead
• Only encrypt information that is sensitive
– Use separate SSL-enabled AppServers for sensitive data
Application Authentication – your responsibility
 Some 3rd party authentication recommendations
• LDAP
• Active Directory
• Kerberos
• Multi-Factor Authentication
• Require complex passwords!
 ABL Client-Principal
• Current and future OpenEdge products rely on the Client-Principal (multi-tenancy, auditing)
• A cryptographically “sealed” security token
• Container for authenticated credentials
– user, password, domain info, etc.
• Once sealed, the client-principal is read-only
• Can be used by all ABL application components
– ABL Session, DB connection
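As an added illustration of what a “sealed” credential token gives you (not OpenEdge’s ABL Client-Principal or its API), the Python class below holds the authenticated fields, seals them with an HMAC-SHA256 over a canonical encoding, refuses changes once sealed, and lets any component holding the shared key check the seal and the expiry before trusting the identity. The SEAL_KEY, the user/domain values and the timestamps are constructed for the example.

```python
"""A sealed credential token, modelled on the Client-Principal idea (added illustration)."""
import hashlib
import hmac
import json
import secrets


class SealedToken:
    """Container for authenticated credentials; read-only once sealed; seal = HMAC-SHA256."""

    FIELDS = ("user", "domain", "session_id", "issued_at", "expires_at")

    def __init__(self, user, domain, issued_at, ttl_seconds=3600):
        self._data = {"user": user, "domain": domain, "session_id": secrets.token_hex(16),
                      "issued_at": issued_at, "expires_at": issued_at + ttl_seconds}
        self._seal = None

    def _canonical(self):
        # Fixed field order, no whitespace: exactly the bytes the seal commits to.
        return json.dumps({k: self._data[k] for k in self.FIELDS},
                          sort_keys=True, separators=(",", ":")).encode()

    def set(self, field, value):
        if self._seal is not None:
            raise PermissionError("token is sealed; fields are read-only")
        self._data[field] = value

    def get(self, field):
        return self._data[field]

    def seal(self, key):
        """Seal with the issuing authority's secret; after this every set() is refused."""
        self._seal = hmac.new(key, self._canonical(), hashlib.sha256).hexdigest()
        return self

    def validate(self, key, now):
        """True only if the seal matches the current fields and the token has not expired."""
        if self._seal is None:
            return False
        expected = hmac.new(key, self._canonical(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, self._seal) and now < self._data["expires_at"]

    def export(self):
        """Serialized form handed to another component (ABL session, DB connection)."""
        return json.dumps({"data": self._data, "seal": self._seal})

    @classmethod
    def from_blob(cls, blob):
        parsed = json.loads(blob)
        tok = cls.__new__(cls)
        tok._data, tok._seal = parsed["data"], parsed["seal"]
        return tok


SEAL_KEY = secrets.token_bytes(32)   # constructed: shared by the issuer and the validating components


def demo(key=SEAL_KEY, now=1_336_000_000):
    tok = SealedToken("alice", "sales", issued_at=now).seal(key)
    try:
        tok.set("user", "root")            # refused: sealed tokens are read-only
        mutable_after_seal = True
    except PermissionError:
        mutable_after_seal = False
    received = SealedToken.from_blob(tok.export())   # another component receives the token
    # Forgery attempt: edit the exported blob to escalate the user; the seal no longer matches.
    forged = json.loads(tok.export())
    forged["data"]["user"] = "dbadmin"
    forged_ok = SealedToken.from_blob(json.dumps(forged)).validate(key, now)
    return (tok.validate(key, now), received.validate(key, now),
            mutable_after_seal, forged_ok, received.validate(key, now + 7200))
```

The point the slide makes is visible in `demo()`: the sealed token validates wherever it travels, a field edit after sealing is refused, a forged copy fails the seal check, and an expired one fails even with a good seal. The validating component never needs the user’s password, only the shared seal key.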
Securely managing your application – your responsibility
 OpenEdge Explorer and OpenEdge Management
• Have their own user authentication
 The AdminServer has security settings
• “Require Username” and “Admin Groups”
 Separation of Development and Production
• The internal developer threat to your production system
• Different machines, networks, ports, everything
 Keep your operating system up-to-date
• Download and install critical system updates
• Install and configure system firewall
Securing your application – your responsibility
 Protect your intellectual property (application code)
• Employ encryption (file or file system level)
• Utilize O/S and user access limitation
 The basics of runtime
• DBAuthkey (RCODEKEY) – ensures that code running against the DB was compiled against that DB
• Runtime table and column access controls
• Operating system file security settings, etc.
Securing your data – your responsibility
 Protect your data
• Employ encryption
• Utilize O/S and user access limitation
 OpenEdge Auditing – since OpenEdge 10.1A
• Satisfies most government and regulatory requirements – like a camera in a retail store (it won’t stop theft, but it can identify the thief)
• Audit database events
– Create
– Update
– Delete
– Schema changes
– User authentication
– Utilities (dump, load, etc.)
– Application-defined events
Securing your data
Data Encryption – your responsibility
 OpenEdge 10.2B Transparent Data Encryption
• Option for the Enterprise Database: At-Rest Encryption
– Storage area and individual object level
– Data is secure on disk, in backups and in binary dumps
– Data is decrypted in memory, so access runs at (up to) normal speed
• Secure Key Store and Key Management
– Change keys on-line
• Industry-standard ciphers
– AES, DES, triple DES, etc.
No application changes for TDE!
Securing your data
A High-Level View of Encryption
[Diagram: Client <SSL> Server – messages in transit are encrypted; on the server the data sits in shared memory in the clear; the database on disk, its backups and its dump/load files all hold encrypted data.]
Securing your data
OpenEdge Database Encryptable Objects
[Diagram: Type I database storage area – the entire area is encrypted (every table, index and LOB in it). Type II database storage area – object-level encryption, where individual tables, indexes and LOBs are selected for encryption.]
Securing your data
Database Storage Engine
[Diagram: the shared-memory buffer pool holds plain-text blocks; write I/O passes through Encrypt and read I/O through Decrypt, so the database files hold encrypted data. Both steps take their keys from the Key Store and their rules from the Encryption Policy Area.]
Key Store
• Database Master Key (DMK)
• DMK Admin/User Passphrase
• Manual/Automatic Authentication on DB start
Encryption Policy Area
• Encryption Policies – What (object) & how (cipher)
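The TDE slide and the storage-engine diagram above describe a key hierarchy: a passphrase unlocks the Database Master Key in the key store, the policy area says which object is encrypted with which cipher, and blocks are encrypted on write and decrypted on read. The Python model below is an added example, not OpenEdge’s implementation: it wires those pieces together so you can see that changing the passphrase (re-wrapping the DMK) leaves the encrypted blocks untouched, and that a wrong passphrase fails closed. The cipher is an HMAC-SHA256 counter-mode stand-in with an HMAC tag so the example runs on the standard library alone; real TDE uses AES. Passphrases, object names and the sample row are constructed.

```python
"""Key store, policy area and at-rest encryption as a small model of the TDE layout (added example)."""
import hashlib
import hmac
import os


def _subkeys(key):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    # Stand-in for AES-CTR: HMAC-SHA256(nonce || counter) blocks, truncated to length.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Raises ValueError on a wrong key or a modified block, before releasing any plaintext."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class KeyStore:
    """Holds the Database Master Key (DMK) wrapped under a key derived from the admin passphrase."""
    def __init__(self, passphrase):
        self.salt = os.urandom(16)
        self.wrapped_dmk = encrypt(self._kek(passphrase), os.urandom(32))

    def _kek(self, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)

    def open(self, passphrase):
        """Manual authentication at DB start: returns the DMK, or ValueError on a bad passphrase."""
        return decrypt(self._kek(passphrase), self.wrapped_dmk)

    def change_passphrase(self, old, new):
        """Re-wraps the DMK only; object keys and the encrypted blocks on disk are untouched."""
        dmk = self.open(old)
        self.salt = os.urandom(16)
        self.wrapped_dmk = encrypt(self._kek(new), dmk)


class PolicyArea:
    """Encryption policies: what (object) and how (cipher), each object key wrapped under the DMK."""
    def __init__(self):
        self.policies = {}

    def add(self, obj, dmk, cipher="HMAC-SHA256-CTR (stand-in for AES)"):
        self.policies[obj] = {"cipher": cipher, "wrapped_key": encrypt(dmk, os.urandom(32))}

    def key_for(self, obj, dmk):
        return decrypt(dmk, self.policies[obj]["wrapped_key"])


class Database:
    """Blocks are plain in memory; the write path encrypts and the read path decrypts."""
    def __init__(self, policy, dmk):
        self.policy, self.dmk, self.disk = policy, dmk, {}

    def write_block(self, obj, plaintext):
        self.disk[obj] = encrypt(self.policy.key_for(obj, self.dmk), plaintext)

    def read_block(self, obj):
        return decrypt(self.policy.key_for(obj, self.dmk), self.disk[obj])


def demo(passphrase="correct horse battery staple", new_passphrase="rotated-2012"):
    store = KeyStore(passphrase)                     # constructed admin passphrase
    dmk = store.open(passphrase)
    policy = PolicyArea()
    policy.add("customer.table", dmk)
    db = Database(policy, dmk)
    db.write_block("customer.table", b"Acme Corp,4111111111111111")
    leaks = b"Acme" in db.disk["customer.table"]     # is plaintext visible on disk?
    store.change_passphrase(passphrase, new_passphrase)
    try:
        store.open(passphrase)
        old_opens = True
    except ValueError:
        old_opens = False
    # After rotation the same on-disk blocks still decrypt: nothing was re-encrypted.
    restarted = Database(policy, store.open(new_passphrase))
    restarted.disk = db.disk
    return leaks, old_opens, restarted.read_block("customer.table")
```

Two things to take from `demo()`: the on-disk block never contains the plaintext, and rotating the passphrase is cheap because only the wrapped DMK changes, which is what makes on-line key changes practical. Rotating an object key, by contrast, means re-encrypting that object’s blocks, which the policy area would record as a new policy version.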
Securing your OpenEdge Application
Other considerations…
 Disaster Recovery
• Securing your data from catastrophic loss (soft and hard failures)
 Database Replication & Replication Plus
• Replicate to up to 2 databases at the same time
• Quick failover to backup databases
 Exit Strategy
• How do you get your data back if you want to end your partnership?
– Have a plan
– Get agreement in writing from provider
Multi-Tenancy
[Diagram: Isolated Tenancy gives each of Tenant1, Tenant2 and Tenant3 its own stack. Infrastructure Tenancy: a separate App, DB and infrastructure per tenant. Application Tenancy: a separate App and DB per tenant on shared infrastructure. Shared Tenancy: one App serving all tenants, with one shared DB or a DB per tenant, on shared infrastructure.]
Isolating
• Easier customization, security
• Simpler throttling control
• Target dissimilar customers
• No transformation
Sharing
• Better economy of scale
• Simpler management
• Target like-customers
• Least cost to serve
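Shared tenancy means one application and one database serve every tenant, so the isolation that a separate stack gave for free now has to be enforced in the data-access layer. The Python/SQLite example below is added here and is not Progress or OpenEdge code: every row carries a tenant_id, the scoped query always takes the tenant from the authenticated session rather than from the request, and the unscoped lookup is kept only to show the cross-tenant leak it causes. The table, tenants and invoices are constructed.

```python
"""Tenant scoping for a shared-tenancy database (added illustration, not OpenEdge code)."""
import sqlite3


def build_db():
    """Constructed sample: one invoice table shared by three tenants, each row tagged with its tenant."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE invoice (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
                " customer TEXT, amount REAL)")
    con.executemany("INSERT INTO invoice (tenant_id, customer, amount) VALUES (?, ?, ?)", [
        ("tenant1", "Acme", 120.0), ("tenant1", "Globex", 75.5),
        ("tenant2", "Initech", 300.0), ("tenant3", "Umbrella", 42.0),
    ])
    con.execute("CREATE INDEX invoice_tenant ON invoice (tenant_id)")  # keeps the tenant predicate cheap
    return con


class Session:
    """What the application knows after login; tenant_id comes from authentication, never from the request."""
    def __init__(self, user, tenant_id):
        self.user, self.tenant_id = user, tenant_id


def invoice_unscoped(con, invoice_id):
    """The bug: a lookup by primary key alone lets any tenant read any invoice by guessing ids."""
    return con.execute("SELECT tenant_id, customer, amount FROM invoice WHERE id = ?",
                       (invoice_id,)).fetchall()


def invoice_for(con, session, invoice_id):
    """Scoped lookup: the tenant predicate is always added from the session, so a foreign id returns nothing."""
    return con.execute("SELECT tenant_id, customer, amount FROM invoice WHERE id = ? AND tenant_id = ?",
                       (invoice_id, session.tenant_id)).fetchall()


def invoices_for(con, session):
    """Listing is scoped the same way; no code path reads the table without a tenant_id predicate."""
    return con.execute("SELECT id, customer, amount FROM invoice WHERE tenant_id = ? ORDER BY id",
                       (session.tenant_id,)).fetchall()


def demo():
    con = build_db()
    tenant2 = Session("bob", "tenant2")
    leaked = invoice_unscoped(con, 1)          # tenant1's Acme invoice, readable by a tenant2 user
    blocked = invoice_for(con, tenant2, 1)     # [] : the scoped query refuses it
    own = invoice_for(con, tenant2, 3)
    return leaked, blocked, own, invoices_for(con, tenant2)
```

Where the database engine offers it, the same predicate can be pushed down as a per-session view or row-level policy so that even an application bug cannot omit it; SQLite has no such feature, which is why this example keeps the rule in the access layer and why the “isolating” column on the slide lists security as easier.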
Progress Arcade and the “Road to the Cloud”
[Diagram: the “Back roads” versus the “Expressway” to Public Clouds and Private Clouds. How much Time, Money, Resources?]
Progress Arcade – Cloud Deployment Flexibility
• Wizard-like process
• Single-source billing
• Cloud agnostic
• Common user experience
• No vendor lock-in
“12 Clicks”
Progress Arcade
[image-only slide]
Progress Arcade – Free Community Resources
SHARE – Network and discuss all things SaaS and cloud with others just like you
TRY – With just a few clicks, take a test-drive of applications and solutions provided by Progress
BROWSE – Visit our virtual marketplace of complementary products & services
Progress Arcade – Premium Resources
STAGE – Configure and prepare your application for the cloud quickly and easily
DEMO – Offer prospects the ability to demonstrate your products in the cloud
DEPLOY – Deploy your production application in the cloud with just a few simple clicks
Links, documents, other stuff you might want to know…
 Amazon’s AWS security information
• http://aws.amazon.com/security/
 2011 Security Webinar “Briefcase”
• Including streaming playback of the webinar
• Many security white papers
• http://communities.progress.com/pcom/docs/DOC-106849
 Introduction to Arcade
• Tomorrow at 8:30 AM, Concord Room
• http://arcade.progress.com/