Against the backdrop of the PRISM affair, putting the words security and cloud side by side seems bold at first glance; we will see why it is not necessarily so. This talk presents the concrete experience of a large enterprise integrating cloud infrastructures (IaaS, PaaS and SaaS) into an existing architecture, along with the security mechanisms it is wise to use. We will cover technical topics such as datacenter interconnection, Virtual Private Clouds, strong authentication, segmentation, perimeter defence and identity federation.
Solution: SAML 2.0
In two words
– An Identity Provider (IdP) on premise, acting as a web front end to
the authentication source (AD, LDAP, SQL…)
– It generates and signs authentication tokens (SAML assertions)
– It sends them to the SaaS service (the Service Provider, SP) to prove the user has
been authenticated
– You're logged in
The SP only needs the IdP's signing certificate: passwords never leave the premises
Enable Single Sign-On with SaaS services
Nice solution but…
Tricky to set up in multi-forest AD environments
Not always easy to configure, depending on the SP
Must be highly available: if the IdP is down, nobody can log in to any federated SaaS
And what about (de)provisioning?
Provisioning can be done on the fly following
authentication (and authorization), from the attributes carried in the assertion
– Works fine, but de-provisioning is still a challenge: a user who leaves never
authenticates again, so the SaaS account simply lingers
– Reminder: you pay per user
Resource (user, group…) CRUD via web services (SCIM) is
not widely deployed yet
http://www.simplecloud.info/
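One way to close the de-provisioning gap, as an added example that is not code from the talk: the script below diffs the on-premise directory against the user list exposed by the SaaS provider's SCIM endpoint (SCIM 2.0 is the protocol behind simplecloud.info) and emits the SCIM requests needed to create missing accounts and deactivate orphaned ones. Both user lists are constructed sample data; the paths and payloads follow RFC 7644, and a real run would fetch them from AD/LDAP and from `GET /Users`.

```python
"""Reconcile the on-premise directory against a SaaS user list and emit the
SCIM 2.0 (RFC 7644) requests that fix the drift.

Added example, not code from the talk. The two lists below are constructed
sample data; in a real run the first comes from AD/LDAP and the second from
GET /Users on the provider's SCIM endpoint.
"""
import json
from dataclasses import dataclass

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass(frozen=True)
class DirUser:
    user_name: str  # UPN / e-mail, the same value the IdP sends as SAML NameID
    enabled: bool   # False when the account is disabled or gone on premise


# Constructed sample: what the corporate directory says today.
DIRECTORY = [
    DirUser("alice@example.com", True),
    DirUser("bob@example.com", False),    # disabled last week, still billed
    DirUser("carol@example.com", True),   # hired today, has never logged in
]

# Constructed sample: trimmed answer of GET /Users on the SaaS side.
SAAS_USERS = [
    {"id": "1001", "userName": "alice@example.com", "active": True},
    {"id": "1002", "userName": "bob@example.com", "active": True},
    {"id": "1003", "userName": "dave@example.com", "active": True},  # left months ago
]


def _patch_active(user_id, value):
    """PATCH that flips the 'active' attribute of one SCIM user."""
    return ("PATCH", f"/Users/{user_id}", {
        "schemas": [SCIM_PATCH],
        "Operations": [{"op": "replace", "path": "active", "value": value}],
    })


def plan(directory, saas_users):
    """Return the (method, path, body) SCIM requests needed, in order.

    Rules: enabled on premise but absent on SaaS -> POST /Users;
    on SaaS but disabled/gone on premise -> PATCH active=false;
    enabled on premise but inactive on SaaS -> PATCH active=true.
    Deactivating instead of DELETE keeps the audit trail and the user's data
    for the retention period, and usually stops the per-seat billing.
    """
    wanted = {u.user_name for u in directory if u.enabled}
    by_name = {u["userName"]: u for u in saas_users}
    requests = []
    for name in sorted(wanted - set(by_name)):
        requests.append(("POST", "/Users",
                         {"schemas": [SCIM_USER], "userName": name, "active": True}))
    for name, u in sorted(by_name.items()):
        active = bool(u.get("active", False))
        if name not in wanted and active:
            requests.append(_patch_active(u["id"], False))
        elif name in wanted and not active:
            requests.append(_patch_active(u["id"], True))
    return requests


def orphans(directory, saas_users):
    """Seats still active on the SaaS side with no enabled on-premise account."""
    wanted = {u.user_name for u in directory if u.enabled}
    return sorted(u["userName"] for u in saas_users
                  if u.get("active", False) and u["userName"] not in wanted)


if __name__ == "__main__":
    print("orphans:", orphans(DIRECTORY, SAAS_USERS))
    for method, path, body in plan(DIRECTORY, SAAS_USERS):
        print(method, path, json.dumps(body))
```

Run nightly, the orphan list is also the billing check: every name it prints is a seat you pay for that no enabled account justifies.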
Other concerns
Data is, by definition, fully readable by the SaaS
provider
– Profiling (or worse): "used for statistics and UX"
– Contracts say the provider will not do it
…if you ask them not to
…and if they say so, it must be true
Data is (sometimes) encrypted on disk
But the SaaS provider manages the portal used to access it, so encryption at rest does not protect the data from the provider (…)
VPC created. And then?
Decide how to integrate it into the existing
infrastructure
1) Keep it external
• A completely separate infrastructure, reached only over the Internet
2) Link it to the datacenters / WAN
• Consider the VPC as a new site on the WAN
1) Keep it external
[Diagram: Internet -> Load balancer -> Web servers -> Database inside the VPC, with a Bastion host for administration; the Corporate data center is a separate island]
Use bastion hosts
– RDP/SSH only from known IPs, strong
authentication, logging/auditing
The VPC entry point is opened only for the service
provided (e.g. HTTPS to the load balancer); administrative ports are never exposed directly
2) Link it to the datacenters / WAN
[Diagram: the same Load balancer -> Web servers -> Database VPC with its Bastion, connected to the Corporate data center over a VPN]
Use a VPN (or a leased line)
– Decide whether you want a public or a private VPC
One more Internet access vs. a private datacenter extension
– Be careful with the network range and routing: pick an address range that overlaps no existing site, since the
VPC becomes part of the WAN
– AWS provides a wizard to set up a dual-tunnel VPN to the on-premise VPN
concentrator
– Set up firewall rules on both sides (drop all, then think)
What we did on IaaS
VPCs in different locations, VPNs
– SAML tests (WIF, mod_mellon,…)
– New versions of software on isolated networks
S3, load balancing, managed databases, DNS zone
delegation, CDN, data warehouse, PaaS…
More and more providers come with an AWS
backend, and we can evaluate what they do
Example of IaaS security benefit
Launch/rebuild infrastructures in minutes
– With code that configures networks, VPN and security
groups, creates instances, fetches data from a Git
repository, configures load balancers…
Code the infrastructure
With provider-specific tools
CloudFormation on AWS
By scripting the CLI tools
Bash, PowerShell…
With SDKs (.NET, Java,…), cloud API libraries
(libcloud…), abstraction tools (RightScale…)…
And put it under version control!
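An added example, not the talk's own template, tying the bastion and "drop all, then think" rules above to the infrastructure-as-code idea: a Python script that generates the security-group section of a CloudFormation template for the three-tier VPC (load balancer, web, database, bastion) and audits it before deployment. The admin CIDRs are constructed placeholders, the logical names are mine, and a `Vpc` resource is assumed to exist elsewhere in the same template.

```python
"""Security-group part of a CloudFormation template for the three-tier VPC
(load balancer -> web -> database, plus a bastion), generated and audited
before it is deployed.

Added example, not the talk's own template. The admin CIDRs are constructed
placeholders, and a VPC resource with the logical name "Vpc" is assumed to
exist elsewhere in the same template.
"""
import json
from ipaddress import ip_network

ADMIN_CIDRS = ["203.0.113.0/24", "198.51.100.10/32"]  # constructed corporate egress ranges
ADMIN_PORTS = {22, 3389}                              # SSH, RDP


def rule(port, *, cidr=None, sg=None, proto="tcp"):
    """One ingress entry, sourced either from a CIDR or from another group."""
    r = {"IpProtocol": proto, "FromPort": port, "ToPort": port}
    if cidr is not None:
        r["CidrIp"] = cidr
    else:
        r["SourceSecurityGroupId"] = {"Ref": sg}
    return r


def security_group(description, ingress):
    """Group with explicit ingress only; anything not listed is dropped."""
    return {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": description,
            "VpcId": {"Ref": "Vpc"},
            "SecurityGroupIngress": ingress,
        },
    }


def build_template(admin_cidrs):
    """Default deny per tier: each group admits only the tier in front of it,
    plus the bastion for administration."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "BastionSg": security_group(
                "Admin entry point", [rule(22, cidr=c) for c in admin_cidrs]),
            "ElbSg": security_group(
                "Public load balancer", [rule(443, cidr="0.0.0.0/0")]),
            "WebSg": security_group(
                "Web tier", [rule(80, sg="ElbSg"), rule(22, sg="BastionSg")]),
            "DbSg": security_group(
                "Database tier", [rule(3306, sg="WebSg"), rule(22, sg="BastionSg")]),
        },
    }


def audit(template, admin_ports=ADMIN_PORTS):
    """Findings a pipeline should block on: an admin port reachable from a
    range wider than a /24, or every port open to the whole Internet."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        for r in res["Properties"].get("SecurityGroupIngress", []):
            cidr = r.get("CidrIp")
            if cidr is None:
                continue  # sourced from another group: traffic stays inside the VPC
            net = ip_network(cidr)
            if r["IpProtocol"] == "-1":
                lo, hi = 0, 65535
            else:
                lo, hi = r["FromPort"], r["ToPort"]
            if net.prefixlen == 0 and (lo, hi) == (0, 65535):
                findings.append(f"{name}: all traffic open to {cidr}")
                continue
            exposed = sorted(p for p in admin_ports if lo <= p <= hi)
            if exposed and net.prefixlen < 24:
                findings.append(f"{name}: admin port(s) {exposed} open to {cidr}")
    return findings


if __name__ == "__main__":
    template = build_template(ADMIN_CIDRS)
    print(json.dumps(template, indent=2))
    print("audit:", audit(template) or "clean")
```

The generated JSON goes to `aws cloudformation create-stack --template-body file://...`; the audit belongs in the pipeline before that call, since a security group edited by hand in the console is exactly the drift a versioned template is meant to prevent.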
Example use case
Defacement/intrusion on an IaaS-based website
– Spin up a fresh clone of the infrastructure
– Enable verbose logging on it
– Redirect traffic (via DNS, load balancers…) to the new
infrastructure
– Identify the attack, implement protection / blackhole the source
– Isolate the compromised infrastructure (keep it, it is the evidence)
– Run forensic analysis on it
– Get a coffee
PaaS security = SaaS security + your application code security
SaaS: everything is managed by the vendor; your security responsibility is mainly authentication to the application and the data you put in.
PaaS: the same, plus maintaining your application's security.
IaaS: the same, plus OS patching and security, and architecture security (networking, firewalls, storage access…).
Example of cloud infrastructure: region, multi-AZ, VPC, ELB, three tiers, bastion, NAT instance for upgrades
Available on the marketplace: Check Point, Vyatta, BIG-IP, Sophos UTM (ex-Astaro)