Securing a Cloud Computing Architecture

Hi, welcome to another Centrify chalk talk. This is Frank Cabri, and I'm joined here by David McNeely, our director of product management. Today we're going to delve into a little bit of new territory, something we haven't spent a lot of time in chalk talks talking about, that is, embracing cloud computing and what are some of the issues that come up in that realm. And David, interesting places. I mean, you and I were on a call with a well-known reporter on an online publication a couple days ago, and, you know, she was clearly asking for someone to kind of spell it out for and demystify what all the different types of cloud applications or capabilities are: infrastructure as a service, platform as a service, certainly SaaS. Maybe we can start there and just kind of demystify those a little bit, explain what each one of those are, and we'll start there.

Sure. So cloud computing is sort of a general term that is an umbrella; it embraces all of those three categories you talked about. At the lowest, I view it as like three different layers in a stack. At the bottom is the computing gear itself. That's infrastructure as a service, where I could go to something like Amazon EC2 and buy a server, and they turn it on and then, you know, give me the account so I could log on. I can load any software I want, I can do anything I want to with that machine. Typically you're buying CPU, a certain amount of virtual CPU, a certain amount of memory, and then disk is just by the gigabyte, however what you want to spend.

Yeah, yeah. But I'm managing it all, I'm deciding what I want, right? I'm tearing it up and...

Right. If you want to load applications on it, that's up to you, but it's your job to do whatever you want with that operating system. A lot of people like that because it gives life flexibility; they can load whatever web apps or databases they want. Sort of the next site layer up is that web apps, database layer where, you know, if it's an infrastructure type of a component they viewed, and that's
called platform as a service. And at the platform as a service layer I can purchase websites, I can purchase database. Your interface is not at the operating system level anymore; it's now at the API level or administrative interface for that particular kind of application.

Right, whatever that may be.

If it's a database or web server, it's going to be those interfaces.

Okay. And then SaaS, I guess, would be the application layer.

What most people already understand is, you know, like or WebEx or any of those kind of things. It's the software application that I get to buy; I'm just going to use it as another person in the system. Sometimes they'll carve out and create your own virtual environment so that, you know, you see your data. Like in Salesforce, I don't see anybody else's data, right? But I don't get to see the operating system underneath it or the website or anything like that.

Okay, good. So obviously you're spending a lot of time with our customers, and, you know, we're helping them bring their cross-platform system environment into Active Directory. What are you hearing them say about what's driving them to maybe look at cloud, or what types of applications or use cases are they looking for the cloud to help them out with, probably more on the infrastructure service side?

Right. So usually the driver for cloud could be one of many different things, but I think there's two that sort of come out on top. And that is either a project, a short-term one, that requires a fairly large amount of compute infrastructure, and, you know, the resources to deliver that in a short time frame is just really hard to accomplish inside the company with traditional IT. We actually delivered a product, Deployment Manager, and one of the things we wanted to do here was scalability testing. That tool's purpose is to go and discover, you know, quite a few different systems, deploy software, and have all the machines join Active Directory. So how do you simulate
having a hundred servers that it can connect to without spinning up, you know, physically underwriting servers? So you can do it in virtualized infrastructure, but a hundred servers, I need to have a big enough, you know, ESX server that's got enough memory, enough hard drive, that kind of thing, to spin up 100. So it was actually easier for us to go to the cloud and spin up 100, because, you know, you go to the Amazon interface or the Rackspace interface or whoever it, and it says "I want to spin up a Red Hat server," and then it asks you quantity, and you just type in 100 and hit go. You've got a hundred servers.

Right, servers, yeah.

And so that's one of the bigger reasons that people do this for smaller projects, and that's usually project by project. You know, the other's cost. It's so inexpensive to do this that, you know, the person that's running the project can just use a credit card.

Then expensive, yeah. I don't have to go through the approval process and do...

Right, you'll get my expense report later.

Okay.

And then there's another, you know, I've run across a couple of other customers who said their data centers are at capacity. They've got more projects coming online. They've even been encouraging their customers within the organization to convert from physical servers to virtual servers with a buyback program: you give us one physical server, I'll give you five VMs. It's all a lot easier to do names and videos inside the environment. But take that same issue of a maxed-out data center: it costs money to buy servers and put them into the data center, and if I can't expand the size of my data center and I need more compute, you start looking at, you know, the cloud infrastructures. They're pretty inexpensive compared to what it would cost to expand my data center, buy machines, pay the perpetual licenses for all this stuff.

Sure, okay, good. And so we know customers are starting to do that; we've seen some of our own customers having discussions with us about that.
What are the typical challenges they're running into? So, you know, I want to embrace some of that and get some of the benefits you talked about. I'm sure there's security or compliance challenges, maybe even logistical or operational challenges that they're up against.

You know, there's quite a few different challenges, and the way I look at it, you have to start looking at the server from when it's very first turned on. If I go to Amazon or any of the other cloud providers and turn on a server, I'm taking somebody else's image, somebody else's template, and using it. And so when they installed the operating system, they had to answer a few OS-level questions, and it's because they wanted to give me a server up and running very, very fast, right? Otherwise I could have just gone out and created my own templates, and a lot of people do create their own templates. But these templates are pre-created: the privileged account has already been created and it already has a password, or there's a mechanism required to gain access to that particular server. And if I'm an enterprise organization and I'm going to spin up 100 of these servers, I need to be able to control those privileged accounts easy. So from the very moment that it turns on, that's one of the issues: how do I take over the privileged accounts, and how do I enable my staff to be able to log on to that system and get the privilege that they need? That's very traditional identity management, access management to the system. You also have several other security policies that go right along with that. You know, what is the base image template? How is it configured? Does it have a firewall that's on the host?

So that makes a lot of sense. What about the issues of just, you know, it's not your data center or your closet down the hallway; it's now sitting at a third party, and you can't necessarily control, you know, operational folks at that third party site. So how do you kind of ensure both, I guess that's
partly through the privileged access, but also that only you have access to the systems, that you've got that trust between systems on your premise and the ones in the cloud?

Right. So I first start out by saying there's quite a few different cloud models where I can go purchase infrastructure as a service, and there are several vendors that will outsource and manage it for you. In those cases you're setting up a trust relationship with a business agreement that says, "I'll trust you, a hosting provider, to provide me servers, and you're going to manage the security on the systems." In that case the business-level agreement did that work of ensuring that they're secured and that there's monitoring taking place on the systems. People like Savvis are in the business of doing that kind of work. And then there's, you know, if I'm buying a server from Amazon, they're basically spinning up a server and handing it over to you and saying, "It's all yours, not my responsibility anymore. I'll run the infrastructure underneath it, and I'll protect, you know, the in-memory and the on-disk between that system and others that are hosted in the environment, but you're responsible for all the security on that system." So you have to look at, you know, both the network access of the system, who's allowed to gain access to it from a firewall point of view. You also have to look at the users that are authorized to gain access, and usually you need to set up your own infrastructure and tie it back to your infrastructure so that there's a way for you to grant your own staff the ability to log into those systems that are hosted.

Okay, that sounds like it begs for maybe a quick drawing on how that works and some of the new stuff that you're working on from Centrify.

Okay. The first thing is that, you know, most enterprises already have Active Directory set up. This is where the user accounts exist, and what we're talking about doing is enabling these people to be able to gain access to new compute resources that live
outside the organization. One of the features that we're going to leverage is Microsoft server and domain isolation. But the way this works is, let's assume that I get a couple of servers set up in a cloud environment here, and it doesn't matter what cloud provider they are, and we're just going to assume that Internet connectivity exists. Most cloud providers, by the way, will give me public IPs for these machines, which means from the inside I can get to them going out, and, you know, the machines on the outside obviously can't come through the firewall to get to my systems. But usually it's people on the inside that need to get to those servers, so that use case typically works. If in fact these machines really needed to get on the inside, we need to look at a different networking technology. So, public IP addresses; they're obviously connected to the Internet. Most people already have a DMZ set up, and we're going to use the DMZ as a place to allow those machines to join into a new Active Directory infrastructure.

I see, okay.

And the reason we're using a new one is because we don't want to expose the one that we have on the inside to the outside world. So there's a nice line here that consists of the firewall. But I need those machines to be able to join into Active Directory so that they can support Active Directory user-based authentication. We're going to leverage a one-way trust in order to let these users access resources that are tied in to the other Active Directory infrastructure. So as long as I've got connectivity and they can see this machine, and he's on the public internet, they'll be able to do a join operation into that Active Directory infrastructure. Now this user can log into that machine.

And so you've created almost zero, you've just extended your data, right, virtually to these cloud-hosted systems.

Although, in order to make sure that this is secured, we're going to have to use IPSec in transport mode. There's IVs that most people
know of IPSec in VPN usage, which means setting up a client here that logs on to a gateway over here on the site, with some kind of VPN. And we talked about, in our DirectSecure product, how to use IPSec as a way to logically isolate machines regardless of what network they're on. All we're doing here is to say, well, there's a network that's in the cloud, it's got public IP addresses, this machine has got public IP addresses, and since they're all in the public open, we want to protect them and make sure that they only allow communication from other trusted systems. So we've been working on methods to take this machine, fire it up, and have it join Active Directory in a secured fashion that enables us to establish that security. This machine in the domain in the DMZ is going to be set up so that he only allows communication from systems that are trusted, in other words, systems that can identify who they are. So I configure that in advance to create this trusted environment.

Okay.

And so now that I have this kind of connectivity, then I can have the machines join into Active Directory. Now, one of the nice things about joining Active Directory is that we can leverage all of the users, the groups, the group policy infrastructures to enforce a lot of policies. So the idea being, really, if I were to spin up a brand new one of these and add it to the environment, he performs a join operation to AD, he picks up policies, and based on the users coming out of the Active Directory infrastructure, these users automatically get to log in.

How does that join happen? Is that an automated function as well?

Well, there's some technology that we've created in the Deployment Manager tool that enables that kind of join. What we've done, the easiest way to look at it is, it would be something I run here on my workstation as Deployment Manager, and it will go create the computer account here, upload the software, and then tell this machine to join to the pre-created computer account. And so since
I have rights to this directory from this workstation point of view, I can go write the computer account, and then as I connect to this machine up in the cloud, I can tell it to go join into the Active Directory.

Okay.

This tool was designed to, you know, basically have you add a computer to the system and then have it go out and analyze the system's readiness to join Active Directory, fixing problems like, you know, what if this machine was looking at a different like inside the cloud and not one that you know knew about is the main controller? I could fix that and make it point to this. So it does that pre-flight check, if you will, does all that work and fixes everything, and then it can push over the software and then tell it to join. So there are some other things that we've done to the Deployment Manager that make it a little bit easier to use in cloud environments. Remember, this kept up with a little database of all the accounts that existed in a cloud, or, let's say, all the servers that you had in the cloud. But there may be some other methods of provisioning, and we run across a lot of different scenarios. So this is one that I described, where I'm doing it manually based on the Deployment Manager. There's another model where we basically preload a server template, put our software onto it. I've got a couple of customers doing that now, where the server templates they use have Centrify on them, and basically the machine boots up and the first-time boot script says "go join Active Directory." You can either have computer accounts pre-created, and I just grab the next available computer account, or you could, you know, put an account inside that first boot script that has very explicit permissions to do the one operation, creating computer accounts in the directory. Either way it really works; it's up to you as far as the security model you want to adhere to. If that were the case, and I had another tool like RightScale that can basically monitor the load of a website and
say, you know, "I've got three servers now, but if load gets to this peak threshold, then spin up two more systems," so now you get a little bit more dynamic, and that's sort of the beauty of the cloud, being able to be dynamic. This tool then would need to be able to just simply somehow keep up to date with the number of servers I have in the cloud. So we've added some capabilities here for it to make calls to the vCloud API or to Amazon's EC2 interface to basically ask, "What are the set of servers that I have configured for my account?", because they're linked to my account, to the person who logged onto the interface.

Very cool.

That then gives you a much more dynamic environment, and at that point, you know, you also have some other tools here in the Deployment Manager I think we talked about before, the ability to launch PuTTY or WinSCP and that kind of thing, to be able to get to my servers interactively.

So you basically take Deployment Manager and all the capabilities of that for your private data center environment and extend that to work with any kind of Amazon cloud or any vCloud instance that's in a public environment.

Right. And that's actually another thing that's happening: as enterprises look to deploy cloud infrastructures, what they're seeing is that VMware is moving from using ESX to abstracting it into a logical vCloud, you know, where I could spin up my own VMs and float them across multiple ESX servers, making it easier to manage. Basically that means that the vCloud API exists inside my company, and I can use the same tool to access an internal cloud just like I would an external cloud. And there's quite a few other advantages that VMware will be talking about at VMworld in using that tool set, just because it's going to be the same kind of toolset that you'll find at some of the other vCloud Express providers on the Internet today.

Okay, so great. So I'm able to easily spin these servers up
and now I can manage them through a single pane of glass with your Deployment Manager. Now, as far as monitoring and getting visibility into what's happening on those systems, who made what changes, that type of thing, what commands happened on the systems, what's the story for auditing in this environment?

Right, actually I think that's another one that's really important. You know, a lot of people sort of depended upon, when systems were inside my datacenter, I had the comfort around the fact that I had doors that I controlled access to, and we set up more stringent access policies to those doors. You know, my badge didn't get me in, but the IT guy can get in, that kind of thing. And obviously, you know, the physical building security, and the security officer could watch cameras to the doors, that kind of thing. And that's another huge change for IT, because these servers are now virtual and they moved outside my company, so they're not behind that same kind of protection, the same kind of physical protection. So, you know, on the inside we used to depend upon log analysis tools and rolling up logs, and of course you also had the door access logs and video camera footage if you really needed to determine, you know, who things to the servers. We're starting to find that monitoring is becoming a lot more important, especially for regulations. Now, if you take the machines and move them out to the cloud, it's sort of a bigger question of, like, who's accessing my servers? You know, obviously I've done a lot of work to put in place some network security functions here that protect access to those servers, but user activity is something that becomes much, much more important. And again, we can leverage our DirectAudit tool as a way to record the activity of users. It records the interactive login sessions into a database that's off the machine, so that we can then go back and look at the sessions, play those back, and it doesn't matter how people
get to the machine or who it is that's logging in; we'll be able to record the activity. So that just gives a lot better comfort feeling around, you know, who's accessing the machines, and it adds to the data set that log analysis, log roll-up does. And a lot of times we find customers merging those two together to get a better picture.

Okay. So we've talked a lot about, you know, moving the server instances out and how to audit that environment. What about applications, like any web app? If I want to host that or push that to the cloud, right, let me help with that model as well.

Actually, you know, the fact that we've joined these machines to Active Directory helps out quite a bit. Going inside this virtual machine, let's just draw a line and say that this is the OS layer and this is the app layer. If the application layer can make a call into the OS, and the OS is tied to Active Directory, then we can enable the application to tie into Active Directory for user authentication functions. And we have specific plugins for, you know, Apache and J2EE-based applications and DB2 and the like. So the databases and apps all work together, tie into the operating system. That just simply means that we can very easily go back to your existing process around granting this user the right to log on to resources. They're no longer inside, so we're going to be managing the access control policies in this directory that's protected, but it's the one that could govern, you know, those applications. And then, based on the fact that these machines are tied into Active Directory, both Kerberos for single sign-on as well as SAML or ADFS work correctly to go control user login to those applications. In the case of Apache or the J2EE-based applications, we can even go back and say, well, an Active Directory group based here that has members from these users, I can use to control who can gain access to that application.

So this is all great stuff. I think one of the questions that, you know, IT folks might
have is, "So I now have to move Active Directory into the DMZ, right, to be my centralized directory for not only my internal stuff but for my cloud-based stuff?" Is that a little Jim that concern? How would you address that concern that customers might have?

Yeah, I think that's a very good question, because it is something new for a lot of people. While there's a lot of organizations that do have machines in the DMZ, I think running Active Directory in the DMZ is kind of a new thing. But, you know, one of the things we are saying is that this Active Directory that you run on the inside is not copied and put into the DMZ. We're saying set up a new Active Directory forest in the DMZ. Here what I've done is set up one and called it, you know, cloud.centrify.com or something like that. It's a completely separate Active Directory forest, and it has this one-way trust relationship, so I've got a very nice security boundary between the two. The administrators that log on to this are completely different than the administrators that log on to this one. In fact, I'm the one that logs onto that one, and IT runs and manages the inside one, right? But we have a trust relationship. I think there's another issue, which is, "You want me to put Active Directory outside the firewall? How secure is that?" And, you know, I think actually DirectSecure, or IPSec server and domain isolation, answers that, because that allows us to control access much more granularly in the system. One of the other things about this kind of a solution is that we actually have a couple of other service providers that are doing exactly this type of thing in their hosting environment, offering this kind of solution to their customers. So both Savvis and ViaWest are doing this. The infrastructure itself that they expose to their customers has Active Directory behind the scenes in order to manage the user accounts. It really is a security infrastructure, right? It's more than just a
directory repository, since and tie all the systems to this security infrastructure.

Okay.

And the benefit to the customer is that he gets a single user account that he can use to log into various servers. So as I log in to a virtual private data center, I get one account that I can use to log into that Windows Server, and if I add a Linux system, I use the same account to log into the Linux system. If I add 10 more Linux systems, it's the same account, right? I get to use that Active Directory for that purpose.

One last question. You know, customers that are watching this, or folks that are familiar with Centrify, this involves a core set of capabilities that we've always offered. What's unique about what we're introducing with the new capabilities around pushing the step to the cloud?

Right, there's a lot of things that are very similar to what we've been doing before. One of the things that's different about this is that we are proposing a deployment model with respect to setting up a new AD forest on the outside with a trust relationship to the one on the inside. We're also leveraging the Microsoft server and domain isolation IPSec capability in transport mode, because when you start looking at the firewall rules and the kind of traffic required to let systems on the outside talk to domain controllers on the inside, it usually requires too many firewall ports to be opened. With IPSec in transport mode, which is peer-to-peer, I only need to allow the IPSec ports to be opened. That's a very few number of them, and that narrows the security risk quite a bit.

Right, so you're moving the responsibility back to the host systems itself for blocking or allowing communications.

It allows you to describe an isolated environment so that only systems that belong to my company are allowed to communicate on those ports. So I don't usually have to worry too much about those, just because it's treated identically to VPN traffic by firewalls; they typically all will allow it. And that technology is
the same one that allows us to totally isolate these machines regardless of where they are. So I don't worry about them being on the public internet, because of the fact that we're using IPSec policies on each and every host. We can basically describe an IPSec-required policy for all of these machines that are outside the firewall, meaning if you don't have IPSec capabilities on your to get our laptop or host, and you don't have credentials from my company, there's no way you're going to talk. In case I'm just going to deny traffic altogether.

Great. Thanks, David.

Thank you.

All right, that wraps up another Centrify chalk talk. And again, I'm Frank Cabri with David McNeely, and we encourage you to check out centrify.com. There's a lot of other chalk talks and product demos around Deployment Manager and DirectSecure that go into more detail than what we talked about today, so check those out as well. Thanks again.

One Comment

  1. Kelly Malone said:

    Very good explanation of IAM

    June 27, 2019
