A broad overview of what it takes to be secure. This is an introduction: it covers the basic terms around Cloud Computing and how we go about securing our information assets (data, applications and infrastructure).
The workshop was fun because all the slides were paired with real world examples of security breaches and attacks.
2. Akash Mahajan - Profile
Heard of that Web App Security Guy?
I am the chapter lead for OWASP Bangalore
Co-founded a security community: null
Kick-started an ecosystem for start-ups
Ever attended a Startup Saturday?
Realized that I love to learn about security!
3. You will not learn anything new today
The interesting part is learning why you won't learn anything new today
5. “Today Internet is Cloud CD Based, if you use Google your docs get stored in cloud, have you ever seen Google software CD? No it's not here, it's in the cloud. Called as Cloud CD! When you check, it Cloud gives error because it is raining!!!!”
- Vishwa Bandhu Gupta
6. Cloud computing is computing in which large groups of remote servers are networked to allow the centralized data storage, and online access to computer services or resources.
- From http://en.wikipedia.org/wiki/Cloud_computing
7. How is Cloud Computing different from?
Grid computing
Distributed computing
Large scale clusters
8. Elasticity
is the degree to which a system is able to adapt to workload changes
9. How do we get Elasticity?
by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible.
10. Autonomic Manner
The system makes decisions on its own, using high-level policies; it will constantly check and optimize its status and automatically adapt itself to changing conditions.
25. Virtualization provides automation
• Cloud computing automates the process through which the user can provision resources on demand.
• By minimizing user involvement, automation speeds up the process, reduces labor costs and reduces human error
45. Public Cloud
A cloud is called a "public cloud" when the services are rendered over a network that is open for public use.
46. Private Cloud
Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party, and hosted either internally or externally.
47. Hybrid Cloud
Hybrid cloud is a composition of two or more clouds (private, community or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models.
48. We will restrict our discussion to the security of the public cloud
SECURITY IN THE PUBLIC CLOUD
49. Shared Sense of Security
Public cloud vendors and customers have a shared sense of security
51. Shared Responsibility of Security
Public cloud vendors and customers have to share the responsibility for security
54. Amazon AWS takes care of
• Physical Security (nobody, including a government, should be able to walk away with the server)
• The host OS that runs the virtualization software
• Virtualization Security (rogue VMs can't harm others)
55. Amazon AWS takes care of
• Environmental Safeguards (the DC is a safe place to run servers)
• Administrative Controls (policies and procedures)
• Certifications and Accreditations (SAS 70, SOC 1, PCI DSS, ISO 27001)
56. You take care of
• Guest OS (The Compute instance)
• Application Security (The application on the
compute instance)
• Data Security (The data being generated,
processed by the application)
• Network security for the guest &
applications
• Security Monitoring of Guest OS &
applications
58. Does Cloud Need Security?
Wrong question to ask, the question should be…
59. Do we need to worry about our data, our infra, our apps stored in the public cloud?
60. Our apps in the public cloud
• This applies only to IaaS and PaaS, since in SaaS it is not our application
• An insecure app can expose the underlying infrastructure and data to theft, corruption and exposure
61. Security Testing of Apps
• No different from testing any application for
security
• We might require permission to run
automated scanners against the app
• Ideal framework to test against is OWASP
Top 10 and OWASP Testing Guide
62. App Insecurity Scenario
• App has a Local File Inclusion bug
• The AWS root credentials are being used
• They are stored in a world readable file on the
server
• Attacker reads the credentials and starts
multiple large instances to mine bitcoins
• Victim saddled with a massive bill at the end of
the month
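The scenario above chains two mistakes: a Local File Inclusion bug that lets the attacker pick which file the app opens, and long-lived AWS root credentials sitting on disk for it to find. The following is an added example, not code from the presentation, showing the include handler in its vulnerable form next to a hardened one that canonicalises the path and refuses anything outside the template directory. The directory `/srv/app/templates` and the function names are assumptions for illustration; the paths are checked purely lexically so the example runs without those files existing.

```python
import os
from pathlib import Path

# Assumed directory the application is allowed to read templates from.
TEMPLATE_ROOT = Path("/srv/app/templates")


def include_file_vulnerable(user_path: str) -> Path:
    """The LFI bug from the scenario: the caller-supplied name is joined onto the
    template root with no check. '../' segments walk out of the directory, and an
    absolute path replaces the root entirely (os.path.join semantics)."""
    return Path(os.path.normpath(os.path.join(str(TEMPLATE_ROOT), user_path)))


def include_file_hardened(user_path: str) -> Path:
    """Join, canonicalise, then require the result to sit under TEMPLATE_ROOT.

    The check is done on the whole path component list (Path.parents), not on a
    string prefix, so '/srv/app/templates-old/x' is rejected even though it starts
    with '/srv/app/templates'. normpath works lexically; on a live system follow it
    with Path.resolve(strict=True) so symlinks cannot escape the directory either.
    """
    candidate = TEMPLATE_ROOT / user_path          # absolute user_path would win here ...
    resolved = Path(os.path.normpath(candidate))   # ... so the containment check below is what matters
    if resolved != TEMPLATE_ROOT and TEMPLATE_ROOT not in resolved.parents:
        raise PermissionError(f"refusing path outside template root: {user_path!r}")
    return resolved


if __name__ == "__main__":
    payload = "../../../root/.aws/credentials"
    print("vulnerable opens:", include_file_vulnerable(payload))
    try:
        include_file_hardened(payload)
    except PermissionError as err:
        print("hardened refuses:", err)
```

Even with the handler fixed, the second mistake still needs fixing: credentials for an instance belong in an IAM role delivered through the instance metadata service (see the IAM best practices later in the deck), not in a world-readable file, so that there is nothing on disk for the next file-read bug to hand over.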
63. Our infra in the public cloud
• This applies only to IaaS, since in SaaS and PaaS the infrastructure is not ours to manage
• Infrastructure vulnerabilities can derail any app security in place.
64. Security Testing of Infra
• No different from testing a server for security
• We may require permission to run automated scanners against the server
• Ideal framework to test against is any penetration testing standard: PTES / OSSTMM
65. Infra Insecurity Scenario
• The MySQL production database is listening on an external interface
• Developers work directly on the production database and require SQL management software
• They log in using the root user of the MySQL database server and a simple password
• Attacker runs a brute force script, cracks the password and gains full access to the database
66. HEARTBLEED – AN ILLUSTRATION OF AN
INFRASTRUCTURE VULNERABILITY
71. What kind of information?
• Session IDs
• Usernames
• Passwords
• Server certificates' private keys
72. CloudFlare hosted a vulnerable server
A security researcher sent 2.5 million requests and got the private keys
73. What is the big deal about that?
• With the SSL certificate's private key an attacker can decrypt recorded and future traffic for every session that did not use an ephemeral (forward-secret) key exchange
• The private key also allows impersonation of that service
• What if some website could pretend to be https://examplebank.com ?
74. Amateur Hour at AWS
• https://opbeat.com/blog/posts/amateur-hour-at-aws/
• Amazon AWS took about 48 hours after everyone knew about Heartbleed to patch its servers and inform its customers
• This caused a lot of heartache and pain for its customers
75. Our data in the public cloud
• This applies to all of PaaS, IaaS and SaaS
• Our data can get leaked, exposed, stolen or held to ransom if we don't make sure it is safe while being used, while being transmitted and while being stored
76. Verifying Data Security through Testing
• This is a specialized testing requirement. Part of it can be tested by looking at the system and application architecture
• Every place the data can be written to, sent to or travel through needs to be looked at
• Writing to storage, exposed APIs, backups and even insider threats
77. Verifying Data uses Encryption
• Data at rest is encrypted
– This ensures that an attacker who gets access to the disk/store can't use the data
• Data in motion is encrypted
– This ensures that an attacker who can sniff the network traffic can neither read nor tamper with the data
• Data in use (tmp files, keys loaded in memory) is protected
– This ensures that an attacker who manages to gain access to a server can't do catastrophic damage
78. Secure Key Management
• Once we start using encryption for data storage and data transmission, the encryption keys need to be safeguarded against theft and accidental loss
• A secure key management process ensures that at any point keys can be revoked and reissued
79. Data Insecurity Scenario
• The database is being backed up regularly.
• For performance reasons, the database wasn't encrypted when the initial backups were done.
• The dev team moves to newer SSDs and doesn't decommission the older HDDs.
• Attacker finds an older HDD, does forensic data recovery on it and sells the data for profit.
88. European Network and Information Security Agency (ENISA)
• Cloud Computing Information Assurance Framework
• http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance-framework/at_download/fullReport
• Covers 15 areas in OpSec and Identity & Access Management
89. Frameworks are great, but
• They are too extensive to be actionable
• They are too generic for real world security
• They provide structure but lack incisive
steps that can be taken right now to
become secure
90. 10 STEPS TO SECURING A CLOUD
DEPLOYMENT (INFRASTRUCTURE)
91. Why Infrastructure first?
In all cases the Cloud Service Provider (CSP) takes care of physical security and the host operating system. So we just need to worry about the guest OS and all the infrastructure running on it.
93. AWS and Rackspace Host OS Vuln
From the Amazon AWS Blog: XEN Hypervisor Security Issues
95. 5 Pillars of Security in IaaS (AWS)
• Identity and Access Management
• Configuration and Patch Management
• Endpoint and Network Protection
• Vulnerability and Asset Management
• Data Protection
96. How the CSPs stack up for security?

CSP / Security feature          | AWS            | Google Compute Engine | Microsoft Azure     | Rackspace
--------------------------------|----------------|-----------------------|---------------------|-----------------------
IAM                             | YES            | YES                   | YES                 | Sort of
2FA for management layer        | Need to enable | Need to enable        | YES* (paid service) | NO
Network isolation               | YES            | YES                   | YES                 | YES
Virtual private networks        | YES            | YES                   | YES                 | YES
Firewall                        | YES            | YES                   | YES                 | YES
Centralized logs and audit trail| YES            | NO                    | YES*                | NO
Encryption for storage          | YES            | YES                   | YES                 | (blank on the slide)
Key management                  | YES            | YES                   | YES                 | YES

* http://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/
http://t.co/tig66fyu9K - Thanks to @govindk
97. The 10 steps are
1. Enumerate all the network interfaces
2. List all the running services
3. Harden Each Service separately based on best
practices
4. Secure Remote access for server management
(SSH, RDP)
5. Check Operating System Patch Levels
98. The 10 steps are
6. Harden the networking parameters of the kernel (Linux specific)
7. Enable a host firewall
8. Do an inventory of all user accounts on the server and audit them
9. Enable centralized logging
10. Enable encryption on disks, storage etc.
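Steps 1 to 6 above are checks you can script, and the MySQL scenario on slide 65 (a database listening on an external interface) is exactly what step 2 should catch. The block below is an added example, not part of the presentation, that audits the three inputs a Linux host gives you for those steps: the listening sockets from `ss -ltnup` (steps 1 and 2), `/etc/ssh/sshd_config` (step 4) and `sysctl -a` output (step 6). The sample inputs are constructed to look like those commands' output; they were not captured from a real host, and the set of allowed public ports and expected sysctl values are assumptions you would adjust per server.

```python
import re

# Constructed sample of `ss -ltnup` output (not from a real host).
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=904,fd=21))
tcp   LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=930,fd=6))
tcp   LISTEN 0      511    *:443              *:*               users:(("nginx",pid=1011,fd=8))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=701,fd=7))
"""

# Constructed sshd_config: root login on, password auth only commented out (so still the default).
SSHD_SAMPLE = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
"""

# Constructed `sysctl -a` excerpt.
SYSCTL_SAMPLE = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
"""


def parse_listeners(ss_output: str) -> list:
    """Turn `ss -ltnup` text into dicts of protocol, bind address, port, process."""
    listeners = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        addr, port = parts[4].rsplit(":", 1)         # rsplit keeps '[::]' style IPv6 intact
        proc = re.search(r'\(\("([^"]+)"', line)
        listeners.append({"proto": parts[0], "addr": addr, "port": int(port),
                          "process": proc.group(1) if proc else "?"})
    return listeners


def is_public_bind(addr: str) -> bool:
    """Anything not bound to loopback is reachable from the network (step 1)."""
    return not (addr.startswith("127.") or addr in {"[::1]", "::1"})


def find_exposed(listeners: list, allowed_public_ports=frozenset({22, 80, 443})) -> list:
    """Step 2: services listening publicly that are not on the allow list."""
    return [(l["proto"], l["port"], l["process"]) for l in listeners
            if is_public_bind(l["addr"]) and l["port"] not in allowed_public_ports]


def audit_sshd_config(text: str) -> list:
    """Step 4: flag weak sshd settings. Absent directives take OpenSSH's permissive default."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            directives.setdefault(key.lower(), value.strip().lower())  # first occurrence wins, as in sshd
    findings = []
    if directives.get("permitrootlogin", "yes") not in {"no", "prohibit-password", "without-password"}:
        findings.append("PermitRootLogin allows password logins as root")
    if directives.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not disabled; use key-based authentication only")
    if "1" in directives.get("protocol", "2").split(","):
        findings.append("SSH protocol 1 is enabled")
    return findings


# Step 6: assumed baseline for a server that is not a router.
SYSCTL_EXPECTED = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
}


def audit_sysctl(sysctl_output: str) -> list:
    current = {}
    for line in sysctl_output.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return [f"{k} = {current.get(k, '<unset>')} (expected {want})"
            for k, want in SYSCTL_EXPECTED.items() if current.get(k) != want]


if __name__ == "__main__":
    for finding in find_exposed(parse_listeners(SS_SAMPLE)):
        print("exposed service:", finding)
    for finding in audit_sshd_config(SSHD_SAMPLE) + audit_sysctl(SYSCTL_SAMPLE):
        print("finding:", finding)
```

On the sample input the listener check reports `mysqld` on 3306 and `snmpd` on 161 as reachable from the network, which is the slide 65 misconfiguration; redis on 127.0.0.1 is fine. Feed the real commands' output in place of the constructed strings to run it on a host.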
100. AWS IAM Best Practices
• Lock away your AWS account access keys
• Create individual IAM users
• Use groups to assign permissions to IAM
users
• Grant least privilege
101. AWS IAM Best Practices
• Configure a strong password policy for your users
• Enable MFA for privileged users
• Use roles for applications that run on Amazon EC2
instances
• Delegate by using roles instead of by sharing
credentials
• Rotate credentials regularly
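Three of the best practices above (lock away the root keys, MFA for privileged users, rotate credentials) can be verified from a single artefact, the IAM credential report. The block below is an added example, not from the presentation or from AWS, that applies those checks to the report's CSV. It assumes the report was produced with `aws iam generate-credential-report` and downloaded with `aws iam get-credential-report`, and it uses the report's documented column names; the sample rows and the 90-day rotation limit are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy

# Constructed sample in the credential report's CSV layout (not a real account).
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2013-01-10T08:00:00+00:00,not_supported,2014-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2013-01-10T08:00:00+00:00,2014-05-01T09:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2013-06-01T10:00:00+00:00,true,2014-05-14T07:30:00+00:00,2014-03-01T10:00:00+00:00,2014-05-30T10:00:00+00:00,true,true,2014-04-20T10:00:00+00:00,2014-05-14T07:35:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2013-11-01T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2013-11-01T12:00:00+00:00,2014-05-15T01:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse_ts(value: str):
    """Report dates are ISO 8601; 'N/A', 'no_information', 'not_supported' mean no date."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime) -> list:
    """Return (user, finding) pairs for the best practices that the report can prove."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # MFA: required for root and for any user who can log in to the console.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "no MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:   # "lock away your AWS account access keys": root should have none
                findings.append((user, f"root has an active access key {slot}"))
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {slot} older than {MAX_KEY_AGE.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(CREDENTIAL_REPORT, datetime.now(timezone.utc)):
        print(f"{user}: {finding}")
```

Run it against a real report with a current `now`; on the sample, root is flagged three times (no MFA, an active access key, and that key never rotated) and the service account once for its stale key, while alice, who has MFA and a recent key, produces nothing.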
105. Anatomy of the attack
1. Distract by running a DDoS against the target
2. Gain access to the AWS root credentials
3. Delete all storage devices: hard disks, S3 storage
The company was a hosting company. It went bankrupt because of this and hundreds of customers lost all their data.
106. Case Study 2 – Application Security
• Relatively benign bug causes major security
hole in the cloud
107. Case Study 2
APPLICATION (IN)SECURITY LOVES
XXE
108. Application (In)Security & XXE
• A researcher finds that he can inject his own file name and path (an XML external entity) into an application running on AWS EC2
• EC2 uses Auto Scaling
• Auto Scaling requires information, including credentials, to be present on the EC2 instance
• The instance metadata web server answers local HTTP requests, so the XXE is used to fetch from it, and the server and its credentials are pwned
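The lesson of this case study is that a "relatively benign" bug becomes a credential leak the moment the application can be made to issue an HTTP request on the attacker's behalf, because the instance metadata service at 169.254.169.254 answers any local request. Any server-side fetch (XML external entity resolvers, URL previewers, webhook callers) therefore needs an egress check. The block below is an added example, not code from the presentation, of such a check: it resolves the target and refuses link-local, loopback and private ranges, unwrapping IPv4-mapped IPv6 literals so they cannot be used to dodge the IPv4 list. The resolver is injected so the example runs offline with a constructed DNS table; in production pass a function backed by `socket.getaddrinfo` and make the fetch connect to the address you checked, not re-resolve the name. The function and table names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges a server must never be tricked into fetching from on a caller's behalf.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # link-local; EC2 metadata at 169.254.169.254
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("fd00::/8"),        # ULA; includes the metadata IPv6 endpoint fd00:ec2::254
]

# Constructed stand-in for DNS (not real records).
FAKE_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "metadata.attacker.example": ["169.254.169.254"],   # attacker-controlled name pointing at IMDS
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def _normalise(addr: str):
    """Parse an IP literal; fold ::ffff:a.b.c.d back to IPv4 so the IPv4 ranges apply."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_safe_fetch_target(url: str, resolver=fake_resolver) -> bool:
    """True only for http(s) URLs whose every resolved address is outside BLOCKED_NETWORKS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                      # file://, gopher:// etc. are never fetched
    host = parts.hostname                 # brackets already stripped from IPv6 literals
    try:
        addresses = [_normalise(host)]    # host is an IP literal
    except ValueError:
        addresses = [_normalise(a) for a in resolver(host)]
    if not addresses:
        return False                      # unresolvable: fail closed
    return not any(ip in net for ip in addresses for net in BLOCKED_NETWORKS)


if __name__ == "__main__":
    for url in ("https://cdn.example.com/feed.xml",
                "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                "http://[::ffff:169.254.169.254]/latest/meta-data/",
                "http://metadata.attacker.example/"):
        print(is_safe_fetch_target(url), url)
```

This check is defence in depth, not a replacement for fixing the XXE itself (disable DTD/external entity resolution in the parser) or for limiting what the instance's role can do; on AWS, the later IMDSv2 also requires a session token obtained with a PUT request, which blunts simple GET-only request forgery.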
109. Case Study 3 – Infrastructure Security
• Unpatched server causes major security breach
111. Browser Stack
• Old, neglected server, not being used.
• Server is brought up to check something.
• The unpatched server is left running on the Internet without any network protection
• Attacker compromises the server, steals the AWS credentials and manages to email all of its customers about how bad the company's security is
112. Conclusions
• Security in the cloud is really not very different from regular security
• The same principles and processes apply
• The same tools and techniques apply
• IT folks simply need to understand the best way to get the same things done in the cloud
114. Attributions
• Cloud Image Background from www.perspecsys.com
• Video of Vishwa Bandhu https://www.youtube.com/watch?v=ApQlMm39xr0
• Virtualization image By Qingqing Chen (Own work) [Public domain], via Wikimedia Commons
• CPU Usage https://www.wormly.com/help/windows-server/cpu-usage-win32
• Yoga agility By Earl McGehee (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
• Toyota Robot at Toyota Kaikan
• AWS Scale on Demand http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-scale-based-on-demand.html
• SOA for Cloud Computing http://www.communitydatalink.com/portfolio/cloudservices/
• http://www.rackspace.com/knowledge_center/whitepaper/understanding-the-cloud-computing-stack-saas-paas-iaas
• By Sam Joton (wikipedia) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
• Big Thanks to @govindk for fixing errors in Slide #96
Speaker notes
NIST Special Publication 800-145
Grid Computing – A form of distributed and parallel computing, whereby a 'super and virtual computer' is composed of a cluster of networked, loosely coupled computers acting in concert to perform very large tasks.
Any large scale clusters – Usually a mainframe and a bunch of terminals
It is merely the result of adoption of existing technologies and paradigms.
What can these services look like?
Each of which can be easily used and managed to perform computing tasks.
For most physical servers, CPU utilization is less than 50% most times of the day
Compute – contains processing and memory
Storage – storing data for use
Network – the network that connects the various services
Management – what we use to manage and work with the cloud service
So from now on, whenever I say Cloud I mean Public Cloud
Best example of this is Heartbleed
Show the small demo
Which is why we use a simple 10 step guide to securing a cloud deployment