Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

Transcript

1. 1.

   SESSION ID: Bryan D. Payne Director of Security Research
 Nebula


   @bdpsecurity Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy •CSV-W01
2. 2.

   #RSAC Cloud Security Today u Cloud has lots of momentum

   u Lots of concerns about security u What’s the real story? !2
3. 3.

   #RSAC What this talk will cover u What does it

   take to secure an IaaS cloud? u Specific ideas to improve your cloud or select a cloud provider. !3
4. 4.

   #RSAC What this talk will NOT cover u A cloud

   comparison u A one-size-fits-all cloud security cookbook !4
5. 5.

   #RSAC Talk Outline u Cloud Introduction (demo!) u IaaS Architecture

   Details u Security Differentiators u Virtualization Stack Security (demo!) u Questions & Wrap-up !5
6. 6.

   #RSAC Cloud Service Models !6 Today’s Talk

7. 7.

   #RSAC Public Cloud u Users: Anyone with a credit card

   u Provider u Doesn’t trust users u Doesn’t want to violate users privacy ! u Monitoring at network edges u Fraud prevention u Network reputation concerns u Broad compliance concerns !7
8. 8.

   #RSAC Private Cloud u Users: Part of a common organization

   u Provider u Trusts users (at some level) u Has full access to data / workloads ! u Security from top to bottom u Design undergoes great scrutiny u Enterprise integration u Targeted compliance concerns !8
9. 9.

   #RSAC Know Your Neighbors u Who are your neighbors (other

   users)? u Who is your cloud admin / operator / builder? u Who else has privilege on the cloud? u Who should? u Who does? !9
10. 10.

    #RSAC Demo: How Things Can Go Very Wrong !10

11. 11.

    Understanding IaaS Cloud Architectures

12. 12.

    #RSAC User Perspective u Launch instances u Take snapshots u

    Flexible storage options u API + web dashboard !12
13. 13.

    #RSAC Admin / Operator Perspective u Create & manage users,

    projects, quotas, etc u Configure cloud u Monitor cloud events, logs, health, etc u API + web dashboard !13
14. 14.

    #RSAC Builder Perspective u Software engineer & DevOps u Designs

    and creates cloud u Controls security domains u Many services to setup & manage !14
15. 15.

    #RSAC Cloud Simplicity !15 Compute Object Storage Example services from

    OpenStack.
16. 16.

    #RSAC Individual Services !16 Network Image Identity Dashboard Volume Compute

    Object Storage
17. 17.

    #RSAC Security Domains !17 Network Image Identity Dashboard Volume Compute

    Object Storage
18. 18.

    #RSAC Gated Interconnects !18 Network Image Identity Dashboard Volume Compute

    Object Storage
19. 19.

    #RSAC Map Data Paths !19 Network Image Identity Dashboard Volume

    Compute Object Storage
20. 20.

    #RSAC Secure design complete… !20 …or  is  it?

21. 21.

    #RSAC Individual Services !21 Network Image Identity Dashboard Volume Compute

    Object Storage
22. 22.

    #RSAC Lots of Glue !22 DNS Metering Automation Load Balancing

    Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
23. 23.

    #RSAC Data Paths !23 DNS Metering Automation Load Balancing Monitoring

    Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
24. 24.

    #RSAC Message Plumbing !24 DNS Metering Automation Load Balancing Monitoring

    Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
25. 25.

    #RSAC Billing Plumbing !25 DNS Metering Automation Load Balancing Monitoring

    Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
26. 26.

    #RSAC Alarm Plumbing !26 DNS Metering Automation Load Balancing Monitoring

    Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
27. 27.

    #RSAC SSL / TLS Plumbing !27 DNS Metering Automation Load

    Balancing Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
28. 28.

    #RSAC Under Cloud Admin Plumbing !28 DNS Metering Automation Load

    Balancing Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
29. 29.

    #RSAC So Much Plumbing! !29 DNS Metering Automation Load Balancing

    Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
30. 30.

    #RSAC !30

31. 31.

    #RSAC OpenStack Security Guide u http://doc.openstack.org/sec/ u Security guidance on

    deploying OpenStack (IaaS Cloud) u Written in one week u Diverse group of authors u Continued contributions accepted through GitHub !31
32. 32.

    #RSAC Cloud Security Domains !32 API Endpoints Web Dashboard Compute

    Node Compute Node Storage Node Storage Node Guest Management Data Management and Control Plane Services Cloud Users / Administrators Cloud Operators Instance Instance Instance Instance External
33. 33.

    #RSAC Example API Action: Launching an Instance !33 Source: http://docs.openstack.org/training-guides/

    External Management
34. 34.

    #RSAC Security Challenges in the Cloud u Audit trails u

    Controlling access u Defense in depth / Layered security u Protecting bridge points u API Endpoints u Virtualization Security !34
35. 35.

    #RSAC !35 Source: http://xkcd.com/908/

36. 36.

    Cloud Security Differentiators

37. 37.

    #RSAC Security Certifications u Necessary, but not sufficient u Mapping

    to cloud not always clear u Not a useful place to differentiate !37
38. 38.

    #RSAC !38 High capability $$$$ Targeted Low $ Widespread Intelligence

    Services Organized Crime Highly Capable Groups Motivated Individuals Script Kiddies ISP Intercept Hypervisor Breakout Distributed Denial of Service Advanced Persistent Treat Automated Exploitation Tools Complex 0-day Development Service Brute Force Supply Chain Attack Mass Phishing Spear Phishing Social Engineering (Employee) Threats Source: OpenStack Security Guide
39. 39.

    #RSAC !39 Cloud  Attack  Vectors Mitigation  Strategies API  Endpoints Service

     hardening,  mandatory  access  controls,  code  audits Web  Dashboard HTTPS,  HSTS,  CSP,  allowed  referrers,  disable  HTTP  trace   Information  Leakage SSL/TLS,  disable  memory  dedup,  random  assignments VM  Breakout Service  hardening,  mandatory  access  controls,  code  audits Hardware  Sharing Avoid  bare  metal  instances  /  device  pass-­‐through Default  Images Secure  and  maintain  default  images Unsecured  Instances User  and/or  tenant  level  network  isolation  for  instances Secondary  Attacks Least  privilege,  mandatory  access  controls,  strong  auth
40. 40.

    #RSAC Major Security Considerations u High level architecture has different

    security domains u End to end protection of network traffic u Protected virtualization stack u Protected API endpoints u Ability to update easily u Physical security at the datacenter !40
41. 41.

    #RSAC Case Study: TLS in the Cloud !41 External Management

    Client SSL / TLS Termination Load Balancing Backend Service Backend Service Backend Service Backend Service Internal SSL certificate Customer-facing SSL certificate HTTP Header Inspection
42. 42.

    #RSAC Case Study: API Endpoint Protection !42 External Management Bob

    Compute Storage Mallory Identity Database Message Queue
43. 43.

    #RSAC !43 Source: http://xkcd.com/424/

44. 44.

    Securing the Virtualization Stack

45. 45.

    #RSAC What Is The Security Concern? !45 From Perez-Botero et

    al, Characterizing Hypervisor Vulnerabilities in Cloud Computing Servers, In Proceedings of the Workshop on Security in Cloud Computing (SCC), May 2013. u Hypervisors have vulnerabilities u A VM-breakout is among the worst exploits for cloud Breakdown of Hypervisor Vulnerabilities
46. 46.

    #RSAC Other Virtualization Considerations u Bad actors on the control

    plane u Hardware emulation, entropy considerations for VM u Side channel cache attacks !46
47. 47.

    #RSAC Mitigation Strategies u Mandatory access controls (KVM+SVirt & Xen+XSM)

    u Minimize & harden QEMU software stack u Runtime monitoring u Security updates !47
48. 48.

    #RSAC Demo: Layered Security Mitigates Attacks !48

49. 49.

    Questions

50. 50.

    Time For Action

51. 51.

    #RSAC Your Next Steps !51 Securing Your Own Cloud Evaluating

    3rd Party Cloud Threat model? Who has privilege? Can you audit everything? Identify security controls? Security-driven architecture? Bryan D. Payne http://www.bryanpayne.org