Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

SESSION ID: Bryan D. Payne Director of Security Research  Nebula 
@bdpsecurity Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy •CSV-W01

#RSAC Cloud Security Today u Cloud has lots of momentum
u Lots of concerns about security u What’s the real story? !2

#RSAC What this talk will cover u What does it
take to secure an IaaS cloud? u Specific ideas to improve your cloud or select a cloud provider. !3

#RSAC What this talk will NOT cover u A cloud
comparison u A one-size-fits-all cloud security cookbook !4

#RSAC Talk Outline u Cloud Introduction (demo!) u IaaS Architecture
Details u Security Differentiators u Virtualization Stack Security (demo!) u Questions & Wrap-up !5

#RSAC Cloud Service Models !6 Today’s Talk

#RSAC Public Cloud u Users: Anyone with a credit card
u Provider u Doesn’t trust users u Doesn’t want to violate users privacy ! u Monitoring at network edges u Fraud prevention u Network reputation concerns u Broad compliance concerns !7

#RSAC Private Cloud u Users: Part of a common organization
u Provider u Trusts users (at some level) u Has full access to data / workloads ! u Security from top to bottom u Design undergoes great scrutiny u Enterprise integration u Targeted compliance concerns !8

#RSAC Know Your Neighbors u Who are your neighbors (other
users)? u Who is your cloud admin / operator / builder? u Who else has privilege on the cloud? u Who should? u Who does? !9

#RSAC Demo: How Things Can Go Very Wrong !10

Understanding IaaS Cloud Architectures

#RSAC User Perspective u Launch instances u Take snapshots u
Flexible storage options u API + web dashboard !12

#RSAC Admin / Operator Perspective u Create & manage users,
projects, quotas, etc u Configure cloud u Monitor cloud events, logs, health, etc u API + web dashboard !13

#RSAC Builder Perspective u Software engineer & DevOps u Designs
and creates cloud u Controls security domains u Many services to setup & manage !14

#RSAC Cloud Simplicity !15 Compute Object Storage Example services from
OpenStack.

#RSAC Individual Services !16 Network Image Identity Dashboard Volume Compute
Object Storage

#RSAC Security Domains !17 Network Image Identity Dashboard Volume Compute
Object Storage

#RSAC Gated Interconnects !18 Network Image Identity Dashboard Volume Compute
Object Storage

#RSAC Map Data Paths !19 Network Image Identity Dashboard Volume
Compute Object Storage

#RSAC Secure design complete… !20 …or is it?

#RSAC Individual Services !21 Network Image Identity Dashboard Volume Compute
Object Storage

#RSAC Lots of Glue !22 DNS Metering Automation Load Balancing
Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate Authorities Network Image Identity Dashboard Volume Compute Object Storage

#RSAC Data Paths !23 DNS Metering Automation Load Balancing Monitoring
Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate Authorities Network Image Identity Dashboard Volume Compute Object Storage

#RSAC Message Plumbing !24 DNS Metering Automation Load Balancing Monitoring

#RSAC Billing Plumbing !25 DNS Metering Automation Load Balancing Monitoring

#RSAC Alarm Plumbing !26 DNS Metering Automation Load Balancing Monitoring

#RSAC SSL / TLS Plumbing !27 DNS Metering Automation Load
Balancing Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate Authorities Network Image Identity Dashboard Volume Compute Object Storage

#RSAC Under Cloud Admin Plumbing !28 DNS Metering Automation Load
Balancing Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate Authorities Network Image Identity Dashboard Volume Compute Object Storage

#RSAC So Much Plumbing! !29 DNS Metering Automation Load Balancing
Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate Authorities Network Image Identity Dashboard Volume Compute Object Storage

#RSAC !30

#RSAC OpenStack Security Guide u http://doc.openstack.org/sec/ u Security guidance on
deploying OpenStack (IaaS Cloud) u Written in one week u Diverse group of authors u Continued contributions accepted through GitHub !31

#RSAC Cloud Security Domains !32 API Endpoints Web Dashboard Compute
Node Compute Node Storage Node Storage Node Guest Management Data Management and Control Plane Services Cloud Users / Administrators Cloud Operators Instance Instance Instance Instance External

#RSAC Example API Action: Launching an Instance !33 Source: http://docs.openstack.org/training-guides/
External Management

#RSAC Security Challenges in the Cloud u Audit trails u
Controlling access u Defense in depth / Layered security u Protecting bridge points u API Endpoints u Virtualization Security !34

#RSAC !35 Source: http://xkcd.com/908/

Cloud Security Differentiators

#RSAC Security Certifications u Necessary, but not sufficient u Mapping
to cloud not always clear u Not a useful place to differentiate !37

#RSAC !38 High capability $$$$ Targeted Low $ Widespread Intelligence
Services Organized Crime Highly Capable Groups Motivated Individuals Script Kiddies ISP Intercept Hypervisor Breakout Distributed Denial of Service Advanced Persistent Treat Automated Exploitation Tools Complex 0-day Development Service Brute Force Supply Chain Attack Mass Phishing Spear Phishing Social Engineering (Employee) Threats Source: OpenStack Security Guide

#RSAC !39 Cloud Attack Vectors Mitigation Strategies API Endpoints Service
hardening, mandatory access controls, code audits Web Dashboard HTTPS, HSTS, CSP, allowed referrers, disable HTTP trace Information Leakage SSL/TLS, disable memory dedup, random assignments VM Breakout Service hardening, mandatory access controls, code audits Hardware Sharing Avoid bare metal instances / device pass-‐through Default Images Secure and maintain default images Unsecured Instances User and/or tenant level network isolation for instances Secondary Attacks Least privilege, mandatory access controls, strong auth

#RSAC Major Security Considerations u High level architecture has different
security domains u End to end protection of network traffic u Protected virtualization stack u Protected API endpoints u Ability to update easily u Physical security at the datacenter !40

#RSAC Case Study: TLS in the Cloud !41 External Management
Client SSL / TLS Termination Load Balancing Backend Service Backend Service Backend Service Backend Service Internal SSL certiﬁcate Customer-facing SSL certiﬁcate HTTP Header Inspection

#RSAC Case Study: API Endpoint Protection !42 External Management Bob
Compute Storage Mallory Identity Database Message Queue

#RSAC !43 Source: http://xkcd.com/424/

Securing the Virtualization Stack

#RSAC What Is The Security Concern? !45 From Perez-Botero et
al, Characterizing Hypervisor Vulnerabilities in Cloud Computing Servers, In Proceedings of the Workshop on Security in Cloud Computing (SCC), May 2013. u Hypervisors have vulnerabilities u A VM-breakout is among the worst exploits for cloud Breakdown of Hypervisor Vulnerabilities

#RSAC Other Virtualization Considerations u Bad actors on the control
plane u Hardware emulation, entropy considerations for VM u Side channel cache attacks !46

#RSAC Mitigation Strategies u Mandatory access controls (KVM+SVirt & Xen+XSM)
u Minimize & harden QEMU software stack u Runtime monitoring u Security updates !47

#RSAC Demo: Layered Security Mitigates Attacks !48

Questions

Time For Action

#RSAC Your Next Steps !51 Securing Your Own Cloud Evaluating
3rd Party Cloud Threat model? Who has privilege? Can you audit everything? Identify security controls? Security-driven architecture? Bryan D. Payne http://www.bryanpayne.org

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

More Decks by Bryan Payne

Other Decks in Technology

Featured

Transcript