
Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

Bryan Payne
February 26, 2014


Transcript

  1. SESSION ID: CSV-W01
    Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy
    Bryan D. Payne
    Director of Security Research, Nebula
    @bdpsecurity

  2. #RSAC
    Cloud Security Today
    u Cloud has lots of momentum
    u Lots of concerns about security
    u What’s the real story?
    !2

    View Slide

  3. What this talk will cover
    • What does it take to secure an IaaS cloud?
    • Specific ideas to improve your cloud or select a cloud provider.

  4. What this talk will NOT cover
    • A cloud comparison
    • A one-size-fits-all cloud security cookbook

  5. Talk Outline
    • Cloud Introduction (demo!)
    • IaaS Architecture Details
    • Security Differentiators
    • Virtualization Stack Security (demo!)
    • Questions & Wrap-up

  6. Cloud Service Models
    [Diagram label: Today’s Talk]

  7. Public Cloud
    • Users: Anyone with a credit card
    • Provider
      • Doesn’t trust users
      • Doesn’t want to violate users’ privacy
    • Monitoring at network edges
    • Fraud prevention
    • Network reputation concerns
    • Broad compliance concerns

  8. Private Cloud
    • Users: Part of a common organization
    • Provider
      • Trusts users (at some level)
      • Has full access to data / workloads
    • Security from top to bottom
    • Design undergoes great scrutiny
    • Enterprise integration
    • Targeted compliance concerns

  9. Know Your Neighbors
    • Who are your neighbors (other users)?
    • Who is your cloud admin / operator / builder?
    • Who else has privilege on the cloud?
    • Who should?
    • Who does?

  10. Demo: How Things Can Go Very Wrong

  11. Understanding IaaS Cloud Architectures

  12. User Perspective
    • Launch instances
    • Take snapshots
    • Flexible storage options
    • API + web dashboard

  13. Admin / Operator Perspective
    • Create & manage users, projects, quotas, etc.
    • Configure cloud
    • Monitor cloud events, logs, health, etc.
    • API + web dashboard

  14. Builder Perspective
    • Software engineer & DevOps
    • Designs and creates cloud
    • Controls security domains
    • Many services to set up & manage

  15. Cloud Simplicity
    [Diagram: Compute, Object Storage]
    Example services from OpenStack.

  16. Individual Services
    [Diagram: Network, Image, Identity, Dashboard, Volume, Compute, Object Storage]

  17. Security Domains
    [Diagram: Network, Image, Identity, Dashboard, Volume, Compute, Object Storage]

  18. Gated Interconnects
    [Diagram: Network, Image, Identity, Dashboard, Volume, Compute, Object Storage]

  19. Map Data Paths
    [Diagram: Network, Image, Identity, Dashboard, Volume, Compute, Object Storage]

  20. Secure design complete… or is it?

  21. Individual Services
    [Diagram: Network, Image, Identity, Dashboard, Volume, Compute, Object Storage]

  22. Lots of Glue
    [Diagram, glue components: DNS, Metering, Automation, Load Balancing, Monitoring, Billing, Databases, Orchestration, Alarming, Messaging, Account Maintenance, Certificate Authorities]
    [Diagram, services: Network, Image, Identity, Dashboard, Volume, Compute, Object Storage]

  23. Data Paths
    [Diagram: same service and glue component labels as slide 22]

  24. Message Plumbing
    [Diagram: same service and glue component labels as slide 22]

  25. Billing Plumbing
    [Diagram: same service and glue component labels as slide 22]

  26. Alarm Plumbing
    [Diagram: same service and glue component labels as slide 22]

  27. SSL / TLS Plumbing
    [Diagram: same service and glue component labels as slide 22]

  28. Under Cloud Admin Plumbing
    [Diagram: same service and glue component labels as slide 22]

  29. So Much Plumbing!
    [Diagram: same service and glue component labels as slide 22]

  30. [No text on this slide]

  31. OpenStack Security Guide
    • http://doc.openstack.org/sec/
    • Security guidance on deploying OpenStack (IaaS Cloud)
    • Written in one week
    • Diverse group of authors
    • Continued contributions accepted through GitHub

  32. Cloud Security Domains
    [Diagram, security domains: External, Guest, Management, Data]
    [Diagram, components: API Endpoints, Web Dashboard, Management and Control Plane Services, Compute Node (x2), Storage Node (x2), Instance (x4)]
    [Diagram, actors: Cloud Users / Administrators, Cloud Operators]

  33. Example API Action: Launching an Instance
    [Diagram labels: External, Management]
    Source: http://docs.openstack.org/training-guides/

  34. Security Challenges in the Cloud
    • Audit trails
    • Controlling access
    • Defense in depth / Layered security
    • Protecting bridge points
    • API Endpoints
    • Virtualization Security

  35. [Image] Source: http://xkcd.com/908/

  36. Cloud Security Differentiators

  37. Security Certifications
    • Necessary, but not sufficient
    • Mapping to cloud not always clear
    • Not a useful place to differentiate

  38. Threats
    [Chart axis labels: High capability, $$$$, Targeted; Low, $, Widespread]
    Actors: Intelligence Services, Organized Crime, Highly Capable Groups, Motivated Individuals, Script Kiddies
    Threats: ISP Intercept, Hypervisor Breakout, Distributed Denial of Service, Advanced Persistent Threat, Automated Exploitation Tools, Complex 0-day Development, Service Brute Force, Supply Chain Attack, Mass Phishing, Spear Phishing, Social Engineering (Employee)
    Source: OpenStack Security Guide

  39. Cloud Attack Vectors | Mitigation Strategies
    API Endpoints | Service hardening, mandatory access controls, code audits
    Web Dashboard | HTTPS, HSTS, CSP, allowed referrers, disable HTTP trace
    Information Leakage | SSL/TLS, disable memory dedup, random assignments
    VM Breakout | Service hardening, mandatory access controls, code audits
    Hardware Sharing | Avoid bare metal instances / device pass-through
    Default Images | Secure and maintain default images
    Unsecured Instances | User and/or tenant level network isolation for instances
    Secondary Attacks | Least privilege, mandatory access controls, strong auth

  40. Major Security Considerations
    • High level architecture has different security domains
    • End to end protection of network traffic
    • Protected virtualization stack
    • Protected API endpoints
    • Ability to update easily
    • Physical security at the datacenter

  41. Case Study: TLS in the Cloud
    [Diagram, security domains: External, Management]
    [Diagram, components: Client, SSL / TLS Termination, Load Balancing, Backend Service (x4)]
    [Diagram, annotations: Customer-facing SSL certificate, Internal SSL certificate, HTTP Header Inspection]

  42. Case Study: API Endpoint Protection
    [Diagram, security domains: External, Management]
    [Diagram, actors: Bob, Mallory]
    [Diagram, components: Compute, Storage, Identity, Database, Message Queue]

  43. [Image] Source: http://xkcd.com/424/

  44. Securing the Virtualization Stack

  45. What Is The Security Concern?
    • Hypervisors have vulnerabilities
    • A VM-breakout is among the worst exploits for cloud
    [Chart: Breakdown of Hypervisor Vulnerabilities]
    From Perez-Botero et al., Characterizing Hypervisor Vulnerabilities in Cloud Computing Servers, In Proceedings of the Workshop on Security in Cloud Computing (SCC), May 2013.

  46. Other Virtualization Considerations
    • Bad actors on the control plane
    • Hardware emulation, entropy considerations for VM
    • Side channel cache attacks

  47. Mitigation Strategies
    • Mandatory access controls (KVM+SVirt & Xen+XSM)
    • Minimize & harden QEMU software stack
    • Runtime monitoring
    • Security updates

  48. Demo: Layered Security Mitigates Attacks

  49. Questions

  50. Time For Action

  51. Your Next Steps
    [Diagram headings: Securing Your Own Cloud; Evaluating 3rd Party Cloud]
    • Threat model?
    • Who has privilege?
    • Can you audit everything?
    • Identify security controls?
    • Security-driven architecture?
    Bryan D. Payne
    http://www.bryanpayne.org