Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

938bca9547ba1cac3e69d80efd67fe6b?s=47 Bryan Payne
February 26, 2014

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

938bca9547ba1cac3e69d80efd67fe6b?s=128

Bryan Payne

February 26, 2014
Tweet

Transcript

  1. SESSION ID: Bryan D. Payne Director of Security Research
 Nebula


    @bdpsecurity Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy •CSV-W01
  2. #RSAC Cloud Security Today u Cloud has lots of momentum

    u Lots of concerns about security u What’s the real story? !2
  3. #RSAC What this talk will cover u What does it

    take to secure an IaaS cloud? u Specific ideas to improve your cloud or select a cloud provider. !3
  4. #RSAC What this talk will NOT cover u A cloud

    comparison u A one-size-fits-all cloud security cookbook !4
  5. #RSAC Talk Outline u Cloud Introduction (demo!) u IaaS Architecture

    Details u Security Differentiators u Virtualization Stack Security (demo!) u Questions & Wrap-up !5
  6. #RSAC Cloud Service Models !6 Today’s Talk

  7. #RSAC Public Cloud u Users: Anyone with a credit card

    u Provider u Doesn’t trust users u Doesn’t want to violate users privacy ! u Monitoring at network edges u Fraud prevention u Network reputation concerns u Broad compliance concerns !7
  8. #RSAC Private Cloud u Users: Part of a common organization

    u Provider u Trusts users (at some level) u Has full access to data / workloads ! u Security from top to bottom u Design undergoes great scrutiny u Enterprise integration u Targeted compliance concerns !8
  9. #RSAC Know Your Neighbors u Who are your neighbors (other

    users)? u Who is your cloud admin / operator / builder? u Who else has privilege on the cloud? u Who should? u Who does? !9
  10. #RSAC Demo: How Things Can Go Very Wrong !10

  11. Understanding IaaS Cloud Architectures

  12. #RSAC User Perspective u Launch instances u Take snapshots u

    Flexible storage options u API + web dashboard !12
  13. #RSAC Admin / Operator Perspective u Create & manage users,

    projects, quotas, etc u Configure cloud u Monitor cloud events, logs, health, etc u API + web dashboard !13
  14. #RSAC Builder Perspective u Software engineer & DevOps u Designs

    and creates cloud u Controls security domains u Many services to setup & manage !14
  15. #RSAC Cloud Simplicity !15 Compute Object Storage Example services from

    OpenStack.
  16. #RSAC Individual Services !16 Network Image Identity Dashboard Volume Compute

    Object Storage
  17. #RSAC Security Domains !17 Network Image Identity Dashboard Volume Compute

    Object Storage
  18. #RSAC Gated Interconnects !18 Network Image Identity Dashboard Volume Compute

    Object Storage
  19. #RSAC Map Data Paths !19 Network Image Identity Dashboard Volume

    Compute Object Storage
  20. #RSAC Secure design complete… !20 …or  is  it?

  21. #RSAC Individual Services !21 Network Image Identity Dashboard Volume Compute

    Object Storage
  22. #RSAC Lots of Glue !22 DNS Metering Automation Load Balancing

    Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
  23. #RSAC Data Paths !23 DNS Metering Automation Load Balancing Monitoring

    Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
  24. #RSAC Message Plumbing !24 DNS Metering Automation Load Balancing Monitoring

    Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
  25. #RSAC Billing Plumbing !25 DNS Metering Automation Load Balancing Monitoring

    Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
  26. #RSAC Alarm Plumbing !26 DNS Metering Automation Load Balancing Monitoring

    Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
  27. #RSAC SSL / TLS Plumbing !27 DNS Metering Automation Load

    Balancing Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
  28. #RSAC Under Cloud Admin Plumbing !28 DNS Metering Automation Load

    Balancing Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
  29. #RSAC So Much Plumbing! !29 DNS Metering Automation Load Balancing

    Monitoring Billing Databases Orchestration Alarming Messaging Account Maintenance Certificate   Authorities Network Image Identity Dashboard Volume Compute Object Storage
  30. #RSAC !30

  31. #RSAC OpenStack Security Guide u http://doc.openstack.org/sec/ u Security guidance on

    deploying OpenStack (IaaS Cloud) u Written in one week u Diverse group of authors u Continued contributions accepted through GitHub !31
  32. #RSAC Cloud Security Domains !32 API Endpoints Web Dashboard Compute

    Node Compute Node Storage Node Storage Node Guest Management Data Management and Control Plane Services Cloud Users / Administrators Cloud Operators Instance Instance Instance Instance External
  33. #RSAC Example API Action: Launching an Instance !33 Source: http://docs.openstack.org/training-guides/

    External Management
  34. #RSAC Security Challenges in the Cloud u Audit trails u

    Controlling access u Defense in depth / Layered security u Protecting bridge points u API Endpoints u Virtualization Security !34
  35. #RSAC !35 Source: http://xkcd.com/908/

  36. Cloud Security Differentiators

  37. #RSAC Security Certifications u Necessary, but not sufficient u Mapping

    to cloud not always clear u Not a useful place to differentiate !37
  38. #RSAC !38 High capability $$$$ Targeted Low $ Widespread Intelligence

    Services Organized Crime Highly Capable Groups Motivated Individuals Script Kiddies ISP Intercept Hypervisor Breakout Distributed Denial of Service Advanced Persistent Treat Automated Exploitation Tools Complex 0-day Development Service Brute Force Supply Chain Attack Mass Phishing Spear Phishing Social Engineering (Employee) Threats Source: OpenStack Security Guide
  39. #RSAC !39 Cloud  Attack  Vectors Mitigation  Strategies API  Endpoints Service

     hardening,  mandatory  access  controls,  code  audits Web  Dashboard HTTPS,  HSTS,  CSP,  allowed  referrers,  disable  HTTP  trace   Information  Leakage SSL/TLS,  disable  memory  dedup,  random  assignments VM  Breakout Service  hardening,  mandatory  access  controls,  code  audits Hardware  Sharing Avoid  bare  metal  instances  /  device  pass-­‐through Default  Images Secure  and  maintain  default  images Unsecured  Instances User  and/or  tenant  level  network  isolation  for  instances Secondary  Attacks Least  privilege,  mandatory  access  controls,  strong  auth
  40. #RSAC Major Security Considerations u High level architecture has different

    security domains u End to end protection of network traffic u Protected virtualization stack u Protected API endpoints u Ability to update easily u Physical security at the datacenter !40
  41. #RSAC Case Study: TLS in the Cloud !41 External Management

    Client SSL / TLS Termination Load Balancing Backend Service Backend Service Backend Service Backend Service Internal SSL certificate Customer-facing SSL certificate HTTP Header Inspection
  42. #RSAC Case Study: API Endpoint Protection !42 External Management Bob

    Compute Storage Mallory Identity Database Message Queue
  43. #RSAC !43 Source: http://xkcd.com/424/

  44. Securing the Virtualization Stack

  45. #RSAC What Is The Security Concern? !45 From Perez-Botero et

    al, Characterizing Hypervisor Vulnerabilities in Cloud Computing Servers, In Proceedings of the Workshop on Security in Cloud Computing (SCC), May 2013. u Hypervisors have vulnerabilities u A VM-breakout is among the worst exploits for cloud Breakdown of Hypervisor Vulnerabilities
  46. #RSAC Other Virtualization Considerations u Bad actors on the control

    plane u Hardware emulation, entropy considerations for VM u Side channel cache attacks !46
  47. #RSAC Mitigation Strategies u Mandatory access controls (KVM+SVirt & Xen+XSM)

    u Minimize & harden QEMU software stack u Runtime monitoring u Security updates !47
  48. #RSAC Demo: Layered Security Mitigates Attacks !48

  49. Questions

  50. Time For Action

  51. #RSAC Your Next Steps !51 Securing Your Own Cloud Evaluating

    3rd Party Cloud Threat model? Who has privilege? Can you audit everything? Identify security controls? Security-driven architecture? Bryan D. Payne http://www.bryanpayne.org