Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

Bryan Payne
February 26, 2014


Transcript

  1. 1.

    SESSION ID: CSV-W01
    Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy
    Bryan D. Payne, Director of Security Research, Nebula
    @bdpsecurity
  2. 2.

    #RSAC

    Cloud Security Today
    - Cloud has lots of momentum
    - Lots of concerns about security
    - What's the real story?
  3. 3.

    What this talk will cover
    - What does it take to secure an IaaS cloud?
    - Specific ideas to improve your cloud or select a cloud provider.
  4. 4.

    What this talk will NOT cover
    - A cloud comparison
    - A one-size-fits-all cloud security cookbook
  5. 5.

    Talk Outline
    - Cloud Introduction (demo!)
    - IaaS Architecture Details
    - Security Differentiators
    - Virtualization Stack Security (demo!)
    - Questions & Wrap-up
  6. 7.

    Public Cloud
    - Users: Anyone with a credit card
    - Provider
      - Doesn't trust users
      - Doesn't want to violate users' privacy
    - Monitoring at network edges
    - Fraud prevention
    - Network reputation concerns
    - Broad compliance concerns
  7. 8.

    Private Cloud
    - Users: Part of a common organization
    - Provider
      - Trusts users (at some level)
      - Has full access to data / workloads
    - Security from top to bottom
    - Design undergoes great scrutiny
    - Enterprise integration
    - Targeted compliance concerns
  8. 9.

    Know Your Neighbors
    - Who are your neighbors (other users)?
    - Who is your cloud admin / operator / builder?
    - Who else has privilege on the cloud?
      - Who should?
      - Who does?
  9. 12.

    User Perspective
    - Launch instances
    - Take snapshots
    - Flexible storage options
    - API + web dashboard
  10. 13.

    Admin / Operator Perspective
    - Create & manage users, projects, quotas, etc.
    - Configure cloud
    - Monitor cloud events, logs, health, etc.
    - API + web dashboard
  11. 14.

    Builder Perspective
    - Software engineer & DevOps
    - Designs and creates cloud
    - Controls security domains
    - Many services to set up & manage
  12. 22.

    Lots of Glue
    (Architecture diagram of the IaaS services: DNS, Metering, Automation, Load Balancing, Monitoring, Billing, Databases, Orchestration, Alarming, Messaging, Account Maintenance, Certificate Authorities, Network, Image, Identity, Dashboard, Volume, Compute, Object Storage)
  13. 23.

    Data Paths
    (Same service diagram, highlighting the data paths between services)
  14. 24.

    Message Plumbing
    (Same service diagram, highlighting the messaging connections)
  15. 25.

    Billing Plumbing
    (Same service diagram, highlighting the billing connections)
  16. 26.

    Alarm Plumbing
    (Same service diagram, highlighting the alarming connections)
  17. 27.

    SSL / TLS Plumbing
    (Same service diagram, highlighting the SSL / TLS connections)
  18. 28.

    Under Cloud Admin Plumbing
    (Same service diagram, highlighting the under-cloud administration connections)
  19. 29.

    So Much Plumbing!
    (Same service diagram, with all of the connections above shown together)
  20. 30.
  21. 31.

    OpenStack Security Guide
    - http://doc.openstack.org/sec/
    - Security guidance on deploying OpenStack (IaaS Cloud)
    - Written in one week
    - Diverse group of authors
    - Continued contributions accepted through GitHub
  22. 32.

    Cloud Security Domains
    (Diagram of the security domains: External; Cloud Users / Administrators; Cloud Operators; API Endpoints and Web Dashboard; Guest Management; Data; Management and Control Plane Services; Compute Nodes and Storage Nodes hosting Instances)
  23. 34.

    Security Challenges in the Cloud
    - Audit trails
    - Controlling access
    - Defense in depth / Layered security
    - Protecting bridge points
    - API Endpoints
    - Virtualization Security
  24. 37.

    Security Certifications
    - Necessary, but not sufficient
    - Mapping to cloud not always clear
    - Not a useful place to differentiate
  25. 38.

    Threats (Source: OpenStack Security Guide)
    (Chart of threat actors plotted by capability, from Low $ to High capability $$$$, and by scope, from Targeted to Widespread)
    - Actors: Intelligence Services, Organized Crime, Highly Capable Groups, Motivated Individuals, Script Kiddies
    - Threats: ISP Intercept, Hypervisor Breakout, Distributed Denial of Service, Advanced Persistent Threat, Automated Exploitation Tools, Complex 0-day Development, Service Brute Force, Supply Chain Attack, Mass Phishing, Spear Phishing, Social Engineering (Employee)
  26. 39.

    Cloud Attack Vectors and Mitigation Strategies

    Attack Vector        | Mitigation Strategies
    ---------------------|----------------------------------------------------------
    API Endpoints        | Service hardening, mandatory access controls, code audits
    Web Dashboard        | HTTPS, HSTS, CSP, allowed referrers, disable HTTP TRACE
    Information Leakage  | SSL/TLS, disable memory dedup, random assignments
    VM Breakout          | Service hardening, mandatory access controls, code audits
    Hardware Sharing     | Avoid bare metal instances / device pass-through
    Default Images       | Secure and maintain default images
    Unsecured Instances  | User and/or tenant level network isolation for instances
    Secondary Attacks    | Least privilege, mandatory access controls, strong auth
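As an added example that is not part of the talk, the following Python audits one dashboard response against the Web Dashboard row above (HTTPS, HSTS, CSP, allowed referrers, HTTP TRACE disabled) and reports which mitigations are missing. The HSTS minimum age and the referrer allow-list origin are assumptions; the inputs are constructed so it runs offline.

```python
import re

# Assumed baselines, not from the talk: HSTS max-age of at least 180 days and
# a constructed referrer allow-list naming the dashboard's own origin.
MIN_HSTS_AGE = 15552000
ALLOWED_REFERRERS = ("https://dashboard.example.com/",)

def _header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def _hsts_ok(value):
    """HSTS counts only if max-age is present and at least MIN_HSTS_AGE."""
    match = re.search(r"max-age\s*=\s*(\d+)", value or "", re.I)
    return bool(match) and int(match.group(1)) >= MIN_HSTS_AGE

def _csp_ok(value):
    """Require a default-src that is neither a wildcard nor 'unsafe-inline'."""
    match = re.search(r"default-src\s+([^;]+)", value or "", re.I)
    sources = match.group(1).lower() if match else ""
    return bool(match) and "*" not in sources and "'unsafe-inline'" not in sources

def _referrer_ok(referrer):
    """A state-changing request must carry a Referer from an allowed origin."""
    return referrer is not None and referrer.startswith(ALLOWED_REFERRERS)

def audit_dashboard(scheme, headers, allowed_methods, referrer):
    """Map each mitigation in the Web Dashboard row to True/False (present/missing).

    scheme: scheme the dashboard answered on; headers: its response headers;
    allowed_methods: methods advertised in an Allow: reply to OPTIONS;
    referrer: Referer on a state-changing request (None when absent).
    """
    methods = {m.strip().upper() for m in allowed_methods}
    return {
        "HTTPS": scheme.lower() == "https",
        "HSTS": _hsts_ok(_header(headers, "Strict-Transport-Security")),
        "CSP": _csp_ok(_header(headers, "Content-Security-Policy")),
        "allowed referrers": _referrer_ok(referrer),
        "HTTP TRACE disabled": "TRACE" not in methods,
    }

def missing_controls(report):
    """Names of the mitigations the report shows as missing, in table order."""
    return [name for name, present in report.items() if not present]
```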
  27. 40.

    Major Security Considerations
    - High level architecture has different security domains
    - End to end protection of network traffic
    - Protected virtualization stack
    - Protected API endpoints
    - Ability to update easily
    - Physical security at the datacenter
  28. 41.

    Case Study: TLS in the Cloud
    (Diagram spanning the External and Management domains: Client; SSL / TLS Termination; Load Balancing; four Backend Services; labelled with Customer-facing SSL certificate, Internal SSL certificate and HTTP Header Inspection)
  29. 42.

    Case Study: API Endpoint Protection
    (Diagram spanning the External and Management domains: Bob; Mallory; Compute; Storage; Identity; Database; Message Queue)
  30. 45.

    What Is The Security Concern?
    - Hypervisors have vulnerabilities
    - A VM-breakout is among the worst exploits for cloud
    (Chart: Breakdown of Hypervisor Vulnerabilities. From Perez-Botero et al., Characterizing Hypervisor Vulnerabilities in Cloud Computing Servers, in Proceedings of the Workshop on Security in Cloud Computing (SCC), May 2013.)
  31. 46.

    Other Virtualization Considerations
    - Bad actors on the control plane
    - Hardware emulation, entropy considerations for VM
    - Side channel cache attacks
  32. 47.

    Mitigation Strategies
    - Mandatory access controls (KVM+sVirt & Xen+XSM)
    - Minimize & harden QEMU software stack
    - Runtime monitoring
    - Security updates
  33. 49.
  34. 51.

    Your Next Steps
    Securing Your Own Cloud / Evaluating a 3rd Party Cloud:
    - Threat model?
    - Who has privilege?
    - Can you audit everything?
    - Identify security controls?
    - Security-driven architecture?

    Bryan D. Payne
    http://www.bryanpayne.org