
12 Steps to Cloud Security

Cloud architects and managers looking for a simpler introduction to the world of cloud security will benefit greatly from this talk. Using the 12 steps as a guide, attendees will be able to understand various security domains outlined, and to implement a cloud security framework of their own using open source solutions alone.

Vishnu Vettrivel

July 18, 2015

Transcript

  1. 12 Steps to Cloud Security
     A guide to securing your cloud deployment using open source tools
     Vishnu Vettrivel, Principal Engineering Lead, Atigeo, @cloudronin
  2. Step 1: Know your responsibility
     • Cloud providers are responsible for some parts of the infrastructure stack.
     • The other parts of the security stack are your responsibility.
     • You are usually responsible for application security, policies and configuration, machine images, etc.
  3. Step 2: Protect your Network
     • Use defense in depth and services like:
       • Virtual Private Clouds
       • Network ACLs
       • Routing rules
       • Proxy servers: nginx
       • NAT
       • Firewalls
         • Application: ModSecurity
         • Host: iptables
         • Network: pfSense
  4. Step 3: Protect your Machine Images
     • Be sure to harden your images first
     • Turn off insecure ports and services
     • Change default passwords
     • Install AV software
     • Consider using a baseline
     • Tools: OpenSCAP
  5. Step 4: Protect your Data at Rest
     • Know the different cloud storage mechanisms and their security implications.
     • De-identify when possible.
     • Understand the choices of encryption primitives, such as key strength and cipher types.
     • Don't forget secure archival and disposal of data.
     • Tools: LUKS, dm-crypt
  6. Step 5: Protect your Data in Transit
     • Use secure application protocols whenever possible:
       • TLS
       • SSH
       • RDP
     • Securely tunnel traffic when that is not possible:
       • IPsec
       • SSL VPN
       • SSH
     • Use a key management system.
     • Tools: Openswan, OpenVPN
  7. Step 6: Protect and Patch your Instances
     • Define and categorize cloud-based assets
     • Watch out for zero-days
     • Classify risk
     • Patch affected systems
     • Use a configuration management system
     • Tools: OpenVAS
  8. Step 7: Protect Access to your Instances
     • Create individual user accounts
     • Use role-based access
     • Grant least privilege based on business need
     • Enable multi-factor authentication for privileged users
     • Audit all user activity
     • Federate all user access through a directory service
     • Tools: SSSD, OpenLDAP
  9. Step 8: Protect your Applications
     • Implement AAA (Authentication, Authorization and Auditing).
     • Familiarize yourself with the OWASP Top 10 web application security risks.
     • Follow secure development best practices.
     • Tools: Jenkins, PMD, FindBugs
 10. Step 9: Audit and Monitor your Cloud
     • Gather monitoring data on a secure and separate network
     • Establish baselines
     • Monitor all layers and protocols
     • Deploy the IDS behind the network firewall
     • Fine-tune alert levels
     • Use redundant alerting channels
     • Tools: Elasticsearch, Logstash, Kibana, Watcher, Nagios
 11. Step 10: Validate your Protection
     • Test network, infrastructure and applications separately for security vulnerabilities, periodically
     • Check for input validation, session manipulation, authentication and information leakage
     • Use third-party tools where possible
     • Tools: Metasploit, Kali Linux, OpenVAS
 12. Step 11: Automate Everything
     • Use a configuration management system.
     • Employ continuous integration and delivery.
     • Automated provisioning helps:
       • Documentation
       • BCP/DR planning
       • Change management
     • Treat infrastructure as code.
     • Tools: Chef, Puppet, Ansible, Docker, Kubernetes, OpenShift
 13. Step 12: Update your Security Policy
     • Define security scope and boundaries.
     • Select a proper risk assessment methodology.
     • Align policies to contractual obligations.
     • Choose a suitable security control framework.
     • Tools: OpenFISMA, PTA
 14. Step 13? There is no magic bullet!
     • Some things are easier and some are harder in the cloud.
     • Conventional security and compliance concepts still apply in the cloud.
     • The 12 steps will get you started on your continuous security improvement cycle.
 15. Resources
     • https://s3.amazonaws.com/awsmedia/AWS_Security_Best_Practices.pdf
     • http://checklists.nist.gov/
     • https://www.us-cert.gov/
     • https://www.owasp.org/index.php/Top_10_2013-Top_10
     • https://www.cert.org/incident-management/
     • http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
     • https://en.wikipedia.org/wiki/Penetration_test
     • http://www.drdobbs.com/architecture-and-design/top-10-practices-for-effective-devops/240149363
     • https://en.wikipedia.org/wiki/Information_security_management_system