12 Steps to Cloud Security

A guide to securing your cloud based deployment

Vishnu Vettrivel

October 23, 2015
Transcript

  1. 12 STEPS TO CLOUD SECURITY
     A Guide to Securing your cloud deployment using open source tools
  2. ABOUT ME
     Vishnu Vettrivel, Principal Engineering Lead, Atigeo
     linkedin.com/in/cloudronin, @cloudronin
     Many years building, securing and operating cloud based, data-driven systems for Financial, Government and Healthcare sectors. Longtime Linux user and champion of open and secure development.
  3. STEP 1: KNOW YOUR RESPONSIBILITY
     Cloud providers are responsible for some parts of the infrastructure stack. The other parts of the security stack are your responsibility. You are usually responsible for Application Security, Policies and configuration, machine images etc.
  4. STEP 2: PROTECT YOUR NETWORK
     Use Defense in Depth and services like:
     • Virtual Private Clouds
     • Network ACLs
     • Routing rules
     • Proxy Servers: Nginx
     • NAT
     • Firewalls
       – Application: modsecurity
       – Host: iptables
       – Network: pfSense
  5. STEP 3: PROTECT YOUR MACHINE IMAGES
     • Be sure you harden your images first
     • Turn off insecure ports and services
     • Change default passwords
     • Install AV Software
     • Consider using a Baseline (STIGs)
       – System specific checklists
     • Learn about SCAP
     • Tools:
       – open-scap.org
  6. STEP 4: PROTECT YOUR DATA AT REST
     • Know the different Cloud storage mechanisms and their Security implications
     • De-Identify when possible
     • Understand the choices of Encryption primitives like key strength and Cipher types
     • Don't forget Secure Archival and Disposal of Data
     • Tools:
       – LUKS
       – dm-crypt
       – TrueCrypt
       – GNU shred
  7. STEP 5: PROTECT YOUR DATA IN TRANSIT
     • Use secure application protocols whenever possible:
       – TLS
       – SSH
       – RDP
     • Securely Tunnel traffic when not possible:
       – IPsec
       – SSL VPN
       – SSH
     • Use a Key Management System
     • Tools:
       – Openswan
       – OpenVPN
  8. STEP 6: PROTECT AND PATCH YOUR INSTANCES
     • Define and Categorize Cloud based assets
     • Watch out for Zero Days
     • Classify Risk
     • Patch Affected Systems
     • Use a Configuration Management System
     • Tools:
       – Nessus
       – OpenVAS
  9. STEP 7: PROTECT ACCESS TO YOUR INSTANCES
     • Create Individual User accounts (IAM)
     • Use a Group/Role based permission model
     • Grant Least privilege based on Business Need
     • Enable Multi-Factor Auth (MFA) for Privileged Users
     • Audit all User Activity
     • Federate all User Access through a Directory Service
     • Root Cloud Accounts should not be used
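An added example (not from the deck) of Step 7 applied to an AWS IAM group policy: members get read-only EC2 visibility, may start or stop only instances tagged for their team and only from an MFA-authenticated session, and are denied everything except MFA enrolment until MFA is present. The account id 123456789012, the region and the tag value "ops" are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadOnlyEC2Visibility",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Sid": "AllowStartStopOnTeamInstancesOnlyWithMFA",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" },
        "StringEquals": { "ec2:ResourceTag/Team": "ops" }
      }
    },
    {
      "Sid": "DenyAllExceptMFAEnrolmentWhenNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:EnableMFADevice",
        "iam:ChangePassword",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

Attach the policy to a group rather than to individual users, and leave the root account out of it entirely; the explicit Deny wins over the Allows whenever the session has no MFA, so a stolen long-lived access key alone cannot start or stop anything.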
  10. STEP 8: PROTECT YOUR APPLICATIONS
     • Implement AAA (Authentication, Authorization and Auditing)
     • Familiarize yourself with the OWASP Top 10 Application Security Flaws
     • Follow Secure Development Best Practices
     • Tools:
       – Jenkins
       – PMD
       – FindBugs
  11. STEP 9: AUDIT AND MONITOR YOUR CLOUD
     • Gather monitoring data at a secure and separate Network
     • Establish baselines
     • Monitor all layers and Protocols
     • Deploy the IDS behind the Network firewall
     • Fine tune alert levels
     • Use redundant alerting channels
     • Tools:
       – Nagios
       – ELK Stack
       – Watcher
       – Snort
  12. STEP 10: VALIDATE YOUR PROTECTION
     • Test Network, Infrastructure and Applications separately for Security Vulnerabilities periodically
     • Check for Input validation, session manipulation, authentication and information leakage
     • Use 3rd Party Tools where possible
     • Tools:
       – Metasploit
       – Kali Linux
       – OpenVAS
  13. STEP 11: AUTOMATE EVERYTHING
     • Use a Configuration Management System
     • Employ Continuous Integration and Delivery
     • Automated Provisioning helps:
       – Documentation
       – BCP/DR Planning
       – Change Management
     • Treat Infrastructure as Code
     • Tools:
       – Docker
       – Ansible
       – Chef
  14. STEP 12: MAINTAIN SECURITY POLICIES
     • Define security scope and boundaries
     • Select proper risk Assessment Methodology
     • Align policies to Contractual Obligations
     • Choose a suitable Security control framework
     • Compliance Management Tools:
       – OpenFISMA
       – PTA
       – SOMAP
       – GLPI
  15. STEP 13? THERE IS NO MAGIC BULLET!
     • Some things are easier and some are harder in the Cloud
     • Conventional security and compliance concepts still apply in the cloud
     • The 12 Steps will get you started on your continuous security improvement cycle
  16. RESOURCES
     • https://s3.amazonaws.com/awsmedia/AWS_Security_Best_Practices.pdf
     • http://checklists.nist.gov/
     • https://www.us-cert.gov/
     • https://www.owasp.org/index.php/Top_10_2013-Top_10
     • https://www.cert.org/incident-management/
     • http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
     • https://en.wikipedia.org/wiki/Penetration_test
     • http://www.drdobbs.com/architecture-and-design/top-10-practices-for-effective-devops/240149363
     • https://en.wikipedia.org/wiki/Information_security_management_system
  17. © 2015 Atigeo, Corporation. All rights reserved. Atigeo and the xPatterns logo are trademarks of Atigeo. The information herein is for informational purposes only and represents the current view of Atigeo as of the date of this presentation. Because Atigeo must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Atigeo, and Atigeo cannot guarantee the accuracy of any information provided after the date of this presentation. ATIGEO MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.