Cloud Application Security Guy + OWASP
• Racker since October 2011
• Rackspace's Cloud Product Group
• Work with developers and QE
• OWASP International Foundation Board Member and Treasurer
• Project Leader of OWASP Live CD & OWASP WTE projects
Google – all bad.
• Hardcoded keys
• Hardcoded algorithms
• Recommendations for every cipher block mode (including ECB)
• Old (top result is from 2007)
• Null & hardcoded IVs
• Old libraries (last updated in 2002)
is local key protection
• Doesn't handle central key distribution
• Limited logging & auditing
• Limited automation
• Tied to dependencies
• Kernel protections aimed at keys for kernel use rather than application use
Data Protection API (DPAPI) provides the ability to store, retrieve and share keys protected by the OS.
• Active Directory allows keys to be stored locally
• Not portable (duh)
• Somewhat centrally manageable
key-store capable of distributing keying material to all types of deployments, including ephemeral Cloud instances.
2. Support reasonable compliance regimes through reporting and auditability.
3. Application adoption costs should be minimal or non-existent.
4. Build a community and ecosystem by being open-source and extensible.
5. Improve security through sane defaults and centralized management of key policies.
6. Out-of-band communication mechanism to notify and protect sensitive assets.
Integration options: File System, ReST API, PKCS
• Provides a file system abstraction
• Simple to integrate, but requires an agent
• Existing standard, medium interoperability
• Pretty crusty API, multi-tenancy, vendor extensions
• Easy integration for most applications
• Security issues, shell dependencies
• Common method, easily understood
• Requires code changes to integrate
Syslog / API logging
• Multiple log options, specified by central policy & local configuration
• API logging provides a compliant streaming log solution
• More likely for a log to escape a compromised server
• PANICs and other events surfaced via API
• API can respond to events on the agent
• Go for Agent
  – Binary packages
  – Low run-time memory
• Pairing options for various security levels
  – OAuth, Token, Manual Key Exchange
• Once paired, agent and API exchange keys
  – API can store a key-pair by tenant or by agent
  – Offers a wide range of installation options
• Support for Chef / Puppet installation
• Agent will mount a directory
Diagram: API and Agent exchange public keys (Tenant public keys on the agent side, Agent public keys on the API side). Key exchange allows for signed messages.
  "configuration_key",
  "mime_type": "application/aes-256-cbc",
  "expiration": "2014-02-28T19:14:44.180394",
  "secret": "b7990b786ee9659b43e6b1cd6136de07d9c5…",
  *"owner": "myapp",
  *"group": "myapp",
  *"cacheable": false
  }
Defines metadata about a key. Settings in the policy can be overridden if needed. (*) Overrides policy settings.
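The record above carries three starred fields that override the central policy, plus an expiration the agent has to honour before handing the secret to an application. The following is an added example (not Barbican or Rackspace code) that resolves a record of that shape against a constructed policy document: policy supplies defaults, the starred fields on the record win, and an expired record never yields its secret. The policy document itself and the "name" field used for the first line of the slide are assumptions; the secret value is a constructed placeholder.

```python
"""Resolve effective settings for a secret record against a key policy.

Added example, not project code.  The policy document and the "name"
field are assumptions; the record is modelled on the slide.
"""
import json
from datetime import datetime, timezone

# Fields the slide marks with (*): the record's value overrides policy.
OVERRIDABLE = ("owner", "group", "cacheable")

# Constructed policy defaults (hypothetical; the slide shows no policy document).
POLICY_DEFAULTS = {
    "owner": "root",
    "group": "root",
    "cacheable": True,
}

# Constructed record modelled on the slide; the secret is a placeholder string.
SAMPLE_RECORD = json.dumps({
    "name": "configuration_key",          # assumed field name for the slide's first line
    "mime_type": "application/aes-256-cbc",
    "expiration": "2014-02-28T19:14:44.180394",
    "secret": "b7990b786ee9659b43e6b1cd6136de07d9c5...",
    "owner": "myapp",
    "group": "myapp",
    "cacheable": False,
})


def effective_settings(record: dict, policy: dict) -> dict:
    """Policy defaults with the record's starred overrides applied.

    Only the fields in OVERRIDABLE may be taken from the record; any other
    key on the record is ignored for settings purposes, so a record cannot
    redefine policy fields the slide does not mark as overridable."""
    settings = dict(policy)
    for field in OVERRIDABLE:
        if field in record:
            settings[field] = record[field]
    return settings


def parse_timestamp(value: str) -> datetime:
    """The slide's timestamp carries no zone; treat it as UTC (assumption)."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def is_expired(record: dict, now_iso: str) -> bool:
    """True once the record's expiration has been reached."""
    return parse_timestamp(now_iso) >= parse_timestamp(record["expiration"])


def resolve(raw: str, policy: dict, now_iso: str) -> dict:
    """Validate a record and decide what the agent may hand out.

    Returns the resolved settings, the expiry decision, and the secret only
    when the record is still valid.  Structural problems raise ValueError so
    a malformed record is refused rather than served with guessed defaults."""
    record = json.loads(raw)
    for required in ("mime_type", "expiration", "secret"):
        if required not in record:
            raise ValueError(f"record missing required field {required!r}")
    if not record["mime_type"].startswith("application/"):
        raise ValueError(f"unexpected mime_type {record['mime_type']!r}")

    expired = is_expired(record, now_iso)
    return {
        "name": record.get("name"),
        "settings": effective_settings(record, policy),
        "expired": expired,
        # Withhold the keying material once the record has expired.
        "secret": None if expired else record["secret"],
    }


if __name__ == "__main__":
    before = resolve(SAMPLE_RECORD, POLICY_DEFAULTS, "2014-01-01T00:00:00")
    after = resolve(SAMPLE_RECORD, POLICY_DEFAULTS, "2014-03-01T00:00:00")
    print("before expiry:", before["settings"], "secret served:", before["secret"] is not None)
    print("after expiry: ", after["settings"], "secret served:", after["secret"] is not None)
```

With the constructed policy, the resolved settings for this record are owner and group "myapp" and cacheable false, because the record's starred values replace the policy defaults; a record that omits those fields inherits root/root/cacheable true. The "cacheable": false outcome is what an agent that mounts a directory would consult before deciding whether the secret may persist on local disk.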