
Chaos_Engineering_for_Cloud_Native_Security.pdf


Human errors and misconfiguration-based vulnerabilities have become a major cause of data breaches and other forms of security attacks in cloud native infrastructure (CNI). We present CloudStrike to tackle these security issues. CloudStrike employs Risk-driven Fault Injection, a derivative of chaos engineering. CloudStrike injects failures that impact the security (i.e. integrity, confidentiality and availability) of cloud systems. CloudStrike has been evaluated using multi-cloud enterprise environments based on AWS and Google Cloud Platforms. These evaluations demonstrate the feasibility of our proposals.


Kennedy Torkura

February 21, 2020

Transcript

  1. Chaos Engineering for Cloud Native Security. Kennedy Torkura, BSides Berlin 2020
  2. Cloud Native Security: the 4Cs of cloud native security. "Cloud native infrastructure is infrastructure that is hidden behind useful abstractions, controlled by APIs, managed by software, and has the purpose of running applications (cloud native applications)." - Kris Nova et al. Cloud native security is about securing cloud native infrastructure.
  3. Most cloud security incidents are caused by users ▪ User focused security (cloud customer) □ Shared security responsibility model □ Users are responsible for security e.g. configuration of cloud assets ▪ CSA Top Threats to Cloud Computing: □ #1 - Data breaches – Cloud storage – Cloud IAM □ #2 - Misconfiguration and inadequate change control ▪ OWASP Top 10 - Security misconfiguration. Cloud Security
  4. Cloud Mis-configurations [diagram labels: users, bucket, groups, policy, policy, virtual machine]
  5. Cloud Mis-configurations * Deploy time/orchestration ▪ Terraform ▪ CloudFormation ▪ Chef …. ⇒ Visibility into the cloud state ⇒ Validation of the efficiency of security tools
  6. Chaos Engineering. "Chaos Engineering is the discipline of experimenting on a system in order to build confidence in the system’s capability to withstand turbulent conditions in production" - principlesofchaos.org. Immunity by Infection -> Vaccination ▪ Protect our bodies by introducing disease-like substances ▪ Our bodies are tricked to believe the substances are real ▪ Our immune systems are triggered to develop appropriate defences
  7. Chaos Engineering ▪ Chaos engineering is a fancy name for fault injection ▪ Fault injection is a concept that emanates from scientific research ▪ Chaos engineering is not about recklessness but entails careful planning, experimentation and observation
  8. Security Chaos Engineering ▪ The benefits of chaos engineering go beyond performance and availability aspects of resilience ▪ Resilience is defined as the “ability to persist dependability” ▪ Security is a core attribute of dependability ▪ Chaos engineering concepts are also suitable for gaining confidence in security attributes
  9. Risk Driven Fault Injection. Risk-driven Fault Injection aims at injecting security faults (perturbations) into cloud systems in order to detect security weaknesses and enable remediations e.g. security hardening
  10. Risk Driven Fault Injection. Chaos Actions ▪ Create ▪ Delete ▪ Modify [diagram labels: users, bucket, groups, policy, policy, virtual machine] Note: Do not delete databases, storage etc.
  11. Risk Driven Fault Injection. High level architecture of CloudStrike. Results of an experiment
  12. Risk Driven Fault Injection Security Fault Engine

  13. Risk Driven Fault Injection. [flowchart: start -> create user Bob -> get cloud buckets -> select random bucket -> create malicious policy -> assign policy to Bob & bucket -> end] An example of an experiment hypothesis: cloud buckets are secure
  14. DEMO

  15. State Recovery After Experiment

  16. Risk Driven Fault Injection ▪ Modes of operation: □ Low - 30% □ Medium - 60% □ High - 90% ▪ Attack scenario: chaining of multiple attack points
  17. Conclusion • Cloud native security entails securing cloud native infrastructures • Traditional security tooling is not sufficient for the contemporary security challenges • Security chaos engineering is a viable option for improving cloud native security
  18. Thank you for listening! Chaos Engineering for Cloud Native Security. Email: run2obtain@gmail.com Twitter: @run2obtain Website: http://ktorkura.me/portfolio/ Medium: https://medium.com/@run2obtain
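
The experiment flow on slide 13 and the state recovery step on slide 15, as an added Python example that is not CloudStrike's code. It runs against a constructed in-memory model rather than a cloud API; the `audit` detector, the policy fields and the rule that the hypothesis holds only when the detector flags the injected policy are assumptions.

```python
import copy
import random

def sample_state():
    """Constructed in-memory stand-in for cloud state; no cloud API is called."""
    return {
        "users": ["alice"],
        "buckets": ["logs", "backups", "invoices"],
        "policies": [{"name": "alice-logs-read", "user": "alice",
                      "bucket": "logs", "actions": ["read"]}],
    }

def audit(state, baseline):
    """Hypothetical detector: flag users and policies absent from the baseline."""
    known = {p["name"] for p in baseline["policies"]}
    findings = [("unexpected-user", u) for u in state["users"]
                if u not in baseline["users"]]
    findings += [("unexpected-policy", p["name"]) for p in state["policies"]
                 if p["name"] not in known]
    return findings

def run_experiment(state, detector, rng):
    """Inject the slide-13 fault, ask the detector, then restore the snapshot."""
    snapshot = copy.deepcopy(state)               # kept for state recovery
    state["users"].append("Bob")                  # create user Bob
    bucket = rng.choice(state["buckets"])         # get buckets, select one at random
    fault = {"name": f"chaos-{bucket}", "user": "Bob",
             "bucket": bucket, "actions": ["*"]}  # over-permissive policy
    state["policies"].append(fault)               # assign policy to Bob & bucket
    try:
        findings = detector(state, snapshot)
    finally:                                      # recover even if the detector fails
        state.clear()
        state.update(copy.deepcopy(snapshot))
    return {
        "bucket": bucket,
        "findings": findings,
        "detected": ("unexpected-policy", fault["name"]) in findings,
        "recovered": state == snapshot,
    }

if __name__ == "__main__":
    cloud = sample_state()
    for name, detector in [("baseline audit", audit), ("no monitoring", lambda s, b: [])]:
        result = run_experiment(cloud, detector, random.Random(2020))
        verdict = "holds" if result["detected"] else "is refuted"
        print(f"{name}: hypothesis {verdict}; recovered={result['recovered']}")
```

A run with the second, empty detector is the outcome the experiment exists to surface: the fault was injected and nothing noticed it.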