Chaos_Engineering_for_Cloud_Native_Security.pdf

Transcript

1. Chaos Engineering for Cloud Native Security Kennedy Torkura BSides Berlin

   2020

2. 1 Cloud Native Security the 4Cs of cloud native security

   Cloud native infrastructure is infrastructure that is hidden behind useful abstractions, controlled by APIs, managed by software, and has the purpose of running applications (cloud native applications). - Kris Nova et. al Cloud native security is about securing cloud native infrastructure.

3. 1 Most cloud security incidents are caused by users ▪

   User focused security (cloud customer) □ Shared security responsibility model □ Users are responsible for security e.g. configuration of cloud assets ▪ CSA Top Threats to Cloud Computing: □ #1- Data breaches – Cloud storage – Cloud IAM □ #2 Misconfiguration and inadequate change control ▪ OWASP Top 10 - Security misconfiguration Cloud Security

4. Cloud Mis-configurations users bucket groups policy policy virtual machine

5. Cloud Mis-configurations * Deploy time/orchestration ▪ Terraform ▪ CloudFormation ▪

   Chef …. ⇒ Visibility into the cloud state ⇒ Validation of the efficiency of security tools

6. Chaos Engineering Chaos Engineering is the discipline of experimenting on

   a system in order to build confidence in the system’s capability to withstand turbulent conditions in production - principlesofchaos.org Immunity by Infection -> Vaccination ▪ Protect our bodies by introducing disease-like substances ▪ Our bodies are tricked to believe the substances are real ▪ Our immune systems are triggered to develop appropriate defences

7. Chaos Engineering ▪ Chaos engineering is a fancy name for

   fault injection ▪ Fault injection is a concept that emanates from scientific research ▪ Chaos engineering is not about recklessness but entails careful planning, experimentation and observation

8. Security Chaos Engineering ▪ The benefits of chaos engineering go

   beyond performance and availability aspects of resiliencel ▪ Resilience is defined as the “ability to persist dependability” ▪ Security is a core attribute of dependability ▪ Chaos engineering concepts are also suitable for gaining confidence is security attributes

9. Risk Driven Fault Injection Risk-driven Fault Injection aims at injecting

   security faults (perturbations) into cloud systems in order to detect security weaknesses and enable remediations e.g. security hardening

10. Risk Driven Fault Injection Chaos Actions ▪ Create ▪ Delete

    ▪ Modify users bucket groups policy policy virtual machine Note Do not delete databases, storage etc

11. Risk Driven Fault Injection High level architecture of CloudStrike Results

    of an experiment

12. Risk Driven Fault Injection Security Fault Engine

13. Risk Driven Fault Injection start create user Bob get cloud

    buckets select random bucket create malicious policy assign policy to Bob & bucket end An example of an experiment hypothesis: cloud buckets are secure

14. DEMO

15. State Recovery After Experiment

16. Risk Driven Fault Injection ▪ Modes of operation: □ Low-

    30% □ Medium - 60% □ High - 90% ▪ Attack scenario: chaining of multiple attack points

17. Conclusion • Cloud native security entails securing cloud native infrastructures

    • Traditional security tooling is not sufficient for the contemporary security challenges • Security chaos engineering is a viable option for improving cloud native security

18. Thank you for listening ! Chaos Engineering for Cloud Native

    Security Email: [email protected] Twitter: @run2obtain Website: http:/ /ktorkura.me/portfolio/ Meduim:https:/ /medium.com/@run2obtain