Cloud Security for Everyone

Madhu Akula

April 29, 2017

Transcript

  1. CLOUD SECURITY FOR EVERYONE
     - SDN + IOT + NETWORK VIRTUALIZATION ENTHUSIASTS MEETUP
     - Madhu Akula, Automation Ninja @ Appsecco
     - 29th April 2017, Bengaluru
  2. ABOUT ME
     - Automation Ninja @Appsecco
     - Interested in Security, DevOps and Cloud
     - Speaker & Trainer at Defcon, DevSecCon, AllDayDevOps, etc.
     - Found bugs in Google, Microsoft, Yahoo, etc.
     - Never ending learner!
     - Follow me (or) Tweet to me @madhuakula
  3. WHAT IS CLOUD COMPUTING?
     computing in which large groups of remote servers are networked to allow the centralized data storage, and online access to computer services or resources. - http://en.wikipedia.org/wiki/Cloud_computing
  4. WHAT ARE THE KEY RESOURCES?
     - Virtualization
     - Service Oriented Architecture (SOA)
     - Programmable APIs
     - High speed Networks
     - Management Layer
  5. SOME OF THE CLOUD SECURITY CONTROLS
     - Don't use the root account (delete or disable its access key)
     - Admins should have a written/verbal policy that we don't create access keys for the root account
  6. CLOUD SECURITY CONTROLS (CONTD.)
     - Use MFA (Multi Factor Authentication) for all IAM accounts
     - Google Authenticator
     - YubiKey | Gemalto (Hardware)
  7. CLOUD SECURITY CONTROLS (CONTD.)
     - Make credentials hard to guess
     - If they guess we have MFA
     - Root account is king, protect
  8. CLOUD SECURITY CONTROLS (CONTD.)
     - Monitoring
     - Hardening failed, how to know?
     - Alert on anomalies
     - Customizing services for alerts
  9. CLOUD SECURITY CONTROLS (CONTD.)
     - CloudTrail: logs
     - SNS: Simple Notification Service
     - Config: alerts for modifications & non compliance
     - CloudWatch
  10. BASIC INCIDENT RESPONSE
      - Who to contact (update contact list)
      - How to communicate (speak only over phone)
      - What information to parse
      - Where your backups are located and how they are secured
  11. BASIC INCIDENT RESPONSE (CONTD.)
      - Don't use AWS as the backup for your AWS
      - Offsite backups
      - Common things to back up
        - databases/snapshots
        - S3 buckets
        - EBS volumes
        - CloudFormation templates
      - Have a plan and practice that plan (like every 6 months)
  12. VPN TO VPC (CLOUD TO DATACENTER)
      - General observations
      - Setting up is not hard
      - Zero control over the encryption
      - Routing between both is a pain
      - Think carefully through the CIDR chosen for the VPC. Otherwise you have to destroy or rebuild.
      - Monitoring VPN/VPC heavily
      - VPC flow logs very specific for naming conventions (for alerts & other)
  13. DO WE NEED TO WORRY ABOUT OUR DATA, OUR INFRA, OUR APPS STORED IN THE PUBLIC CLOUD?
  14. APP INSECURITY SCENARIO
      - App has a Local File Inclusion bug
      - The AWS root credentials are being used
      - They are stored in a world readable file on the server
      - Attacker reads the credentials and starts multiple large instances to mine bitcoins
      - Victim saddled with a massive bill at the end of the month
  15. INFRA INSECURITY SCENARIO
      - MySQL Production database is listening on external port
      - Developers work directly on production database and require SQL Management Software
      - They log in using the root user of MySQL Database server and a simple password
      - Attacker runs a brute force script and cracks the password, gains full access to the database
  16. DATA INSECURITY SCENARIO
      - Database is getting backed up regularly
      - Due to performance reasons, database wasn’t encrypted when initial backups were done
      - Dev team moves to newer type SSDs and doesn’t decommission older HDDs
      - Attacker finds older HDD, does forensics for data recovery and sells the data for profit
  17. 60% of small companies that suffer a cyber attack are out of business within six months. - US National Cyber Security Alliance
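
Slides 5 to 9 pair the root-account and MFA controls with CloudTrail-based alerting. The following is an added example, not part of the original deck, showing what such alert rules can look like when run over CloudTrail records. The sample records are constructed, and the function name `find_alerts` and the rule names are assumptions made for illustration.

```python
# Constructed CloudTrail-style records (not real logs); names and key IDs are placeholders.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "RunInstances", "responseElements": None,
     "userIdentity": {"type": "Root", "accessKeyId": "AKIAEXAMPLEEXAMPLE00"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
]


def find_alerts(events):
    """Return (rule, principal, eventName) tuples for root use and MFA-less console logins."""
    alerts = []
    for ev in events:
        ident = ev.get("userIdentity") or {}
        who = ident.get("userName") or ident.get("type", "unknown")
        name = ev.get("eventName", "")
        if ident.get("type") == "Root":
            # Any root activity is worth an alert: day-to-day work should use IAM users/roles.
            alerts.append(("root-activity", who, name))
            # Long-term access key IDs start with AKIA; a root one should not exist at all.
            if (ident.get("accessKeyId") or "").startswith("AKIA"):
                alerts.append(("root-access-key-used", who, name))
        # responseElements/additionalEventData may be null in real records, hence "or {}".
        login_ok = (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
        if name == "ConsoleLogin" and login_ok and mfa != "Yes":
            alerts.append(("console-login-without-mfa", who, name))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(*alert, sep="\t")
```
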