
Cloud Security for Everyone


Madhu Akula

April 29, 2017

Transcript

  1. CLOUD SECURITY FOR EVERYONE
    SDN + IOT + NETWORK VIRTUALIZATION ENTHUSIASTS MEETUP
    Madhu Akula, Automation Ninja @ Appsecco
    29th April 2017, Bengaluru
  2. ABOUT ME
    Automation Ninja @Appsecco
    Interested in Security, DevOps and Cloud
    Speaker & Trainer at Defcon, DevSecCon, AllDayDevOps, etc.
    Found bugs in Google, Microsoft, Yahoo, etc.
    Never ending learner!
    Follow me (or) Tweet to me @madhuakula
  3. WHAT IS CLOUD COMPUTING?
    Computing in which large groups of remote servers are networked to allow the centralized data storage, and online access to computer services or resources.
    - http://en.wikipedia.org/wiki/Cloud_computing
  4. WHAT ARE THE KEY RESOURCES?
    Virtualization
    Service Oriented Architecture (SOA)
    Programmable APIs
    High speed Networks
    Management Layer
  5. CLOUD SERVICE MODELS
  6. CLOUD DEPLOYMENTS
    Public
    Private
    Hybrid
  7. PUBLIC CLOUD VENDORS
  8. SECURITY IN THE CLOUD
  9. SHARED RESPONSIBILITY
  10. SOME OF THE CLOUD SECURITY CONTROLS
    Don't use the root account (delete or disable its access key)
    Admins should have a written/verbal policy that we don't create access keys for the root account
  11. CLOUD SECURITY CONTROLS (CONTD.)
    Use MFA (Multi Factor Authentication) for all IAM accounts
    Google Authenticator
    YubiKey | Gemalto (Hardware)
  12. CLOUD SECURITY CONTROLS (CONTD.)
    IAM Security Policy
    TOTP
    Use 1Password for the team and share TOTP
  13. CLOUD SECURITY CONTROLS (CONTD.)
    Password Policy
    Complexity
    Rotation
    Other
  14. CLOUD SECURITY CONTROLS (CONTD.)
    Make credentials hard to guess
    If they guess, we have MFA
    Root account is king, protect it
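An added example, not code from the talk, of checking the IAM controls on slides 10 to 14 mechanically rather than by eye: it reads the CSV that `aws iam get-credential-report` returns and flags a root account that still has access keys or no MFA, console users without MFA, and passwords or access keys older than a rotation window. The report text, the account id, the user names and the 90-day window are constructed assumptions, and only a subset of the real report's columns is included.

```python
"""Audit an IAM credential report for the controls on slides 10 to 14:
no root access keys, MFA on every console login, rotated passwords and keys.
Added example, not code from the talk; the CSV below is constructed sample data
in the column layout of `aws iam get-credential-report` (a subset of the columns)."""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,true,2016-01-10T09:00:00+00:00,false,true,2016-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2017-03-01T10:00:00+00:00,true,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2016-08-15T10:00:00+00:00,false,true,2016-08-15T10:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,N/A,false,true,2017-04-01T08:00:00+00:00,false,N/A
"""

# Evaluation date pinned to the talk's date so the results are reproducible.
NOW = datetime(2017, 4, 29, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)  # assumed rotation window for passwords and keys


def _timestamp(value):
    """Credential reports use N/A / not_supported / no_information for 'no value'."""
    if value in ("N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_age=MAX_AGE):
    """Return a list of (user, finding) tuples; an empty list means every control passes."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_password = row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]

        if user == "<root_account>":
            # Slide 10: root should have no access keys at all; slide 14: root is king.
            for n in active_keys:
                findings.append((user, f"root access key {n} is active; delete it"))
            if not has_mfa:
                findings.append((user, "root account has no MFA"))
            continue

        # Slide 11: MFA for every IAM account that can log in to the console.
        if has_password and not has_mfa:
            findings.append((user, "console password enabled without MFA"))

        # Slide 13: password rotation.
        changed = _timestamp(row["password_last_changed"]) if has_password else None
        if changed is not None and now - changed > max_age:
            findings.append((user, f"password not rotated in {max_age.days} days"))

        # Long-lived access keys are the credential most often leaked (see slide 22).
        for n in active_keys:
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > max_age:
                findings.append((user, f"access key {n} not rotated in {max_age.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:15} {finding}")
```

On the sample data the root account is flagged twice (active key, no MFA) and bob three times (no MFA, stale password, stale key); alice and the key-only deploy-bot user pass. Running this on a schedule and diffing the output against the previous run is the simplest way to turn slide 10's "written/verbal policy" into something that is actually enforced.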
  15. CLOUD SECURITY CONTROLS (CONTD.)
    S3 bucket policies
    Security Groups
    Trusted Advisor
  16. CLOUD SECURITY CONTROLS (CONTD.)
    Monitoring
    Hardening failed, how do we know?
    Alert on anomalies
    Customizing services for alerts
  17. CLOUD SECURITY CONTROLS (CONTD.)
    CloudTrail: logs
    SNS: Simple Notification Service
    Config: alerts for modifications & non-compliance
    CloudWatch
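An added example, not code from the talk, of the detection side of slides 16 and 17: it takes CloudTrail records and turns three of the anomalies the deck cares about into alerts (a root console login, a security group opened to the whole internet, and someone switching CloudTrail off). The records are constructed sample data in the CloudTrail record layout; the account id, security group id and trail name are made up, and in a real deployment the alert would be published to the SNS topic from slide 17 rather than printed.

```python
"""Turn CloudTrail records into alerts, answering "hardening failed, how do we know?"
from slides 16 and 17. Added example, not code from the talk. The records below are
constructed sample data in the CloudTrail record layout; ids and names are made up."""
import json

SAMPLE_TRAIL = json.loads("""
{"Records": [
  {"eventTime": "2017-04-29T08:00:00Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
   "responseElements": {"ConsoleLogin": "Success"}},
  {"eventTime": "2017-04-29T08:05:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "AuthorizeSecurityGroupIngress",
   "userIdentity": {"type": "IAMUser", "userName": "bob"},
   "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [
     {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
  {"eventTime": "2017-04-29T08:06:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DescribeInstances",
   "userIdentity": {"type": "IAMUser", "userName": "alice"}},
  {"eventTime": "2017-04-29T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
   "eventName": "StopLogging",
   "userIdentity": {"type": "IAMUser", "userName": "bob"},
   "requestParameters": {"name": "management-trail"}}
]}
""")["Records"]

WORLD = {"0.0.0.0/0", "::/0"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def _world_open_ranges(params):
    """Yield (fromPort, toPort, cidr) for ingress rules that are open to everyone."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for key in ("ipRanges", "ipv6Ranges"):
            for rng in perm.get(key, {}).get("items", []):
                cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
                if cidr in WORLD:
                    yield perm.get("fromPort"), perm.get("toPort"), cidr


def classify(record):
    """Return an alert name for a record, or None if it is not alert-worthy."""
    name = record.get("eventName", "")
    source = record.get("eventSource", "")
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root" and name == "ConsoleLogin":
        return "ROOT_CONSOLE_LOGIN"              # slides 10/14: root is not for daily use
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        return "CLOUDTRAIL_TAMPERING"            # the logs themselves are being turned off
    if name == "AuthorizeSecurityGroupIngress":
        if any(True for _ in _world_open_ranges(record.get("requestParameters", {}))):
            return "SECURITY_GROUP_OPEN_TO_WORLD"  # slides 15/23: e.g. a database port exposed
    return None


def scan(records):
    """Return alerts for a list of CloudTrail records as (time, who, event, alert) tuples."""
    alerts = []
    for record in records:
        alert = classify(record)
        if alert:
            identity = record.get("userIdentity", {})
            who = identity.get("userName", identity.get("type"))
            alerts.append((record["eventTime"], who, record["eventName"], alert))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAIL):
        print(*alert)  # a real deployment would publish this to an SNS topic (slide 17)
```

The three rules mirror the kind of CloudWatch metric filters the CIS benchmark linked on slide 33 recommends; the benign DescribeInstances call is there to show that the classifier stays quiet on ordinary read-only activity.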
  18. BASIC INCIDENT RESPONSE
    Who to contact (update the contact list)
    How to communicate (speak only over phone)
    What information to parse
    Where your backups are located and how they are secured
  19. BASIC INCIDENT RESPONSE (CONTD.)
    Don't use AWS to back up your AWS
    Offsite backups
    Common things to back up: databases/snapshots, S3 buckets, EBS volumes, CloudFormation templates
    Have a plan and practice that plan (like every 6 months)
  20. VPN TO VPC (CLOUD TO DATACENTER)
    General observations
    Setting up is not hard
    Zero control over the encryption
    Routing between both is a pain
    Think carefully through the CIDR chosen for the VPC. Otherwise you have to destroy or rebuild.
    Monitor VPN/VPC heavily
    VPC flow logs: be very specific with naming conventions (for alerts & other uses)
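An added example, not code from the talk, of what "monitor VPN/VPC heavily" with VPC flow logs looks like in practice: it parses default-format flow log records, raises an alert for accepted inbound traffic from outside the VPC to an admin or database port (the exposed-MySQL situation on slide 23), and notes sources whose rejected flows touched several ports on one host. The log lines, addresses, interface id and the 10.0.0.0/16 VPC CIDR are constructed assumptions.

```python
"""Triage VPC flow log records, for "monitor VPN/VPC heavily" on slide 20 and the
exposed database port on slide 23. Added example, not code from the talk. The records
below are constructed sample data in the default flow log format (version account-id
interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action
log-status); addresses and ids are made up."""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 3306 6 10 840 1493424000 1493424060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.7 10.0.1.20 44321 3306 6 20 2400 1493424000 1493424060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40001 22 6 1 60 1493424000 1493424060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40002 23 6 1 60 1493424000 1493424060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40003 3389 6 1 60 1493424000 1493424060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.50 33000 443 6 15 3000 1493424000 1493424060 ACCEPT OK
"""

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC CIDR (slide 20: choose it carefully)
SENSITIVE_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp", 5432: "postgres"}


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts; skips NODATA/SKIPDATA lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no traffic was captured in that window
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def external_hits_on_sensitive_ports(records, vpc_cidr=VPC_CIDR):
    """Accepted inbound flows from outside the VPC to an admin or database port."""
    hits = []
    for rec in records:
        src_inside = ipaddress.ip_address(rec["srcaddr"]) in vpc_cidr
        if rec["action"] == "ACCEPT" and not src_inside and rec["dstport"] in SENSITIVE_PORTS:
            hits.append(rec)
    return hits


def rejected_port_sweeps(records, min_ports=3):
    """Sources whose rejected flows touched at least min_ports distinct ports on one host."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])
    return {src: sorted(p) for (src, _dst), p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for hit in external_hits_on_sensitive_ports(recs):
        service = SENSITIVE_PORTS[hit["dstport"]]
        print(f"ALERT {hit['srcaddr']} -> {hit['dstaddr']}:{hit['dstport']} ({service}) accepted")
    for src, swept in rejected_port_sweeps(recs).items():
        print(f"NOTE  {src} probed ports {swept} and was rejected")
```

Only the first line produces an alert: an accepted connection to MySQL from an address outside the VPC, which is exactly the condition a security group should have prevented. The in-VPC connection to the same port and the outbound HTTPS flow are left alone, and the three rejects from one source are reported as a sweep rather than as three separate events.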
  21. DO WE NEED TO WORRY ABOUT OUR DATA, OUR INFRA, OUR APPS STORED IN THE PUBLIC CLOUD?
  22. APP INSECURITY SCENARIO
    App has a Local File Inclusion bug
    The AWS root credentials are being used
    They are stored in a world readable file on the server
    Attacker reads the credentials and starts multiple large instances to mine bitcoins
    Victim saddled with a massive bill at the end of the month
  23. INFRA INSECURITY SCENARIO
    MySQL production database is listening on an external port
    Developers work directly on the production database and require SQL management software
    They log in using the root user of the MySQL database server and a simple password
    Attacker runs a brute force script and cracks the password, gains full access to the database
  24. DATA INSECURITY SCENARIO
    Database is getting backed up regularly
    Due to performance reasons, the database wasn't encrypted when initial backups were done
    Dev team moves to newer type SSDs and doesn't decommission older HDDs
    Attacker finds an older HDD, does forensics for data recovery and sells the data for profit
  25. DEMO TIME!!!
  26. 10 STEPS TO SECURE CLOUD DEPLOYMENT (INFRASTRUCTURE)
    10 steps checklist
  27. 60% of small companies that suffer a cyber attack are out of business within six months. - US National Cyber Security Alliance
  28. LET'S ASSUME WE HAVE A BREACH
    Protect
    Detect
    Respond
  29. PROTECTION
    Identity
    Multi-factor authentication
    Network Segmentation
    Encryption
    Secret Management
  30. DETECTION
    Monitoring and Alerting
    Log user access
    Changes
    Network activity
    Security events
    Alerting and Testing
  31. RESPOND
    Incident Drills
    Have a script
    Practice regularly
    Red teaming
  32. REFERENCES
    https://www.slideshare.net/akashm/security-in-the-cloud-workshop-hstc-2014
    https://twitter.com/markrussinovich/status/796035712688721
    https://www.youtube.com/watch?v=g-wy9NdATtA
  33. RESOURCES
    https://downloads.cloudsecurityalliance.org/assets/research/guidance/csaguide.v3.0.pdf
    http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport
    https://benchmarks.cisecurity.org/downloads/latest/
  34. QUESTIONS | @madhuakula @appseccouk