Cloud Security for Everyone

Madhu Akula

April 29, 2017

Transcript

  1. CLOUD SECURITY FOR
    EVERYONE
    SDN + IOT + NETWORK VIRTUALIZATION
    ENTHUSIASTS MEETUP
    Madhu Akula, Automation Ninja @ Appsecco
    29th April 2017, Bengaluru

  2. ABOUT ME
    Automation Ninja @Appsecco
    Interested in Security, DevOps and Cloud
    Speaker & Trainer at Defcon, DevSecCon, AllDayDevOps,
    etc.
    Found bugs in Google, Microsoft, Yahoo, etc.
    Never ending learner!
    Follow me (or) Tweet to me @madhuakula

  3. WHAT IS CLOUD COMPUTING?
    computing in which large groups of remote
    servers are networked to allow the centralized
    data storage, and online access to computer
    services or resources. -
    http://en.wikipedia.org/wiki/Cloud_computing

  4. WHAT ARE THE KEY RESOURCES?
    Virtualization
    Service Oriented Architecture (SOA)
    Programmable APIs
    High speed Networks
    Management Layer

  5. CLOUD SERVICE MODELS

  6. CLOUD DEPLOYMENTS
    Public
    Private
    Hybrid

  7. PUBLIC CLOUD VENDORS

  8. SECURITY IN THE CLOUD

  9. SHARED RESPONSIBILITY

  10. SOME OF THE CLOUD SECURITY CONTROLS
    Don't use the root account (delete or disable its access keys)
    Admins should have a written/verbal policy that we don't
    create access keys for the root account

  11. CLOUD SECURITY CONTROLS (CONTD.)
    Use MFA (Multi Factor Authentication) for all IAM accounts
    Google Authenticator
    YubiKey | Gemalto (Hardware)

  12. CLOUD SECURITY CONTROLS (CONTD.)
    IAM Security Policy
    TOTP
    Use 1Password for the team and share TOTP

  13. CLOUD SECURITY CONTROLS (CONTD.)
    Password Policy
    Complexity
    Rotation
    Other

  14. CLOUD SECURITY CONTROLS (CONTD.)
    Make credentials hard to guess
    If they guess we have MFA
    Root account is king, protect

  15. CLOUD SECURITY CONTROLS (CONTD.)
    S3 bucket policies
    Security Groups
    Trusted Advisor

  16. CLOUD SECURITY CONTROLS (CONTD.)
    Monitoring
    Hardening failed, how to know?
    Alert on anomalies
    Customizing services for alerts

  17. CLOUD SECURITY CONTROLS (CONTD.)
    CloudTrail: logs
    SNS: Simple Notification Service
    Config: alerts for modifications & non-compliance
    CloudWatch
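    An added illustration, not part of the deck, of the "hardening failed, how to know?" point in slides 10, 11, 16 and 17: a small Python checker run over constructed CloudTrail records that flags use of the root account, an access key created for root, a console login without MFA, and a security group rule opened to 0.0.0.0/0 (the externally reachable MySQL port from the infra scenario later in the deck). The account id, group id and IP addresses are placeholders; the alert strings are what you would hand to SNS.

```python
SAMPLE_EVENTS = [  # constructed CloudTrail records; ids and addresses are placeholders
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.10"},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "requestParameters": None},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"},
     "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}},
]


def check_event(ev):
    """Return the alerts raised by one CloudTrail record (empty list if benign)."""
    alerts = []
    ident = ev.get("userIdentity") or {}
    name = ev.get("eventName", "")
    # Slide 10: the root account is not for day-to-day use and must never get an access key.
    if ident.get("type") == "Root":
        alerts.append(f"root account used: {name}")
        if name == "CreateAccessKey":
            alerts.append("access key created for the root account")
    # Slide 11: every console login should be protected by MFA.
    mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
    if name == "ConsoleLogin" and mfa == "No":
        alerts.append(f"console login without MFA from {ev.get('sourceIPAddress')}")
    # Slide 15: a security group rule that opens a port to the whole internet.
    if name == "AuthorizeSecurityGroupIngress":
        params = ev.get("requestParameters") or {}
        for perm in (params.get("ipPermissions") or {}).get("items", []):
            for rng in (perm.get("ipRanges") or {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    alerts.append(f"{params.get('groupId')} opened "
                                  f"{perm.get('fromPort')}/{perm.get('ipProtocol')} to 0.0.0.0/0")
    return alerts


def scan(events):
    """Run check_event over a batch; returns (index, alert) pairs to publish to SNS."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]


if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```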

  18. BASIC INCIDENT RESPONSE
    Who to contact (update contact list)
    How to communicate (speak only over phone)
    What information to parse
    Where your backups are located and how they are secured

  19. BASIC INCIDENT RESPONSE (CONTD.)
    Don't use AWS to backup for your AWS
    Offsite backups
    Common things to backup
    databases/snapshots
    s3 buckets
    EBS volumes
    CloudFormation templates
    Have a plan and practice that plan (like every 6 months)

  20. VPN TO VPC (CLOUD TO DATACENTER)
    General observations
    Setting up is not hard
    Zero control over the encryption
    Routing between both is a pain
    Think carefully through the CIDR chosen for the VPC.
    Otherwise you have to destroy and rebuild.
    Monitor the VPN/VPC heavily
    VPC flow logs
    very specific for naming conventions (for alerts & other)

  21. DO WE NEED TO WORRY ABOUT OUR DATA,
    OUR INFRA, OUR APPS STORED IN THE PUBLIC
    CLOUD?

  22. APP INSECURITY SCENARIO
    App has a Local File Inclusion bug
    The AWS root credentials are being used
    They are stored in a world readable file on the server
    Attacker reads the credentials and starts multiple large
    instances to mine bitcoins
    Victim saddled with a massive bill at the end of the month

  23. INFRA INSECURITY SCENARIO
    MySQL Production database is listening on external port
    Developers work directly on production database and
    require SQL management software
    They log in using the root user of MySQL Database server
    and a simple password
    Attacker runs a brute force script and cracks the
    password, gains full access to the database

  24. DATA INSECURITY SCENARIO
    Database is getting backed up regularly
    Due to performance reasons, database wasn’t encrypted
    when initial backups were done
    Dev team moves to newer type SSDs and doesn’t
    decommission older HDDs
    Attacker finds older HDD, does forensics for data recovery
    and sells the data for profit

  25. DEMO TIME!!!

  26. 10 STEPS TO SECURE CLOUD DEPLOYMENT
    (INFRASTRUCTURE)
    10 steps checklist

  27. 60% of small companies that suffer a cyber
    attack are out of business within six
    months.
    - US National Cyber Security Alliance

  28. LET'S ASSUME WE HAVE A BREACH
    Protect
    Detect
    Respond

  29. PROTECTION
    Identity
    Multi-factor authentication
    Network Segmentation
    Encryption
    Secret Management

  30. DETECTION
    Monitoring and Alerting
    Log user access
    Changes
    Network activity
    Security events
    Alerting and Testing

  31. RESPOND
    Incident Drills
    Have a script
    Practice regularly
    Red teaming

  32. REFERENCES
    https://www.slideshare.net/akashm/security-in-the-cloud-workshop-hstc-2014
    https://twitter.com/markrussinovich/status/796035712688721
    https://www.youtube.com/watch?v=g-wy9NdATtA

  33. RESOURCES
    https://downloads.cloudsecurityalliance.org/assets/research/guidance/csaguide.v3.0.pdf
    http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport
    https://benchmarks.cisecurity.org/downloads/latest/

  34. QUESTIONS
    @madhuakula @appseccouk
