Getting Started with Your Journey into Cloud Security - SOSC devhost:21

Getting Started with Your
Journey into Cloud Security
Madhu Akula
devhost : 21

View Slide

About - Madhu Akula
● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many others
● Speaker & Trainer at BlackHat, DEFCON, GitHub, USENIX, OWASP, All Day
DevOps, DevSecCon, c0c0n, Nullcon, SACON, null, many others
● Co-Author of Security Automation with Ansible 2
● Technical Reviewer & Review Board Member for books, conferences, etc.
● Found security vulnerabilities in 200+ organizations and products including
Google, Microsoft, AT&T, Adobe, WordPress, Ntop, many others
● Offensive Security Certiﬁed Professional & Certiﬁed Kubernetes Administrator
● Never Ending Learner!

View Slide

Why Cloud Security?
Capital One to pay
$80M in connection
with massive data
breach
Docker Hub
repository was
compromised
exposing 190,000
accounts
Accenture left a huge
trove of highly
sensitive data on
exposed servers

View Slide

What is Cloud Security?
There are many deﬁnitions and explanations for this. But in my personal opinion,
Cloud Security is primarily ensuring the shared responsibility between the provider
and customer. This means provider will take care of some responsibility and as a
customer, we have to take certain responsibilities of security.

View Slide

Disclaimer
This session is completely for educational purposes only. DO NOT use these
techniques, scripts, tools, and methods to hack any other systems, it is completely
prohibited unless you have permission.

View Slide

Friendly Disclaimer
Most of the content you will be seeing in the coming slides and examples will be
related to the AWS (Amazon Web Services). But this is to showcase you a getting
started path with just one cloud provider with security focused, this does mean the
similar concepts and methodologies applies to the all other cloud providers as well.
Please use the speciﬁc references and resources (terminology might change) in the
internet available when mapping them and ﬁnding resources.

View Slide

Different types of Cloud Service Providers
● Public Cloud
○ AWS, Azure, GCP, etc.
● Private Cloud
○ RedHat, VMWare, etc.
● Hybrid Cloud
Source: Logan Westberg on LinkedIn

View Slide

Cloud Service Models
● Infrastructure as a Service (IaaS)
○ OpenStack, VMWare, etc.
● Platform as a Service (PaaS)
○ Heroku, Google App Engine, etc.
● Software as a Service (SaaS)
○ Salesforce, Zoho, etc.

View Slide

Shared Responsibility - Pizza as a Service
https://medium.com/@pkerrison/pizza-as-a-service-2-0-5085cd4c365e

View Slide

Shared Responsibility
1. “Security of the Cloud” - AWS is responsible for protecting the infrastructure
that runs all of the services offered in the AWS Cloud. This infrastructure is
composed of the hardware, software, networking, and facilities that run AWS
Cloud services
2. “Security in the Cloud” – Customer responsibility will be determined by the
AWS Cloud services that a customer selects. This determines the amount of
conﬁguration work the customer must perform as part of their security
responsibilities

View Slide

Shared Responsibility - AWS
https://aws.amazon.com/compliance/shared-responsibility-model/

View Slide

AWS Security Primer
https://cloudonaut.io/aws-security-primer

View Slide

AWS in Plain English
https://expeditedsecurity.com/aws-in-plain-english/

View Slide

Get started with AWS - Free AWS Learning for Beginners
https://dannys.cloud/amp/10-best-free-aws-learning-resources-for-beginners

View Slide

AWS Cloud Security Pillars
1. Identity and Access Management
2. Detection
3. Infrastructure Protection
4. Data Protection
5. Incident Response

View Slide

Identity and access management are key parts of an information security program,
ensuring that only authorized and authenticated users and components are able to
access your resources, and only in a manner that you intend. For example, you
should deﬁne principals (that is, accounts, users, roles, and services that can perform
actions in your account), build out policies aligned with these principals, and
implement strong credential management. These privilege-management elements
form the core of authentication and authorization.
Identity and Access Management
https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html#sec.security

View Slide

You can use detective controls to identify a potential security threat or incident.
There are different types of detective controls. For example, conducting an
inventory of assets and their detailed attributes promotes more effective decision
making (and lifecycle controls) to help establish operational baselines. You can also
use internal auditing, an examination of controls related to information systems, to
ensure that practices meet policies and requirements and that you have set the
correct automated alerting notiﬁcations based on deﬁned conditions.
Detection

View Slide

Infrastructure protection encompasses control methodologies, such as defense in
depth, necessary to meet best practices and organizational or regulatory
obligations. Use of these methodologies is critical for successful, ongoing operations
in either the cloud or on-premises.
Infrastructure Protection

View Slide

Before architecting any system, foundational practices that influence security
should be in place. For example, data classification provides a way to categorize
organizational data based on levels of sensitivity, and encryption protects data by
way of rendering it unintelligible to unauthorized access. These tools and techniques
are important because they support objectives such as preventing financial loss or
complying with regulatory obligations.
Data Protection

View Slide

Even with extremely mature preventive and detective controls, your organization
should still put processes in place to respond to and mitigate the potential impact of
security incidents. The architecture of your workload strongly affects the ability of
your teams to operate effectively during an incident, to isolate or contain systems,
and to restore operations to a known good state.
Incident Response

View Slide

Strategic Security
1. Prevent - Deﬁne user permissions and identities, infrastructure protection, and
data protection measures for a smooth and planned AWS adoption strategy
2. Detect - Gain visibility into your organization’s security posture with logging
and monitoring services. Ingest this information into a scalable platform for
event management, testing, and auditing
3. Respond - Automated incident response and recovery to help shift the primary
focus of security teams from response to analyzing the root cause
4. Remediate - Leverage event-driven automation to quickly remediate and
secure your AWS environment in near real-time

View Slide

Learning the Cloud Security by Playing
● http://ﬂaws.cloud
● http://ﬂaws2.cloud

View Slide

Learn by playing the CTF - Cloud Goat
CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. It
allows you to hone your cloud cybersecurity skills by creating and completing
several "capture-the-ﬂag" style scenarios. Each scenario is composed of AWS
resources arranged together to create a structured learning experience
https://github.com/RhinoSecurityLabs/cloudgoat

View Slide

How you can learn step by step!
● Learning the technology, services and mainly terminology
● Then understanding their security controls for the service and best practices
● See if you can break anything or ﬁnd security issues (offensive side)
● Now you apply the security defense to the service/technology
● Then see how you can leverage that service/technology for security
● Finally learn to leverage the power of Automation (Terraform, Pulumi, etc.)
● Now you can understand different architecture patterns
● Keep iterating and learning more!

View Slide

Takeaways

View Slide

Resources & References
● https://cloudsecurityalliance.org
● https://cloudsecdocs.com
● https://cloudseclist.com
● https://tldrse§c.com
● https://workshops.aws
● https://awsworkshop.io
● https://summitroute.com
● https://github.com/open-guides/og-aws
● https://cloudonaut.io/page/1/
● https://www.youtube.com/watch?v=3hLmDS179YE
● https://www.aws.training/Details/eLearning?id=34259
● https://gist.github.com/leonardofed/bbf6459ad154ad5215d354f3825435dc
● https://gist.github.com/miglen/797fd38d0e26b9f68a1f
● https://asecure.cloud
● https://cloud.google.com/security/infrastructure/design/resources/google_infrastructure_whitepaper_fa.pdf
● https://aws.amazon.com/architecture/well-architected
● https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
● https://github.com/appsecco/breaking-and-pwning-apps-and-servers-aws-azure-training
● https://docs.microsoft.com/en-us/azure/security
● https://github.com/toniblyx/my-arsenal-of-aws-security-tools
● https://tools.tldr.run
● https://www.cloudsecuritypodcast.tv
● https://google.com

View Slide

Thank You!
https://madhuakula.com
@madhuakula
Madhu Akula

View Slide

Getting Started with Your Journey into Cloud Security - SOSC devhost:21

Getting Started with Your Journey into Cloud Security - SOSC devhost:21

Madhu Akula

More Decks by Madhu Akula

Other Decks in Technology

Featured

Transcript