
Getting Started with Your Journey into Cloud Security - SOSC devhost:21


Most organizations use cloud services in one way or another to run their workloads. In this session, we will see how we can get started on our journey in the vast domain of Cloud Security. Along with an interesting interaction to instill a deeper understanding of the fundamentals of working with the cloud, Madhu will share his experiences too.

SOSC devhost : 21 Event

Madhu Akula

May 15, 2021

Transcript

  1. Getting Started with Your
    Journey into Cloud Security
    Madhu Akula
    devhost : 21


  2. About - Madhu Akula
    ● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many others
    ● Speaker & Trainer at BlackHat, DEFCON, GitHub, USENIX, OWASP, All Day
    DevOps, DevSecCon, c0c0n, Nullcon, SACON, null, many others
    ● Co-Author of Security Automation with Ansible 2
    ● Technical Reviewer & Review Board Member for books, conferences, etc.
    ● Found security vulnerabilities in 200+ organizations and products including
    Google, Microsoft, AT&T, Adobe, WordPress, Ntop, many others
    ● Offensive Security Certified Professional & Certified Kubernetes Administrator
    ● Never Ending Learner!


  3. Why Cloud Security?
    ● Capital One to pay $80M in connection with massive data breach
    ● Docker Hub repository was compromised exposing 190,000 accounts
    ● Accenture left a huge trove of highly sensitive data on exposed servers


  4. What is Cloud Security?
    There are many definitions and explanations for this. But in my personal opinion,
    Cloud Security is primarily about ensuring the shared responsibility between the
    provider and the customer. This means the provider will take care of some
    responsibilities and, as a customer, we have to take on certain security
    responsibilities.


  5. Disclaimer
    This session is completely for educational purposes only. DO NOT use these
    techniques, scripts, tools, and methods to hack any other systems; it is completely
    prohibited unless you have permission.


  6. Friendly Disclaimer
    Most of the content you will see in the coming slides and examples relates to AWS
    (Amazon Web Services). This is to show you a security-focused getting-started path
    with just one cloud provider; the same concepts and methodologies apply to all other
    cloud providers as well. Please use the provider-specific references and resources
    available on the internet (terminology might change) when mapping them and
    finding resources.


  7. Different types of Cloud Service Providers
    ● Public Cloud
    ○ AWS, Azure, GCP, etc.
    ● Private Cloud
    ○ RedHat, VMWare, etc.
    ● Hybrid Cloud
    Source: Logan Westberg on LinkedIn


  8. Cloud Service Models
    ● Infrastructure as a Service (IaaS)
    ○ OpenStack, VMWare, etc.
    ● Platform as a Service (PaaS)
    ○ Heroku, Google App Engine, etc.
    ● Software as a Service (SaaS)
    ○ Salesforce, Zoho, etc.


  9. Shared Responsibility - Pizza as a Service
    https://medium.com/@pkerrison/pizza-as-a-service-2-0-5085cd4c365e


  10. Shared Responsibility
    1. “Security of the Cloud” - AWS is responsible for protecting the infrastructure
    that runs all of the services offered in the AWS Cloud. This infrastructure is
    composed of the hardware, software, networking, and facilities that run AWS
    Cloud services.
    2. “Security in the Cloud” - Customer responsibility will be determined by the
    AWS Cloud services that a customer selects. This determines the amount of
    configuration work the customer must perform as part of their security
    responsibilities.


  11. Shared Responsibility - AWS
    https://aws.amazon.com/compliance/shared-responsibility-model/


  12. AWS Security Primer
    https://cloudonaut.io/aws-security-primer


  13. AWS in Plain English
    https://expeditedsecurity.com/aws-in-plain-english/


  14. Get started with AWS - Free AWS Learning for Beginners
    https://dannys.cloud/amp/10-best-free-aws-learning-resources-for-beginners


  15. AWS Cloud Security Pillars
    1. Identity and Access Management
    2. Detection
    3. Infrastructure Protection
    4. Data Protection
    5. Incident Response


  16. Identity and Access Management
    Identity and access management are key parts of an information security program,
    ensuring that only authorized and authenticated users and components are able to
    access your resources, and only in a manner that you intend. For example, you
    should define principals (that is, accounts, users, roles, and services that can perform
    actions in your account), build out policies aligned with these principals, and
    implement strong credential management. These privilege-management elements
    form the core of authentication and authorization.
    https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html#sec.security
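
As an added example (not from the talk or the AWS documentation), a small Python check that applies the "build out policies aligned with these principals" point: it flags Allow statements whose Action or Resource is a wildcard and that carry no Condition to narrow the grant, contrasting a constructed over-broad policy with a scoped one. The bucket name and VPC endpoint id in the scoped policy are placeholders.

```python
import json

# Constructed sample: the "just give it everything" policy a beginner attaches to a role.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]})

# Constructed sample: the same workload scoped to one bucket, read-only, and only via
# one VPC endpoint. The bucket name and endpoint id are placeholders.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"],
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}},
}]})


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_grants(policy_json):
    """Return (statement_index, finding) pairs for Allow statements that break least privilege.
    wildcard-action   : Action contains "*" or "<service>:*"
    wildcard-resource : Resource is "*" (every resource in the account)
    no-condition      : a wildcard grant with no Condition block narrowing it
    """
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever reduce access
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action")))
        wild_resource = "*" in _as_list(stmt.get("Resource"))
        if wild_action:
            findings.append((idx, "wildcard-action"))
        if wild_resource:
            findings.append((idx, "wildcard-resource"))
        if (wild_action or wild_resource) and "Condition" not in stmt:
            findings.append((idx, "no-condition"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_overbroad_grants(doc) or "no findings")
```

A check like this is a first filter only: a policy can be scoped to a single resource and still grant far more than the principal needs, so the findings are a prompt to review, not proof that a clean policy is least privilege.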


  17. Detection
    You can use detective controls to identify a potential security threat or incident.
    There are different types of detective controls. For example, conducting an
    inventory of assets and their detailed attributes promotes more effective decision
    making (and lifecycle controls) to help establish operational baselines. You can also
    use internal auditing, an examination of controls related to information systems, to
    ensure that practices meet policies and requirements and that you have set the
    correct automated alerting notifications based on defined conditions.
    https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html#sec.security


  18. Infrastructure Protection
    Infrastructure protection encompasses control methodologies, such as defense in
    depth, necessary to meet best practices and organizational or regulatory
    obligations. Use of these methodologies is critical for successful, ongoing operations
    in either the cloud or on-premises.
    https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html#sec.security


  19. Data Protection
    Before architecting any system, foundational practices that influence security
    should be in place. For example, data classification provides a way to categorize
    organizational data based on levels of sensitivity, and encryption protects data by
    way of rendering it unintelligible to unauthorized access. These tools and techniques
    are important because they support objectives such as preventing financial loss or
    complying with regulatory obligations.
    https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html#sec.security


  20. Incident Response
    Even with extremely mature preventive and detective controls, your organization
    should still put processes in place to respond to and mitigate the potential impact of
    security incidents. The architecture of your workload strongly affects the ability of
    your teams to operate effectively during an incident, to isolate or contain systems,
    and to restore operations to a known good state.
    https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html#sec.security


  21. Strategic Security
    1. Prevent - Define user permissions and identities, infrastructure protection, and
    data protection measures for a smooth and planned AWS adoption strategy
    2. Detect - Gain visibility into your organization’s security posture with logging
    and monitoring services. Ingest this information into a scalable platform for
    event management, testing, and auditing
    3. Respond - Automated incident response and recovery to help shift the primary
    focus of security teams from response to analyzing the root cause
    4. Remediate - Leverage event-driven automation to quickly remediate and
    secure your AWS environment in near real-time


  22. Learning Cloud Security by Playing
    ● http://flaws.cloud
    ● http://flaws2.cloud


  23. Learn by playing the CTF - Cloud Goat
    CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. It
    allows you to hone your cloud cybersecurity skills by creating and completing
    several "capture-the-flag" style scenarios. Each scenario is composed of AWS
    resources arranged together to create a structured learning experience.
    https://github.com/RhinoSecurityLabs/cloudgoat


  24. How you can learn step by step!
    ● Learning the technology, services and mainly terminology
    ● Then understanding their security controls for the service and best practices
    ● See if you can break anything or find security issues (offensive side)
    ● Now you apply the security defense to the service/technology
    ● Then see how you can leverage that service/technology for security
    ● Finally learn to leverage the power of Automation (Terraform, Pulumi, etc.)
    ● Now you can understand different architecture patterns
    ● Keep iterating and learning more!


  25. Takeaways


  26. Resources & References
    ● https://cloudsecurityalliance.org
    ● https://cloudsecdocs.com
    ● https://cloudseclist.com
    ● https://tldrsec.com
    ● https://workshops.aws
    ● https://awsworkshop.io
    ● https://summitroute.com
    ● https://github.com/open-guides/og-aws
    ● https://cloudonaut.io/page/1/
    ● https://www.youtube.com/watch?v=3hLmDS179YE
    ● https://www.aws.training/Details/eLearning?id=34259
    ● https://gist.github.com/leonardofed/bbf6459ad154ad5215d354f3825435dc
    ● https://gist.github.com/miglen/797fd38d0e26b9f68a1f
    ● https://asecure.cloud
    ● https://cloud.google.com/security/infrastructure/design/resources/google_infrastructure_whitepaper_fa.pdf
    ● https://aws.amazon.com/architecture/well-architected
    ● https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
    ● https://github.com/appsecco/breaking-and-pwning-apps-and-servers-aws-azure-training
    ● https://docs.microsoft.com/en-us/azure/security
    ● https://github.com/toniblyx/my-arsenal-of-aws-security-tools
    ● https://tools.tldr.run
    ● https://www.cloudsecuritypodcast.tv
    ● https://google.com


  27. Thank You!
    https://madhuakula.com
    @madhuakula
    Madhu Akula
