Cloud Security: There's a Storm Coming

This presentation will look at previous security failures of cloud computing deployments by organizations, big and small. By reviewing what has happened in the recent past and leveraging his experience performing security assessments, Mark will discuss the real concerns facing cloud security. This talk will provide challenges, and suggested solutions, to adopting cloud computing technologies and having a great security experience. If your organization is still deciding if "the cloud" is for them, come hear this talk to take a serious look at what's gone wrong…and how to make it right.

In this session you will hear:
• The repercussions of recent cloud security implementation failures
• Examples of common mistakes people make when using some of the most popular cloud services
• What concerns organizations should have for their cloud environments from an attacker's point-of-view
• Guidance on the software and technologies that make cloud computing a safer environment
• Tips on getting your organization to the cloud more safely and/or firming up the security of your existing deployments

Mark Stanislav

May 19, 2015

Transcript

  1. 1.

    Cloud Security: There's a Storm Coming
    May 19th, 2015 11:00AM
    Mark Stanislav, Sr. Security Consultant, Rapid7
  2. 4.

    Slide 4: Security Maturity is More Than Breach Stats

    ▪ The first ~10 years of Cloud Computing were mostly spent understanding what the ecosystem could, and should, look like for everyone from end users to large enterprises
    ▪ A lot of details had to be sorted out:
      ◆ What hypervisors do we use? What should APIs look like?
      ◆ How do you scale regions, but prevent cascading failures?
      ◆ Which types of compliance audits can we still pass?
      ◆ How do we segment data stores and encrypt properly?
      ◆ Who are the industry leaders and who are the followers?
      ◆ What cloud-based companies will be darlings or deadbeats?
      ◆ Which cloud breaches and stories will define those years?
  3. 5.

    Slide 5: An “Early” Paper That I Still Love

    Published in 2009, covering EC2 instance mapping, side-channel attacks, and co-residency attacks.
  4. 6.

    Slide 6: Highly Complex Attacks? Eh, Not So Much…

    ▪ There are absolutely vulnerabilities being found and research being cultivated around attacks against hypervisors and other low-level technology powering cloud deployments
    ▪ Much like all computing, one big deal is having a cloud provider who has the technical capabilities and dedication to security to efficiently patch their underlying architecture
  5. 8.

    Slide 8: Authentication Security

    ▪ Using an Internet-facing service, with all of your “eggs in one basket,” only being protected by a password? Hmm…
    ▪ Cloud computing is, in my opinion, the biggest reason two-factor authentication adoption has accelerated so dramatically
    ▪ AWS, Azure, Linode, Rackspace, Heroku, GCE, Joyent, and more have some form of auth security beyond only a password

    #shameless Check out https://twofactorauth.org
  6. 9.

    Slide 9: Two-Factor is Not Just a “Nice to Have”

    2FA Deployments for Web Services*
    * Through June, 2014
  7. 11.

    Slide 11: Access Control Security

    ▪ How much access does a given user or API key have?
      ◆ Create sub accounts that have limited console access
      ◆ API keys should be per application, only needed privileges
      ◆ Leverage standards like SAML and XACML
      ◆ Define roles and implement RBAC either natively or custom
    ▪ Auditability is often forgotten about
      ◆ When did they login? Where from? What did they do?
    ▪ Oh, and, don’t LEAK YOUR KEYS AND CREDENTIALS! :)
  8. 12.

    Slide 12: An All-Too-Common Story

    Sanitize your code repositories and your machine images before posting publicly! Scanning for sensitive data is trivial with a script or manually
  9. 14.

    Slide 14: Don’t Worry, Providers Screw it Up, too!

    Think about how easy it would be to backdoor a community image…
  10. 15.

    Slide 15: There’s Always the Front Door

    ▪ Cloud security is still predicated on the software (web apps, underlying services, custom middleware, APIs, etc.)
      ◆ A single vulnerability could provide access to all user data and instances if the provider doesn’t segment properly
    ▪ Ever wonder if your cloud provider’s administrative interfaces are Internet-facing or able to be accessed via client networks?
  11. 16.

    Slide 16: Defense in Depth is the ONLY Plan

    ▪ Remember that part about being able to patch efficiently?
      ◆ “Released less than a week ago,” is not an inspiring excuse
    ▪ There will always be 0-day, how are you preparing for it?
  12. 17.

    Slide 17: A Security Control is All or Nothing

    ▪ A single *aaS can involve numerous ways to read/write data:
      ◆ Web consoles, APIs, SDKs, mobile applications, and more!
      ◆ If you add a security feature, it should apply to ALL ways
    ▪ Not convinced? Consider Apple’s security of iCloud…
      ◆ “CelebrityGate” exposed how weak Apple’s coverage of user data was, even when using their advanced features
  13. 20.

    Slide 20: So What’s This “There’s a Storm Coming” Thing?

    The First Ten Years of Cloud Computing
    You Are Here
    The Next Ten Years of Cloud Computing

    We’re in the eye of the storm. Shocked? :)
  14. 21.

    Slide 21: The Next 10 Years of Cloud Security

    ▪ Figure out how to actually add security to all of these new container technologies everyone is deploying without concern
      ◆ $150M in funding to Docker, $20M to CoreOS == security?
    ▪ See the mass adoption of two-factor authentication across all cloud computing vendors (those that will survive, anyways…)
      ◆ Salesforce just bought the two-factor platform Toopher
    ▪ Watch as the “Internet of Things” rises, backed off of *aaS solutions and wait intently for the first major breach to occur
      ◆ All of the problems of early cloud but with big risks at hand
  15. 24.

    Slide 24: What Do I Worry About With Cloud + IoT?

    ▪ IoT has to collapse for platforms, services, and hardware to allow for “the dream” to be realized – but this is a huge risk
      ◆ Imagine if IFTTT or any similar service was compromised, how much access one attacker would have to people’s lives
  16. 27.

    Slide 27: Some SaaS Providers Get it Right, Too

    GitHub
    • Two Factor
    • Sessions
    • Audit History
    • Notifications
    • Revoke Tokens
    • SSH Fingerprints
  17. 32.

    Slide 32: Cloud Security Housekeeping Notes

    ▪ Just because you can use a cloud service doesn’t mean you should use it – an easy sign-up doesn’t excuse losing data
      ◆ If your organization wants to go 100% cloud, that’s fine, just understand that you are taking risks that you likely didn’t have before, or weren’t as likely to come true
      ◆ Build a proper data retention policy, clean up objects you don’t need anymore, create off-line data backups still
      ◆ Encrypt-before-cloud if you can, else, segment data well, separate privileges as much as able, and please audit :)
    ▪ Every bad employee password or reused password could be the end of your entire company (remember Code Spaces?)
      ◆ Two-factor authentication or you’re just being neglectful
  18. 34.

    Slide 34: Some Tips for Secure IaaS (AWS-focused)

    ▪ Virtual Private Cloud (VPC) is the default these days
      ◆ If it doesn’t need a public IP, don’t you dare give it one
    ▪ Ingress & egress firewalls, network-level AND host-based
    ▪ Just say no to community AMIs; vendor-provided or custom!
    ▪ If an API call allows you to set transparent encryption: do it
      ◆ Start leveraging the new Key Management Service (KMS)
    ▪ Create Identity and Access Management (IAM) for roles
      ◆ Super user privilege should be done at a user-level
      ◆ Require two-factor authentication for all remote users
    ▪ Enable logging for as much as you can handle, it may matter
  19. 35.

    Slide 35: Some Tips for Secure SaaS

    ▪ Consider using SAML to tie your SaaS applications into the organization’s existing authentication backend and for SSO
      ◆ Okta, OneLogin, etc. then provide “portal” access to SaaS
    ▪ Provide solutions to employees before they provide their own
      ◆ Controlling SaaS is hard… don’t make employees stray!
    ▪ Yep, two-factor authentication for all business services
      ◆ This includes social media, HR, sales, marketing, etc.
    ▪ If the service allows, create policies for valid IP/geo ranges
      ◆ This may buy you time, help act as an early alert, etc.
    ▪ Tie these services into your SIEM and actually review reports
      ◆ Unfortunately, very few SaaS applications do this natively
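
Slide 12 says scanning for sensitive data before publishing is trivial with a script; the following pre-publish check is an added example, not material from the talk. The rule set, the skipped directories, the entropy cut-off and all function names are assumptions chosen for illustration.

```python
import math
import os
import re
from collections import Counter

# Rules for material that should not ship in a public repository or image.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"(?i)(?:password|passwd|secret|api_?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
SKIP_DIRS = {".git", "node_modules", "__pycache__"}
MIN_ENTROPY = 3.0  # assumed cut-off in bits per character; tune per code base

def entropy(s):
    """Shannon entropy per character; placeholders such as 'changeme' score low."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value):
    """Keep a finding reportable without copying the secret into the report."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text, path="<memory>"):
    """Return (path, line number, rule, redacted match) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Quoted assignments are noisy, so require a random-looking value.
                if rule != "hardcoded-credential" or entropy(value) >= MIN_ENTROPY:
                    findings.append((path, lineno, rule, redact(value)))
    return findings

def scan_tree(root):
    """Scan every readable file under a checkout or an unpacked image."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings += scan_text(fh.read(), path)
            except OSError:
                continue  # unreadable file: skip it and keep going
    return findings
```

`scan_tree` checks the working tree only, because `.git` is skipped; a credential that was committed and later deleted is still in the history and still needs rotating before the repository goes public.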
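
Slide 11 asks "When did they login? Where from? What did they do?" and Slide 35 suggests valid IP ranges as an early alert that feeds the SIEM; the review below applies both to SaaS audit events. It is an added example, not material from the talk: the event field names, the allowed ranges (documentation address space) and the sample log are constructed.

```python
import ipaddress
import json

# Assumed policy: office/VPN ranges from which staff are expected to sign in.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/28")]

# Constructed SaaS audit events (JSON lines); field names are illustrative.
SAMPLE_LOG = """\
{"ts": "2015-05-19T09:02:11Z", "user": "alice", "action": "login", "ip": "198.51.100.23", "mfa": true}
{"ts": "2015-05-19T09:40:52Z", "user": "bob", "action": "login", "ip": "192.0.2.77", "mfa": true}
{"ts": "2015-05-19T10:15:03Z", "user": "carol", "action": "login", "ip": "203.0.113.9", "mfa": false}
{"ts": "2015-05-19T10:16:40Z", "user": "carol", "action": "export_contacts", "ip": "203.0.113.9"}
not-json garbage line
"""

def in_policy(ip):
    """True when the source address falls inside an approved range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def review(log_text):
    """Return alerts as (ts, user, reason) tuples for a SIEM or a daily report."""
    alerts, weak_sessions = [], set()
    for raw in log_text.splitlines():
        try:
            ev = json.loads(raw)
            ts, user, action, ip = ev["ts"], ev["user"], ev["action"], ev["ip"]
            outside = not in_policy(ip)
        except (ValueError, KeyError, TypeError):
            # A record that cannot be parsed is itself worth a look.
            alerts.append((None, None, "unparseable event: " + raw[:40]))
            continue
        if action == "login":
            if outside:
                alerts.append((ts, user, "login from outside approved ranges: " + ip))
            if not ev.get("mfa", False):
                alerts.append((ts, user, "login without second factor"))
                weak_sessions.add(user)
        elif user in weak_sessions:
            # "What did they do?": follow activity after a password-only login.
            alerts.append((ts, user, "activity after password-only login: " + action))
    return alerts
```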