Cloud Security: There's a Storm Coming

Cloud Security: There's a Storm Coming May 19th, 2015 11:00AM
Mark Stanislav Sr. Security Consultant Rapid7

Presentation will be available at: www.misti.com/download Download password is available
in your Show Guide

…and their APIs, SDKs, services, networks, storage, employees, customers, data
centers…

▪  The first ~10 years of Cloud Computing
were mostly spent understanding what the ecosystem could, and should, look like to for everyone from end users to large enterprises ▪  A lot of details had to be sorted out: ◆  What hypervisors do we use? What should APIs look like? ◆  How do you scale regions, but prevent cascading failures? ◆  Which types of compliance audits can we still pass? ◆  How do we segment data stores and encrypt properly? ◆  Who are the industry leaders and who are the followers? ◆  What cloud-based companies will be darlings or deadbeats? ◆  Which cloud breaches and stories will define those years? Security Maturity is More Than Breach Stats

Published in 2009 covering EC2 instance mapping, side-channel
attacks, and co-residency attacks. An “Early” Paper That I Still Love

▪  There are absolutely vulnerabilities being found and
research being cultivated around attacks against hypervisors and other low-level technology powering cloud deployments ▪  Much like all computing, one big deal is having a cloud provider who has the technical capabilities and dedication to security to efficiently patch their underlying architecture Highly Complex Attacks? Eh, Not So Much…

So What’s Really Going Wrong Then?

Authentication Security ▪  Using an Internet-facing service, with
all of your “eggs in one basket,” only being protected by a password? Hmm… ▪  Cloud computing is, in my opinion, the biggest reason two-factor authentication adoption has accelerated so dramatically ▪  AWS, Azure, Linode, Rackspace, Heroku, GCE, Joyent, and more have some form of auth security beyond only a password #shameless Check out https://twofactorauth.org

Two-Factor is Not Just a “Nice to Have”
2FA Deployments for Web Services * Through June, 2014

Password Reuse, Anyone?

Access Control Security ▪  How much access does
a given user or API key have? ◆  Create sub accounts that have limited console access ◆  API keys should be per application, only needed privileges ◆  Leverage standards like SAML and XACML ◆  Define roles and implement RBAC either natively or custom ▪  Auditability is often forgotten about ◆  When did they login? Where from? What did they do? ▪  Oh, and, don’t LEAK YOUR KEYS AND CREDENTIALS! J

An All-Too-Common Story Sanitize your code repositories and
your machine images before posting publicly! Scanning for sensitive data is trivial with a script or manually

It’s Not All For “Hacking” Either DoS, Piracy,
Spam, Proxies, & Malware Hosting

Don’t Worry, Providers Screw it Up, too! Think
about how easy it would be to backdoor a community image…

There’s Always the Front Door ▪  Cloud security
is still predicated on the software (web apps, underlying services, custom middleware, APIs, etc.) ◆  A single vulnerability could provide access to all user data and instances if the provider doesn’t segment properly ▪  Ever wonder if your cloud provider’s administrative interfaces are Internet-facing or able to be accessed via client networks?

Defense in Depth is the ONLY Plan ▪ 
Remember that part about being able to patch efficiently? ◆  “Released less than a week ago,” is not an inspiring excuse ▪  There will always be 0-day, how are you preparing for it?

▪  A single *aaS can involve numerous ways
to read/write data: ◆  Web consoles, APIs, SDKs, mobile applications, and more! ◆  If you add a security feature, it should apply to ALL ways ▪  Not convinced? Consider Apple’s security of iCloud… ◆  “CelebrityGate” exposed how weak Apple’s coverage of user data was, even when using their advanced features A Security Control is All or Nothing

Heartbleed: It Could Have Been WAY Worse

Reacting to Heartbleed… Sort of? Slack – April
2014 Slack – March 2015

So What’s This “There’s a Storm Coming” Thing?
You Are Here The First Ten Years of Cloud Computing The Next Ten Years of Cloud Computing We’re in the eye of the storm. Shocked? J

The Next 10 Years of Cloud Security ▪ 
Figure out how to actually add security to all of these new container technologies everyone is deploying without concern ◆  $150M in funding to Docker, $20M to CoreOS == security? ▪  See the mass adoption of two-factor authentication across all cloud computing vendors (those that will survive, anyways…) ◆  Salesforce just bought the two-factor platform Toopher ▪  Watch as the “Internet of Things” rises, backed off of *aaS solutions and wait intently for the first major breach to occur ◆  All of the problems of early cloud but with big risks at hand

Docker: The Golden Child of 2015 Cloud

A Glimpse into the Internet of Things …and
this is just one device…

▪  IoT has to collapse for platforms, services,
and hardware to allow for “the dream” to be realized – but this is a huge risk ◆  Imagine if IFTTT or any similar service was compromised, how much access one attacker would have to people’s lives What Do I Worry About With Cloud + IoT?

“If Only Cloud Providers Would…” Microsoft Azure Security

“If Only Cloud Providers Would…” Amazon Web Services

Some SaaS Providers Get it Right, Too Github
•  Two Factor •  Sessions •  Audit History •  Notifications •  Revoke Tokens •  SSH Fingerprints

IaaS Security - CloudPassage

SaaS Security – Duo Security

API Security - apigee

Don’t Forget F/OSS Options

▪  Just because you can use a cloud
service doesn’t mean you should use it – an easy sign-up doesn’t excuse losing data ◆  If your organization wants to go 100% cloud, that’s fine, just understand that you are taking risks that you likely didn’t have before, or weren’t as likely to come true ◆  Build a proper data retention policy, clean up objects you don’t need anymore, create off-line data backups still ◆  Encrypt-before-cloud if you can, else, segment data well, separate privileges as much as able, and please audit J ▪  Every bad employee password or reused password cloud be the end of your entire company (remember Code Spaces?) ◆  Two-factor authentication or you’re just being neglectful Cloud Security Housekeeping Notes

Data Deletion? Maybe! Be Careful. Deletion may not
uh, delete data.

▪  Virtual Private Cloud (VPC) is the default
these days ◆  If it doesn’t need a public IP, don’t you dare give it one ▪  Ingress & egress firewalls, network-level AND host-based ▪  Just say no to community AMIs; vendor-provided or custom! ▪  If an API call allows you to set transparent encryption: do it ◆  Start leveraging the new Key Management Service (KMS) ▪  Create Identity and Access Management (IAM) for roles ◆  Super user privilege should be done at a user-level ◆  Require two-factor authentication for all remote users ▪  Enable logging for as much as you can handle, it may matter Some Tips for Secure IaaS (AWS-focused)

Some Tips for Secure SaaS ▪  Consider using
SAML to tie your SaaS applications into the organization’s existing authentication backend and for SSO ◆  Okta, OneLogin, etc. then provide “portal” access to SaaS ▪  Provide solutions to employees before they provide their own ◆  Controlling SaaS is hard… don’t make employees stray! ▪  Yep, two-factor authentication for all business services ◆  This includes social media, HR, sales, marketing, etc. ▪  If the service allows, create policies for valid IP/geo ranges ◆  This may buy you time, help act as an early alert, etc. ▪  Tie these services into your SIEM and actually review reports ◆  Unfortunately, very few SaaS applications do this natively

THANK YOU! Mark Stanislav [email protected] Please Remember To Fill Out
Your Session Evaluation Forms!

Cloud Security: There's a Storm Coming

Cloud Security: There's a Storm Coming

More Decks by Mark Stanislav

Other Decks in Technology

Featured

Transcript