Gaps in the Clouds by Robert Fritz

OWASP Montreal - June 18th - Gaps in the Clouds

MAIN PRESENTER: Robert Fritz

ABSTRACT: Cloud technology offers agility and scaling, and a chance to break away from legacy IT choices. Unfortunately, skipping traditional IT activities often results in poorly patched systems, out-of-date firewalls, and overprovisioned entitlements wielded by admins whose “day job” is development. Boundaries of accountability and responsibility amongst cloud providers and consumers are confusing, vague, and shifting, making security difficult to manage. In such an environment, a “BP-spill” event, where cost wins over safety, is likely. This talk will dive down into the cracks between the layers of cloud, and share some of the exciting dirt we have seen and expect to see in coming years.
BIO: Robert Fritz has been practicing security his entire career. Rob started as an Air Force lieutenant at Langley AFB and later at the Pentagon in Washington DC, building and managing classified networks. Finding he was getting too far from technology after a brief stint flying, he left the military to get back to the tech, and built security tools for HP in their HP-UX lab. Over time he found himself in more and more security design discussions, so he co-authored HP’s Commercial Application Threat Analysis Methodology, building an internal consulting practice at HP. This quantitative approach led to two pending patents, an external-facing consulting practice, and his contributions to NIST IR-7502, the Common Configuration Scoring System (CVSS follow-on). He is the former lead editor for the Center for Internet Security’s HP-UX Benchmark, and current lead for the Android Benchmark. Robert now works for Morgan Stanley as global head of the Strategic Consulting team in the Security Architecture group, and leads the team’s cloud and social-media security practices.
WHEN: June 18th 2014
WHERE: 700 Rue Wellington, Floor 2, Montreal, QC H3C 3S4
EVENT SPONSOR: Morgan Stanley http://www.morganstanley.com/
PROGRAM:
18:00-18:30 Networking and Morgan Stanley Hosted Pizza and Soft Drinks
18:30-18:45 OWASP Chapter & Morgan Stanley Welcome
18:45-19:45 Main presentation - "Gaps in the Clouds" Robert Fritz
19:45-20:00 Open discussion and questions
20:00-... Optional, informal networking at Aziatic - 626 rue Marguerite-d'Youville, Montréal, QC H3C 1W7

OWASP Montréal

June 18, 2014

Transcript

  1. Cloud Computing Security
    Robert Fritz (VP), Cloud Security Practice Lead

  2. Welcome
    • Morgan Stanley Welcome and Acknowledgements
      – Morgan Stanley Canada Services Lead: Alan Vesprini (ED)
      – Out of Town Guests: Reuben Wells (MD), John Panzica (ED), William Ma
      – Material Contributors: Rares Pateneau (ED), David Mirza-Ahmad, Guillaume Ross, Mickael Emirkanian-Bouchard, Oscar Isasmendi-Gallo (VP), Mia Kilborn, John Otterson (VP)
      – Event Contributors: Andrew Graham, Guillaume Ross, Siddharth Kashyap, Levon Petros, Mathias Sofer, Rob Ierfino, Vanessa Houle, Mehdi Bennani
    • OWASP Welcome and Acknowledgements:
      – Jonathan Marcil, Chapter President, represented by Michael Robillard and Marius Popescu

  3. About Me
    • Local Security Architecture Lead
    • Global Lead for Strategic Consulting, driving the control agenda for: Cloud, Social Media, Mobile Computing, and Pioneer
    • Security work for 15+ years: US Air Force, Hewlett-Packard, now Morgan Stanley
    • Patents Pending, including part of HP’s Threat Analysis Methodology
    • Lead Editor of Two Center for Internet Security Hardening Benchmarks: HP-UX and Android
    • Contributor to NIST IR7502: Metrics For Software Security Configuration Vulnerabilities

  4. What is “Cloud?”

  5. How Much Cloud?: a Delivery Model

  6. Where is the Cloud?: An Access Model
    (diagram: WHO? / WHAT? / HOW?)

  7. (Cloud characteristics, reconstructed from the stacked diagram)
    • Metered: ability to assign a cost to a unit of resource and charge by amount of resources used
    • Automated Provisioning: ability to provision resources in real time in response to workload runtime events
    • Dynamic Provisioning: ability to add and remove resources for a workload without the workload being aware of it
    • Elastic: ability to add and remove resources to the pool without interruption of service to active workloads
    Base of the stack: Internet Technology Foundation

  8. Cloud Vendor Landscape
    • Who will own the new infrastructure and the new customers
    – Operationally: Keys and Management
    – Technology: Abstraction and Hardware
    – Data: e.g. Uploading to Amazon is free, getting it back costs $$
    – Expertise: Who will be the new “experts”

  9. Cloud Vendor Landscape: Examples
    (diagram reconstructed as a table; rows are service models, columns are grouped by vendor stack)

    Model | Microsoft   | Google                   | Salesforce                           | Amazon                    | Private Cloud: Mix n Match
    ------+-------------+--------------------------+--------------------------------------+---------------------------+---------------------------------------------
    SaaS  | Office 365  | Google Enterprise / Apps | Salesforce / AppExchange             |                           |
    PaaS  | Azure PaaS  | Google App Engine        | Force.com                            | Heroku, Elastic Beanstalk | OpenShift, Cloud Foundry
    IaaS  | Azure IaaS  | Google Compute           | Traditional (But Future Speculation) | Amazon AWS                | OpenStack, CloudStack, Citrix Cloud Platform
          |<------------------------- Dedicated Public Cloud Offerings ------------------------------------------->|

  10. Security Layers
    Assuming Commercial IaaS / Custom PaaS
    Layers (diagram reconstructed as a list):
    • Traditional Application Security
    • Cloud Provisioning Broker
    • Host Access Broker
    • Multi-Tenancy Container
    • OS or Platform Layer
      – “No IT Work” / Patch
      – Snapshot Proliferation
      – Pre-Pwned Marketplace Images
    Actors: End User, Application Administrator, Provisioning Administrator (Owns Firewall / Deployment), OS/Platform Troubleshooting
    Entry point: Internet
    Mid-Talk Quiz: Any Guesses on the Most Common Firewall Rules / SGs?

  11. Security Challenges: Hidden Costs
    • Hidden Costs
    – Adding missing security infrastructure and services
    – Managing conflicting assumptions of security responsibility
    – Managing external change
    – Lock-In
    • Cloud Offerings often don’t include:
    – Consistent authentication standards to and amongst cloud service
    vendors
    – Access and entitlements management
    – Data security
    – Application and infrastructure audit and reporting
    – Attack detection/monitoring
    • Cloud security still maturing; existing solutions may not address all gaps

  12. Stop the Bleeding: PaaS/SaaS Data Exposure
    • Data Exfiltration from Infrastructure we Don’t Control
      – Encryption Brokers (e.g. CipherCloud)
        • Encrypt the data and you don’t “care” where it lives
        • BUT: you can’t process ciphertext
        • Easy: Cold Storage (Panzura / RiverBed)
        • Tricky: PaaS/SaaS Applications
      – Identify and Baseline Secret Data: What really is secret?
      – Identify which operations *must* be executed in the cloud
        » Preserve Search and Sort in some cases
        » Search / Sort Locally for others
    • Data Exfiltration from Infrastructure we Do Control:
      – Adapt classic DLP to HTTP(S), or consume compliance-mail feeds
      – Monitor the Perimeter (look for undercover cloud adoption, e.g. SkyHigh)
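The “you can’t process ciphertext” trade-off above, as an added example that is not part of the talk and not how CipherCloud or any broker product is built: a minimal in-process encryption broker. Field values are encrypted with a randomized construction before they reach the SaaS host, so two equal plaintexts never yield equal ciphertexts and the host cannot search them; exact-match search is restored by storing a keyed, deterministic token beside the ciphertext, which is what “preserve search in some cases” costs you, because the host can now see which rows share a value. Everything here is an assumption for illustration: the stdlib HMAC-CTR stream cipher stands in for a real AEAD, and the key labels, the Broker class and the sample records are constructed.

```python
"""Encryption-broker demo: randomized encryption hides field values from the
SaaS host but prevents server-side search; a deterministic search token brings
exact-match search back at the price of an equality leak.
Stdlib only. The HMAC-CTR stream cipher below is a stand-in for a real AEAD
(assumption for the demo, not a production construction)."""
import hashlib
import hmac
import os


def derive_keys(master: bytes) -> tuple:
    """Separate keys for encryption and for search tokens (labels are assumed)."""
    enc = hmac.new(master, b"broker/enc", hashlib.sha256).digest()
    tok = hmac.new(master, b"broker/tok", hashlib.sha256).digest()
    return enc, tok


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF(key, nonce || counter) blocks, truncated to n bytes."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt(enc_key: bytes, plaintext: bytes) -> bytes:
    """Randomized encrypt-then-MAC: a fresh nonce per call, so equal plaintexts
    give different ciphertexts. Layout: nonce(16) || ct || tag(32)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(enc_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(enc_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def search_token(tok_key: bytes, value: str) -> str:
    """Deterministic keyed token over the normalized value: the host can compare
    tokens for equality but cannot invert them without tok_key."""
    return hmac.new(tok_key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


class Broker:
    """Sits between the firm and the SaaS host. The host only ever stores
    `cloud_rows` (ciphertexts plus tokens); plaintext and keys stay on-premise."""

    def __init__(self, master: bytes):
        self.enc_key, self.tok_key = derive_keys(master)
        self.cloud_rows = []  # what the SaaS provider holds

    def put(self, record_id: int, customer: str, notes: str) -> None:
        self.cloud_rows.append({
            "id": record_id,
            "customer_ct": encrypt(self.enc_key, customer.encode()),
            "customer_tok": search_token(self.tok_key, customer),  # searchable field
            "notes_ct": encrypt(self.enc_key, notes.encode()),     # not searchable
        })

    def cloud_search_customer(self, customer: str) -> list:
        """Exact-match search the SaaS side can run using tokens alone."""
        tok = search_token(self.tok_key, customer)
        return [r["id"] for r in self.cloud_rows if r["customer_tok"] == tok]

    def read(self, record_id: int) -> tuple:
        r = next(r for r in self.cloud_rows if r["id"] == record_id)
        return (decrypt(self.enc_key, r["customer_ct"]).decode(),
                decrypt(self.enc_key, r["notes_ct"]).decode())


def equality_leak(rows) -> dict:
    """What a curious SaaS admin learns from tokens alone: which rows share a customer."""
    counts = {}
    for r in rows:
        counts[r["customer_tok"]] = counts.get(r["customer_tok"], 0) + 1
    return counts


def demo() -> dict:
    b = Broker(master=b"constructed-demo-master-key")  # constructed sample data below
    b.put(1, "ACME Corp", "renewal due Q3")
    b.put(2, "acme corp ", "escalation open")
    b.put(3, "Globex", "new logo")
    return {
        "randomized_ciphertexts_differ": b.cloud_rows[0]["customer_ct"] != b.cloud_rows[1]["customer_ct"],
        "search_acme": b.cloud_search_customer("ACME Corp"),
        "max_group_size_leaked": max(equality_leak(b.cloud_rows).values()),
        "roundtrip": b.read(2),
    }
```

Sorting is deliberately absent: an equality token says nothing about order, and an order-preserving scheme leaks far more than equality, which is the “search and sort locally for others” half of the slide.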
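The “monitor the perimeter for undercover cloud adoption” item, as an added example that is not from the talk and not how SkyHigh or any product works: a parser for Squid-format proxy log lines that tags requests to a watch-list of file-sharing services and counts upload-style requests per user and service. The watch-list, the threshold and the log lines are constructed for the demo. Squid’s native bytes field is the reply size, so upload volume would need a custom log format; this counts upload requests instead.

```python
"""Shadow-cloud detection over an outbound proxy log (Squid native format:
time elapsed client code/status bytes method URL user hierarchy type).
Added example; watch-list and sample lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Illustrative watch-list (assumption): consumer file-sharing / storage domains.
CLOUD_STORAGE = {
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
    "s3.amazonaws.com": "Amazon S3",
}
UPLOAD_METHODS = {"POST", "PUT"}

SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)"
)

# Constructed sample log: three users, two of them touching watched services.
SAMPLE_LOG = """\
1403107200.123    250 10.0.0.15 TCP_MISS/200 512 POST https://www.dropbox.com/upload - DIRECT/162.125.1.1 application/json
1403107201.456     80 10.0.0.15 TCP_MISS/200 2048 GET https://www.dropbox.com/home jsmith DIRECT/162.125.1.1 text/html
1403107202.789   1200 10.0.0.15 TCP_MISS/200 300 POST https://www.dropbox.com/upload jsmith DIRECT/162.125.1.1 application/json
1403107203.000    900 10.0.0.15 TCP_MISS/200 300 PUT https://content.dropbox.com/file jsmith DIRECT/162.125.1.1 application/json
1403107204.000     50 10.0.0.22 TCP_TUNNEL/200 4000 CONNECT drive.google.com:443 akim HIER_DIRECT/172.217.0.1 -
1403107205.000     50 10.0.0.22 TCP_MISS/200 900 POST https://docs.google.com/upload akim DIRECT/172.217.0.1 application/json
1403107206.000     30 10.0.0.31 TCP_MISS/200 8000 GET https://www.example.com/ mlee DIRECT/93.184.216.34 text/html
1403107207.000     30 10.0.0.31 TCP_MISS/200 100 POST https://intranet.corp.local/api mlee DIRECT/10.1.1.1 application/json
"""


def classify_host(host: str):
    """Suffix match so sub-domains (www., content., ...) count for the service."""
    host = host.lower()
    for suffix, name in CLOUD_STORAGE.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything unparseable."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if d["method"] == "CONNECT":          # TLS tunnels log host:port, not a URL
        host = d["url"].rsplit(":", 1)[0]
    else:
        host = urlsplit(d["url"]).hostname or ""
    return {"user": d["user"], "method": d["method"], "bytes": int(d["bytes"]),
            "host": host, "service": classify_host(host)}


def shadow_cloud_report(lines, min_uploads: int = 2):
    """Tally requests and upload-style requests per (user, service) for watched
    services; return (findings at or above min_uploads, full tally).
    An unauthenticated user shows up as '-' and is worth its own follow-up."""
    tally = defaultdict(lambda: {"requests": 0, "upload_requests": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["service"]:
            continue
        key = (rec["user"], rec["service"])
        tally[key]["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            tally[key]["upload_requests"] += 1
    findings = sorted(k for k, v in tally.items() if v["upload_requests"] >= min_uploads)
    return findings, dict(tally)


if __name__ == "__main__":
    hits, counts = shadow_cloud_report(SAMPLE_LOG.splitlines())
    for user, service in hits:
        print(f"{user}: {counts[(user, service)]['upload_requests']} uploads to {service}")
```

The same tally run against a real feed (proxy, NetFlow, or the compliance-mail feed the slide mentions) is the cheapest first pass; it tells you who is already using which service before any blocking decision is made.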

  13. Case Study in AWS IaaS: Whose Job is Security?
    Their Job
    • Have NIDS for their Network
    • Scan their apps
    • Separate their tenants / users
    NOT Their Job
    • OS and Up
    • Manage Entitlements and Identity
      – Entitlements are inconsistent and overbroad
      – Amazon Says “Buy a Broker”

  14. Case Study in AWS IaaS: What you get with Amazon IAM
    Authentication:
    • Recent Enterprise Offering
    Entitlements:
    • In-GUI: “Global root” permissions per service
    • Granular Entitlement Requires Dozens of Pages of Hand-Crafted JSON
    • “All or Nothing” Permissions Model the Norm
    • AMI, Network, IP, and Resource Permissions New
    Audit:
    • CloudTrail: Raw Dump to S3 Bucket
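Two of the gaps on this slide, as added examples rather than anything AWS ships: a linter that flags the “all or nothing” policy statements the console hands out (wildcard Action or Resource with no Condition) next to a scoped policy that passes, and a reader for the raw CloudTrail dump as it lands in S3 (gzipped JSON objects with a top-level Records array) that pulls out root API calls and principals piling up AccessDenied errors. The bucket name, CIDR, account number, ARNs and records are all constructed; the record field names follow the CloudTrail record format.

```python
"""Checks a firm layers on top of IAM: (1) lint policy documents for unbounded
Allow statements; (2) scan a CloudTrail S3 dump for root usage and AccessDenied
bursts. Added example, stdlib only; policies and records are constructed."""
import gzip
import io
import json
from collections import Counter

OVERBROAD_POLICY = {  # the "global root per service" shape the GUI produces
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {  # least privilege: one bucket, read-only, from one CIDR (all names assumed)
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-firm-data/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-firm-data"},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_policy(policy: dict) -> list:
    """(statement index, reason) for Allow statements that are effectively unbounded.
    Service-wide wildcards such as 's3:*' are flagged separately from '*'."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions:
            findings.append((i, "Action '*' grants every API call"))
        elif any(a.endswith(":*") for a in actions):
            wild = ", ".join(a for a in actions if a.endswith(":*"))
            findings.append((i, "service-wide action wildcard: " + wild))
        if "*" in resources and "Condition" not in st:
            findings.append((i, "Resource '*' with no Condition"))
    return findings


def load_cloudtrail_gz(blob: bytes) -> list:
    """CloudTrail writes gzipped JSON objects to S3, each with a 'Records' list."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as f:
        return json.load(f)["Records"]


def scan_records(records: list, denied_threshold: int = 3) -> dict:
    """Root API calls (userIdentity.type == 'Root') and principals that hit
    AccessDenied at least denied_threshold times (probing or a broken policy)."""
    root_calls = [(r["eventTime"], r["eventName"]) for r in records
                  if r.get("userIdentity", {}).get("type") == "Root"]
    denied = Counter(r.get("userIdentity", {}).get("arn", "?") for r in records
                     if r.get("errorCode") == "AccessDenied")
    noisy = sorted(arn for arn, n in denied.items() if n >= denied_threshold)
    return {"root_calls": root_calls, "denied_by_principal": dict(denied),
            "noisy_principals": noisy}


def _record(time, user_type, arn, source, name, err=None) -> dict:
    """Minimal CloudTrail record; constructed, not captured from a real account."""
    r = {"eventVersion": "1.02", "eventTime": time, "eventSource": source,
         "eventName": name, "awsRegion": "us-east-1", "eventType": "AwsApiCall",
         "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": user_type, "arn": arn, "accountId": "123456789012"}}
    if err:
        r["errorCode"] = err
        r["errorMessage"] = "User is not authorized to perform this action"
    return r


ACCT = "arn:aws:iam::123456789012:"
SAMPLE_RECORDS = [
    _record("2014-06-18T22:01:03Z", "Root", ACCT + "root", "ec2.amazonaws.com", "RunInstances"),
    _record("2014-06-18T22:02:11Z", "IAMUser", ACCT + "user/dev-alice", "iam.amazonaws.com", "CreateUser", "AccessDenied"),
    _record("2014-06-18T22:02:12Z", "IAMUser", ACCT + "user/dev-alice", "iam.amazonaws.com", "AttachUserPolicy", "AccessDenied"),
    _record("2014-06-18T22:02:14Z", "IAMUser", ACCT + "user/dev-alice", "s3.amazonaws.com", "GetBucketPolicy", "AccessDenied"),
    _record("2014-06-18T22:05:00Z", "IAMUser", ACCT + "user/ops-bob", "s3.amazonaws.com", "ListBuckets"),
    _record("2014-06-18T22:05:30Z", "IAMUser", ACCT + "user/ops-bob", "ec2.amazonaws.com", "TerminateInstances", "AccessDenied"),
]


def sample_dump_gz() -> bytes:
    """Pack the constructed records the way CloudTrail lays them out in S3."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as f:
        f.write(json.dumps({"Records": SAMPLE_RECORDS}).encode())
    return buf.getvalue()
```

The lint is the “dozens of pages of hand-crafted JSON” problem turned around: it does not write the policy for you, but it fails the review for the two shapes that make every other control moot.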

  15. Case Study in Force.com/SalesForce: What you get with SFDC
    Authentication:
    • Username / Password Default
    • SAML Optional
    Entitlements:
    • API- and UI-based Entitlements Provisioning
    • Very Little Entitlement Hierarchy, but Very Inter-Dependent
    • Easy to Overprovision
    Audit:
    • Inconsistent Coverage
      – Only some via API
      – Some require screen scraping
    • Missing Authorization Failures Entirely
    • Direct path access

  16. Case Study in SaaS:
    • SaaS Vendors Want to Share Data
      – Box: Phishing-Friendly Invites from Outside Firm-Created Users
      – Box Doesn’t Limit or Audit Sharing of Materials from Non-Firm Folders
      – Google Apps: allows In-Document Code that Can Create External-Facing Data Flows
    • Doing Business on Social Vendors’ Sites:
      – Poor validation of participants’ identity or business affiliation
      – Attacks from and propagated by multiple sources; insecure laptops or networks (e.g. open Wi-Fi) via social networking platforms
      – Sites want to grow content volume; firms like us want to know who they are talking to
      – Security barriers that increase confidence but decrease volume are often removed by sites (OAuth 2.0)

  17. Questions?