Gaps in the Clouds by Robert Fritz

OWASP Montreal - June 18th - Gaps in the Clouds

MAIN PRESENTER: Robert Fritz

ABSTRACT: Cloud technology offers agility and scaling, and a chance to break away from legacy IT choices. Unfortunately, skipping traditional IT activities often results in poorly patched systems, out-of-date firewalls, and overprovisioned entitlements wielded by admins whose “day job” is development. Boundaries of accountability and responsibility amongst cloud providers and consumers are confusing, vague, and shifting, making security difficult to manage. In such an environment, a “BP-spill” event, where cost wins over safety, is likely. This talk will dive down into the cracks between the layers of cloud, and share some of the exciting dirt we have seen and expect to see in coming years.
BIO: Robert Fritz has been practicing security his entire career. Rob started as an Air Force lieutenant at Langley AFB and later at the Pentagon in Washington DC, building and managing classified networks. Finding he was getting too far from technology after a brief stint flying, he left the military to get back to the tech, and built security tools for HP in their HP-UX lab. Over time he found himself in more and more security design discussions, so he co-authored HP’s Commercial Application Threat Analysis Methodology, building an internal consulting practice at HP. This quantitative approach led to two pending patents, an external-facing consulting practice, and his contributions to NIST IR 7502, the Common Configuration Scoring System (a CVSS follow-on). He is the former lead editor for the Center for Internet Security’s HP-UX Benchmark, and current lead for the Android Benchmark. Robert now works for Morgan Stanley as global head of the Strategic Consulting team in the Security Architecture group, and leads the team’s cloud and social-media security practices.
WHEN: June 18th 2014
WHERE: 700 Rue Wellington, Floor 2, Montreal, QC H3C 3S4
EVENT SPONSOR: Morgan Stanley http://www.morganstanley.com/
PROGRAM:
18:00-18:30 Networking and Morgan Stanley Hosted Pizza and Soft Drinks
18:30-18:45 OWASP Chapter & Morgan Stanley Welcome
18:45-19:45 Main presentation - "Gaps in the Clouds" Robert Fritz
19:45-20:00 Open discussion and questions
20:00-... Optional, informal networking at Aziatic - 626 rue Marguerite-d'Youville, Montréal, QC H3C 1W7

OWASP Montréal

June 18, 2014

Transcript

Slide 2: Welcome

Morgan Stanley Welcome and Acknowledgements
• Morgan Stanley Canada Services Lead: Alan Vesprini (ED)
• Out of Town Guests: Reuben Wells (MD), John Panzica (ED), William Ma
• Material Contributors: Rares Pateneau (ED), David Mirza-Ahmad, Guillaume Ross, Mickael Emirkanian-Bouchard, Oscar Isasmendi-Gallo (VP), Mia Kilborn, John Otterson (VP)
• Event Contributors: Andrew Graham, Guillaume Ross, Siddharth Kashyap, Levon Petros, Mathias Sofer, Rob Ierfino, Vanessa Houle, Mehdi Bennani

OWASP Welcome and Acknowledgements
• Jonathan Marcil, Chapter President, represented by Michael Robillard and Marius Popescu

Slide 3: About Me
• Local Security Architecture Lead
• Global Lead for Strategic Consulting, driving the control agenda for Cloud, Social Media, Mobile Computing, and Pioneer
• Security work for 15+ years: US Air Force, Hewlett-Packard, now Morgan Stanley
• Patents pending, including part of HP’s Threat Analysis Methodology
• Lead Editor of two Center for Internet Security hardening benchmarks: HP-UX and Android
• Contributor to NIST IR 7502: Metrics for Software Security Configuration Vulnerabilities

Slide 7: Internet Technology Foundation
• Metered: ability to assign a cost to a unit of resource and charge by the amount of resources used
• Automated Provisioning: ability to provision resources in real time in response to workload runtime events
• Dynamic Provisioning: ability to add and remove resources for a workload without the workload being aware of it
• Elastic: ability to add and remove resources to the pool without interruption of service to active workloads

Slide 8: Cloud Vendor Landscape
• Who will own the new infrastructure and the new customers?
  – Operationally: keys and management
  – Technology: abstraction and hardware
  – Data: e.g. uploading to Amazon is free, getting it back costs $$
  – Expertise: who will be the new “experts”?

Slide 9: Cloud Vendor Landscape: Examples
Dedicated public cloud offerings, by layer (SaaS / PaaS / IaaS):
• Microsoft: Office 365 (SaaS), Azure PaaS, Azure IaaS
• Google: Google Enterprise / Apps (SaaS), Google App Engine (PaaS), Google Compute (IaaS)
• Traditional (but future speculation): Salesforce / AppExchange (SaaS), Force.com (PaaS), Heroku and Elastic Beanstalk (PaaS), Amazon AWS (IaaS)
Private cloud (mix and match):
• Private IaaS: OpenStack, CloudStack, Citrix Cloud Platform
• Private PaaS: OpenShift, Cloud Foundry

Slide 10: Security Layers, Assuming Commercial IaaS / Custom PaaS
Layers:
• Traditional Application Security
• Cloud Provisioning Broker
• Host Access Broker
• Multi-Tenancy Container
• OS or Platform Layer
Actors: Application Administrator, End User, Provisioning Administrator (owns firewall / deployment), OS/Platform Troubleshooting, Internet
Issues called out:
• “No IT work” / patch
• Snapshot proliferation
• Pre-pwned marketplace images
Mid-Talk Quiz: Any guesses on the most common firewall rules / SGs?

Slide 11: Security Challenges: Hidden Costs
• Hidden costs
  – Adding missing security infrastructure and services
  – Managing conflicting assumptions of security responsibility
  – Managing external change
  – Lock-in
• Cloud offerings often don’t include:
  – Consistent authentication standards to and amongst cloud service vendors
  – Access and entitlements management
  – Data security
  – Application and infrastructure audit and reporting
  – Attack detection/monitoring
• Cloud security is still maturing; existing solutions may not address all gaps

Slide 12: Stop the Bleeding: PaaS/SaaS Data Exposure
• Data exfiltration from infrastructure we don’t control
  – Encryption brokers (e.g. CipherCloud)
    » Encrypt data, and you don’t “care”
    » BUT: you can’t process ciphertext
    » Easy: cold storage (Panzura / Riverbed)
    » Tricky: PaaS/SaaS applications
  – Identify and baseline secret data: what really is secret?
  – Identify which operations *must* be cloud-executed
    » Preserve search and sort in some cases
    » Search / sort locally for others
• Data exfiltration from infrastructure we do control
  – Adapt DLP-classic to HTTP(S), or consume compliance-mail feeds
  – Monitor the perimeter (look for undercover cloud adoption, e.g. SkyHigh)

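The search-versus-sort trade-off on this slide, as an added example (not the talk's material and not any vendor's broker code): a toy encryption broker sitting between the firm and a SaaS it does not control. Fields the application must still query get deterministic encryption (synthetic IV derived from the plaintext), so the SaaS can index and exact-match them without keys; everything else gets randomized encryption, which kills server-side search and sort, so sorting is done locally after decryption. The master key, the field classification and the records are constructed; HMAC-SHA256 in counter mode stands in for AES-GCM, which a production broker would take from a vetted library.

```python
"""Toy encryption broker: deterministic (searchable) vs randomized (opaque) fields.
Added example, not from the talk. Stdlib only: HMAC-SHA256 in counter mode plus
an HMAC tag stands in for AES-GCM."""
import hashlib
import hmac
import os
from typing import Dict, List

Record = Dict[str, str]

# Constructed classification and records; field -> "public" | "searchable" | "secret".
CLASSIFICATION = {"email": "searchable", "region": "public", "notes": "secret"}
RECORDS: List[Record] = [
    {"email": "alice@example.com", "region": "ca", "notes": "Q3 acquisition target"},
    {"email": "bob@example.com", "region": "us", "notes": "Q3 acquisition target"},
    {"email": "alice@example.com", "region": "us", "notes": "renewal pending"},
]


def _derive(master: bytes, purpose: bytes) -> bytes:
    """Independent sub-keys so IV derivation, cipher and MAC never share a key."""
    return hmac.new(master, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; XORing with it is the stream cipher used below."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Broker:
    def __init__(self, master_key: bytes, classification: Dict[str, str]):
        self.iv_key = _derive(master_key, b"synthetic-iv")
        self.enc_key = _derive(master_key, b"encrypt")
        self.mac_key = _derive(master_key, b"mac")
        self.classification = classification

    def _seal(self, field: str, value: str, deterministic: bool) -> str:
        pt = value.encode()
        if deterministic:
            # Synthetic IV from the plaintext: equal values give identical ciphertext,
            # which is what lets the SaaS index and exact-match the field, and also
            # what leaks which records share a value.
            nonce = hmac.new(self.iv_key, field.encode() + b"\x00" + pt, hashlib.sha256).digest()[:16]
        else:
            nonce = os.urandom(16)  # fresh per call: no equality leak, no server-side search
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(self.enc_key, nonce, len(pt))))
        tag = hmac.new(self.mac_key, field.encode() + b"\x00" + nonce + ct, hashlib.sha256).digest()
        return (nonce + ct + tag).hex()

    def _open(self, field: str, blob: str) -> str:
        raw = bytes.fromhex(blob)
        nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
        expected = hmac.new(self.mac_key, field.encode() + b"\x00" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"{field}: ciphertext failed authentication")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct)))).decode()

    def protect(self, record: Record) -> Record:
        """What the SaaS stores. Unclassified fields are treated as secret."""
        out: Record = {}
        for field, value in record.items():
            kind = self.classification.get(field, "secret")
            out[field] = value if kind == "public" else self._seal(field, value, kind == "searchable")
        return out

    def unprotect(self, protected: Record) -> Record:
        return {f: v if self.classification.get(f, "secret") == "public" else self._open(f, v)
                for f, v in protected.items()}

    def search_token(self, field: str, value: str) -> str:
        """Token to send the SaaS for an exact-match query on a searchable field."""
        return self._seal(field, value, deterministic=True)


def cloud_exact_match(stored: List[Record], field: str, token: str) -> List[Record]:
    """Runs on the SaaS side: plain string equality, no keys involved."""
    return [r for r in stored if r.get(field) == token]


def local_sort(broker: Broker, stored: List[Record], field: str) -> List[str]:
    """Sort needs plaintext order, so it happens after pulling the records back."""
    return sorted(broker.unprotect(r)[field] for r in stored)


def tamper_detected(broker: Broker, blob: str) -> bool:
    """Flip the last tag byte and confirm the broker refuses the record."""
    flipped = blob[:-2] + ("00" if blob[-2:] != "00" else "11")
    try:
        broker._open("notes", flipped)
    except ValueError:
        return True
    return False


def demo() -> dict:
    broker = Broker(b"constructed master key - not for real use", CLASSIFICATION)
    stored = [broker.protect(r) for r in RECORDS]
    hits = cloud_exact_match(stored, "email", broker.search_token("email", "alice@example.com"))
    return {
        "email_hits": len(hits),                                        # 2: searchable field
        "distinct_notes_ciphertexts": len({r["notes"] for r in stored}),  # 3: two equal plaintexts
        "sorted_notes": local_sort(broker, stored, "notes"),
        "roundtrip_ok": [broker.unprotect(r) for r in stored] == RECORDS,
        "tamper_detected": tamper_detected(broker, stored[0]["notes"]),
    }
```

The point of the split is the cost model on the slide: every field moved into the "searchable" class buys the SaaS a usable index and costs the firm an equality leak, and nothing in the "secret" class can be searched, sorted or reported on without pulling it back through the broker. Deciding which fields land where is the "what really is secret" baseline exercise.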
Slide 13: Case Study in AWS IaaS: Whose Job is Security?
Their job:
• Have NIDS for their network
• Scan their apps
• Separate their tenants / users
NOT their job:
• OS and up
• Manage entitlements and identity
  – Entitlements are inconsistent and overbroad
  – Amazon says “Buy a broker”

Slide 14: Case Study in AWS IaaS: What You Get with Amazon IAM
Authentication:
• Recent enterprise offering
Entitlements:
• In-GUI “global root” permissions per service
• Granular entitlement requires dozens of pages of hand-crafted JSON
• “All or nothing” permissions model is the norm
• AMI, network, IP, and resource permissions are new
Audit:
• CloudTrail: raw dump to an S3 bucket

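The “global root per service” pattern on this slide is easy to recognise mechanically. Below is an added example, not from the talk and not an AWS tool: a small Python linter over IAM policy documents that flags Allow statements with wildcard actions or resources and no Condition block. The policy grammar (Version, Statement, Effect, Action/NotAction, Resource/NotResource, Condition) is the real IAM one; the three sample documents, the bucket name and the finding wording are constructed for the example.

```python
"""Lint AWS IAM policy documents for wildcard Allow statements.
Added example; not from the talk. Sample policies below are constructed."""
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class Finding:
    sid: str
    reasons: List[str] = field(default_factory=list)


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a scalar or a list for Statement, Action, Resource, etc."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> List[Finding]:
    """Return one Finding per Allow statement that grants wildcard actions or resources.

    Deny statements are skipped: a broad Deny narrows access rather than widening it.
    """
    policy: Dict[str, Any] = json.loads(policy_json)
    findings: List[Finding] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        reasons: List[str] = []

        # NotAction inverts the list: everything *except* the named actions is allowed.
        if "NotAction" in stmt:
            reasons.append("NotAction allows every action not listed")
        actions = [a for a in _as_list(stmt.get("Action")) if isinstance(a, str)]
        if "*" in actions:
            reasons.append("Action '*' covers every API call in every service")
        else:
            service_wide = sorted(a for a in actions if a.endswith(":*"))
            if service_wide:
                reasons.append("service-wide wildcard action(s): " + ", ".join(service_wide))

        # Resource '*' (or NotResource) means the grant is not pinned to any ARN.
        if "*" in _as_list(stmt.get("Resource")) or "NotResource" in stmt:
            reasons.append("Resource '*' applies to every resource in the account")

        # A Condition (MFA, source IP, tags) is the usual fence around a broad grant;
        # its absence only matters once the grant is already broad.
        if reasons and "Condition" not in stmt:
            reasons.append("no Condition block constrains when the grant applies")
        if reasons:
            findings.append(Finding(sid, reasons))
    return findings


# Constructed sample: the in-console "full access to one service" shape.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Ec2Root", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Sid": "S3Everything", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    ],
})

# Constructed sample: the hand-crafted, least-privilege alternative.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadAppBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-app-bucket", "arn:aws:s3:::example-app-bucket/*"],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {"Sid": "NoIamChanges", "Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
})

# Constructed sample: a single-statement document that uses NotAction.
NOT_ACTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
})


if __name__ == "__main__":
    for name, doc in [("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY),
                      ("notaction", NOT_ACTION_POLICY)]:
        for f in audit_policy(doc) or [Finding("-", ["no findings"])]:
            print(f"{name}: {f.sid}: {'; '.join(f.reasons)}")
```

Run against the policies attached to every user, group and role in an account (for example from a credential or policy export), this turns the slide's complaint into a list of statements to rewrite; the scoped sample shows what the rewrite looks like and why it runs to "dozens of pages" once every resource is named.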
Slide 15: Case Study in Force.com/Salesforce: What You Get with SFDC
Authentication:
• Username / password by default
• SAML optional
Provisioning:
• API- and UI-based entitlements
Entitlements:
• Very little entitlement hierarchy, but very inter-dependent
• Easy to overprovision
Audit:
• Inconsistent coverage
• Only some via API
• Some require screen scraping
• Missing authorization failures entirely
• Direct path access

Slide 16: Case Study in SaaS: SaaS Vendors Want to Share Data
• Box: phishing-friendly invites from an outside, firm-created user
• Box doesn’t limit or audit sharing of materials from non-firm folders
• Google Apps: allows in-document code that can create an external-facing data flow
• Doing business on social vendors’ sites:
  – Poor validation of participants’ identity or business affiliation
  – Attacks from and propagated by multiple sources; insecure laptops or networks (e.g. open Wi-Fi) via social networking platforms
  – Sites want to grow content volume; firms like us want to know who they are talking to
  – Security barriers that increase confidence but decrease volume are often removed by sites (OAuth 2.0)