Slide 1

Security in the Cloud
Akash Mahajan

Slide 2

You will not learn anything new today. The interesting part is learning why you won't learn anything new today.

Slide 3

CASE STUDIES
Real world security incidents we can all learn from

Slide 4

CASE STUDY 1
Forensic investigation to find a malicious insider in the AWS cloud

Slide 5

Malicious insider deleted data on AWS
• All data was on EBS disks
• Once the client realised that there was an issue, the server was replicated and the original server left untouched
• The EBS disk from the original server was replicated (via a snapshot) and mounted in a new instance

Slide 6

Forensic process
• Focus on data recovery for logs/history
• A disk image (ISO) was created from the mounted disk
• Using TSK (The Sleuth Kit) tools, strings were extracted from the image
• Able to find a fairly large extract of text from the audit logs of one of the servers
• The log snippet contained the user who logged in and ran the delete commands
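The string-carving step above is the whole investigation in miniature: deleted log lines survive in unallocated blocks, and a regex over the printable runs recovers who ran what. The following is an added example (not the talk's own tooling) that does that step in Python instead of TSK: it builds a small constructed stand-in for a raw EBS image, carves printable runs from it the way `strings` does, and keeps the sudo log lines whose command destroyed data. The log format is the real one sudo writes to auth.log; the hosts, users and commands are made up for the example.

```python
import hashlib
import re
from typing import Dict, Iterator, List

# Same default as `strings`: keep printable runs of at least 4 characters.
MIN_RUN = 4

# sudo writes one line per command to auth.log / secure; the format below is
# the real one, the log content itself is constructed for this example.
SUDO_LINE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Commands that destroy data; drop/truncate also catch `mysql -e '...'`.
DESTRUCTIVE = re.compile(r"\b(rm|rmdir|shred|unlink|drop|truncate)\b", re.I)


def carve_strings(image: bytes, min_run: int = MIN_RUN) -> Iterator[str]:
    """Yield printable-ASCII runs from a raw image, the way `strings` does.
    Newlines are not printable, so each run is at most one log line."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_run)
    for m in pattern.finditer(image):
        yield m.group().decode("ascii")


def find_destructive_commands(image: bytes) -> List[Dict[str, str]]:
    """Carve sudo log lines out of the image and keep those that deleted data."""
    hits = []
    for run in carve_strings(image):
        m = SUDO_LINE.search(run)  # search, not match: filesystem junk may precede the line
        if m and DESTRUCTIVE.search(m["cmd"]):
            hits.append({"ts": m["ts"], "user": m["user"],
                         "target": m["target"], "cmd": m["cmd"]})
    return hits


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw EBS image: pseudo-random filler with
    fragments of a deleted auth.log scattered through unallocated space."""
    filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    fragments = [
        b"Mar 14 02:11:07 db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; "
        b"USER=root ; COMMAND=/bin/systemctl status mysql\n",
        b"Mar 14 02:13:52 db01 sudo:   bob : TTY=pts/1 ; PWD=/var/lib/mysql ; "
        b"USER=root ; COMMAND=/bin/rm -rf /var/lib/mysql/prod\n",
        # A line chopped at a block boundary: the header is gone, so it cannot
        # be attributed automatically and has to be read by hand.
        b"COMMAND=/bin/rm -rf /backup/prod-2014\n",
        b"Mar 14 02:14:10 db01 sudo:   bob : TTY=pts/1 ; PWD=/var/lib/mysql ; "
        b"USER=root ; COMMAND=/usr/bin/mysql -e 'DROP DATABASE prod'\n",
    ]
    image = bytearray()
    for frag in fragments:
        image += filler + frag
    return bytes(image + filler)


if __name__ == "__main__":
    for hit in find_destructive_commands(build_sample_image()):
        print(f"{hit['ts']}  {hit['user']} (as {hit['target']}): {hit['cmd']}")
```

Run it against a real image with `find_destructive_commands(open("/dev/xvdf", "rb").read())` on a volume restored from the snapshot, never on the original; the headerless fragment in the sample shows why the carved strings still need a human pass.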

Slide 7

CASE STUDY 2
Platform and application using IaaS (AWS)

Slide 8

Platform & app using IaaS (AWS)
• Configuration pretty strong
• No way to reach the ports unless the source IP is whitelisted
• Application security issues found

Slide 9

How did we test?
1. Whitelisted our IP in the security groups
2. Were then able to see the ports and the application
Discovered that an internal enterprise mobile application was connecting to a certain port which was open to all, without any authentication (authn) or authorization (authz)
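The port the mobile application used was reachable from anywhere, and nothing in the security-group review caught it because the review stopped at "the SSH and admin ports are whitelisted". An added example (not the talk's own tooling) of the check that would have caught it: parse the JSON that `aws ec2 describe-security-groups` returns and report every ingress rule open to 0.0.0.0/0 or ::/0 that is not plain 443/tcp. The JSON below is constructed to match that command's output shape; the group ids, names and port 9000 are made up.

```python
import json
from ipaddress import ip_network
from typing import Dict, List

# Ports that may legitimately face the whole Internet (TLS-terminated, with
# their own authentication). Everything else open to the world is a finding.
WORLD_OK_TCP_PORTS = {443}

# Constructed to look like `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32", "Description": "pentest"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "mobile-api", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0c8d9e0f", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]}]},
    {"GroupId": "sg-01234567", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []}]},
]})


def is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (prefix length zero)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(describe_json: str) -> List[Dict]:
    """Return every ingress rule that exposes anything but 443/tcp to the world."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if is_world(c)]
            if not world:
                continue  # only reachable from listed ranges or other groups
            proto = perm["IpProtocol"]
            if proto == "-1":  # all protocols, all ports
                ports, allowed = "all", False
            else:
                lo, hi = perm["FromPort"], perm["ToPort"]
                ports = str(lo) if lo == hi else f"{lo}-{hi}"
                allowed = proto == "tcp" and lo == hi and lo in WORLD_OK_TCP_PORTS
            if not allowed:
                findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                                 "proto": proto, "ports": ports, "cidrs": world})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['group']} ({f['name']}): {f['proto']}/{f['ports']} "
              f"open to {', '.join(f['cidrs'])}")
```

Feed it `aws ec2 describe-security-groups --output json` for each region; world-open ICMP is reported too, which is usually what you want in an audit. The group "db" passes because its only source is another security group, which is the pattern the mobile API should have used.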

Slide 10

CASE STUDY 3
Application (In)Security Loves XXE

Slide 11

Application (In)Security & XXE
• Researcher finds that he can inject his own file name and path (an XML External Entity, XXE, injection) into an application running on AWS EC2
• EC2 uses Auto Scaling
• Auto Scaling requires information about the instance to be present on the EC2 instance itself
• The instance metadata web server (169.254.169.254) serves that information, including temporary credentials, to local HTTP requests; an XXE that makes the server fetch a URL therefore pwns the server and its credentials

Slide 12

CASE STUDY 4
Infrastructure Security Fail

Slide 13

BrowserStack Hack
• Old neglected server, not being used
• Server is brought up to check something
• Unpatched server is left running on the Internet without any network protection
• Attacker compromises the server, steals the AWS credentials and manages to email all its customers about how bad the company is

Slide 14

AWS and Rackspace Host OS Vuln
24th September 2014

Slide 15

AWS and Rackspace Host OS Vuln
From the Amazon AWS blog: Xen hypervisor security issues

Slide 17

What does this mean?
• Security in the cloud is really not very different from regular security
• Same principles and processes apply
• Same tools and techniques apply
• IT folks simply need to understand the best way to get the same thing done

Slide 18

Moving from blackbox to whitebox

Slide 19

Where we are headed?
• External pen tests on infra
• External VA/PT on applications
• OS configuration audits
• Architecture review
• Testing firewalls
• DoS testing
• Identity & Access Management

Slide 20

WHAT IS CLOUD COMPUTING?

Slide 21

Cloud computing is computing in which large groups of remote servers are networked to allow the centralized data storage, and online access to computer services or resources.
- From http://en.wikipedia.org/wiki/Cloud_computing

Slide 22

How is cloud computing different from?
• Grid computing
• Distributed computing
• Large scale clusters

Slide 23

Elasticity is the degree to which a system is able to adapt to workload changes

Slide 24

How do we get elasticity?
By provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible.

Slide 25

Autonomic manner
The system makes decisions on its own, using high-level policies; it will constantly check and optimize its status and automatically adapt itself to changing conditions.

Slide 26

AWS Auto-scale: an example of elasticity

Slide 27

The tech behind cloud computing is not new

Slide 28

WHAT MAKES UP THE CLOUD COMPUTING STACK?

Slide 29

Virtualization
The main enabling technology for cloud computing

Slide 30

Service Oriented Architecture (SOA)
Breaking business problems into services that can be integrated

Slide 31

Programmable APIs
Ability to interact with the services offered using programs and the libraries provided

Slide 32

Management Layer
Ability to interact with the services offered using a web based front-end for management & billing

Slide 33

High Speed Networks
All of the above talk to each other using high speed networks

Slide 34

Cloud computing stack (top to bottom)
• Management Layer
• Programmable APIs
• Service Layer
• OS Level Virtualization

Slide 35

OS LEVEL VIRTUALIZATION

Slide 36

What is virtualization?
It separates a physical computing device into one or more "virtual" devices

Slide 37

OS level virtualization
It essentially creates a scalable system of multiple independent computing devices.

Slide 38

OS level virtualization
Idle computing resources can be allocated and used more efficiently

Slide 39

Virtualization provides agility
• Speeds up IT operations
• Reduces cost by increasing infrastructure utilization

Slide 40

Virtualization provides automation
• Cloud computing automates the process through which the user can provision resources on demand.
• By minimizing user involvement, automation speeds up the process, reduces labor costs and reduces human errors

Slide 41

SERVICE ORIENTED ARCHITECTURE FOR CLOUD SERVICES

Slide 42

What does SOA contain?

Slide 43

Compute
processor, random access memory

Slide 44

Storage
persistent, redundant, scalable, infinite and cheap

Slide 45

Network
all pervasive, based on TCP/IP, gigabit fast and more

Slide 46

Management
what we use to manage or work with the service

Slide 47

Metrics and Measured Service
billing is like utility services and every service is measurable

Slide 48

PROGRAMMABLE APIS AND MANAGEMENT LAYER

Slide 49

Programmable APIs
Start, stop, pause virtual servers
ec2-run-instances
gcloud compute instances create

Slide 50

Management Layer
Basically a web based control panel

Slide 51

Management Layer

Slide 52

SERVICE MODELS

Slide 53

Cloud Service Models

Slide 54

Software As A Service
Meant for end users to consume a service using applications and data storage

Slide 55

Platform As A Service
Meant for developers to utilize an integrated development platform and framework

Slide 56

Infrastructure As A Service
Basic cloud service building blocks are given, like server instances, storage and network

Slide 57

DEPLOYMENT MODELS FOR THE CLOUD

Slide 58

Cloud can be in your office too

Slide 59

Deployment Models
• Public
• Private
• Hybrid

Slide 60

Public Cloud
A cloud is called a "public cloud" when the services are rendered over a network that is open for public use.

Slide 61

Private Cloud
Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third-party, and hosted either internally or externally

Slide 62

Hybrid Cloud
Hybrid cloud is a composition of two or more clouds (private, community or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models.

Slide 63

SECURITY IN THE PUBLIC CLOUD
We will restrict our discussion to the security of the public cloud

Slide 64

Shared Sense of Security
Public cloud vendors and customers have a shared sense of security

Slide 66

Shared Responsibility of Security
Public cloud vendors and customers have to share security responsibility

Slide 69

Division of Responsibility

Slide 70

IaaS CSP takes care of
• Physical security (nobody should walk away with the server, including the government)
• Host OS which runs the virtualization software
• Virtualization security (rogue VMs can't harm others)

Slide 71

IaaS CSP takes care of
• Environmental safeguards (DC is safe to run servers)
• Administrative controls (policies and procedures)
• Certifications and accreditations (SAS 70, SOC 1, PCI, ISO 27001)

Slide 72

You take care of
• Guest OS (the compute instance)
• Application security (the application on the compute instance)
• Data security (the data being generated and processed by the application)
• Network security for the guest & applications
• Security monitoring of guest OS & applications

Slide 73

A few public cloud vendors

Slide 74

Does Cloud Need Security?
Wrong question to ask; the question should be…

Slide 75

Do we need to worry about our data, our infra, our apps stored in the public cloud?

Slide 76

Our apps in the public cloud
• This applies only to IaaS and PaaS, as in SaaS it is not our application
• An insecure app can expose the underlying infrastructure and data to theft, corruption and exposure

Slide 77

Security Testing of Apps
• No different from testing any application for security
• We might require permission from the CSP to run automated scanners against the app
• Ideal frameworks to test against are the OWASP Top 10 and the OWASP Testing Guide

Slide 78

App Insecurity Scenario
• App has a Local File Inclusion (LFI) bug
• The AWS root account credentials are being used
• They are stored in a world-readable file on the server
• Attacker reads the credentials and starts multiple large instances to mine bitcoins
• Victim is saddled with a massive bill at the end of the month
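Two of the four bullets are conditions you can check for on your own instances before an attacker does: long-lived keys sitting in files, and files the web server's user (or anyone) can read. An added example (not the talk's own tooling) walks a directory tree and reports every file that contains an AWS access key id, with its mode and whether it is world-readable. The sample tree it builds is constructed; the key ids and secrets in it are the values AWS uses in its own documentation, not real credentials. The paths and file names are made up.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# AWS access key ids: AKIA (long-lived) or ASIA (temporary) plus 16 characters.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_HINT = re.compile(r"(?i)aws_secret_access_key|secret_key|secretkey")


def scan_credential_files(root: str, max_bytes: int = 1 << 20) -> List[Dict]:
    """Walk `root`, report files containing AWS key ids and whether they are
    world-readable (mode o+r), which is what turns an LFI into an account takeover."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or st.st_size > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    text = fh.read().decode("utf-8", errors="replace")
            except OSError:
                continue
            key_ids = sorted(set(AWS_KEY_ID.findall(text)))
            if not key_ids:
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "world_readable": bool(st.st_mode & stat.S_IROTH),
                "key_ids": key_ids,
                "has_secret": bool(SECRET_HINT.search(text)),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Constructed web root: a world-readable PHP config with a long-lived key,
    a properly locked-down ~/.aws/credentials, and a harmless file."""
    root = tempfile.mkdtemp(prefix="cred-audit-")
    samples = {
        "app/config.php": (
            "<?php\n$aws = ['key' => 'AKIAIOSFODNN7EXAMPLE',\n"
            "        'secret_key' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'];\n", 0o644),
        "home/deploy/.aws/credentials": (
            "[default]\naws_access_key_id = AKIAI44QH8DHBEXAMPLE\n"
            "aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY\n", 0o600),
        "app/README.md": ("Deploy with `make deploy`.\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)  # POSIX modes; the check is meaningless on Windows
    return root


if __name__ == "__main__":
    for f in scan_credential_files(build_sample_tree()):
        flag = "WORLD-READABLE" if f["world_readable"] else "ok"
        print(f"{f['path']}: mode {f['mode']} [{flag}] "
              f"keys={f['key_ids']} secret={f['has_secret']}")
```

Anything this reports with `world_readable` true is an incident waiting for an LFI; anything it reports at all is a long-lived key that an instance role would have made unnecessary, and a key with `AKIA` in a config file is worth checking against the account's root user before assuming it is a scoped IAM user.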

Slide 79

Our infra in the public cloud
• This applies only to IaaS, as in SaaS and PaaS it is not our application or infra
• Infrastructure vulnerabilities can derail any app security in place.

Slide 80

Security Testing of Infra
• No different from testing a server for security
• We may require permission from the CSP to run automated scanners against the server
• Ideal frameworks to test against are any penetration testing standard: PTES / OSSTMM

Slide 81

Infra Insecurity Scenario
• MySQL production database is listening on an externally reachable port
• Developers work directly on the production database and require SQL management software
• They log in using the root user of the MySQL database server and a simple password
• Attacker runs a brute force script, cracks the password and gains full access to the database
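A brute force against MySQL is noisy: every failed attempt lands in the error log as an "Access denied" line. An added example (not the talk's own tooling) runs the detection a monitoring job would: it parses those lines, keeps a sliding window of failures per source host and user, and raises one alert when the count inside the window crosses a threshold. The log excerpt is constructed, in the MySQL 5.7 error-log format; the IP addresses, user names and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# MySQL 5.7 error-log line for a failed login (needs log_warnings >= 2 / log_error_verbosity=3).
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{6}Z) \d+ \[(?:Note|Warning)\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?:YES|NO)\)"
)

# Constructed log excerpt: one external host hammering root, one developer typo,
# one stray attempt without a password.
SAMPLE_ERROR_LOG = """\
2014-10-02T03:21:07.000123Z 41 [Note] Access denied for user 'root'@'198.51.100.23' (using password: YES)
2014-10-02T03:21:08.000901Z 42 [Note] Access denied for user 'root'@'198.51.100.23' (using password: YES)
2014-10-02T03:21:09.000118Z 43 [Note] Access denied for user 'root'@'198.51.100.23' (using password: YES)
2014-10-02T03:21:09.500412Z 44 [Note] Access denied for user 'app'@'10.0.1.5' (using password: YES)
2014-10-02T03:21:10.000005Z 45 [Note] Access denied for user 'root'@'198.51.100.23' (using password: YES)
2014-10-02T03:21:11.000000Z 46 [Note] Access denied for user 'root'@'198.51.100.23' (using password: YES)
2014-10-02T03:21:12.000002Z 47 [Note] Access denied for user 'root'@'198.51.100.23' (using password: YES)
2014-10-02T03:22:40.000002Z 48 [Note] Access denied for user 'app'@'10.0.1.5' (using password: YES)
2014-10-02T03:25:01.000000Z 49 [Note] Access denied for user 'root'@'203.0.113.9' (using password: NO)
"""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window_s: int = 60) -> List[Dict]:
    """Alert once per (host, user) when `threshold` failures land inside `window_s` seconds."""
    recent: Dict[tuple, deque] = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        m = ACCESS_DENIED.match(line)
        if not m:
            continue
        key = (m["host"], m["user"])
        now = _ts(m["ts"])
        window = recent[key]
        window.append(now)
        while (now - window[0]).total_seconds() > window_s:  # drop failures outside the window
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": key[0], "user": key[1], "failures": len(window),
                           "first": window[0].isoformat(), "last": now.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_ERROR_LOG.splitlines()):
        print(f"brute force: {a['user']}@{a['host']} {a['failures']} failures "
              f"between {a['first']} and {a['last']}")
```

The detection is the fallback; the fix for the scenario is that 3306 should never have been reachable from the Internet (bind-address on a private address and a security group that only admits the application tier), developers should come in through a bastion or SSH tunnel with their own accounts, and root@'%' should not exist.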

Slide 82

HEARTBLEED – AN ILLUSTRATION OF AN INFRASTRUCTURE VULNERABILITY

Slide 83

Our data in the public cloud
• This applies to all of PaaS, IaaS and SaaS
• Our data can get leaked, exposed, stolen or held to ransom if we don't make sure it is safe while being used, while being transmitted and while being stored

Slide 84

Verifying Data Security through Testing
• This is a specialized testing requirement. A part of it can be tested by looking at the system and application architecture
• All the places where the data can be written, sent or travel need to be looked at
• Writing to storage, exposing APIs, backups and even insider threats

Slide 85

Verifying Data uses Encryption
• Data at rest is encrypted
  – This ensures that if an attacker has access to the disk/store, they can't use the data
• Data in motion is encrypted
  – This ensures that if an attacker can sniff the network traffic they can't see or tamper with the data
• Data in use (tmp files, keys loaded in memory)
  – This ensures that an attacker can't do catastrophic damage if they manage to gain access to a server

Slide 86

Secure Key Management
• Once we start using encryption for data storage and data transmission, the encryption keys need to be safeguarded against theft and accidental loss
• A secure key management process will ensure that at any point keys can be revoked and reissued
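"Keys can be revoked and reissued at any point" only works if the bulk data does not have to be re-encrypted every time, which is what a key hierarchy buys you: each object gets its own data key, data keys are wrapped under a versioned master key, and rotating the master means re-wrapping a few kilobytes of data keys rather than terabytes of backups. The following is an added example (not the talk's own code and not any provider's KMS) of that envelope scheme with rotation and revocation. It uses HMAC-SHA256 in counter mode with encrypt-then-MAC purely so it runs on the Python standard library; use AES-GCM from a vetted library, or the provider's key management service, in production.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Set, Tuple

# The cipher (HMAC-SHA256 as a PRF in counter mode, encrypt-then-MAC) is a
# stand-in for AES-GCM so this runs with the standard library alone. The point
# of the example is the key hierarchy, not the cipher.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyStore:
    """Versioned master keys (KEKs). Revoked versions are deleted, not just flagged."""

    def __init__(self) -> None:
        self.masters: Dict[int, bytes] = {}
        self.revoked: Set[int] = set()
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        self.current += 1
        self.masters[self.current] = os.urandom(32)
        return self.current

    def revoke(self, version: int) -> None:
        self.revoked.add(version)
        self.masters.pop(version, None)

    def wrap(self, data_key: bytes) -> Tuple[int, bytes]:
        return self.current, seal(self.masters[self.current], data_key)

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        if version in self.revoked or version not in self.masters:
            raise PermissionError(f"master key v{version} is revoked or unknown")
        return unseal(self.masters[version], wrapped)


def encrypt_object(ks: KeyStore, plaintext: bytes) -> Dict:
    """Envelope encryption: a fresh data key per object, wrapped under the current KEK."""
    data_key = os.urandom(32)
    version, wrapped = ks.wrap(data_key)
    return {"kek_version": version, "wrapped_key": wrapped, "blob": seal(data_key, plaintext)}


def decrypt_object(ks: KeyStore, obj: Dict) -> bytes:
    return unseal(ks.unwrap(obj["kek_version"], obj["wrapped_key"]), obj["blob"])


def rotate_and_rewrap(ks: KeyStore, objects: List[Dict]) -> int:
    """Issue a new KEK, re-wrap every data key under it, revoke the old KEKs.
    The bulk ciphertext is untouched, which is what makes rotation cheap."""
    old_versions = {obj["kek_version"] for obj in objects}
    ks.rotate()
    for obj in objects:
        data_key = ks.unwrap(obj["kek_version"], obj["wrapped_key"])
        obj["kek_version"], obj["wrapped_key"] = ks.wrap(data_key)
    for v in old_versions:
        ks.revoke(v)
    return ks.current


if __name__ == "__main__":
    ks = KeyStore()
    backup = encrypt_object(ks, b"customers.sql: constructed backup contents")
    rotate_and_rewrap(ks, [backup])
    print(decrypt_object(ks, backup), "decrypted under KEK v%d" % backup["kek_version"])
```

The same structure is why a leaked data key compromises one object and a leaked master key is an incident: the master keys are the thing to keep in an HSM or KMS, and the revocation step has to actually delete the old version, as `revoke` does here, rather than leave it lying around in case something still needs it.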

Slide 87

Data Insecurity Scenario
• Database is getting backed up regularly.
• Due to performance reasons, the database wasn't encrypted when the initial backups were done.
• Dev team moves to newer SSDs and doesn't decommission the older HDDs.
• Attacker finds an older HDD, does forensic data recovery and sells the data for profit.

Slide 88

Cloud versus the IT department

Slide 89

How does being in the cloud change the traditional IT department?

Slide 90

How do IT departments manage cloud instances & data?

Slide 91

Does the company's infosec policy still apply?

Slide 92

Do the country's cyber laws still apply?

Slide 93

HOW DO YOU TEST FOR SECURITY?
What are the frameworks for testing cloud? Can we follow some best practices?

Slide 94

Cloud Security Alliance
• Security Guidance document
• https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
• Covers 14 critical area domains
  – Security As A Service got added!

Slide 95

European Network and Information Security Agency (ENISA)
• Cloud Computing Information Assurance Framework
• http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance-framework/at_download/fullReport
• Covers 15 areas in OpSec & Identity & Access Management

Slide 96

Why infrastructure first?
In all cases the Cloud Service Provider (CSP) takes care of physical security and the host operating system. So we just need to worry about the guest OS and all the infrastructure running on it.

Slide 97

5 Pillars of Security in IaaS
• Identity and Access Management
• Configuration and Patch Management
• Endpoint and Network Protection
• Vulnerability and Asset Management
• Data Protection

Slide 98

How do the CSPs stack up for security? (older slide)

CSP / Security Feature           | AWS            | Google Compute Engine | Microsoft Azure | Rackspace
IAM                              | YES            | YES                   | YES             | Sort of
2FA for Management Layer         | Need to enable | Need to enable        | NO              | NO
Network Isolation                | YES            | YES                   | YES             | YES
Virtual Private Networks         | YES            | YES                   | YES             | YES
Firewall                         | YES            | YES                   | YES             | YES
Centralized Logs and Audit Trail | YES            | NO                    | NO              | NO
Encryption for Storage           | YES            | YES                   | YES             |
Key Management                   | YES            | YES                   | YES             | YES

Slide 99

THANK YOU
• Akash Mahajan | @makash | [email protected]
• Appsecco | Appsecco.com | @appseccouk

Slide 100

Attributions
• Cloud image background from www.perspecsys.com
• Virtualization image by Qingqing Chen (own work) [Public domain], via Wikimedia Commons
• CPU usage: https://www.wormly.com/help/windows-server/cpu-usage-win32
• Yoga agility by Earl McGehee (own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
• Toyota robot at Toyota Kaikan
• AWS Scale on Demand: http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-scale-based-on-demand.html
• SOA for cloud computing: http://www.communitydatalink.com/portfolio/cloudservices/
• http://www.rackspace.com/knowledge_center/whitepaper/understanding-the-cloud-computing-stack-saas-paas-iaas
• By Sam Joton (Wikipedia) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons