Slide 1

Slide 1 text

A Guide to Securing your cloud deployment using open source tools

12 STEPS TO CLOUD SECURITY

Slide 2

Slide 2 text

ABOUT ME

Vishnu Vettrivel
Principal Engineering Lead, Atigeo
linkedin.com/in/cloudronin
@cloudronin

Many years building, securing and operating cloud based, data-driven systems for Financial, Government and Healthcare sectors. Longtime Linux user and champion of open and secure development.

Slide 3

Slide 3 text

STEP 1: KNOW YOUR RESPONSIBILITY

Cloud providers are responsible for some parts of the infrastructure stack. The other parts of the security stack are your responsibility.

You are usually responsible for Application Security, Policies and configuration, machine images etc.

Slide 5

Slide 5 text

STEP 2: PROTECT YOUR NETWORK

Use Defense in Depth and services like:

• Virtual Private Clouds
• Network ACLs
• Routing rules
• Proxy Servers: Nginx
• NAT
• Firewalls
  – Application: modsecurity
  – Host: iptables
  – Network: pfSense

Slide 6

Slide 6 text

STEP 3: PROTECT YOUR MACHINE IMAGES

• Be sure you harden your images first
• Turn off insecure ports and services
• Change default passwords.
• Install AV Software
• Consider using a Baseline (STIGs)
  – System specific checklists
• Learn about SCAP
• Tools:
  – open-scap.org

Slide 7

Slide 7 text

STEP 4: PROTECT YOUR DATA AT REST

• Know the different Cloud storage mechanisms and their Security implications.
• De-identify when possible
• Understand the choices of Encryption primitives like key strength and Cipher types.
• Don’t forget Secure Archival and Disposal of Data.
• Tools:
  – LUKS
  – dm-crypt
  – TrueCrypt
  – GNU shred

Slide 8

Slide 8 text

STEP 5: PROTECT YOUR DATA IN TRANSIT

• Use secure application protocols whenever possible:
  – TLS
  – SSH
  – RDP
• Securely Tunnel traffic when not possible:
  – IPsec
  – SSL VPN
  – SSH
• Use a Key Management System
• Tools
  – Openswan
  – OpenVPN

Slide 9

Slide 9 text

STEP 6: PROTECT AND PATCH YOUR INSTANCES

• Define and Categorize Cloud based assets
• Watch out for Zero Days
• Classify Risk
• Patch Affected Systems
• Use a Configuration Management System
• Tools
  – Nessus
  – OpenVAS

Slide 10

Slide 10 text

STEP 7: PROTECT ACCESS TO YOUR INSTANCES

• Create Individual User accounts (IAM)
• Use a Group/Role based permission model
• Grant Least privilege based on Business Need
• Enable Multi-Factor Auth (MFA) for Privileged Users
• Audit all User Activity
• Federate all User Access through a Directory Service
• Root Cloud Accounts should not be used.
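Added example (not from the slides): a small evaluator that applies the Step 7 advice as code, using the AWS IAM statement shape and evaluation order (explicit Deny beats Allow, otherwise implicit deny). The group policies, user names and the stricter treatment of a missing MFA key are constructed assumptions.

```python
"""Least-privilege policy check in the style of AWS IAM (simplified)."""
from fnmatch import fnmatchcase

# Constructed group policies (assumed, not the deck's own). Privileged
# admin actions carry an explicit Deny unless MFA was used to sign in.
POLICIES = {
    "developers": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:GetObject"], "Resource": "*"},
    ],
    "admins": [
        {"Effect": "Allow", "Action": ["ec2:*", "iam:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:TerminateInstances", "iam:*"], "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _condition_holds(cond, ctx):
    # Only the Bool operator is modelled. Assumption: a key missing from the
    # request context counts as "false" (real IAM needs BoolIfExists for that).
    for key, want in cond.get("Bool", {}).items():
        if str(ctx.get(key, False)).lower() != want.lower():
            return False
    return True

def evaluate(groups, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request.

    groups: names of the groups the user belongs to (group/role model);
    ctx: request context, e.g. {"principal": "alice",
                                 "aws:MultiFactorAuthPresent": True}.
    """
    if ctx.get("principal") == "root":
        return "Deny"  # slide: root cloud accounts should not be used at all
    decision = "Deny"  # implicit deny until some statement allows
    for group in groups:
        for stmt in POLICIES.get(group, []):
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if not any(fnmatchcase(action, a) for a in actions):
                continue
            if not fnmatchcase(resource, stmt["Resource"]):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins regardless of other Allows
            decision = "Allow"
    return decision

if __name__ == "__main__":
    print(evaluate(["admins"], "ec2:TerminateInstances", "*", {"principal": "bob"}))
```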

Slide 11

Slide 11 text

STEP 8: PROTECT YOUR APPLICATIONS

• Implement AAA (Authentication, Authorization and Auditing).
• Familiarize yourself with the OWASP Top 10 Application Security Flaws.
• Follow Secure Development Best Practices.
• Tools:
  – Jenkins
  – PMD
  – FindBugs

Slide 12

Slide 12 text

STEP 9: AUDIT AND MONITOR YOUR CLOUD

• Gather monitoring data at a secure and separate Network
• Establish baselines
• Monitor all layers and Protocols
• Deploy the IDS behind the Network firewall
• Fine tune alert levels
• Use redundant alerting channels
• Tools:
  – Nagios
  – ELK Stack
  – Watcher
  – Snort
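Added example (not from the slides): "establish baselines" and "fine tune alert levels" from Step 9 done in code, with alert tiers expressed as multiples of a baseline rather than fixed numbers. The sshd-style log lines, the baseline window and the tier multipliers are constructed assumptions.

```python
"""Baseline-driven alert tiers over failed-login log lines."""
import re
from collections import Counter
from statistics import mean, pstdev

# Matches the OpenSSH "Failed password" syslog line; the source address is
# the only field the detection needs.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<src>\S+)")

# Constructed baseline: failed logins per bucket during a known-quiet period.
BASELINE_BUCKETS = [2, 3, 1, 4, 2, 3, 2, 1]

# Alert tiers as standard deviations above the baseline mean, highest first.
# Adjusting these multipliers is the "fine tune alert levels" knob.
TIERS = (("critical", 6.0), ("high", 4.0), ("warning", 2.0))

def baseline(counts):
    """Mean and population standard deviation of the quiet-period counts."""
    return mean(counts), pstdev(counts)

def failures_by_source(lines):
    """Count failed SSH logins per source address in one window of lines."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts

def classify(count, mu, sigma):
    """Map a per-source count to an alert tier; None means within baseline."""
    for name, k in TIERS:
        if count > mu + k * sigma:
            return name
    return None

def alerts(lines, baseline_counts=BASELINE_BUCKETS):
    """Return {source: tier} for every source that exceeds the baseline."""
    mu, sigma = baseline(baseline_counts)
    result = {}
    for src, n in failures_by_source(lines).items():
        tier = classify(n, mu, sigma)
        if tier:
            result[src] = tier
    return result

# Constructed sample window: one source hammering root, one single failure.
SAMPLE = ["Jun  1 10:00:%02d web1 sshd[101]: Failed password for root from "
          "198.51.100.7 port 41%02d ssh2" % (i, i) for i in range(12)]
SAMPLE += ["Jun  1 10:01:00 web1 sshd[102]: Failed password for invalid user bob from 203.0.113.9 port 4100 ssh2",
           "Jun  1 10:01:03 web1 sshd[103]: Accepted publickey for deploy from 203.0.113.9 port 4101 ssh2"]
```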

Slide 13

Slide 13 text

STEP 10: VALIDATE YOUR PROTECTION

• Test Network, Infrastructure and Applications separately for Security Vulnerabilities periodically
• Check for Input validation, session manipulation, authentication and information leakage
• Use 3rd Party Tools where possible
• Tools:
  – Metasploit
  – Kali Linux
  – OpenVAS

Slide 14

Slide 14 text

STEP 11: AUTOMATE EVERYTHING

• Use a Configuration Management System
• Employ Continuous Integration and Delivery.
• Automated Provisioning helps:
  – Documentation
  – BCP/DR Planning
  – Change Management
• Treat Infrastructure as Code.
• Tools:
  – Docker
  – Ansible
  – Chef

Slide 15

Slide 15 text

STEP 12: MAINTAIN SECURITY POLICIES

• Define security scope and boundaries
• Select proper risk Assessment Methodology.
• Align policies to Contractual Obligations
• Choose a suitable Security control framework
• Compliance Management Tools:
  – OpenFISMA
  – PTA
  – SOMAP
  – GLPI

Slide 16

Slide 16 text

STEP 13? THERE IS NO MAGIC BULLET!

• Some things are easier and some are harder in the Cloud
• Conventional security and compliance concepts still apply in the cloud.
• The 12 Steps will get you started on your continuous security improvement cycle

Slide 17

Slide 17 text

RESOURCES

• https://s3.amazonaws.com/awsmedia/AWS_Security_Best_Practices.pdf
• http://checklists.nist.gov/
• https://www.us-cert.gov/
• https://www.owasp.org/index.php/Top_10_2013-Top_10
• https://www.cert.org/incident-management/
• http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
• https://en.wikipedia.org/wiki/Penetration_test
• http://www.drdobbs.com/architecture-and-design/top-10-practices-for-effective-devops/240149363
• https://en.wikipedia.org/wiki/Information_security_management_system

ATIGEO CONFIDENTIAL

Slide 18

Slide 18 text

THANK YOU

Vishnu Vettrivel
linkedin.com/in/cloudronin
@cloudronin

Slide 19

Slide 19 text

© 2015 Atigeo, Corporation. All rights reserved. Atigeo and the xPatterns logo are trademarks of Atigeo. The information herein is for informational purposes only and represents the current view of Atigeo as of the date of this presentation. Because Atigeo must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Atigeo, and Atigeo cannot guarantee the accuracy of any information provided after the date of this presentation. ATIGEO MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.