Slide 1

Cloud Security: There's a Storm Coming
May 19th, 2015, 11:00AM
Mark Stanislav, Sr. Security Consultant, Rapid7

Slide 2

Presentation will be available at: www.misti.com/download
Download password is available in your Show Guide

Slide 3

…and their APIs, SDKs, services, networks, storage, employees, customers, data centers…

Slide 4

Security Maturity is More Than Breach Stats
■ The first ~10 years of Cloud Computing were mostly spent understanding what the ecosystem could, and should, look like for everyone from end users to large enterprises
■ A lot of details had to be sorted out:
  ◆ What hypervisors do we use? What should APIs look like?
  ◆ How do you scale regions, but prevent cascading failures?
  ◆ Which types of compliance audits can we still pass?
  ◆ How do we segment data stores and encrypt properly?
  ◆ Who are the industry leaders and who are the followers?
  ◆ What cloud-based companies will be darlings or deadbeats?
  ◆ Which cloud breaches and stories will define those years?

Slide 5

An “Early” Paper That I Still Love
Published in 2009 covering EC2 instance mapping, side-channel attacks, and co-residency attacks.

Slide 6

Highly Complex Attacks? Eh, Not So Much…
■ There are absolutely vulnerabilities being found and research being cultivated around attacks against hypervisors and other low-level technology powering cloud deployments
■ Much like all computing, one big deal is having a cloud provider who has the technical capabilities and dedication to security to efficiently patch their underlying architecture

Slide 7

So What’s Really Going Wrong Then?

Slide 8

Authentication Security
■ Using an Internet-facing service, with all of your “eggs in one basket,” only being protected by a password? Hmm…
■ Cloud computing is, in my opinion, the biggest reason two-factor authentication adoption has accelerated so dramatically
■ AWS, Azure, Linode, Rackspace, Heroku, GCE, Joyent, and more have some form of auth security beyond only a password
#shameless: Check out https://twofactorauth.org

Slide 9

Two-Factor is Not Just a “Nice to Have”
[Chart: 2FA Deployments for Web Services, through June 2014]

Slide 10

Password Reuse, Anyone?

Slide 11

Access Control Security
■ How much access does a given user or API key have?
  ◆ Create sub accounts that have limited console access
  ◆ API keys should be per application, with only the privileges that application needs
  ◆ Leverage standards like SAML and XACML
  ◆ Define roles and implement RBAC either natively or custom
■ Auditability is often forgotten about
  ◆ When did they login? Where from? What did they do?
■ Oh, and, don’t LEAK YOUR KEYS AND CREDENTIALS! :)

Slide 12

An All-Too-Common Story
Sanitize your code repositories and your machine images before posting publicly!
Scanning for sensitive data is trivial with a script or manually
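The kind of "trivial script" this slide has in mind, written here as an added example rather than anything from the talk: it scans text for AWS access key IDs, high-entropy values assigned to secret-looking names, and PEM private key headers. The sample file is constructed; its AWS key pair is the placeholder pair from AWS's own documentation and every other value is fake. Run it over `git log -p`, an unpacked AMI, or a directory walk before anything goes public.

```python
"""Added example (not from the talk): scan text for leaked cloud credentials.

The sample below is a constructed config file; every value in it is fake and
the AWS key pair is the placeholder pair from AWS's own documentation.
"""
import math
import re
from collections import Counter

# AWS access key IDs: 20 uppercase alphanumerics, prefixed AKIA (long-term)
# or ASIA (temporary credentials).
AWS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# An assignment to a name containing secret/password/token/api_key, with a
# value of at least 12 characters from the usual base64/hex alphabet.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|password|passwd|token|api_?key)[A-Z0-9_]*)"
    r"\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{12,})"
)

# PEM private key header for the common key types.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")


def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score well above words or placeholders."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text: str, entropy_threshold: float = 3.5) -> list:
    """Return one finding per suspicious match: dicts with line/kind/severity/value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "severity": "high", "value": m.group(1)})
        for m in ASSIGNMENT_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            # Entropy separates a real secret from a dictionary word or a stub.
            severity = "high" if shannon_entropy(value) >= entropy_threshold else "low"
            findings.append({"line": lineno, "kind": f"assignment:{name}",
                             "severity": severity, "value": value})
        if PRIVATE_KEY_RE.search(line):
            findings.append({"line": lineno, "kind": "private_key",
                             "severity": "high", "value": line.strip()})
    return findings


# Constructed sample of a file someone pushed to a public repo (all values fake).
SAMPLE = """\
# app settings - DO NOT COMMIT
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "passwordpassword"
-----BEGIN RSA PRIVATE KEY-----
debug = true
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']:>3}  {f['severity']:<4}  {f['kind']}: {f['value']}")
```

The entropy threshold is the tuning knob: the 40-character secret key scores well above 3.5 bits per character, while "passwordpassword" scores under 3, so the latter is reported at low severity instead of being silently dropped. A real deployment should also walk git history, because removing a key from HEAD does not remove it from the repository.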

Slide 13

It’s Not All For “Hacking” Either
DoS, Piracy, Spam, Proxies, & Malware Hosting

Slide 14

Don’t Worry, Providers Screw it Up, too!
Think about how easy it would be to backdoor a community image…

Slide 15

There’s Always the Front Door
■ Cloud security is still predicated on the software (web apps, underlying services, custom middleware, APIs, etc.)
  ◆ A single vulnerability could provide access to all user data and instances if the provider doesn’t segment properly
■ Ever wonder if your cloud provider’s administrative interfaces are Internet-facing or able to be accessed via client networks?

Slide 16

Defense in Depth is the ONLY Plan
■ Remember that part about being able to patch efficiently?
  ◆ “Released less than a week ago,” is not an inspiring excuse
■ There will always be 0-day; how are you preparing for it?

Slide 17

A Security Control is All or Nothing
■ A single *aaS can involve numerous ways to read/write data:
  ◆ Web consoles, APIs, SDKs, mobile applications, and more!
  ◆ If you add a security feature, it should apply to ALL ways
■ Not convinced? Consider Apple’s security of iCloud…
  ◆ “CelebrityGate” exposed how weak Apple’s coverage of user data was, even when using their advanced features

Slide 18

Heartbleed: It Could Have Been WAY Worse

Slide 19

Reacting to Heartbleed… Sort of?
[Screenshots: Slack – April 2014; Slack – March 2015]

Slide 20

So What’s This “There’s a Storm Coming” Thing?
[Timeline: The First Ten Years of Cloud Computing | You Are Here | The Next Ten Years of Cloud Computing]
We’re in the eye of the storm. Shocked? :)

Slide 21

The Next 10 Years of Cloud Security
■ Figure out how to actually add security to all of these new container technologies everyone is deploying without concern
  ◆ $150M in funding to Docker, $20M to CoreOS == security?
■ See the mass adoption of two-factor authentication across all cloud computing vendors (those that will survive, anyways…)
  ◆ Salesforce just bought the two-factor platform Toopher
■ Watch as the “Internet of Things” rises, backed off of *aaS solutions, and wait intently for the first major breach to occur
  ◆ All of the problems of early cloud but with big risks at hand

Slide 22

Docker: The Golden Child of 2015 Cloud

Slide 23

A Glimpse into the Internet of Things
…and this is just one device…

Slide 24

What Do I Worry About With Cloud + IoT?
■ IoT has to collapse for platforms, services, and hardware to allow for “the dream” to be realized – but this is a huge risk
  ◆ Imagine if IFTTT or any similar service was compromised, how much access one attacker would have to people’s lives

Slide 25

“If Only Cloud Providers Would…”
Microsoft Azure Security

Slide 26

“If Only Cloud Providers Would…”
Amazon Web Services

Slide 27

Some SaaS Providers Get it Right, Too
Github
• Two Factor
• Sessions
• Audit History
• Notifications
• Revoke Tokens
• SSH Fingerprints

Slide 28

IaaS Security - CloudPassage

Slide 29

SaaS Security – Duo Security

Slide 30

API Security - apigee

Slide 31

Don’t Forget F/OSS Options

Slide 32

Cloud Security Housekeeping Notes
■ Just because you can use a cloud service doesn’t mean you should use it – an easy sign-up doesn’t excuse losing data
  ◆ If your organization wants to go 100% cloud, that’s fine, just understand that you are taking risks that you likely didn’t have before, or that weren’t as likely to come true
  ◆ Build a proper data retention policy, clean up objects you don’t need anymore, and still create off-line data backups
  ◆ Encrypt-before-cloud if you can; else, segment data well, separate privileges as much as able, and please audit :)
■ Every bad employee password or reused password could be the end of your entire company (remember Code Spaces?)
  ◆ Two-factor authentication or you’re just being neglectful

Slide 33

Data Deletion? Maybe! Be Careful.
Deletion may not, uh, delete data.

Slide 34

Some Tips for Secure IaaS (AWS-focused)
■ Virtual Private Cloud (VPC) is the default these days
  ◆ If it doesn’t need a public IP, don’t you dare give it one
■ Ingress & egress firewalls, network-level AND host-based
■ Just say no to community AMIs; vendor-provided or custom!
■ If an API call allows you to set transparent encryption: do it
  ◆ Start leveraging the new Key Management Service (KMS)
■ Create Identity and Access Management (IAM) roles
  ◆ Super user privilege should be done at a user-level
  ◆ Require two-factor authentication for all remote users
■ Enable logging for as much as you can handle, it may matter
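The access-control slide earlier (per-application keys with only the privileges they need, roles, auditing) and the IAM and two-factor tips on this slide both come down to what is in the policy document attached to a user or key. The following is an added example, not code from the talk: a small linter that flags an Allow statement with a wildcard action or resource and a policy that never denies access when MFA is absent. The two policy documents are constructed for illustration and the bucket name is made up; `aws:MultiFactorAuthPresent` with the `BoolIfExists` operator is the real IAM condition key that the "force MFA" pattern relies on.

```python
"""Added example (not from the talk): lint IAM policy documents for the
least-privilege and MFA points on the slide. Both policies below are
constructed for illustration; the bucket name is made up."""
import json


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def enforces_mfa(doc: dict) -> bool:
    """True if some Deny statement fires when aws:MultiFactorAuthPresent is
    false, i.e. the policy blocks sessions that did not use a second factor."""
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Deny":
            continue
        for operator in ("Bool", "BoolIfExists"):
            cond = st.get("Condition", {}).get(operator, {})
            if str(cond.get("aws:MultiFactorAuthPresent", "")).lower() == "false":
                return True
    return False


def audit_policy(doc: dict) -> list:
    """Return human-readable issues; an empty list means the policy passed."""
    issues = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only take privilege away
        sid = st.get("Sid", f"statement {i}")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "*" in actions:
            issues.append(f"{sid}: allows every action (Action '*')")
        for a in actions:
            if a.endswith(":*"):
                issues.append(f"{sid}: allows every action in a service ({a})")
        if "*" in resources:
            issues.append(f"{sid}: applies to every resource (Resource '*')")
        if "NotAction" in st:
            issues.append(f"{sid}: Allow with NotAction grants everything not listed")
    if not enforces_mfa(doc):
        issues.append("policy: nothing denies access when MFA is absent")
    return issues


def audit_policy_json(text: str) -> list:
    """Same check, starting from the JSON as exported by the console or API."""
    return audit_policy(json.loads(text))


# Constructed: the kind of policy that ends up on a shared "admin" user or key.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: a developer who may read one bucket, and can do nothing at all
# until the session was established with a second factor.
SCOPED_WITH_MFA = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadAppBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-app-bucket",
                         "arn:aws:s3:::example-app-bucket/*"],
        },
        {
            "Sid": "DenyAllWithoutMFA",
            "Effect": "Deny",
            "NotAction": ["iam:EnableMFADevice", "iam:ListVirtualMFADevices",
                          "sts:GetSessionToken"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

if __name__ == "__main__":
    for name, doc in (("OVERLY_BROAD", OVERLY_BROAD), ("SCOPED_WITH_MFA", SCOPED_WITH_MFA)):
        print(name, audit_policy(doc) or "OK")
```

The Deny statement is what makes the two-factor requirement stick for every path into the account, console and API alike, which is the "all or nothing" point from earlier in the deck; the NotAction carve-out leaves just enough for a user to enrol a device and obtain an MFA session. The MFA check is meant for human users; an application's API key should instead be judged purely on how narrow its Allow statements are.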

Slide 35

Some Tips for Secure SaaS
■ Consider using SAML to tie your SaaS applications into the organization’s existing authentication backend and for SSO
  ◆ Okta, OneLogin, etc. then provide “portal” access to SaaS
■ Provide solutions to employees before they provide their own
  ◆ Controlling SaaS is hard… don’t make employees stray!
■ Yep, two-factor authentication for all business services
  ◆ This includes social media, HR, sales, marketing, etc.
■ If the service allows, create policies for valid IP/geo ranges
  ◆ This may buy you time, help act as an early alert, etc.
■ Tie these services into your SIEM and actually review reports
  ◆ Unfortunately, very few SaaS applications do this natively
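When the SaaS vendor will not enforce an IP range itself, the same check can run on the login export you feed to the SIEM. This is an added example, not from the talk: it flags every login attempt sourced outside the organisation's allowed ranges and ranks a successful one above a failed one. The events are constructed JSON lines in an invented schema (ts, user, src_ip, result), since each vendor exports its own format, and the CIDRs are RFC 5737 documentation ranges standing in for office and VPN egress addresses.

```python
"""Added example (not from the talk): flag SaaS logins from outside the
organisation's allowed IP ranges, the "early alert" the slide describes.

The events are constructed JSON lines in an invented schema (ts, user,
src_ip, result); adapt parse_events() to the vendor's real export. The CIDRs
are RFC 5737 documentation ranges standing in for office and VPN egress."""
import ipaddress
import json

# Constructed allowlist: where legitimate logins are expected to come from.
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed sample export; the last two attempts come from outside the allowlist.
SAMPLE_EVENTS = """\
{"ts": "2015-05-19T10:02:11Z", "user": "alice", "src_ip": "203.0.113.17", "result": "success"}
{"ts": "2015-05-19T10:05:40Z", "user": "bob", "src_ip": "198.51.100.9", "result": "failure"}
{"ts": "2015-05-19T10:06:02Z", "user": "bob", "src_ip": "198.51.100.9", "result": "success"}
{"ts": "2015-05-19T11:14:55Z", "user": "alice", "src_ip": "192.0.2.200", "result": "success"}
{"ts": "2015-05-19T11:20:03Z", "user": "carol", "src_ip": "192.0.2.201", "result": "failure"}
"""


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_alerts(events: list, allowed_cidrs: list) -> list:
    """Return an alert for every login attempt sourced outside allowed_cidrs."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    alerts = []
    for e in events:
        addr = ipaddress.ip_address(e["src_ip"])
        if any(addr in net for net in nets):
            continue
        # A success from outside is a probable account takeover (or an
        # unreported travelling user); a failure is lower priority but is
        # still worth counting, since it is how password reuse shows up.
        severity = "high" if e["result"] == "success" else "low"
        alerts.append({"ts": e["ts"], "user": e["user"], "src_ip": e["src_ip"],
                       "severity": severity,
                       "reason": f"{e['result']} login from outside allowed ranges"})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_events(SAMPLE_EVENTS), ALLOWED_CIDRS):
        print(f"{a['ts']} {a['severity']:<4} {a['user']}@{a['src_ip']}: {a['reason']}")
```

Alice's second login is the one that matters: a successful session from an address the organisation does not own, shortly after a normal one from the office, is exactly the signal a reused or phished password produces, and it is visible only if someone is actually reviewing the report.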

Slide 36

THANK YOU!
Mark Stanislav
[email protected]
Please Remember To Fill Out Your Session Evaluation Forms!