Slide 1

Getting Started with Your Journey into Cloud Security
Madhu Akula
devhost : 21

Slide 2

About - Madhu Akula
● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many others
● Speaker & Trainer at BlackHat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, DevSecCon, c0c0n, Nullcon, SACON, null, many others
● Co-Author of Security Automation with Ansible 2
● Technical Reviewer & Review Board Member for books, conferences, etc.
● Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, WordPress, Ntop, many others
● Offensive Security Certified Professional & Certified Kubernetes Administrator
● Never Ending Learner!

Slide 3

Why Cloud Security?
● Capital One to pay $80M in connection with massive data breach
● Docker Hub repository was compromised exposing 190,000 accounts
● Accenture left a huge trove of highly sensitive data on exposed servers

Slide 4

What is Cloud Security?
There are many definitions and explanations for this. But in my personal opinion, Cloud Security is primarily about ensuring the shared responsibility between the provider and the customer. This means the provider will take care of some responsibilities and, as a customer, we have to take on certain security responsibilities.

Slide 5

Disclaimer
This session is completely for educational purposes only. DO NOT use these techniques, scripts, tools, and methods to hack any other systems; it is completely prohibited unless you have permission.

Slide 6

Friendly Disclaimer
Most of the content you will be seeing in the coming slides and examples will be related to AWS (Amazon Web Services). But this is to show you a getting-started path with just one cloud provider, with a security focus; the same concepts and methodologies apply to all other cloud providers as well. Please use the specific references and resources available on the internet (terminology might change) when mapping them and finding resources.

Slide 7

Different types of Cloud Service Providers
● Public Cloud
  ○ AWS, Azure, GCP, etc.
● Private Cloud
  ○ RedHat, VMWare, etc.
● Hybrid Cloud
Source: Logan Westberg on LinkedIn

Slide 8

Cloud Service Models
● Infrastructure as a Service (IaaS)
  ○ OpenStack, VMWare, etc.
● Platform as a Service (PaaS)
  ○ Heroku, Google App Engine, etc.
● Software as a Service (SaaS)
  ○ Salesforce, Zoho, etc.

Slide 9

Shared Responsibility - Pizza as a Service
https://medium.com/@pkerrison/pizza-as-a-service-2-0-5085cd4c365e

Slide 10

Shared Responsibility
1. “Security of the Cloud” - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
2. “Security in the Cloud” - Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities.

Slide 11

Shared Responsibility - AWS
https://aws.amazon.com/compliance/shared-responsibility-model/

Slide 12

AWS Security Primer
https://cloudonaut.io/aws-security-primer

Slide 13

AWS in Plain English
https://expeditedsecurity.com/aws-in-plain-english/

Slide 14

Get started with AWS - Free AWS Learning for Beginners
https://dannys.cloud/amp/10-best-free-aws-learning-resources-for-beginners

Slide 15

AWS Cloud Security Pillars
1. Identity and Access Management
2. Detection
3. Infrastructure Protection
4. Data Protection
5. Incident Response

Slide 16

Identity and Access Management
Identity and access management are key parts of an information security program, ensuring that only authorized and authenticated users and components are able to access your resources, and only in a manner that you intend. For example, you should define principals (that is, accounts, users, roles, and services that can perform actions in your account), build out policies aligned with these principals, and implement strong credential management. These privilege-management elements form the core of authentication and authorization.
https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html#sec.security
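"Build out policies aligned with these principals" is where most cloud permission mistakes happen, so here is an added example of a least-privilege check over an IAM policy document. This is example code written for this deck, not code from the slides or from AWS; the policy it lints is constructed, and the rules (wildcard actions, Resource "*" without a Condition, Allow written with NotAction/NotResource) are heuristics rather than an official AWS checker.

```python
"""Least-privilege lint for an AWS IAM policy document.

Added example for this deck, not code from the slides or from AWS. It reads a
policy JSON document and reports Allow statements that grant more than a
principal should normally hold: wildcard actions ("*" or "service:*"),
Resource "*" without any Condition, and Allow statements written with
NotAction/NotResource (which permit everything *not* listed). The rules are
heuristics; some read-only actions legitimately require Resource "*".
"""
import json
from typing import Any, Dict, List

# Constructed sample policy: one tightly scoped statement and two over-broad ones.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "InvertedAllow", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
})


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> List[Dict[str, str]]:
    """Return one finding per least-privilege rule that an Allow statement breaks."""
    policy = json.loads(policy_json)
    findings: List[Dict[str, str]] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access, so they are not flagged
        sid = stmt.get("Sid") or f"statement[{index}]"

        if "NotAction" in stmt:
            findings.append({"sid": sid, "rule": "allow-with-notaction",
                             "detail": "Allow + NotAction grants every action not listed"})
        if "NotResource" in stmt:
            findings.append({"sid": sid, "rule": "allow-with-notresource",
                             "detail": "Allow + NotResource grants every resource not listed"})

        # "*" is a full-account grant; "service:*" is a full-service grant.
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append({"sid": sid, "rule": "wildcard-action", "detail": action})

        # Resource "*" is only tolerable when a Condition narrows it (or the action needs it).
        if "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"):
            findings.append({"sid": sid, "rule": "wildcard-resource-without-condition",
                             "detail": "Resource \"*\" with no Condition block"})
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(f"{finding['sid']:>14}  {finding['rule']:<36}  {finding['detail']}")
```

Run it against the embedded policy and only the two over-broad statements are reported; the tightly scoped `ReadOneBucket` statement passes. The same function can be pointed at the output of `aws iam get-policy-version` to review real policies before they are attached to a principal.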

Slide 17

Detection
You can use detective controls to identify a potential security threat or incident. There are different types of detective controls. For example, conducting an inventory of assets and their detailed attributes promotes more effective decision making (and lifecycle controls) to help establish operational baselines. You can also use internal auditing, an examination of controls related to information systems, to ensure that practices meet policies and requirements and that you have set the correct automated alerting notifications based on defined conditions.
https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html#sec.security
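"Automated alerting notifications based on defined conditions" is easiest to understand as rules evaluated over audit events. The block below is an added example written for this deck, not code from the slides or from AWS: it defines three detection rules (root account usage, a security group opened to the whole internet, and CloudTrail logging being tampered with) and runs them over hand-constructed CloudTrail-style records. The events use CloudTrail field names with trimmed nesting and documentation IP ranges; they are not records from any real account.

```python
"""Detection rules over CloudTrail-style events.

Added example for this deck, not code from the slides or from AWS. It shows
the "automated alerting based on defined conditions" idea: each rule is a
predicate over one event, and alert() returns an alert per matching event.
The events below are constructed by hand (CloudTrail field names, trimmed
nesting, documentation IP ranges); they are not records from a real account.
"""
from typing import Callable, Dict, List

Event = Dict

SAMPLE_EVENTS: List[Event] = [
    {   # root credentials used for a console login: should be an exceptional event
        "eventID": "e1", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "requestParameters": {},
    },
    {   # SSH opened to the whole internet on a security group
        "eventID": "e2", "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {   # audit logging switched off
        "eventID": "e3", "eventName": "StopLogging", "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"},
    },
    {   # ordinary read, should not alert
        "eventID": "e4", "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
    },
]


def root_account_used(event: Event) -> bool:
    """Any API call or login made with the account root identity."""
    return event.get("userIdentity", {}).get("type") == "Root"


def security_group_open_to_world(event: Event) -> bool:
    """Ingress rule added with an any-address CIDR (IPv4 or IPv6)."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        v4 = perm.get("ipRanges", {}).get("items", [])
        v6 = perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in v4) or any(r.get("cidrIpv6") == "::/0" for r in v6):
            return True
    return False


def cloudtrail_tampering(event: Event) -> bool:
    """Calls that stop, delete or reshape the audit trail itself."""
    return event.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


RULES: Dict[str, Callable[[Event], bool]] = {
    "root-account-used": root_account_used,
    "security-group-open-to-world": security_group_open_to_world,
    "cloudtrail-tampering": cloudtrail_tampering,
}


def alert(events: List[Event], rules: Dict[str, Callable[[Event], bool]] = RULES) -> List[Dict[str, str]]:
    """Run every rule over every event; one alert per (rule, event) match."""
    alerts = []
    for event in events:
        for name, matches in rules.items():
            if matches(event):
                alerts.append({"rule": name, "eventID": event["eventID"],
                               "actor": event.get("userIdentity", {}).get("arn", "unknown"),
                               "sourceIP": event.get("sourceIPAddress", "unknown")})
    return alerts


if __name__ == "__main__":
    for a in alert(SAMPLE_EVENTS):
        print(f"[{a['rule']}] event={a['eventID']} actor={a['actor']} from={a['sourceIP']}")
```

Three of the four constructed events raise an alert and the plain `GetObject` read does not. In a real deployment the same predicates would sit behind an EventBridge rule or a log pipeline reading the trail, with each alert feeding the "Respond" and "Remediate" steps the deck describes later.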

Slide 18

Infrastructure Protection
Infrastructure protection encompasses control methodologies, such as defense in depth, necessary to meet best practices and organizational or regulatory obligations. Use of these methodologies is critical for successful, ongoing operations in either the cloud or on-premises.
https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html#sec.security

Slide 19

Data Protection
Before architecting any system, foundational practices that influence security should be in place. For example, data classification provides a way to categorize organizational data based on levels of sensitivity, and encryption protects data by way of rendering it unintelligible to unauthorized access. These tools and techniques are important because they support objectives such as preventing financial loss or complying with regulatory obligations.
https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html#sec.security

Slide 20

Incident Response
Even with extremely mature preventive and detective controls, your organization should still put processes in place to respond to and mitigate the potential impact of security incidents. The architecture of your workload strongly affects the ability of your teams to operate effectively during an incident, to isolate or contain systems, and to restore operations to a known good state.
https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html#sec.security

Slide 21

Strategic Security
1. Prevent - Define user permissions and identities, infrastructure protection, and data protection measures for a smooth and planned AWS adoption strategy.
2. Detect - Gain visibility into your organization’s security posture with logging and monitoring services. Ingest this information into a scalable platform for event management, testing, and auditing.
3. Respond - Automated incident response and recovery to help shift the primary focus of security teams from response to analyzing the root cause.
4. Remediate - Leverage event-driven automation to quickly remediate and secure your AWS environment in near real-time.

Slide 22

Learning Cloud Security by Playing
● http://flaws.cloud
● http://flaws2.cloud

Slide 23

Learn by playing the CTF - Cloud Goat
CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios. Each scenario is composed of AWS resources arranged together to create a structured learning experience.
https://github.com/RhinoSecurityLabs/cloudgoat

Slide 24

How you can learn step by step!
● Learn the technology, services and, mainly, the terminology
● Then understand the security controls and best practices for the service
● See if you can break anything or find security issues (offensive side)
● Now apply the security defenses to the service/technology
● Then see how you can leverage that service/technology for security
● Finally, learn to leverage the power of automation (Terraform, Pulumi, etc.)
● Now you can understand different architecture patterns
● Keep iterating and learning more!

Slide 25

Takeaways

Slide 26

Resources & References
● https://cloudsecurityalliance.org
● https://cloudsecdocs.com
● https://cloudseclist.com
● https://tldrsec.com
● https://workshops.aws
● https://awsworkshop.io
● https://summitroute.com
● https://github.com/open-guides/og-aws
● https://cloudonaut.io/page/1/
● https://www.youtube.com/watch?v=3hLmDS179YE
● https://www.aws.training/Details/eLearning?id=34259
● https://gist.github.com/leonardofed/bbf6459ad154ad5215d354f3825435dc
● https://gist.github.com/miglen/797fd38d0e26b9f68a1f
● https://asecure.cloud
● https://cloud.google.com/security/infrastructure/design/resources/google_infrastructure_whitepaper_fa.pdf
● https://aws.amazon.com/architecture/well-architected
● https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
● https://github.com/appsecco/breaking-and-pwning-apps-and-servers-aws-azure-training
● https://docs.microsoft.com/en-us/azure/security
● https://github.com/toniblyx/my-arsenal-of-aws-security-tools
● https://tools.tldr.run
● https://www.cloudsecuritypodcast.tv
● https://google.com

Slide 27

Thank You!
https://madhuakula.com
@madhuakula
Madhu Akula