Fundamentals of Cloud Security

Tony Rice
April 11, 2017

Delivered to the ISSA Richmond, VA chapter

Transcript

  1. Cloud Tenant Security Governance
     Securing the Migration to the Cloud
     "Here's your second chance, don't waste it"
     Tony Rice, April 11, 2017
  2. And you are?
     Tony Rice, Senior Information Security Engineer, Cloud Security Management
     Virginia Tech '92, CISSP
     @rtphokie, linkedin.com/in/tonyrrice
  3. Shared Responsibility in the Cloud
     Cloud Provider (e.g. AWS): responsible for the privacy and security OF the cloud
       • Data Center
       • Platform Services: Compute, Storage, Networking
       • Physical Security, Infrastructure Security, Identity, Access Control
       • Tenant Operations Data: Registration, Support, Billing (tenant data collected to provide the service)
     Tenant (that's you): responsible for the privacy and security IN the cloud
       • Virtual Machines / Containers
       • Apps: Web/App/DB Server, User Accounts, Operating System, Access Control
       • Customer/Tenant Data: Integrity, Encryption; data that the tenant brings, collects, and processes
  4. Cloud Security Best Practices (from → to)
       • Local OS accounts → Consolidate identities
       • Shared accounts → Individual/federated accounts
       • Open access → Least privilege access
       • Open access → Audit everything
       • Passwords → SSH keys / disable passwords
       • Old school auth → MFA
       • "Secure tomorrow" → Harden, maintain patching
       • Going-away luncheon → Access lifecycle
  5. Know Your Users
     Service users
       • Log into AWS
       • Manage (by default)
       • Billing
       • Instance users
       • Grant privileges
       • Restrict through IAM users
     Instance users
       • Separate components across security groups
       • Only open required ports between security groups
       • Open SSH up only through a jump box or bastion host
  6. SSH Keys

         $ ssh-keygen -t rsa -b 2048
         Generating public/private rsa key pair.
         Enter file in which to save the key (/home/userid/.ssh/id_rsa):
         Created directory '/home/userid/.ssh'.
         Enter passphrase (empty for no passphrase):
         Enter same passphrase again:
         Your identification has been saved in /home/userid/.ssh/id_rsa.
         Your public key has been saved in /home/userid/.ssh/id_rsa.pub.
         The key fingerprint is:
         d0:81:24:8e:d7:f0:3b:9b:23:53:95:93:4a:da:9b:e3

  7. Solution: SSH Keys
     Generate the key pair as on slide 6, then install the public key on the target host:

         $ cat ~/.ssh/id_rsa.pub | ssh userid@<ip address> "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
  8. Shared Responsibility in the Cloud

         $ vi /etc/ssh/sshd_config

     PasswordAuthentication
       • set to no
       • not commented out
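The two bullets on slide 8 hide a subtlety worth checking rather than eyeballing: sshd keeps the first uncommented value of a keyword and ignores later ones, so a `PasswordAuthentication no` that sits below an earlier `yes`, or that is still commented out, leaves password logins enabled. The following is an added example (not from the deck) that parses an sshd_config the way sshd does for the global section and reports the value that will actually apply; the three sample configs are constructed.

```python
"""Report the PasswordAuthentication value sshd will actually use.

Added example: sshd reads /etc/ssh/sshd_config top-down and keeps the FIRST
uncommented value of each keyword (sshd_config(5)), so a later
'PasswordAuthentication no' cannot override an earlier 'yes', and a line that
is still commented out changes nothing. Keywords after a 'Match' line only
apply to the matching connections, so they are not the global setting.
"""
import re


def effective_setting(config_text, keyword):
    """Return the global value sshd would use for `keyword` (lower-cased),
    or None if the keyword is never set before the first Match block."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented out: ignored
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue                      # keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                         # everything below is conditional
        if key == keyword.lower():
            return value.lower()          # first occurrence wins
    return None


def password_auth_disabled(config_text):
    """True only when the global PasswordAuthentication is an uncommented 'no'.

    OpenSSH defaults the keyword to 'yes', so an unset (or commented-out)
    value still permits password logins."""
    return effective_setting(config_text, "PasswordAuthentication") == "no"


# Constructed sample configs (not taken from any real host).
STILL_COMMENTED = """\
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication no
"""

LATER_NO_IGNORED = """\
PasswordAuthentication yes
PasswordAuthentication no
"""

HARDENED = """\
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User deploy
    PasswordAuthentication yes
"""


def audit(name, config_text):
    """One-line verdict for a config; returned so callers can log or assert on it."""
    value = effective_setting(config_text, "PasswordAuthentication")
    verdict = "OK" if password_auth_disabled(config_text) else "FAIL"
    return f"{name}: PasswordAuthentication={value!r} -> {verdict}"


if __name__ == "__main__":
    for name, text in [("still commented", STILL_COMMENTED),
                       ("later 'no' ignored", LATER_NO_IGNORED),
                       ("hardened", HARDENED)]:
        print(audit(name, text))
```

On the host itself, `sshd -T` prints the effective configuration after all parsing, which is the authoritative check; the parser above is useful when reviewing config files pulled from many instances or from a golden image before they are deployed.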
  9. Solution: SSH Keys (client-side ~/.ssh/config)

         Host ben* bthom* mb1* mb0* mbi0* tc-* trice-* 172* 10.122.* lolong* blv* mbva* cdtg-* mb-*
             ForwardAgent yes
             ForwardX11 yes
             User admtrice
             IdentityFile ~/.ssh/testers_id_dsa
             Compression yes

         Host myrhel
             Hostname 10.107.39.201
             User root
             PubkeyAuthentication yes
             IdentityFile /Users/trice/.ssh/tricepem.pem

         Host hackathon
             Hostname 34.208.169.90
             User ec2-user
             PubkeyAuthentication yes
             IdentityFile /Users/trice/.ssh/trice-aws-ha2-key-pair.pem
  10. Network Defense
      Problem
        • 0.0.0.0/0: Network Access Control List allows too much access
      Solution
        • Separate components across security groups
        • Only open required ports between security groups
        • Open SSH up only through a jump box or bastion host
  11. Hardening the Cloud
      References: NIST (National Institute of Standards and Technology) SP 800-123; CIS Benchmarks (Amazon, CentOS, Debian, FreeBSD, HP-UX, Solaris Server, Red Hat, Slackware, SUSE, Ubuntu, and more)
      1. Identify components: Web Server, App Server, Bastion Host, RDS, S3
      2. Harden components: CIS, AWS Guidelines, Cloud9
      3. Validate: Qualys / CIS-CAT tool
      4. Continuous hardening: CI/CD pipeline
      Diagram: Developer → Continuous Hardening → Golden Images → Artifact Repo → Validate Hardening; a region containing Bastion/Jump (secure admin access), Nginx (web server), App Engine, Relational DB (RDS), and Storage (S3)
  12. http://aws.amazon.com/compliance/resources/
      Cisco Public © 2017 Cisco and/or its affiliates. All rights reserved.
  13. Access Lifecycle
      Problem
        • From selection to separation, access only expands
        • No tracking of non-human access
      Solution
        • Define change points (onboarding, termination, promotion, discipline)
        • Build access management steps into HR processes
        • Regularly review: "Does <userid> still need access to <resource>?"
  14. Audit Logging
      Problem
        • Do you know what is going on in your network? In your applications?
      Solution
        • CloudTrail and CloudWatch provide easy solutions
        • ELK and Splunk for searching
        • Move logs off to cheap storage
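Slide 14's question ("do you know what is going on?") is only answered once someone reads the logs. As an added example (not from the deck), the script below walks the JSON that CloudTrail delivers to S3 ({"Records": [...]}), tallies which identity called which API, lists successful console logins made without MFA (tying back to the MFA point on slide 4), and pulls out security-group changes for individual review. The records and the list of watched API calls are constructed for the example.

```python
"""Summarise CloudTrail records: who did what, and did console logins use MFA?

Added example. It reads the structure CloudTrail writes to S3: a top-level
"Records" list whose entries carry eventTime, eventName, eventSource,
userIdentity, sourceIPAddress and, for ConsoleLogin events,
additionalEventData.MFAUsed plus responseElements.ConsoleLogin.
All sample records below are constructed.
"""
from collections import Counter, defaultdict

# Hypothetical list of API calls this environment wants reviewed one by one.
WATCHED_EVENTS = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
                  "CreateSecurityGroup", "DeleteSecurityGroup"}


def identity_of(record):
    """Best available caller name: ARN, else userName, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def summarize(records):
    """Return (calls, logins_without_mfa, watched_changes).

    calls: {identity: Counter({eventName: count})}
    logins_without_mfa: (identity, source IP, time) for successful ConsoleLogin
        events where MFAUsed is anything other than "Yes"
    watched_changes: (identity, eventName, groupId) for WATCHED_EVENTS
    """
    calls = defaultdict(Counter)
    logins_without_mfa = []
    watched_changes = []
    for ev in records:
        who = identity_of(ev)
        name = ev["eventName"]
        calls[who][name] += 1
        if name == "ConsoleLogin":
            succeeded = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            if succeeded and mfa != "Yes":      # failed logins are noise here
                logins_without_mfa.append((who, ev.get("sourceIPAddress"), ev["eventTime"]))
        elif name in WATCHED_EVENTS:
            group = ev.get("requestParameters", {}).get("groupId")
            watched_changes.append((who, name, group))
    return calls, logins_without_mfa, watched_changes


# Constructed sample trail (account id, ARNs, IPs and times are made up).
ACCT = "123456789012"
SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2017-04-11T13:05:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2017-04-11T13:09:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": f"arn:aws:iam::{ACCT}:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-04-11T13:10:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": f"arn:aws:iam::{ACCT}:user/bob"},
     "requestParameters": {"groupId": "sg-web"}},
    {"eventTime": "2017-04-11T13:12:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCT}:assumed-role/app-role/i-0abc"}},
    {"eventTime": "2017-04-11T13:15:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "arn": f"arn:aws:iam::{ACCT}:user/carol"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
]}


if __name__ == "__main__":
    calls, no_mfa, changes = summarize(SAMPLE_TRAIL["Records"])
    for who, counter in calls.items():
        print(who, dict(counter))
    print("console logins without MFA:", no_mfa)
    print("security-group changes:", changes)
```

The per-identity tally is the starting point for the access review on slide 13 (an identity that calls nothing for months is a candidate for removal), and the two flagged lists are what would normally be turned into CloudWatch alarms or Splunk/ELK saved searches rather than read by hand.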
  15. ICMP
      Problem
        • Enabling ICMP access from the internet
        • ICMP DoS
        • Advertises your infrastructure, even known vulnerabilities
      Solution
        • ICMP is disabled by default; leave it that way
        • Disable it again after any troubleshooting or auditing that requires ICMP
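Slides 10 and 15 both come down to ingress rules that are wider than they need to be. The following added example (not from the deck) audits the JSON returned by `aws ec2 describe-security-groups` for exactly those cases: anything open to 0.0.0.0/0 or ::/0 that is not an intended public port, SSH reachable from any source other than the bastion host's security group, and ICMP open to the internet. The group ids, the "public ports" set and the sample data are constructed; on a real account the same script is pointed at the CLI output file.

```python
"""Audit security-group ingress rules for the problems on slides 10 and 15.

Added example, not from the deck. It reads the structure returned by
`aws ec2 describe-security-groups --output json` (SecurityGroups ->
IpPermissions -> IpProtocol / FromPort / ToPort / IpRanges / Ipv6Ranges /
UserIdGroupPairs). Group ids and the sample data below are constructed.
"""
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_PORTS = {80, 443}      # ports this (hypothetical) environment means to expose
SSH_PORT = 22
BASTION_SG = "sg-bastion"     # constructed id of the jump box's security group


def rule_covers_port(perm, port):
    """True when an IpPermissions entry includes `port` (or is all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def internet_cidrs(perm):
    """CIDRs in this rule that mean 'the whole internet' (IPv4 or IPv6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def audit_security_groups(groups, bastion_sg_id):
    """Return (group_id, group_name, finding) tuples, one per risky rule."""
    findings = []
    for sg in groups:
        gid, name = sg["GroupId"], sg.get("GroupName", "")
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            wide = internet_cidrs(perm)
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1" and wide:
                findings.append((gid, name, "all traffic open to the internet"))
                continue
            if proto == "icmp" and wide:                                # slide 15
                findings.append((gid, name, "ICMP open to the internet"))
                continue
            if proto == "tcp" and rule_covers_port(perm, SSH_PORT):     # slide 10
                if wide:
                    findings.append((gid, name, "SSH open to the internet"))
                if gid != bastion_sg_id:   # only the bastion may take SSH from elsewhere
                    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                    sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
                    for src in sources:
                        if src != bastion_sg_id and src not in ANYWHERE:
                            findings.append((gid, name, f"SSH allowed from {src}, not the bastion"))
            # Any other port range open to the internet, unless it is a single intended public port.
            if wide and proto in ("tcp", "udp") and not (lo == hi and lo in PUBLIC_PORTS | {SSH_PORT}):
                findings.append((gid, name, f"{proto} {lo}-{hi} open to the internet"))
    return findings


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},          # office range only
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                   # SSH from anywhere
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},                 # ICMP from anywhere
    {"GroupId": "sg-app", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},          # SSH via bastion only
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},                  # SSH bypasses bastion
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]}


if __name__ == "__main__":
    import sys
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for gid, name, finding in audit_security_groups(data["SecurityGroups"], BASTION_SG):
        print(f"{gid} ({name}): {finding}")
```

Run with no arguments it audits the built-in sample and reports three findings, all on the web and db groups; run with the path to saved CLI output it audits a real account. The check deliberately treats "SSH from a private CIDR" as a finding too, because the deck's rule is that SSH reaches instances only through the jump box, and a 10.0.0.0/8 rule quietly re-opens every other path inside the VPC.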
  16.
        • Amazon Web Services Security: https://aws.amazon.com/security
        • Center for Internet Security: http://cisecurity.org
        • Security of Cloud Computing: Seeing Through the Fog: http://www.satnac.org.za/proceedings/2011/papers/Internet_Services_and_Applications/178.pdf
        • CSA Security Guidance Version 3: https://cloudsecurityalliance.org/download/security-guidance-for-critical-areas-of-focus-in-cloud-computing-v3/