12 Steps to Cloud Security
A guide to securing your cloud deployment using open source tools
Vishnu Vettrivel
Principal Engineering Lead, Atigeo
@cloudronin
Step 1: Know your responsibility
• Cloud providers are responsible for some parts of the infrastructure stack.
• The other parts of the security stack are your responsibility.
• You are usually responsible for application security, policies and configuration, machine images, etc.
Step 2: Protect your Network
• Use Defense in Depth and services like:
  • Virtual Private Clouds
  • Network ACLs
  • Routing rules
  • Proxy Servers
  • NAT
  • Firewalls
• Apply controls at every layer: Network, Host, Application
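The network-layer controls above are only as good as the rules in them, and the most common failure is an ingress rule that exposes an administrative port to the whole internet or opens every protocol to a wide range. Below is an added example (it is not code from the slides or from Atigeo) that audits a constructed list of security-group style ingress rules with Python's standard ipaddress module. The rule format, the ADMIN_PORTS table and the INTERNAL_NETS list are assumptions for the demo; adjust them to your own environment.

```python
import ipaddress

# Constructed inventory of ingress rules (not from the slides). Following the AWS convention,
# protocol "-1" with ports -1 means "all protocols, all ports".
INGRESS_RULES = [
    {"protocol": "tcp", "from_port": 22,   "to_port": 22,   "cidr": "0.0.0.0/0"},       # SSH from the internet
    {"protocol": "tcp", "from_port": 443,  "to_port": 443,  "cidr": "0.0.0.0/0"},       # HTTPS from the internet
    {"protocol": "tcp", "from_port": 22,   "to_port": 22,   "cidr": "203.0.113.0/24"},  # SSH from one office range
    {"protocol": "-1",  "from_port": -1,   "to_port": -1,   "cidr": "10.0.0.0/8"},      # everything from the whole private range
    {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.1.0/24"},     # Postgres from the app subnet
]

# Assumed: ports that must never face a wide external range directly.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}

# Assumed: address space considered internal to the deployment (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(net):
    """True when the whole source range lies inside one of the internal networks."""
    return any(net.version == t.version and net.subnet_of(t) for t in INTERNAL_NETS)


def _services_reached(rule):
    """Admin-port names a rule reaches, or ['all ports'] when it opens everything."""
    if rule["protocol"] == "-1" or rule["from_port"] == -1:
        return ["all ports"]
    return [name for port, name in ADMIN_PORTS.items()
            if rule["from_port"] <= port <= rule["to_port"]]


def audit_ingress(rules, max_hosts=256):
    """Return (rule_index, message) for rules that open all protocols to a range larger than
    max_hosts, or an admin port to a non-internal range larger than max_hosts."""
    findings = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        wide = net.num_addresses > max_hosts
        services = _services_reached(rule)
        if not services:
            continue                                  # e.g. 443 only: not an admin port
        if services == ["all ports"] and wide:
            findings.append((i, f"all protocols/ports open to {net}"))
        elif wide and not is_internal(net):
            findings.append((i, f"{', '.join(services)} open to external range {net}"))
    return findings


if __name__ == "__main__":
    for index, message in audit_ingress(INGRESS_RULES):
        print(f"rule {index}: {message}")
```

Run as a script it prints two findings: rule 0 (SSH from 0.0.0.0/0) and rule 3 (all traffic from 10.0.0.0/8). The office /24 and the Postgres rule pass because they are narrow; widen max_hosts or add ports to ADMIN_PORTS to make the check stricter.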
Step 3: Protect your Machine Images
• Be sure you harden your images first
• Turn off insecure ports and services
• Change default passwords.
• Install AV Software
• Consider using a Baseline
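A baseline is only useful if you check the image against it, and the check has to read configuration the way the service does. sshd is the classic trap: it honours the first value given for each keyword, so a hardening script that appends "PermitRootLogin no" to a file that already says "PermitRootLogin yes" changes nothing. The example below is added here and is not code from the slides or from Atigeo; the sample sshd_config and the BASELINE dictionary are constructed for the demo.

```python
import re

# Constructed sshd_config as it might look inside a freshly built image (not from the slides).
SAMPLE_SSHD_CONFIG = """\
# defaults carried over from the base image
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PasswordAuthentication no
X11Forwarding = yes

# "hardening" appended later by a build script; sshd ignores these because
# it honours the FIRST value given for each keyword
PermitRootLogin no
PasswordAuthentication no
"""

# Assumed baseline: keyword -> required value (keywords are case-insensitive in sshd).
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
}

# sshd accepts 'Key value', 'Key=value' and 'Key = value'.
_SPLIT = re.compile(r"\s*=\s*|\s+")


def effective_sshd_config(text):
    """Return the settings sshd will actually use: first occurrence of each keyword wins,
    comments and blank lines are skipped, and parsing stops at the first Match block
    because everything after it applies conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = _SPLIT.split(line, maxsplit=1)
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, rest[0].strip() if rest else "")   # first value wins
    return settings


def check_baseline(settings, baseline=BASELINE):
    """Return (keyword, effective_value, required_value) for each baseline item that fails.
    A keyword that is never set is a failure too: the baseline wants it explicit."""
    failures = []
    for key, wanted in baseline.items():
        actual = settings.get(key, "<unset>")
        if actual.lower() != wanted:
            failures.append((key, actual, wanted))
    return failures


if __name__ == "__main__":
    for key, actual, wanted in check_baseline(effective_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"FAIL {key}: effective={actual!r} required={wanted!r}")
```

Against the sample all three baseline items fail, even though the file ends with the "correct" lines. The same first-value-wins parsing is what you want in an image-build test, so the check fails the build rather than the production instance.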
Step 4: Protect your Data at Rest
• Know the different Cloud storage mechanisms and their Security implications.
• De-Identify when possible
• Understand your choice of encryption primitives: key strength and cipher type.
• Don’t forget Secure Archival and Disposal of Data.
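"De-identify when possible" is often implemented as "replace the identifier with its SHA-256 hash", which is not de-identification when the identifier space is small enough to enumerate: an attacker holding the data set just hashes every candidate. A keyed pseudonym (HMAC) makes recomputation depend on a key that lives in your key management system, not beside the data. The example below is added here and is not code from the slides or from Atigeo; the EMP00000..EMP99999 identifier space is constructed for the demo.

```python
import hashlib
import hmac
import secrets


def naive_token(identifier):
    """Unkeyed SHA-256 of the identifier: looks anonymous, but anyone who can enumerate
    the identifier space can rebuild the mapping."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_token(identifier, key):
    """HMAC-SHA-256 pseudonym: recomputing it needs the key, which should be held in the
    KMS and never shipped with the de-identified data set."""
    return hmac.new(key, identifier.encode(), "sha256").hexdigest()


def candidate_identifiers():
    """Constructed identifier space for the demo: EMP00000 .. EMP99999 (100,000 values)."""
    for n in range(100_000):
        yield f"EMP{n:05d}"


def recover(token, token_fn):
    """What an attacker holding the de-identified data does: try every candidate identifier
    through the tokenisation function they believe was used."""
    for cand in candidate_identifiers():
        if hmac.compare_digest(token_fn(cand), token):
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # in production: fetched from the KMS at run time
    plain = naive_token("EMP04217")
    print("unkeyed hash recovered as:", recover(plain, naive_token))
    keyed = keyed_token("EMP04217", key)
    print("keyed token recovered as:", recover(keyed, lambda c: keyed_token(c, b"guessed-key")))
```

The unkeyed token is recovered in well under a second; the keyed one is not, because the attacker cannot run the same function without the key. A fixed "salt" stored with the data does not change this, since the attacker has it too; only a secret held elsewhere does.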
Step 5: Protect your Data in Transit
• Use secure application protocols whenever possible:
  • TLS
  • SSH
  • RDP
• Securely tunnel traffic when that is not possible:
  • IPsec
  • SSL VPN
  • SSH
• Use a Key Management System
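Using TLS is not the same as using it correctly: internal tooling frequently disables certificate verification or hostname checking "to make it connect", which leaves the tunnel open to anyone who can sit in the path. The added example below (not code from the slides or from Atigeo) builds a hardened client context with Python's standard ssl module, builds the sloppy variant seen in the wild, and audits both the way a code reviewer would; the audit rules are the reviewer's assumptions.

```python
import ssl


def hardened_client_context():
    """Client context with CA verification, hostname checking and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()             # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 even where the library allows them
    return ctx


def sloppy_client_context():
    """The 'just make it connect' context (constructed example of the anti-pattern)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                # accepts any certificate: an interceptor goes unnoticed
    return ctx


def audit_client_context(ctx):
    """Return the problems a reviewer would raise about a client SSLContext (empty = clean)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: any valid certificate is accepted for any host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_client_context(hardened_client_context()) or "clean")
    print("sloppy:  ", audit_client_context(sloppy_client_context()))
```

Pass the hardened context to `urllib.request.urlopen(url, context=ctx)` or `http.client.HTTPSConnection(host, context=ctx)`; the same three properties are what to look for when reviewing someone else's client code.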
Step 6: Protect and Patch your Instances
• Define and Categorize Cloud based assets
• Watch out for Zero Days
• Classify Risk
• Patch Affected Systems
• Use a Configuration Management System
Step 7: Protect Access to your Instances
• Create Individual User accounts
• Use Role based Access
• Grant Least privilege based on Business Need
• Enable Multi-Factor Authentication for Privileged Users
• Audit all User Activity
• Federate all User Access through a Directory Service
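Least privilege and MFA for privileged users are easy to state and easy to lose in a policy document that was "temporarily" widened. The added example below (not code from the slides or from Atigeo) lints an IAM-style JSON policy for three things a reviewer checks first: an Allow of every action on every resource, NotAction/NotResource grants, and privileged actions without an MFA condition. The sample policy is constructed, and PRIVILEGED_PREFIXES is an assumption about which service prefixes your team treats as privileged.

```python
import json

# Constructed policy (not from the slides): an "everything" statement, an MFA-gated
# IAM statement and a properly scoped S3 statement.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "IamWithMfa", "Effect": "Allow",
     "Action": ["iam:CreateUser", "iam:AttachUserPolicy"], "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "AppData", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-bucket/*"}
  ]
}
"""

# Assumed: action prefixes privileged enough to require MFA.
PRIVILEGED_PREFIXES = ("iam:", "sts:", "organizations:", "kms:")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True when a Condition requires aws:MultiFactorAuthPresent = true (Bool or BoolIfExists).
    Condition keys are case-insensitive, so compare lower-cased."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() in ("bool", "boolifexists"):
            for key, val in keys.items():
                if key.lower() == "aws:multifactorauthpresent" and \
                        any(str(v).lower() == "true" for v in _as_list(val)):
                    return True
    return False


def _is_privileged(action):
    a = action.lower()
    return a == "*" or any(a.startswith(p) for p in PRIVILEGED_PREFIXES)


def lint_policy(document):
    """Return (Sid or 'statement[i]', message) for Allow statements that violate least privilege."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((sid, "grants every action on every resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource grant: everything not listed is allowed"))
        privileged = [a for a in actions if _is_privileged(a)]
        if privileged and not _requires_mfa(stmt):
            findings.append((sid, f"privileged actions {privileged} without an MFA condition"))
    return findings


if __name__ == "__main__":
    for sid, message in lint_policy(POLICY_JSON):
        print(f"{sid}: {message}")
```

On the sample only "TooBroad" is reported (twice: full admin, and privileged actions without MFA); the IAM statement passes because of its MFA condition and the S3 statement is scoped. Run this in CI against every policy in your infrastructure repository so a widened policy fails review rather than reaching production.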
Step 8: Protect your Applications
• Implement AAA (Authentication, Authorization and Auditing).
• Familiarize yourself with the OWASP Top 10 Application Security Flaws.
• Follow Secure Development Best Practices.
Step 9: Audit and Monitor your Cloud
• Gather monitoring data on a secure and separate network
• Establish baselines
• Monitor all layers and protocols
• Deploy the IDS behind the network firewall
• Fine-tune alert levels
• Use redundant alerting channels
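Baselines and tuned alert levels only mean something once they are written down as detection logic. The added example below (not code from the slides or from Atigeo) runs an SSH brute-force detector over a constructed auth.log excerpt: per source address it keeps a sliding window of failed logins and raises one alert when the count inside the window reaches the threshold. The threshold and window are the tunable "alert levels"; the addresses are RFC 5737 documentation ranges and the year supplied to the parser is an assumption, since syslog lines carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not from the slides).
SAMPLE_AUTH_LOG = """\
Jan 12 10:15:01 web-1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 12 10:15:03 web-1 sshd[2203]: Failed password for root from 203.0.113.5 port 51023 ssh2
Jan 12 10:15:04 web-1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 51024 ssh2
Jan 12 10:15:06 web-1 sshd[2207]: Failed password for root from 203.0.113.5 port 51025 ssh2
Jan 12 10:15:09 web-1 sshd[2209]: Failed password for invalid user test from 203.0.113.5 port 51026 ssh2
Jan 12 10:15:10 web-1 sshd[2211]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2
Jan 12 10:15:12 web-1 sshd[2213]: Failed password for root from 203.0.113.5 port 51027 ssh2
Jan 12 10:16:30 web-1 sshd[2220]: Failed password for alice from 192.0.2.9 port 50211 ssh2
Jan 12 10:19:45 web-1 sshd[2231]: Failed password for alice from 192.0.2.9 port 50212 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2015):
    """Yield (timestamp, ip, user) for every failed-password line. Syslog timestamps have
    no year, so one is supplied (assumption for the demo)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding window per source IP: alert once when `threshold` failures fall within
    `window_seconds`. Returns {ip: (failures_in_window, first_ts, last_ts)}."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, ip, _user in parse_failures(log_text):
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:           # one alert per source, not per line
            alerts[ip] = (len(q), q[0], ts)
    return alerts


if __name__ == "__main__":
    for ip, (count, first, last) in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {ip}: {count} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

With the defaults, 203.0.113.5 trips the alert at its fifth failure (10:15:09); 192.0.2.9, two failures three minutes apart, stays under the baseline. Raising the threshold to 7 silences the sample entirely, which is the kind of tuning the slide is asking you to do deliberately rather than by ignoring noisy alerts.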
Step 10: Validate your Protection
• Test Network, Infrastructure and Applications separately for Security Vulnerabilities periodically
• Check for Input validation, session manipulation, authentication and information leakage
• Use 3rd Party Tools where possible
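Step 8 points at the OWASP Top 10 and Step 10 asks you to test for input validation and information leakage; injection is where both meet. The added example below (not code from the slides or from Atigeo) shows a string-built search query next to its parameterised fix against an in-memory SQLite database, and a Step 10 style probe that sends a UNION payload through a search function and reports whether rows from the private users table came back. The schema, rows and payload are constructed for the demo.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory schema: a public product catalogue and a private users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(name TEXT, price REAL);
        CREATE TABLE users(username TEXT, password_hash TEXT);
        INSERT INTO products VALUES ('widget', 9.99), ('gadget', 19.99);
        INSERT INTO users VALUES ('admin', 'pbkdf2-sha256$100000$c2FsdA$Zm9yLWRlbW8tb25seQ');
    """)
    return conn


def search_vulnerable(conn, term):
    """String-built query: the user's input becomes part of the SQL itself."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameterised query: the input is bound as data and can never change the statement."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Payload a tester types into the search field to pull the users table through the product result set.
UNION_PAYLOAD = "%' UNION SELECT username, password_hash FROM users --"


def leaks_credentials(conn, search_fn):
    """Step 10 style probe: does the search endpoint return rows that belong to the users table?"""
    usernames = {row[0] for row in conn.execute("SELECT username FROM users")}
    return any(row[0] in usernames for row in search_fn(conn, UNION_PAYLOAD))


if __name__ == "__main__":
    conn = build_demo_db()
    print("vulnerable leaks credentials:", leaks_credentials(conn, search_vulnerable))
    print("safe leaks credentials:      ", leaks_credentials(conn, search_safe))
```

Against the vulnerable function the query becomes `... WHERE name LIKE '%%' UNION SELECT username, password_hash FROM users --%'`, which returns both products plus the admin row; the safe version looks for a product literally named after the payload and returns nothing. Keep probes like this in the test suite so the protection is validated on every build, not only at the periodic assessment.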
Step 11: Automate Everything
• Use a Configuration Management System
• Employ Continuous Integration and Delivery.
• Automated Provisioning helps:
  • Documentation
  • BCP/DR Planning
  • Change Management
• Treat Infrastructure as Code.
Step 12: Update your Security Policy
• Define security scope and boundaries
• Select a proper risk assessment methodology
• Align policies to contractual obligations
• Choose a suitable security control framework
Step 13? There is no magic bullet!
• Some things are easier and some are harder in the Cloud
• Conventional security and compliance concepts still apply in the cloud.
• The 12 Steps will get you started on your continuous security improvement cycle
Resources
https://s3.amazonaws.com/awsmedia/AWS_Security_Best_Practices.pdf
http://checklists.nist.gov/
https://www.us-cert.gov/
https://www.owasp.org/index.php/Top_10_2013-Top_10
https://www.cert.org/incident-management/
http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
https://en.wikipedia.org/wiki/Penetration_test
http://www.drdobbs.com/architecture-and-design/top-10-practices-for-effective-devops/240149363
https://en.wikipedia.org/wiki/Information_security_management_system
Thank You
Vishnu Vettrivel
Principal Engineering Lead, Atigeo
@cloudronin
@atigeo
xpatterns.com
linkedin.com/company/atigeo