security in the cloud workshop hstc 2014
TRANSCRIPT
![Page 1: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/1.jpg)
Security in the Cloud
Akash Mahajan
![Page 2: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/2.jpg)
Akash Mahajan - Profile
Heard of that Web App Security Guy?
Am the chapter lead for OWASP Bangalore
Co-founded a security community; null
Kick-started an eco system for start-ups
Ever attended a Startup Saturday?
Realized that I love to learn about security!
![Page 3: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/3.jpg)
You will not learn anything new today
The interesting part is learning why you won’t learn anything new today
![Page 4: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/4.jpg)
WHAT IS CLOUD COMPUTING?
![Page 5: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/5.jpg)
“Today Internet is Cloud CD Based, if you use Google your docs get stored in cloud, have you ever seen Google software CD? No it’s not here, it’s in the cloud. Called as Cloud CD! When you check, it Cloud gives error because it is raining!!!!”
- Vishwa Bandhu Gupta
![Page 6: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/6.jpg)
Cloud computing is computing in which large groups of remote servers are networked to allow the centralized data storage, and online access to computer services or resources.
- From http://en.wikipedia.org/wiki/Cloud_computing
![Page 7: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/7.jpg)
How is Cloud Computing different from?
Grid computing
Distributed computing
Large Scale Clusters
![Page 8: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/8.jpg)
Elasticity is the degree to which a system is able to adapt to workload changes
![Page 9: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/9.jpg)
How do we get Elasticity?
By provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible.
![Page 10: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/10.jpg)
Autonomic Manner
The system makes decisions on its own, using high-level policies; it will constantly check and optimize its status and automatically adapt itself to changing conditions.
![Page 11: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/11.jpg)
AWS Auto-scale – Example of Elasticity
![Page 12: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/12.jpg)
The tech behind
cloud computing
is not new
![Page 13: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/13.jpg)
WHAT MAKES UP THE CLOUD COMPUTING STACK?
![Page 14: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/14.jpg)
Virtualization
The main enabling technology for cloud computing
![Page 15: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/15.jpg)
Service Oriented Architecture (SOA)
Breaking of business problems into services that can be integrated
![Page 16: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/16.jpg)
Programmable APIs
Ability to interact with the services offered using programs and the libraries provided
![Page 17: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/17.jpg)
Management Layer
Ability to interact with the services offered using a web based front-end for management & billing
![Page 18: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/18.jpg)
High Speed Networks
All of the above talk to each other using high speed networks
![Page 19: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/19.jpg)
Cloud Computing Stack
Management Layer
Programmable APIs
Service Layer
OS Level Virtualization
![Page 20: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/20.jpg)
OS LEVEL VIRTUALIZATION
![Page 21: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/21.jpg)
What is Virtualization?
It separates a physical computing device into one or more "virtual" devices.
![Page 22: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/22.jpg)
OS Level Virtualization
It essentially creates a scalable system of multiple independent computing devices.
![Page 23: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/23.jpg)
OS Level Virtualization
Idle computing resources can be allocated and used more efficiently
![Page 24: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/24.jpg)
Virtualization provides agility
• Speed up IT operations
• Reduces cost by increasing infrastructure utilization
![Page 25: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/25.jpg)
Virtualization provides automation
• Cloud computing automates the process through which the user can provision resources on demand.
• By minimizing user involvement, automation speeds up the process, reduces labor costs and reduces human errors
![Page 26: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/26.jpg)
SERVICE ORIENTED ARCHITECTURE FOR CLOUD SERVICES
![Page 27: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/27.jpg)
What does SOA contain?
![Page 28: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/28.jpg)
Compute
processor, random access memory
![Page 29: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/29.jpg)
Storage
persistent, redundant, scalable, infinite and cheap
![Page 30: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/30.jpg)
Network
all-pervasive, based on TCP/IP, gigabit-fast and more
![Page 31: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/31.jpg)
Management
what we use to manage or work with the service
![Page 32: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/32.jpg)
Metrics and Measured Service
billing is like utility services and every service is
measurable
![Page 33: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/33.jpg)
PROGRAMMABLE APIS AND MANAGEMENT LAYER
![Page 34: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/34.jpg)
Programmable APIs
Start, stop, pause virtual servers
ec2-run-instances
gcloud compute instances create
![Page 35: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/35.jpg)
Management Layer
Basically a web based control panel
![Page 36: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/36.jpg)
Management Layer
![Page 37: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/37.jpg)
SERVICE MODELS
![Page 38: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/38.jpg)
Cloud Service Models
![Page 39: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/39.jpg)
Software As A Service
Meant for end users to consume a service using applications and data storage
![Page 40: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/40.jpg)
Platform As A Service
Meant for developers to utilize an integrated development platform and framework
![Page 41: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/41.jpg)
Infrastructure As A Service
Basic Cloud Service building blocks are given like server instance, storage and network
![Page 42: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/42.jpg)
DEPLOYMENT MODELS FOR THE CLOUD
![Page 43: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/43.jpg)
Cloud can be in your office too
![Page 44: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/44.jpg)
Deployment Models
• Public
• Private
• Hybrid
![Page 45: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/45.jpg)
Public Cloud
A cloud is called a "public cloud" when the services are rendered over a network that is open for public use.
![Page 46: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/46.jpg)
Private Cloud
Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party, and hosted either internally or externally.
![Page 47: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/47.jpg)
Hybrid Cloud
Hybrid cloud is a composition of two or more clouds (private, community or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models.
![Page 48: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/48.jpg)
SECURITY IN THE PUBLIC CLOUD
We will restrict our discussion to the security of the public cloud
![Page 49: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/49.jpg)
Shared Sense of Security
Public cloud vendors and customers have a shared sense of security
![Page 50: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/50.jpg)
![Page 51: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/51.jpg)
Shared Responsibility of Security
Public cloud vendors and customers have to share security responsibility
![Page 52: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/52.jpg)
![Page 53: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/53.jpg)
Division of Responsibility
![Page 54: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/54.jpg)
Amazon AWS takes care of
• Physical Security (Nobody should walk away with the server, including the Govt.)
• Host OS which runs the virtualization software
• Virtualization Security (Rogue VMs can't harm others)
![Page 55: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/55.jpg)
Amazon AWS takes care of
• Environmental Safeguards (DC is safe to run servers)
• Administrative Controls (Policies and Procedures)
• Certifications and Accreditations (SAS 70, SOC 1, PCI DSS, ISO 27001)
![Page 56: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/56.jpg)
You take care of
• Guest OS (The Compute instance)
• Application Security (The application on the compute instance)
• Data Security (The data being generated, processed by the application)
• Network security for the guest & applications
• Security Monitoring of Guest OS & applications
![Page 57: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/57.jpg)
A few public cloud vendors
![Page 58: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/58.jpg)
Does Cloud Need Security?
Wrong question to ask, the question should be…
![Page 59: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/59.jpg)
Do we need to worry about our
data, our infra, our apps stored in the
public cloud?
![Page 60: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/60.jpg)
Our apps in the public cloud
• This applies only to IaaS and PaaS, as in SaaS it is not our application
• An insecure app can expose the underlying infrastructure and data to theft, corruption and exposure
![Page 61: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/61.jpg)
Security Testing of Apps
• No different from testing any application for security
• We might require permission to run automated scanners against the app
• Ideal frameworks to test against are the OWASP Top 10 and the OWASP Testing Guide
![Page 62: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/62.jpg)
App Insecurity Scenario
• App has a Local File Inclusion bug
• The AWS root account credentials are being used by the app
• They are stored in a world-readable file on the server
• Attacker reads the credentials and starts multiple large instances to mine Bitcoin
• Victim is saddled with a massive bill at the end of the month
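The scenario above, worked as an added example (this code is mine, not the workshop's): a page handler with the local file inclusion bug beside a hardened version, run against a constructed directory tree that contains a placeholder, world-readable `.aws/credentials` file outside the web root. Every path, file and key value in the tree is fabricated for the demo, and the `render_*` functions are assumptions rather than an existing application.

```python
import os
import tempfile


def build_demo_tree() -> str:
    """Constructed layout for this example: a web root holding one legitimate
    template, plus an AWS credentials file outside the web root that is
    world readable (the slide's scenario). Placeholder values, not real keys."""
    base = tempfile.mkdtemp(prefix="lfi-demo-")
    templates = os.path.join(base, "webroot", "templates")
    os.makedirs(templates)
    with open(os.path.join(templates, "home.html"), "w") as f:
        f.write("<h1>home</h1>")
    aws_dir = os.path.join(base, "home", "app", ".aws")
    os.makedirs(aws_dir)
    creds = os.path.join(aws_dir, "credentials")
    with open(creds, "w") as f:
        f.write("[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE00\n"
                "aws_secret_access_key = EXAMPLE-SECRET-NOT-REAL\n")
    os.chmod(creds, 0o644)  # readable by every local user, including the web server's
    return base


def render_vulnerable(base: str, page: str) -> str:
    """Vulnerable handler: the page name from the request is joined to the
    template directory without any check, so '../' walks out of the web root
    and an absolute path replaces the directory entirely."""
    path = os.path.join(base, "webroot", "templates", page)
    with open(path) as f:
        return f.read()


def render_safe(base: str, page: str) -> str:
    """Hardened handler: resolve the final path (symlinks included) and refuse
    to open anything whose resolved location is outside the template directory."""
    template_dir = os.path.realpath(os.path.join(base, "webroot", "templates"))
    candidate = os.path.realpath(os.path.join(template_dir, page))
    if os.path.commonpath([template_dir, candidate]) != template_dir:
        raise PermissionError(f"refusing to read outside template dir: {page!r}")
    with open(candidate) as f:
        return f.read()


def world_readable_credential_files(base: str) -> list:
    """Host-side check for the second half of the scenario: find files named
    'credentials' under the tree that carry the world-read bit (mode o+r)."""
    hits = []
    for root, _dirs, files in os.walk(base):
        for name in files:
            if name == "credentials":
                path = os.path.join(root, name)
                if os.stat(path).st_mode & 0o004:
                    hits.append(path)
    return hits


if __name__ == "__main__":
    base = build_demo_tree()
    payload = "../../home/app/.aws/credentials"
    print("vulnerable handler leaks:", render_vulnerable(base, payload).splitlines()[1])
    try:
        render_safe(base, payload)
    except PermissionError as e:
        print("hardened handler:", e)
    print("world-readable credential files:", world_readable_credential_files(base))
```

The path check is only half the fix. The other half, which the slide also points at, is that long-lived root account keys should not be on the instance at all: an IAM role attached to the instance gives the application temporary, scoped credentials, so a file read gains far less.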
![Page 63: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/63.jpg)
Our infra in the public cloud
• This applies only to IaaS; in SaaS and PaaS the infrastructure is not ours
• Infrastructure vulnerabilities can derail any app security in place.
![Page 64: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/64.jpg)
Security Testing of Infra
• No different from testing any server for security
• We may require permission to run automated scanners against the server
• Ideal frameworks to test against are penetration testing standards such as PTES / OSSTMM
![Page 65: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/65.jpg)
Infra Insecurity Scenario
• MySQL production database is listening on an external port
• Developers work directly on the production database and require SQL management software
• They log in using the root user of the MySQL database server and a simple password
• Attacker runs a brute-force script, cracks the password and gains full access to the database
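Two checks for the scenario above, added here as example code rather than taken from the slides: a detector run over constructed MySQL 5.6-style error-log lines (failed logins land there when `log_warnings=2`) that flags any source host with five or more "Access denied" entries inside a minute, and a `my.cnf` check that shows the weak `bind-address` beside the fixed one. The log lines, IP addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# MySQL 5.6-style error-log line for a failed login (logged with log_warnings=2).
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector: a source host that produces `threshold` or more
    'Access denied' entries within `window` is reported once, with the user
    it targeted and the number of failures seen when the alert fired."""
    recent = defaultdict(deque)  # host -> timestamps of recent failures
    alerts = {}
    for line in lines:
        m = ACCESS_DENIED.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["host"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["host"] not in alerts:
            alerts[m["host"]] = {"user": m["user"], "failures": len(q),
                                 "window_start": q[0].isoformat(sep=" ")}
    return alerts


def audit_bind_address(my_cnf: str):
    """Config check for the same scenario: return a finding if mysqld is
    reachable from the network, or None if it is bound to localhost or has
    networking disabled. mysqld listens on all interfaces when bind-address
    is absent."""
    if re.search(r"^\s*skip[-_]networking\b", my_cnf, re.M):
        return None
    m = re.search(r"^\s*bind[-_]address\s*=\s*(\S+)", my_cnf, re.M)
    if not m:
        return "bind-address not set: mysqld accepts connections on every interface"
    if m.group(1) in ("0.0.0.0", "::", "*"):
        return f"bind-address = {m.group(1)} exposes mysqld to the network"
    return None


# Constructed sample log: one host hammers root, one legitimate user mistypes once.
SAMPLE_LOG = [
    "2014-10-03 10:15:01 1234 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2014-10-03 10:15:03 1234 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2014-10-03 10:15:04 1234 [Warning] Access denied for user 'alice'@'198.51.100.7' (using password: YES)",
    "2014-10-03 10:15:05 1234 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2014-10-03 10:15:07 1234 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2014-10-03 10:15:09 1234 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2014-10-03 10:15:11 1234 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2014-10-03 10:16:00 1234 [Note] InnoDB: Buffer pool(s) load completed",
]

# Weak setting beside the corrected one.
WEAK_CNF = "[mysqld]\nbind-address = 0.0.0.0\nport = 3306\n"
FIXED_CNF = "[mysqld]\nbind-address = 127.0.0.1\nport = 3306\n"

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
    print(audit_bind_address(WEAK_CNF))
    print(audit_bind_address(FIXED_CNF))
```

With `bind-address = 127.0.0.1`, developers who genuinely need a GUI client reach the database over an SSH tunnel or a VPN rather than a public port, and the brute-force traffic the detector is looking for never arrives at mysqld in the first place.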
![Page 66: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/66.jpg)
HEARTBLEED – AN ILLUSTRATION OF AN INFRASTRUCTURE VULNERABILITY
![Page 67: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/67.jpg)
![Page 68: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/68.jpg)
![Page 69: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/69.jpg)
![Page 70: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/70.jpg)
Servers (Infra) were leaking
sensitive information
![Page 71: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/71.jpg)
What kind of information?
• Session IDs
• Usernames
• Password
• Server Certificate’s Private Keys
![Page 72: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/72.jpg)
CloudFlare hosted a vulnerable server
A security researcher sent 2.5 million requests and got the private keys
![Page 73: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/73.jpg)
What is the big deal about that?
• Private keys for the SSL certificate can decrypt captured past and future traffic for every session negotiated without forward secrecy (RSA key exchange)
• Private Keys allow for impersonation of that service as well.
• What if some website could pretend to be https://examplebank.com ?
![Page 74: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/74.jpg)
Amateur Hour at AWS
• https://opbeat.com/blog/posts/amateur-hour-at-aws/
• Amazon AWS took about 48 hours after everyone knew about Heartbleed to patch its servers and inform its customers
• This caused a lot of heart-ache and pain for its customers
![Page 75: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/75.jpg)
Our data in the public cloud
• This applies to all of PaaS, IaaS and SaaS
• Our data can get leaked, exposed, stolen or held to ransom if we don't make sure it is safe while being used, while being transmitted and while being stored
![Page 76: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/76.jpg)
Verifying Data Security through Testing
• This is a specialized testing requirement. A part of this can be tested by looking at the system and application architecture
• All the places where the data can be written, sent or travel need to be looked at.
• Writing to storage, exposing APIs, backups and even insider threats
![Page 77: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/77.jpg)
Verifying Data uses Encryption
• Data at rest is encrypted
– This ensures that if an attacker has access to the disk/store, they can't use the data
• Data in motion is encrypted
– This ensures that if an attacker can sniff the network traffic they can't see or tamper with the data
• Data in use is protected (tmp files, keys loaded in memory)
– This ensures that an attacker who manages to gain access to a server can't do catastrophic damage
![Page 78: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/78.jpg)
Secure Key Management
• Once we start using encryption for data storage and data transmission, the encryption keys need to be safeguarded against theft and accidental loss
• A secure key management process will ensure that at any point keys can be revoked and reissued
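An added example (not the workshop's code) of the key-management point on this slide and the encryption-at-rest point on the previous one: envelope encryption, where each record gets its own data key and only that data key is wrapped under a master key, so a master key can be rotated or revoked without touching the bulk ciphertext. The cipher is a stand-in: an HMAC-SHA256 keystream with encrypt-then-MAC, chosen so the block runs with the standard library alone; in production use AES-GCM from a real library or a cloud KMS. The key ids and the `KeyRing` class are assumptions made for the demo.

```python
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive an independent encryption or MAC subkey from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF-in-counter-mode keystream: HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Stand-in for AES-GCM."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any tampering."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or key is wrong")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyRing:
    """Master keys (KEKs) by id; the newest is active, revoked ones are unusable.
    In production this is an HSM or a cloud KMS, not an in-memory dict."""

    def __init__(self):
        self.keks, self.revoked, self.active = {}, set(), None

    def add_master_key(self, kek_id: str) -> str:
        self.keks[kek_id] = os.urandom(32)
        self.active = kek_id
        return kek_id

    def revoke(self, kek_id: str) -> None:
        self.revoked.add(kek_id)

    def get(self, kek_id: str) -> bytes:
        if kek_id in self.revoked:
            raise PermissionError(f"master key {kek_id} has been revoked")
        return self.keks[kek_id]


def encrypt_record(ring: KeyRing, plaintext: bytes) -> dict:
    """Envelope encryption: a fresh data key (DEK) encrypts the record, and only
    the DEK is wrapped under the active master key."""
    dek = os.urandom(32)
    return {"kek_id": ring.active,
            "wrapped_dek": seal(ring.get(ring.active), dek),
            "ciphertext": seal(dek, plaintext)}


def decrypt_record(ring: KeyRing, record: dict) -> bytes:
    dek = open_sealed(ring.get(record["kek_id"]), record["wrapped_dek"])
    return open_sealed(dek, record["ciphertext"])


def rewrap_record(ring: KeyRing, record: dict) -> dict:
    """Key rotation: unwrap the DEK with the old master key and rewrap it with
    the active one. The bulk ciphertext is untouched, so rotating a master key
    never means re-encrypting terabytes of backups."""
    dek = open_sealed(ring.get(record["kek_id"]), record["wrapped_dek"])
    record["kek_id"] = ring.active
    record["wrapped_dek"] = seal(ring.get(ring.active), dek)
    return record
```

The property the slide asks for falls out of the structure: revoking `kek-2014-01` after a rotation makes every record still wrapped under it unreadable, while records that were rewrapped under the new key keep working and their ciphertext bytes never changed.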
![Page 79: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/79.jpg)
Data Insecurity Scenario
• Database is getting backed up regularly.
• Due to performance reasons, the database wasn't encrypted when the initial backups were done.
• Dev team moves to newer SSDs and doesn't decommission the older HDDs.
• Attacker finds an older HDD, does forensic data recovery and sells the data for profit.
![Page 80: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/80.jpg)
Cloud versus the IT department
![Page 81: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/81.jpg)
How does being in the cloud change the traditional IT department?
![Page 82: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/82.jpg)
How do IT departments manage cloud instances & data?
![Page 83: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/83.jpg)
Does the company Info sec policy still apply?
![Page 84: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/84.jpg)
Do the country's cyber laws still apply?
![Page 85: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/85.jpg)
How do applications get attacked?
![Page 86: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/86.jpg)
HOW DO YOU TEST FOR SECURITY?
What are the frameworks for testing cloud?
Can we follow some best practices ?
![Page 87: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/87.jpg)
Cloud Security Alliance
• Security Guidance Document
• https://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
• Covers 13 Critical Area Domains
![Page 88: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/88.jpg)
European Network and Information Security Agency (ENISA)
• Cloud Computing Information Assurance Framework
• http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance-framework/at_download/fullReport
• Covers 15 areas in OpSec & Identity & Access Management
![Page 89: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/89.jpg)
Frameworks are great, but
• They are too extensive to be actionable
• They are too generic for real world security
• They provide structure but lack incisive steps that can be taken right now to become secure
![Page 90: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/90.jpg)
10 STEPS TO SECURING A CLOUD DEPLOYMENT (INFRASTRUCTURE)
![Page 91: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/91.jpg)
Why Infrastructure first?
In all cases the Cloud Service Provider (CSP) takes care of physical security and the host operating system. So we just need to worry about the guest OS and all the infrastructure running on it.
![Page 92: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/92.jpg)
AWS and Rackspace Host OS Vuln
24th September 2014
![Page 93: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/93.jpg)
AWS and Rackspace Host OS Vuln
From the Amazon AWS Blog
XEN Hypervisor Security Issues
![Page 94: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/94.jpg)
![Page 95: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/95.jpg)
5 Pillars of Security in IaaS (AWS)
• Identity and Access Management
• Configuration and Patch Management
• Endpoint and Network Protection
• Vulnerability and Asset Management
• Data Protection
![Page 96: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/96.jpg)
How the CSPs stack up for security?

| CSP / Security Feature | AWS | Google Compute Engine | Microsoft Azure | Rackspace |
|---|---|---|---|---|
| IAM | YES | YES | YES | Sort of |
| 2FA for Management Layer | Need to enable | Need to enable | YES* (Paid Service) | NO |
| Network Isolation | YES | YES | YES | YES |
| Virtual Private Networks | YES | YES | YES | YES |
| Firewall | YES | YES | YES | YES |
| Centralized Logs and Audit Trail | YES | NO | YES* | NO |
| Encryption for Storage | YES | YES | YES | |
| Key Management | YES | YES | YES | YES |

* http://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/ and http://t.co/tig66fyu9K - Thanks to @govindk
![Page 97: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/97.jpg)
The 10 steps are
1. Enumerate all the network interfaces
2. List all the running services
3. Harden each service separately based on best practices
4. Secure remote access for server management (SSH, RDP)
5. Check operating system patch levels
![Page 98: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/98.jpg)
The 10 steps are
6. Harden the networking parameters of the kernel (Linux specific)
7. Enable a host firewall
8. Do an inventory of all user accounts on the server and audit them
9. Enable centralized logging
10. Enable encryption on disks, storage etc.
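The ten steps form one procedure, so here is one added example (mine, not the workshop's demo) that automates the checks behind steps 1, 2, 4, 6 and 8 on a Linux guest: it parses `ss -tlnp` output for services bound to every interface, compares `sshd_config` and `sysctl -a` output against a small baseline, and audits `/etc/passwd`. The inputs are constructed to produce findings (an exposed MySQL port, root login over SSH, IP forwarding on, a second UID-0 account); on a real host you would feed in the live command output. The baseline values and the port allow list are a minimal assumption, not a full hardening benchmark.

```python
import re

WILDCARD_HOSTS = {"0.0.0.0", "*", "::", "[::]"}


def exposed_listeners(ss_output: str, allowed_ports=(22, 443)):
    """Steps 1-2: parse `ss -tlnp` style output and return (port, process) for
    every service bound to all interfaces that is not on the allow list."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, _, port = cols[3].rpartition(":")
        proc = re.search(r'users:\(\("([^"]+)"', line)
        if host in WILDCARD_HOSTS and int(port) not in allowed_ports:
            findings.append((int(port), proc.group(1) if proc else "?"))
    return findings


def audit_sshd_config(text: str):
    """Step 4: sshd of the period permits root login and password authentication
    by default, so a missing directive counts as the weak setting."""
    wanted = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line:
            key, _, value = line.partition(" ")
            found[key] = value.strip()
    return [f"{k} should be '{v}' (current: {found.get(k, 'default')})"
            for k, v in wanted.items() if found.get(k) != v]


def audit_sysctl(text: str):
    """Step 6: compare `sysctl -a` style output against a hardening baseline."""
    baseline = {"net.ipv4.ip_forward": "0",
                "net.ipv4.tcp_syncookies": "1",
                "net.ipv4.conf.all.rp_filter": "1",
                "net.ipv4.conf.all.accept_redirects": "0",
                "net.ipv4.conf.all.accept_source_route": "0"}
    current = dict(re.findall(r"^(\S+)\s*=\s*(\S+)", text, re.M))
    return [f"{k} = {current.get(k, 'unset')} (want {v})"
            for k, v in baseline.items() if current.get(k) != v]


def audit_accounts(passwd_text: str):
    """Step 8: any UID-0 account other than root is a finding; every other
    account with a real login shell is listed so someone has to justify it."""
    uid0, interactive = [], []
    for line in passwd_text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if uid == "0":
            if name != "root":
                uid0.append(name)
        elif not shell.endswith(("nologin", "false")):
            interactive.append(name)
    return {"extra_uid0": uid0, "login_shells": interactive}


# Constructed inputs standing in for live command output on the guest.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=1012,fd=3))
LISTEN 0      80     0.0.0.0:3306      0.0.0.0:*     users:(("mysqld",pid=1388,fd=10))
LISTEN 0      128    127.0.0.1:6379    0.0.0.0:*     users:(("redis-server",pid=1402,fd=6))
LISTEN 0      128    [::]:443          [::]:*        users:(("nginx",pid=1500,fd=7))
"""
SSHD_CONFIG = "Port 22\nPermitRootLogin yes\n# PasswordAuthentication no\n"
SYSCTL = """net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
"""
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
          "backdoor:x:0:0::/root:/bin/bash\n"
          "deploy:x:1001:1001::/home/deploy:/bin/bash\n"
          "mysql:x:106:110::/nonexistent:/bin/false\n")

if __name__ == "__main__":
    print("exposed:", exposed_listeners(SS_OUTPUT))
    print("sshd:", audit_sshd_config(SSHD_CONFIG))
    print("sysctl:", audit_sysctl(SYSCTL))
    print("accounts:", audit_accounts(PASSWD))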
![Page 99: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/99.jpg)
Demo for 10 steps
![Page 100: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/100.jpg)
AWS IAM Best Practices
• Lock away your AWS account access keys
• Create individual IAM users
• Use groups to assign permissions to IAM users
• Grant least privilege
![Page 101: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/101.jpg)
AWS IAM Best Practices
• Configure a strong password policy for your users
• Enable MFA for privileged users
• Use roles for applications that run on Amazon EC2 instances
• Delegate by using roles instead of by sharing credentials
• Rotate credentials regularly
![Page 102: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/102.jpg)
CASE STUDIES
Real world security incidents we can all learn from
![Page 103: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/103.jpg)
Case Study 1
• Company Not following best practices
• Data loss
• Security Incident
• Catastrophic Business Failure
![Page 104: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/104.jpg)
CODESPACES AWS HACK
Case Study 1
![Page 105: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/105.jpg)
Anatomy of the attack
1. Distract by running a DDoS against the target
2. Gain access to the AWS root credentials
3. All storage devices, hard disks and S3 storage deleted
Company was a hosting company
They went bankrupt due to this and hundreds of customers lost all their data
![Page 106: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/106.jpg)
Case Study 2 – Application Security
• Relatively benign bug causes major security hole in the cloud
![Page 107: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/107.jpg)
APPLICATION (IN)SECURITY LOVES XXE
Case Study 2
![Page 108: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/108.jpg)
Application (In)Security & XXE
• Researcher finds an XXE bug that lets him supply his own file name, path or URL to an application running on AWS EC2
• EC2 uses Auto Scaling
• Auto Scaling requires the instance to hold the information (credentials) it needs, which it fetches from the instance metadata service
• The metadata web server answers local HTTP requests without authentication, so the XXE is used to read them and the server and its credentials are pwned
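The chain in Case Study 2 ends at the instance metadata service (169.254.169.254 on EC2), which answers unauthenticated HTTP from the instance itself. Added example, not from the talk: an outbound-URL guard an application can apply to any URL it is about to fetch on a user's behalf, including one smuggled in through an XML external entity, rejecting link-local, loopback and private destinations. The probe URLs are constructed for the demo; the `fd00:ec2::254` probe is the IPv6 metadata address AWS documents, and using the system resolver for hostnames is an assumption of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _is_internal(ip) -> bool:
    """Addresses an application should never fetch on an attacker's behalf:
    link-local (169.254.0.0/16 holds the EC2 metadata service), loopback,
    RFC 1918 / ULA, unspecified, multicast and reserved ranges."""
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def resolve_host(host: str):
    """A literal IP needs no lookup; anything else goes to the system resolver
    (assumption for this example) and every returned address is checked."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}: {exc}") from exc
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def check_outbound_url(url: str, allowed_schemes=("http", "https")):
    """Validate a URL the application is about to fetch (from XML, a webhook
    field, a redirect). Raises instead of returning a flag so a caller cannot
    forget to look at the result."""
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise ValueError("URL has no host")
    for ip in resolve_host(parts.hostname):
        if _is_internal(ip):
            raise PermissionError(f"{url} resolves to internal address {ip}")
    return parts


# Constructed probes: the metadata endpoints an XXE/SSRF payload would aim at,
# a local service, a file: URL, and a public address that must still be allowed.
PROBES = [
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://[fd00:ec2::254]/latest/meta-data/",
    "file:///etc/passwd",
    "http://localhost:6379/",
    "http://93.184.216.34/",
]


def classify(urls):
    """Return {url: 'allowed' | 'blocked: <reason>'} for a batch of candidate URLs."""
    verdicts = {}
    for url in urls:
        try:
            check_outbound_url(url)
            verdicts[url] = "allowed"
        except (ValueError, PermissionError) as exc:
            verdicts[url] = f"blocked: {exc}"
    return verdicts


if __name__ == "__main__":
    for url, verdict in classify(PROBES).items():
        print(f"{verdict:<70} {url}")
```

Two caveats a practitioner would add. The guard resolves the name once and the HTTP client resolves it again, so against DNS rebinding you connect to the address you checked and send the hostname only in the Host header. And the XML side still needs its own fix: disable DTD processing and external entity resolution in whatever parser the application uses, so the URL never reaches the fetch layer at all. AWS later added IMDSv2, which requires a session token obtained with a PUT request, a separate control that also defeats the one-shot GET an XXE payload can make.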
![Page 109: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/109.jpg)
Case Study 3 – Infrastructure Security
• Unpatched server causes major security breach
![Page 110: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/110.jpg)
INFRASTRUCTURE SECURITY FAIL
Case Study 3
![Page 111: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/111.jpg)
Browser Stack
• Old neglected server, not being used.
• Server is brought up to check something.
• Unpatched server is left running on the Internet without any network protection
• Attacker compromises the server, steals the AWS credentials and manages to email all of the company's customers about how bad the company is
![Page 112: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/112.jpg)
Conclusions
• Security in the cloud is really not very different from regular security
• Same principles and processes apply
• Same tools and techniques apply
• IT folks need to simply understand what is the best way to get the same thing done
![Page 114: Security in the cloud Workshop HSTC 2014](https://reader033.vdocuments.us/reader033/viewer/2022060205/55a0fed01a28ab0d2e8b465b/html5/thumbnails/114.jpg)
Attributions
• Cloud Image Background from www.perspecsys.com
• Video of Vishwa Bandhu https://www.youtube.com/watch?v=ApQlMm39xr0
• Virtualization image By Qingqing Chen (Own work) [Public domain], via Wikimedia Commons
• CPU Usage https://www.wormly.com/help/windows-server/cpu-usage-win32
• Yoga agility By Earl McGehee (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
• Toyota Robot at Toyota Kaikan
• AWS Scale on Demand http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-scale-based-on-demand.html
• SOA for Cloud Computing http://www.communitydatalink.com/portfolio/cloudservices/
• http://www.rackspace.com/knowledge_center/whitepaper/understanding-the-cloud-computing-stack-saas-paas-iaas
• By Sam Joton (wikipedia) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
• Big Thanks to @govindk for fixing errors in Slide #96