CLOUD SECURITY ESSENTIALS 2.0

CRAWL. WALK. RUN.

Javier GodinezPrincipal DevSecOps Architect

Intuit

Shannon LIetz

Director, DevSecOps & Security Eng

Intuit

@devsecops

A Throwaway

Deck for R

SA

2

IN THE CLOUD,

EVERYTHING IS CODE...

3

Uh… where do these go?

EOL JUSTHAPPENS... http://donsmaps.com/images22/mutta1200.jpg

5

Let’s switch some things around…Data Center

NetworkServers

Virtualization

Operations

Platforms

Buyer IdentifierCloud Account(s)

Virtual IP AddressesContainerization

Appliances

Storage

Security Features

ApplicationsEphemeral Instances

Scale on DemandIAAS, PAAS, SAAS

Resource TestingBuilt-In Security

Long-Term Contracts Partner Marketplaces

Slow-ish Decisions

Experiments

6

The Basic Cloud Model

Clou

d Pr

ovid

er N

etw

ork

Backbone

Backbone

Cloud Platform (Orchestration)

Network Compute Storage

Internet

Clou

d Ac

coun

t(s)

Load Balancers

ComputeInstances

VPCs

Block Storage

Object Storage

RelationalDatabases

NoSQLDatabases

Containers

ContentAcceleration

Messaging Email

Utilities

Key Management

API/Templates

Certificate Management

PartnerPlatform

7

Reality…Internet

Clou

d Pr

ovid

er N

etw

ork

Clou

d Pr

ovid

er N

etw

ork

Clou

d Pr

ovid

er N

etw

ork

Clou

d Pr

ovid

er N

etw

ork

Data

Cen

ter

Data

Cen

ter

Clou

d Pr

ovid

er N

etw

ork

8

CLOUD IS GREAT!

https://www.flickr.com/photos/comedynose

9

Developers have lots of options…

10

And Attackers also have lots of options…

11

UH... WE’RE NOT IN {KANSAS} ANYMORE

12

This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry.

DevOps brings mega-change!

http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security

… And maybe that’s a good thing!

13

Top 5 Cloud Security Principles 2.0• The Cloud is not a Datacenter.• Reduce blast radius; play the odds.• Encryption is inconvenient.• Speed & Ease is both Friend & Foe.• Protection is ideal; Detection is a must!

14

EVERY COMPANY HAS SOMETHING IN THE CLOUD... THERE’S REALLY NO WAY OUT.

15

The Cloud is not a Datacenter.

16

Direct Connections/VPNs to Clouds are evil!

Clou

d Pr

ovid

er N

etw

ork

Data

Cen

ter

PUBLIC SUBNET

APP

DATABASEDATABASE

APP

PUBLIC SUBNET

VPN

Cloud Web ConsoleAPI Credentials

“NEW” BOUNDARY HAS ALL THE WEAKNESSES OF BOTH AND MIXES TWO DIFFERENT SECURITY MODELS!

Remote Access

PRIVATE

SOFTWARE VPN

MANAGED VPN

10.0.0.0/8Connected & Routable?

No IDS?What do you mean the IP could change?

Tags? Security Groups? SDE?

17

Host-Based Controls• Shared Responsibility and

Cloud require host-based controls.• Instrumentation is

everything!• Fine-grained controls

require more scrutiny and bigger big data analysis.

Clou

d Pr

ovid

er N

etw

ork

InstanceInstance

Tested machine image…Tested instances...Tested roles...Tested passwords...

New instance created…Instance 12345 changed…User ABC accessed Instance 12345...

B

18

Lights out…• Lights out datacenters have always

been a desired nirvana.• Automation is required to stack

and replace cloud workloads.• Cloud security benefits are derived

from lights out…• Automation & Instrumentation• Ephemeral Bastions• Drift Management• Security Testing

Tested machine image…Tested instances...Tested roles...Tested passwords...

New instance created…Instance 12345 changed…User ABC accessed Instance 12345...

B

Clou

d Pr

ovid

er N

etw

ork

Bastion Instance Instance

19

Long live APIs…• Everything in the cloud should be

an API, even Security…• Protocols that are not cloudy should

not span across environments.• If you wouldn’t put it on the

Internet then you should put an API and Authentication in front of it:• Messaging• Databases• File Transfers• Logging

Clou

d Pr

ovid

er N

etw

ork

Tested machine image…Tested instances...Tested roles...Tested passwords...

New instance created…Instance 12345 changed…User ABC accessed Instance 12345...

B

User Routing

Data Replication

ApplicationGateway

File Transfers

Log Sharing

Messaging

My API

20

IT’S GOING TO BE A BLAST!

https://www.flickr.com/photos/mountainbread

21

Blast Radius is a real thing…

R.I.P.

22

Beware of Orchestrators…• Orchestration creates blast radius

because it centralizes the deployment/security for cloud workloads.

• Tools that act on behalf usually require credentials and create blindspots.

• Non-native tools require specialized skills and make it difficult to gain context on what the right behavior should be.

Cloud Orchestration Platform

Clou

d Pr

ovid

er N

etw

ork

A B C

Clou

d Ac

coun

t

Clou

d Ac

coun

t

Clou

d Ac

coun

t

secrets

What’s normal?

23

Account Sharding is a new control!• Splitting cloud workloads into

many accounts has a benefit.• Accounts should contain less

than 100% of a cloud workload.• Works well with APIs; works

dismal with forklifts.• What is your appetite for

risk?Cloud

WorkloadTemplates

Clou

d Pr

ovid

er N

etw

ork

33 % 33 % 33 %

Clou

d Ac

coun

t

Clou

d Ac

coun

t

Clou

d Ac

coun

t

attacker

24

MFA is a MUST!• Passwords don’t work.• Passwords aren’t enough to

protect infrastructure.• Use MFA to protect User

accounts and API credentials used by Humans.

• On some cloud platforms it is possible to make roles work only when MFA is provided and for certain actions to require MFA.

123456

Implement cloud template…API Credentials accepted...Please input your MFA token:XXXXXX (123456)Cloud stack 123 has been implemented.

25

50 %

Cloud Disaster Recovery is a different animal…• Regional recovery is not enough

to cover security woes.• Security events can quickly

escalate to disasters.• Got a disaster recovery team?• Multi-Account strategies with

separation of duties can help.• Don’t hard code if you can help it.• Encryption is inconvenient, but

necessary…

Cloud WorkloadTemplates

Clou

d Pr

ovid

er N

etw

ork

50 % 50 %

Clou

d Ac

coun

t

Clou

d Ac

coun

t

DisasterTemplates

50 %

Clou

d Ac

coun

ts

26

BEGINENCRYPTED TRANSMISSION...

https://www.flickr.com/photos/ideonexus

27

Encryption is a necessary evil…• It helps with Safe Harbor.• It helps with SQL Injection.• It helps with Data

Ownership.• It helps with Privacy.

It’s not a silver bullet…

Clou

d Pr

ovid

er N

etw

ork

Clou

d Ac

coun

t

Clou

d Ac

coun

t

Clou

d Ac

coun

t

Instance

Secrets Management

Key Management & Encryption

App

DBDisk

ManagedService

28

So much inconvenience• It can limit scale and it may

narrow design options.• Scalable Key Management is

really hard in the cloud.• Inconvenience commonly

comes from blue/green changes, dynamic environment & sharing secrets for auto-scale.

Instance

Secrets Management

Disk

Instance

Disk

Instance

Disk

Instance

Disk

Instance

Disk

Instance

Disk

Instance

Disk

Instance

Disk

Instance

Disk

Instance

Disk

Instance

Disk

APP APP

DB DB

Clou

d Ac

coun

t

Clou

d Ac

coun

t

Phew I’m exhausted

29

Overcoming Inconvenience• Use built-in transparent

encryption when possible.• Use native cloud key management

and encryption when available.• Develop back up strategies for

keys and secrets.• Apply App Level Encryption to

help with SQL Injection and preserving Safe Harbor.

• Use APIs to exchange data and rotate encryption.

Clou

d Pr

ovid

er N

etw

ork

Clou

d Ac

coun

t

Clou

d Ac

coun

t

Clou

d Ac

coun

t

Instance

Secrets Management

Key Management & Encryption

App

DBDisk

ManagedService

30

FRIEND AND FOE...

https://www.flickr.com/photos/sreybhtiek

31

Speed & Ease can create problems…• Overloaded terms like “Policy” can

cause confusion for DevOps and Security teams.

• Applying broad controls to narrow problems can create gaps.

• Security reviews are too slow…• Mistakes can and do happen!!• Security scanners and testing tools

are not yet available for solving these speed & ease challenges.

DEVOPS SECURITY

CLOUD SECURITY POLICIESSECURITY AS CODE

Page 3 of 433

How do I?Did you mean?What is?

Sigh…It’s like we aren’t speaking the same language…

32

Mixed modes don’t work• Forklifts are not a good

idea because the original controls operate different.• Systems designed for

waterfall don’t have an easy path to achieve agile.• Fragile applications in the

cloud are easy pickings for attackers! MAN – THIS SHELL IS HEAVY!

33

Code can solve the divide• Paper-resident policies do

not stand up to constant cloud evolution and lessons learned.• Translation from paper to

code can lead to mistakes.• Traditional security policies

do not 1:1 translate to Full Stack deployments.

Data

Cen

ter

Clou

d Pr

ovid

er

Net

wor

k

• LOCK YOUR DOORS• BADGE IN• AUTHORIZED PERSONNEL ONLY• BACKGROUND CHECKS

• CHOOSE STRONG PASSWORDS• USE MFA• ROTATE API CREDENTIALS• CROSS-ACCOUNT ACCESS

EVERYTHING AS CODE

Page 3 of 433

34

Speed & Ease can increase security!• Fast remediation can remove attack

path quickly.• Resolution can be achieved in

minutes compared to months in a datacenter environment.

• Continuous Delivery has an advantage of being able to publish over an attacker.

• Built-in forensic snapshots and blue/green publishing can allow for systems to be recovered while an investigation takes place.

APP APP

DB DB

APP

DB

ATTACKED FORENSICSRECOVERED

35

EYES & EARS ...

https://www.flickr.com/photos/waltstoneburner

36

Shift controls & mindset

SecurityMonitoring

37

Cloud Security is a Big Data Challenge…• DevOps + Security is the biggest

big data challenge ahead.• Use Attack Models and choose

the right Data Sources to discover attacks in near real-time.

• Develop a scientific approach to help DevOps teams get the security feedback loop they have been looking for.

• Web Access Logs• Java Instrumentation• Proxy Logs• DNS Logs

38

Cloud Security Feedback Loop

insightssecuritysciencesecurity

tools & data

Cloud accounts

S3

Glacier

EC2

CloudTrail

ingestion

threat intel

SPEED MATTERS

39

THE OPTIONS ARE ENDLESS...

https://www.flickr.com/photos/atomicbartbeans

40

Safe experimentation is critical…• Test possible solutions,

arrive at Good Enough.• Crawl-Walk-Run plans

can save your org from large-scale incidents.• Keep up with Lessons

Learned!

41

10 DAYS

Don’t Hug Your Instances…• Research suggests that you should

replace your instances at least every 10 days, and that may not be often enough.

• Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.

• Make sure to keep a snapshot for forensic and compliance purposes.

• Use config management automation to make changes part of the stack.

• Refresh routinely; refresh often!

42

Use Cloud Native Security Features...• Cloud native security features are

designed to be cloudy.• Audit is a primary need!• Configuration and baseline checks

baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle.

• Be deliberate about how to use built-in security controls and who has access.

43

Security as Code… gotta do it.

By: Peter Benjamin

44

Apply what you learned today…• Next week you should:• Understand how your organization is or plans to use cloud providers• Identify cloud workloads and virtual blast radius within your organization

• In the first 3 months following this presentation you should:• Begin to build Security as Code skills and run cloud security experiments to understand

the issues• Develop Crawl-Walk-Run plans to help your organization build security into cloud

workloads• Within 6 months you should:

• Cloud workloads have been instrumented for known security issues and flagged during the Continuous Delivery of software to the cloud

• Your group has begun to test using Red Team methods and automation to ensure end-to-end security for your cloud workloads

• Remediation happens in hours to days as a result of automation

45

Get Involved & Join the Community• devsecops.org• @devsecops on Twitter• DevSecOps on LinkedIn• DevSecOps on Github• RuggedSoftware.org• Compliance at Velocity

Join Us !!!Spread the word!!!