Cloud Security: There's a Storm Coming
Transcript of Cloud Security: There's a Storm Coming
Cloud Security: There's a Storm Coming May 19th, 2015
11:00AM
Mark Stanislav
Sr. Security Consultant
Rapid7
Presentation will be available at:
www.misti.com/download Download password is available in your Show Guide
Slide 4
■ The first ~10 years of Cloud Computing were mostly spent understanding what the ecosystem could, and should, look like for everyone from end users to large enterprises
■ A lot of details had to be sorted out:
◆ What hypervisors do we use? What should APIs look like?
◆ How do you scale regions, but prevent cascading failures?
◆ Which types of compliance audits can we still pass?
◆ How do we segment data stores and encrypt properly?
◆ Who are the industry leaders and who are the followers?
◆ What cloud-based companies will be darlings or deadbeats?
◆ Which cloud breaches and stories will define those years?
Security Maturity is More Than Breach Stats
Slide 5
Published in 2009 covering EC2 instance mapping, side-channel attacks, and co-residency attacks.
An “Early” Paper That I Still Love
Slide 6
■ There are absolutely vulnerabilities being found and research being cultivated around attacks against hypervisors and other low-level technology powering cloud deployments
■ Much like all computing, one big deal is having a cloud provider who has the technical capabilities and dedication to security to efficiently patch their underlying architecture
Highly Complex Attacks? Eh, Not So Much…
Slide 8
Authentication Security
■ Using an Internet-facing service, with all of your “eggs in one basket,” only being protected by a password? Hmm…
■ Cloud computing is, in my opinion, the biggest reason two-factor authentication adoption has accelerated so dramatically
■ AWS, Azure, Linode, Rackspace, Heroku, GCE, Joyent, and more have some form of auth security beyond only a password
#shameless Check out https://twofactorauth.org
Slide 9
Two-Factor is Not Just a “Nice to Have”
2FA Deployments for Web Services
* Through June, 2014
Slide 11
Access Control Security
■ How much access does a given user or API key have?
◆ Create sub accounts that have limited console access
◆ API keys should be per application, only needed privileges
◆ Leverage standards like SAML and XACML
◆ Define roles and implement RBAC either natively or custom
■ Auditability is often forgotten about
◆ When did they login? Where from? What did they do?
■ Oh, and, don’t LEAK YOUR KEYS AND CREDENTIALS! :)
Slide 12
An All-Too-Common Story
Sanitize your code repositories and your machine images before posting publicly!
Scanning for sensitive data is trivial with a script or manually
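The repository-sanitizing scan the slide calls trivial, as an added example that is not part of the talk: it reports AWS access key IDs by their documented shape and flags 40-character strings only when their entropy is secret-like, so git commit SHAs in the same file are not reported. The sample file content is constructed; the key values are the placeholder examples from AWS documentation.

```python
import math
import re

# AWS access key IDs have a documented shape: "AKIA" followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A candidate secret access key is a run of exactly 40 base64-alphabet characters.
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")


def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score high, hex hashes and words score lower."""
    return -sum(
        (n / len(s)) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s))
    )


def scan_text(text: str, entropy_threshold: float = 4.2) -> list:
    """Return (line_no, kind, value) for each likely credential in the given text.

    Exact-shape matches (key IDs) are always reported. 40-character candidates are
    reported only above the entropy threshold, which keeps 40-hex-digit values such
    as git commit SHAs (at most 4.0 bits per character) from being flagged.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for key_id in AWS_KEY_ID.findall(line):
            findings.append((line_no, "aws_access_key_id", key_id))
        for candidate in SECRET_CANDIDATE.findall(line):
            if shannon_entropy(candidate) > entropy_threshold:
                findings.append((line_no, "high_entropy_secret", candidate))
    return findings


# Constructed sample of a settings file that was about to be pushed to a public
# repository. The key values are the placeholder examples from AWS documentation.
SAMPLE_FILE = """\
# settings.env (constructed sample)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GIT_COMMIT=da39a3ee5e6b4b0d3255bfef95601890afd80709
DB_HOST=db.internal.example.com
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_text(SAMPLE_FILE):
        print(f"line {line_no}: {kind}: {value[:4]}...")  # never echo the full secret
```

Run it as a pre-commit hook or against a machine image's filesystem before anything is shared; the same two checks also cover the bullets on the slide after this one about community images.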
Slide 14
Don’t Worry, Providers Screw it Up, too!
Think about how easy it would be to backdoor a community image…
Slide 15
There’s Always the Front Door
■ Cloud security is still predicated on the software (web apps, underlying services, custom middleware, APIs, etc.)
◆ A single vulnerability could provide access to all user data and instances if the provider doesn’t segment properly
■ Ever wonder if your cloud provider’s administrative interfaces are Internet-facing or able to be accessed via client networks?
Slide 16
Defense in Depth is the ONLY Plan
■ Remember that part about being able to patch efficiently?
◆ “Released less than a week ago,” is not an inspiring excuse
■ There will always be 0-day, how are you preparing for it?
Slide 17
■ A single *aaS can involve numerous ways to read/write data:
◆ Web consoles, APIs, SDKs, mobile applications, and more!
◆ If you add a security feature, it should apply to ALL ways
■ Not convinced? Consider Apple’s security of iCloud…
◆ “CelebrityGate” exposed how weak Apple’s coverage of user data was, even when using their advanced features
A Security Control is All or Nothing
Slide 20
So What’s This “There’s a Storm Coming” Thing?
You Are Here
The First Ten Years of Cloud Computing
The Next Ten Years of Cloud Computing
We’re in the eye of the storm. Shocked? :)
Slide 21
The Next 10 Years of Cloud Security
■ Figure out how to actually add security to all of these new container technologies everyone is deploying without concern
◆ $150M in funding to Docker, $20M to CoreOS == security?
■ See the mass adoption of two-factor authentication across all cloud computing vendors (those that will survive, anyways…)
◆ Salesforce just bought the two-factor platform Toopher
■ Watch as the “Internet of Things” rises, backed off of *aaS solutions and wait intently for the first major breach to occur
◆ All of the problems of early cloud but with big risks at hand
Slide 24
■ IoT has to collapse for platforms, services, and hardware to allow for “the dream” to be realized – but this is a huge risk
◆ Imagine if IFTTT or any similar service was compromised, how much access one attacker would have to people’s lives
What Do I Worry About With Cloud + IoT?
Slide 27
Some SaaS Providers Get it Right, Too
GitHub: Two Factor, Sessions, Audit History, Notifications, Revoke Tokens, SSH Fingerprints
Slide 32
■ Just because you can use a cloud service doesn’t mean you should use it – an easy sign-up doesn’t excuse losing data
◆ If your organization wants to go 100% cloud, that’s fine, just understand that you are taking risks that you likely didn’t have before, or weren’t as likely to come true
◆ Build a proper data retention policy, clean up objects you don’t need anymore, create off-line data backups still
◆ Encrypt-before-cloud if you can, else, segment data well, separate privileges as much as able, and please audit :)
■ Every bad employee password or reused password could be the end of your entire company (remember Code Spaces?)
◆ Two-factor authentication or you’re just being neglectful
Cloud Security Housekeeping Notes
Slide 34
■ Virtual Private Cloud (VPC) is the default these days
◆ If it doesn’t need a public IP, don’t you dare give it one
■ Ingress & egress firewalls, network-level AND host-based
■ Just say no to community AMIs; vendor-provided or custom!
■ If an API call allows you to set transparent encryption: do it
◆ Start leveraging the new Key Management Service (KMS)
■ Create Identity and Access Management (IAM) for roles
◆ Super user privilege should be done at a user-level
◆ Require two-factor authentication for all remote users
■ Enable logging for as much as you can handle, it may matter
Some Tips for Secure IaaS (AWS-focused)
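The IAM tips above and the access-control bullets on Slide 11 (per-application API keys with only the needed privileges, two-factor for all remote users), as an added example that is not part of the talk: a policy statement using the AWS condition key `aws:MultiFactorAuthPresent` to deny anything done without MFA, plus a small linter that flags Allow statements broader than an application key should carry. The policy documents and bucket name are constructed.

```python
import json

# Condition key AWS sets to "true" on requests made with an MFA-authenticated session.
MFA_PRESENT = "aws:MultiFactorAuthPresent"


def deny_without_mfa_statement() -> dict:
    """Deny every action unless MFA was used (the AWS-documented pattern).

    BoolIfExists matches both sessions where the key is "false" and requests where
    the key is absent, such as calls made with long-term access keys.
    """
    return {
        "Sid": "DenyAllWithoutMFA",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {MFA_PRESENT: "false"}},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list:
    """Return (Sid, reason) for Allow statements too broad for a per-application key."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            findings.append((sid, "wildcard action grants a whole service or everything"))
        if "*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
            findings.append((sid, "unconditional access to every resource"))
    return findings


# Constructed examples. The MFA deny belongs on human console users; an application's
# key can never satisfy it, so the application gets a narrowly scoped policy instead.
CONSOLE_USER_POLICY = {"Version": "2012-10-17", "Statement": [deny_without_mfa_statement()]}
APP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "UploaderReadWrite", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-uploads/incoming/*"}]}  # placeholder bucket
SLOPPY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(CONSOLE_USER_POLICY, indent=2))
    print(audit_policy(APP_POLICY), audit_policy(SLOPPY_POLICY))
```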
Slide 35
Some Tips for Secure SaaS
■ Consider using SAML to tie your SaaS applications into the organization’s existing authentication backend and for SSO
◆ Okta, OneLogin, etc. then provide “portal” access to SaaS
■ Provide solutions to employees before they provide their own
◆ Controlling SaaS is hard… don’t make employees stray!
■ Yep, two-factor authentication for all business services
◆ This includes social media, HR, sales, marketing, etc.
■ If the service allows, create policies for valid IP/geo ranges
◆ This may buy you time, help act as an early alert, etc.
■ Tie these services into your SIEM and actually review reports
◆ Unfortunately, very few SaaS applications do this natively
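The review the slide asks for once SaaS logs reach the SIEM, combined with the auditability questions from Slide 11 (when did they log in, from where), as an added example that is not part of the talk: it evaluates login events against an allowed IP range, flags successes without a second factor, and flags a success that follows a run of failures. The log lines, field names and address ranges are constructed, not any vendor's format.

```python
import ipaddress
import json

# Constructed sample of a SaaS login audit log as exported to a SIEM, one JSON
# object per line. Field names are this example's own, not a real vendor's schema.
SAMPLE_LOG = """\
{"time": "2015-05-19T10:02:11Z", "user": "alice", "ip": "203.0.113.24", "mfa": true, "result": "success"}
{"time": "2015-05-19T10:05:40Z", "user": "bob", "ip": "198.51.100.7", "mfa": false, "result": "success"}
{"time": "2015-05-19T11:14:02Z", "user": "carol", "ip": "203.0.113.30", "mfa": false, "result": "failure"}
{"time": "2015-05-19T11:14:09Z", "user": "carol", "ip": "203.0.113.30", "mfa": false, "result": "failure"}
{"time": "2015-05-19T11:14:15Z", "user": "carol", "ip": "203.0.113.30", "mfa": false, "result": "failure"}
{"time": "2015-05-19T11:14:31Z", "user": "carol", "ip": "203.0.113.30", "mfa": true, "result": "success"}
"""

# Constructed allow-list standing in for the organization's office/VPN egress ranges.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def review_logins(log_text: str, allowed_ranges, failure_threshold: int = 3) -> list:
    """Return (time, user, reason) alerts a SIEM rule should raise for a login log."""
    alerts = []
    failures = {}  # consecutive failed logins per user since their last success
    for line in log_text.splitlines():
        ev = json.loads(line)
        user, addr = ev["user"], ipaddress.ip_address(ev["ip"])
        if ev["result"] != "success":
            failures[user] = failures.get(user, 0) + 1
            continue
        if not any(addr in net for net in allowed_ranges):
            alerts.append((ev["time"], user, f"login from {addr} outside allowed ranges"))
        if not ev["mfa"]:
            alerts.append((ev["time"], user, "login without second factor"))
        if failures.get(user, 0) >= failure_threshold:
            alerts.append((ev["time"], user, f"success after {failures[user]} failures"))
        failures[user] = 0
    return alerts


if __name__ == "__main__":
    for time, user, reason in review_logins(SAMPLE_LOG, ALLOWED_RANGES):
        print(time, user, reason)
```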
THANK YOU!
Mark Stanislav
Please Remember To Fill Out Your Session Evaluation Forms!