Nebula Webinar | Private Cloud Security: Practical Solutions for a Challenging Problem
Transcript of Nebula Webinar | Private Cloud Security: Practical Solutions for a Challenging Problem
© 2015 Nebula, Inc. All rights reserved.
(cloud) Computing for the Enterprise
Private Cloud Security: Practical Solutions for a Challenging Problem
Bryan D. Payne, March 18, 2015
[Diagram: the enterprise environment a private cloud sits in, comprising a private network and the Internet, storage, LDAP, NTP, VLAN tunnels, a SIEM, DNS and PKI]
[Chart: threat actors plotted by sophistication and likelihood of exploitation against likelihood of attack, from intelligence services and serious organized crime, through highly capable groups and motivated individuals, down to script kiddies. Source: OpenStack Security Guide]
[Attack-path diagram in four stages: Initial Access, Touch Cloud, Exploit Cloud, Exploit Enterprise. Initial access comes from spear phishing or a compromised user system. Touching the cloud means accessing it as a user, as an outsider or as an admin, via a compromised instance, a VM breakout, an API vulnerability or a dashboard vulnerability. Exploiting the cloud covers viewing other instances, abusing cloud resources and viewing data in the cloud. Exploiting the enterprise covers modifying LDAP, viewing external data and following VLANs into the corporate network]
Known hardware and software + Orchestration = Security Opportunity
[Architecture diagram: cloud users and administrators reach the web dashboard and API endpoints from outside; cloud operators reach the management and control plane services; compute nodes host the instances and storage nodes hold the data, with separate guest, management and data networks]
Cloud Attack Vectors and Mitigation Strategies

Attack Vector          Mitigation Strategies
API Endpoints          Service hardening, mandatory access controls, code audits
Web Dashboard          CSP, expected domains, HTTPS, HSTS, allowed referrers
Information Leakage    SSL/TLS, disable memory dedup, randomize resource assignment
VM Breakout            Service hardening, mandatory access controls, code audits
Hardware Sharing       Avoid bare metal instances, avoid device pass-through
Default Images         Secure and maintain default images
Secondary Attacks      Least privilege, mandatory access controls, SSL/TLS, strong authentication
Threat: Information Leakage
• TLS for network services
  – API endpoints
  – Web dashboard
  – Log feeds
  – AD / LDAP
  – External storage
• Cross-VM attacks (timing, cache effects, etc.)
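The "TLS for network services" point is easiest to act on as an inventory check: every endpoint a client, node or log shipper connects to should use a TLS-carrying scheme. The following audit is an added example written for this transcript, not code from Nebula or the webinar. The endpoint inventory, the hostnames and the "syslog+tls" scheme label are constructed assumptions; the function works the same way on a list exported from a real service catalog.

```python
"""Audit a private-cloud endpoint inventory for services not protected by TLS.

Added example for this transcript, not Nebula's code.  The endpoint list is
constructed; hostnames are placeholders.
"""
from urllib.parse import urlsplit

# Constructed sample covering the service classes named on the slide.
SAMPLE_ENDPOINTS = {
    "compute-api":  "http://api.cloud.example:8774/v2",
    "identity-api": "https://api.cloud.example:5000/v3",
    "dashboard":    "https://dashboard.cloud.example/",
    "log-feed":     "syslog://siem.corp.example:514",
    "directory":    "ldap://ad.corp.example:389",
    "object-store": "https://swift.cloud.example:8080/v1",
}

# Schemes that carry the transport inside TLS, mapped to the plaintext scheme
# each replaces.  "syslog+tls" is a label assumed for this example.
TLS_SCHEMES = {"https": "http", "ldaps": "ldap", "syslog+tls": "syslog"}
PLAINTEXT_TO_TLS = {plain: tls for tls, plain in TLS_SCHEMES.items()}


def audit_endpoints(endpoints):
    """Return sorted (name, url, recommended_scheme) tuples for every endpoint
    whose scheme does not carry TLS.

    Unknown schemes are reported with recommended_scheme "unknown" so that a
    typo in the inventory does not silently pass the audit.
    """
    findings = []
    for name, url in endpoints.items():
        scheme = urlsplit(url).scheme.lower()
        if scheme in TLS_SCHEMES:
            continue  # already protected
        findings.append((name, url, PLAINTEXT_TO_TLS.get(scheme, "unknown")))
    return sorted(findings)


def tls_coverage(endpoints):
    """Fraction of endpoints using a TLS-protected scheme, from 0.0 to 1.0."""
    if not endpoints:
        return 1.0
    return 1 - len(audit_endpoints(endpoints)) / len(endpoints)


if __name__ == "__main__":
    for name, url, fix in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"{name}: {url} is not TLS-protected; move it to {fix}://")
    print(f"TLS coverage: {tls_coverage(SAMPLE_ENDPOINTS):.0%}")
```

On the constructed sample this flags the compute API, the syslog feed to the SIEM and the LDAP connection, which are exactly the three plaintext hops an attacker on the network could read. Reporting unknown schemes rather than skipping them keeps the audit fail-closed.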
Threat: VM Breakout
• Mandatory access controls
  – SELinux + KVM (sVirt)
• Build hardening
  – Remove unused device models from QEMU
  – Compiler hardening flags
• General node hardening
  – De-privilege node, with respect to the cloud
  – Boot + runtime attestation, SELinux, etc.
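Two of the controls on this slide, the sVirt label and the reduced set of emulated devices, can be verified per instance from its libvirt domain definition. The audit below is an added example for this transcript, not Nebula's code. The domain XML is a constructed sample, and the allow-list of device models (paravirtualised virtio only) is an assumption made for the example, not a recommendation from the webinar.

```python
"""Audit a libvirt/KVM domain definition for an sVirt (SELinux) label and for
emulated devices outside an allow-list.

Added example, not Nebula's code.  The domain XML is constructed; the
allow-list is an assumption for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: virtio disk and NIC, plus a legacy floppy and an IDE
# CD-ROM that a typical cloud instance does not need.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>instance-00000042</name>
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
  <devices>
    <disk type='file' device='disk'>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <target dev='hda' bus='ide'/>
    </disk>
    <disk type='file' device='floppy'>
      <target dev='fda' bus='fdc'/>
    </disk>
    <interface type='bridge'>
      <model type='virtio'/>
    </interface>
    <video>
      <model type='cirrus'/>
    </video>
  </devices>
</domain>
"""

# Assumed allow-list: every emulated device model is attack surface inside
# QEMU, so only paravirtualised models pass.
ALLOWED_DISK_BUSES = {"virtio"}
ALLOWED_NIC_MODELS = {"virtio"}
ALLOWED_VIDEO_MODELS = {"virtio", "none"}


def has_svirt_label(root):
    """True if the domain carries a dynamic SELinux seclabel (sVirt)."""
    return any(
        label.get("model") == "selinux" and label.get("type") == "dynamic"
        for label in root.findall("seclabel")
    )


def unexpected_devices(root):
    """Describe, in document order, each device outside the allow-list."""
    findings = []
    devices = root.find("devices")
    if devices is None:
        return findings
    for disk in devices.findall("disk"):
        target = disk.find("target")
        bus = target.get("bus") if target is not None else "?"
        if bus not in ALLOWED_DISK_BUSES:
            findings.append(f"disk device={disk.get('device')} bus={bus}")
    for nic in devices.findall("interface"):
        model = nic.find("model")
        mtype = model.get("type") if model is not None else "default"
        if mtype not in ALLOWED_NIC_MODELS:
            findings.append(f"interface model={mtype}")
    for video in devices.findall("video"):
        model = video.find("model")
        mtype = model.get("type") if model is not None else "default"
        if mtype not in ALLOWED_VIDEO_MODELS:
            findings.append(f"video model={mtype}")
    return findings


def audit_domain(xml_text):
    """Return {'name', 'svirt', 'unexpected_devices'} for one domain XML."""
    root = ET.fromstring(xml_text.strip())
    return {
        "name": root.findtext("name"),
        "svirt": has_svirt_label(root),
        "unexpected_devices": unexpected_devices(root),
    }


if __name__ == "__main__":
    report = audit_domain(SAMPLE_DOMAIN_XML)
    print(f"{report['name']}: sVirt label present = {report['svirt']}")
    for item in report["unexpected_devices"]:
        print("  unexpected device:", item)
```

A device model that is still present in the domain definition is still exercised by QEMU, so this check complements, rather than replaces, removing the model from the QEMU build itself.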
Threat: Control Plane Compromise
• Layers of security
  – Firewall (bi-directional on control plane)
  – Limit propagation of sensitive data
  – Unique secrets everywhere
  – Audit network service interface bindings
  – TLS, SELinux, boot + runtime attestation
• Primary focus: limit damage from a bad actor on the control plane
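"Unique secrets everywhere" and "audit network service interface bindings" are both things a control-plane audit script can check mechanically. The example below is added for this transcript and is not Nebula's tooling: it parses constructed `ss -lntp` style output to find services bound to every interface rather than the management address, and scans constructed INI-style service configs for a secret value reused across services. The management address, process names, file names and placeholder passwords are all assumptions for the example.

```python
"""Two control-plane checks: sockets bound to all interfaces, and secrets
shared between services.  Added example, not Nebula's code; all inputs are
constructed samples.
"""
import configparser
import re

# Constructed `ss -lntp` style output.  The node's management address is
# assumed to be 10.0.0.5 for this example.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN  0      128    10.0.0.5:5000       0.0.0.0:*         users:(("keystone",pid=1201,fd=4))
LISTEN  0      128    0.0.0.0:5672        0.0.0.0:*         users:(("beam.smp",pid=987,fd=21))
LISTEN  0      128    10.0.0.5:3306       0.0.0.0:*         users:(("mysqld",pid=850,fd=19))
LISTEN  0      128    [::]:8774           [::]:*            users:(("nova-api",pid=1310,fd=6))
LISTEN  0      128    127.0.0.1:11211     0.0.0.0:*         users:(("memcached",pid=640,fd=26))
"""

WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed INI-style fragments in the layout OpenStack services use.
# Every password here is a placeholder invented for the example.
SAMPLE_CONFIGS = {
    "nova.conf": "[database]\nconnection = mysql://nova:s3cr3t-shared@10.0.0.5/nova\n"
                 "[keystone_authtoken]\npassword = nova-svc-pass\n",
    "neutron.conf": "[database]\nconnection = mysql://neutron:s3cr3t-shared@10.0.0.5/neutron\n"
                    "[keystone_authtoken]\npassword = neutron-svc-pass\n",
    "glance-api.conf": "[database]\nconnection = mysql://glance:glance-db-pass@10.0.0.5/glance\n"
                       "[keystone_authtoken]\npassword = nova-svc-pass\n",
}

SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
DB_URL_PASSWORD = re.compile(r"[a-z+]+://[^:/]+:([^@]+)@")


def wildcard_listeners(ss_output):
    """Return sorted (process, port) pairs whose socket is bound to all
    interfaces instead of a specific management address."""
    found = set()
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue  # header or non-LISTEN line
        addr, port, proc = m.groups()
        if addr in WILDCARD_ADDRS:
            found.add((proc, int(port)))
    return sorted(found)


def extract_secrets(config_text):
    """Yield secret values from password-like options and from the
    credentials embedded in database connection URLs."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    for section in parser.sections():
        for key, value in parser.items(section):
            if "password" in key or key.endswith("_secret"):
                yield value
            elif key == "connection":
                m = DB_URL_PASSWORD.match(value)
                if m:
                    yield m.group(1)


def shared_secrets(configs):
    """Map each secret value found in more than one file to the sorted list
    of files that contain it."""
    seen = {}
    for fname, text in configs.items():
        for secret in set(extract_secrets(text)):
            seen.setdefault(secret, set()).add(fname)
    return {s: sorted(files) for s, files in seen.items() if len(files) > 1}


if __name__ == "__main__":
    for proc, port in wildcard_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proc} listens on all interfaces, port {port}")
    for secret, files in shared_secrets(SAMPLE_CONFIGS).items():
        print(f"secret reused across {', '.join(files)}")
```

The two findings on the sample, the message broker and the compute API on wildcard addresses and two secrets shared between services, are the kind of thing a bad actor already on the control plane would use to move between services; catching them is the "limit damage" goal the slide states. The script prints which files share a secret but never the secret itself.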
Threat: Vulnerabilities Upstream
• Targeted security audits
  – Work closely with the OpenStack and Linux communities
• Aggressive security update policies
  – Cloud-specific triage process
  – Be prepared to test and roll out quickly
Threat: Poor Entropy for Instances
• Mix entropy from multiple sources
  – Hardware generated, from multiple vendors
• Distribute securely / fairly
  – Entropy stream distributed throughout the cloud
  – Available to all instances, using RNG Tools