Security In The Cloud

Transcript

1. Security in the Cloud Akash  Mahajan  

2. You  will  not  learn  anything  new  today The  interesting  part

    is  learning  why  you   won’t  learn  anything  new  today

3. CASE STUDIES Real  world  security  incidents  we  can  all  learn

    from

4. CASE STUDY 1 Forensic  Investigation  to  find  Malicious  Insider  in

    AWS  Cloud

5. Malicious Insider deleted data on AWS • All  data  was

    on  EBS  disks • Once  client  realised  that  there  was  an  issue • Server  was  replicated  and  the  original  server  left  untouched • The  EBS  disk  from  original  server  was  replicated  and   mounted  in  a  new  instance

6. Forensic Process • Focus  on  data  recovery  for  logs/history •

   ISO  created  from  mounted  disk • Using  TSK  tools  created  strings  from  ISO • Able  to  find  fairly  large  extract  of  text  from  audit  logs  of  one   of  the  server • The  log  snippet  contained  the  user  who  logged  in  and  ran   delete  commands

7. CASE STUDY 2 Platform  and  Application  using  IAAS  AWS  

8. Platform & App using IAAS AWS • Configuration  pretty  strong

   • No  way  to  reach the  ports  unless  IP  whitelisted • Application  Security  Issues  found

9. How did we test? 1. Whitelisted  our  IP  in  security

    groups 2. Able  to  see  ports  and  the  application Discovered  there  was  an  internal  enterprise  mobile   application  connecting  to  a  certain  port  which  was  open  to   all  without  any  authn and  authz

10. CASE STUDY 3 Application  (In)Security  Loves  XXE

11. Application (In)Security & XXE • Researcher  finds  that,  he  can

     inject  his  own  file  name  and   path  in  AWS  EC2 • EC2 uses  Auto  Scaling • Auto  Scaling  requires  information  to  be  present  on  the  EC2 instance • Meta  Web  Server  allows  local  HTTP  Requests  to  be  made   and  server  and  its  credentials  are  pwned

12. CASE STUDY 4 Infrastructure  Security  Fail

13. BrowserStack Hack • Old  neglected  server,  not  being  used. •

    Server  is  brought  up  to  check  something.   • Un  patched  server  is  left  running  on  the  Internet  without   any  network  protection • Attacker  compromises  the  server,  steals  the  AWS   credentials  and  manages  to  email  all  its  customers,  how  bad   the  company  is

14. AWS and Rackspace Host OS Vuln 24th September  2014  

15. AWS and Rackspace Host OS Vuln From  the  Amazon  AWS

     Blog XEN  Hypervisor  Security  Issues
16. None

17. What does this mean? • Security  in  the  cloud  is

     really  not  very  different  from  regular   security • Same  principles  and  processes  apply • Same  tools  and  techniques  apply • IT  folks  need  to  simply  understand  what  is  the  best  way  to   get  the  same  thing  done

18. Moving… Blackbox Whitebox

19. Where we are headed? • External  Pen  tests  on  

    infra • External  VA/PT  on   applications   • OS  Configuration   Audits • Architecture  Review • Testing  Firewalls   • DOS  Testing • Identity  &  Access   Managment

20. WHAT IS CLOUD COMPUTING?

21. Cloud  computing is  computing  in  which  large   groups  of

     remote  servers  are networked to   allow  the  centralized  data  storage,  and   online  access  to  computer  services  or   resources. -­‐ From  http://en.wikipedia.org/wiki/Cloud_computing

22. How  is  Cloud  Computing    different From? Grid  computing  

    Distributed  computing Large  Scale  Clusters  

23. Elasticity is  the  degree  to  which  a  system  is  able

      to  adapt  to  workload  changes

24. How do we get Elasticity? by  provisioning  and  de-­‐provisioning  resources

     in  an   autonomic manner,  such  that  at  each  point  in  time  the   available  resources  match  the   current  demand  as  closely  as  possible.

25. Autonomic Manner The  system  makes  decisions  on  its  own,  using

     high-­‐ level  policies;  it  will  constantly  check  and  optimize  its   status  and  automatically  adapt  itself  to  changing   conditions.

26. AWS  Auto-­‐scale  – Example  of  Elasticity

27. The  tech  behind   cloud  computing   is  not new

28. WHAT MAKES UP THE CLOUD COMPUTING STACK?

29. Virtualization The  main  enabling  technology  for  cloud  computing

30. Service  Oriented   Architecture   (SOA) Breaking  of  business  problems

     into  services  that  can   be  integrated

31. Programmable   APIs Ability  to  interact  with  the  services  offered

     using   programs  and  the  libraries  provided

32. Management   Layer Ability  to  interact  with  the  services  offered

     using  a web  based  front-­‐end  for  management  &  billing

33. High  Speed Networks All  of  the  above  talk  to  each

     other  using   high  speed  networks

34. Cloud Computing Stack Management  Layer Programmable  APIs Service  Layer OS

     Level  Virtualization

35. OS LEVEL VIRTUALIZATION

36. What  is  Virtualization? it  separates  a  physical   computing  device

     into  one  or   more  "virtual"  devices

37. OS Level Virtualization It  essentially  creates  a  scalable   system

     of  multiple independent computing devices.  

38. OS  Level  Virtualization Idle  computing  resources  can  be   allocated

     and  used  more  efficiently

39. Virtualization provides agility • Speed  up  IT  operations • Reduces

     cost  by   increasing   infrastructure utilization  

40. Virtualization provides automation • Computing  automates  the  process  through  which

     the  user   can  provision  resourceson-­‐demand.   • By  minimizing  user  involvement,  automation  speeds up  the   process,  reduces  labor  costs  and  reduces  human  errors

41. SERVICE ORIENTED ARCHITECTURE FOR CLOUD SERVICES

42. What does SOA contain?

43. Compute processor  ,  random  access  memory,  

44. Storage persistent,  redundant,  scalable,  infinite   and  cheap

45. Network all  pervasive,  based  on  TCP/IP  gigabit  fast   and

     more

46. Management what  we  use  to  manage  or  work  with  the

      service

47. Metrics and Measured Service billing  is  like  utility  services  and

     every   service  is  measurable  

48. PROGRAMMABLE APIS AND MANAGEMENT LAYER

49. Programmable APIs Start,  stop,  pause  virtual  servers   ec2-­‐run-­‐instances gcloud

     compute  instances  create

50. Management Layer Basically  a  web  based  control  panel

51. Management Layer

52. SERVICE MODELS

53. Cloud Service Models

54. Software As A Service Meant  for  end  users  to  consume

     a  service  using  applications   and  data  storage

55. Platform As A Service Meant  for  developers  to  utilize  an

     integrated  development   platform  and  framework

56. Infrastructure As A Service Basic  Cloud  Service  building  blocks  are

     given  like  server   instance,  storage  and  network

57. DEPLOYMENT MODELS FOR THE CLOUD

58. Cloud can be in your office too

59. Deployment Models • Public • Private • Hybrid

60. Public Cloud A  cloud  is  called  a  "public  cloud"  when

     the  services  are   rendered  over  a  network  that  is  open  for  public  use.

61. Private Cloud Private  cloud  is  cloud  infrastructure  operated  solely  for

     a   single  organization,  whether  managed  internally  or  by  a   third-­‐party,  and  hosted  either  internally  or  externally

62. Hybrid Cloud Hybrid  cloud  is  a  composition  of  two  or

     more  clouds  (private,   community  or  public)  that  remain  distinct  entities  but  are   bound  together,  offering  the  benefits  of  multiple   deployment  models.  

63. SECURITY IN THE PUBLIC CLOUD We  will  restrict  our  discussion

     about  the  security  of  the  public  cloud

64. Shared  Sense  of   Security Public  cloud  vendors  and  customers

     have  a  shared   sense  of  security
65. None

66. Shared   Responsibility  of   security Public  cloud  vendors  and

     customers  have  to  share   security  responsibility
67. None
68. None

69. Division of Responsibility

70. IAAS CSP takes care of • Physical  Security  (Nobody  should

     walk  away  with  the  server   including  Govt.) • Host  OS  which  runs  the  virtualization  software • Virtualization  Security  (Rogue  VMs  can't  harm  others)

71. IAAS CSP takes care of • Environmental  Safeguards  (DC  is

     safe  to  run  servers) • Administrative  Controls  (Policies  and  Procedures) • Certifications  and  Accreditations  (SAS70,  SOC1,  PCI,   ISO27K1)

72. You take care of • Guest  OS  (The  Compute  instance)

    • Application  Security  (The  application  on  the  compute   instance) • Data  Security  (The  data  being  generated,  processed  by  the   application) • Network  security  for  the  guest  &  applications • Security  Monitoring  of  Guest  OS  &  applications

73. A few public cloud vendors

74. Does  Cloud  Need   Security? Wrong  question  to  ask,  the

     question  should  be…

75. Do  we  need  to   worry  about  our   data,

     our  infra,  our   apps stored  in  the   public  cloud?

76. Our apps in the public cloud • This  applies  only

     to  IAAS  and  PAAS  as  in  SAAS  it  is  not  our   application • An  in  secure  app  can  expose  underlying  infrastructure  and   data  to  theft,  corruption  and  exposure

77. Security Testing of Apps • No  different  from  testing  any

     application  for  security • We  might  require  permission  to  run  automated  scanners   against  the  app • Ideal  framework  to  test  against  is  OWASP  Top  10  and   OWASP  Testing  Guide

78. App Insecurity Scenario • App  has  a  Local  File  Inclusion

     bug • The  AWS  root  credentials  are  being  used • They  are  stored  in  a  world  readable  file  on  the  server • Attacker  reads  the  credentials  and  starts  multiple  large   instances  to  mine  bitcoins • Victim  saddled  with  a  massive  bill  at  the  end  of  the  month

79. Our infra in the public cloud • This  applies  only

     to  IAAS  as  in  SAAS  and  PAAS  it  is  not  our   application  or  infra • Infrastructure  vulnerabilities  can  derail  any  app  security  in   place.  

80. Security Testing of Infra • No  different  from  testing  server

     for  security • We  may  require  permission  to  run  automated  scanners   against  the  server • Ideal  framework  to  test  against  is  any  Penetration  Testing   Standard  PTES  /  OSSTMM

81. Infra Insecurity Scenario • MySQL  Production  database  is  listening  on

     external  port • Developers  work  directly  on  production  database  and  require  SQL   Management  Software • They  log  in  using  the  root  user  of  MySQL  Database  server  and  a  simple   password   • Attacker  runs  a  brute  force  script  and  cracks  the  password,  gains  full   access  to  the  database

82. HEARTBLEED – AN ILLUSTRATION OF AN INFRASTRUCTURE VULNERABILITY

83. Our data in the public cloud • This  applies  only

     all  PAAS,  IAAS  and  SAAS • Our  data  can  get  leaked,  exposed,  stolen,  held  ransom  if  we   don’t  take  care  of  making  sure  it  is  safe  while  being  used,   while  being  transmitted  and  while  being  stored

84. Verifying Data Security through Testing • This  is  a  specialized

     testing  requirement.  A  part  of  this  can  be   tested  by  looking  at  the  system  and  application  architecture • All  the  places  where  the  data  can  be  written,  sent,  travel  need   to  be  looked  at.   • Writing  to  storage,  exposing  APIs,  backups  and  even  insider   threats

85. Verifying Data uses Encryption • Data  at  rest  is  encrypted

    – This  will  ensure  that  if  an  attacker  has  access  to  the  disk/store,  they  can’t  use  the  data • Data  in  motion  is  encrypted – This  will  ensure  that  if  an  attacker  can  sniff  the  network  traffic  they  can’t  see  &tamper  the   data • Data  in  use  (tmp  files,  key  loaded  in  memory) – This  will  ensue  that  if  an  attacker  can’t  do  catastrophic  damage  if  they  manage  to  gain   access  to  a  server

86. Secure Key Management • Once  we  start  using  encryption  for

     data  storage  and  data   transmission,  the  encryption  keys  need  to  be  safeguarded   against  theft,  accidental  loss • A  secure  key  management  process  will  ensure  that  at  any   point  keys  can  be  revoked  and  reissued

87. Data Insecurity Scenario • Database  is  getting  backed  up  regularly.

    • Due  to  performance  reasons,  database  wasn’t  encrypted   when  initial  backups  were  done.   • Dev  team  moves  to  newer  type  SSDs  and  doesn’t   decommission  older  HDDs.   • Attacker  finds  older  HDD,  does  forensics  for  data  recovery   and  sell  the  data  for  profit.

88. Cloud versus the IT department

89. How  does  being  in   the  cloud  change   the

     traditional  IT   department?

90. How  do  IT   departments   manage  cloud   instances

     &  data?

91. Does  the  company   Info  sec  policy  still   apply?

92. Does  the  Country’s   cyber  laws  still   apply?

93. HOW DO YOU TEST FOR SECURITY? What  are  the  frameworks

    for  testing  cloud? Can  we  follow  some  best  practices  ?

94. Cloud Security Alliance • Security  Guidance  Document • https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf •

    Covers  14  Critical  Area  Domains – Security  As  A  Service  got  added!

95. European Network and Information Security Agency (ENISA) • Cloud  Computing

     Information  Assurance  Framework • http://www.enisa.europa.eu/activities/risk-­‐ management/files/deliverables/cloud-­‐computing-­‐ information-­‐assurance-­‐framework/at_download/fullReport • Covers  15  areas  in  OpSec  &  Identity  &Access  Management

96. Why Infrastructure first? In  all  cases  Cloud  Service  Provider  (CSP)

     takes  care  of  physical   security  and  the  host  operating  system.  So  we  just  need  to   worry  about  the  guest  OS  and  all  the  infrastructure  running   on  it.

97. 5 Pillars of Security in IAAS • Identity  and  Access

     Management • Configuration  and  Patch  Management • Endpoint  and  Network  Protection • Vulnerability  and  Asset  Management • Data  Protection

98. How the CSPs stack up for security? CSP/Security   Feature

    AWS Google   Compute   Engine Microsoft   Azure Rackspace IAM YES YES YES Sort of 2FA  for   Management  Layer Need to   enable Need  to   enable NO NO Network  Isolation YES YES YES YES Virtual Private   Networks YES YES YES YES Firewall YES YES YES YES Centralized  Logs and   Audit  Trail YES NO NO NO Encryption for   Storage YES YES YES Key Management YES YES YES YES Older   Slide  

99. THANK YOU • Akash  Mahajan  |  @makash  |  [email protected]  

    • Appsecco  |  Appsecco.com  |  @appseccouk

100. Attributions • Cloud Image Background from www.perspecsys.com • Virtualization image

     By Qingqing Chen (Own work) [Public domain], via Wikimedia Commons • CPU Usage https://www.wormly.com/help/windows-server/cpu-usage-win32 • Yoga agility By Earl McGehee (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons • Toyota Robot at Toyota Kaikan • AWS Scale on Demand http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-scale-based-on-demand.html • SOA for Cloud Computing http://www.communitydatalink.com/portfolio/cloudservices/ • http://www.rackspace.com/knowledge_center/whitepaper/understanding-the-cloud-computing-stack-saas-paas-iaas • By Sam Joton (wikipedia) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons