Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security In The Cloud

Security In The Cloud

A non-technical look at what security means in the cloud. With case studies and explanation around IAAS, PAAS and SAAS

Akash Mahajan

May 14, 2016
Tweet

More Decks by Akash Mahajan

Other Decks in Technology

Transcript

  1. You  will  not  learn  anything  new  today The  interesting  part

     is  learning  why  you   won’t  learn  anything  new  today
  2. Malicious Insider deleted data on AWS • All  data  was

     on  EBS  disks • Once  client  realised  that  there  was  an  issue • Server  was  replicated  and  the  original  server  left  untouched • The  EBS  disk  from  original  server  was  replicated  and   mounted  in  a  new  instance
  3. Forensic Process • Focus  on  data  recovery  for  logs/history •

    ISO  created  from  mounted  disk • Using  TSK  tools  created  strings  from  ISO • Able  to  find  fairly  large  extract  of  text  from  audit  logs  of  one   of  the  server • The  log  snippet  contained  the  user  who  logged  in  and  ran   delete  commands
  4. Platform & App using IAAS AWS • Configuration  pretty  strong

    • No  way  to  reach the  ports  unless  IP  whitelisted • Application  Security  Issues  found
  5. How did we test? 1. Whitelisted  our  IP  in  security

     groups 2. Able  to  see  ports  and  the  application Discovered  there  was  an  internal  enterprise  mobile   application  connecting  to  a  certain  port  which  was  open  to   all  without  any  authn and  authz
  6. Application (In)Security & XXE • Researcher  finds  that,  he  can

     inject  his  own  file  name  and   path  in  AWS  EC2 • EC2 uses  Auto  Scaling • Auto  Scaling  requires  information  to  be  present  on  the  EC2 instance • Meta  Web  Server  allows  local  HTTP  Requests  to  be  made   and  server  and  its  credentials  are  pwned
  7. BrowserStack Hack • Old  neglected  server,  not  being  used. •

    Server  is  brought  up  to  check  something.   • Un  patched  server  is  left  running  on  the  Internet  without   any  network  protection • Attacker  compromises  the  server,  steals  the  AWS   credentials  and  manages  to  email  all  its  customers,  how  bad   the  company  is
  8. AWS and Rackspace Host OS Vuln From  the  Amazon  AWS

     Blog XEN  Hypervisor  Security  Issues
  9. What does this mean? • Security  in  the  cloud  is

     really  not  very  different  from  regular   security • Same  principles  and  processes  apply • Same  tools  and  techniques  apply • IT  folks  need  to  simply  understand  what  is  the  best  way  to   get  the  same  thing  done
  10. Where we are headed? • External  Pen  tests  on  

    infra • External  VA/PT  on   applications   • OS  Configuration   Audits • Architecture  Review • Testing  Firewalls   • DOS  Testing • Identity  &  Access   Managment
  11. Cloud  computing is  computing  in  which  large   groups  of

     remote  servers  are networked to   allow  the  centralized  data  storage,  and   online  access  to  computer  services  or   resources. -­‐ From  http://en.wikipedia.org/wiki/Cloud_computing
  12. How  is  Cloud  Computing    different From? Grid  computing  

    Distributed  computing Large  Scale  Clusters  
  13. How do we get Elasticity? by  provisioning  and  de-­‐provisioning  resources

     in  an   autonomic manner,  such  that  at  each  point  in  time  the   available  resources  match  the   current  demand  as  closely  as  possible.
  14. Autonomic Manner The  system  makes  decisions  on  its  own,  using

     high-­‐ level  policies;  it  will  constantly  check  and  optimize  its   status  and  automatically  adapt  itself  to  changing   conditions.
  15. Programmable   APIs Ability  to  interact  with  the  services  offered

     using   programs  and  the  libraries  provided
  16. Management   Layer Ability  to  interact  with  the  services  offered

     using  a web  based  front-­‐end  for  management  &  billing
  17. High  Speed Networks All  of  the  above  talk  to  each

     other  using   high  speed  networks
  18. OS Level Virtualization It  essentially  creates  a  scalable   system

     of  multiple independent computing devices.  
  19. Virtualization provides agility • Speed  up  IT  operations • Reduces

     cost  by   increasing   infrastructure utilization  
  20. Virtualization provides automation • Computing  automates  the  process  through  which

     the  user   can  provision  resourceson-­‐demand.   • By  minimizing  user  involvement,  automation  speeds up  the   process,  reduces  labor  costs  and  reduces  human  errors
  21. Software As A Service Meant  for  end  users  to  consume

     a  service  using  applications   and  data  storage
  22. Platform As A Service Meant  for  developers  to  utilize  an

     integrated  development   platform  and  framework
  23. Infrastructure As A Service Basic  Cloud  Service  building  blocks  are

     given  like  server   instance,  storage  and  network
  24. Public Cloud A  cloud  is  called  a  "public  cloud"  when

     the  services  are   rendered  over  a  network  that  is  open  for  public  use.
  25. Private Cloud Private  cloud  is  cloud  infrastructure  operated  solely  for

     a   single  organization,  whether  managed  internally  or  by  a   third-­‐party,  and  hosted  either  internally  or  externally
  26. Hybrid Cloud Hybrid  cloud  is  a  composition  of  two  or

     more  clouds  (private,   community  or  public)  that  remain  distinct  entities  but  are   bound  together,  offering  the  benefits  of  multiple   deployment  models.  
  27. SECURITY IN THE PUBLIC CLOUD We  will  restrict  our  discussion

     about  the  security  of  the  public  cloud
  28. Shared   Responsibility  of   security Public  cloud  vendors  and

     customers  have  to  share   security  responsibility
  29. IAAS CSP takes care of • Physical  Security  (Nobody  should

     walk  away  with  the  server   including  Govt.) • Host  OS  which  runs  the  virtualization  software • Virtualization  Security  (Rogue  VMs  can't  harm  others)
  30. IAAS CSP takes care of • Environmental  Safeguards  (DC  is

     safe  to  run  servers) • Administrative  Controls  (Policies  and  Procedures) • Certifications  and  Accreditations  (SAS70,  SOC1,  PCI,   ISO27K1)
  31. You take care of • Guest  OS  (The  Compute  instance)

    • Application  Security  (The  application  on  the  compute   instance) • Data  Security  (The  data  being  generated,  processed  by  the   application) • Network  security  for  the  guest  &  applications • Security  Monitoring  of  Guest  OS  &  applications
  32. Do  we  need  to   worry  about  our   data,

     our  infra,  our   apps stored  in  the   public  cloud?
  33. Our apps in the public cloud • This  applies  only

     to  IAAS  and  PAAS  as  in  SAAS  it  is  not  our   application • An  in  secure  app  can  expose  underlying  infrastructure  and   data  to  theft,  corruption  and  exposure
  34. Security Testing of Apps • No  different  from  testing  any

     application  for  security • We  might  require  permission  to  run  automated  scanners   against  the  app • Ideal  framework  to  test  against  is  OWASP  Top  10  and   OWASP  Testing  Guide
  35. App Insecurity Scenario • App  has  a  Local  File  Inclusion

     bug • The  AWS  root  credentials  are  being  used • They  are  stored  in  a  world  readable  file  on  the  server • Attacker  reads  the  credentials  and  starts  multiple  large   instances  to  mine  bitcoins • Victim  saddled  with  a  massive  bill  at  the  end  of  the  month
  36. Our infra in the public cloud • This  applies  only

     to  IAAS  as  in  SAAS  and  PAAS  it  is  not  our   application  or  infra • Infrastructure  vulnerabilities  can  derail  any  app  security  in   place.  
  37. Security Testing of Infra • No  different  from  testing  server

     for  security • We  may  require  permission  to  run  automated  scanners   against  the  server • Ideal  framework  to  test  against  is  any  Penetration  Testing   Standard  PTES  /  OSSTMM
  38. Infra Insecurity Scenario • MySQL  Production  database  is  listening  on

     external  port • Developers  work  directly  on  production  database  and  require  SQL   Management  Software • They  log  in  using  the  root  user  of  MySQL  Database  server  and  a  simple   password   • Attacker  runs  a  brute  force  script  and  cracks  the  password,  gains  full   access  to  the  database
  39. Our data in the public cloud • This  applies  only

     all  PAAS,  IAAS  and  SAAS • Our  data  can  get  leaked,  exposed,  stolen,  held  ransom  if  we   don’t  take  care  of  making  sure  it  is  safe  while  being  used,   while  being  transmitted  and  while  being  stored
  40. Verifying Data Security through Testing • This  is  a  specialized

     testing  requirement.  A  part  of  this  can  be   tested  by  looking  at  the  system  and  application  architecture • All  the  places  where  the  data  can  be  written,  sent,  travel  need   to  be  looked  at.   • Writing  to  storage,  exposing  APIs,  backups  and  even  insider   threats
  41. Verifying Data uses Encryption • Data  at  rest  is  encrypted

    – This  will  ensure  that  if  an  attacker  has  access  to  the  disk/store,  they  can’t  use  the  data • Data  in  motion  is  encrypted – This  will  ensure  that  if  an  attacker  can  sniff  the  network  traffic  they  can’t  see  &tamper  the   data • Data  in  use  (tmp  files,  key  loaded  in  memory) – This  will  ensue  that  if  an  attacker  can’t  do  catastrophic  damage  if  they  manage  to  gain   access  to  a  server
  42. Secure Key Management • Once  we  start  using  encryption  for

     data  storage  and  data   transmission,  the  encryption  keys  need  to  be  safeguarded   against  theft,  accidental  loss • A  secure  key  management  process  will  ensure  that  at  any   point  keys  can  be  revoked  and  reissued
  43. Data Insecurity Scenario • Database  is  getting  backed  up  regularly.

    • Due  to  performance  reasons,  database  wasn’t  encrypted   when  initial  backups  were  done.   • Dev  team  moves  to  newer  type  SSDs  and  doesn’t   decommission  older  HDDs.   • Attacker  finds  older  HDD,  does  forensics  for  data  recovery   and  sell  the  data  for  profit.
  44. How  does  being  in   the  cloud  change   the

     traditional  IT   department?
  45. HOW DO YOU TEST FOR SECURITY? What  are  the  frameworks

    for  testing  cloud? Can  we  follow  some  best  practices  ?
  46. Cloud Security Alliance • Security  Guidance  Document • https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf •

    Covers  14  Critical  Area  Domains – Security  As  A  Service  got  added!
  47. European Network and Information Security Agency (ENISA) • Cloud  Computing

     Information  Assurance  Framework • http://www.enisa.europa.eu/activities/risk-­‐ management/files/deliverables/cloud-­‐computing-­‐ information-­‐assurance-­‐framework/at_download/fullReport • Covers  15  areas  in  OpSec  &  Identity  &Access  Management
  48. Why Infrastructure first? In  all  cases  Cloud  Service  Provider  (CSP)

     takes  care  of  physical   security  and  the  host  operating  system.  So  we  just  need  to   worry  about  the  guest  OS  and  all  the  infrastructure  running   on  it.
  49. 5 Pillars of Security in IAAS • Identity  and  Access

     Management • Configuration  and  Patch  Management • Endpoint  and  Network  Protection • Vulnerability  and  Asset  Management • Data  Protection
  50. How the CSPs stack up for security? CSP/Security   Feature

    AWS Google   Compute   Engine Microsoft   Azure Rackspace IAM YES YES YES Sort of 2FA  for   Management  Layer Need to   enable Need  to   enable NO NO Network  Isolation YES YES YES YES Virtual Private   Networks YES YES YES YES Firewall YES YES YES YES Centralized  Logs and   Audit  Trail YES NO NO NO Encryption for   Storage YES YES YES Key Management YES YES YES YES Older   Slide  
  51. THANK YOU • Akash  Mahajan  |  @makash  |  [email protected]  

    • Appsecco  |  Appsecco.com  |  @appseccouk
  52. Attributions • Cloud Image Background from www.perspecsys.com • Virtualization image

    By Qingqing Chen (Own work) [Public domain], via Wikimedia Commons • CPU Usage https://www.wormly.com/help/windows-server/cpu-usage-win32 • Yoga agility By Earl McGehee (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons • Toyota Robot at Toyota Kaikan • AWS Scale on Demand http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-scale-based-on-demand.html • SOA for Cloud Computing http://www.communitydatalink.com/portfolio/cloudservices/ • http://www.rackspace.com/knowledge_center/whitepaper/understanding-the-cloud-computing-stack-saas-paas-iaas • By Sam Joton (wikipedia) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons