Security in the cloud Workshop HSTC 2014

Posted on 11-Jul-2015


Transcript of Security in the cloud Workshop HSTC 2014

Security in the Cloud

Akash Mahajan

Akash Mahajan - Profile

Heard of that Web App Security Guy?

I am the chapter lead for OWASP Bangalore

Co-founded a security community: null

Kick-started an ecosystem for start-ups

Ever attended a Startup Saturday?

Realized that I love to learn about security!

You will not learn anything new today

The interesting part is learning why you won’t learn anything new today

WHAT IS CLOUD COMPUTING?

“Today Internet is Cloud CD Based, if you use Google your docs get stored in cloud, have you ever seen Google software CD? No it’s not here, it’s in the cloud. Called as Cloud CD! When you check, it Cloud gives error because it is raining!!!!”

- Vishwa Bandhu Gupta

Cloud computing is computing in which large groups of remote servers are networked to allow the centralized data storage, and online access to computer services or resources.

- From http://en.wikipedia.org/wiki/Cloud_computing

How is Cloud Computing different from?

Grid computing

Distributed computing

Large Scale Clusters

Elasticity is the degree to which a system is able to adapt to workload changes

How do we get Elasticity?

By provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible.

Autonomic Manner

The system makes decisions on its own, using high-level policies; it will constantly check and optimize its status and automatically adapt itself to changing conditions.

AWS Auto-scale – Example of Elasticity

The tech behind cloud computing is not new

WHAT MAKES UP THE CLOUD COMPUTING STACK?

Virtualization

The main enabling technology for cloud computing

Service Oriented Architecture (SOA)

Breaking of business problems into services that can be integrated

Programmable APIs

Ability to interact with the services offered using programs and the libraries provided

Management Layer

Ability to interact with the services offered using a web based front-end for management & billing

High Speed Networks

All of the above talk to each other using high speed networks

Cloud Computing Stack

Management Layer

Programmable APIs

Service Layer

OS Level Virtualization

OS LEVEL VIRTUALIZATION

What is Virtualization?

It separates a physical computing device into one or more "virtual" devices

OS Level Virtualization

It essentially creates a scalable system of multiple independent computing devices.

OS Level Virtualization

Idle computing resources can be allocated and used more efficiently

Virtualization provides agility

• Speed up IT operations

• Reduces cost by increasing infrastructure utilization

Virtualization provides automation

• Computing automates the process through which the user can provision resources on-demand.

• By minimizing user involvement, automation speeds up the process, reduces labor costs and reduces human errors

SERVICE ORIENTED ARCHITECTURE FOR CLOUD SERVICES

What does SOA contain?

Compute

processor, random access memory

Storage

persistent, redundant, scalable, infinite and cheap

Network

all pervasive, based on TCP/IP, gigabit fast and more

Management

what we use to manage or work with the service

Metrics and Measured Service

billing is like utility services and every service is measurable

PROGRAMMABLE APIS AND MANAGEMENT LAYER

Programmable APIs

Start, stop, pause virtual servers

ec2-run-instances

gcloud compute instances create

Management Layer

Basically a web based control panel

SERVICE MODELS

Cloud Service Models

Software As A Service

Meant for end users to consume a service using applications and data storage

Platform As A Service

Meant for developers to utilize an integrated development platform and framework

Infrastructure As A Service

Basic cloud service building blocks such as server instances, storage and network are provided

DEPLOYMENT MODELS FOR THE CLOUD

Cloud can be in your office too

Deployment Models

• Public

• Private

• Hybrid

Public Cloud

A cloud is called a "public cloud" when the services are rendered over a network that is open for public use.

Private Cloud

Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third-party, and hosted either internally or externally

Hybrid Cloud

Hybrid cloud is a composition of two or more clouds (private, community or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models.

SECURITY IN THE PUBLIC CLOUD

We will restrict our discussion to the security of the public cloud

Shared Sense of Security

Public cloud vendors and customers have a shared sense of security

Shared Responsibility of Security

Public cloud vendors and customers have to share security responsibility

Division of Responsibility

Amazon AWS takes care of

• Physical Security (Nobody should walk away with the server, including Govt.)

• Host OS which runs the virtualization software

• Virtualization Security (Rogue VMs can't harm others)

Amazon AWS takes care of

• Environmental Safeguards (DC is safe to run servers)

• Administrative Controls (Policies and Procedures)

• Certifications and Accreditations (SAS70, SOC1, PCI, ISO27K1)

You take care of

• Guest OS (The Compute instance)

• Application Security (The application on the compute instance)

• Data Security (The data being generated, processed by the application)

• Network security for the guest & applications

• Security Monitoring of Guest OS & applications

A few public cloud vendors

Does Cloud Need Security?

Wrong question to ask; the question should be…

Do we need to worry about our data, our infra, our apps stored in the public cloud?

Our apps in the public cloud

• This applies only to IAAS and PAAS, as in SAAS it is not our application

• An insecure app can expose underlying infrastructure and data to theft, corruption and exposure

Security Testing of Apps

• No different from testing any application for security

• We might require permission to run automated scanners against the app

• Ideal framework to test against is OWASP Top 10 and OWASP Testing Guide

App Insecurity Scenario

• App has a Local File Inclusion bug

• The AWS root credentials are being used

• They are stored in a world readable file on the server

• Attacker reads the credentials and starts multiple large instances to mine bitcoins

• Victim saddled with a massive bill at the end of the month
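A check a defender can run for the world-readable credential file in this scenario, added here as an example that is not part of the slides; the directory layout, file names and key values are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from the slides: audit a directory tree for credential files
# that any local user can read. That is the weakness the LFI scenario above turns
# into an AWS account takeover, and it is cheap to check on every instance.

# usage: find_world_readable_creds <dir>
# Prints each world-readable file that looks like it holds AWS key material.
find_world_readable_creds() {
    # -perm -004: the "other" read bit is set, so an LFI bug running as the
    # web server user can read the file even though it belongs to someone else.
    find "$1" -type f -perm -004 2>/dev/null |
    while IFS= read -r f; do
        # AWS access key IDs start with AKIA; config files name the secret
        # as aws_secret_access_key. Either is enough to flag the file.
        if grep -Eqi 'aws_secret_access_key|AKIA[0-9A-Z]{16}' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree for a stand-alone run (placeholder keys, not real ones).
# On a real host point the function at /, /home or /var/www instead.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app" "$d/home"
    printf 'aws_access_key_id = AKIAEXAMPLEEXAMPLE01\naws_secret_access_key = placeholder-not-a-real-secret\n' \
        > "$d/app/config.ini"
    chmod 644 "$d/app/config.ini"            # world readable: reported
    cp "$d/app/config.ini" "$d/home/credentials"
    chmod 600 "$d/home/credentials"          # owner only: not reported
    printf 'DB_HOST=localhost\n' > "$d/app/env"
    chmod 644 "$d/app/env"                   # world readable but no key: not reported
    printf '%s\n' "$d"
}

DEMO=$(demo_tree)
find_world_readable_creds "$DEMO"            # prints only .../app/config.ini
```

A hit here is a finding even before an LFI bug exists; the IAM best practices later in the deck (no root keys on instances, roles for EC2) remove the file altogether.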

Our infra in the public cloud

• This applies only to IAAS, as in SAAS and PAAS it is not our application or infra

• Infrastructure vulnerabilities can derail any app security in place.

Security Testing of Infra

• No different from testing a server for security

• We may require permission to run automated scanners against the server

• Ideal framework to test against is any Penetration Testing Standard: PTES / OSSTMM

Infra Insecurity Scenario

• MySQL Production database is listening on external port

• Developers work directly on production database and require SQL Management Software

• They log in using the root user of MySQL Database server and a simple password

• Attacker runs a brute force script and cracks the password, gains full access to the database
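Detecting the brute force in this scenario from the MySQL error log, added here as an example that is not from the slides; it assumes the error log records failed logins as "Access denied for user 'u'@'host'" lines, and the log lines below are constructed:

```shell
#!/bin/sh
# Added example, not from the slides: spot the brute force in the scenario above
# from the MySQL error log. Assumes failed logins are logged as
# "Access denied for user 'u'@'host'" lines (MySQL does so when warnings are logged).

# usage: brute_force_sources <error_log> <threshold>
# Prints "user@host count" for every user/host pair with at least <threshold> failures.
brute_force_sources() {
    awk -v thr="$2" -v q="'" '
        BEGIN { re = "for user " q "[^" q "]*" q "@" q "[^" q "]*" q }
        /Access denied for user/ && match($0, re) {
            tok = substr($0, RSTART + 9, RLENGTH - 9)   # the quoted user@host token
            gsub(q, "", tok)                            # strip quotes: root@203.0.113.5
            fails[tok]++
        }
        END { for (k in fails) if (fails[k] >= thr) print k, fails[k] }
    ' "$1" | sort
}

# Constructed error log: five root failures from one host within a minute,
# one failure from another host, and an unrelated startup message.
demo_log() {
    f=$(mktemp)
    for i in 1 2 3 4 5; do
        printf "2014-09-24 10:00:0%s 1234 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)\n" "$i"
    done >> "$f"
    printf "2014-09-24 10:01:12 1234 [Warning] Access denied for user 'app'@'198.51.100.7' (using password: YES)\n" >> "$f"
    printf "2014-09-24 10:01:30 1234 [Note] InnoDB: started; log sequence number 1625977\n" >> "$f"
    printf '%s\n' "$f"
}

LOG=$(demo_log)
brute_force_sources "$LOG" 3        # prints: root@203.0.113.5 5
```

The fix for the scenario itself is to stop MySQL listening on the external interface (bind-address = 127.0.0.1 in my.cnf, with developers reaching it over an SSH tunnel) and to give developers their own accounts instead of root.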

HEARTBLEED – AN ILLUSTRATION OF AN INFRASTRUCTURE VULNERABILITY

Servers (Infra) were leaking sensitive information

What kind of information?

• Session IDs

• Usernames

• Password

• Server Certificate’s Private Keys

CloudFlare hosted a vulnerable server

A security researcher sent 2.5 million requests and got the private keys

What is the big deal about that?

• Private Keys for the SSL certificate can decrypt all past and future traffic

• Private Keys allow for impersonation of that service as well.

• What if some website could pretend to be https://examplebank.com?

Amateur Hour at AWS

• https://opbeat.com/blog/posts/amateur-hour-at-aws/

• Amazon AWS took about 48 hours after everyone knew about Heartbleed to patch its servers and inform its customers

• This caused a lot of heart-ache and pain for its customers

Our data in the public cloud

• This applies to all of PAAS, IAAS and SAAS

• Our data can get leaked, exposed, stolen, held ransom if we don’t take care of making sure it is safe while being used, while being transmitted and while being stored

Verifying Data Security through Testing

• This is a specialized testing requirement. A part of this can be tested by looking at the system and application architecture

• All the places where the data can be written, sent, travel need to be looked at.

• Writing to storage, exposing APIs, backups and even insider threats

Verifying Data uses Encryption

• Data at rest is encrypted

– This will ensure that if an attacker has access to the disk/store, they can’t use the data

• Data in motion is encrypted

– This will ensure that if an attacker can sniff the network traffic they can’t see or tamper with the data

• Data in use (tmp files, key loaded in memory)

– This will ensure that an attacker can’t do catastrophic damage if they manage to gain access to a server

Secure Key Management

• Once we start using encryption for data storage and data transmission, the encryption keys need to be safeguarded against theft and accidental loss

• A secure key management process will ensure that at any point keys can be revoked and reissued

Data Insecurity Scenario

• Database is getting backed up regularly.

• Due to performance reasons, database wasn’t encrypted when initial backups were done.

• Dev team moves to newer type SSDs and doesn’t decommission older HDDs.

• Attacker finds older HDD, does forensics for data recovery and sells the data for profit.

Cloud versus the IT department

How does being in the cloud change the traditional IT department?

How do IT departments manage cloud instances & data?

Does the company Info sec policy still apply?

Do the country’s cyber laws still apply?

How do applications get attacked?

HOW DO YOU TEST FOR SECURITY?

What are the frameworks for testing cloud?

Can we follow some best practices ?

Cloud Security Alliance

• Security Guidance Document

• https://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

• Covers 13 Critical Area Domains

European Network and Information Security Agency (ENISA)

• Cloud Computing Information Assurance Framework

• http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance-framework/at_download/fullReport

• Covers 15 areas in OpSec & Identity & Access Management

Frameworks are great, but

• They are too extensive to be actionable

• They are too generic for real world security

• They provide structure but lack incisive steps that can be taken right now to become secure

10 STEPS TO SECURING A CLOUD DEPLOYMENT (INFRASTRUCTURE)

Why Infrastructure first?

In all cases the Cloud Service Provider (CSP) takes care of physical security and the host operating system. So we just need to worry about the guest OS and all the infrastructure running on it.

AWS and Rackspace Host OS Vuln

24th September 2014

From the Amazon AWS Blog: XEN Hypervisor Security Issues

5 Pillars of Security in IAAS(AWS)

• Identity and Access Management

• Configuration and Patch Management

• Endpoint and Network Protection

• Vulnerability and Asset Management

• Data Protection

How do the CSPs stack up for security?

CSP/Security Feature             | AWS            | Google Compute Engine | Microsoft Azure     | Rackspace
IAM                              | YES            | YES                   | YES                 | Sort of
2FA for Management Layer         | Need to enable | Need to enable        | YES* (Paid Service) | NO
Network Isolation                | YES            | YES                   | YES                 | YES
Virtual Private Networks         | YES            | YES                   | YES                 | YES
Firewall                         | YES            | YES                   | YES                 | YES
Centralized Logs and Audit Trail | YES            | NO                    | YES*                | NO
Encryption for Storage           | YES            | YES                   | YES                 |
Key Management                   | YES            | YES                   | YES                 | YES

* http://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/ and http://t.co/tig66fyu9K - Thanks to @govindk

The 10 steps are

1. Enumerate all the network interfaces

2. List all the running services

3. Harden each service separately based on best practices

4. Secure remote access for server management (SSH, RDP)

5. Check Operating System patch levels

6. Harden the networking parameters of the kernel (Linux specific)

7. Enable a host firewall

8. Do an inventory of all user accounts on the server and audit them

9. Enable centralized logging

10. Enable encryption on disks, storage etc.
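Checks for steps 4 and 6 of the list above, added here as an example rather than the workshop's own demo script; the sshd directives and sysctl keys are assumed hardening targets, and the config samples it reads are constructed:

```shell
#!/bin/sh
# Added example, not the workshop's demo script: audit checks for steps 4 and 6 above.
# Each check reads a file passed as an argument, so it runs on the constructed samples
# below or, on a real host, on /etc/ssh/sshd_config and the output of "sysctl -a".

# Step 4: sshd hardening. Prints one FAIL line per directive that is missing or weak.
audit_sshd() {   # usage: audit_sshd <sshd_config>
    for want in "PermitRootLogin no" "PasswordAuthentication no" "X11Forwarding no"; do
        key=${want%% *}; val=${want#* }
        # first uncommented occurrence wins, as in sshd itself; keywords are case-insensitive
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) && !seen { v = $2; seen = 1 } END { print v }' "$1")
        [ "$got" = "$val" ] || echo "FAIL sshd: $key is '${got:-unset}', want $val"
    done
}

# Step 6: kernel network parameters (Linux). Input lines look like "key = value".
audit_sysctl() {   # usage: audit_sysctl <sysctl_output_or_conf>
    for want in net.ipv4.ip_forward=0 net.ipv4.tcp_syncookies=1 \
                net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.all.accept_redirects=0 \
                net.ipv4.conf.all.accept_source_route=0; do
        key=${want%=*}; val=${want#*=}
        got=$(awk -F= -v k="$key" '{ gsub(/ /, "", $1); gsub(/ /, "", $2) } $1 == k { v = $2 } END { print v }' "$1")
        [ "$got" = "$val" ] || echo "FAIL sysctl: $key is '${got:-unset}', want $val"
    done
}

# Constructed samples that mimic a freshly launched, unhardened instance.
demo_files() {
    d=$(mktemp -d)
    printf 'Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\nX11Forwarding no\n' > "$d/sshd_config"
    printf 'net.ipv4.ip_forward = 1\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.conf.all.rp_filter = 1\n' > "$d/sysctl.txt"
    printf 'net.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.accept_source_route = 0\n' >> "$d/sysctl.txt"
    printf '%s\n' "$d"
}

D=$(demo_files)
audit_sshd "$D/sshd_config"    # 2 FAIL lines: root login allowed, password auth not set
audit_sysctl "$D/sysctl.txt"   # 1 FAIL line: ip_forward is 1
```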

Demo for 10 steps

AWS IAM Best Practices

• Lock away your AWS account access keys

• Create individual IAM users

• Use groups to assign permissions to IAM users

• Grant least privilege

• Configure a strong password policy for your users

• Enable MFA for privileged users

• Use roles for applications that run on Amazon EC2 instances

• Delegate by using roles instead of by sharing credentials

• Rotate credentials regularly

CASE STUDIES

Real world security incidents we can all learn from

Case Study 1

• Company Not following best practices

• Data loss

• Security Incident

• Catastrophic Business Failure

CODESPACES AWS HACK

Case Study 1

Anatomy of the attack

1. Distract by doing DDOS against the target

2. Gain access to the root credentials of AWS

3. All storage devices, hard disks, S3 storage deleted

Company was a hosting company

They went bankrupt due to this and 100s of customers lost all their data

Case Study 2 – Application Security

• Relatively benign bug causes major security hole in the cloud

APPLICATION (IN)SECURITY LOVES XXE

Case Study 2

Application (In)Security & XXE

• Researcher finds that he can inject his own file name and path in AWS EC2

• EC2 uses Auto Scaling

• Auto Scaling requires information to be present on the EC2 instance

• Meta web server allows local HTTP requests to be made, and the server and its credentials are pwned

Case Study 3 – Infrastructure Security

• Un-patched server causes major security breach

INFRASTRUCTURE SECURITY FAIL

Case Study 3

Browser Stack

• Old neglected server, not being used.

• Server is brought up to check something.

• Unpatched server is left running on the Internet without any network protection

• Attacker compromises the server, steals the AWS credentials and manages to email all its customers about how bad the company is

Conclusions

• Security in the cloud is really not very different from regular security

• Same principles and processes apply

• Same tools and techniques apply

• IT folks simply need to understand what is the best way to get the same thing done

Questions?

Contact

Twitter @makash

LinkedIn https://linkd.in/webappsecguy

Email akashmahajan@gmail.com

Attributions

• Cloud Image Background from www.perspecsys.com

• Video of Vishwa Bandhu https://www.youtube.com/watch?v=ApQlMm39xr0

• Virtualization image By Qingqing Chen (Own work) [Public domain], via Wikimedia Commons

• CPU Usage https://www.wormly.com/help/windows-server/cpu-usage-win32

• Yoga agility By Earl McGehee (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

• Toyota Robot at Toyota Kaikan

• AWS Scale on Demand http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-scale-based-on-demand.html

• SOA for Cloud Computing http://www.communitydatalink.com/portfolio/cloudservices/

• http://www.rackspace.com/knowledge_center/whitepaper/understanding-the-cloud-computing-stack-saas-paas-iaas

• By Sam Joton (wikipedia) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

• Big Thanks to @govindk for fixing errors in Slide #96