Cloud Security: There's a Storm Coming

Cloud Security: There's a Storm Coming May 19th, 2015 11:00AM Mark Stanislav Sr. Security Consultant Rapid7

Transcript of Cloud Security: There's a Storm Coming


Presentation will be available at: www.misti.com/download (the download password is available in your Show Guide)

…and their APIs, SDKs, services, networks, storage, employees, customers, data centers…

Slide 4

■  The first ~10 years of Cloud Computing were mostly spent understanding what the ecosystem could, and should, look like for everyone from end users to large enterprises

■  A lot of details had to be sorted out:

◆  What hypervisors do we use? What should APIs look like?

◆  How do you scale regions, but prevent cascading failures?

◆  Which types of compliance audits can we still pass?

◆  How do we segment data stores and encrypt properly?

◆  Who are the industry leaders and who are the followers?

◆  What cloud-based companies will be darlings or deadbeats?

◆  Which cloud breaches and stories will define those years?

Security Maturity is More Than Breach Stats

Slide 5

Published in 2009, covering EC2 instance mapping, side-channel attacks, and co-residency attacks.

An “Early” Paper That I Still Love

Slide 6

■  There are absolutely vulnerabilities being found and research being cultivated around attacks against hypervisors and other low-level technology powering cloud deployments

■  Much like all computing, one big deal is having a cloud provider who has the technical capabilities and dedication to security to efficiently patch their underlying architecture

Highly Complex Attacks? Eh, Not So Much…

Slide 7

So What’s Really Going Wrong Then?

Slide 8

Authentication Security

■  Using an Internet-facing service, with all of your “eggs in one basket,” only being protected by a password? Hmm…

■  Cloud computing is, in my opinion, the biggest reason two-factor authentication adoption has accelerated so dramatically

■  AWS, Azure, Linode, Rackspace, Heroku, GCE, Joyent, and more have some form of auth security beyond only a password

#shameless Check out https://twofactorauth.org

Slide 9

Two-Factor is Not Just a “Nice to Have”

2FA Deployments for Web Services

* Through June, 2014

Slide 10

Password Reuse, Anyone?

Slide 11

Access Control Security

■  How much access does a given user or API key have?

◆  Create sub accounts that have limited console access

◆  API keys should be per application, only needed privileges

◆  Leverage standards like SAML and XACML

◆  Define roles and implement RBAC either natively or custom

■  Auditability is often forgotten about

◆  When did they login? Where from? What did they do?

■  Oh, and, don’t LEAK YOUR KEYS AND CREDENTIALS! :)

Slide 12

An All-Too-Common Story

Sanitize your code repositories and your machine images before posting publicly!

Scanning for sensitive data is trivial with a script or manually
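An added example of the kind of script the slide has in mind, not code from the talk: a scanner that walks a checkout or an unpacked image and reports where credential-shaped material sits. The AKIA + 16 character form is AWS's documented access key ID format; the secret-key and password patterns are heuristics chosen for this example, and the sample file uses the placeholder keys from AWS's own documentation.

```python
import os
import re
from typing import List, Tuple

# Patterns for material that commonly leaks in repositories and machine images.
# The AKIA form is AWS's documented access key ID format; the rest are heuristics
# picked for this example and will need tuning for a real code base.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,4}['\"]?[A-Za-z0-9/+=]{40}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"]{6,}"),
}

def scan_text(text: str, name: str = "<input>") -> List[Tuple[str, int, str]]:
    """Return (file, line_no, pattern_name) for every line that matches a pattern.
    Only the location is reported so the scan output does not re-leak the secret."""
    hits: List[Tuple[str, int, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern_name, regex in PATTERNS.items():
            if regex.search(line):
                hits.append((name, line_no, pattern_name))
    return hits

def scan_tree(root: str, skip_dirs=(".git", "node_modules")) -> List[Tuple[str, int, str]]:
    """Walk a checkout or an unpacked image and scan every readable file."""
    hits: List[Tuple[str, int, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits.extend(scan_text(fh.read(), path))
            except OSError:
                continue  # unreadable files are skipped, not fatal
    return hits

# Constructed sample: the AWS values are the placeholder keys from AWS's own
# documentation, not real credentials.
SAMPLE_CREDENTIALS = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = 'hunter2hunter2'
"""
```

Run `scan_tree(".")` from the root of a repository before pushing it; the same regexes work on a mounted image's filesystem.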

Slide 13

It’s Not All For “Hacking” Either

DoS, Piracy, Spam, Proxies, & Malware Hosting

Slide 14

Don’t Worry, Providers Screw it Up, too!

Think about how easy it would be to backdoor a community image…

Slide 15

There’s Always the Front Door

■  Cloud security is still predicated on the software (web apps, underlying services, custom middleware, APIs, etc.)

◆  A single vulnerability could provide access to all user data and instances if the provider doesn’t segment properly

■  Ever wonder if your cloud provider’s administrative interfaces are Internet-facing or able to be accessed via client networks?

Slide 16

Defense in Depth is the ONLY Plan

■  Remember that part about being able to patch efficiently?

◆  “Released less than a week ago,” is not an inspiring excuse

■  There will always be 0-day, how are you preparing for it?

Slide 17

■  A single *aaS can involve numerous ways to read/write data:

◆  Web consoles, APIs, SDKs, mobile applications, and more!

◆  If you add a security feature, it should apply to ALL ways

■  Not convinced? Consider Apple’s security of iCloud…

◆  “CelebrityGate” exposed how weak Apple’s coverage of user data was, even when using their advanced features

A Security Control is All or Nothing

Slide 18

Heartbleed: It Could Have Been WAY Worse

Slide 19

Reacting to Heartbleed… Sort of?

Slack – April 2014

Slack – March 2015

Slide 20

So What’s This “There’s a Storm Coming” Thing?

You Are Here

The First Ten Years of Cloud Computing

The Next Ten Years of Cloud Computing

We’re in the eye of the storm. Shocked? :)

Slide 21

The Next 10 Years of Cloud Security

■  Figure out how to actually add security to all of these new container technologies everyone is deploying without concern

◆  $150M in funding to Docker, $20M to CoreOS == security?

■  See the mass adoption of two-factor authentication across all cloud computing vendors (those that will survive, anyways…)

◆  Salesforce just bought the two-factor platform Toopher

■  Watch as the “Internet of Things” rises, backed by *aaS solutions, and wait intently for the first major breach to occur

◆  All of the problems of early cloud but with big risks at hand

Slide 22

Docker: The Golden Child of 2015 Cloud

Slide 23

A Glimpse into the Internet of Things

…and this is just one device…

Slide 24

■  IoT has to collapse for platforms, services, and hardware to allow for “the dream” to be realized – but this is a huge risk

◆  Imagine if IFTTT or any similar service was compromised, how much access one attacker would have to people’s lives

What Do I Worry About With Cloud + IoT?

Slide 25

“If Only Cloud Providers Would…”

Microsoft Azure Security

Slide 26

“If Only Cloud Providers Would…”

Amazon Web Services

Slide 27

Some SaaS Providers Get it Right, Too

Github

■  Two Factor

■  Sessions

■  Audit History

■  Notifications

■  Revoke Tokens

■  SSH Fingerprints

Slide 28

IaaS Security - CloudPassage

Slide 29

SaaS Security – Duo Security

Slide 30

API Security - apigee

Slide 31

Don’t Forget F/OSS Options

Slide 32

■  Just because you can use a cloud service doesn’t mean you should use it – an easy sign-up doesn’t excuse losing data

◆  If your organization wants to go 100% cloud, that’s fine, just understand that you are taking risks that you likely didn’t have before, or weren’t as likely to come true

◆  Build a proper data retention policy, clean up objects you don’t need anymore, create off-line data backups still

◆  Encrypt-before-cloud if you can; otherwise segment data well, separate privileges as much as you are able, and please audit :)

■  Every bad employee password or reused password could be the end of your entire company (remember Code Spaces?)

◆  Two-factor authentication or you’re just being neglectful

Cloud Security Housekeeping Notes

Slide 33

Data Deletion? Maybe! Be Careful.

Deletion may not, uh, delete data.

Slide 34

■  Virtual Private Cloud (VPC) is the default these days

◆  If it doesn’t need a public IP, don’t you dare give it one

■  Ingress & egress firewalls, network-level AND host-based

■  Just say no to community AMIs; vendor-provided or custom!

■  If an API call allows you to set transparent encryption: do it

◆  Start leveraging the new Key Management Service (KMS)

■  Create Identity and Access Management (IAM) for roles

◆  Super-user privilege should be granted at the user level

◆  Require two-factor authentication for all remote users

■  Enable logging for as much as you can handle, it may matter

Some Tips for Secure IaaS (AWS-focused)
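The "per application, only needed privileges" point from the Access Control slide and the IAM and MFA tips above, as an added example that is not from the talk: a small linter over IAM policy documents that flags wildcard actions and resources and privileged actions that are not gated on an MFA condition. The bucket name, account ID and the set of "privileged" services are assumptions made for this example; the policy keys and the `aws:MultiFactorAuthPresent` condition are standard IAM.

```python
from typing import Any, Dict, List

# Services an unattended key or MFA-less session should not reach (a choice for this example).
PRIVILEGED_SERVICES = {"iam", "kms", "sts", "organizations"}

# Constructed example: the "do everything" policy that often ends up on an application's API key.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed per-application alternative: one bucket, only the calls the app makes, and the
# single IAM self-service action gated on MFA (bucket name and account ID are placeholders).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
        {"Effect": "Allow", "Action": "iam:ChangePassword",
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

def _as_list(value: Any) -> List[Any]:
    # IAM accepts a string or a list for Statement/Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def _mfa_required(stmt: Dict[str, Any]) -> bool:
    # Only the strict "Bool" test counts: "BoolIfExists" also passes when the key is
    # absent (as it is for access-key API calls), so it would not gate anything here.
    cond = stmt.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"

def audit_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings for Allow statements broader than a per-application key should need."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [str(a) for a in _as_list(stmt.get("Action", []))]
        resources = [str(r) for r in _as_list(stmt.get("Resource", []))]
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource for {actions}")
        privileged = [a for a in actions if a == "*" or a.split(":", 1)[0].lower() in PRIVILEGED_SERVICES]
        if privileged and not _mfa_required(stmt):
            findings.append(f"statement {i}: privileged action {privileged} without MFA condition")
    return findings
```

Some IAM actions legitimately require `"Resource": "*"`, so treat that finding as a prompt to check, not an automatic failure.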

Slide 35

Some Tips for Secure SaaS

■  Consider using SAML to tie your SaaS applications into the organization’s existing authentication backend and for SSO

◆  Okta, OneLogin, etc. then provide “portal” access to SaaS

■  Provide solutions to employees before they provide their own

◆  Controlling SaaS is hard… don’t make employees stray!

■  Yep, two-factor authentication for all business services

◆  This includes social media, HR, sales, marketing, etc.

■  If the service allows, create policies for valid IP/geo ranges

◆  This may buy you time, help act as an early alert, etc.

■  Tie these services into your SIEM and actually review reports

◆  Unfortunately, very few SaaS applications do this natively
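The "valid IP ranges" and "tie into your SIEM" points above, as an added example rather than anything from the talk: a review pass over exported login events that alerts on successful logins from outside the allowed ranges and on a success that follows a burst of failures. The log format, the office network and the failure threshold are all constructed for this example; real SaaS audit exports differ per vendor.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed login log in a simple key=value form (timestamp, user, source IP, result).
SAMPLE_LOG = """\
2015-05-19T11:00:01Z user=alice ip=198.51.100.23 result=success
2015-05-19T11:00:09Z user=bob ip=203.0.113.7 result=failure
2015-05-19T11:00:12Z user=bob ip=203.0.113.7 result=failure
2015-05-19T11:00:15Z user=bob ip=203.0.113.7 result=failure
2015-05-19T11:00:20Z user=bob ip=203.0.113.7 result=success
2015-05-19T11:05:44Z user=carol ip=198.51.100.88 result=success
"""

# Constructed "valid ranges" policy: the office egress network only.
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")

def analyze(log_text: str, allowed: Iterable, fail_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (user, ip, reason) alerts worth a human's attention in the SIEM."""
    networks = list(allowed)  # ip_network objects, v4 or v6
    failures: Dict[Tuple[str, str], int] = defaultdict(int)  # consecutive failures per user+IP
    alerts: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unexpected lines are skipped, not trusted
        user, raw_ip, result = m["user"], m["ip"], m["result"]
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            alerts.append((user, raw_ip, "unparseable source address"))
            continue
        key = (user, raw_ip)
        if result != "success":
            failures[key] += 1
            continue
        if not any(ip in net for net in networks):
            alerts.append((user, raw_ip, "login from outside allowed ranges"))
        if failures[key] >= fail_threshold:
            alerts.append((user, raw_ip, f"success after {failures[key]} failures"))
        failures[key] = 0  # a success closes the failure streak
    return alerts
```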

THANK YOU!

Mark Stanislav

[email protected]

Please Remember To Fill Out Your Session Evaluation Forms!