#RSAC
CLOUD SECURITY ESSENTIALS 2.0: CRAWL. WALK. RUN.
Javier Godinez, Principal DevSecOps Architect, Intuit
Shannon Lietz, Director, DevSecOps & Security Engineering, Intuit, @devsecops
Slide 2
IN THE CLOUD, EVERYTHING IS CODE...
Slide 3
Uh… where do these go?
Slide 4
EOL JUST HAPPENS...
http://donsmaps.com/images22/mutta1200.jpg
Slide 5
Let’s switch some things around…
[Diagram: data-center concepts rearranged alongside their cloud counterparts: Network, Servers, Virtualization, Operations, Platforms, Buyer Identifier, Cloud Account(s), Virtual IP Addresses, Containerization, Appliances, Storage, Security Features, Applications, Ephemeral Instances, Scale on Demand, IaaS/PaaS/SaaS, Resource Testing, Built-In Security, Long-Term Contracts, Partner Marketplaces, Slow-ish Decisions, Experiments]
Slide 6
The Basic Cloud Model
[Diagram: the Cloud Provider Network (Backbone, Cloud Platform (Orchestration), Network / Compute / Storage) reached over the Internet; inside it, Cloud Account(s) offering Load Balancers, Compute Instances, VPCs, Block Storage, Object Storage, Relational Databases, NoSQL Databases, Containers, Content Acceleration, Messaging, Email, Utilities, Key Management, API/Templates and Certificate Management, alongside a Partner Platform]
Slide 7
Reality…
[Diagram: the Internet connecting several Cloud Provider Networks and several Data Centers at once]
Slide 8
CLOUD IS GREAT!
https://www.flickr.com/photos/comedynose
Slide 9
Developers have lots of options…
Slide 10
And Attackers also have lots of options…
Slide 11
UH... WE’RE NOT IN {KANSAS} ANYMORE
Slide 12
DevOps brings mega-change!
This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry.
http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security
… And maybe that’s a good thing!
Slide 13
Top 5 Cloud Security Principles 2.0
The Cloud is not a Datacenter.
Reduce blast radius; play the odds.
Encryption is inconvenient.
Speed & Ease is both Friend & Foe.
Protection is ideal; Detection is a must!
Slide 14
EVERY COMPANY HAS SOMETHING IN THE CLOUD... THERE’S REALLY NO WAY OUT.
Slide 15
The Cloud is not a Datacenter.
Slide 16
VPNs that connect to Clouds are evil!
[Diagram: a Data Center (public subnet, app, database) joined by a VPN to a Cloud Provider Network (public subnet, app, database), while the Cloud Web Console and API Credentials remain reachable separately; VPN variants shown: Remote Access, Private, Software VPN, Managed VPN; callouts: “10.0.0.0/8 Connected & Routable?”, “No IDS? What do you mean the IP could change?”, “Tags? Security Groups? SDE?”]
“NEW” BOUNDARY HAS ALL THE WEAKNESSES OF BOTH AND MIXES TWO DIFFERENT SECURITY MODELS!
Slide 17
Host-Based Controls
Shared Responsibility and Cloud require host-based controls.
Instrumentation is everything!
Fine-grained controls require more scrutiny and bigger big data analysis.
[Diagram: instances inside the Cloud Provider Network, instrumented with test results (Tested machine image… Tested instances... Tested roles... Tested passwords...) and audit events (New instance created… Instance 12345 changed… User ABC accessed Instance 12345...)]
Slide 18
Lights out…
Lights out datacenters have always been a desired nirvana.
Automation is required to stack and replace cloud workloads.
Cloud security benefits are derived from lights out…
Automation & Instrumentation
Ephemeral Bastions
Drift Management
Security Testing
[Diagram: a Bastion and instances inside the Cloud Provider Network, instrumented with test results (Tested machine image… Tested instances... Tested roles... Tested passwords...) and audit events (New instance created… Instance 12345 changed… User ABC accessed Instance 12345...)]
Slide 19
Long live APIs…
Everything in the cloud should be an API, even Security…
Protocols that are not cloudy should not span across environments.
If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it:
Messaging
Databases
File Transfers
Logging
[Diagram: the same instrumented Cloud Provider Network, with “My API” placed in front of User Routing, Data Replication, Application Gateway, File Transfers, Log Sharing and Messaging]
Slide 20
IT’S GOING TO BE A BLAST!
https://www.flickr.com/photos/mountainbread
Slide 21
Blast Radius is a real thing…
R.I.P.
Slide 22
Beware of Orchestrators…
Orchestration creates blast radius because it centralizes the deployment/security for cloud workloads.
Tools that act on your behalf usually require credentials and create blind spots.
Non-native tools require specialized skills and make it difficult to gain context on what the right behavior should be.
[Diagram: a Cloud Orchestration Platform holding the secrets for cloud accounts A, B and C inside the Cloud Provider Network; caption: What’s normal?]
Slide 23
Account Sharding is a new control!
Splitting cloud workloads into many accounts has a benefit.
Accounts should contain less than 100% of a cloud workload.
Works well with APIs; works dismally with forklifts.
What is your appetite for risk?
[Diagram: Cloud Workload Templates deployed 33% / 33% / 33% across three cloud accounts in the Cloud Provider Network, with an attacker shown against one account]
Slide 24
MFA is a MUST!
Passwords don’t work.
Passwords aren’t enough to protect infrastructure.
Use MFA to protect User accounts and API credentials used by Humans.
On some cloud platforms it is possible to make roles work only when MFA is provided and for certain actions to require MFA.
[Image: MFA token displaying 123456]
Implement cloud template…
API Credentials accepted...
Please input your MFA token: XXXXXX (123456)
Cloud stack 123 has been implemented.
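The role-level MFA requirement described on this slide, as an added example that is not part of the deck: an AWS-style policy (the deck names AWS services, so the real AWS condition key aws:MultiFactorAuthPresent and the Bool operator are used here as an assumption about the platform) in which read-only actions are always allowed but destructive actions are allowed only when the caller authenticated with MFA. The evaluator beside it is a teaching model that handles only Allow statements with Bool conditions, not the provider's policy engine; it shows why a request carrying no MFA context fails the destructive-action statement while reads still succeed.

```python
"""Added example (not from the deck): an IAM-style policy in which read-only
actions are always allowed but destructive actions are allowed only when the
caller authenticated with MFA, plus a small evaluator that models how a Bool
condition on that key behaves.

Assumptions: AWS-style policy JSON; the condition key
aws:MultiFactorAuthPresent and the Bool operator are real AWS IAM features,
but the evaluator below is a teaching model that handles only Allow
statements with Bool conditions, not the provider's engine.
"""
import json
from typing import Dict, List

# Constructed policy document.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadAlways",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*",
        },
        {
            "Sid": "DestroyOnlyWithMfa",
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances", "cloudformation:DeleteStack"],
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
}


def action_matches(pattern: str, action: str) -> bool:
    """Match an action against a policy action pattern; only a trailing '*' wildcard is modelled."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def condition_holds(condition: Dict[str, Dict[str, str]], context: Dict[str, object]) -> bool:
    """Evaluate a Condition block. Only the Bool operator is modelled.

    A key that is absent from the request context makes the Bool clause
    false: that is what denies a request carrying no MFA information.
    """
    for operator, clauses in condition.items():
        if operator != "Bool":
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy: dict, action: str, context: Dict[str, object]) -> bool:
    """Default deny: allowed only if an Allow statement names the action and its
    condition holds. Explicit Deny statements are not modelled here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions: List[str] = stmt["Action"]
        if not any(action_matches(p, action) for p in actions):
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for ctx in ({}, {"aws:MultiFactorAuthPresent": "false"}, {"aws:MultiFactorAuthPresent": "true"}):
        print(ctx, "-> terminate allowed:", is_allowed(POLICY, "ec2:TerminateInstances", ctx))
```

One caveat when carrying this to a real AWS policy: for requests signed with long-term access keys the key is absent rather than false, so an explicit Deny written as Bool false would not match them; AWS documents the BoolIfExists operator for that deny pattern. The model above covers the Allow side only.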
Slide 25
Cloud Disaster Recovery is a different animal…
Regional recovery is not enough to cover security woes.
Security events can quickly escalate to disasters.
Got a disaster recovery team?
Multi-Account strategies with separation of duties can help.
Don’t hard code if you can help it.
Encryption is inconvenient, but necessary…
[Diagram: Cloud Workload Templates split 50% / 50% across two cloud accounts in the Cloud Provider Network, with Disaster Templates ready to stand up a further 50% in separate cloud accounts]
Slide 26
BEGINENCRYPTED TRANSMISSION...
https://www.flickr.com/photos/ideonexus
Slide 27
Encryption is a necessary evil…
It helps with Safe Harbor.
It helps with SQL Injection.
It helps with Data Ownership.
It helps with Privacy.
It’s not a silver bullet…
[Diagram: three cloud accounts in the Cloud Provider Network; an instance running an App with a DB and Disk, a Managed Service, and Secrets Management backed by Key Management & Encryption]
Slide 28
So much inconvenience
It can limit scale and it may narrow design options.
Scalable Key Management is really hard in the cloud.
Inconvenience commonly comes from blue/green changes, dynamic environment & sharing secrets for auto-scale.
[Diagram: one Secrets Management service feeding a dozen instances, each with its own Disk, plus paired APP and DB tiers across two cloud accounts; caption: Phew, I’m exhausted]
Slide 29
Overcoming Inconvenience
Use built-in transparent encryption when possible.
Use native cloud key management and encryption when available.
Develop backup strategies for keys and secrets.
Apply App Level Encryption to help with SQL Injection and preserving Safe Harbor.
Use APIs to exchange data and rotate encryption.
[Diagram: three cloud accounts in the Cloud Provider Network; an instance running an App with a DB and Disk, a Managed Service, and Secrets Management backed by Key Management & Encryption]
Slide 30
FRIEND AND FOE...
https://www.flickr.com/photos/sreybhtiek
Slide 31
Speed & Ease can create problems…
Overloaded terms like “Policy” can cause confusion for DevOps and Security teams.
Applying broad controls to narrow problems can create gaps.
Security reviews are too slow…
Mistakes can and do happen!!
Security scanners and testing tools are not yet available for solving these speed & ease challenges.
[Diagram: DevOps and Security each holding a 433-page document (“Cloud Security Policies” versus “Security as Code”, open at page 3 of 433) and asking “How do I? Did you mean? What is?”]
Sigh… It’s like we aren’t speaking the same language…
Slide 32
Mixed modes don’t work
Forklifts are not a good idea because the original controls operate differently in the cloud.
Systems designed for waterfall don’t have an easy path to achieve agile.
Fragile applications in the cloud are easy pickings for attackers!
MAN – THIS SHELL IS HEAVY!
Slide 33
Code can solve the divide
Paper-resident policies do not stand up to constant cloud evolution and lessons learned.
Translation from paper to code can lead to mistakes.
Traditional security policies do not 1:1 translate to Full Stack deployments.
[Diagram: Data Center policies (Lock your doors, Badge in, Authorized personnel only, Background checks) next to Cloud Provider Network policies (Choose strong passwords, Use MFA, Rotate API credentials, Cross-account access), the latter expressed as “Everything as Code”, page 3 of 433]
Slide 34
Speed & Ease can increase security!
Fast remediation can remove an attack path quickly.
Resolution can be achieved in minutes compared to months in a datacenter environment.
Continuous Delivery has an advantage of being able to publish over an attacker.
Built-in forensic snapshots and blue/green publishing can allow for systems to be recovered while an investigation takes place.
[Diagram: an attacked APP/DB stack is snapshotted for forensics while a fresh APP/DB stack is published as the recovered system]
Slide 35
EYES & EARS ...
https://www.flickr.com/photos/waltstoneburner
Slide 36
Shift controls & mindset
[Diagram: Security Monitoring]
Slide 37
Cloud Security is a Big Data Challenge…
DevOps + Security is the biggest big data challenge ahead.
Use Attack Models and choose the right Data Sources to discover attacks in near real-time.
Develop a scientific approach to help DevOps teams get the security feedback loop they have been looking for.
• Web Access Logs
• Java Instrumentation
• Proxy Logs
• DNS Logs
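This slide's advice to pick an attack model first and then the data source that reveals it, as an added example that is not part of the deck: one attack model (a client probing for hidden or admin paths) mapped to one of the data sources listed (web access logs), with a sliding-window detector run over constructed combined-format log lines. The IP addresses, paths and timestamps are invented for the example, and the thresholds are assumptions to be tuned against real traffic.

```python
"""Added example (not from the deck): one attack model mapped to one data
source and run over constructed web access log lines.

Attack model: a client probing for hidden/admin paths (forced browsing).
Data source:  web access logs (combined log format).
Signal:       one client producing many 404s across many distinct paths
              inside a short window.
Every IP address, path and timestamp below is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

SAMPLE_LOG = """\
10.1.1.5 - - [10/Mar/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.1.1.5 - - [10/Mar/2016:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:03 +0000] "GET /admin HTTP/1.1" 404 512 "-" "curl/7.47"
203.0.113.7 - - [10/Mar/2016:10:00:03 +0000] "GET /phpmyadmin HTTP/1.1" 404 512 "-" "curl/7.47"
203.0.113.7 - - [10/Mar/2016:10:00:04 +0000] "GET /.git/config HTTP/1.1" 404 512 "-" "curl/7.47"
203.0.113.7 - - [10/Mar/2016:10:00:04 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "curl/7.47"
203.0.113.7 - - [10/Mar/2016:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/7.47"
10.1.1.9 - - [10/Mar/2016:10:00:06 +0000] "GET /missing-page HTTP/1.1" 404 512 "-" "Mozilla/5.0"
10.1.1.9 - - [10/Mar/2016:10:03:06 +0000] "GET /missing-page HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_path_scanners(lines: Iterable[str], window: timedelta = timedelta(seconds=60),
                         min_404: int = 4, min_distinct: int = 4) -> Dict[str, Tuple[int, int]]:
    """Return {client_ip: (404s_in_window, distinct_paths_in_window)} for clients
    whose densest window meets both thresholds. Repeated 404s on a single path
    (a broken link) do not trigger; many different paths in a short span do."""
    hits = defaultdict(list)  # ip -> [(timestamp, path)] for 404 responses only
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] == 404:
            hits[rec["ip"]].append((rec["ts"], rec["path"]))

    alerts: Dict[str, Tuple[int, int]] = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            distinct = len({path for _, path in span})
            if len(span) >= min_404 and distinct >= min_distinct:
                alerts[ip] = max(alerts.get(ip, (0, 0)), (len(span), distinct))
    return alerts


if __name__ == "__main__":
    for ip, (n, d) in detect_path_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {n} x 404 over {d} distinct paths within 60s")
```

The same shape (parse, bucket by principal, slide a window, compare to a threshold) is what you would point at DNS or proxy logs for a different attack model; only the field extraction and the signal change.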
Slide 38
Cloud Security Feedback Loop
[Diagram: cloud accounts (S3, Glacier, EC2, CloudTrail) feed ingestion and threat intel into security tools & data, which feed security science, which feeds security insights back to the teams; caption: SPEED MATTERS]
Slide 39
THE OPTIONS ARE ENDLESS...
https://www.flickr.com/photos/atomicbartbeans
Slide 40
Safe experimentation is critical…
Test possible solutions, arrive at Good Enough.
Crawl-Walk-Run plans can save your org from large-scale incidents.
Keep up with Lessons Learned!
Slide 41
10 DAYS
Don’t Hug Your Instances…
Research suggests that you should replace your instances at least every 10 days, and that may not be often enough.
Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.
Make sure to keep a snapshot for forensic and compliance purposes.
Use config management automation to make changes part of the stack.
Refresh routinely; refresh often!
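The refresh rule on this slide (replace instances at least every 10 days, snapshot before you do, bake changes into the stack) together with the drift-management point from the “Lights out” slide, as an added example that is not part of the deck: a planner that flags instances that are too old or no longer match the currently tested machine image, and emits a snapshot, launch, terminate sequence per instance. The inventory, image ids, instance ids and timestamps are constructed; a real fleet would be read from the provider's API and the plan handed to the deployment automation, and nothing here calls a cloud API.

```python
"""Added example (not from the deck): a refresh planner for the 'replace
instances at least every 10 days' rule that also catches instances which
have drifted from the currently tested machine image.

Assumptions: the inventory, image ids, instance ids and timestamps are all
constructed; a real fleet would be read from the cloud provider's API and
the plan handed to the deployment automation. No cloud API is called.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

MAX_AGE = timedelta(days=10)          # the deck's "at least every 10 days"
TESTED_IMAGE = "ami-tested-0003"      # constructed id of the image that passed testing
NOW = datetime(2016, 3, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility


@dataclass(frozen=True)
class Instance:
    instance_id: str
    image_id: str
    launched_at: datetime


# Constructed inventory covering the interesting cases.
FLEET: List[Instance] = [
    Instance("i-0001", "ami-tested-0003", NOW - timedelta(days=2)),   # fresh, current image
    Instance("i-0002", "ami-tested-0003", NOW - timedelta(days=10)),  # exactly at the limit
    Instance("i-0003", "ami-tested-0003", NOW - timedelta(days=11)),  # past the limit
    Instance("i-0004", "ami-tested-0002", NOW - timedelta(days=1)),   # fresh, but stale image
    Instance("i-0005", "ami-unknown", NOW - timedelta(days=30)),      # old and unknown image
]


def refresh_reasons(inst: Instance, now: datetime = NOW,
                    tested_image: str = TESTED_IMAGE,
                    max_age: timedelta = MAX_AGE) -> List[str]:
    """Why this instance must be replaced; an empty list means keep it."""
    reasons = []
    if now - inst.launched_at >= max_age:   # "at least every 10 days": day 10 is due
        reasons.append("age")
    if inst.image_id != tested_image:       # drift from the tested baseline
        reasons.append("image-drift")
    return reasons


def instances_due(fleet: List[Instance], now: datetime = NOW,
                  tested_image: str = TESTED_IMAGE,
                  max_age: timedelta = MAX_AGE) -> Dict[str, List[str]]:
    """Map instance id -> reasons, for every instance that needs replacing."""
    due: Dict[str, List[str]] = {}
    for inst in fleet:
        reasons = refresh_reasons(inst, now, tested_image, max_age)
        if reasons:
            due[inst.instance_id] = reasons
    return due


def refresh_plan(fleet: List[Instance], now: datetime = NOW,
                 tested_image: str = TESTED_IMAGE,
                 max_age: timedelta = MAX_AGE) -> List[Tuple[str, str]]:
    """Per due instance: snapshot first, so forensic and compliance evidence
    survives the replacement; launch the replacement from the tested image
    (blue/green); only then terminate the old instance."""
    plan: List[Tuple[str, str]] = []
    for inst_id in instances_due(fleet, now, tested_image, max_age):
        plan += [("snapshot", inst_id), ("launch", tested_image), ("terminate", inst_id)]
    return plan


if __name__ == "__main__":
    for inst_id, why in instances_due(FLEET).items():
        print(inst_id, "->", ", ".join(why))
    for step in refresh_plan(FLEET):
        print(step)
```

Running this on a schedule, with the tested image id taken from the pipeline that produced it, turns the 10-day rule and the drift check into one routine job rather than a manual audit.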
Slide 42
Use Cloud Native Security Features...
Cloud native security features are designed to be cloudy.
Audit is a primary need!
Configuration and baseline checks baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle.
Be deliberate about how to use built-in security controls and who has access.
Slide 43
Security as Code… gotta do it.
Slide 44
Apply what you learned today…
Next week you should:
Understand how your organization is or plans to use cloud providers
Identify cloud workloads and virtual blast radius within your organization
In the first 3 months following this presentation you should:
Begin to build Security as Code skills and run cloud security experiments to understand the issues
Develop Crawl-Walk-Run plans to help your organization build security into cloud workloads
Within 6 months you should:
Cloud workloads have been instrumented for known security issues and flagged during the Continuous Delivery of software to the cloud
Your group has begun to test using Red Team methods and automation to ensure end-to-end security for your cloud workloads
Remediation happens in hours to days as a result of automation
Slide 45
Get Involved & Join the Community
devsecops.org
@devsecops on Twitter
DevSecOps on LinkedIn
DevSecOps on Github
RuggedSoftware.org
Compliance at Velocity
Join Us!!! Spread the word!!!