Cloud security 2.0: Joko nyt pilveen voi luottaa?

Size: px

Start display at page:

Download "Cloud security 2.0: Joko nyt pilveen voi luottaa?"

Allyson Wilson
6 years ago
Views:

1 Cloud security 2.0: Joko nyt pilveen voi luottaa?

2 Helsinki 2 Teemu Lehtonen Senior Cloud architect, Security teemu.lehtonen@nordcloud.com Nordcloud Finland Fredrikinkatu 63 a C Helsinki Finland

3 Cloud security fundamentals Case AWS

4 Security In the Cloud Environment Security is a shared responsibility Cloud Provider is responsible for the security OF the cloud YOU are responsible for the security IN the cloud

Target: You - Facilities - Physical Security - Physical Infrastructure - Network Infrastructure - Virtualization Infrastructure - End-points - Operating System - Applications -

5 Target: You - Facilities - Physical Security - Physical Infrastructure - Network Infrastructure - Virtualization Infrastructure - End-points - Operating System - Applications - Security Groups - Identity and access controls - Network ACLs - Network Configuration - Account Management - Service Security Features - Incident & Risk management -. Secure Compliant Workloads

6 Reality: 10 AWS Security mistakes 1. Not protecting AWS Secret / Access keys (Identity & Access Management) 2. Not managing remote access (VPC) 3. Not using AWS WAF 4. Not having AWS asset management strategy (AWS Config, VPC) 5. Not enabling and using CloudTrail (CloudTrail and CloudWatch) 6. Not protecting secrets (KMS, Identity & Access Management, Dev Tools) 7. Not using least privilege permissions (Identity & Access Management) 8. Not running hardened AWS Images (Inspector) Keeping images up to date! 9. Ignoring vulnerability scanning (Inspector) Also Cloud account! (Trusted Advisor) 10.Using AWS root account for access (Identity & Access Management)

7 Securing the cloud approaches: Copy Cloud On Advisory premises Cloud Automation Mixed Managed Cloud-Native Cloud Copy Independent, the existing on-premises controls to the cloud as is industry leading - Follow traditional advice RMIAS to model shape your - cloud Same products strategy. as in on-premises - Integration needed to On-Premises - Follow Vendor best practises to secure the Cloud Infra itself Partially copied and partially Migration transformed and cloud - Add implementation agility and automation to RMIAS enabling you to fully - Mix of products used for securing use cloud the capabilities. Applications and Cloud Infra - Integration to On- Premises needed -Flexible Cloud native services Security products where keeping your cloud possible available, - Fully transformed optimised, and - Agility secure and Automation all everywhere times. - Infrastructure as code - Can Report as own entity

8 Security In the Cloud Environment Approach recommendations: Utilize Provider Segregation to Your Advantage Automate, including naming conventions!

9 Security in the Cloud Case AWS

10 Key AWS tools around security Identity & Access Management AWS Trusted Advisor AWS CloudWatch AWS VPC AWS Elastic Load Balancing Amazon Inspector AWS Key Management Service AWS Directory Services AWS CloudTrail AWS Config AWS Service Catalog AWS Cloud Formation

-Pros: Drive MB not Lada -Cons: Varying nativity Nordcloud Partners - Cloud

11 More tools 11 Marketplace -Cloud versions of the respective onpremises tools -Cloud native tools -Pre-hardened Images -Examples: - Anti-Malware - VPN -Pros: Drive MB not Lada -Cons: Varying nativity Nordcloud Partners - Cloud Native Anti Malware - Cloud Infra security assessment - Web Application Security

12 Identity & Access Management 12 What Market Why Place Where -Central Identity & Access management tool for Cloud Account - Integrated to Services - Grouping of resources - Grouping of Accesses - Grouping of Identities - Delegation & Federation -Not recommended for your application or Servers! - For Security & Compliancy - DataCenter access control - Auditing -For segregation - Organization - Roles -For Integration - Existing RBAC - 3rd parties - Everywhere! - Central Access Control -Multi Account Delegation - DR account integration - Managed Service RBAC - Service provider

13 Identity & Access Management Example 13 Create another AWS account for DR purposes Copy CloudTrail and Backups to the DR account for fast recovery Infrastructure as code either backed up or outside Production account Can be automated, costs only the storing App DR Data Cloud Trail Snap Shots DR Data Cloud Trail Snap Shots DBs RBAC DBs DB Front App App DR Backups

14 CloudTrail 14 What Market Why Place Where -Automatic logging tool of Cloud Infra - All Methods - All Services - All Regions - Central repository - Encrypted if needed - For Security & Compliancy - Datacenter access log -For Performance - Auto Scaling -For Auditing - Automate audit data collection - Everywhere! - Security Operations - Application optimization - Performance -Together with Cloud Watch - Automation

15 Cloudtrail example 15 { "Records": [{ "eventversion": "1.0", "useridentity": { "type": "IAMUser", "principalid": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam:: :user/bob", "accountid": " ", "accesskeyid": "EXAMPLE_KEY_ID", "username": "Alice" }, "requestparameters": { "instancesset": { "items": [{ "instanceid": "i-ebeaf123" }] }, "force": false }, Who requested What was requested "eventtime": " T21:01:59Z", "eventsource": "ec2.amazonaws.com", "eventname": "StopInstances", "awsregion": "eu-west-1", "sourceipaddress": " ", "useragent": "ec2-api-tools ", The Response "responseelements": { "instancesset": { "items": [{ "instanceid": "i-ebeaf123", "currentstate": { "code": 64, "name": "starting" }, "previousstate": { "code": 16, "name": "stopped" } When and where requested

16 CloudWatch 16 What Why Where -Real time monitoring tool - AWS resources - Your Servers - Your Applications - Collect & monitor: - metrics - logs - Alarms / Control - Outside - Automation -For Security & Compliancy - Automatic log Analysis -For Performance management - Scaling -Enable monitoring of anything with log files -For Auditing - Proof of mitigations - Digest log Data - Everywhere! - Security Operations - Application optimization - Performance - You name it! - Install log agents! -Together with SNS and SQS - Automation

17 CloudWatch Example 17 Install CloudWatch Log Agent to push logs from your Web server Create filter patterns on source basis: OS logs vs. Application logs vs. Audit logs CloudWatch App OS Web Custom Metrics App DB Front App RBAC Log Streams

18 Virtual Private Cloud: VPC 18 What Market Why Place Where -Virtual Data Centers - Isolated multi-tiered networks - Isolated gateways - Collection of Security groups ~ FW - Collection of NACLs - Collections of Services -Architecture building block - Segregation tool - within application - within organization -Availability tool - multi zone architecture - multi region architecture - For Applications - For Testing -For Development -For Security & Management

19 Virtual Private Cloud: VPC 19 Production VPC Peering Security & Management RDS m APP WEB AD/DNS HBSS AD/DNS WSUS/Patch Management IAM CloudTrail Logs RDS s APP WEB SNMP - Log - NTP KMS Vulnerability Scanner CloudTrail Bastion 01 Bastion 02 End Users Internet

20 Key Management Service 20 What Market Why Place Where -Managed Two-tier encryption Service - Separate master key - unique data keys - Cost & AWS Integration -Compliancy needs like PCI -Stricter Internal requirements - Encrypt master images - Databases -Big Data -CloudTrail - Key rotation -Encrypt Data at Rest

21 Bringing tools together: Embedded Security 21 SSL & Encryption at rest Private Subnets Production Load Balancing with WAF (CF) Hardened images for each server type with RBAC security groups VPC Peering AD/DNS Security & Management AD/DNS Separate Management VPC IAM Fixed Content RDS m APP WEB HBSS WSUS/Patch Management CloudTrail Logs Logging CloudWatch RDS s APP WEB SNMP - Log - NTP Vulnerability Scanner KMS CloudTrail RDS snapshots ACLs and IAM policies for Static data access control Database Security groups NACLs associated with multiple subnets Web subnets with own route tables End Users Internet Bastion 01 VPN Bastion 02 Multi Factor Authentication RBAC

22 Cloud Security opportunities: Auditing

CloudWatch CloudWatch Application Alarms

23 Auditing in the cloud: Cloud Level 23 IAM IAM SAML KMS CloudTrail Logs CloudTrail CloudTrail Lambda CloudWatch CloudWatch Application Alarms Application Alarms & Audit Alarms Audit Account Audit Targets

24 Auditing and tools in the cloud: Application Level IAM SAML IAM SAML CloudWatch Audit and security logs Inspector KMS Application logs CloudTrail CloudWatch Config Rules Lambda: Fight back Fight Back Actions WAF Security Groups SoC Account Application account

25 Cloud Security opportunities: Backups

26 Backups IAM SAML IAM SAML KMS Recovery test Lambdas Sender Lambdas (Restore requests) Instances Stacks Objects & Logs Databases Lambdas RPO & RTO in resource tags! Instance Snapshots Stacks Objects & Logs DB Snapshots Retrieve Lambdas Instance Snapshots Stacks Objects & Logs DB Snapshots Backup Account Application account

27 Cloud Security opportunities: How not to Patch

28 How not to patch APP Builders Stack Updater Hardened Base AMIs Ami Builder Application AMIs Approval Prod Dev Stage Stacks RDS m RDS s APP APP WEB WEB Logs Update Checker

29 How not to patch: Details AMIs 3000 lines CloudFormation 300 Lines Python for Builder 200 Lines Python for Checker

30 WE ARE NORDCLOUD #TheCloudRevolution

Detecting Credential Compromise in AWS

Detecting Credential Compromise in AWS William Bengtson Senior Security Engineer, Netflix Credential compromise is an important concern for anyone operating in the cloud. The concerns become more widespread