Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy


Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy. SESSION ID: CSV-W01. Bryan D. Payne, Director of Security Research, Nebula, @bdpsecurity

Cloud Security Today
- Cloud has lots of momentum
- Lots of concerns about security
- What's the real story?

What this talk will cover
- What does it take to secure an IaaS cloud?
- Specific ideas to improve your cloud or select a cloud provider

What this talk will NOT cover
- A cloud comparison
- A one-size-fits-all cloud security cookbook

Talk Outline
- Cloud Introduction (demo!)
- IaaS Architecture Details
- Security Differentiators
- Virtualization Stack Security (demo!)
- Questions & Wrap-up

Cloud Service Models (diagram; today's talk)

Public Cloud
- Users: anyone with a credit card
- Provider: doesn't trust users; doesn't want to violate users' privacy
- Monitoring at network edges
- Fraud prevention
- Network reputation concerns
- Broad compliance concerns

Private Cloud
- Users: part of a common organization
- Provider: trusts users (at some level); has full access to data / workloads
- Security from top to bottom
- Design undergoes great scrutiny
- Enterprise integration
- Targeted compliance concerns

Know Your Neighbors
- Who are your neighbors (other users)?
- Who is your cloud admin / operator / builder?
- Who else has privilege on the cloud? Who should? Who does?

Demo: How Things Can Go Very Wrong

Understanding IaaS Cloud Architectures

User Perspective
- Launch instances
- Take snapshots
- Flexible storage options
- API + web dashboard

Admin / Operator Perspective
- Create & manage users, projects, quotas, etc.
- Configure cloud
- Monitor cloud events, logs, health, etc.
- API + web dashboard

Builder Perspective
- Software engineer & DevOps
- Designs and creates cloud
- Controls security domains
- Many services to set up & manage

Cloud Simplicity (diagram): Compute, Object Storage. Example services from OpenStack.

Individual Services (diagram): Image, Identity, Dashboard, Compute, Object Storage, Network, Volume

Security Domains (diagram: the same services grouped into domains)

Gated Interconnects (diagram: gates placed on the links between domains)

Map Data Paths (diagram: data flows traced across the domains)

Secure design complete... or is it?

Individual Services (diagram): Image, Identity, Dashboard, Compute, Object Storage, Network, Volume

Lots of Glue (diagram): Image, Identity, Dashboard, Billing, Alarming, Compute, Object Storage, DNS, Automation, Network, Metering, Load Balancing, Certificate Authorities, Account Maintenance, Orchestration, Monitoring, Messaging, Volume, Databases

Data Paths (diagram over the same full set of services)

Message Plumbing (diagram over the same full set of services)

Billing Plumbing (diagram over the same full set of services)

Alarm Plumbing (diagram over the same full set of services)

SSL / TLS Plumbing (diagram over the same full set of services)

Under Cloud Admin Plumbing (diagram over the same full set of services)

So Much Plumbing!

OpenStack Security Guide, http://doc.openstack.org/sec/
- Security guidance on deploying OpenStack (IaaS Cloud)
- Written in one week
- Diverse group of authors
- Continued contributions accepted through GitHub

Cloud Security Domains (diagram)
- Domains: External, Guest, Management, Data
- Cloud Users / Administrators reach the API Endpoints and Web Dashboard from the External domain
- Instances run on Compute Nodes in the Guest domain
- Storage Nodes sit in the Data domain
- Management and Control Plane Services, operated by Cloud Operators, sit in the Management domain

Example API Action: Launching an Instance (diagram spanning the External and Management domains). Source: http://docs.openstack.org/training-guides/

Security Challenges in the Cloud
- Audit trails
- Controlling access
- Defense in depth / layered security
- Protecting bridge points
- API Endpoints
- Virtualization Security
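The "map data paths" and "protecting bridge points" steps above can be checked mechanically once the domains and gates are written down. The following is an added example, not code from the talk or from OpenStack: the domain names follow the slide (External, Guest, Management, Data), while the placement of components and the list of declared gates are assumptions made for illustration.

```python
"""Check IaaS data paths against declared security domains and gated bridges (added example)."""

# Which security domain each component lives in: domain names follow the slide,
# the placement of components is assumed for illustration.
DOMAIN_OF = {
    "client": "external",
    "instance": "guest",
    "api_endpoint": "management",
    "dashboard": "management",
    "identity": "management",
    "compute": "management",
    "message_queue": "management",
    "database": "management",
    "volume": "data",
    "object_storage": "data",
}

# Gated interconnects (assumed): the only components allowed to receive traffic
# from another domain, mapped to the source domains each gate accepts.
BRIDGES = {
    "api_endpoint": {"external", "guest"},
    "dashboard": {"external"},
    "volume": {"management"},
    "object_storage": {"management", "guest"},
}


def check_path(path):
    """Return violations for a hop-by-hop data path (empty list means it is clean).

    A hop is fine when it stays inside one domain or when its destination is a
    declared gate that accepts the source domain; anything else is an ungated
    crossing, i.e. a bridge point the design forgot to protect.
    """
    violations = []
    for src, dst in zip(path, path[1:]):
        src_dom, dst_dom = DOMAIN_OF[src], DOMAIN_OF[dst]
        if src_dom != dst_dom and src_dom not in BRIDGES.get(dst, set()):
            violations.append(f"{src} ({src_dom}) -> {dst} ({dst_dom}): ungated crossing")
    return violations


# Launching an instance through the public API: one gated crossing into the
# management domain, internal hops, then a gated crossing into the data domain.
LAUNCH_PATH = ["client", "api_endpoint", "identity", "compute", "message_queue", "volume"]
# A design mistake: a tenant instance talking straight to the message queue.
BAD_PATH = ["instance", "message_queue"]

if __name__ == "__main__":
    for p in (LAUNCH_PATH, BAD_PATH):
        print(p, check_path(p) or "ok")
```

Run the check over every data path from the "Lots of Glue" slide, including billing, alarm and admin plumbing, to find the crossings the original seven-service design never gated.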

Source: http://xkcd.com/908/

Cloud Security Differentiators

Security Certifications
- Necessary, but not sufficient
- Mapping to cloud not always clear
- Not a useful place to differentiate

Threats (chart; source: OpenStack Security Guide)
Threat actors, from high capability / targeted / $$$$ down to low capability / widespread / $:
- Intelligence Services
- Organized Crime
- Highly Capable Groups
- Motivated Individuals
- Script Kiddies
Attack types, roughly in the order shown from the high-capability end to the low-capability end:
- ISP Intercept
- Hypervisor Breakout
- Advanced Persistent Threat
- Complex 0-day Development
- Supply Chain Attack
- Distributed Denial of Service
- Spear Phishing
- Automated Exploitation Tools
- Service Brute Force
- Mass Phishing
- Social Engineering (Employee)

Cloud Attack Vectors and Mitigation Strategies
- API Endpoints: service hardening, mandatory access controls, code audits
- Web Dashboard: HTTPS, HSTS, CSP, allowed referrers, disable HTTP TRACE
- Information Leakage: SSL/TLS, disable memory dedup, random assignments
- VM Breakout: service hardening, mandatory access controls, code audits
- Hardware Sharing: avoid bare metal instances / device pass-through
- Default Images: secure and maintain default images
- Unsecured Instances: user and/or tenant level network isolation for instances
- Secondary Attacks: least privilege, mandatory access controls, strong auth
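The Web Dashboard row above lists five mitigations that can all be verified from the outside. The following is an added example, not code from the talk or from any dashboard project: it audits one captured response plus the status returned to a TRACE request, and shows the exact-origin comparison that an "allowed referrers" check needs. The sample headers and origins are constructed.

```python
"""Check a web dashboard against the slide's mitigations: HTTPS, HSTS, CSP,
allowed referrers and HTTP TRACE disabled (added example; sample data constructed)."""
import re
from urllib.parse import urlsplit

SIX_MONTHS = 180 * 24 * 3600


def header(headers, name):
    """Case-insensitive lookup in a list of (name, value) pairs."""
    return next((v for k, v in headers if k.lower() == name.lower()), None)


def audit_dashboard(scheme, headers, trace_status):
    """Return findings for one GET response plus the status a TRACE request got."""
    findings = []
    if scheme != "https":
        findings.append("served over plain HTTP")
    age = re.search(r"max-age=(\d+)", header(headers, "Strict-Transport-Security") or "")
    if not age or int(age.group(1)) < SIX_MONTHS:
        findings.append("HSTS missing or max-age under six months")
    csp = header(headers, "Content-Security-Policy") or ""
    if "default-src" not in csp:
        findings.append("CSP missing or without default-src")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP permits 'unsafe-inline'")
    if trace_status == 200:          # a hardened server answers 405 or 501
        findings.append("HTTP TRACE is enabled")
    return findings


def referrer_allowed(referer, allowed_origins):
    """Accept a state-changing request only when the Referer origin matches exactly.

    Comparing whole origins avoids the substring bug where 'dash.example' also
    matches 'dash.example.attacker.test'; a missing Referer is rejected too.
    """
    if not referer:
        return False
    p = urlsplit(referer)
    return f"{p.scheme}://{p.netloc}".lower() in allowed_origins


# Constructed sample: mostly right, but TRACE was left enabled.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("strict-transport-security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
]
ALLOWED = {"https://dashboard.example"}
```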

Major Security Considerations
- High level architecture has different security domains
- End to end protection of network traffic
- Protected virtualization stack
- Protected API endpoints
- Ability to update easily
- Physical security at the datacenter

Case Study: TLS in the Cloud (diagram)
- External domain: the client, using the customer-facing SSL certificate
- At the edge between the domains: SSL / TLS termination, load balancing, HTTP header inspection
- Management domain: the backend services, using the internal SSL certificate
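The "HTTP header inspection" box in this case study is where client-supplied headers are decided on before the request is re-encrypted to a backend under the internal certificate. The following is an added example, not code from the talk or from any load balancer: it models that edge rule set and the client-side TLS context for the internal hop. The header lists and the sample request are constructed.

```python
"""Header inspection at the SSL/TLS termination point of the case study (added example)."""
import ssl

# Hop-by-hop headers (RFC 7230 section 6.1) never cross the termination point.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}
# Facts about the edge that the backend trusts; a client must never supply them.
EDGE_OWNED = {"x-forwarded-for", "x-forwarded-proto", "x-forwarded-host", "x-real-ip"}


def inspect_for_backend(client_headers, peer_ip, edge_host):
    """Return (headers_for_backend, dropped_names) for one request from the client side.

    client_headers -- (name, value) pairs as received on the customer-facing TLS socket
    peer_ip        -- the TLS peer address the terminator itself observed
    edge_host      -- the customer-facing host name the request arrived on
    """
    hop = set(HOP_BY_HOP)
    for k, v in client_headers:           # Connection: may list extra hop-by-hop names
        if k.lower() == "connection":
            hop.update(t.strip().lower() for t in v.split(","))
    forwarded, dropped = [], []
    for k, v in client_headers:
        if "\r" in v or "\n" in v:        # CR/LF in a value is header injection: refuse
            raise ValueError(f"bad characters in header {k}")
        if k.lower() in hop or k.lower() in EDGE_OWNED:
            dropped.append(k)
        else:
            forwarded.append((k, v))
    # Only the edge asserts these, after the client-supplied copies are gone.
    forwarded += [("X-Forwarded-For", peer_ip), ("X-Forwarded-Proto", "https"),
                  ("X-Forwarded-Host", edge_host)]
    return forwarded, dropped


def backend_tls_context(internal_ca_file):
    """Client-side context for the re-encrypted hop: trust only the internal CA,
    keep hostname checking on, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=internal_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample: a spoofed X-Forwarded-For and a header the client marked
# hop-by-hop via Connection:, neither of which may reach the backend.
SAMPLE_REQUEST = [
    ("Host", "cloud.example"),
    ("Connection", "keep-alive, X-Debug-Token"),
    ("X-Debug-Token", "must-stop-at-the-edge"),
    ("X-Forwarded-For", "10.0.0.1"),
    ("Authorization", "Bearer <token>"),
]
```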

Case Study: API Endpoint Protection (diagram)
- External domain: Bob and Mallory
- Management domain: Compute, Identity, Storage, Database, Message Queue

Source: http://xkcd.com/424/

Securing the Virtualization Stack

What Is The Security Concern?
- Hypervisors have vulnerabilities
- A VM-breakout is among the worst exploits for cloud
- Breakdown of Hypervisor Vulnerabilities (chart), from Perez-Botero et al., "Characterizing Hypervisor Vulnerabilities in Cloud Computing Servers", in Proceedings of the Workshop on Security in Cloud Computing (SCC), May 2013.

Other Virtualization Considerations
- Bad actors on the control plane
- Hardware emulation, entropy considerations for VM
- Side channel cache attacks

Mitigation Strategies
- Mandatory access controls (KVM+sVirt & Xen+XSM)
- Minimize & harden QEMU software stack
- Runtime monitoring
- Security updates
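Two of the mitigations on these slides, sVirt mandatory access control on KVM and avoiding device pass-through, are visible in a guest's libvirt definition. The following is an added example, not code from the talk or from libvirt: it audits a domain XML for a dynamic sVirt label and for hostdev pass-through. The two domain documents are constructed samples showing only the elements the checks read.

```python
"""Audit a libvirt/KVM guest definition for two mitigations from the slides: sVirt
mandatory access control and no device pass-through (added example; XML constructed)."""
import xml.etree.ElementTree as ET


def audit_domain_xml(xml_text):
    """Return findings for one <domain> definition; an empty list means both checks pass.

    sVirt appears as <seclabel type='dynamic' model='selinux'> (or 'apparmor'), which
    gives each guest's QEMU process its own label so a breakout is confined to that
    guest. <hostdev> hands a physical device to the guest, the hardware-sharing risk
    the attack-vector slide says to avoid. An absent seclabel is flagged because this
    audit reads the explicit definition, not what libvirt may add at start time.
    """
    root = ET.fromstring(xml_text)
    findings = []
    labels = root.findall("seclabel")
    if any(s.get("type") == "none" for s in labels):
        findings.append("seclabel type='none': MAC confinement explicitly disabled")
    elif not any(s.get("model") in ("selinux", "apparmor") and s.get("type") == "dynamic"
                 for s in labels):
        findings.append("no dynamic sVirt seclabel: guests are not individually confined")
    for dev in root.iter("hostdev"):
        findings.append(f"hostdev pass-through of a {dev.get('type')} device")
    return findings


# Constructed sample: confinement switched off and a PCI device passed through.
RISKY_DOMAIN_XML = """<domain type='kvm'>
  <name>tenant-vm-01</name>
  <seclabel type='none'/>
  <devices>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source><address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/></source>
    </hostdev>
  </devices>
</domain>"""

# Same guest with dynamic sVirt labelling and emulated devices only.
HARDENED_DOMAIN_XML = """<domain type='kvm'>
  <name>tenant-vm-01</name>
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
  <devices/>
</domain>"""

if __name__ == "__main__":
    for xml in (RISKY_DOMAIN_XML, HARDENED_DOMAIN_XML):
        print(audit_domain_xml(xml) or "ok")
```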

Demo: Layered Security Mitigates Attacks

Questions

Time For Action

Your Next Steps
Securing your own cloud:
- Identify security controls?
- Threat model?
- Security-driven architecture?
- Can you audit everything?
Evaluating a 3rd party cloud:
- Who has privilege?

Bryan D. Payne, http://www.bryanpayne.org