Post on 24-Jan-2017
transcript
CLOUD SECURITY ESSENTIALS 2.0
CRAWL. WALK. RUN.
Javier GodinezPrincipal DevSecOps Architect
Intuit
Shannon LIetz
Director, DevSecOps & Security Eng
Intuit
@devsecops
A Throwaway
Deck for R
SA
5
Let’s switch some things around…Data Center
NetworkServers
Virtualization
Operations
Platforms
Buyer IdentifierCloud Account(s)
Virtual IP AddressesContainerization
Appliances
Storage
Security Features
ApplicationsEphemeral Instances
Scale on DemandIAAS, PAAS, SAAS
Resource TestingBuilt-In Security
Long-Term Contracts Partner Marketplaces
Slow-ish Decisions
Experiments
6
The Basic Cloud Model
Clou
d Pr
ovid
er N
etw
ork
Backbone
Backbone
Cloud Platform (Orchestration)
Network Compute Storage
Internet
Clou
d Ac
coun
t(s)
Load Balancers
ComputeInstances
VPCs
Block Storage
Object Storage
RelationalDatabases
NoSQLDatabases
Containers
ContentAcceleration
Messaging Email
Utilities
Key Management
API/Templates
Certificate Management
PartnerPlatform
7
Reality…Internet
Clou
d Pr
ovid
er N
etw
ork
Clou
d Pr
ovid
er N
etw
ork
Clou
d Pr
ovid
er N
etw
ork
Clou
d Pr
ovid
er N
etw
ork
Data
Cen
ter
Data
Cen
ter
Clou
d Pr
ovid
er N
etw
ork
12
This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry.
DevOps brings mega-change!
http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security
… And maybe that’s a good thing!
13
Top 5 Cloud Security Principles 2.0• The Cloud is not a Datacenter.• Reduce blast radius; play the odds.• Encryption is inconvenient.• Speed & Ease is both Friend & Foe.• Protection is ideal; Detection is a must!
16
Direct Connections/VPNs to Clouds are evil!
Clou
d Pr
ovid
er N
etw
ork
Data
Cen
ter
PUBLIC SUBNET
APP
DATABASEDATABASE
APP
PUBLIC SUBNET
VPN
Cloud Web ConsoleAPI Credentials
“NEW” BOUNDARY HAS ALL THE WEAKNESSES OF BOTH AND MIXES TWO DIFFERENT SECURITY MODELS!
Remote Access
PRIVATE
SOFTWARE VPN
MANAGED VPN
10.0.0.0/8Connected & Routable?
No IDS?What do you mean the IP could change?
Tags? Security Groups? SDE?
17
Host-Based Controls• Shared Responsibility and
Cloud require host-based controls.• Instrumentation is
everything!• Fine-grained controls
require more scrutiny and bigger big data analysis.
Clou
d Pr
ovid
er N
etw
ork
InstanceInstance
Tested machine image…Tested instances...Tested roles...Tested passwords...
New instance created…Instance 12345 changed…User ABC accessed Instance 12345...
B
18
Lights out…• Lights out datacenters have always
been a desired nirvana.• Automation is required to stack
and replace cloud workloads.• Cloud security benefits are derived
from lights out…• Automation & Instrumentation• Ephemeral Bastions• Drift Management• Security Testing
Tested machine image…Tested instances...Tested roles...Tested passwords...
New instance created…Instance 12345 changed…User ABC accessed Instance 12345...
B
Clou
d Pr
ovid
er N
etw
ork
Bastion Instance Instance
19
Long live APIs…• Everything in the cloud should be
an API, even Security…• Protocols that are not cloudy should
not span across environments.• If you wouldn’t put it on the
Internet then you should put an API and Authentication in front of it:• Messaging• Databases• File Transfers• Logging
Clou
d Pr
ovid
er N
etw
ork
Tested machine image…Tested instances...Tested roles...Tested passwords...
New instance created…Instance 12345 changed…User ABC accessed Instance 12345...
B
User Routing
Data Replication
ApplicationGateway
File Transfers
Log Sharing
Messaging
My API
22
Beware of Orchestrators…• Orchestration creates blast radius
because it centralizes the deployment/security for cloud workloads.
• Tools that act on behalf usually require credentials and create blindspots.
• Non-native tools require specialized skills and make it difficult to gain context on what the right behavior should be.
Cloud Orchestration Platform
Clou
d Pr
ovid
er N
etw
ork
A B C
Clou
d Ac
coun
t
Clou
d Ac
coun
t
Clou
d Ac
coun
t
secrets
What’s normal?
23
Account Sharding is a new control!• Splitting cloud workloads into
many accounts has a benefit.• Accounts should contain less
than 100% of a cloud workload.• Works well with APIs; works
dismal with forklifts.• What is your appetite for
risk?Cloud
WorkloadTemplates
Clou
d Pr
ovid
er N
etw
ork
33 % 33 % 33 %
Clou
d Ac
coun
t
Clou
d Ac
coun
t
Clou
d Ac
coun
t
attacker
24
MFA is a MUST!• Passwords don’t work.• Passwords aren’t enough to
protect infrastructure.• Use MFA to protect User
accounts and API credentials used by Humans.
• On some cloud platforms it is possible to make roles work only when MFA is provided and for certain actions to require MFA.
123456
Implement cloud template…API Credentials accepted...Please input your MFA token:XXXXXX (123456)Cloud stack 123 has been implemented.
25
50 %
Cloud Disaster Recovery is a different animal…• Regional recovery is not enough
to cover security woes.• Security events can quickly
escalate to disasters.• Got a disaster recovery team?• Multi-Account strategies with
separation of duties can help.• Don’t hard code if you can help it.• Encryption is inconvenient, but
necessary…
Cloud WorkloadTemplates
Clou
d Pr
ovid
er N
etw
ork
50 % 50 %
Clou
d Ac
coun
t
Clou
d Ac
coun
t
DisasterTemplates
50 %
Clou
d Ac
coun
ts
27
Encryption is a necessary evil…• It helps with Safe Harbor.• It helps with SQL Injection.• It helps with Data
Ownership.• It helps with Privacy.
It’s not a silver bullet…
Clou
d Pr
ovid
er N
etw
ork
Clou
d Ac
coun
t
Clou
d Ac
coun
t
Clou
d Ac
coun
t
Instance
Secrets Management
Key Management & Encryption
App
DBDisk
ManagedService
28
So much inconvenience• It can limit scale and it may
narrow design options.• Scalable Key Management is
really hard in the cloud.• Inconvenience commonly
comes from blue/green changes, dynamic environment & sharing secrets for auto-scale.
Instance
Secrets Management
Disk
Instance
Disk
Instance
Disk
Instance
Disk
Instance
Disk
Instance
Disk
Instance
Disk
Instance
Disk
Instance
Disk
Instance
Disk
Instance
Disk
APP APP
DB DB
Clou
d Ac
coun
t
Clou
d Ac
coun
t
Phew I’m exhausted
29
Overcoming Inconvenience• Use built-in transparent
encryption when possible.• Use native cloud key management
and encryption when available.• Develop back up strategies for
keys and secrets.• Apply App Level Encryption to
help with SQL Injection and preserving Safe Harbor.
• Use APIs to exchange data and rotate encryption.
Clou
d Pr
ovid
er N
etw
ork
Clou
d Ac
coun
t
Clou
d Ac
coun
t
Clou
d Ac
coun
t
Instance
Secrets Management
Key Management & Encryption
App
DBDisk
ManagedService
31
Speed & Ease can create problems…• Overloaded terms like “Policy” can
cause confusion for DevOps and Security teams.
• Applying broad controls to narrow problems can create gaps.
• Security reviews are too slow…• Mistakes can and do happen!!• Security scanners and testing tools
are not yet available for solving these speed & ease challenges.
DEVOPS SECURITY
CLOUD SECURITY POLICIESSECURITY AS CODE
Page 3 of 433
How do I?Did you mean?What is?
Sigh…It’s like we aren’t speaking the same language…
32
Mixed modes don’t work• Forklifts are not a good
idea because the original controls operate different.• Systems designed for
waterfall don’t have an easy path to achieve agile.• Fragile applications in the
cloud are easy pickings for attackers! MAN – THIS SHELL IS HEAVY!
33
Code can solve the divide• Paper-resident policies do
not stand up to constant cloud evolution and lessons learned.• Translation from paper to
code can lead to mistakes.• Traditional security policies
do not 1:1 translate to Full Stack deployments.
Data
Cen
ter
Clou
d Pr
ovid
er
Net
wor
k
• LOCK YOUR DOORS• BADGE IN• AUTHORIZED PERSONNEL ONLY• BACKGROUND CHECKS
• CHOOSE STRONG PASSWORDS• USE MFA• ROTATE API CREDENTIALS• CROSS-ACCOUNT ACCESS
EVERYTHING AS CODE
Page 3 of 433
34
Speed & Ease can increase security!• Fast remediation can remove attack
path quickly.• Resolution can be achieved in
minutes compared to months in a datacenter environment.
• Continuous Delivery has an advantage of being able to publish over an attacker.
• Built-in forensic snapshots and blue/green publishing can allow for systems to be recovered while an investigation takes place.
APP APP
DB DB
APP
DB
ATTACKED FORENSICSRECOVERED
37
Cloud Security is a Big Data Challenge…• DevOps + Security is the biggest
big data challenge ahead.• Use Attack Models and choose
the right Data Sources to discover attacks in near real-time.
• Develop a scientific approach to help DevOps teams get the security feedback loop they have been looking for.
• Web Access Logs• Java Instrumentation• Proxy Logs• DNS Logs
38
Cloud Security Feedback Loop
insightssecuritysciencesecurity
tools & data
Cloud accounts
S3
Glacier
EC2
CloudTrail
ingestion
threat intel
SPEED MATTERS
40
Safe experimentation is critical…• Test possible solutions,
arrive at Good Enough.• Crawl-Walk-Run plans
can save your org from large-scale incidents.• Keep up with Lessons
Learned!
41
10 DAYS
Don’t Hug Your Instances…• Research suggests that you should
replace your instances at least every 10 days, and that may not be often enough.
• Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.
• Make sure to keep a snapshot for forensic and compliance purposes.
• Use config management automation to make changes part of the stack.
• Refresh routinely; refresh often!
42
Use Cloud Native Security Features...• Cloud native security features are
designed to be cloudy.• Audit is a primary need!• Configuration and baseline checks
baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle.
• Be deliberate about how to use built-in security controls and who has access.
44
Apply what you learned today…• Next week you should:• Understand how your organization is or plans to use cloud providers• Identify cloud workloads and virtual blast radius within your organization
• In the first 3 months following this presentation you should:• Begin to build Security as Code skills and run cloud security experiments to understand
the issues• Develop Crawl-Walk-Run plans to help your organization build security into cloud
workloads• Within 6 months you should:
• Cloud workloads have been instrumented for known security issues and flagged during the Continuous Delivery of software to the cloud
• Your group has begun to test using Red Team methods and automation to ensure end-to-end security for your cloud workloads
• Remediation happens in hours to days as a result of automation