Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
Your responsibility in Cloud Security
Nihat Guven PurpleBox, Inc.
PurpleBox, Inc www.prplbx.com
+1 (770) 421-5808
PurpleBox, Inc. Marketing - Cloud - Security ©2016 All Rights Reserved
Agenda
• Cloud Computing Overview
• Shared Responsibility Model
• Customer’s responsibility and best practices for:
• Identity and Access Management
• Data Security / Encryption
• Backup and Recovery
• OS security and patching
• Network Security
Cloud Computing - NIST Definition
A service delivery model that includes the following essential characteristics:
On-demand self-service – users can provision services on their own
Broad network access – service is available on any medium or device, including mobile
Resource pooling – multiple users and dynamic access to pooled resources
Rapid elasticity – resources can expand or contract as quickly as they are used or freed
Measured service – services are charged based on what is used
Three primary cloud service delivery mechanisms:
Infrastructure as a Service (IaaS),
Platform as a Service (PaaS), and
Software as a Service (SaaS).
Cloud Service Delivery Models
Three primary cloud service delivery mechanisms:
Infrastructure as a Service (IaaS),
Platform as a Service (PaaS), and
Software as a Service (SaaS).
Rapidly blurring lines and expanding usage of the XaaS model
SecaaS, StaaS, IDaaS, etc…
Buzzword of the day: Serverless / FaaS
Future: Everything as a Service
Cloud Adoption
Source: ISACA/CSA Cloud Computing Market Maturity Whitepaper - 2015
Cloud computing is not marketing hype anymore; for many enterprises, cloud has become a critical part of the IT landscape.
• Business as Usual
• Strategic
Security is changing from being the biggest concern…
Source: A Global Look at IT Audit Best Practices - Assessing the International Leaders in Annual ISACA/Protiviti Survey 2016
… to Security is a differentiator
Source: ISACA/CSA Cloud Computing Market Maturity Whitepaper - 2015
The performance benefits have led to financial benefits and the ability to invest in areas such as product development and innovation and expanding to new markets.
Bad things can happen in Cloud too
Security Professionals and Cloud
Source: AWS Logicworks Survey
Skills that are required to support cloud solutions are not available.
• DevOps
• SecDevOps
Shared Responsibility Model
• Cloud providers are secure (most of them)
• Moving to the cloud does NOT make YOU secure by default
• There are several areas where security is the customer’s responsibility
• Depends on the service used (IaaS, PaaS, SaaS)
• The customer benefits from the cloud vendor’s security and compliance efforts
• Identity and Access Management is almost always the customer’s responsibility
The level of responsibility and hand-off points will depend on the services used.
There are differences among cloud service types as well as among cloud providers.
Source: Gartner, April 2016
Shared Responsibility Model - AWS view
Source: https://aws.amazon.com/compliance/shared-responsibility-model/
Shared Responsibility Model - MS Azure View
The MS view on this is evolving. More information is available on their website than before…
Shared Responsibility Model - GCP View
Focus on GCP security. No emphasis on the responsibility of the cloud user.
The Google security model is an end-to-end process, built on over 15 years of experience focused on keeping customers safe on Google applications like Gmail, Search and other Apps. With Google Cloud Platform your applications and data take advantage of the same security model.
Source: https://cloud.google.com/security/
Compliance in AWS
Compliance in MS Azure
Compliance in GCP
Source: https://cloud.google.com/security/compliance
Cloud Services are Secure - Are you?
Your cloud provider is secure - that doesn't mean you are!
Fear of the unknown - new technologies, new processes, new architectures.
Too much attention to the security of the cloud. Not much attention to security in the cloud.
Cloud Services are Secure - How can you be secure?
Focus on business value / business requirements
Develop an enterprise cloud strategy
Public Cloud should be part of your enterprise architecture
Adopt “Security by Design” mentality
Develop and adopt security guidance on acceptable uses for infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).
Develop, get buy-in and enforce policies
Train your employees. Develop expertise.
Automate policy enforcement.
IaaS Security
New tools enable better security controls:
Automation
Programmatic infrastructure
Software-defined network / server / configuration
Challenges:
Existing security organizations, programs and cultures need to adapt
Existing IT infrastructure and security tools do not support the new technologies
Buyer beware: not all cloud providers are the same.
IaaS Security - Current Status
The security posture of the major cloud providers is as good as or better than most enterprise data centers
Cloud providers have compliance reports to attest to their controls
Cloud providers have developed native security tools and are making them available to users at no cost or at a fraction of the cost of traditional tools
A well-architected environment built on the leading public cloud platforms can be better protected than traditional data centers (on-prem or co-location)
Most security weaknesses are the result of a failure to implement adequate controls on the user’s part:
misconfiguration, missing patches, mismanaged credentials
IaaS Security - How do you get there?
Use what is available from your vendor: cloud-native tools, white papers, best practices.
Embrace Agile: It is not just for developers. SecDevOps is the future.
Learn to talk API
Integrate the processes and tools into the DevOps lifecycle (SecDevOps)
Let go of your servers - Immutable Infrastructure
Automate - Remove the “human element / user error”
Start using. Get your teams trained.
10 Stages in Public Cloud Adoption
1. Do nothing. Hope it goes away.
2. Get concerned that you’re last to the party.
3. Realize that the security issues are perfectly manageable.
4. Trial some low-risk SaaS applications.
5. Test cloud with a tiny, non-critical new project so nobody gets fired if it doesn’t work out.
6. Migrate all the back-ups and disaster recovery to the cloud.
7. Road bump! Find it’s costing more than expected… and then rearchitect quietly to do it properly this time.
8. Seriously embrace hybrid cloud since it seems to offer everything.
9. Ditch hybrid because it’s not delivering as expected — go full public cloud.
10. Wonder what to do with all the data centers you no longer need.
IaaS Security - Your Responsibility and Best Practices
Identity and Access Management
Data Security / Encryption
Backup and Recovery
OS security and patching
Network Security
Top 11 IAM best practices
1. Users – Create individual users.
2. Permissions – Grant least privilege.
3. Groups – Manage permissions with groups.
4. Conditions – Restrict privileged access further with conditions.
5. Auditing – Enable AWS CloudTrail to get logs of API calls.
6. Password – Configure a strong password policy.
7. Rotate – Rotate security credentials regularly.
8. MFA – Enable MFA for privileged users.
9. Sharing – Use IAM roles to share access.
10. Roles – Use IAM roles for Amazon EC2 instances.
11. Root – Reduce or remove use of root.
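Practices 6, 7, 8 and 11 can be checked mechanically from the account's IAM credential report. The following is an added example, not code from the talk or from PurpleBox: it audits a constructed credential-report extract for console users without MFA, access keys older than an assumed 90-day rotation threshold, and active root access keys.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential-report extract (not a real account). The column names
# follow the IAM credential report, trimmed to the columns these checks need.
REPORT_CSV = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,true,true,true,2016-05-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2017-02-10T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,2016-09-15T00:00:00+00:00,false,N/A
"""

NOW = datetime(2017, 3, 1, tzinfo=timezone.utc)  # pinned so the example is repeatable
MAX_KEY_AGE = timedelta(days=90)                 # rotation threshold is an assumption

def audit(report_csv, now=NOW):
    """Return (user, finding) pairs for practices 6-8 and 11: MFA on every
    console user, regular key rotation, and no access keys on the root account."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root access key is active; delete it and use IAM users and roles"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = now - datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            if age > MAX_KEY_AGE:
                findings.append((user, f"access key {n} is {age.days} days old; rotate it"))
    return findings
```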
Encrypt your sensitive information
Native encryption across services for free
▪ Amazon S3, Amazon EBS, Amazon RDS, Amazon Redshift
▪ End-to-end SSL/TLS
Scalable key management
▪ AWS Key Management Service (KMS)
▪ AWS CloudHSM
Third-party encryption options
▪ Trend Micro, SafeNet, Vormetric, HyTrust, Sophos, etc.
Log and Monitor
What can you answer using a CloudTrail event?
▪ Who made the API call?
▪ When was the API call made?
▪ What was the API call?
▪ Which resources were acted upon in the API call?
▪ Where was the API call made from and made to?
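The five questions map directly onto fields of a CloudTrail record. The following is an added example, not code from the talk: it pulls the who / when / what / which resources / where answers out of a constructed record and adds the two flags a reviewer most wants raised, root-account use and a state-changing call made without an MFA-authenticated session. The read-only prefix list and identifier-key list are assumptions.

```python
import json

# Constructed CloudTrail record (not a real capture): a role session terminating
# an EC2 instance from the CLI without an MFA-authenticated session.
SAMPLE_EVENT = json.loads("""{
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/OpsAdmin/alice",
    "accountId": "123456789012",
    "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
  "eventTime": "2017-03-01T14:05:43Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.10",
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123"}]}}
}""")

READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Lookup")
ID_KEYS = {"instanceId", "bucketName", "userName", "roleName", "groupId", "vpcId"}

def find_resource_ids(node, found=None):
    """Collect values of well-known identifier keys anywhere in requestParameters."""
    found = [] if found is None else found
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ID_KEYS and isinstance(value, str):
                found.append(value)
            else:
                find_resource_ids(value, found)
    elif isinstance(node, list):
        for item in node:
            find_resource_ids(item, found)
    return found

def summarize(event):
    """Answer the slide's five questions and add the two flags most worth an
    alert: the root account was used, or a change was made without MFA."""
    ident = event["userIdentity"]
    who = ident.get("userName") or ident["arn"].rsplit(":", 1)[-1]
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    mfa = attrs.get("mfaAuthenticated") == "true"
    mutating = not event["eventName"].startswith(READ_ONLY_PREFIXES)
    resources = [r["ARN"] for r in event.get("resources", []) if "ARN" in r]
    resources += find_resource_ids(event.get("requestParameters"))
    flags = [name for name, hit in (("root-account-used", ident.get("type") == "Root"),
                                    ("change-without-mfa", mutating and not mfa)) if hit]
    return {"who": who, "when": event["eventTime"],
            "what": f'{event["eventSource"]}:{event["eventName"]}',
            "resources": resources, "where_from": event["sourceIPAddress"],
            "where_to": (event["awsRegion"], event.get("recipientAccountId", ident["accountId"])),
            "flags": flags}
```

Calls made with long-term access keys carry no session context, so they are reported as not MFA-authenticated, which is the correct reading for a change made that way.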
AWS CloudTrail best practices
1. Enable in all regions
2. Enable log file validation
3. Encrypt logs
4. Integrate with Amazon CloudWatch Logs
5. Centralize logs from all accounts
IaaS Security - IAM
Admin Access, Password Policies, MFA
IAM Users, Roles, Groups, Permissions
Demo
IaaS Security - Admin Access
IaaS Security - Admin Access, Password Policies, MFA
IaaS Security - IAM Users, Roles, Credentials
IaaS Security - Network
Network Segmentation
VPC
Public Subnets
Private Subnets
NACL/ Routing / Internet Gateway / NAT Gateway
Firewall / Security Groups
Site-to-Cloud VPN Connectivity
IaaS Security - Server OS Security and Patching
Approved list of images
OS: Linux / Microsoft
Hardened to CIS Standards
Maintained by Security in a central library
Saved as Golden Image
Provided to users via automated scripts / workflows.
What if every server in your environment could have the same configuration: secured, patched and accredited by InfoSec?
IaaS Security - Server OS Security and Patching
Challenges are similar:
Prioritizing
Maintenance window
Testing for impact of a patch
Approaches are different:
Decoupled system components (micro-services)
Patch everything on the “golden image”
Test (SecDevOps)
Roll-out live, no maintenance windows (CI/CD)
Security Monitoring Demo
New instance is started
Does it have the required tags?
• No:
• Put instance in quarantine
• Send email to owner
• Yes:
• Check required tags
• Apply workflow per tag:
• Environment: Dev / Stage / Prod • Check for allowed AMIs • Check for allowed instance types • Check for allowed VPC/SG • etc… • Apply enforcement action
• BU: Corporate, Manufacturing, Retail • Check for allowed AMIs • Check for allowed instance types • Check for allowed VPC/SG • etc… • Apply enforcement action
• Compliance: None / HIPAA / PCI • Check for allowed AMIs • Check for allowed instance types • Check for allowed VPC/SG • etc… • Apply enforcement action
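The decision flow above, as an added example that is not the demo code from the talk: a policy table keyed by tag value (constructed, with assumed AMI, VPC and security-group names) drives the per-tag checks, a missing required tag quarantines the instance and notifies the owner, and any violation produces an enforcement action (stopping the instance is the assumed action, since the talk does not name one).

```python
REQUIRED_TAGS = ("Environment", "BU", "Compliance")

# Constructed policy table (not from the talk): per tag value, the allowed AMIs,
# instance types, VPCs and security groups; an absent key means no restriction.
POLICY = {
    ("Environment", "Prod"): {"amis": {"ami-0golden01"}, "vpcs": {"vpc-prod01"}},
    ("Environment", "Dev"): {"amis": {"ami-0golden01", "ami-0golden02"}, "vpcs": {"vpc-dev01"}},
    ("BU", "Retail"): {"types": {"m4.large", "m4.xlarge", "t2.medium"}},
    ("Compliance", "PCI"): {"types": {"m4.large", "m4.xlarge"}, "sgs": {"sg-pci-web", "sg-pci-db"}},
    ("Compliance", "None"): {},
}

def evaluate(instance):
    """The slide's flow: quarantine and notify when a required tag is missing,
    otherwise run every applicable policy row and return the enforcement action."""
    tags = instance["tags"]
    owner = tags.get("Owner")
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        return {"action": "quarantine", "notify": owner,
                "reasons": [f"missing required tag {t}" for t in missing]}
    violations = []
    for tag in REQUIRED_TAGS:
        rule = POLICY.get((tag, tags[tag]))
        if rule is None:
            violations.append(f"{tag}={tags[tag]} is not an allowed value")
            continue
        for key, value in (("amis", instance["ami"]), ("types", instance["type"]),
                           ("vpcs", instance["vpc"])):
            if key in rule and value not in rule[key]:
                violations.append(f"{tag}={tags[tag]}: {value} not in allowed {key}")
        extra = set(instance["sgs"]) - rule.get("sgs", set(instance["sgs"]))
        if extra:
            violations.append(f"{tag}={tags[tag]}: security groups {sorted(extra)} not allowed")
    return {"action": "stop" if violations else "allow", "notify": owner, "reasons": violations}

# Constructed instances: one untagged, one PCI instance with a stray security group, one compliant.
UNTAGGED = {"ami": "ami-0golden01", "type": "m4.large", "vpc": "vpc-prod01", "sgs": ["sg-pci-web"],
            "tags": {"Environment": "Prod", "BU": "Retail", "Owner": "alice@example.com"}}
STRAY_SG = {"ami": "ami-0golden01", "type": "m4.large", "vpc": "vpc-prod01",
            "sgs": ["sg-pci-web", "sg-open-ssh"],
            "tags": {"Environment": "Prod", "BU": "Retail", "Compliance": "PCI", "Owner": "bob@example.com"}}
CLEAN = {"ami": "ami-0golden02", "type": "t2.medium", "vpc": "vpc-dev01", "sgs": ["sg-dev-web"],
         "tags": {"Environment": "Dev", "BU": "Retail", "Compliance": "None", "Owner": "carol@example.com"}}
```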
Thank You
Nihat Guven
PurpleBox, Inc.
404-281-7120