Security in the Cloud 
Akash Mahajan
Akash Mahajan - Profile 
Heard of that Web App Security Guy? 
Am the chapter lead for OWASP Bangalore 
Co-founded a security community; null 
Kick-started an eco system for start-ups 
Ever attended a Startup Saturday? 
Realized that I love to learn about security!
You will not learn anything new today 
The interesting part is learning why you 
won’t learn anything new today
WHAT IS CLOUD COMPUTING?
“Today Internet is Cloud CD Based, if you use Google 
your docs get stored in cloud, have you ever seen 
Google software CD? No it’s not here, it’s in the 
cloud. Called as Cloud CD! When you check, it 
Cloud gives error because it is raining!!!! ” 
- Vishwa Bandhu Gupta
Cloud computing is computing in which large 
groups of remote servers are networked to 
allow the centralized data storage, and 
online access to computer services or 
resources. 
- From http://en.wikipedia.org/wiki/Cloud_computing
How is Cloud Computing different from?
Grid computing 
Distributed computing 
Large Scale Clusters
Elasticity 
is the degree to which a system is able 
to adapt to workload changes
How do we get Elasticity? 
by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible.
Autonomic Manner 
The system makes decisions on its own, 
using high-level policies; it will 
constantly check and optimize its 
status and automatically adapt itself to 
changing conditions.
AWS Auto-scale – Example of Elasticity
The tech behind 
cloud computing 
is not new
WHAT MAKES UP THE CLOUD 
COMPUTING STACK?
Virtualization 
The main enabling technology for cloud computing
Service Oriented 
Architecture 
(SOA) 
Breaking business problems into services that can be integrated
Programmable 
APIs 
Ability to interact with the services offered using 
programs and the libraries provided
Management 
Layer 
Ability to interact with the services offered using a 
web based front-end for management & billing
High Speed 
Networks 
All of the above talk to each other using 
high speed networks
Cloud Computing Stack 
Management Layer 
Programmable APIs 
Service Layer 
OS Level Virtualization
OS LEVEL VIRTUALIZATION
What is Virtualization? 
it separates a physical 
computing device into one or 
more "virtual" devices
OS Level Virtualization 
It essentially creates a scalable 
system of multiple 
independent computing 
devices.
OS Level Virtualization 
Idle computing resources can be 
allocated and used more efficiently
Virtualization provides agility 
• Speed up IT operations 
• Reduces cost by 
increasing 
infrastructure utilization
Virtualization provides automation 
• Computing automates the process through 
which the user can provision resources on-demand. 
• By minimizing user involvement, 
automation speeds up the process, reduces 
labor costs and reduces human errors
SERVICE ORIENTED ARCHITECTURE 
FOR CLOUD SERVICES
What does SOA contain?
Compute 
processor, random access memory
Storage 
persistent, redundant, 
scalable, infinite and cheap
Network 
all-pervasive, based on TCP/IP, gigabit-fast and more
Management 
what we use to manage or 
work with the service
Metrics and Measured Service 
billing is like utility services 
and every service is 
measurable
PROGRAMMABLE APIS AND 
MANAGEMENT LAYER
Programmable APIs 
Start, stop, pause virtual 
servers 
ec2-run-instances 
gcloud compute instances create
Management Layer 
Basically a web based control panel
Management Layer
SERVICE MODELS
Cloud Service Models
Software As A Service 
Meant for end users to consume a service 
using applications and data storage
Platform As A Service 
Meant for developers to utilize an integrated 
development platform and framework
Infrastructure As A Service 
Basic Cloud Service building blocks are given 
like server instance, storage and network
DEPLOYMENT MODELS FOR THE 
CLOUD
Cloud can be in your office too
Deployment Models 
• Public 
• Private 
• Hybrid
Public Cloud 
A cloud is called a "public cloud" when the 
services are rendered over a network that is 
open for public use.
Private Cloud 
Private cloud is cloud infrastructure operated 
solely for a single organization, whether 
managed internally or by a third-party, and 
hosted either internally or externally
Hybrid Cloud 
Hybrid cloud is a composition of two or more 
clouds (private, community or public) that 
remain distinct entities but are bound 
together, offering the benefits of multiple 
deployment models.
We will restrict our discussion to the security of the public cloud
SECURITY IN THE PUBLIC CLOUD
Shared Sense of 
Security 
Public cloud vendors and customers have a shared 
sense of security
Shared 
Responsibility of 
security 
Public cloud vendors and customers have to share 
security responsibility
Division of Responsibility
Amazon AWS takes care of 
• Physical Security (Nobody should walk away 
with the server including Govt.) 
• Host OS which runs the virtualization software 
• Virtualization Security (Rogue VMs can't harm 
others)
Amazon AWS takes care of 
• Environmental Safeguards (DC is safe to run 
servers) 
• Administrative Controls (Policies and 
Procedures) 
• Certifications and Accreditations (SAS70, SOC1, 
PCI, ISO27K1)
You take care of 
• Guest OS (The Compute instance) 
• Application Security (The application on the 
compute instance) 
• Data Security (The data being generated, 
processed by the application) 
• Network security for the guest & 
applications 
• Security Monitoring of Guest OS & 
applications
A few public cloud vendors
Does Cloud Need 
Security? 
Wrong question to ask, the question should be…
Do we need to 
worry about our 
data, our infra, our 
apps stored in the 
public cloud?
Our apps in the public cloud 
• This applies only to IAAS and PAAS; in SAAS it is not our application
• An insecure app can expose the underlying infrastructure and data to theft, corruption and exposure
Security Testing of Apps 
• No different from testing any application for 
security 
• We might require permission to run 
automated scanners against the app 
• Ideal framework to test against is OWASP 
Top 10 and OWASP Testing Guide
App Insecurity Scenario 
• App has a Local File Inclusion bug 
• The AWS root credentials are being used 
• They are stored in a world readable file on the 
server 
• Attacker reads the credentials and starts 
multiple large instances to mine bitcoins 
• Victim saddled with a massive bill at the end of 
the month
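The scenario above turns on two things a defender can check on the host itself: whether the credential file is readable by other users, and whether long-lived static keys are sitting in a file at all (the slides' own fix, later in the deck, is IAM roles instead of shared credentials). The following Python script is an added example, not code from the original slides: it inspects a file's mode bits and looks for access-key-id shaped strings. The `AKIA` + 16 character pattern is the documented shape of an AWS access key id; the sample credentials file is constructed for the demo and the key id in it is not a real key.

```python
"""Audit a credentials file for the weakness in the talk's app scenario:
static cloud keys sitting in a file that other users on the host can read.

Added example (not from the slides). Assumes a POSIX host so that mode bits
are meaningful.
"""
import os
import re
import stat
import tempfile

# Constructed sample credentials file; the key id has the right shape but is not a real key.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = examplesecretexamplesecretexamplesecret00
"""

# AWS access key ids are 20 characters: the prefix AKIA plus 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def audit_credential_file(path):
    """Return a list of findings for one file; an empty list means nothing flagged."""
    findings = []
    mode = os.stat(path).st_mode
    # The LFI in the scenario only works because "other" (or group) can read the file.
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    elif mode & stat.S_IRGRP:
        findings.append("group-readable")
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    keys = ACCESS_KEY_RE.findall(text)
    if keys:
        # Static keys on disk are the real problem; an instance role would leave nothing to steal.
        findings.append(f"contains {len(keys)} static access key id(s)")
    return findings


def write_sample(mode):
    """Write the constructed sample to a temp file with the given mode and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CREDENTIALS)
    os.chmod(path, mode)
    return path


def demo():
    """Audit a 0644 copy (the scenario) and a 0600 copy; return both finding lists."""
    results = []
    for mode in (0o644, 0o600):
        path = write_sample(mode)
        try:
            results.append(audit_credential_file(path))
        finally:
            os.remove(path)
    return results


if __name__ == "__main__":
    for mode, findings in zip(("0644", "0600"), demo()):
        print(f"mode {mode}: {findings or 'no findings'}")
```

Even the 0600 copy is flagged, because tightening permissions only narrows who can read the keys; removing static keys from the instance removes the prize.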
Our infra in the public cloud 
• This applies only to IAAS; in SAAS and PAAS it is not our application or infra
• Infrastructure vulnerabilities can derail any app security in place.
Security Testing of Infra 
• No different from testing a server for security
• We may require permission to run 
automated scanners against the server 
• Ideal framework to test against is any 
Penetration Testing Standard PTES / 
OSSTMM
Infra Insecurity Scenario 
• MySQL Production database is listening on an external port
• Developers work directly on production database 
and require SQL Management Software 
• They log in using the root user of MySQL Database 
server and a simple password 
• Attacker runs a brute force script and cracks the 
password, gains full access to the database
HEARTBLEED – AN ILLUSTRATION OF AN 
INFRASTRUCTURE VULNERABILITY
Servers (Infra) 
were leaking 
sensitive 
information
What kind of information? 
• Session IDs 
• Usernames 
• Password 
• Server Certificate’s Private Keys
CloudFlare hosted a vulnerable server 
A security researcher sent 2.5 million requests 
and got the private keys
What is the big deal about that? 
• Private Keys for the SSL certificate 
can decrypt all past and future traffic 
• Private Keys allow for impersonation of that 
service as well. 
• What if some website could pretend to be 
https://examplebank.com ?
Amateur Hour at AWS
• https://opbeat.com/blog/posts/amateur-hour-at-aws/
• Amazon AWS took about 48 hours after everyone knew about Heartbleed to patch its servers and inform its customers
• This caused a lot of heartache and pain for its customers
Our data in the public cloud 
• This applies to all of PAAS, IAAS and SAAS
• Our data can get leaked, exposed, stolen or held to ransom if we don't make sure it is safe while being used, while being transmitted and while being stored
Verifying Data Security through Testing 
• This is a specialized testing requirement. A part of it can be tested by looking at the system and application architecture
• All the places where the data can be written, sent or travel through need to be looked at
• Writing to storage, exposing APIs, backups and even insider threats
Verifying Data uses Encryption 
• Data at rest is encrypted
– This will ensure that if an attacker has access to the disk/store, they can't use the data
• Data in motion is encrypted
– This will ensure that if an attacker can sniff the network traffic they can't see or tamper with the data
• Data in use (tmp files, key loaded in memory) is protected
– This will ensure that an attacker can't do catastrophic damage if they manage to gain access to a server
Secure Key Management 
• Once we start using encryption for data storage and data transmission, the encryption keys need to be safeguarded against theft and accidental loss
• A secure key management process will ensure that at any point keys can be revoked and reissued
Data Insecurity Scenario 
• Database is getting backed up regularly.
• Due to performance reasons, the database wasn't encrypted when the initial backups were done.
• Dev team moves to newer SSDs and doesn't decommission the older HDDs.
• Attacker finds an older HDD, does forensic data recovery and sells the data for profit.
Cloud versus the IT department
How does being in 
the cloud change 
the traditional IT 
department?
How do IT 
departments 
manage cloud 
instances & data?
Does the company 
Info sec policy still 
apply?
Do the country's cyber laws still apply?
How do applications get attacked?
What are the frameworks for testing cloud? 
Can we follow some best practices?
HOW DO YOU TEST FOR SECURITY?
Cloud Security Alliance 
• Security Guidance Document
• https://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
• Covers 13 Critical Area Domains
European Network and Information Security 
Agency (ENISA) 
• Cloud Computing Information Assurance Framework
• http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance-framework/at_download/fullReport
• Covers 15 areas in OpSec and Identity & Access Management
Frameworks are great, but 
• They are too extensive to be actionable 
• They are too generic for real world security 
• They provide structure but lack incisive 
steps that can be taken right now to 
become secure
10 STEPS TO SECURING A CLOUD 
DEPLOYMENT (INFRASTRUCTURE)
Why Infrastructure first? 
In all cases Cloud Service Provider (CSP) takes 
care of physical security and the host 
operating system. So we just need to worry 
about the guest OS and all the 
infrastructure running on it.
AWS and Rackspace Host OS Vuln 
24th September 2014
AWS and Rackspace Host OS Vuln 
From the Amazon AWS Blog 
XEN Hypervisor Security Issues
5 Pillars of Security in IAAS (AWS)
• Identity and Access Management 
• Configuration and Patch Management 
• Endpoint and Network Protection 
• Vulnerability and Asset Management 
• Data Protection
How the CSPs stack up for security?

CSP/Security Feature             | AWS            | Google Compute Engine | Microsoft Azure     | Rackspace
IAM                              | YES            | YES                   | YES                 | Sort of
2FA for Management Layer         | Need to enable | Need to enable        | YES* (Paid Service) | NO
Network Isolation                | YES            | YES                   | YES                 | YES
Virtual Private Networks         | YES            | YES                   | YES                 | YES
Firewall                         | YES            | YES                   | YES                 | YES
Centralized Logs and Audit Trail | YES            | NO                    | YES*                | NO
Encryption for Storage           | YES            | YES                   | YES                 | (blank)
Key Management                   | YES            | YES                   | YES                 | YES

The Encryption for Storage row carries only three entries on the original slide; which provider the missing cell belongs to is not stated.

* http://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/
http://t.co/tig66fyu9K (thanks to @govindk)
The 10 steps are 
1. Enumerate all the network interfaces 
2. List all the running services 
3. Harden Each Service separately based on best 
practices 
4. Secure Remote access for server management 
(SSH, RDP) 
5. Check Operating System Patch Levels
The 10 steps are 
6. Harden the networking parameters of the 
Kernel (Linux Specific) 
7. Enable a Host Firewall 
8. Do an inventory of all user accounts on the server and audit them
9. Enable Centralized Logging 
10. Enable Encryption on disks, storage etc.
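Steps 1 and 2 (enumerate the interfaces, list the running services) are also exactly what would have caught the earlier infra scenario of a MySQL server listening on an external port. As an added example that is not part of the original slides, the Python script below parses `ss -tlnp` style output (a constructed sample, not a real capture) and reports every listener that is reachable from outside the host and is not on an assumed allowlist of intentionally public ports.

```python
"""Find services listening on externally reachable addresses (checklist steps 1-2).

Added example, not from the slides. It works on the text format printed by
`ss -tlnp` on Linux; the sample below is constructed for the demo.
"""
import re

# Constructed sample of `ss -tlnp` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1190,fd=21))
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=1301,fd=6))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=1402,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     [::1]:631            [::]:*             users:(("cupsd",pid=700,fd=7))
"""

# Ports this host is meant to expose (assumed allowlist; SSH and the web front-end).
ALLOWED_EXTERNAL_PORTS = {22, 80, 443}

# Anything bound to a loopback address is reachable only from the host itself.
LOOPBACK_PREFIXES = ("127.", "[::1]")

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(output):
    """Return (address, port, process) for each LISTEN line, skipping the header."""
    entries = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 brackets intact: "[::]:22" -> ("[::]", "22").
        addr, _, port = parts[3].rpartition(":")
        match = PROCESS_RE.search(line)
        process = match.group(1) if match else "?"
        entries.append((addr, int(port), process))
    return entries


def is_external(addr):
    """True for wildcard (0.0.0.0, *, [::]) and interface-specific binds, False for loopback."""
    return not addr.startswith(LOOPBACK_PREFIXES)


def find_exposed(entries, allowed=ALLOWED_EXTERNAL_PORTS):
    """Return listeners reachable from outside the host that are not on the allowlist."""
    return [(a, p, proc) for a, p, proc in entries if is_external(a) and p not in allowed]


def audit(output=SAMPLE_SS_OUTPUT):
    """Parse and audit in one call; returns the list of unexpected external listeners."""
    return find_exposed(parse_ss(output))


if __name__ == "__main__":
    for addr, port, process in audit():
        print(f"EXPOSED: {process} on {addr}:{port} is reachable from outside the host")
```

On a live server the same function can be fed the actual output of `ss -tlnp`. Anything it reports should either be rebound to localhost (the database in the scenario) or be added to the allowlist deliberately, with a host firewall rule (step 7) in front of it.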
Demo for 10 steps
AWS IAM Best Practices 
• Lock away your AWS account access keys 
• Create individual IAM users 
• Use groups to assign permissions to IAM 
users 
• Grant least privilege
AWS IAM Best Practices 
• Configure a strong password policy for your users 
• Enable MFA for privileged users 
• Use roles for applications that run on Amazon EC2 
instances 
• Delegate by using roles instead of by sharing 
credentials 
• Rotate credentials regularly
Real world security incidents we can all learn from 
CASE STUDIES
Case Study 1 
• Company Not following best practices 
• Data loss 
• Security Incident 
• Catastrophic Business Failure
Case Study 1 
CODESPACES AWS HACK
Anatomy of the attack 
1. Distract by doing DDOS against the target 
2. Gain access to the root credentials of AWS 
3. All storage devices, hard disks, S3 storage 
deleted 
Company was a hosting company 
They went bankrupt due to this and 100s of 
customers lost all their data
Case Study 2 – Application Security 
• Relatively benign bug causes major security 
hole in the cloud
Case Study 2 
APPLICATION (IN)SECURITY LOVES 
XXE
Application (In)Security & XXE
• Researcher finds that he can inject his own file name and path in AWS EC2
• EC2 uses Auto Scaling
• Auto Scaling requires information to be present on the EC2 instance
• The metadata web server allows local HTTP requests to be made, and the server and its credentials are pwned
Case Study 3 – Infrastructure 
Security 
• Un-patched server causes major security 
breach
Case Study 3 
INFRASTRUCTURE SECURITY FAIL
Browser Stack 
• Old neglected server, not being used.
• Server is brought up to check something.
• Unpatched server is left running on the Internet without any network protection
• Attacker compromises the server, steals the AWS credentials and manages to email all its customers about how bad the company is
Conclusions 
• Security in the cloud is really not very 
different from regular security 
• Same principles and processes apply 
• Same tools and techniques apply 
• IT folks simply need to understand the best way to get the same thing done
Questions? 
Contact 
Twitter @makash 
Linkedin https://linkd.in/webappsecguy 
Email akashmahajan@gmail.com
Attributions 
• Cloud Image Background from www.perspecsys.com 
• Video of Vishwa Bandhu https://www.youtube.com/watch?v=ApQlMm39xr0 
• Virtualization image By Qingqing Chen (Own work) [Public domain], via Wikimedia Commons 
• CPU Usage https://www.wormly.com/help/windows-server/cpu-usage-win32 
• Yoga agility By Earl McGehee (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
• Toyota Robot at Toyota Kaikan
• AWS Scale on Demand http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-scale-based-on-demand.html
• SOA for Cloud Computing http://www.communitydatalink.com/portfolio/cloudservices/
• http://www.rackspace.com/knowledge_center/whitepaper/understanding-the-cloud-computing-stack-saas-paas-iaas
• By Sam Joton (wikipedia) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
• Big Thanks to @govindk for fixing errors in Slide #96

Security in the cloud Workshop HSTC 2014


Editor's Notes

  • #7 NIST Special Publication 800-145
  • #8 Grid Computing - A form of distributed and parallel computing, whereby a 'super and virtual computer' is composed of a cluster of networked, loosely coupled computers acting in concert to perform very large tasks. Any large scale clusters – usually with a mainframe and a bunch of terminals
  • #13 It is merely the result of adoption of existing technologies and paradigms.
  • #16 What can these services look like?
  • #17 What can these services look like?
  • #18 What can these services look like?
  • #19 What can these services look like?
  • #23 Each of which can be easily used and managed to perform computing tasks.
  • #24 For most physical servers, CPU utilization is less than 50% most times of the day
  • #28 Compute – contains processing and memory Storage – Storing data for use Network – The network that connects the various services Management – What we use to manage and work with the cloud service
  • #49 So from now on, whenever I say Cloud I mean Public Cloud
  • #64 Best example of this is Heartbleed
  • #86 Show the small demo
  • #90 Which is why, we use a simple 10 step guide to securing a cloud deployment
  • #94 Amazon and Rackspace need to worry about this
  • #95 We need to worry about this
  • #97 Need to add more things here
  • #104 Data backup service that went out of business
  • #110 Browser Stack