
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016

Jan 24, 2017


Shannon Lietz
Transcript
Page 1: A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016

CLOUD SECURITY ESSENTIALS 2.0

CRAWL. WALK. RUN.

Javier Godinez, Principal DevSecOps Architect, Intuit

Shannon Lietz, Director, DevSecOps & Security Eng, Intuit

@devsecops

A Throwaway Deck for RSA

Page 2: IN THE CLOUD, EVERYTHING IS CODE...

Page 3: Uh… where do these go?

Page 4: EOL JUST HAPPENS...

http://donsmaps.com/images22/mutta1200.jpg

Page 5: Let’s switch some things around…

Diagram: data center and cloud concepts placed side by side: Data Center, Network, Servers, Virtualization, Operations, Platforms, Buyer Identifier, Cloud Account(s), Virtual IP Addresses, Containerization, Appliances, Storage, Security Features, Applications, Ephemeral Instances, Scale on Demand, IAAS, PAAS, SAAS, Resource Testing, Built-In Security, Long-Term Contracts, Partner Marketplaces, Slow-ish Decisions, Experiments.

Page 6: The Basic Cloud Model

Diagram: the Internet reaches the Cloud Provider Network over its Backbone; the Cloud Platform (Orchestration) provides Network, Compute and Storage; Cloud Account(s) hold Load Balancers, Compute Instances, VPCs, Block Storage, Object Storage, Relational Databases, NoSQL Databases, Containers, Content Acceleration, Messaging, Email, Utilities, Key Management, API/Templates, Certificate Management and a Partner Platform.

Page 7: Reality…

Diagram: the Internet connected to many Cloud Provider Networks and several Data Centers.

Page 8: CLOUD IS GREAT!

https://www.flickr.com/photos/comedynose

Page 9: Developers have lots of options…

Page 10: And Attackers also have lots of options…

Page 11: UH... WE’RE NOT IN {KANSAS} ANYMORE

Page 12: DevOps brings mega-change!

This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry.

http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security

… And maybe that’s a good thing!

Page 13: Top 5 Cloud Security Principles 2.0

• The Cloud is not a Datacenter.
• Reduce blast radius; play the odds.
• Encryption is inconvenient.
• Speed & Ease is both Friend & Foe.
• Protection is ideal; Detection is a must!

Page 14: EVERY COMPANY HAS SOMETHING IN THE CLOUD... THERE’S REALLY NO WAY OUT.

Page 15: The Cloud is not a Datacenter.

Page 16: Direct Connections/VPNs to Clouds are evil!

Diagram: a Data Center (PRIVATE network, Remote Access, SOFTWARE VPN, MANAGED VPN) joined by a VPN to a Cloud Provider Network (PUBLIC SUBNET, APP, DATABASE, Cloud Web Console, API Credentials).

“NEW” BOUNDARY HAS ALL THE WEAKNESSES OF BOTH AND MIXES TWO DIFFERENT SECURITY MODELS!

10.0.0.0/8 Connected & Routable?

No IDS? What do you mean the IP could change?

Tags? Security Groups? SDE?

Page 17: Host-Based Controls

• Shared Responsibility and Cloud require host-based controls.
• Instrumentation is everything!
• Fine-grained controls require more scrutiny and bigger big data analysis.

Diagram: Instances inside the Cloud Provider Network, with instrumentation feedback such as “Tested machine image… Tested instances... Tested roles... Tested passwords...” and “New instance created… Instance 12345 changed… User ABC accessed Instance 12345...”

Page 18: Lights out…

• Lights out datacenters have always been a desired nirvana.
• Automation is required to stack and replace cloud workloads.
• Cloud security benefits are derived from lights out…
  • Automation & Instrumentation
  • Ephemeral Bastions
  • Drift Management
  • Security Testing

Diagram: a Bastion and Instances inside the Cloud Provider Network, with the same instrumentation feedback: “Tested machine image… Tested instances... Tested roles... Tested passwords...” and “New instance created… Instance 12345 changed… User ABC accessed Instance 12345...”

Page 19: Long live APIs…

• Everything in the cloud should be an API, even Security…
• Protocols that are not cloudy should not span across environments.
• If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it:
  • Messaging
  • Databases
  • File Transfers
  • Logging

Diagram: inside the Cloud Provider Network, “My API” fronts User Routing, Data Replication, Application Gateway, File Transfers, Log Sharing and Messaging, with the same instrumentation feedback on tested images, instances, roles and passwords, and on instances being created, changed and accessed.
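As an added example (not part of the deck), here is what “an API and Authentication in front of it” can look like for the Log Sharing case: the data-center side signs each request with a shared secret, and the cloud-side API verifies the signature, rejects stale timestamps and replays, and only then parses the payload. The shared secret, the header names, the /v1/logs path and the LogIngestServer class are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import time

# Added example: an authenticated API in front of cross-environment log sharing.
# Secret, header names and the /v1/logs path are assumptions for this example.
SHARED_SECRET = b"example-only-rotate-me"   # constructed; issue one per client and rotate in practice
CLOCK_SKEW_SECONDS = 300


def _string_to_sign(method, path, timestamp, body):
    """Binds method, path, time and a body digest so none can be swapped without re-signing."""
    return f"{method}\n{path}\n{timestamp}\n{hashlib.sha256(body).hexdigest()}".encode()


def sign_request(secret, method, path, body, timestamp=None):
    """Client side (data-center sender): headers to attach to the request."""
    ts = str(int(time.time() if timestamp is None else timestamp))
    sig = hmac.new(secret, _string_to_sign(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": ts, "X-Signature": sig}


class LogIngestServer:
    """Cloud side: verifies before it parses, so unauthenticated bytes never reach the log pipeline."""

    def __init__(self, secret, now=time.time):
        self._secret = secret
        self._now = now
        self._seen = set()      # replay cache; only entries inside the skew window need keeping
        self.accepted = []

    def handle(self, method, path, headers, body):
        """Returns an HTTP-style (status, reason) pair."""
        ts, sig = headers.get("X-Timestamp"), headers.get("X-Signature")
        if ts is None or sig is None:
            return 401, "missing signature"
        if not ts.isdigit() or abs(self._now() - int(ts)) > CLOCK_SKEW_SECONDS:
            return 401, "stale timestamp"
        expected = hmac.new(self._secret, _string_to_sign(method, path, ts, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return 401, "bad signature"
        if (ts, sig) in self._seen:
            return 409, "replay"
        self._seen.add((ts, sig))
        self.accepted.append(json.loads(body))       # payload is trusted only past this point
        return 202, "accepted"


if __name__ == "__main__":
    server = LogIngestServer(SHARED_SECRET)
    body = json.dumps({"host": "web-1", "line": "GET /index.html 200"}).encode()
    headers = sign_request(SHARED_SECRET, "POST", "/v1/logs", body)
    print(server.handle("POST", "/v1/logs", headers, body))
    print(server.handle("POST", "/v1/logs", headers, body))   # same request again: replay
```

The same shape works for the other items on the slide (messaging, file transfer, replication): the point is that the legacy protocol stays inside one environment and only an authenticated, signed API call crosses the boundary. Per-client secrets and TLS on the transport are still needed; the HMAC only proves who sent the request and that it was not altered or replayed.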

Page 20: IT’S GOING TO BE A BLAST!

https://www.flickr.com/photos/mountainbread

Page 21: Blast Radius is a real thing…

R.I.P.

Page 22: Beware of Orchestrators…

• Orchestration creates blast radius because it centralizes the deployment/security for cloud workloads.
• Tools that act on behalf usually require credentials and create blindspots.
• Non-native tools require specialized skills and make it difficult to gain context on what the right behavior should be.

Diagram: a Cloud Orchestration Platform holding secrets and acting on Cloud Accounts A, B and C inside the Cloud Provider Network. “What’s normal?”

Page 23: Account Sharding is a new control!

• Splitting cloud workloads into many accounts has a benefit.
• Accounts should contain less than 100% of a cloud workload.
• Works well with APIs; works dismally with forklifts.
• What is your appetite for risk?

Diagram: Cloud Workload Templates deployed 33% / 33% / 33% across three Cloud Accounts in the Cloud Provider Network, with an attacker targeting one of them.

Page 24: MFA is a MUST!

• Passwords don’t work.
• Passwords aren’t enough to protect infrastructure.
• Use MFA to protect User accounts and API credentials used by Humans.
• On some cloud platforms it is possible to make roles work only when MFA is provided and for certain actions to require MFA.

Diagram: a token reading 123456 next to a console session:
Implement cloud template…
API Credentials accepted...
Please input your MFA token: XXXXXX (123456)
Cloud stack 123 has been implemented.
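The deck does not show what “roles that only work when MFA is provided” looks like in practice. The following added example models it with AWS IAM’s aws:MultiFactorAuthPresent condition key and a simplified policy evaluator written for this page. The three policies and the evaluator are illustrations, not IAM’s own logic: the evaluator handles only Action, Effect and the Bool / BoolIfExists condition operators, and ignores resources, SCPs and resource policies.

```python
import fnmatch

# Added example: how an IAM-style policy can gate a role's actions on
# aws:MultiFactorAuthPresent. Policies and evaluator are illustrative only.

# Weak: the role works with any credential, MFA or not.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
}

# Naive hardening: deny only when the key is present and false. Long-term
# access keys do not carry the key at all, so this deny never fires for them.
NAIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Hardened: read-only actions need no MFA, mutating actions are allowed only
# with MFA, and the destructive action is explicitly denied unless MFA was
# used (BoolIfExists makes a missing key count as "false" for the deny).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _action_matches(pattern, action):
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_matches(condition, context):
    """Supports Bool and BoolIfExists, which is all these policies use."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                # Missing key: the ...IfExists form treats the condition as met,
                # the plain operator treats it as failed.
                if operator.endswith("IfExists"):
                    continue
                return False
            if actual.lower() != str(wanted).lower():
                return False
    return True


def is_allowed(policy, action, context):
    """Explicit Deny wins; otherwise any matching Allow grants; default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Request contexts: a session with MFA, a session without, and a long-term
# access key, for which the MFA key is absent from the context entirely.
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY = {}

if __name__ == "__main__":
    for name, policy in [("weak", WEAK_POLICY), ("naive", NAIVE_POLICY), ("hardened", HARDENED_POLICY)]:
        print(f"{name:9} terminate with access key:",
              is_allowed(policy, "ec2:TerminateInstances", ACCESS_KEY))
```

The gap between NAIVE_POLICY and HARDENED_POLICY is the one practitioners miss most often: a deny keyed on the value false does nothing for a request made with a long-lived access key, because the key is simply absent. Use the IfExists form for the deny, and still prefer roles plus MFA-protected role assumption over long-lived keys for humans.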

Page 25: Cloud Disaster Recovery is a different animal…

• Regional recovery is not enough to cover security woes.
• Security events can quickly escalate to disasters.
• Got a disaster recovery team?
• Multi-Account strategies with separation of duties can help.
• Don’t hard code if you can help it.
• Encryption is inconvenient, but necessary…

Diagram: Cloud Workload Templates deployed 50% / 50% across two Cloud Accounts in the Cloud Provider Network, with Disaster Templates deployed to another 50% in separate Cloud Accounts.

Page 26: BEGIN ENCRYPTED TRANSMISSION...

https://www.flickr.com/photos/ideonexus

Page 27: Encryption is a necessary evil…

• It helps with Safe Harbor.
• It helps with SQL Injection.
• It helps with Data Ownership.
• It helps with Privacy.

It’s not a silver bullet…

Diagram: three Cloud Accounts in the Cloud Provider Network; an Instance running an App with a DB and Disk, a Managed Service, Secrets Management, and Key Management & Encryption.

Page 28: So much inconvenience

• It can limit scale and it may narrow design options.
• Scalable Key Management is really hard in the cloud.
• Inconvenience commonly comes from blue/green changes, dynamic environment & sharing secrets for auto-scale.

Diagram: many Instances, each with its own Disk, plus APP and DB tiers spread across two Cloud Accounts, all depending on Secrets Management. “Phew, I’m exhausted.”

Page 29: Overcoming Inconvenience

• Use built-in transparent encryption when possible.
• Use native cloud key management and encryption when available.
• Develop back up strategies for keys and secrets.
• Apply App Level Encryption to help with SQL Injection and preserving Safe Harbor.
• Use APIs to exchange data and rotate encryption.

Diagram: three Cloud Accounts in the Cloud Provider Network; an Instance running an App with a DB and Disk, a Managed Service, Secrets Management, and Key Management & Encryption.
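Added example of the envelope-encryption pattern behind “use native cloud key management” and “use APIs to rotate encryption”, which is not code from the deck: each record gets its own data key, the data key is wrapped by a master key that never leaves the key service, and rotating the master key only re-wraps the data key, so the bulk ciphertext on disk or in the DB is untouched. The KeyService class stands in for a provider KMS, and seal()/open_() are a stand-in cipher built from an HMAC-SHA256 keystream with an HMAC tag so the example runs on the standard library alone; in production use the provider’s KMS and AES-GCM.

```python
import hashlib
import hmac
import os

# Added example: envelope encryption with master-key rotation, stdlib only.
# seal()/open_() are a stand-in for AES-GCM (HMAC-SHA256 in counter mode,
# encrypt-then-MAC); KeyService is a stand-in for a provider KMS.

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks, cut to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC with derived sub-keys; output is nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting; ValueError on tampering."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class KeyService:
    """Stand-in for a cloud KMS: master keys are created, used and retired here, never exported."""

    def __init__(self):
        self._masters = {}

    def create_master(self, key_id):
        self._masters[key_id] = os.urandom(32)

    def retire_master(self, key_id):
        del self._masters[key_id]

    def generate_data_key(self, key_id):
        """Returns (plaintext data key, data key wrapped under master key_id)."""
        data_key = os.urandom(32)
        return data_key, self._wrap(key_id, data_key)

    def decrypt_data_key(self, wrapped):
        key_id, blob = wrapped.split(b"|", 1)
        key_id = key_id.decode()
        return open_(self._masters[key_id], blob, aad=key_id.encode())  # KeyError once retired

    def rewrap(self, wrapped, new_key_id):
        """Rotation: unwrap under the old master, wrap under the new; data never leaves storage."""
        return self._wrap(new_key_id, self.decrypt_data_key(wrapped))

    def _wrap(self, key_id, data_key):
        return key_id.encode() + b"|" + seal(self._masters[key_id], data_key, aad=key_id.encode())


def encrypt_record(kms, key_id, plaintext):
    data_key, wrapped = kms.generate_data_key(key_id)
    return {"wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext)}


def decrypt_record(kms, record):
    return open_(kms.decrypt_data_key(record["wrapped_key"]), record["ciphertext"])


def rotate_master(kms, record, new_key_id):
    """Only the wrapped data key changes; the bulk ciphertext is reused as-is."""
    return {"wrapped_key": kms.rewrap(record["wrapped_key"], new_key_id),
            "ciphertext": record["ciphertext"]}
```

This is the shape that makes “rotate encryption through an API” cheap for auto-scaled fleets: instances only ever hold data keys, the wrapped key travels with the record, and a master-key rotation is a re-wrap call per record rather than a re-encryption of every disk. The backup strategy the slide asks for is then a strategy for the master keys and their access policy, not for copies of plaintext keys.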

Page 30: FRIEND AND FOE...

https://www.flickr.com/photos/sreybhtiek

Page 31: Speed & Ease can create problems…

• Overloaded terms like “Policy” can cause confusion for DevOps and Security teams.
• Applying broad controls to narrow problems can create gaps.
• Security reviews are too slow…
• Mistakes can and do happen!!
• Security scanners and testing tools are not yet available for solving these speed & ease challenges.

Diagram: DEVOPS on one side and SECURITY on the other; CLOUD SECURITY POLICIES (Page 3 of 433) against SECURITY AS CODE; “How do I? Did you mean? What is?”

Sigh… It’s like we aren’t speaking the same language…

Page 32: Mixed modes don’t work

• Forklifts are not a good idea because the original controls operate differently.
• Systems designed for waterfall don’t have an easy path to achieve agile.
• Fragile applications in the cloud are easy pickings for attackers!

MAN – THIS SHELL IS HEAVY!

Page 33: Code can solve the divide

• Paper-resident policies do not stand up to constant cloud evolution and lessons learned.
• Translation from paper to code can lead to mistakes.
• Traditional security policies do not 1:1 translate to Full Stack deployments.

Diagram: Data Center rules (LOCK YOUR DOORS, BADGE IN, AUTHORIZED PERSONNEL ONLY, BACKGROUND CHECKS) beside Cloud Provider Network rules (CHOOSE STRONG PASSWORDS, USE MFA, ROTATE API CREDENTIALS, CROSS-ACCOUNT ACCESS); EVERYTHING AS CODE; Page 3 of 433.

Page 34: Speed & Ease can increase security!

• Fast remediation can remove attack path quickly.
• Resolution can be achieved in minutes compared to months in a datacenter environment.
• Continuous Delivery has an advantage of being able to publish over an attacker.
• Built-in forensic snapshots and blue/green publishing can allow for systems to be recovered while an investigation takes place.

Diagram: an APP/DB pair ATTACKED, a copy held for FORENSICS, and a fresh APP/DB pair RECOVERED.

Page 35: EYES & EARS ...

https://www.flickr.com/photos/waltstoneburner

Page 36: Shift controls & mindset

Security Monitoring

Page 37: Cloud Security is a Big Data Challenge…

• DevOps + Security is the biggest big data challenge ahead.
• Use Attack Models and choose the right Data Sources to discover attacks in near real-time.
• Develop a scientific approach to help DevOps teams get the security feedback loop they have been looking for.

Data sources:
• Web Access Logs
• Java Instrumentation
• Proxy Logs
• DNS Logs
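Added example (not part of the deck) of one attack model applied to the first data source in the list, web access logs. Constructed common-log-format lines are parsed, each request path is checked for injection, traversal and instance-metadata probes, and a sliding window counts 404s per client to catch scanning. The log lines, the patterns and the thresholds are all assumptions for this example; a real attack model would carry many more signatures and be tuned against the application’s own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

# Added example: one attack model run over web access logs. Log lines, patterns
# and thresholds are constructed for this page, not taken from any real system.

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Request-level signatures, applied to the URL-decoded path and query string.
PROBE_PATTERNS = {
    "sqli": re.compile(r"union\s+select|'\s*or\s+|--\s*$", re.I),
    "traversal": re.compile(r"(\.\./){2,}"),
    "cloud_metadata": re.compile(r"169\.254\.169\.254"),  # instance metadata reached via SSRF
}

# Constructed sample: a normal client and a probing client.
LOG_LINES = """\
203.0.113.9 - - [24/Feb/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [24/Feb/2016:10:00:02 +0000] "GET /login?user=admin'%20OR%201=1-- HTTP/1.1" 200 512
198.51.100.7 - - [24/Feb/2016:10:00:03 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 210
198.51.100.7 - - [24/Feb/2016:10:00:04 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 404 210
198.51.100.7 - - [24/Feb/2016:10:00:05 +0000] "GET /admin HTTP/1.1" 404 210
198.51.100.7 - - [24/Feb/2016:10:00:06 +0000] "GET /phpmyadmin HTTP/1.1" 404 210
198.51.100.7 - - [24/Feb/2016:10:00:07 +0000] "GET /.git/config HTTP/1.1" 404 210
203.0.113.9 - - [24/Feb/2016:10:00:08 +0000] "GET /about.html HTTP/1.1" 200 884
""".splitlines()


def parse_line(line):
    """Returns a dict for a well-formed line, None for anything the regex rejects."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])   # match against what the server actually saw
    return rec


def detect(lines, scan_threshold=5, window_seconds=60):
    """Findings in log order: a signature hit per matching request, plus one
    'scanning' finding per client when its 404s in the window reach the threshold."""
    findings = []
    recent_404 = defaultdict(deque)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, pattern in PROBE_PATTERNS.items():
            if pattern.search(rec["path"]):
                findings.append({"rule": rule, "ip": rec["ip"], "ts": rec["ts"], "detail": rec["path"]})
        if rec["status"] == 404:
            window = recent_404[rec["ip"]]
            window.append(rec["ts"])
            while (rec["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) == scan_threshold:
                findings.append({"rule": "scanning", "ip": rec["ip"], "ts": rec["ts"],
                                 "detail": f"{len(window)} 404s within {window_seconds}s"})
    return findings


if __name__ == "__main__":
    for finding in detect(LOG_LINES):
        print(finding["ts"].isoformat(), finding["ip"], finding["rule"], finding["detail"])
```

Two things the sample is meant to show: decode before matching (the injection attempt is only visible after %20 becomes a space), and pair content signatures with a behavioural rule, because the scanning client’s first probes would each look like noise on their own. The cloud_metadata rule is the cloud-specific one: a request that makes the application fetch 169.254.169.254 is a bid for the instance’s role credentials.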

Page 38: Cloud Security Feedback Loop

Diagram: Cloud accounts (S3, Glacier, EC2, CloudTrail) → ingestion → security tools & data, joined by threat intel → security science → insights, feeding back into the cloud accounts. SPEED MATTERS.

Page 39: THE OPTIONS ARE ENDLESS...

https://www.flickr.com/photos/atomicbartbeans

Page 40: Safe experimentation is critical…

• Test possible solutions, arrive at Good Enough.
• Crawl-Walk-Run plans can save your org from large-scale incidents.
• Keep up with Lessons Learned!

Page 41: Don’t Hug Your Instances…

10 DAYS

• Research suggests that you should replace your instances at least every 10 days, and that may not be often enough.
• Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.
• Make sure to keep a snapshot for forensic and compliance purposes.
• Use config management automation to make changes part of the stack.
• Refresh routinely; refresh often!

Page 42: Use Cloud Native Security Features...

• Cloud native security features are designed to be cloudy.
• Audit is a primary need!
• Configuration and baseline checks baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle.
• Be deliberate about how to use built-in security controls and who has access.
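Added example that combines the 10-day refresh rule from the previous slide with “configuration and baseline checks early in the Continuous Delivery cycle”: a small baseline run over a constructed inventory whose shape loosely mimics EC2 describe_instances / describe_security_groups output and IAM user data. The inventory, the thresholds and the check names are assumptions made for this example, not a provider feature; in a real pipeline the inventory would come from the provider’s APIs and the run would gate the deploy.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# Added example: baseline checks meant to run as a Continuous Delivery gate.
# The inventory is constructed and only mimics the shape of EC2/IAM API output;
# thresholds and check names are assumptions for this page.

MAX_INSTANCE_AGE = timedelta(days=10)   # the deck's "replace at least every 10 days"
ADMIN_PORTS = {22, 3389}
NOW = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are reproducible

INVENTORY = {
    "instances": [
        {"InstanceId": "i-0aaa", "LaunchTime": NOW - timedelta(days=2), "ImageId": "ami-2016b"},
        {"InstanceId": "i-0bbb", "LaunchTime": NOW - timedelta(days=41), "ImageId": "ami-2015z"},
    ],
    "security_groups": [
        {"GroupId": "sg-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-bastion", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    ],
    "iam_users": [
        {"UserName": "alice", "MFADevices": 1, "AccessKeysActive": 0},
        {"UserName": "deploy-bot", "MFADevices": 0, "AccessKeysActive": 2},
    ],
}


def check_instance_age(inventory, now=NOW):
    """Instances older than the refresh interval: nobody re-baked them, so nobody patched them."""
    return [("stale-instance", i["InstanceId"], f"{(now - i['LaunchTime']).days} days old")
            for i in inventory["instances"] if now - i["LaunchTime"] > MAX_INSTANCE_AGE]


def _covers(perm, port):
    if perm["IpProtocol"] not in ("tcp", "-1"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def check_security_groups(inventory):
    """Admin ports reachable from anywhere, and any-port rules (the datacenter 10/8 habit)."""
    findings = []
    for sg in inventory["security_groups"]:
        for perm in sg["IpPermissions"]:
            for ip_range in perm.get("IpRanges", []):
                cidr = ip_range["CidrIp"]
                if ip_network(cidr).prefixlen == 0 and any(_covers(perm, p) for p in ADMIN_PORTS):
                    findings.append(("admin-port-from-internet", sg["GroupId"], cidr))
                if perm.get("FromPort", 0) == 0 and perm.get("ToPort", 65535) == 65535:
                    findings.append(("all-ports-open", sg["GroupId"], cidr))
    return findings


def check_iam_users(inventory):
    """A principal with keys and no MFA is a human without MFA or a bot that should be a role."""
    return [("user-without-mfa", u["UserName"], f"{u['AccessKeysActive']} active access keys")
            for u in inventory["iam_users"] if u["MFADevices"] == 0]


def run_baseline(inventory, now=NOW):
    """All findings; a CD stage would fail the build when this list is non-empty."""
    return check_instance_age(inventory, now) + check_security_groups(inventory) + check_iam_users(inventory)


if __name__ == "__main__":
    for check, resource, detail in run_baseline(INVENTORY):
        print(f"{check:26} {resource:12} {detail}")
```

Each check maps to an earlier slide: instance age to “Don’t Hug Your Instances”, the security-group rules to the “10.0.0.0/8 Connected & Routable?” question on the VPN slide, and the MFA check to “MFA is a MUST!”. Running them on every delivery is what turns those principles into the audit the slide calls a primary need.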

Page 43: Security as Code… gotta do it.

By: Peter Benjamin

Page 44: Apply what you learned today…

• Next week you should:
  • Understand how your organization is or plans to use cloud providers
  • Identify cloud workloads and virtual blast radius within your organization
• In the first 3 months following this presentation you should:
  • Begin to build Security as Code skills and run cloud security experiments to understand the issues
  • Develop Crawl-Walk-Run plans to help your organization build security into cloud workloads
• Within 6 months you should:
  • Cloud workloads have been instrumented for known security issues and flagged during the Continuous Delivery of software to the cloud
  • Your group has begun to test using Red Team methods and automation to ensure end-to-end security for your cloud workloads
  • Remediation happens in hours to days as a result of automation

Page 45: Get Involved & Join the Community

• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity

Join Us!!! Spread the word!!!