ISACA Kettle Moraine Wisconsin

Pragmatic Cloud Security – A Guided Tour

Brian Genz

October 12, 2016

Agenda

• Cloud architectures, service and delivery models

• Overview of core AWS components

• Review of recent AWS security research

• New “AWS Security Best Practices” guide

• Offensive & defensive research

• Key focus areas for audit, risk & compliance

• Defending the Management Plane

• IAM Policies (and audit tools)

• Incident Response preparation (and new tools)

Cloud Architectures,

Service and Delivery Models

NIST Cloud Computing Definition

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”

References:

• http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

NIST Cloud Computing Reference Architecture

References:

• http://www.disa.mil/services/dod-cloud-broker/~/media/files/disa/services/cloud-broker/nist-cloud-ref-architecture.pdf

• NIST SP 500-292: NIST Cloud Computing Reference Architecture

Cloud Computing: A Visualization

References:

• https://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_best-practices-security-compliance-with-amazon-web-services.pdf

(Diagram label: IaaS)

Customer vs. Provider Responsibilities

References:

• https://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_best-practices-security-compliance-with-amazon-web-services.pdf

Shared Responsibility Model

References:

• https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf (“AWS Shared Responsibility Model for Infrastructure Services”)

Shared Responsibility Model

References:

• “Defining and Implementing Effective Cloud Security Architecture in Amazon Web Services” by Mike Morrato, Gartner Technical Professional Advice, published September 27, 2016

Customer Responsibility

• Network Security

• IAM

• Data Protection

• Key Management

• Third-Party Security Tools

• Host Security

• Logging/Monitoring

• Compliance

• Network Design

• Application Security

• Audit/Security Assessment

• API Security

AWS Responsibility

• Networking

• Compute

• Storage

• APIs

Overview of Core AWS Components

Understanding the Environment

• As information security professionals, we face a constant need to understand the context around a particular environment or technology.

• As rapidly as new technologies emerge, the threat landscape changes at an equally fast pace.

• While we don’t need to become cloud security architects in order to assess AWS risk effectively, we do need to achieve a baseline level of understanding of the technology as it is deployed and configured in the environment we are assessing.

Understanding the Environment

• For example, AWS offers its own “acronym soup” to describe core components / services.

References:

• https://cloudcraft.co/

• https://docs.aws.amazon.com/general/latest/gr/glos-chap.html

Understanding the Environment

• We need to be able to establish a foothold of familiarity with the core components / services to be able to start evaluating risk in a meaningful way.

• We’ll narrow our focus to four core services:

• Amazon VPC (Virtual Private Cloud)

• Amazon EC2 (Compute Power)

• Amazon S3 (Storage)

• Amazon RDS (Database)

Core AWS Components

References:

• https://aws.amazon.com/

Core AWS “Services”

References:

• https://aws.amazon.com/

VPC: “Virtual Private Cloud”

References:

• https://aws.amazon.com/

• Thanks to LinuxAcademy.com for the Facebook / VPC analogy.

(Diagram: Internet Connection; VPC with Amazon S3 (Storage), Amazon EC2 (Compute) and Amazon RDS (Database))

VPC: Facebook Analogy

References:

• https://aws.amazon.com/

• Thanks to LinuxAcademy.com for the Facebook / VPC analogy.

(Diagram: Internet Connection; Facebook; My Homepage, Mr. Bean’s Homepage, Bob’s Homepage)

(Diagram: Internet Connection; My VPC, Mr. Bean’s VPC, Bob’s VPC; Amazon EC2 (Compute), Amazon S3 (Storage), Amazon RDS (Database))

Amazon EC2: “Compute”

References:

• https://aws.amazon.com/

• Thanks to LinuxAcademy.com for the Netflix / EC2 analogy.

For our discussion purposes, when you hear “EC2 Compute,” think of it as “a computer or server.”

EC2: Netflix Analogy

References:

• https://aws.amazon.com/

• Thanks to LinuxAcademy.com for the EC2 / Netflix analogy.

(Diagram: Internet Connection; VPC; Amazon EC2 (Compute))

RDS: Netflix Analogy

References:

• https://aws.amazon.com/

• Thanks to LinuxAcademy.com for the EC2 / Netflix analogy.

(Diagram: Internet Connection; VPC; Amazon EC2 (Compute); Amazon RDS (Database): account details, movie inventory)

S3: Netflix Analogy

References:

• https://aws.amazon.com/

• Thanks to LinuxAcademy.com for the EC2 / Netflix analogy.

(Diagram: Internet Connection; VPC; Amazon EC2 (Compute); Amazon RDS (Database): account details, movie inventory; Amazon S3 (Storage))

Review of Recent Research: AWS Security

AWS Security Research

References:

• https://danielgrzelak.com/backdooring-an-aws-account-da007d36f8f9#.7r43nljme

AWS Security Research

References:

• https://danielgrzelak.com/exploring-an-aws-account-after-pwning-it-ff629c2aae39#.oov8mtygp

AWS Security Research

References:

• http://blyx.com/2016/06/16/cloud-forensics-caine7-on-aws/

AWS Security Research

References:

• https://www.blackhat.com/docs/us-16/materials/us-16-Amiga-Account-Jumping-Post-Infection-Persistency-And-Lateral-Movement-In-AWS-wp.pdf

AWS Security Research

References:

• https://alestic.com/2015/10/aws-iam-readonly-too-permissive/
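The post cited above argues that an AWS-managed “read-only” policy built on `s3:Get*` lets its holder read object contents, not just bucket metadata. The following is an added example for this talk (not code from the post, and not AWS’s policy evaluation engine): it expands IAM Action wildcards the way IAM does and reports which S3 calls a statement covers. The two statements are constructed (the first uses `s3:Get*` the way ReadOnlyAccess does; the second is a tightened, metadata-only alternative), and Resource and Condition elements are ignored.

```python
"""Show which S3 API calls an IAM statement's Action element covers.
Added example for this talk, not AWS's evaluation engine: it handles
'*' and '?' wildcards in Action and ignores Resource and Condition."""
import re

# Constructed statements. BROAD_READ uses "s3:Get*" as the managed
# ReadOnlyAccess policy does; METADATA_ONLY lists bucket-level actions only.
BROAD_READ = {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
METADATA_ONLY = {"Effect": "Allow",
                 "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucket*"],
                 "Resource": "*"}

# API actions an auditor wants to tell apart: bucket metadata vs. object data.
PROBE_ACTIONS = ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketPolicy",
                 "s3:GetBucketAcl", "s3:GetObject", "s3:GetObjectVersion"]


def action_matches(pattern, action):
    """IAM Action matching: '*' matches any run of characters, '?' exactly one,
    the comparison is case-insensitive, and the service prefix is part of it."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.fullmatch("".join(parts), action, re.IGNORECASE) is not None


def allowed_actions(statement, candidates):
    """Return the candidate actions an Allow statement's Action element covers."""
    if statement.get("Effect") != "Allow":
        return []
    patterns = statement.get("Action", [])
    if isinstance(patterns, str):
        patterns = [patterns]
    return [a for a in candidates if any(action_matches(p, a) for p in patterns)]


def reads_object_contents(statement):
    """True when the statement lets the holder fetch object data, not just metadata."""
    return bool(allowed_actions(statement, ["s3:GetObject", "s3:GetObjectVersion"]))


if __name__ == "__main__":
    for name, st in (("BROAD_READ", BROAD_READ), ("METADATA_ONLY", METADATA_ONLY)):
        print(name, allowed_actions(st, PROBE_ACTIONS),
              "reads object contents:", reads_object_contents(st))
```

The check to carry into an audit is `reads_object_contents`: any statement whose Action patterns reach `s3:GetObject` is a data-access grant, whatever the policy is named.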

AWS Security Research

References:

• http://threatresponse.cloud/

• http://threatresponse-derbycon.s3-website-us-west-2.amazonaws.com/#/step-1
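The research above (backdooring an account, post-infection persistence and lateral movement) and the agenda items on defending the management plane and preparing for incident response meet in CloudTrail review. The following is an added example for this talk, not code from the cited posts or from the ThreatResponse tools: it flags IAM events that match common persistence moves (an access key or console password created for a different user, AdministratorAccess attached to a principal, a role trust policy widened to an outside account). The CloudTrail records use real field names but constructed values, and the reviewed account id is assumed.

```python
"""Flag IAM management-plane events that match common AWS persistence
techniques. Added example for this talk; the events are constructed
(CloudTrail field names, fictitious identities) and ACCOUNT_ID is assumed."""
import json

ACCOUNT_ID = "123456789012"  # assumed: the account whose trail is being reviewed
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}

SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob"}},            # key minted for another user
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}},          # own key rotation, benign
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup", "policyArn": ADMIN_POLICY}},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleName": "Deploy", "policyDocument": json.dumps({
         "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]})}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},                              # not an IAM event
]


def foreign_principals(trust_policy, account_id):
    """Return AWS principals in a role trust policy that sit outside account_id."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            found.append("*")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in [aws] if isinstance(aws, str) else aws:
            # Principals are arn:aws:iam::<account>:... , a bare account id, or "*".
            owner = p.split(":")[4] if p.startswith("arn:") else p
            if owner != account_id:
                found.append(p)
    return found


def detect(event, account_id):
    """Return a reason string if the event matches a persistence pattern, else None."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    caller = event.get("userIdentity", {}).get("userName")
    target = params.get("userName")
    # CloudTrail omits userName when the caller acts on its own credentials.
    if name in ("CreateAccessKey", "CreateLoginProfile") and target not in (None, caller):
        return "%s by %s for another user: %s" % (name, caller, target)
    if name in ATTACH_EVENTS and params.get("policyArn") == ADMIN_POLICY:
        return "AdministratorAccess attached by %s" % caller
    if name == "UpdateAssumeRolePolicy":
        foreign = foreign_principals(json.loads(params.get("policyDocument", "{}")), account_id)
        if foreign:
            return "role %s now trusts %s" % (params.get("roleName"), ", ".join(foreign))
    return None


def scan(events, account_id=ACCOUNT_ID):
    """Return (eventName, reason) pairs for every event worth an analyst's look."""
    hits = []
    for ev in events:
        reason = detect(ev, account_id)
        if reason:
            hits.append((ev["eventName"], reason))
    return hits


if __name__ == "__main__":
    for name, reason in scan(SAMPLE_EVENTS):
        print("%-22s %s" % (name, reason))
```

These rules are deliberately narrow so they can run over a whole trail with few false positives; the remaining noise (legitimate admins minting keys for new hires) is what a change ticket cross-check is for.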

Key Focus Areas for Audit, Risk & Compliance

AWS Trusted Advisor

References:

• https://aws.amazon.com/premiumsupport/trustedadvisor/

Prowler

References:

• https://github.com/Alfresco/aws-cis-security-benchmark

Scout2

References:

• https://nccgroup.github.io/Scout2/
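Trusted Advisor, Prowler and Scout2 all report on IAM credential hygiene, and Prowler does so against the CIS AWS Foundations Benchmark. To show what such a check actually does, here is an added example for this talk (not code from any of those tools) that audits an IAM credential report for three benchmark findings: console users without MFA, access keys older than 90 days, and active root access keys. The report text is constructed to follow the column layout of `aws iam get-credential-report`; the users, dates and the review date are fictitious.

```python
"""Audit an IAM credential report for CIS AWS Foundations findings:
console password without MFA (1.2), access key older than 90 days (1.4)
and active root access keys (1.12). Added example for this talk, not code
from Prowler, Scout2 or Trusted Advisor. REPORT_CSV is constructed to match
the column layout of `aws iam get-credential-report`."""
import csv
import io
from datetime import datetime, timedelta, timezone

AS_OF = datetime(2016, 10, 12, tzinfo=timezone.utc)  # assumed review date
MAX_KEY_AGE = timedelta(days=90)

REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2014-01-01T00:00:00+00:00,not_supported,2016-10-01T09:00:00+00:00,not_supported,not_supported,true,true,2014-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2015-03-01T00:00:00+00:00,true,2016-10-10T12:00:00+00:00,2016-09-01T00:00:00+00:00,2016-12-01T00:00:00+00:00,true,true,2016-09-01T00:00:00+00:00,2016-10-11T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-03-01T00:00:00+00:00,true,2016-10-09T12:00:00+00:00,2015-03-01T00:00:00+00:00,2015-06-01T00:00:00+00:00,false,true,2015-03-01T00:00:00+00:00,2016-10-11T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
svc-backup,arn:aws:iam::123456789012:user/svc-backup,2016-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-08-01T00:00:00+00:00,2016-10-11T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
"""


def parse_time(value):
    """Report timestamps are ISO 8601; 'N/A' and 'not_supported' carry no date."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_text, as_of=AS_OF):
    """Return (user, finding) pairs for every benchmark violation in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root shows password_enabled=not_supported, so this check skips it.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for slot in ("1", "2"):
            if row["access_key_%s_active" % slot] != "true":
                continue
            if is_root:
                findings.append((user, "active root access key %s" % slot))
                continue
            rotated = parse_time(row["access_key_%s_last_rotated" % slot])
            if rotated is None or as_of - rotated > MAX_KEY_AGE:
                age = "unknown" if rotated is None else "%d days" % (as_of - rotated).days
                findings.append((user, "access key %s not rotated in 90 days (age %s)" % (slot, age)))
    return findings


if __name__ == "__main__":
    for user, finding in audit(REPORT_CSV):
        print("%-16s %s" % (user, finding))
```

On a live account the same function runs over the output of `aws iam get-credential-report` (the report body is base64-encoded CSV), which is also the data source the audit tools above draw on.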

Summary

• We need to continue to keep pace with the changing technology (and threat) landscape.

• We have reviewed AWS core services to develop a foothold of familiarity.

• We emphasized the need to identify customer vs. AWS roles and responsibilities.

• We discussed tools at our disposal for auditing key aspects of the environment.

• Please visit some of the referenced sources for more information about current trends.

Questions?