Cloud Security Enterprise Concerns and Mitigations. November 3 rd 2015

Transcription

1 Cloud Security Enterprise Concerns and Mitigations November 3 rd 2015

2 Biography Javed Samuel - Technical Director at NCC Group Lead Training Services Technical Account Manager for various clients Deliver security assessments (eg. Architecture Reviews, Cloud, Cryptography) Former Developer 2

3 Agenda Introduction to Cloud Security Cloud Service Security Threats Penetration Testing Highlights Concluding Lessons Additional Areas of Concerns in Cloud Security 3

4 Introduction to Cloud Security

5 Cloud Security Introduction Lots of general purpose hosts Central management Distributed data storage Ability to move applications from system to system Low touch provisioning system Soft failover/redundancy 5

6 Why Cloud Computing? Has transformed business and government, Created new security challenges. Cloud service model delivers businesssupporting technology more efficiently than ever before. Transforms design and delivery of computing technology. 6

7 Cloud Computing Risks Bypass information technology (IT) departments and information officers. Undermines important business-level security policies, processes, and best practices. Businesses are vulnerable to security breaches that can quickly erase any gains made by the switch to SaaS. 7

8 Review of Cloud Service Types Software as a Service (SaaS) Software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. On-demand software". SaaS is typically accessed by users using a thin client via a web browser. o Salesforce.com, Google Apps, Workday, Concur, Citrix GotoMeeting, WebEx 8

9 Review of Cloud Service Types Platform as a Service (PaaS) Provides a platform allowing customers to develop, run, and manage Web applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app. o AWS, Windows Azure, Heroku, Force.com, Google App Engine, Apache Stratos 9

10 Review of Cloud Service Types Infrastructure as a Service (IaaS) Form of cloud computing that provides virtualized computing resources over the Internet. A third-party provider hosts hardware, software, servers, storage and other infrastructure components on behalf of its users. o Amazon Web Services (AWS), Windows Azure, Google Compute Engine, Rackspace Open Cloud, and IBM SmartCloud Enterprise. 10

11 Other Cloud Service Types An Honorable Mention to Citrix! Citrix Presentation Server Not a Cloud Service hosted on-premises (accessed internally/externally) Allows for the rapid remote deployment of internal applications Or full desktop environments 11

12 Other Cloud Service Types 12

13 Most Common Cloud Services Security Assessments & Penetration Tests Microsoft Exchange & Lync Microsoft SharePoint & OneDrive Google Apps for Business Dropbox / Box Slack / HipChat Windows Azure / AWS / Google Cloud 13

14 Breaking In to a Company CLOUD! Attacking Cloud Services Enterprises are increasingly offloading traditional in-house IT to the Cloud. Customer data for commercial services are now more likely to be third party hosted for scalability. Changes the perimeter diagram somewhat. 14

15 Breaking In to a Company CLOUD! Attacking Cloud Services In some cases cloud hosting makes our job easier. Services traditionally buried in the internal network are now on the Internet. E.g. Exchange Online, SharePoint All we need is privilege, federated identity = WIN! Cloud environment security is as strong as the keys / passwords used for the management console. 15

16 Cloud Service Security Threats

17 Cloud Service Security Threats 1. Service Platform Security Is the platform you are using actually secure itself? How do you know? 2. Cloud Data Security Is your data secure with your Cloud Services Provider? Is it encrypted? 17

18 Cloud Service Security Threats 3. Incident Response in the Cloud How much control and visibility do you have if something bad happens? Do you have an Incident Response plan? 4. Cloud Exposure of Systems & Data What important data are you placing outside of your perimeter? Do you know what data is outside your perimeter? 18

19 Cloud Service Security Threats 1. Service Platform Security Is the Cloud Service platform secure itself? Has it been security tested to a comprehensive level? What could go wrong? o Web application provisioning o Multi-tenant environments o Is it a segregated tier or are you in a shared environment? 19

20 Cloud Service Security Threats 2. Cloud Data Security What data are you putting in the cloud? Your corporate ? (Exchange Online) Does your risk management criteria include: o Trusting your CSP with your sensitive data? o Worrying about the CSP being compromised? 20

21 Cloud Service Security Threats 2. Cloud Data Security The choice is obviously yours Many firms are worried about data compromise in the Cloud. Are you? Searchable encryption products are on the rise data encryption in the Cloud to protect your data from the CSP ecosystem. o CipherCloud o Vaultive (others) 21

22 Cloud Service Security Threats 3. Incident Response in the Cloud Incidents and events happen all the time Does your CSP carry out adequate logging? Can you access the logs? What is the lead time in sourcing the logs? What form are they available in? 22

23 Cloud Service Security Threats 3. Incident Response in the Cloud Will they provide running memory snapshots? Will they provide disk images? Have you verified your IR process? Do they provide realtime telemetry for your SOC? 23

24 Cloud Service Security Threats 4. Cloud Exposure of Systems & Data How do your users access the Cloud Service environment? How do your administrators access the Cloud Service environment? What does an attacker gain if they access as a user? What does an attacker gain if they access as an admin? 24

25 Cloud Service Security Threats 4. Cloud Exposure of Systems & Data Consider the interconnection of hosts in the Cloud environment to your Enterprise: o Is there connectivity? o How is it controlled? o If an attacker compromises a Cloud host can they traverse to your on-premises Enterprise network? 25

26 Cloud Service Security Myths 1. Inherently Insecure 2. More Breaches 3. Physical Control of Data Provides Security 4. Too Difficult to Maintain 26

27 Penetration Tests & Securing Applications

28 Operational Risks Lost Credentials Overly Permissive Controls Inadequate Logging and Auditing 28

29 Operational Mitigations Limited accounts via IAM MFA on top-level accounts Limit direct access and use management platforms when possible No developers on production Require all access via bastion host Log every keystroke on top-level accounts. 29

30 Infrastructure Risks Poor Patching Insecure Control Plane Attacks from Corporate Network 30

31 Infrastructure Mitigations Continuous external and semi-external scanning. Auto-discover all instances via API Revocable SSH key per admin AWS Suggestions Use highly limited AMIs Use VPCs to strongly isolate critical services 31

32 Application Risks Too-loose binding Web/API vulnerabilities Bad cryptography 32

33 Application Mitigations Create security engineering group. Build a small set of trusted, core components Input Validation Session Management Cryptography Build a separated, protected authentication cluster Provision internal certs to all instances. 33

34 Concluding Lessons

35 Lessons Learned Easiest Entry Points Still Deliver General Control of Assets Data Security & Confidentiality Exposure of Enterprise Systems Traversal Paths into your Company Authentication & Access Control 35

36 Lessons Learned Easiest Entry Points Still Deliver If you rely solely on usernames and passwords you have a problem. The easiest methods to get usernames and passwords: o Guess them o Phishing o Ask for them 36

37 Lessons Learned General Control of Assets How much control do you have? Quite a lot but as much as you have on-prem? This trade off is probably important to consider You should use this consideration to decide: o Which systems you host in the Cloud? o What data you place in the Cloud? 37

38 Lessons Learned Data Security & Confidentiality is a great example So is online storage Do you trust your CSP? Do you trust their security? Perhaps you should only put data in the Cloud you can afford to: A. Lose B. Have exposed CipherClloud Vaultive 38

39 Lessons Learned Exposure of Enterprise Systems Microsoft The location of Enterprise Data has changed? Where is it now? If its accessible via a CSP, it s not behind the VPN It s globally accessible without the VPN What authentication exists between your data and the rest of the world? What types of authentication? Microsoft 39

40 Lessons Learned Traversal Paths into Your Company Threat Model differently not if, but when What happens when an attacker compromises a Cloud host Can they traverse into your organization via the Cloud presence? Only way to tell is to think about, test it, harden it. Continuous penetration tests. 40

41 Lessons Learned Authentication & Access Control Authentication for Cloud Services is key If you are using single-factor authentication for Cloud Services, you have a major problem. Especially for high-value accounts You need to offset authentication factors away from single points of failure 41

42 Lessons Learned Many options exist for MFA now, consider: o Google Authenticator open source, no support o Duo Authenticator closed source, enterprise support o Also consider how to use innovations like Yubikey (OTP) Think: if an attacker gets credentials MFA stop them getting in easily Native support is popping up cheaply built into platforms. 42

43 Lessons Learned Authentication & Access Control 43

44 Lessons Learned Authentication & Access Control 44

45 Recap Lessons for the Enterprise Easiest Entry Points Still Deliver General Control of Assets Data Security & Confidentiality Exposure of Enterprise Systems Traversal Paths into your Company Authentication & Access Control 45

46 Future Cloud Security Concerns

47 Additional Cloud Security Issues Hypervisor Breaks Covert Channels Timing Attacks Physical Breaches Key Compromises 47

48 Hypervisor Breaks Attackers break out of protected guest environments and take full control of the operating system hosting them. VM escape could open access to the host system and all other VMs running on that host Potentially giving adversaries significant elevated access to the host s local network and adjacent systems. 48

49 Hypervisor Breaks in the media Xen patch VENOM m-vulnerability-could-expose-virtual-machinesunpatched-host-systems 49

50 Key Management Loss of your key can result in loss of data Key provisioning and distribution challenges How does your Cloud Service Provider secure their Master Key? How is key revocation and key rotation handled? 50

51 Side Channel Attacks A side channel is any observable side effect of computation that an attacker could measure and possibly influence. Some error message that tells you a byte of some secret plaintext. Some timing information that tells you a bit of a secret key. 51

52 Side Channel Attacks Error Oracles Bad Padding Failure vs Success Timing Oracles Processor State Math Operations Cache Attacks 52

53 Points of contact Javed Samuel Technical Director NCC Group Security Services M: E: All trademarks used herein are the property of their respective owners 53

54 Cloud Security Gaps

55 Security Gaps in Cloud Computing Data Breaches Data Loss Account Hijacking Insecure APIs Denial of Service 55

56 Security Gaps in Cloud Computing Malicious Insiders Abuse of Cloud Services Insufficient Due Diligence Shared Technology Issues 56

57 Data Breaches Poorly designed multitenant cloud database A flaw in one client s application could allow an attacker access not only to that client s data, but every other client s data as well. Do you know all the security flaws in your applications? 57

58 Data Breaches Able to encrypt your data to reduce the impact of a data breach If the encryption key is lost then data is lost. Keeping offline backups of data to reduce the impact of a catastrophic data loss Increases your exposure to data breaches 58

59 Data Loss Malicious attackers. Accidental deletion by the cloud service provider. Physical catastrophes such as a fire or earthquake. Lost encryption key 59

60 Account hijacking Credentials and passwords reuse. Attacker may eavesdrop on your activities and transactions Or manipulate data and redirect your clients to illegitimate sites. Account or service instances may become a new base for the attacker. 60

61 Insecure API s and Interface Overall cloud services security is dependent upon the security of these APIs. Includes authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. Often build upon these interfaces to offer valueadded services to their customers. 61

62 Denial of Service Force the victim cloud service to consume inordinate amounts of finite system resources Processor Power Memory Disk Space Network Bandwidth Denial-of-service (DDoS) attacks) cause: Intolerable system slowdown Confused and angry legitimate service users 62

63 Malicious Insiders May have access to potentially sensitive information. May have increasing levels of access to more critical systems. Even if encryption is implemented, if the keys are not kept with the customer, the system may still vulnerable to malicious insider attack. 63

64 Abuse of Cloud Services Not everyone wants to use cloud services for good. Cracking Encryption Keys DDos Attacks How will you detect people abusing your service? How will you define abuse? How will you prevent them from doing it again? 64

65 Insufficient Due Diligence Obligations on liability, response, or transparency create mismatched expectations. Applications that are dependent on internal network-level security controls to the cloud are dangerous. Ensure capable resources, and perform extensive internal and CSP due-diligence 65

66 Shared Technology Vulnerabilities Cloud service share infrastructure, platforms, and applications. Compromise of key piece of shared technology such as the hypervisor exposes the entire environment to a potential of compromise and breach. Potentially can affect an entire cloud at once (see Amazon Xen patch) 66

67 Cloud Vs. On-Prem Deployments 10 Benefits of Cloud Computing (Verio.com) 1. Achieve economies of scale increase volume output or productivity with fewer people. Your cost per unit, project or product plummets. 2. Reduce spending on technology infrastructure. Maintain easy access to your information with minimal upfront spending. Pay as you go (weekly, quarterly or yearly), based on demand. 67

68 Cloud Vs. On-Prem Deployments 3. Globalize your workforce on the cheap. People worldwide can access the cloud, provided they have an Internet connection. 4. Streamline processes. Get more work done in less time with less people. 5. Reduce capital costs. There s no need to spend big money on hardware, software or licensing fees. 68

69 Cloud Vs. On-Prem Deployments 6. Improve accessibility. You have access anytime, anywhere, making your life so much easier! 7. Monitor projects more effectively. Stay within budget and ahead of completion cycle times. 8. Less personnel training is needed. It takes fewer people to do more work on a cloud, with a minimal learning curve on hardware and software issues. 69

70 Cloud Vs. On-Prem Deployments 9. Minimize licensing new software. Stretch and grow without the need to buy expensive software licenses or programs. 10.Improve flexibility. You can change direction without serious people or financial issues at stake. 70