From Zero to Secure in 1 Minute

Similar documents
From 0 to Secure in 1 Minute APPSEC IL Moshe Ferber CCSK, CCSP

Cloud Security:Threats & Mitgations

How to Grow and Transform your Security Program into the Cloud

Linux Boot Camp. Our Lady of the Lake University Computer Information Systems & Security Department Kevin Barton Artair Burnett

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Backup and Recovery of SAP Systems on Windows / SQL Server

Nessus Agents. October 2015

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Architecture Overview

Zabbix for Hybrid Cloud Management

The Nexpose Expert System

McAfee Database Security. Dan Sarel, VP Database Security Products

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Repeater. BrowserStack Local. browserstack.com 1. BrowserStack Local makes a REST call using the user s access key to browserstack.

DIY Device Cloud Documentation

Proactively Secure Your Cloud Computing Platform

SYMANTEC DATA CENTER SECURITY: SERVER ADVANCED 6.5

Building and Managing a Standard Operating Environment

Security Issues in Cloud Computing

8070.S000 Application Security

Building Energy Security Framework

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

SERENA SOFTWARE Serena Service Manager Security

Cedric Rajendran VMware, Inc. Security Hardening vsphere 5.5

Protecting Sensitive Data Reducing Risk with Oracle Database Security

Automated Configuration of Open Stack Instances at Boot Time

DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Cloud Computing WHAT IS CLOUD COMPUTING? 2

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

SECURE, ENTERPRISE FILE SYNC AND SHARE WITH EMC SYNCPLICITY UTILIZING EMC ISILON, EMC ATMOS, AND EMC VNX

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.

MIGRATIONWIZ SECURITY OVERVIEW

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid clouds.

DiamondStream Data Security Policy Summary

Cloud-Security: Show-Stopper or Enabling Technology?

OpenStack. Orgad Kimchi. Principal Software Engineer. Oracle ISV Engineering. 1 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Cloud Security Overview

Vistara Lifecycle Management

HIPAA Compliant Infrastructure Services. Real Security Outcomes. Delivered.

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Using vrealize Code Stream

Automated Application Provisioning for Cloud

Securing Data in Oracle Database 12c

WHITEPAPER. Nessus Exploit Integration

How To Use Anibom Smart Cloud For Business

Cloud Models and Platforms

Protecting the un-protectable Addressing Virtualisation Security Challenges

ovirt self-hosted engine seamless deployment

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

SERVER CLOUD DISASTER RECOVERY. User Manual

Linux Server Support by Applied Technology Research Center. Proxy Server Configuration

PCI DSS 3.0 Compliance

Security & Cloud Services IAN KAYNE

Securing sensitive data at Rest ProtectFile, ProtectDb and ProtectV. Nadav Elkabets Presale Consultant

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

TECHNOLOGY WHITE PAPER Jan 2016

Securing SharePoint 101. Rob Rachwald Imperva

Cloud Security. Let s Open the Box. Abu Shohel Ahmed ahmed.shohel@ericsson.com NomadicLab, Ericsson Research

eeye Digital Security Product Training

IT Security & Compliance. On Time. On Budget. On Demand.

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

AVLOR SERVER CLOUD RECOVERY

How to Keep a Cloud Environment Current, Secure and Available October 16, 2014

Time to Value: Successful Cloud Software Implementation

Dueling Banjos - Cloud vs. Enterprise Security: Using Automation and (Sec)DevOps NOW

Goals. Understanding security testing

Virtualization and Cloud: Orchestration, Automation, and Security Gaps

How To Image A Single Vm For Forensic Analysis On Vmwarehouse.Com

Passing PCI Compliance How to Address the Application Security Mandates

Automate Your BI Administration to Save Millions with Command Manager and System Manager

Cloud Security Training Days 3 and 4 Syllabus

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

GigaSpaces XAP.NET Administration Training ADMINISTRATION, MONITORING AND TROUBLESHOOTING GIGASPACES XAP.NET DISTRIBUTED SYSTEMS

We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review

CompTIA Cloud+ 9318; 5 Days, Instructor-led

McAfee Public Cloud Server Security Suite

KERALA STATE IT MISSION ICT Campus, Vellayambalam, Trivandrum Phone: , , Fax:

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

CONQUERING COMPLIANCE ISSUES WITH RHN SATELLITE AND TENABLE NESSUS SECURITY

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

The Defense RESTs: Automation and APIs for Improving Security

Using SUSE Studio to Build and Deploy Applications on Amazon EC2. Guide. Solution Guide Cloud Computing.

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure

An Oracle White Paper June Oracle Linux Management with Oracle Enterprise Manager 12c

BeBanjo Infrastructure and Security Overview

NEXT-GENERATION, CLOUD-BASED SERVER MONITORING AND SYSTEMS MANAGEMENT

Transcription:

From Zero to Secure in 1 Minute Securing IaaS Nir Valtman & Moshe Ferber Black Hat Asia 2015

About us Moshe Ferber Nir Valtman Passionate about information security. Involved in numerous startups and initiatives sometimes with success, sometimes not Popular industry speakers and lecturers that s why we are here. Instructor for Cloud Security (CCSK) that is what I really like doing. CISO Retail in NCR Corporation. We own a private cloud & offering SaaS Yes we do security!

About the talk Cloud security challenges and benefits And more specifically, using IaaS automation and orchestration features for increasing security on our servers. Dashboard Billing API Orchestration Hypervisor Controller Abstraction Physical Servers Network Storage

Provider administration Insecure instances Management console Side channel attack Cloud attack vectors Multi tenancy & virtualization Chain of supply Automation & API

Anatomy of a cloud hack BrowserStack story Shell shock vulnerability on unused server Found API key on hacked server Using API key opened a firewall rule and launch an instance Attached a backup volume to the instance Found database credential on backup device Connected to DB

The billing cycle is reducing 1 hour 10 min 1 min

How to do security when servers alive for 10 minutes? Patch management Maintenance windows Periodic vulnerability scanning Hardening

Introducing Cloudefigo A fully automatic tool for: Launch Configure and harden Scan Move to production Source code: http://www.cloudefigo.org/ Based on the work made by Rich Mogull from Securosis https://github.com/rmogull/pragmaticnetsecmanagement

Cloudefigo Lifecycle 1 Server launch 2 Server loads security configuration S3 3 Server encrypts disk volumes 5 Server moves to production 4 Server scanned for vulnerabilities

Components Object Storage - AWS S3 A storage architecture that manage data as object. Files are stored along with metadata and unique identifier. Access is usually by HTTP/S. Security Scanner We use Nessus since it s very popular. There are commercial products with built in integration to AWS though: http://www.tenable.com/products/nessus CloudInit CloudInit is a package (originally introduced by Ubuntu) that handles early initialization of a cloud instance. Configuration management We have used Chef, because it is open source and very integrative to our environment. https://www.getchef.com/. AWS IAM Role IAM roles provide permissions for resources. Instances can be assign with an IAM Roles that will determine which resources inside AWS the instance can access. Encryption We have used Full Disk Encryption open source software called dm-crypt. https://code.google.com/p/cryptsetup/wiki/dmcrypt

Instance Lifecycle Launch Terminate Update Production Control Scan

Launch Prepare CloudInit o Each machine manage its own attributes o Encryption keys o Remediation vs production groups. o Management of these attributes require permissions. o Permissions during launch > production o Thus, a dynamic IAM role is required.

Launch Prepare CloudInit

Launch Prepare o Executed in root permissions when image is launching. o Responsible for building the infrastructure for the following steps. CloudInit

Launch Prepare CloudInit

Update OS update Prerequisites o CloudInit to update & upgrade software packages. o Primary goal is to make sure the cloud instance is secure once upgraded.

Update OS update Prerequisites o CloudInit to install the software packages required to operate: Python + pip + wheel. AWS SDK (Boto) Chef Client + Chef SDK (PyChef) o Download configurations and scripts from S3: Cloudefigo script. Chef client initialization files. o Cloudinit to create and attach a volume for application files and data.

Update OS update Prerequisites

Control Chef Registration Encrypt o The Chef clients register to the Chef Management server using the initialization files loaded from S3. o Once the client is registered, a policy is loaded and enforced on the instance.

Control Chef Registration Encrypt o The volume to be encrypted using randomly generated key. The key is kept in S3 for later use. o The application database to be installed in the encrypted volume.

Control Chef Registration o Dynamic S3 policy: access to key require a referrer header that is generated based on attributes from the instance. Encrypt

Control Chef Registration Encrypt

Scan Automatic Scan o A vulnerability scan to be launched automatically by CloudInit script. o The deeper the scan, the longer it takes to move to production. Analyze

Scan Automatic Scan Analyze o The results of the scan are analyzed by the Cloudefigo script. o Based on scan results the instance to move to production or remain in the remediation group. o The lowest security risk severity can be defined.

Scan Automatic Scan Analyze

Production Least privileged role o Reminder: Permissions in launch > production o IAM role permissions reduced dynamically - contains read only access Manage

Production Least privileged role Manage o For the ongoing operations a compensating control is required to locate unmanaged instances. o Cloudefigo management script lists cloud instances and validates they are managed by Chef. o Unmanaged instance can move to remediation, forensics (not implemented in the current version)

Production Least privileged role Manage

Terminate instance o The life cycle ends once a server is terminated along with: Attached volumes IAM role Encryption Keys

Terminate instance Encryption Keys o The instance data still exist in backups/snapshots or provider storage. o Encryption keys to be deleted with instance in order to make sure the backup data remain inaccessible (not implemented in this version)

Wrapping up o Instance launched using Cloudefigo management script o Installed security configurations. o Encrypted the volume. o Scanned for vulnerabilities. o Moved to production. And all of it is automatic and secured

Questions Moshe Ferber @: moshe@onlinecloudsec.com w: www.onlinecloudsec.com in: www.linkedin.com/in/mosheferber Nir Valtman @: nir.valtman@ncr.com w: www.ncr.com www.valtman.org in: www.linkedin.com/in/valtmanir t: @ValtmaNir

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information