CUMULONIMBUS FORTIFICATION - SECURE YOUR DATA IN THE CLOUD
David Busby | Information Security Architect | Percona
Threat Models: Quantifying Threats To Your Deployments

Threat Models: What is Threat Modeling?

A threat model is
• A prioritized list of security enhancements for
  ● Concepts
  ● Requirements
  ● Design
  ● Implementation
• Identifying & isolating
  ● Areas of risk
  ● Potential threats
• Defining scope
• Understanding
  ● Possible attack vectors
  ● Countermeasures
• Reduction of risk
• Some examples
  ● OWASP
  ● Microsoft SDL
  ● Apple
Threat Models: What is a Side Channel Attack?

A side channel attack is
• An indirect attack to reveal secrets
• In cryptography
  ● Power analysis
  ● Acoustic analysis
  ● EM (electromagnetic) analysis
  ● Cache timing
• Children
  ● Are the masters of side channel attacks
• In general
  ● Power analysis
  ● Acoustic analysis
    ● Keyboard acoustics
    ● Inaudible frequencies
  ● EM analysis
    ● Noise floor
  ● Weaponizing your pets
Threat Models: What is a Co-Residency Attack?

A co-residency attack is
• An indirect attack to reveal secrets
  ● Against virtual guests on the same hypervisor
  ● A prerequisite for "side channel" attacks such as
    ● Cache timing
  ● AWS EC2
    ● White papers claim some 40% success rate
    ● Defeated by the dedicated EC2 option
• AWS EC2
  ● Dedicated Instances option
  ● Prevents co-residency
• OpenStack
  ● Instances can be weighted
  ● Dedicate a HW pool for "sensitive" trusted instances
  ● Dedicate a pool for everything else
Amazon AWS: Compliance Documentation

Amazon AWS: Why should I care about compliance?

A strong foundation
• aws.amazon.com/compliance
• You can't control the underlying infrastructure
  ● You want some assurance
  ● PCI DSS Level 1
    ● No, this doesn't make you PCI compliant
    ● Shared responsibility model
• "A foolish man, which built his house upon the sand"
  ● No VM is secure if ...
    ● The hypervisor is insecure
    ● The network is insecure
    ● The DC is insecure
    ● Support staff are insecure

Amazon AWS: Features / Services to Secure your Deployments
Amazon AWS: Key Management Service

Create, store, control keys
• Encryption support for
  ● EBS, RDS*, S3, Redshift, ...
  ● *not MySQL RDS
• Key management
  ● Yearly rotation
  ● Retired, not removed
  ● The service auto-detects the correct key for use
• Key access controlled through IAM
  ● Define key administrators and key users
• AES-GCM-256
• Hardened Security Appliance (HSA)
  ● HSM backed
• Auditable usage
  ● CloudTrail
Amazon AWS: Virtual Private Cloud

Isolated cloud resources
• VPN
  ● IPSec VPN tunnel support
  ● Peer with
    ● DCs, office, other VPCs
• Routers can be configured for
  ● Internet access
  ● NAT
• EIPs still work!
• Flow Logs
  ● Useful for basic analytics
  ● src, dst, srcport, dstport, bytes
  ● Can be pushed into Splunk
  ● CloudWatch + ELK
Amazon AWS: Identity and Access Management

User ACL
• Can't restrict the root account
  ● Stop using it!
  ● Delete its API keys!
• Deploy MFA
  ● On all users
  ● Especially the root account
• Create groups
  ● Assign users
  ● Ensure the principle of least privilege (PoLP)
• Advisory tools
  ● Netflix Security Monkey
  ● AWS Trusted Advisor
  ● Nimbostratus
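An added example (not from the deck) that checks the three points above, root API keys, root MFA and MFA on every console user, against an IAM credential report. The CSV is a constructed sample in the shape of `aws iam get-credential-report` output, trimmed to the columns the check reads; the real report has more columns, which the header-driven parser ignores.

```python
"""Audit an IAM credential report for root keys and missing MFA (added example)."""
import csv
import io

# Constructed sample (not a real account). Column names follow the AWS credential
# report; the real report carries more columns, which DictReader simply ignores.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2014-01-01T00:00:00+00:00,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,2015-02-10T09:00:00+00:00,true,true,true,false
bob,arn:aws:iam::123456789012:user/bob,2015-03-01T09:00:00+00:00,true,false,true,true
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2015-03-05T09:00:00+00:00,false,false,true,false
"""

ROOT_USER = "<root_account>"  # how the credential report names the root identity


def _truthy(value):
    # Report values are the strings "true"/"false" (root shows "not_supported"
    # for password_enabled, which we treat as false).
    return value.strip().lower() == "true"


def audit_credential_report(report_csv):
    """Return (user, finding) pairs; an empty list means every check passed."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_keys = _truthy(row["access_key_1_active"]) or _truthy(row["access_key_2_active"])
        if user == ROOT_USER:
            # Root cannot be restricted by policy, so it must have no keys and must have MFA.
            if has_keys:
                findings.append((user, "root account has active API keys; delete them"))
            if not _truthy(row["mfa_active"]):
                findings.append((user, "root account has no MFA"))
            continue
        # Console (password) users need MFA; pure API users have no console login to protect.
        if _truthy(row["password_enabled"]) and not _truthy(row["mfa_active"]):
            findings.append((user, "console user without MFA"))
    return findings
```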
Amazon AWS: Identity and Access Management

API access
• Create & retire keys
• API keys must be protected
  ● Disclosure can be
    ● Expensive
    ● Bitcoin / Litecoin / other coin mining
    ● Malware distribution
    ● DoS "stresser"
    ● Phishing
    ● Complete nuke
• Instance access is not needed
  ● Snapshot
  ● Export
    ● Can even export to OVA
    ● Or attach to another instance
  ● Zero indication in traditional controls
    ● Deploy CloudTrail
    ● Even for RDS

Amazon AWS: API keys in Pastebin / Github

OpenStack: What is OpenStack Bandit?
OpenStack: Bandit

"Security linter"
• Can be configured to error on
  ● "Known bad"
    ● Default passwords
    ● Weak hashes
  ● Insecure methods
    ● yaml.load
    ● pickle.loads
• Deployed as part of the CI process
  ● Similar to unit tests
  ● Force "build" failure if
    ● Known insecure
    ● Insecure method
    ● Insecure use of input

OpenStack: Features / Services to Secure your Deployments
OpenStack: Neutron

Networking as a Service (NaaS)
• VPNaaS
  ● IPSec VPN (similar to VPC)
• "Technology-agnostic network abstraction"
• Can leverage Open vSwitch
• TL;DR: virtualized switching infrastructure
OpenStack: Barbican

Secure secrets management
• REST API
  ● Cinder
    ● Kilo
  ● Glance
    ● Not yet
  ● Swift
    ● Blueprints exist
  ● Nova
    ● Blueprints exist
• Looks to replicate KMS functionality
• Can back onto HSM appliances
• Currently an "emerging" feature

Docker: What is Docker?
Docker: What is container virtualization?

runC (formerly libcontainer)
• Layered filesystem (AUFS)
  ● Share read-only components
  ● Mount a writable layer per container
• Namespacing & cgroups
  ● Similar to LXC
  ● cgroups control resources
  ● Namespaces help provide isolation
• Each container gets
  ● Its own network stack
Docker: How is this different?

Containers
• All containers on a host run the same
  ● Host OS
  ● Kernel
  ● Some binaries & libs
• Rightscale blog post
Docker: Does this affect my attack surface?

Some caveats to Docker
• The daemon requires root
  ● Users in the docker group have access to the daemon
  ● Therefore docker group users should be considered as having root access
  ● Container breakout is entirely possible
    ● And has been proven before
• Possible to craft
  ● Malicious images
    ● Same as any VM
  ● Docker Security Pages
Docker: Is it production ready?

If properly configured
• As with any other technology
  ● Research the caveats
    ● And limitations
  ● Produce your threat model
    ● And secure accordingly
Maybe ...
• Docker & SELinux
  ● Dan Walsh (Red Hat)
• Docker Security Page
• AWS Container Service

Federated Clouds: United federation of ... cloud technologies (admit it, you thought planets)
Federated Clouds: What is it?

Taking cloud $vendors
• Amazon
• Rackspace
• Google
• HP
• Digital Ocean
• Linode
• Etc ...
And through APIs integrating with
• Private cloud deployments
  ● OpenStack
  ● Docker Swarm
  ● VMware
  ● Etc ...
Federated Clouds: Why do I need one?

Develop & QA
• On a known common stack
  ● OS
  ● Application stack
• Automate QA
  ● Spin up an instance / container
  ● Deploy code from SCM
  ● Run tests
• Automate deployment
  ● When the build passes, use the APIs to push
Production
• Some services can import entire images
  ● AWS
    ● OVA (VMDK)
  ● OpenStack
    ● Glance
    ● QCOW (preferred)
  ● Not supported by some $vendors
Federated Clouds: Ensuring a secure "chain of custody"

Develop & QA
• Build OK
  ● Store the image
  ● Sign the image
    ● e.g. GPG
  ● The "appliance" can now be deployed
Production
• Deploy the appliance
  ● Verify the signature
• Post-deploy integration
  ● Ansible / Puppet / Chef
• Fail over to the new appliance
• Retire the old appliance
• Retain API audit logs

Security CI: How Security can be part of your CI process
Security CI: Integrating Security in your CI

Extend your unit tests
• Only allow "safe" methods
  ● For SQL
    ● Sanitize user input
    ● Test sanitization methods
  ● e.g.
    ● Known "good" class / method
  ● Require compile args
    ● -pie -fPIE
Fail securely
• Fail builds on unsafe / non-standard methods
• Enforce security as a development standard
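An added example, not Bandit itself and not from the deck, that shows the CI gate the Bandit slide and this slide both describe: an AST pass over Python source that flags the "known bad" calls listed earlier (yaml.load without SafeLoader, pickle.loads, weak hashes, hardcoded passwords) and SQL built by string formatting, and a build step that fails when anything is found. The scanned source is a constructed sample.

```python
"""Minimal CI security check in the spirit of Bandit (added example, not Bandit itself)."""
import ast
import sys

# Calls the deck lists as "known bad": dotted call name -> finding text.
BANNED_CALLS = {
    "yaml.load": "yaml.load without SafeLoader can instantiate arbitrary objects",
    "pickle.loads": "pickle.loads turns untrusted bytes into code execution",
    "pickle.load": "pickle.load turns untrusted bytes into code execution",
    "hashlib.md5": "weak hash (md5)",
    "hashlib.sha1": "weak hash (sha1)",
}
PASSWORD_NAMES = ("password", "passwd", "secret")

# Constructed sample source with one of each problem (and two acceptable lines).
SAMPLE_SOURCE = '''
import hashlib, pickle, yaml
password = "hunter2"
cfg = yaml.load(open("cfg.yml"))
safe_cfg = yaml.load(open("cfg.yml"), Loader=yaml.SafeLoader)
obj = pickle.loads(blob)
digest = hashlib.md5(data).hexdigest()
cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def _qualname(node):
    """Dotted name of a call target such as 'yaml.load', or None if not a plain name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_formatted_sql(arg):
    """True if an execute() statement argument is assembled by formatting, not a constant."""
    if isinstance(arg, ast.JoinedStr):                                    # f"..."
        return True
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Mod, ast.Add)):
        return True                                                       # "..." % x, "..." + x
    if isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute):
        return arg.func.attr == "format"                                  # "...".format(x)
    return False


def scan_source(source, filename="<string>"):
    """Return sorted (line, message) findings for one Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            name = _qualname(node.func)
            if name in BANNED_CALLS:
                # yaml.load(..., Loader=yaml.SafeLoader) is the accepted form.
                if name == "yaml.load" and any(
                        kw.arg == "Loader" and "Safe" in (_qualname(kw.value) or "")
                        for kw in node.keywords):
                    continue
                findings.append((node.lineno, BANNED_CALLS[name]))
            elif name and name.endswith(".execute") and node.args \
                    and _is_formatted_sql(node.args[0]):
                findings.append((node.lineno, "SQL built by string formatting; use parameters"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in PASSWORD_NAMES \
                        and isinstance(node.value, ast.Constant) \
                        and isinstance(node.value.value, str):
                    findings.append((node.lineno, f"hardcoded value assigned to {target.id}"))
    return sorted(findings)


def ci_gate(sources):
    """Build exit status: 0 when clean, 1 (fail the build) when any finding exists."""
    all_findings = [(fname, line, msg)
                    for fname, src in sources.items()
                    for line, msg in scan_source(src, fname)]
    for fname, line, msg in all_findings:
        print(f"{fname}:{line}: {msg}", file=sys.stderr)
    return 1 if all_findings else 0
```

In a real pipeline this is where `bandit -r .` (or this script) runs next to the unit tests, with a non-zero exit status failing the build.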
Telemetry Processing: Why is it your most important data source?

Telemetry Processing: In the ether no one can hear you scream ...

In AWS, API calls are "invisible"
• Sort of ...
  ● CloudTrail + SNS
    ● Alarm on specific API activity
  ● Instances
    ● Launch / stop / terminate
    ● Snapshot
  ● S3
    ● Create / delete / ACL changes
  ● KMS
    ● Keys
      ● Administration
        ● Retire / create
      ● Access
  ● IAM
    ● Add / delete MFA
    ● Key generation / removal
    ● Etc ...
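An added example (not from the deck) of the watch-list matching behind "alarm on specific API activity": CloudTrail records are checked against the event categories listed above and each hit is turned into the message you would publish to SNS. The trail file is a constructed sample in CloudTrail's `{"Records": [...]}` layout; the real delivery path (CloudTrail into CloudWatch Logs or a Lambda, then SNS) is assumed and not shown.

```python
"""Watch-list matching over CloudTrail records (added example, not from the deck)."""
import json

# eventSource -> eventNames worth an alarm, following the slide's categories.
WATCH_LIST = {
    "ec2.amazonaws.com": {"RunInstances", "StopInstances", "TerminateInstances",
                          "CreateSnapshot", "ModifySnapshotAttribute"},
    "s3.amazonaws.com": {"CreateBucket", "DeleteBucket", "PutBucketAcl"},
    "kms.amazonaws.com": {"CreateKey", "DisableKey", "ScheduleKeyDeletion"},
    "iam.amazonaws.com": {"CreateAccessKey", "DeleteAccessKey",
                          "EnableMFADevice", "DeactivateMFADevice"},
}

# Constructed sample in the shape of a CloudTrail log file (not real events).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-06-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-06-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"snapshotId": "snap-0123abcd",
                           "attributeType": "createVolumePermission"}},
    {"eventTime": "2015-06-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2015-06-01T10:03:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
]})


def actor(record):
    """Who made the call: the IAM user name, or the identity type (e.g. Root) if none."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def match_watch_list(trail_json, watch_list=WATCH_LIST):
    """One alert dict per record whose (eventSource, eventName) is on the watch list."""
    alerts = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventName") in watch_list.get(rec.get("eventSource"), ()):
            alerts.append({
                "time": rec["eventTime"],
                "event": f'{rec["eventSource"]}:{rec["eventName"]}',
                "actor": actor(rec),
                "source_ip": rec.get("sourceIPAddress"),
                "region": rec.get("awsRegion"),
                "params": rec.get("requestParameters", {}),
            })
    return alerts


def sns_message(alert):
    """Plain-text body for the SNS notification (what you would pass as Message=...)."""
    return (f'[CloudTrail] {alert["event"]} by {alert["actor"]} '
            f'from {alert["source_ip"]} in {alert["region"]} at {alert["time"]}')
```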
Telemetry Processing: In the ether no one can hear you scream ...

In OpenStack
• Logging is configured per component
  ● Cinder
  ● Nova
  ● Neutron
    ● aka Quantum
  ● Keystone
  ● Barbican
• API calls are "invisible"
  ● To traditional IDS
  ● Push the logs into your own configuration
  ● Alert on set conditions
    ● Instances up / terminated
    ● Key creation / deletion
    ● Snapshots
    ● Network configuration
Telemetry Processing: In the ether no one can hear you scream ...

Traditional telemetry
• Resource metrics
  ● CPU / RAM / IO
    ● Should include GPU
  ● Network
  ● IDS / IPS
    ● Host events
    ● Network events
• Service metrics
  ● MySQL
    ● Running queries
    ● AHI (adaptive hash index)
    ● Buffer pool
  ● Queue services
    ● Queue length
    ● Message size
  ● HTTPD
    ● Request load
Telemetry Processing: Data overload, handling many lines/s

ELK
• ElasticSearch
  ● Indexing & search
  ● Lucene
• LogStash
  ● Log aggregation
  ● Mutation
• Kibana
  ● Visualising interface for ElasticSearch
• LogStash
  ● Can feed alerts to Nagios
• Make it modular
  ● Deploy components on separate nodes, where possible
  ● Also ensures availability

Telemetry Processing: Data overload, handling many lines/s
Hadoop
• OpenSOC
  ● 1.2M packets/sec real-time
  ● Flume
    ● Ships log data
  ● Kafka
    ● Messaging system
  ● Storm
    ● Distributed job processing
    ● Runs "enrichment"
• ElasticSearch
  ● ElasticSearch can back onto HDFS
  ● Greater analytics variety
    ● Map reduce
• Alerting
  ● Storm jobs could run analytics and alert on set conditions.
Telemetry Processing: Don't over-engineer things!

Emerging Technologies: Projects to keep an eye on, to help in your security.
Emerging Tech: Vaultproject.io

Secret storage
• API-driven access to
  ● Secrets
    ● Dynamic secrets
      ● Aids auto-rotation
  ● Encryption service
    ● Encrypt / decrypt data via API
  ● Leasing & renewal
• Similar to Barbican
• HA configurable
  ● Consul
• Audit backend
• Multiple integrations
  ● AWS
  ● MySQL
  ● PostgreSQL
Emerging Tech: Haka-Security.org

Developer-friendly network security?
• Lua DSL
  ● Object oriented
  ● Kibana support
    ● Hakabana
• Also for analytics
  ● Can analyse pcap files

Building The Castle: Ok, I've got the idea. But how do I proceed?
Building the Castle: "Hardening" tips for the private cloud

Tuning you'll want to do
• Disable PCI passthrough
  ● DMA
• OpenStack Nova
  ● Disable soft delete
• OpenStack Glance
  ● Disable delayed delete
• OpenStack Cinder
  ● Enable volume encryption
    ● iSCSI packets
    ● Backups encrypted
• OpenStack Barbican
  ● Cinder support
  ● Can back onto an HSM
Building the Castle: "Hardening" tips for the private cloud

Tuning you'll want to do
• Entropy sources
  ● Most use /dev/random
  ● Invest in a HWRNG
    ● Configure & deploy rngd
    ● Feed /dev/random
• Define instance assignment criteria
• Define "trusted" image criteria
• Disable "live migration"
  ● Copies memory, data etc. over the network
  ● libvirtd can be configured to encrypt the transport manually
    ● No Horizon support at the time of writing

Building the Castle: Closing thoughts & QA

re:Invent Recap-AWSMeetupCloudHesive
 
AWS Meetup Fort Lauderdale Re:invent Recap
AWS Meetup Fort Lauderdale Re:invent RecapAWS Meetup Fort Lauderdale Re:invent Recap
AWS Meetup Fort Lauderdale Re:invent RecapAnthony Palmer
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationTriNimbus
 

Ähnlich wie Cumulonimbus fortification-secure-your-data-in-the-cloud (20)

Building A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleBuilding A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for Scale
 
AWS Startup Webinar | Developing on AWS
AWS Startup Webinar | Developing on AWSAWS Startup Webinar | Developing on AWS
AWS Startup Webinar | Developing on AWS
 
How to Manage Your Cloud by Drupal (DrupalCon CPH 2010)
How to Manage Your Cloud by Drupal (DrupalCon CPH 2010)How to Manage Your Cloud by Drupal (DrupalCon CPH 2010)
How to Manage Your Cloud by Drupal (DrupalCon CPH 2010)
 
AWS re:Invent 2016 Fast Forward
AWS re:Invent 2016 Fast ForwardAWS re:Invent 2016 Fast Forward
AWS re:Invent 2016 Fast Forward
 
Real world cloud formation feb 2014 final
Real world cloud formation feb 2014 finalReal world cloud formation feb 2014 final
Real world cloud formation feb 2014 final
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
 
9 - Making Sense of Containers in the Microsoft Cloud
9 - Making Sense of Containers in the Microsoft Cloud9 - Making Sense of Containers in the Microsoft Cloud
9 - Making Sense of Containers in the Microsoft Cloud
 
AWS Public Sector Symposium 2014 Canberra | Black Belt Tips on AWS
AWS Public Sector Symposium 2014 Canberra | Black Belt Tips on AWS AWS Public Sector Symposium 2014 Canberra | Black Belt Tips on AWS
AWS Public Sector Symposium 2014 Canberra | Black Belt Tips on AWS
 
Austin Scales - Nexus - Bazaarvoice's Cloud Infrastructure
Austin Scales - Nexus - Bazaarvoice's Cloud InfrastructureAustin Scales - Nexus - Bazaarvoice's Cloud Infrastructure
Austin Scales - Nexus - Bazaarvoice's Cloud Infrastructure
 
AWS Lunch and Learn - Security
AWS Lunch and Learn - SecurityAWS Lunch and Learn - Security
AWS Lunch and Learn - Security
 
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
 
Automating AWS security and compliance
Automating AWS security and compliance Automating AWS security and compliance
Automating AWS security and compliance
 
AWS re:Invent 2016: Born in the Cloud; Built Like a Startup (ARC205)
AWS re:Invent 2016: Born in the Cloud; Built Like a Startup (ARC205)AWS re:Invent 2016: Born in the Cloud; Built Like a Startup (ARC205)
AWS re:Invent 2016: Born in the Cloud; Built Like a Startup (ARC205)
 
Using AWS Well Architectured Framework for Software Architecture Evaluations ...
Using AWS Well Architectured Framework for Software Architecture Evaluations ...Using AWS Well Architectured Framework for Software Architecture Evaluations ...
Using AWS Well Architectured Framework for Software Architecture Evaluations ...
 
Journey Towards Scaling Your Application to Million Users
Journey Towards Scaling Your Application to Million UsersJourney Towards Scaling Your Application to Million Users
Journey Towards Scaling Your Application to Million Users
 
Business Agility: Taking an App Global (at Speed) - Session Sponsored by ITOC
Business Agility: Taking an App Global (at Speed) - Session Sponsored by ITOCBusiness Agility: Taking an App Global (at Speed) - Session Sponsored by ITOC
Business Agility: Taking an App Global (at Speed) - Session Sponsored by ITOC
 
re:Invent Recap-AWSMeetup
re:Invent Recap-AWSMeetupre:Invent Recap-AWSMeetup
re:Invent Recap-AWSMeetup
 
AWS Meetup Fort Lauderdale Re:invent Recap
AWS Meetup Fort Lauderdale Re:invent RecapAWS Meetup Fort Lauderdale Re:invent Recap
AWS Meetup Fort Lauderdale Re:invent Recap
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
 

Kürzlich hochgeladen

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Kürzlich hochgeladen (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Cumulonimbus fortification-secure-your-data-in-the-cloud

  • 1. CUMULONIMBUS FORTIFICATION - SECURE YOUR DATA IN THE CLOUD
    David Busby | Information Security Architect | Percona
  • 2. Threat Models: Quantifying Threats To Your Deployments
  • 3. Threat Models: What is Threat Modeling?
    A threat model is:
    • a prioritized list of security enhancements for concepts, requirements, design and implementation
    • identification and isolation of areas of risk and potential threats
    • definition of scope
    • understanding of possible attack vectors and countermeasures
    • reduction of risk
    Some examples: OWASP, Microsoft SDL, Apple.
  • 4. Threat Models: What is a Side Channel Attack?
    A side channel attack is an indirect attack to reveal secrets.
    • In cryptography: power analysis, acoustic analysis, E.M. analysis, cache timing
    • In general: power analysis, acoustic analysis (keyboard acoustics, inaudible frequencies), E.M. analysis, noise floor, weaponizing your pets
    • Children are the masters of side channel attacks
  • 5. Threat Models: What is a Co-Residency Attack?
    A co-residency attack is an indirect attack to reveal secrets from other virtual guests on the same hypervisor.
    • Pre-requisite for side channel attacks such as cache timing
    • AWS EC2: white papers claim some 40% success rate in achieving co-residency; defeated by the Dedicated Instances option, which prevents co-residency
    • OpenStack: instances can be weighted; dedicate a hardware pool for "sensitive" trusted instances and a separate pool for everything else
  • 7. Amazon AWS: Why should I care about compliance?
    A strong foundation
    • aws.amazon.com/compliance
    • You can't control the underlying infrastructure, so you want some assurance
      ● PCI DSS Level 1
      ● No, this doesn't make you PCI compliant: shared responsibility model
    • "A foolish man, which built his house upon the sand": no VM is secure if the hypervisor, the network, the DC or the support staff are insecure
  • 8. Amazon AWS: Features / Services to Secure your Deployments
  • 9. Amazon AWS: Key Management Service
    Create, store and control keys
    • Encryption support for EBS, RDS*, S3, RedShift, ... (*not MySQL RDS)
    • Key management: yearly rotation; retired keys are not removed; the service auto-detects the correct key for use
    • Key access controlled through IAM: define key administrators and key users
    • AES-GCM-256
    • Hardened Security Appliance (HSA), HSM backed
    • Auditable usage via CloudTrail
  • 10. Amazon AWS: Virtual Private Cloud
    Isolated cloud resources
    • VPN: IPsec VPN tunnel support; peer with DCs, offices, other VPCs
    • Routers can be configured for internet access and NAT
    • EIPs still work!
    • Flow Logs: useful for basic analytics (src, dst, srcport, dstport, bytes); can be pushed into Splunk, or CloudWatch + E.L.K.
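The slide stops at "useful for basic analytics", so here is what that analytics looks like in practice. This is an added example, not code from the talk: a parser for the documented 14-field VPC Flow Log (version 2) record, followed by three cheap detections a practitioner actually runs over these logs, a port scan (one source touching many destination ports on one host), a per-source REJECT ratio, and per-instance egress byte counts as a crude exfiltration signal. The log lines are constructed to match the v2 field layout; the account ID, ENI, addresses and the five-port threshold are all made up.

```python
"""VPC Flow Log v2 parser with three detections (added example, not from the talk)."""
from collections import defaultdict

# Field order of a version 2 VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: 203.0.113.9 probes six ports on 10.0.1.5 (four rejected),
# 10.0.1.7 talks MySQL to 10.0.1.5, and one record carries no flow data.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 45012 22 6 1 44 1431000000 1431000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 45013 23 6 1 44 1431000000 1431000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 45014 80 6 1 44 1431000000 1431000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 45015 443 6 1 44 1431000000 1431000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 45016 3306 6 1 44 1431000000 1431000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 45017 8080 6 1 44 1431000000 1431000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.7 10.0.1.5 51000 3306 6 120 98000 1431000000 1431000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.1.7 3306 51000 6 118 404000 1431000000 1431000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1431000000 1431000060 - NODATA
"""


def parse_flow_logs(text):
    """Return a list of dicts, one per record, skipping NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                     # truncated or foreign line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":    # no flow fields to interpret
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def detect_port_scans(records, min_ports=5):
    """(src, dst) pairs where one source hit >= min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def reject_ratio_by_source(records):
    """Fraction of a source's flows that the security group / NACL rejected."""
    counts = defaultdict(lambda: [0, 0])  # src -> [rejected, total]
    for r in records:
        counts[r["srcaddr"]][1] += 1
        if r["action"] == "REJECT":
            counts[r["srcaddr"]][0] += 1
    return {src: rejected / total for src, (rejected, total) in counts.items()}


def bytes_out_by_instance(records, instance_ips):
    """Egress bytes per instance address; compare against a baseline for exfiltration."""
    out = defaultdict(int)
    for r in records:
        if r["srcaddr"] in instance_ips:
            out[r["srcaddr"]] += r["bytes"]
    return dict(out)


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LOG)
    print("port scans:", detect_port_scans(recs))
    print("reject ratio:", reject_ratio_by_source(recs))
    print("egress bytes:", bytes_out_by_instance(recs, {"10.0.1.5"}))
```

Flow logs only record accept/reject per flow, not payload, so these detections are about shape: many ports from one source, a high reject ratio, or an egress volume out of line with the instance's baseline. The same functions apply unchanged to records pulled out of CloudWatch Logs or shipped into Logstash.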
  • 11. Amazon AWS: Identity and Access Management
    User access control
    • You can't restrict the root account: stop using it, and delete its API keys!
    • Deploy MFA on all users, especially the root account
    • Create groups, assign users, ensure the principle of least privilege (P.O.L.P.)
    • Advisory tools: Netflix Security Monkey, AWS Trusted Advisor, Nimbostratus
  • 12. Amazon AWS: Identity and Access Management
    API access
    • Create & retire keys
    • API keys must be protected; disclosure can be expensive: Bit/Lite/other coin mining, malware distribution, DoS "stresser", phishing, complete nuke
    • An attacker does not need instance access: snapshot, export (even to OVA), or attach the volume to another instance, with zero indication in traditional controls. Deploy CloudTrail, even for RDS.
  • 13. Amazon AWS: API keys in Pastebin / Github
  • 14. Openstack: What is Openstack Bandit?
  • 15. Openstack: Bandit
    "Security linter"
    • Can be configured to error on "known bad": default passwords, weak hashes, insecure methods (yaml.load, pickle.loads)
    • Deployed as part of the CI process, similar to unit tests: force "build" failure on known insecure code, insecure methods, insecure use of input
  • 16. Openstack: Features / Services to Secure your Deployments
  • 17. Openstack: Neutron
    Networking as a Service (NaaS)
    • VPNaaS: IPsec VPN (similar to VPC)
    • "technology-agnostic, network abstraction"
    • Can leverage Open vSwitch
    • TL;DR: virtualized switching infrastructure
  • 18. Openstack: Barbican
    Secure secrets management
    • REST API; integration status: Cinder in Kilo; Glance not yet; Swift and Nova have blueprints
    • Looks to replicate KMS functionality
    • Can back onto HSM appliances
    • Currently an "emerging" feature
  • 20. Docker: What is container virtualization?
    runC (formerly libcontainer)
    • Layered filesystem (AUFS): share read-only components, mount a write layer per container
    • Namespaces & cgroups, similar to LXC: cgroups control resources, namespaces help provide isolation
    • Each container gets its own network stack
  • 21. Docker: How is this different?
    Containers: all containers on a host run the same host OS and kernel, and share some binaries & libs (see the RightScale blog post)
  • 22. Docker: Does this affect my attack surface?
    Some caveats to Docker
    • The daemon requires root; users in the docker group have access to the daemon, therefore docker group users should be considered as having root access
    • Container breakout is entirely possible, and has been proven before
    • Possible to craft malicious images, same as any VM
    • Docker Security pages
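The slide says breakout is possible but not what to look for on a running host. This added example (not from the talk or from the Docker project) audits `docker inspect` output for the settings that make the "container is root on the host" case trivial: privileged mode, the host PID or network namespace, added capabilities, and bind mounts of sensitive host paths, the daemon socket included. The field names (HostConfig.Privileged, HostConfig.PidMode, HostConfig.NetworkMode, HostConfig.CapAdd, Mounts[].Type/Source/Destination) are real docker inspect fields; the three container records and the list of sensitive paths are constructed for the example.

```python
"""Audit `docker inspect` JSON for host-compromising settings (added example)."""
import json

# Host paths that, bind-mounted into a container, hand over the host. Assumption:
# extend for your own layout (e.g. /var/lib/docker, home directories).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys", "/boot")
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}

# Constructed, trimmed `docker inspect` output for three containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None, "NetworkMode": "default"},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/data"}]},
    {"Name": "/ci-agent",
     "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": ["SYS_ADMIN"], "NetworkMode": "host"},
     # the daemon socket inside a container is root on the host, exactly the slide's point
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Name": "/debug",
     "HostConfig": {"Privileged": True, "PidMode": "host", "CapAdd": None, "NetworkMode": "default"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
])


def _is_sensitive(path):
    """True if path is, or lies under, one of SENSITIVE_HOST_PATHS."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def audit(inspect_json):
    """Return {container_name: [issue, ...]} for containers with risky settings."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        issues = []
        if hc.get("Privileged"):
            issues.append("privileged: all capabilities and devices; treat as root on the host")
        if hc.get("PidMode") == "host":
            issues.append("pid=host: can see and signal host processes")
        if hc.get("NetworkMode") == "host":
            issues.append("net=host: no network namespace isolation")
        for cap in hc.get("CapAdd") or []:
            if cap.upper().replace("CAP_", "") in DANGEROUS_CAPS:
                issues.append(f"dangerous capability {cap}")
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and _is_sensitive(m.get("Source", "")):
                issues.append(f"bind mount of host path {m['Source']} at {m['Destination']}")
        if issues:
            findings[c["Name"].lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

On a real host feed it `docker inspect $(docker ps -q)`. Anything it reports should be treated as equivalent to a shell on the host, which is the threat-model entry the slide is asking you to write down.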
  • 23. Docker: Is it production ready?
    If properly configured, maybe ...
    • As with any other technology: research the caveats and limitations, produce your threat model, and secure accordingly
    • Docker & SELinux: Dan Walsh (Red Hat)
    • Docker Security page
    • AWS Container Service
  • 24. Federated clouds: United federation of ... cloud technologies (admit it, you thought planets)
  • 25. Federated Clouds: What is it?
    Taking cloud $vendors (Amazon, Rackspace, Google, HP, Digital Ocean, Linode, etc.) and, through APIs, integrating them with private cloud deployments (OpenStack, Docker Swarm, VMware, etc.)
  • 26. Federated Clouds: Why do I need one?
    Develop & QA
    • On a known common stack: OS, application stack
    • Automate QA: spin up an instance / container, deploy code from SCM, run tests
    • Automate deployment: when the build passes, use APIs to push
    Production
    • Some services can import entire images: AWS takes OVA (VMDK), OpenStack Glance takes QCOW2 (preferred); not supported by some $vendors
  • 27. Federated Clouds: Ensuring a secure "chain of custody"
    Develop & QA
    • Build OK: store the image, sign the image (e.g. GPG); the "appliance" can now be deployed
    Production
    • Deploy appliance: verify the signature
    • Post-deploy integration: Ansible / Puppet / Chef
    • Fail over to the new appliance, retire the old appliance
    • Retain API audit logs
  • 28. Security CI: How Security can be part of your CI process
  • 29. Security CI: Integrating Security in your CI
    Extend your unit tests
    • Only allow "safe" methods, e.g. for SQL
    • Sanitize user input, and test the sanitization methods: e.g. a known "good" class / method
    • Require compile args: -pie -fPIE
    Fail securely
    • Fail builds on unsafe / non-standard methods
    • Enforce security as a development standard
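Slides 13, 15 and 29 together describe one CI control: a linter that fails the build on known-bad patterns and on credentials committed to source. This added example is a reduced Bandit-style checker written for this page, not Bandit's own code and not from the talk. It walks the Python AST for the patterns slide 15 names (yaml.load without a Loader, pickle deserialisation, MD5/SHA-1, hard-coded passwords), greps each line for an AWS access key ID in the documented AKIA + 16 character form (slide 13), and exposes a `ci_gate()` whose failure is the build failure slide 29 asks for. The check IDs reuse Bandit's numbering for the equivalent tests; the sample module being linted is constructed, and the `AKIAIOSFODNN7EXAMPLE` value is the public placeholder from the AWS documentation, not a live key.

```python
"""Reduced Bandit-style security linter for a CI stage (added example, not Bandit)."""
import ast
import re

# Access key IDs are 20 chars starting with AKIA. The ID alone is not the secret,
# but it never belongs in a repository next to the secret access key.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
WEAK_HASHES = {"md5", "sha1"}
# Heuristic for variable names that hold credentials.
PASSWORD_NAMES = re.compile(r"pass(word|wd)?$|secret$", re.I)


def _call_name(node):
    """Dotted name of a call target, e.g. 'yaml.load' or 'hashlib.md5'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


class Findings(ast.NodeVisitor):
    def __init__(self):
        self.issues = []  # (lineno, check_id, message)

    def report(self, node, check, msg):
        self.issues.append((node.lineno, check, msg))

    def visit_Call(self, node):
        name = _call_name(node)
        if name == "yaml.load":
            keywords = {k.arg for k in node.keywords}
            if "Loader" not in keywords and len(node.args) < 2:   # positional Loader counts too
                self.report(node, "B506", "yaml.load without Loader: use yaml.safe_load")
        elif name in ("pickle.load", "pickle.loads"):
            self.report(node, "B301", "pickle deserialisation of untrusted data executes code")
        elif name.startswith("hashlib.") and name.split(".")[-1] in WEAK_HASHES:
            self.report(node, "B303", f"weak hash {name}")
        elif (name == "hashlib.new" and node.args and isinstance(node.args[0], ast.Constant)
              and str(node.args[0].value).lower() in WEAK_HASHES):
            self.report(node, "B303", f"weak hash via hashlib.new({node.args[0].value!r})")
        self.generic_visit(node)

    def visit_Assign(self, node):
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and PASSWORD_NAMES.search(target.id):
                    self.report(node, "B105", f"hard-coded credential in {target.id!r}")
        self.generic_visit(node)


def lint_source(src, filename="<string>"):
    """Return sorted (lineno, check_id, message) tuples for one Python source file."""
    issues = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if AWS_KEY_ID.search(line):
            issues.append((lineno, "AWS001", "AWS access key ID committed to source"))
    visitor = Findings()
    visitor.visit(ast.parse(src, filename))
    issues.extend(visitor.issues)
    return sorted(issues)


def ci_gate(src):
    """(passed, issues): wire into the test stage so a non-empty list fails the build."""
    issues = lint_source(src)
    return (len(issues) == 0, issues)


# Constructed module exercising every check, with a safe counterpart beside each.
SAMPLE = '''\
import hashlib, pickle, yaml
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
def load(blob, doc):
    cfg = yaml.load(doc)
    safe = yaml.load(doc, Loader=yaml.SafeLoader)
    obj = pickle.loads(blob)
    h = hashlib.md5(blob).hexdigest()
    ok = hashlib.sha256(blob).hexdigest()
    return cfg, safe, obj, h, ok
'''

if __name__ == "__main__":
    passed, found = ci_gate(SAMPLE)
    for lineno, check, msg in found:
        print(f"line {lineno}: {check} {msg}")
    raise SystemExit(0 if passed else 1)
```

The exit status is the whole point: run it next to the unit tests and a leaked key ID or an unsafe deserialiser blocks the merge the same way a failing assertion does. The real Bandit has far more tests and a baseline/ignore mechanism; this block shows only the shape of the control.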
  • 30. Telemetry Processing: Why is it your most important data source?
  • 31. Telemetry Processing: In the ether no one can hear you scream ...
    In AWS, API calls are "invisible" ... sort of
    • CloudTrail + SNS: alarm on specific API activity
      ● Instances: launch / stop / terminate, snapshot
      ● S3: create / delete / ACL changes
      ● KMS keys: administration (retire / create), access
      ● IAM: add / delete MFA, key generation / removal, etc.
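Slides 12 and 31 make the same argument from two sides: the snapshot-and-export attack leaves nothing in host-level telemetry, and CloudTrail is where it does show up. This added example (not the talk's code) classifies CloudTrail records against a watchlist built from the API calls the slide names, with two refinements a practitioner wants: any use of the root identity is critical on its own (slide 11), and a `ModifySnapshotAttribute` that adds a `createVolumePermission` for another account is critical because that is the disk leaving your account without anyone touching the instance. The records are constructed in the shape of a CloudTrail delivery file (`{"Records": [...]}`); the event names and sources are real CloudTrail values, while the watchlist, the trusted 10.0.0.0/8 range, the account IDs and the key ID are assumptions for the example. SNS fan-out of the resulting alerts is left to the caller.

```python
"""Classify CloudTrail records into alerts (added example, not from the talk)."""
import ipaddress
import json

# Assumption: source ranges you expect automation and admins to come from.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# eventSource -> eventNames worth an alarm (assumed watchlist derived from slide 31).
WATCHLIST = {
    "ec2.amazonaws.com": {"RunInstances", "StopInstances", "TerminateInstances", "CreateSnapshot",
                          "ModifySnapshotAttribute", "CreateImage", "CreateInstanceExportTask"},
    "s3.amazonaws.com": {"CreateBucket", "DeleteBucket", "PutBucketAcl", "PutBucketPolicy"},
    "kms.amazonaws.com": {"CreateKey", "DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy"},
    "iam.amazonaws.com": {"CreateAccessKey", "DeleteAccessKey", "DeactivateMFADevice",
                          "DeleteVirtualMFADevice", "CreateUser", "AttachUserPolicy"},
    "rds.amazonaws.com": {"CreateDBSnapshot", "ModifyDBSnapshotAttribute"},
}

# Constructed sample trail: routine read, a snapshot from inside, the snapshot being
# shared to a foreign account from outside, root disabling MFA, and a routine S3 read.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-04-14T09:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"}},
    {"eventTime": "2015-04-14T09:02:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"volumeId": "vol-0abc1234"}},
    {"eventTime": "2015-04-14T09:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"},
     "requestParameters": {"snapshotId": "snap-0def5678",
                           "createVolumePermission": {"add": {"items": [{"userId": "999988887777"}]}}}},
    {"eventTime": "2015-04-14T09:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "Root"}},
    {"eventTime": "2015-04-14T09:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.7",
     "userIdentity": {"type": "IAMUser", "userName": "app"}},
]})


def from_trusted(ip):
    """True if sourceIPAddress parses and falls inside TRUSTED_NETWORKS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False   # CloudTrail also records service principals here, e.g. "ec2.amazonaws.com"
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify(record):
    """Severity for one record ('high' / 'critical'), or None if not interesting."""
    source, name = record.get("eventSource", ""), record.get("eventName", "")
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        return "critical"                       # root should not be used at all (slide 11)
    if name == "ModifySnapshotAttribute":
        perm = record.get("requestParameters", {}).get("createVolumePermission", {})
        if perm.get("add"):
            return "critical"                   # snapshot shared to another account
    if name in WATCHLIST.get(source, set()):
        return "high"
    return None


def alerts(trail_json):
    """(eventTime, severity, eventName, who, sourceIP) for every record that warrants an alarm."""
    found = []
    for rec in json.loads(trail_json)["Records"]:
        severity = classify(rec)
        if severity is None:
            continue
        ip = rec.get("sourceIPAddress", "")
        if severity == "high" and not from_trusted(ip):
            severity = "critical"               # watched call from outside the expected ranges
        identity = rec.get("userIdentity", {})
        who = identity.get("userName", identity.get("type"))
        found.append((rec["eventTime"], severity, rec["eventName"], who, ip))
    return found


if __name__ == "__main__":
    for row in alerts(SAMPLE_TRAIL):
        print(*row)
```

Note what is absent from the trail: there is no instance-level event at all for the snapshot being shared, which is the "zero indication in traditional controls" point of slide 12. Point `alerts()` at the objects CloudTrail drops into S3 (or at the SNS notification of each new file) and publish the non-empty result to your alerting topic.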
  • 32. 32 Telemtry Processing In the ether no one can hear you scream ... In the ether no one can hear you scream ... In openstack • Logging is configured per component ● Cinder ● Nova ● Neutron ● Aka Quantum ● Keystone ● Barbican In openstack • Logging is configured per component ● Cinder ● Nova ● Neutron ● Aka Quantum ● Keystone ● Barbican ... • API calls are “invisible” ● To traditional IDS ● Push logs onto your own configuration ● Alert on set conditions ● Instances up / terminate ● Key creation / deletion ● Snapshots ● Network configuration ... • API calls are “invisible” ● To traditional IDS ● Push logs onto your own configuration ● Alert on set conditions ● Instances up / terminate ● Key creation / deletion ● Snapshots ● Network configuration
  • 33. 33 Telemtry Processing In the ether no one can hear you scream ... In the ether no one can hear you scream ... Traditional telemetry • Resource metrics ● CPU / RAM / IO ● Should include GPU ● Network ● IDS / IPS ● Host events ● Network Events Traditional telemetry • Resource metrics ● CPU / RAM / IO ● Should include GPU ● Network ● IDS / IPS ● Host events ● Network Events ... • Service metrics ● MySQL ● Running queries ● AHI ● Buffer pool ● Queue services ● Queue length ● Message size ● HTTPD ● Request load ... • Service metrics ● MySQL ● Running queries ● AHI ● Buffer pool ● Queue services ● Queue length ● Message size ● HTTPD ● Request load
  • 34. 34 Telemetry Processing
    Data overload, handling many lines/s
    ELK
    • ElasticSearch
      ● Indexing & search
      ● Lucene
    • LogStash
      ● Log aggregation
      ● Mutation
    • Kibana
      ● Visualising interface for ElasticSearch
    • LogStash
      ● Can feed alerts to Nagios
    • Make it modular
      ● Deploy components on separate nodes, where possible
      ● Also ensures availability
  • 35. 35 Telemetry Processing
    Data overload, handling many lines/s
  • 36. 36 Telemetry Processing
    Data overload, handling many lines/s
    Hadoop
    • OpenSOC
      ● 1.2M packets/sec real time
      ● Flume
        ● Ships log data
      ● Kafka
        ● Messaging system
      ● Storm
        ● Distributed job processing
        ● Runs “enrichment”
    • ElasticSearch
      ● ElasticSearch can back onto HDFS
        ● Greater analytics variety
        ● Map reduce
    • Alerting
      ● Storm jobs could run analytics, alert on set conditions.
  • 37. 37 Telemetry Processing
    Don't over-engineer things!
  • 38. Emerging Technologies
    Projects to keep an eye on, to help in your security.
  • 39. 39 Emerging Tech
    Vaultproject.io
    Secret storage
    • API driven access to
      ● Secrets
      ● Dynamic secrets
        ● Aids auto-rotation
      ● Encryption service
        ● Encrypt / decrypt data via API
      ● Leasing & renewal
    • Similar to Barbican
    • HA configurable
      ● Consul
    • Audit backend
    • Multiple integrations
      ● AWS
      ● MySQL
      ● PostgreSQL
  • 40. 40 Emerging Tech
    Haka-Security.org
    Developer friendly network security?
    • Lua DSL
      ● Object oriented
      ● Kibana support
        ● Hakabana
    • Also for analytics
      ● Can analyse pcap files
  • 41. Building The Castle
    Ok, I've got the idea. But how do I proceed?
  • 42. 42 Building the Castle
    “Hardening” tips for the private cloud
    Tuning you'll want to do
    • Disable PCI passthrough
      ● DMA
    • OpenStack Nova
      ● Disable soft delete
    • OpenStack Glance
      ● Disable delayed delete
    • OpenStack Cinder
      ● Enable volume encryption
        ● iSCSI packets
        ● Backups encrypted
    • OpenStack Barbican
      ● Cinder support
      ● Can back onto an HSM
  • 43. 43 Building the Castle
    “Hardening” tips for the private cloud
    Tuning you'll want to do
    • Entropy sources
      ● Most use /dev/random
      ● Invest in HWRNG
      ● rngd conf & deploy
        ● Feed /dev/random
    • Define instance assignment criteria
    • Define “trusted” images criteria
    • Disable “live migration”
      ● Copies memory, data etc over the network
      ● libvirtd can be configured to encrypt transport manually
        ● No Horizon support at the time of writing
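The tips on slides 42 and 43 map to a handful of settings in nova.conf and glance-api.conf, so they are easy to check mechanically on every compute and image node. The following is an added example (not from the talk and not OpenStack's own tooling) that audits those two files for the settings the slides call out: soft delete (nova keeps "deleted" instances and their data while `reclaim_instance_interval` is greater than zero), PCI passthrough (`pci_passthrough_whitelist`, `pci_alias` and the `PciPassthroughFilter` scheduler filter), an unencrypted libvirt live-migration URI, and glance's `delayed_delete`. Option names are the Kilo/Liberty-era ones the talk would have seen; later releases rename some of them. Both sample configurations, weak and hardened, are constructed.

```python
"""Audit nova.conf / glance-api.conf against the private-cloud hardening tips (added example)."""
import configparser


def _load(text):
    # No value interpolation: nova values such as qemu+tcp://%s/system contain a bare '%'
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_nova(text):
    """Return a list of findings; empty when the file matches the hardening tips."""
    cp = _load(text)
    findings = []
    # Soft delete is active whenever reclaim_instance_interval > 0: "deleted" instances
    # and their disks linger on the hypervisor until the reclaim task runs.
    if cp.getint("DEFAULT", "reclaim_instance_interval", fallback=0) > 0:
        findings.append("soft delete enabled (reclaim_instance_interval > 0)")
    # PCI passthrough gives a guest a DMA-capable device; with no whitelist, alias or
    # scheduler filter configured the feature is effectively off.
    for opt in ("pci_passthrough_whitelist", "pci_alias"):
        if cp.get("DEFAULT", opt, fallback="").strip():
            findings.append(f"PCI passthrough configured ({opt} set)")
    filters = [f.strip() for f in cp.get("DEFAULT", "scheduler_default_filters", fallback="").split(",")]
    if "PciPassthroughFilter" in filters:
        findings.append("PciPassthroughFilter enabled in scheduler_default_filters")
    # Live migration streams guest memory between hosts; nova's default URI is plain TCP,
    # so only an explicit qemu+tls:// URI (libvirtd with listen_tls) is accepted here.
    uri = cp.get("libvirt", "live_migration_uri", fallback="qemu+tcp://%s/system")
    if not uri.startswith("qemu+tls://"):
        findings.append(f"live migration transport not encrypted ({uri})")
    return findings


def audit_glance(text):
    """Flag delayed_delete, which keeps deleted image data on disk until the scrubber runs."""
    cp = _load(text)
    if cp.getboolean("DEFAULT", "delayed_delete", fallback=False):
        return ["delayed_delete enabled in glance-api.conf"]
    return []


# Constructed sample configurations: the weak settings beside the hardened ones
WEAK_NOVA = """
[DEFAULT]
reclaim_instance_interval = 3600
pci_passthrough_whitelist = {"vendor_id": "8086", "product_id": "10fb"}
scheduler_default_filters = RetryFilter,ComputeFilter,PciPassthroughFilter

[libvirt]
live_migration_uri = qemu+tcp://%s/system
"""

HARDENED_NOVA = """
[DEFAULT]
reclaim_instance_interval = 0
scheduler_default_filters = RetryFilter,ComputeFilter

[libvirt]
live_migration_uri = qemu+tls://%s/system
"""

WEAK_GLANCE = "[DEFAULT]\ndelayed_delete = True\n"
HARDENED_GLANCE = "[DEFAULT]\ndelayed_delete = False\n"

if __name__ == "__main__":
    for name, result in [("weak nova.conf", audit_nova(WEAK_NOVA)),
                         ("hardened nova.conf", audit_nova(HARDENED_NOVA)),
                         ("weak glance-api.conf", audit_glance(WEAK_GLANCE)),
                         ("hardened glance-api.conf", audit_glance(HARDENED_GLANCE))]:
        print(name, "->", result or "OK")
```

Point the two functions at the real files (`open("/etc/nova/nova.conf").read()`) from a configuration-management check or a cron job and fail the run on any finding. The entropy item on slide 43 is not a nova setting and is not covered here; on a host with a hardware RNG the usual step is to run rng-tools' rngd with `-r /dev/hwrng` so it feeds /dev/random, and to watch /proc/sys/kernel/random/entropy_avail.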
  • 44. 44 Building the Castle
    Closing thoughts & QA