Recent hacks of IaaS platforms revealed that we need to master the attack vectors used: the automation and API attack vector, insecure instances, and a management dashboard with wide capabilities. These attack vectors are not unique to cloud computing, but they are magnified by the cloud's characteristics. The IaaS instance lifecycle is accelerating: nowadays we find servers that are installed, launched, process data and terminate, all within a range of minutes. This accelerated lifecycle makes traditional security processes such as periodic patching, vulnerability scanning, hardening, and forensics impossible. There are no maintenance windows in which to patch or mitigate a vulnerability, so the security infrastructure must adapt to new methods. In this new thinking, we require automation of instance security configuration, hardening, monitoring, and termination. Because there are no maintenance windows, servers must be patched before they boot, security configuration and hardening procedures must be integrated with server installation, and vulnerability scanning and mitigation must be automatic.
In the presentation, Nir plans to introduce the open source tool called "Cloudefigo" and explain how it enables an accelerated security lifecycle. Nir will demonstrate how to automatically launch a pre-configured, already patched instance into an encrypted storage environment while evaluating its security and mitigating vulnerabilities automatically if any are found. In the demo, Cloudefigo will leverage Amazon Web Services EC2 Cloud-Init scripts and object storage to provision automated security configuration and integrate encryption, including a secure encryption key repository for the server's communication. The result of these techniques is cloud servers that are resilient, automatically configured, and have a reduced attack surface.
2. About me
- I am working as the Head of Application Security.
- Neither of my previous startups succeeded!
- 1st time speaking publicly.
- But at least I invented a few open source tools.
- Mmmm… OH, AND…
3. Cloud security challenges and benefits
And more specifically, using IaaS automation and orchestration features for increasing the security.
[Figure: IaaS stack, top to bottom: Dashboard, Billing, API; Orchestration; Hypervisor, Controller, Abstraction; Physical Servers, Network, Storage]
4. About the talk
Cloud attack vectors:
- Provider administration
- Management console
- Multi-tenancy & virtualization
- Automation & API
- Chain of supply
- Side channel attack
- Insecure instances
6. Anatomy of a cloud hack – BrowserStack's story
- Shellshock vulnerability on an unused server
- Found an API key on the hacked server
- Opened a firewall rule and launched an instance using the API key
- Attached a backup volume to the instance
- Found database credentials on the backup device
- Connected to the DB
SOURCE: https://www.browserstack.com/attack-and-downtime-on-9-November
7. Do we have the right tools?
SOURCE: http://ifail.info/wp-content/uploads/2010/04/street_dentist_thumb.jpg?98bbf9
8. The existing security tools for DevOps
Pipeline stages: Check out code and build; Unit testing; Quality control; Deployment to test environment; Fetch latest builds; Integration testing; Packaging and archiving; Fetch release-ready builds; Deployment to pre-prod environment; Acceptance testing; Deployment to production.
Security tools mapped onto the pipeline:
- Secure SDLC
- Static code analysis
- Software composition analysis
- Dynamic/Interactive application security testing (DAST/IAST)
- Signing and obfuscation
Open question at each deployment stage (test, pre-prod, production): Secure Infrastructure?
9. Micro-Services Architecture, DevOps, Continuous Delivery
- Architecture & deployments are changing: deployment cycles shrink from 1 hour to 10 min to 1 min.
- The billing cycles are being reduced:
  - "Google slashes cloud platform price again"
  - "Microsoft will offer Azure by the minute to take on Amazon's cloud"
  - "Microsoft follows Google with by-the-minute cloud billing"
- AUTO SCALING
10. The challenge
How to do security when servers are alive for 10 minutes?
- Patch management
- Maintenance windows
- Periodic vulnerability scanning
- Hardening
12. Introducing Cloudefigo
Lifecycle: Launch; Configure and harden; Scan; Move to Production.
SOURCE: https://github.com/valtmanir/Cloudefigo
Based on the work made by Rich Mogull from Securosis: https://github.com/rmogull/PragmaticNetSecManagement
16. LAUNCH: Prepare Cloudinit
- Each instance manages its own attributes:
  - Encryption keys
  - Remediation vs. production groups
- Management of these attributes requires permissions.
- The permissions needed during launch exceed those needed in production.
- Thus, a dynamic IAM role is required.
21. UPDATE: OS update, Pre-requisites, Any risks?
- CloudInit to update & upgrade software packages.
- The primary goal is to make sure the cloud instance is secure once upgraded.
- Any risks? Need to make sure the pre-prod/test/CI environments include the recent operating system updates as well!
22. UPDATE: OS update, Pre-requisites
- CloudInit to install the software packages required to operate:
  - Python + pip + wheel
  - AWS SDK (Boto)
  - Chef Client + Chef SDK (PyChef)
- Download configurations and scripts from S3:
  - Cloudefigo script
  - Chef client initialization files
- Cloudinit to create and attach a volume for application files and data.
23. CONTROL: Chef Registration, Encrypt
- The Chef clients register to the Chef Management server using the initialization files loaded from S3.
- Once the client is registered, a policy is loaded and enforced on the instance.
24. CONTROL: Chef Registration, Encrypt
Where should you keep your keys?

|                 | Cloud Provider                         | On Premise                                          | 3rd Party                                                  |
| Protected from  | Snapshots and backups                  | Snapshots, backups, subpoena and malicious insiders | Snapshots, backups and cloud provider's malicious insiders |
| Vulnerable to   | Malicious insider attacks and subpoena | Key exchange attacks                                | Key exchange attacks and subpoena (partial)                |
25. CONTROL: Chef Registration, Encrypt
- The volume is encrypted using a randomly generated key.
  - The key is kept in S3 for later use.
- The application database is installed in the encrypted volume.
[Figure: three instances (Instance 1, 2, 3), each with its own bucket (2f3g, 5dw4, 8H7g), key ID (5dw4, 8H7g, 2f3g) and key (1#Fd3, vFS3=, Bs$a)]
26. CONTROL: Chef Registration, Encrypt
- Dynamic S3 policy: access to the encryption key requires a referrer header that is generated based on attributes from the instance.
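The dynamic S3 policy from this slide, as an added example that is not Cloudefigo's own code: a hypothetical token derived from instance attributes and a provisioning-side secret, the bucket policy that gates the key object on the aws:Referer condition key, and a small evaluator that mirrors how S3 applies the Allow/Deny statements. The bucket, object name, instance id and secret are constructed values.

```python
import hashlib
import hmac

# Hypothetical helper (not part of Cloudefigo): the secret is known only to the
# provisioning side that writes the policy; the token is what the instance must
# send as its Referer header when it fetches its volume key from S3.
def referrer_token(instance_id: str, ami_id: str, secret: bytes) -> str:
    material = f"{instance_id}|{ami_id}".encode()
    return hmac.new(secret, material, hashlib.sha256).hexdigest()

def key_bucket_policy(bucket: str, key_object: str, token: str) -> dict:
    """Bucket policy: s3:GetObject on the key object succeeds only when the
    request carries the expected aws:Referer value; any other value is denied."""
    arn = f"arn:aws:s3:::{bucket}/{key_object}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowKeyReadWithInstanceReferrer", "Effect": "Allow",
             "Principal": "*", "Action": "s3:GetObject", "Resource": arn,
             "Condition": {"StringEquals": {"aws:Referer": token}}},
            {"Sid": "DenyKeyReadWithoutInstanceReferrer", "Effect": "Deny",
             "Principal": "*", "Action": "s3:GetObject", "Resource": arn,
             "Condition": {"StringNotEquals": {"aws:Referer": token}}},
        ],
    }

def _condition_matches(cond: dict, referer) -> bool:
    # IAM semantics for a single-valued string key: StringEquals cannot match
    # a missing header, while StringNotEquals does match a missing header.
    for op, pairs in cond.items():
        expected = pairs["aws:Referer"]
        if op == "StringEquals" and referer != expected:
            return False
        if op == "StringNotEquals" and referer == expected:
            return False
    return True

def request_allowed(policy: dict, referer) -> bool:
    """Evaluate one GetObject request against the policy: explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _condition_matches(stmt["Condition"], referer):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed values so the block runs stand-alone (not real account data).
SECRET = b"constructed-provisioning-secret"
TOKEN = referrer_token("i-0123456789abcdef0", "ami-0abc1234", SECRET)
POLICY = key_bucket_policy("cloudefigo-keys-2f3g", "volume.key", TOKEN)
```

A Referer value travels in clear inside the HTTP request, so this gate only holds if the token stays secret and the fetch goes over TLS; it complements, rather than replaces, limiting the key object to the instance's IAM role.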
29. SCAN: Automatic Scan, Analyze
- A vulnerability scan is launched automatically by the CloudInit script.
- The deeper the scan, the longer it takes to move the instance to production.
30. SCAN: Automatic Scan, Analyze
- The results of the scan are analyzed by the Cloudefigo script.
- Based on successful scan results, the instance moves to production or remains in the remediation group.
- The lowest security risk severity can be defined.
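The production gate from this slide, as an added example (not the Cloudefigo script itself): a parser for a simplified CSV scan export and the decision that keeps an instance in the remediation group when any finding reaches the configured lowest blocking severity. The severity scale, the CSV columns and the sample findings are constructed for the example; a label the scale does not know is treated as blocking so the gate fails closed.

```python
import csv
import io

# Severity scale assumed for this example; scanner labels are normalised to
# lower case before lookup. Unknown labels rank as critical (fail closed).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_scan_csv(text: str) -> list:
    """Parse a constructed CSV export with plugin_id,severity,title columns."""
    rows = csv.DictReader(io.StringIO(text))
    return [{"plugin_id": r["plugin_id"],
             "severity": r["severity"].strip().lower(),
             "title": r["title"]} for r in rows]

def decide_group(findings: list, lowest_blocking: str = "medium"):
    """Return (target_group, blocking_findings): the instance moves to the
    production group only if no finding reaches the lowest blocking severity."""
    threshold = SEVERITY_RANK[lowest_blocking.lower()]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f["severity"], SEVERITY_RANK["critical"]) >= threshold]
    return ("production" if not blocking else "remediation"), blocking

# Constructed scan export for a stand-alone run (not real scanner output).
SAMPLE_SCAN = """plugin_id,severity,title
C-001,Info,Server banner discloses software version
C-002,Medium,Self-signed TLS certificate
C-003,High,Installed package has known vulnerabilities
"""

if __name__ == "__main__":
    group, blocking = decide_group(parse_scan_csv(SAMPLE_SCAN), "medium")
    print(group, [f["plugin_id"] for f in blocking])
```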
34. PRODUCTION: Least privileged role, Manage
- For the ongoing operations, compensating controls are required.
- The Cloudefigo management script lists cloud instances and validates that they are managed by Chef.
- Cloudefigo sets an alert when someone tries to use the access keys.
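The instance-to-Chef validation from this slide, as an added example that is not Cloudefigo's management script: it joins a running-instance list with the Chef node list and reports instances that have no Chef node once they are past a bootstrap grace period, since a freshly launched instance is still running cloud-init and has not registered yet. It assumes Chef nodes are named after the EC2 instance id; the inventories are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumption for this example: each Chef node is registered under its EC2
# instance id, so the two inventories can be joined on that name.

def unmanaged_instances(instances, chef_node_names, now, grace_minutes=15):
    """Return ids of running instances that are older than the grace period and
    have no Chef node. Younger instances are still bootstrapping and are not
    reported; non-running instances are ignored."""
    managed = set(chef_node_names)
    grace = timedelta(minutes=grace_minutes)
    flagged = []
    for inst in instances:
        if inst["state"] != "running" or inst["id"] in managed:
            continue
        if now - inst["launch_time"] < grace:
            continue  # still inside the cloud-init / Chef registration window
        flagged.append(inst["id"])
    return sorted(flagged)

# Constructed inventories for a stand-alone run (not real account data).
NOW = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)
INSTANCES = [
    {"id": "i-aaaa0001", "state": "running", "launch_time": NOW - timedelta(hours=2)},
    {"id": "i-bbbb0002", "state": "running", "launch_time": NOW - timedelta(hours=1)},
    {"id": "i-cccc0003", "state": "running", "launch_time": NOW - timedelta(minutes=5)},
    {"id": "i-dddd0004", "state": "terminated", "launch_time": NOW - timedelta(days=1)},
]
CHEF_NODES = ["i-aaaa0001"]

if __name__ == "__main__":
    print(unmanaged_instances(INSTANCES, CHEF_NODES, NOW))
```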
40. TERMINATE: Instance, Encryption Keys
- The instance data still exists in backups/snapshots or provider storage.
- Encryption keys are to be deleted with the instance in order to make sure the backup data remains inaccessible (not implemented in this version).
41. Wrapping Up
- The new software architecture and application delivery model in the cloud disrupt traditional corrective controls.
- We need to adopt new thinking to automate security.
- Think how security automation can help you in moving your infrastructure forward. Faster.
42. Questions
Nir Valtman
@: nir.valtman (at) ncr.com
w: www.ncr.com | www.valtman.org
in: www.linkedin.com/in/valtmanir
t: @ValtmaNir
Did I mention that I'm HIRING? Building the A-TEAM!