Building Cloud Security from Scratch

Alex Stamos, CTO, Artemis Internet: Building Cloud Security from Scratch

Upload: alex-stamos

Post on 07-Nov-2014


Category:

Technology



DESCRIPTION

Ask any two cloud "experts" about whether you can trust cloud providers for running your security-sensitive systems and you'll likely get three opinions. When our group of security experts turned to the task of building a robust, reliable, and secure infrastructure, we chose to disregard the conventional wisdom, ignore the FUD, and design controls that allow us to confidently build on AWS, Salesforce, and other cloud providers. This talk walks you through the steps necessary to build a trustworthy cloud infrastructure. We outline how you can deconstruct your security needs into specific technical goals, map those goals onto controls that are available in the cloud, and discuss what risks need to be accepted while others are mitigated. The talk includes detailed discussion of cryptographic, network and logical controls, and is best enjoyed by those with advanced knowledge of AWS.

TRANSCRIPT

Page 1: Building Cloud Security from Scratch

Alex Stamos
CTO, Artemis Internet

Building Cloud Security from Scratch

Page 2: Building Cloud Security from Scratch

What are we discussing today?

• Discuss the state of cloud security conventional wisdom

• Identify why that doesn’t work

• Think about how to build trust into our infrastructures…

FROM SCRATCH

Page 3: Building Cloud Security from Scratch

Who am I?

Alex Stamos

• Co-Founder of iSEC Partners
• CTO of Artemis Internet

We are building .secure and we are building it in the cloud

Page 4: Building Cloud Security from Scratch

Conventional Wisdom: Who shapes it?

The current keeper of the CW is the:

Page 5: Building Cloud Security from Scratch

Conventional Wisdom: Who is that?

• Cloud Providers
• Security Vendors
• Old Guard

Page 6: Building Cloud Security from Scratch

Conventional Wisdom: Where is it?

This wisdom is captured best here:

Page 7: Building Cloud Security from Scratch

Conventional Wisdom: What is it?

Page 8: Building Cloud Security from Scratch

Conventional Wisdom: What is it?

Compliance Model

Security Controls Model

Cloud Model

Very slow moving

Created by non-technologists

Defined in the age of traditional infrastructures

REALITY!

Page 9: Building Cloud Security from Scratch

Conventional Wisdom: Where does it go wrong?

[Network diagram. Labels: Internet, Load Balancers (LBs), Web VLAN, Web Servers, App Server VLAN, App Servers, DB VLAN, Support VLAN, Backup, SNMP, Logging, Bastion, Corporate Network]

How would attackers penetrate this network in 1998?

How about today?

Page 10: Building Cloud Security from Scratch

Getting Real: Bugs we’ve seen

Operational

Lost Credentials

Overly Permissive Controls

Bad Auditing

Infrastructure

Poor Patching

Insecure Control Plane

Attacks from Corp

Application

Too-Loose Binding

Web/API Vulns

Bad Crypto

Page 11: Building Cloud Security from Scratch

Getting Real: Bugs we haven’t seen

Fantasy Issues

Hypervisor Breaks

Covert Channels/Timing Attacks

Physical Breaches

Page 12: Building Cloud Security from Scratch

Getting Real: Controls that match real risks

Operational

Lost Credentials

Overly Permissive Controls

Bad Auditing

• Limited accounts via IAM
• Keep powerful creds off of instances
• Use key managers to distribute creds, not on AMIs
• Use limited accounts from Day 1
• MFA on top-level accounts
• Limit direct access, use management platforms when possible
• Use multiple top-level accounts with shared billing
• No developers on production
• Require all access via bastion host
• Log every keystroke, all syslog to separate top-level account

Page 13: Building Cloud Security from Scratch

Getting Real: Controls that match real risks

Infrastructure

Poor Patching

Insecure Control Plane

Attacks from Corp

• Continuous external and semi-external scanning
• Auto-discover all instances via API
• Use highly limited AMIs, install or chroot major services
• Build control plane and asymmetric trust into AMI
• Avoid SSH keys in AMI
• SSH key per admin, revocable
• Deploy corporate controls:
  • Proxy or DPI firewall
  • NFR
• Use VPCs to strongly isolate critical services

Page 14: Building Cloud Security from Scratch

Getting Real: Controls that match real risks

Application

Too-Loose Binding

Web/API Vulns

Bad Crypto

• Security is a targeted feature
• Create security engineering group early
• Build small set of trusted, core components
  • Input validation
  • Escaping on compositing
  • Session management
  • Crypto
• Build a separate, protected authentication cluster
• Use self-proving requests internally, do not trust caller blindly
• Provision internal certs to all instances, use when possible

Page 15: Building Cloud Security from Scratch

Cloud Strengths: “What do we have on the spacecraft that’s good?”

Architecture and design benefits:
• Out-of-band bootstrapped communication
• Isolated network topologies (VPC)
• Trusted 10.x space IPs

Defense against privileged cloud accounts:
• Instance RAM
• Ephemeral per-instance storage

Page 16: Building Cloud Security from Scratch

Cloud Strengths: Sic Parvis Magna

[Diagram. Labels: UserData, Protected Instance Memory, Key Management Service, Crypto Keys, Encrypted MQ Messages, Encrypted DB Records, Encrypted EBS Volume, Service Creds, IPSec PSK, Secure Instance-Instance Network, Trustworthy Source IPs]

Page 17: Building Cloud Security from Scratch

Architecting a Paranoid Application

[Architecture diagram. Components: ELB, App Servers, Authentication Service, Cred DB, Back-End Services, User Data, Blob Store, Logging System]

Page 18: Building Cloud Security from Scratch

The Authentication Token

Identity
• Primary Key
• GUID

Context
• Email
• Real Name
• Org ID

Crypto Keys
• Envelope Opening Key

Permissions
• Group Membership
• Admin Level
• Perm Bits

AuthServer
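An added sketch, not code from the talk, of a back-end service checking the authentication token itself, which is what the earlier "self-proving requests" bullet asks for. The Ed25519 signature, the token encoding, the `exp` field and every function name are assumptions; the envelope opening key is left out because the slides do not say how it is protected in transit.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Authentication cluster: the only holder of the signing key.
// Ed25519 is an assumption; the slides do not name a signature scheme.
const authServer = generateKeyPairSync('ed25519');

// Issue a token carrying the slide's identity, context and permission fields.
function issueToken(claims, ttlSeconds, now = Date.now()) {
  const payload = JSON.stringify({ ...claims, exp: now + ttlSeconds * 1000 });
  const body = Buffer.from(payload, 'utf8');
  const sig = sign(null, body, authServer.privateKey);
  return `${body.toString('base64url')}.${sig.toString('base64url')}`;
}

// Back-end service: holds only the public key and re-checks every request
// instead of trusting what the calling app server says about the user.
function authorize(token, requiredPermBit, publicKey, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const body = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  if (sig.length !== 64) return { ok: false, reason: 'malformed' };
  if (!verify(null, body, publicKey, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  // Claims are parsed only after the signature has been verified.
  const claims = JSON.parse(body.toString('utf8'));
  if (now >= claims.exp) return { ok: false, reason: 'expired' };
  if ((claims.permBits & requiredPermBit) === 0) {
    return { ok: false, reason: 'forbidden' };
  }
  return { ok: true, claims };
}

// Constructed sample claims (hypothetical values, not from the talk).
const demoToken = issueToken(
  { guid: 'constructed-guid-1', email: 'user1@example.test', orgId: 'org-7',
    groups: ['GroupA'], adminLevel: 0, permBits: 0b001 }, 300);
console.log(authorize(demoToken, 0b001, authServer.publicKey).ok);
```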

Page 19: Building Cloud Security from Scratch

Per-Record Crypto

P = Plaintext Record for User1, member of GroupA
C = Ciphertext
Ks = Per-Record Symmetric Key

C = E(P, Ks)

Data Record = C + {Ks}User1 + {Ks}GroupA + {Ks}Service1 + {Ks}Master
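The per-record scheme above as an added sketch (not code from the talk): a fresh Ks encrypts each record and is wrapped once per principal. It assumes AES-256-GCM for E() and a 256-bit symmetric key per principal; the function names, the record id and the binding of each wrapped key to its slot through associated data are choices made for this example.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// E() is AES-256-GCM here (assumed; the slide names no cipher).
// Output layout: 12-byte nonce || 16-byte tag || ciphertext.
function seal(key, msg, aad) {
  const nonce = randomBytes(12);
  const enc = createCipheriv('aes-256-gcm', key, nonce);
  enc.setAAD(Buffer.from(aad));
  const body = Buffer.concat([enc.update(msg), enc.final()]);
  return Buffer.concat([nonce, enc.getAuthTag(), body]);
}

function open(key, box, aad) {
  if (box.length < 28) throw new Error('ciphertext too short');
  const dec = createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  dec.setAAD(Buffer.from(aad));
  dec.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([dec.update(box.subarray(28)), dec.final()]); // throws if forged
}

// Data Record = C + {Ks}User1 + {Ks}GroupA + {Ks}Service1 + {Ks}Master
function encryptRecord(id, plaintext, principalKeys) {
  const ks = randomBytes(32); // fresh Ks for every record
  const record = { id, c: seal(ks, plaintext, id), wrapped: {} };
  for (const [name, key] of Object.entries(principalKeys)) {
    // Bind each wrapped Ks to (record, principal) so slots cannot be swapped.
    record.wrapped[name] = seal(key, ks, `${id}|${name}`);
  }
  return record;
}

// A principal unwraps its own copy of Ks, then decrypts C with it.
function decryptRecord(record, name, key) {
  const slot = record.wrapped[name];
  if (!slot) throw new Error(`no wrapped key for ${name}`);
  const ks = open(key, slot, `${record.id}|${name}`);
  return open(ks, record.c, record.id);
}

// Constructed sample: the four principals named on the slide, random keys.
const sampleKeys = Object.fromEntries(
  ['User1', 'GroupA', 'Service1', 'Master'].map((n) => [n, randomBytes(32)]));
const sample = encryptRecord('rec-0001', Buffer.from('P: record for User1'), sampleKeys);
console.log(decryptRecord(sample, 'GroupA', sampleKeys.GroupA).toString());
```

Deleting a principal's entry from `wrapped` stops future unwraps, but a principal that already recovered Ks can still read C until the record is re-encrypted under a new Ks.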

Page 20: Building Cloud Security from Scratch

Conclusions

1. Do not trust the conventional wisdom

2. Consider realistic threats for your org, adversaries

3. Build controls based upon AWS’s strengths

4. Build a paranoid application on any platform