A broad overview of what it takes to be secure. This is more of an introduction where we introduce the basic terms around Cloud Computing and how do we go about securing our information assets(Data, Applications and Infrastructure) The workshop was fun because all the slides were paired with real world examples of security breaches and attacks.

1. Security in the Cloud
Akash Mahajan

2. Akash Mahajan - Profile
Heard of that Web App Security Guy?
Am the chapter lead for OWASP Bangalore
Co-founded a security community; null
Kick-started an eco system for start-ups
Ever attended a Startup Saturday?
Realized that I love to learn about security!

3. You will not learn anything new today
The interesting part is learning why you
won’t learn anything new today

4. WHAT IS CLOUD COMPUTING?

5. “Today Internet is Cloud CD Based, if you use Google
your docs get stored in cloud, have you ever seen
Google software CD? No it’s not here, it’s in the
cloud. Called as Cloud CD! When you check, it
Cloud gives error because it is raining!!!! ”
- Vishwa Bandhu Gupta

6. Cloud computing is computing in which large
groups of remote servers are networked to
allow the centralized data storage, and
online access to computer services or
resources.
- From http://en.wikipedia.org/wiki/Cloud_computing

7. How is Cloud Computing different
From?
Grid computing
Distributed computing
Large Scale Clusters

8. Elasticity
is the degree to which a system is able
to adapt to workload changes

9. How do we get Elasticity?
by provisioning and de-provisioning resources
in an autonomic manner, such that at each
point in time the available resources match
the
current demand as closely as possible.

10. Autonomic Manner
The system makes decisions on its own,
using high-level policies; it will
constantly check and optimize its
status and automatically adapt itself to
changing conditions.

11. AWS Auto-scale – Example of Elasticity

12. The tech behind
cloud computing
is not new

13. WHAT MAKES UP THE CLOUD
COMPUTING STACK?

14. Virtualization
The main enabling technology for cloud computing

15. Service Oriented
Architecture
(SOA)
Breaking of business problems into services that can
be integrated

16. Programmable
APIs
Ability to interact with the services offered using
programs and the libraries provided

17. Management
Layer
Ability to interact with the services offered using a
web based front-end for management & billing

18. High Speed
Networks
All of the above talk to each other using
high speed networks

19. Cloud Computing Stack
Management Layer
Programmable APIs
Service Layer
OS Level Virtualization

20. OS LEVEL VIRTUALIZATION

21. What is Virtualization?
it separates a physical
computing device into one or
more "virtual" devices

22. OS Level Virtualization
It essentially creates a scalable
system of multiple
independent computing
devices.

23. OS Level Virtualization
Idle computing resources can be
allocated and used more efficiently

24. Virtualization provides agility
• Speed up IT operations
• Reduces cost by
increasing
infrastructure utilization

25. Virtualization provides automation
• Computing automates the process through
which the user can provision resources on-demand.
• By minimizing user involvement,
automation speeds up the process, reduces
labor costs and reduces human errors

26. SERVICE ORIENTED ARCHITECTURE
FOR CLOUD SERVICES

27. What does SOA contain?

28. Compute
processor , random access
memory,

29. Storage
persistent, redundant,
scalable, infinite and cheap

30. Network
all pervasive, based on TCP/IP
gigabit fast and more

31. Management
what we use to manage or
work with the service

32. Metrics and Measured Service
billing is like utility services
and every service is
measurable

33. PROGRAMMABLE APIS AND
MANAGEMENT LAYER

34. Programmable APIs
Start, stop, pause virtual
servers
ec2-run-instances
gcloud compute instances create

35. Management Layer
Basically a web based control panel

36. Management Layer

37. SERVICE MODELS

38. Cloud Service Models

39. Software As A Service
Meant for end users to consume a service
using applications and data storage

40. Platform As A Service
Meant for developers to utilize an integrated
development platform and framework

41. Infrastructure As A Service
Basic Cloud Service building blocks are given
like server instance, storage and network

42. DEPLOYMENT MODELS FOR THE
CLOUD

43. Cloud can be in your office too

44. Deployment Models
• Public
• Private
• Hybrid

45. Public Cloud
A cloud is called a "public cloud" when the
services are rendered over a network that is
open for public use.

46. Private Cloud
Private cloud is cloud infrastructure operated
solely for a single organization, whether
managed internally or by a third-party, and
hosted either internally or externally

47. Hybrid Cloud
Hybrid cloud is a composition of two or more
clouds (private, community or public) that
remain distinct entities but are bound
together, offering the benefits of multiple
deployment models.

48. We will restrict our discussion about the security of the public cloud
SECURITY IN THE PUBLIC CLOUD

49. Shared Sense of
Security
Public cloud vendors and customers have a shared
sense of security

51. Shared
Responsibility of
security
Public cloud vendors and customers have to share
security responsibility

53. Division of Responsibility

54. Amazon AWS takes care of
• Physical Security (Nobody should walk away
with the server including Govt.)
• Host OS which runs the virtualization software
• Virtualization Security (Rogue VMs can't harm
others)

55. Amazon AWS takes care of
• Environmental Safeguards (DC is safe to run
servers)
• Administrative Controls (Policies and
Procedures)
• Certifications and Accreditations (SAS70, SOC1,
PCI, ISO27K1)

56. You take care of
• Guest OS (The Compute instance)
• Application Security (The application on the
compute instance)
• Data Security (The data being generated,
processed by the application)
• Network security for the guest &
applications
• Security Monitoring of Guest OS &
applications

57. A few public cloud vendors

58. Does Cloud Need
Security?
Wrong question to ask, the question should be…

59. Do we need to
worry about our
data, our infra, our
apps stored in the
public cloud?

60. Our apps in the public cloud
• This applies only to IAAS and PAAS as in
SAAS it is not our application
• An in secure app can expose underlying
infrastructure and data to theft, corruption
and exposure

61. Security Testing of Apps
• No different from testing any application for
security
• We might require permission to run
automated scanners against the app
• Ideal framework to test against is OWASP
Top 10 and OWASP Testing Guide

62. App Insecurity Scenario
• App has a Local File Inclusion bug
• The AWS root credentials are being used
• They are stored in a world readable file on the
server
• Attacker reads the credentials and starts
multiple large instances to mine bitcoins
• Victim saddled with a massive bill at the end of
the month

63. Our infra in the public cloud
• This applies only to IAAS as in SAAS and
PAAS it is not our application or infra
• Infrastructure vulnerabilities can derail any
app security in place.

64. Security Testing of Infra
• No different from testing server for security
• We may require permission to run
automated scanners against the server
• Ideal framework to test against is any
Penetration Testing Standard PTES /
OSSTMM

65. Infra Insecurity Scenario
• MySQL Production database is listening on external
port
• Developers work directly on production database
and require SQL Management Software
• They log in using the root user of MySQL Database
server and a simple password
• Attacker runs a brute force script and cracks the
password, gains full access to the database

66. HEARTBLEED – AN ILLUSTRATION OF AN
INFRASTRUCTURE VULNERABILITY

70. Servers (Infra)
were leaking
sensitive
information

71. What kind of information?
• Session IDs
• Usernames
• Password
• Server Certificate’s Private Keys

72. CloudFlare hosted a vulnerable server
A security researcher sent 2.5 million requests
and got the private keys

73. What is the big deal about that?
• Private Keys for the SSL certificate
can decrypt all past and future traffic
• Private Keys allow for impersonation of that
service as well.
• What if some website could pretend to be
https://examplebank.com ?

74. Armature Hour at AWS
• https://opbeat.com/blog/posts/amateur-hour-
at-aws/
• Amazon AWS took about 48 hours after
everyone knew about Heartbleed to patch
its servers and inform its customers
• This caused a lot of heart-ache and pain for
its customers

75. Our data in the public cloud
• This applies only all PAAS, IAAS and SAAS
• Our data can get leaked, exposed, stolen,
held ransom if we don’t take care of making
sure it is safe while being used, while being
transmitted and while being stored

76. Verifying Data Security through Testing
• This is a specialized testing requirement. A part
of this can be tested by looking at the system
and application architecture
• All the places where the data can be written,
sent, travel need to be looked at.
• Writing to storage, exposing APIs, backups and
even insider threats

77. Verifying Data uses Encryption
• Data at rest is encrypted
– This will ensure that if an attacker has access to the
disk/store, they can’t use the data
• Data in motion is encrypted
– This will ensure that if an attacker can sniff the network
traffic they can’t see &tamper the data
• Data in use (tmp files, key loaded in memory)
– This will ensue that if an attacker can’t do catastrophic
damage if they manage to gain access to a server

78. Secure Key Management
• Once we start using encryption for data
storage and data transmission, the encryption
keys need to be safeguarded against theft,
accidental loss
• A secure key management process will ensure
that at any point keys can be revoked and
reissued

79. Data Insecurity Scenario
• Database is getting backed up regularly.
• Due to performance reasons, database
wasn’t encrypted when initial backups were
done.
• Dev team moves to newer type SSDs and
doesn’t decommission older HDDs.
• Attacker finds older HDD, does forensics for
data recovery and sell the data for profit.

80. Cloud versus the IT department

81. How does being in
the cloud change
the traditional IT
department?

82. How do IT
departments
manage cloud
instances & data?

83. Does the company
Info sec policy still
apply?

84. Does the Countries
cyber laws still
apply?

85. How to applications get attacked?

86. What are the frameworks for testing cloud?
Can we follow some best practices ?
HOW DO YOU TEST FOR SECURITY?

87. Cloud Security Alliance
• Security Guidance Document
• https://cloudsecurityalliance.org/guidance/
csaguide.v2.1.pdf
• Covers 13 Critical Area Domains

88. European Network and Information Security
Agency (ENISA)
• Cloud Computing Information Assurance
Framework
• http://www.enisa.europa.eu/activities/risk-management/
files/deliverables/cloud-computing-
information-assurance-framework/
at_download/fullReport
• Covers 15 areas in OpSec & Identity &Access
Management

89. Frameworks are great, but
• They are too extensive to be actionable
• They are too generic for real world security
• They provide structure but lack incisive
steps that can be taken right now to
become secure

90. 10 STEPS TO SECURING A CLOUD
DEPLOYMENT (INFRASTRUCTURE)

91. Why Infrastructure first?
In all cases Cloud Service Provider (CSP) takes
care of physical security and the host
operating system. So we just need to worry
about the guest OS and all the
infrastructure running on it.

92. AWS and Rackspace Host OS Vuln
24th September 2014

93. AWS and Rackspace Host OS Vuln
From the Amazon AWS Blog
XEN Hypervisor Security Issues

95. 5 Pillars of Security in IAAS(AWS)
• Identity and Access Management
• Configuration and Patch Management
• Endpoint and Network Protection
• Vulnerability and Asset Management
• Data Protection

96. How the CSPs stack up for security?
CSP/Security
Feature
AWS Google
Compute
Engine
Microsoft
Azure
Rackspace
IAM YES YES YES Sort of
2FA for
Need to
Need to
YES* (Paid
NO
Management Layer
enable
enable
Service)
Network Isolation YES YES YES YES
Virtual Private
YES YES YES YES
Networks
Firewall YES YES YES YES
Centralized Logs
YES NO YES* NO
and Audit Trail
Encryption for
Storage
YES YES YES
Key Management YES YES YES YES
http://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/
http://t.co/tig66fyu9K-Thanks
to @govindk

97. The 10 steps are
1. Enumerate all the network interfaces
2. List all the running services
3. Harden Each Service separately based on best
practices
4. Secure Remote access for server management
(SSH, RDP)
5. Check Operating System Patch Levels

98. The 10 steps are
6. Harden the networking parameters of the
Kernel (Linux Specific)
7. Enable a Host Firewall
8. Do an inventory all user accounts on the
server and audit them
9. Enable Centralized Logging
10. Enable Encryption on disks, storage etc.

99. Demo for 10 steps

100. AWS IAM Best Practices
• Lock away your AWS account access keys
• Create individual IAM users
• Use groups to assign permissions to IAM
users
• Grant least privilege

101. AWS IAM Best Practices
• Configure a strong password policy for your users
• Enable MFA for privileged users
• Use roles for applications that run on Amazon EC2
instances
• Delegate by using roles instead of by sharing
credentials
• Rotate credentials regularly

102. Real world security incidents we can all learn from
CASE STUDIES

103. Case Study 1
• Company Not following best practices
• Data loss
• Security Incident
• Catastrophic Business Failure

104. Case Study 1
CODESPACES AWS HACK

105. Anatomy of the attack
1. Distract by doing DDOS against the target
2. Gain access to the root credentials of AWS
3. All storage devices, hard disks, S3 storage
deleted
Company was a hosting company
They went bankrupt due to this and 100s of
customers lost all their data

106. Case Study 2 – Application Security
• Relatively benign bug causes major security
hole in the cloud

107. Case Study 2
APPLICATION (IN)SECURITY LOVES
XXE

108. Application (In)Security & XXE
• Researcher finds that, he can inject his own
file name and path in AWS EC2
• EC2 uses Auto Scaling
• Auto Scaling requires information to be
present on the EC2 instance
• Meta Web Server allows local HTTP
Requests to be made and server and its
credentials are pwned

109. Case Study 3 – Infrastructure
Security
• Un-patched server causes major security
breach

110. Case Study 3
INFRASTRUCTURE SECURITY FAIL

111. Browser Stack
• Old neglected server, not being used.
• Server is brought up to check something.
• Un patched server is left running on the
Internet without any network protection
• Attacker compromises the server, steals the
AWS credentials and manages to email all
its customers, how bad the company is

112. Conclusions
• Security in the cloud is really not very
different from regular security
• Same principles and processes apply
• Same tools and techniques apply
• IT folks need to simply understand what is
the best way to get the same thing done

113. Questions?
Contact
Twitter @makash
Linkedin https://linkd.in/webappsecguy
Email akashmahajan@gmail.com

114. Attributions
• Cloud Image Background from www.perspecsys.com
• Video of Vishwa Bandhu https://www.youtube.com/watch?v=ApQlMm39xr0
• Virtualization image By Qingqing Chen (Own work) [Public domain], via Wikimedia Commons
• CPU Usage https://www.wormly.com/help/windows-server/cpu-usage-win32
• Yoga agility By Earl McGehee (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/
3.0)], via Wikimedia Commons
• Toyota Robot at Toyota Kaikan
• AWS Scale on Demand http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-scale-based-
on-demand.html
• SOA for Cloud Computing http://www.communitydatalink.com/portfolio/cloudservices/
• http://www.rackspace.com/knowledge_center/whitepaper/understanding-the-cloud-computing-stack-saas-
paas-iaas
• By Sam Joton (wikipedia) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via
Wikimedia Commons
• Big Thanks to @govindk for fixing errors in Slide #96