Glib Pakharenko, profile picture
Uploaded byGlib Pakharenko
204 views

Cloud orchestration risks

The document outlines significant risks associated with cloud orchestration, including compromises in cloud security, governance issues, and segregation challenges. It emphasizes the difficulty of recovering from compromises and highlights the importance of using automation tools, proper access management, and implementing security best practices. Additionally, it discusses the transition from traditional infosec practices to a DevSecOps approach, while stressing the need for thorough monitoring, compliance checks, and avoiding hardcoded credentials.

Embed presentation

Download to read offline
Cloud orchestration risks Glib Pakharenko
Cloud orechstration stack
Cloud services (TOP layer)
Cloud services (TOP layer)
Kubernetes architecture
Kubernetes architecture
Risk #1: Compromise in the cloud A compromise to the degree described earlier is effectively irreparable, and the standard advice to "flatten and rebuild" every compromised system is simply not feasible or even possible if Active Directory has been compromised or destroyed. © https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/planning-for-compromise Recovery from a full compromise is extremely difficult requiring vast amounts of time. A likely scenario is that a victim may need to rebuild the domain from scratch. © https://securelink.net/insights/pentesting-stories-errors-limited-hygiene/
How to quickly rebuild infrastructure? • manual deployment guides xx pages long are not feasible • deployment automation even for small deployments: • Ansible/Chef/Puppet for nodes • Terraform for kubernetes deployments • Helm for applications deployments • CI/CD tools for deployments • managed services for quick setup (e.g. cloud database engine instead of database on IaaS) Risk #1: Compromise in the cloud
How to do IR in the cloud? • dedicated cloud account and infrastructure for security • logs collection and monitoring • containers compromise monitoring (who runs a shell there?) • cloud objects logs • kubernetes objects logs • netflow/sflow collection and monitoring • compliance monitoring (e.g. forseti) • monitor budget spendings (e.g. someone mines cryptocurrency on your infrastructure) Risk #1: Compromise in the cloud
How to manage access in the cloud? Consider that to have a good assurance about access revocation you need to redeploy the assets! © https://cloud.google.com/security/data-loss-prevention/revoking-user-access If you're concerned about the code integrity of your deployed apps, you may want to redeploy them (including any modules) with a known-good checkout from your version control system. Risk #1: Compromise in the cloud
How to manage access in the cloud? © https://cloud.google.com/security/compromised-credentials • Replace Service Account Private Keys (JSON and p12 files) • Regenerate API Keys • Reset OAuth2 Client ID Secrets • Remove Google Cloud SDK Credentials • Remove ssh keys from VMs • Revoke access to cloud SQL databases • Invalidate Browser Cookies • Delete all unauthorized resources • And many other cloud and kubernetes potential backdoors could exist Risk #1: Compromise in the cloud
Risk #2: Issues with governance in the cloud Consider the following issues with access management and resource provisioning: 1.Access management: a. Admins in the cloud objects. b. Admins in the Kubernetes objects. c. Admins in the applications and docker images (hardcoded credentials). 2.Kubernetes has more than hundred type of objects: a. How to authorize creation of new K8 objects? b. How to authorize creation of new docker images? c. How to authorize creation of new cloud objects (e.g. storage buckets)?
Key DevOps problem: 1.Old paradigm: InfoSec mandates through policy -> IT implements no longer works. 2.InfoSec -> transforms into -> DevSecOps: a. DevSecOps implements a one-click solution and IT just deploys that (through Terraform/Helm/CI etc.) 3.More responsibility comes to DevSecOps: a. If %CPU is overloaded due to the improper rules for web-firewall? b. If a proper workaround for the security bug (CVE) exists instead of updating the software? c. DevSecOps should follow the Technology policy (say Mongodb is banned, and we need to use Azure Cassandra). Risk #2: Issues with governance in the cloud
Risk #3: Issues with segregation The segregation should be implemented on many tires: 1.Consider the scenario for crypto-currency exchange. If we run the different blockchain nodes (BTC/LTC/Monero) in the same cluster than we’re very vulnerable if one is compromised. 2.Implement Pod<->Pod network level filtering (and encryption if possible). 3.Implement message queue security between microservices (in many deployments only access to the BUS is authorized). 4.Limit access from Pods to the Cloud service accounts (and consider the risk of SSRF bugs!). 5.Do not use shared secrets (say for Oauth2). 6.Limit commits ability to the main branch (e.g. only few seniors can handle pull requests). 7.Separate Prod/Test/Dev clusters and all cloud accounts.
Other important points 1.Do not hardcode credentials in any way. Use kubernetes secrets at least. 2.Watch for vulnerabilities in all infrastructure layers: a. Docker images (e.g. if there was no rebuild for 1 year image how many vulns are there). b. Cloud. c. K8 d. etc. 3.Implement hardening on all levels (Application/OS/Docker/K8/..) 4.The lack of knowledge about modern clouds inside teams leads to the security nightmare 5.Use signed Docker images and sign code and packages. 6.Use technology specific tools for compliance (e.g. K8 admission controllers, or WP core::integrity checking).
Other important points 7.Manual operations lead to mistake (e.g. publish service on the external IP -> implement firewall). 8.High speed of development leads to the lack of documentation (e.g. even all software requirements are in the Jira tickets). If you do not have an order now then you won’t have it in the cloud either. 9.Just copy->cloud of the enterprise infrastructure is costly and often ineffective. You need ot shift to the cloud paradigm of all development&deployment process. 10.It is very very hard to move monolithic application to the K8 and cloud microservices.

More Related Content

PDF
Container Security Deep Dive & Kubernetes
byAqua Security
 
PDF
Docker Security - Continuous Container Security
byDieter Reuter
 
PDF
Container Security
byJie Liau
 
PPTX
Understanding container security
byJohn Kinsella
 
PDF
Kubernetes deployment on bare metal with container linux
bymacchiang
 
PPTX
Docker Container Security - A Network View
byNeuVector
 
PDF
Kubernetes - Security Journey
byJerry Jalava
 
PPTX
Security best practices for kubernetes deployment
byMichael Cherny
 
Container Security Deep Dive & Kubernetes
byAqua Security
 
Docker Security - Continuous Container Security
byDieter Reuter
 
Container Security
byJie Liau
 
Understanding container security
byJohn Kinsella
 
Kubernetes deployment on bare metal with container linux
bymacchiang
 
Docker Container Security - A Network View
byNeuVector
 
Kubernetes - Security Journey
byJerry Jalava
 
Security best practices for kubernetes deployment
byMichael Cherny
 

What's hot

PDF
How abusing the Docker API led to remote code execution same origin bypass an...
byAqua Security
 
PDF
Docker London: Container Security
byPhil Estes
 
PDF
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
byZach Hill
 
PPTX
Docker Container Security
bySuraj Khetani
 
PDF
Cloud-native applications with Java and Kubernetes - Yehor Volkov
byKuberton
 
PDF
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
byDevOpsDays Riga
 
PPTX
K8s security best practices
bySharon Vendrov
 
PDF
Container Security
bySalman Baset
 
PPT
Container security
byAnthony Chow
 
PDF
Docker and kernel security
bysmart_bit
 
PDF
Veer's Container Security
byJim Barlow
 
PDF
Kubernetes - security you need to know about it
byHaydn Johnson
 
PDF
Ci/CD - Stop wasting time, Automate your deployments
byJerry Jalava
 
PDF
Practical Approaches to Container Security
byShea Stewart
 
PDF
Cloudstack at Spotify
byNoa Resare
 
PDF
Justin Cormack - The 10 Container Security Tricks That Will Help You Sleep At...
byCodemotion
 
PDF
Troubleshooting Tips from a Docker Support Engineer
byJeff Anderson
 
PDF
Best Practices for Developing & Deploying Java Applications with Docker
byEric Smalling
 
PDF
Docker Security: Are Your Containers Tightly Secured to the Ship?
byMichael Boelen
 
PDF
Docker in the Oracle Universe / WebLogic 12c / OFM 12c
byFrank Munz
 
How abusing the Docker API led to remote code execution same origin bypass an...
byAqua Security
 
Docker London: Container Security
byPhil Estes
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
byZach Hill
 
Docker Container Security
bySuraj Khetani
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
byKuberton
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
byDevOpsDays Riga
 
K8s security best practices
bySharon Vendrov
 
Container Security
bySalman Baset
 
Container security
byAnthony Chow
 
Docker and kernel security
bysmart_bit
 
Veer's Container Security
byJim Barlow
 
Kubernetes - security you need to know about it
byHaydn Johnson
 
Ci/CD - Stop wasting time, Automate your deployments
byJerry Jalava
 
Practical Approaches to Container Security
byShea Stewart
 
Cloudstack at Spotify
byNoa Resare
 
Justin Cormack - The 10 Container Security Tricks That Will Help You Sleep At...
byCodemotion
 
Troubleshooting Tips from a Docker Support Engineer
byJeff Anderson
 
Best Practices for Developing & Deploying Java Applications with Docker
byEric Smalling
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
byMichael Boelen
 
Docker in the Oracle Universe / WebLogic 12c / OFM 12c
byFrank Munz
 

Similar to Cloud orchestration risks

PDF
Slashing Your Cloud Risk: 3 Must-Do's
bySecurity Innovation
 
PPTX
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
PPTX
DevSecOps in a cloudnative world
byKarthik Gaekwad
 
PPTX
Cloud Security_ Unit 4
byIntegral university, India
 
PPTX
10 tips for Cloud Native Security
byKarthik Gaekwad
 
PDF
cloud security lecture abcedfghigklmnopqrstucvbnm,
byarfaouisalim
 
PPTX
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
PPTX
KubeSecOps
byKarthik Gaekwad
 
PPTX
Hybrid - Seguridad en Contenedores v3.pptx
byHansFarroCastillo1
 
PDF
Cloud Security - Types, Common Threats & Tips To Mitigate.pdf
byDataSpace Academy
 
PDF
Securing Microservices in Containerized Environments
byDevOps.com
 
PPTX
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
byShannon Lietz
 
PPTX
Security for AWS : Journey to Least Privilege (update)
bydhubbard858
 
PDF
Security for AWS: Journey to Least Privilege
byLacework
 
PDF
A-Throwaway-Deck-for-Cloud-Security-Essentials-2.0-SL.pptx.pdf
byjblac2025
 
PDF
Practical Guide to Securing Kubernetes
byLacework
 
PPTX
Securing Application Deployments in CI/CD Environments (Updated slides: http:...
byBinu Ramakrishnan
 
PDF
Cloud-Native Security
byVMware Tanzu
 
PDF
Cloud Native Security: New Approach for a New Reality
byCarlos Andrés García
 
PPTX
Container security Familiar problems in new technology
byFrank Victory
 
Slashing Your Cloud Risk: 3 Must-Do's
bySecurity Innovation
 
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
DevSecOps in a cloudnative world
byKarthik Gaekwad
 
Cloud Security_ Unit 4
byIntegral university, India
 
10 tips for Cloud Native Security
byKarthik Gaekwad
 
cloud security lecture abcedfghigklmnopqrstucvbnm,
byarfaouisalim
 
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
KubeSecOps
byKarthik Gaekwad
 
Hybrid - Seguridad en Contenedores v3.pptx
byHansFarroCastillo1
 
Cloud Security - Types, Common Threats & Tips To Mitigate.pdf
byDataSpace Academy
 
Securing Microservices in Containerized Environments
byDevOps.com
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
byShannon Lietz
 
Security for AWS : Journey to Least Privilege (update)
bydhubbard858
 
Security for AWS: Journey to Least Privilege
byLacework
 
A-Throwaway-Deck-for-Cloud-Security-Essentials-2.0-SL.pptx.pdf
byjblac2025
 
Practical Guide to Securing Kubernetes
byLacework
 
Securing Application Deployments in CI/CD Environments (Updated slides: http:...
byBinu Ramakrishnan
 
Cloud-Native Security
byVMware Tanzu
 
Cloud Native Security: New Approach for a New Reality
byCarlos Andrés García
 
Container security Familiar problems in new technology
byFrank Victory
 

More from Glib Pakharenko

PPTX
Top mistakes that allows to make a successful pentest
byGlib Pakharenko
 
PPTX
State of cyber-security in Ukraine
byGlib Pakharenko
 
PDF
Fintech security
byGlib Pakharenko
 
DOCX
Огляд атак на критичну інфраструктуру в Україні
byGlib Pakharenko
 
PPTX
Кращі практики керування ризиками хмарних технологій
byGlib Pakharenko
 
PPTX
Кібер-атаки на критичну інфраструктуру в Україні
byGlib Pakharenko
 
DOC
Uisg5sponsorreport eng v03_ay
byGlib Pakharenko
 
PDF
Uisg5sponsorreport
byGlib Pakharenko
 
PPT
Using digital cerificates
byGlib Pakharenko
 
PPTX
Abra pocket office
byGlib Pakharenko
 
ODP
Utm
byGlib Pakharenko
 
PPT
Automating networksecurityassessment
byGlib Pakharenko
 
PPTX
социальные аспекты иб V3
byGlib Pakharenko
 
PPTX
Uisg opening
byGlib Pakharenko
 
PPT
Pentest requirements
byGlib Pakharenko
 
PPT
Kke
byGlib Pakharenko
 
PPT
Isaca kyiv chapter_2010_survey_finding_summary_v07_ay
byGlib Pakharenko
 
XLS
Uisg companies 4
byGlib Pakharenko
 
DOC
Кому нужна защита персональных данных
byGlib Pakharenko
 
DOC
Copy of Кому нужна защита персональных данных censored edition
byGlib Pakharenko
 
Top mistakes that allows to make a successful pentest
byGlib Pakharenko
 
State of cyber-security in Ukraine
byGlib Pakharenko
 
Fintech security
byGlib Pakharenko
 
Огляд атак на критичну інфраструктуру в Україні
byGlib Pakharenko
 
Кращі практики керування ризиками хмарних технологій
byGlib Pakharenko
 
Кібер-атаки на критичну інфраструктуру в Україні
byGlib Pakharenko
 
Uisg5sponsorreport eng v03_ay
byGlib Pakharenko
 
Uisg5sponsorreport
byGlib Pakharenko
 
Using digital cerificates
byGlib Pakharenko
 
Abra pocket office
byGlib Pakharenko
 
Utm
byGlib Pakharenko
 
Automating networksecurityassessment
byGlib Pakharenko
 
социальные аспекты иб V3
byGlib Pakharenko
 
Uisg opening
byGlib Pakharenko
 
Pentest requirements
byGlib Pakharenko
 
Kke
byGlib Pakharenko
 
Isaca kyiv chapter_2010_survey_finding_summary_v07_ay
byGlib Pakharenko
 
Uisg companies 4
byGlib Pakharenko
 
Кому нужна защита персональных данных
byGlib Pakharenko
 
Copy of Кому нужна защита персональных данных censored edition
byGlib Pakharenko
 

Cloud orchestration risks

  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
    Risk #1: Compromisein the cloud A compromise to the degree described earlier is effectively irreparable, and the standard advice to "flatten and rebuild" every compromised system is simply not feasible or even possible if Active Directory has been compromised or destroyed. © https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/planning-for-compromise Recovery from a full compromise is extremely difficult requiring vast amounts of time. A likely scenario is that a victim may need to rebuild the domain from scratch. © https://securelink.net/insights/pentesting-stories-errors-limited-hygiene/
  • 8.
    How to quicklyrebuild infrastructure? • manual deployment guides xx pages long are not feasible • deployment automation even for small deployments: • Ansible/Chef/Puppet for nodes • Terraform for kubernetes deployments • Helm for applications deployments • CI/CD tools for deployments • managed services for quick setup (e.g. cloud database engine instead of database on IaaS) Risk #1: Compromise in the cloud
  • 9.
    How to doIR in the cloud? • dedicated cloud account and infrastructure for security • logs collection and monitoring • containers compromise monitoring (who runs a shell there?) • cloud objects logs • kubernetes objects logs • netflow/sflow collection and monitoring • compliance monitoring (e.g. forseti) • monitor budget spendings (e.g. someone mines cryptocurrency on your infrastructure) Risk #1: Compromise in the cloud
  • 10.
    How to manageaccess in the cloud? Consider that to have a good assurance about access revocation you need to redeploy the assets! © https://cloud.google.com/security/data-loss-prevention/revoking-user-access If you're concerned about the code integrity of your deployed apps, you may want to redeploy them (including any modules) with a known-good checkout from your version control system. Risk #1: Compromise in the cloud
  • 11.
    How to manageaccess in the cloud? © https://cloud.google.com/security/compromised-credentials • Replace Service Account Private Keys (JSON and p12 files) • Regenerate API Keys • Reset OAuth2 Client ID Secrets • Remove Google Cloud SDK Credentials • Remove ssh keys from VMs • Revoke access to cloud SQL databases • Invalidate Browser Cookies • Delete all unauthorized resources • And many other cloud and kubernetes potential backdoors could exist Risk #1: Compromise in the cloud
  • 12.
    Risk #2: Issueswith governance in the cloud Consider the following issues with access management and resource provisioning: 1.Access management: a. Admins in the cloud objects. b. Admins in the Kubernetes objects. c. Admins in the applications and docker images (hardcoded credentials). 2.Kubernetes has more than hundred type of objects: a. How to authorize creation of new K8 objects? b. How to authorize creation of new docker images? c. How to authorize creation of new cloud objects (e.g. storage buckets)?
  • 13.
    Key DevOps problem: 1.Oldparadigm: InfoSec mandates through policy -> IT implements no longer works. 2.InfoSec -> transforms into -> DevSecOps: a. DevSecOps implements a one-click solution and IT just deploys that (through Terraform/Helm/CI etc.) 3.More responsibility comes to DevSecOps: a. If %CPU is overloaded due to the improper rules for web-firewall? b. If a proper workaround for the security bug (CVE) exists instead of updating the software? c. DevSecOps should follow the Technology policy (say Mongodb is banned, and we need to use Azure Cassandra). Risk #2: Issues with governance in the cloud
  • 14.
    Risk #3: Issueswith segregation The segregation should be implemented on many tires: 1.Consider the scenario for crypto-currency exchange. If we run the different blockchain nodes (BTC/LTC/Monero) in the same cluster than we’re very vulnerable if one is compromised. 2.Implement Pod<->Pod network level filtering (and encryption if possible). 3.Implement message queue security between microservices (in many deployments only access to the BUS is authorized). 4.Limit access from Pods to the Cloud service accounts (and consider the risk of SSRF bugs!). 5.Do not use shared secrets (say for Oauth2). 6.Limit commits ability to the main branch (e.g. only few seniors can handle pull requests). 7.Separate Prod/Test/Dev clusters and all cloud accounts.
  • 15.
    Other important points 1.Donot hardcode credentials in any way. Use kubernetes secrets at least. 2.Watch for vulnerabilities in all infrastructure layers: a. Docker images (e.g. if there was no rebuild for 1 year image how many vulns are there). b. Cloud. c. K8 d. etc. 3.Implement hardening on all levels (Application/OS/Docker/K8/..) 4.The lack of knowledge about modern clouds inside teams leads to the security nightmare 5.Use signed Docker images and sign code and packages. 6.Use technology specific tools for compliance (e.g. K8 admission controllers, or WP core::integrity checking).
  • 16.
    Other important points 7.Manualoperations lead to mistake (e.g. publish service on the external IP -> implement firewall). 8.High speed of development leads to the lack of documentation (e.g. even all software requirements are in the Jira tickets). If you do not have an order now then you won’t have it in the cloud either. 9.Just copy->cloud of the enterprise infrastructure is costly and often ineffective. You need ot shift to the cloud paradigm of all development&deployment process. 10.It is very very hard to move monolithic application to the K8 and cloud microservices.