Slide 1: Microwaves vs Humans

Slide 6: We’re done automating, right?
• Config management
• Infrastructure as code
• CI/CD for infrastructure
• Automated IaaS Provisioning

Slide 7: 4 areas to improve
• One-Off tasks
• Disposable Infrastructure
• Networking
• Security Monitoring

Slide 11: “Lord Packet Cuddles” or “sg-116b7e3e4169”

Slide 13: VPN ≠ secure

Slide 16: Security monitoring
• SSH success/failures
• Failed login attempts
• Password resets
• SSH egress
• Dependent services

Slide 18: Correlation
• IaaS change log
• Version control updates
• Continuous Deployment log
• What happened?

Slide 20: Thanks! @DLAPIDUZ
Microwaves vs Humans: How to secure your cloud
Editor's Notes

  1. Microwaves are great, right? They can make coffee, defrost a chicken, pretty OK stuff. But according to a White House official they can turn into cameras and spy on us. You may laugh at it, but it is kind of how we feel about everything in the cloud. https://flic.kr/p/2rTc1
  2. Whenever a new research paper comes out with edge-case security implications we all start to freak out, and we get calls about how it impacts us. Are all our credit cards going to get stolen because of the SHA-1 collision paper? The answer is probably no…
  3. One approach is to say FAKE NEWS! Security research is fake news. Let’s all set the password to “password1” and forget about it all. What’s the worst thing that could happen?
  4. I don’t think anyone here would say “let’s totally ignore security”, but I’d bet that most of you know more than one thing that could be improved. What I want to say here today is that we should stop worrying about the fringe cases and look for lower-hanging fruit that you might not even know is there. The main problem in reality is not microwaves spying on us but humans making poor choices. And because we are now in a DevOps world, where developers have a lot more power over our production systems, we need to watch out for those things. My main argument is that we should stop letting people do “insecure” things and build automated processes that secure our systems.
  5. • When we talk about security we don’t talk in absolutes, though. A system will not suddenly become more secure because fewer humans are touching it.
     • We talk in terms of posture: in the face of an attacker, how likely are we to resist an attack?
     • Having “mycat” as a password doesn’t mean that I am going to get hacked, but it makes it a whole lot easier than using a 4k key. https://unsplash.com/search/security?photo=fPxOowbR6ls
  6. But we have configuration management, we even have tests for our configuration management, that is all we need, right?? There are many ways to do config management and automation. Have you thought about how security impacts all that automation? There are a lot of things that we can improve as a community.
  7. Four main areas of things we can improve:
     ◦ One-off tasks
     ◦ Disposability
     ◦ Networking
     ◦ Monitoring
  8. One-off tasks: configure keys, install an SSH key, set up TLS certificates, create your scaffolding infrastructure. All one-off, right? Nope. The fact that you don’t do it often doesn’t mean that you shouldn’t automate it.
  9. If you automate the one-off tasks they become regular tasks. Repetition makes mastery. Your security posture becomes very different once your keys are rotated daily instead of yearly. If a key is compromised it will be a problem for a day at most, and if you know about it you can just run the task to rotate everything.
  10. “But if your key is compromised even for a minute an attacker can add a backdoor to your system!” you say… Right, so the next thing is that we need to treat infrastructure as disposable and have automated systems to replace it. I love the Docker idea of treating server uptime as a countdown instead of a measure of pride. What does it mean to have disposable infrastructure? https://upload.wikimedia.org/wikipedia/commons/3/3f/Trash_Recycling_with_Disposal_Containers.jpg
  11. It doesn’t mean being able to set the services on fire or trashing your laptop. It means being able to rebuild your servers, containers and networks without caring about the individual components. It means having automated processes so anyone can click a button and recreate everything. It means having HA so your system can handle components being down. If you have to give your subnets a name, then we are in trouble. (BTW, I just named my favorite security group Lord Packet Cuddles.) https://flic.kr/p/cQbkVS
  12. Now that we have automated processes for one-off tasks and disposable infrastructure with scripts to generate it, we should talk about one of the lowest-hanging fruits after that: networking. When we set networks up we tend to be somewhat lazy. “This is a private subnet”, “this is a public subnet”. Everything on each subnet can talk to everything else! If I am on the VPN I can talk to everything.
  13. Please stop trusting networks! For real, we have to stop. VPNs, select IPs and CIDR blocks can be used as a layer, but you should still limit access. Your thermostat probably doesn’t need access to your servers. For each group of VMs you want to segregate, create a different subnet. Use bastion hosts to access them if necessary. You can create VMs with multiple network interfaces.
  14. We should leverage all the automation to create stricter rules. Instead of trusting full subnets, you can trust security groups. Create as many security groups as you need, and stop opening SSH to all the boxes! The more segmentation you have, the less likely user-derived (aka human) screwups are to happen.
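As an added illustration of notes 13 and 14 (example code, not from the talk), a small audit that flags security-group ingress rules which trust networks rather than groups. The rule sets, the group names and the convention that only the bastion group may accept SSH from a CIDR are constructed for the example.

```python
import ipaddress

# Constructed rule sets, loosely modelled on EC2 security-group ingress rules.
# Each rule is (from_port, to_port, source); source is a CIDR or another group's id.
LAZY_RULES = {
    "sg-app": [
        (22, 22, "0.0.0.0/0"),        # SSH open to the world
        (22, 22, "10.0.0.0/16"),      # SSH from the whole VPC, "if I am on the VPN I can talk to everything"
        (0, 65535, "10.0.1.0/24"),    # "everything on each subnet can talk to everything else"
        (443, 443, "0.0.0.0/0"),      # public HTTPS, legitimately open
    ],
}
STRICT_RULES = {
    "sg-bastion": [(22, 22, "203.0.113.0/24")],               # VPN/office range (assumed)
    "sg-app": [(22, 22, "sg-bastion"), (8080, 8080, "sg-lb")],  # trust groups, not subnets
    "sg-lb": [(443, 443, "0.0.0.0/0")],
}

SSH = 22
INTERNET_SSH = "SSH open to the internet"
NETWORK_SSH = "SSH trusted from a network instead of a security group"
ALL_PORTS = "all ports open to a whole network"


def _as_network(source):
    """Return the ip_network for a CIDR source, or None when the source is a group id."""
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None


def audit(groups, bastions=("sg-bastion",)):
    """Return (group, rule, reason) findings for rules that trust networks over groups.

    Group-sourced rules are the recommended pattern and are never flagged; a CIDR
    source is only acceptable for SSH on a designated bastion group.
    """
    findings = []
    for group, rules in groups.items():
        for rule in rules:
            lo, hi, source = rule
            net = _as_network(source)
            if net is None:
                continue
            if lo == 0 and hi == 65535:
                findings.append((group, rule, ALL_PORTS))
            elif lo <= SSH <= hi and net.prefixlen == 0:
                findings.append((group, rule, INTERNET_SSH))
            elif lo <= SSH <= hi and group not in bastions:
                findings.append((group, rule, NETWORK_SSH))
    return findings


if __name__ == "__main__":
    for name, rules in (("lazy", LAZY_RULES), ("strict", STRICT_RULES)):
        print(name, "->", audit(rules) or "no findings")
```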
  15. After all this automation we have improved our security posture quite a bit. Everything is fantastic, I have the super-duper system that no one can penetrate. Welllll… Are we sure that we haven’t been owned? How can we tell? We need monitoring! Duh, I have monitoring, I monitor all the CPUs, all the memory, all four golden signals!
  16. J’accuse! It is great that you have availability monitoring, but you also need security monitoring. Are you monitoring failed login attempts? SSH successes/failures? One of my favorite security metrics is SSH egress: are people trying to create tunnels into your network? https://www.nasa.gov/images/content/64944main_ffs_gallery_mcc_hires2.jpg
  17. Remember to apply all the same rules to your security monitoring and tooling too. Security tools are often a point of entry for attackers.
  18. These are all just ideas on how we can all improve our security. This is not about complex or advanced stuff. cloud.gov built almost all of this on a shoestring budget using public cloud. The APIs and the tools are out there; it’s a matter of just using them. I am likely going to use one of your systems and you are probably going to use one of mine. We can all benefit from better automation in infrastructure and security. Once you set all of this up you are going to love it. Manual password/key/infrastructure rotation sucks. https://flic.kr/p/bD6jZH
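An added example covering notes 16 and 18 (example code, not from the talk): detection over constructed sshd and firewall log lines for a successful login that follows a run of failures and for SSH leaving a host, plus the correlation step from slide 18, which checks each egress against a constructed IaaS/CD change log to answer “what happened?”. The log lines follow OpenSSH and iptables LOG conventions, but the hostnames, addresses, the SSH-EGRESS log prefix and the change-log entries are assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the talk): OpenSSH auth-log lines, iptables LOG
# lines from an OUTPUT-chain rule tagged "SSH-EGRESS", and an IaaS/CD change log.
AUTH_LOG = """\
Mar  7 10:01:12 web-1 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2: RSA SHA256:abc
Mar  7 10:02:40 web-1 sshd[2209]: Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2
Mar  7 10:02:41 web-1 sshd[2209]: Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2
Mar  7 10:02:43 web-1 sshd[2211]: Failed password for root from 203.0.113.7 port 41010 ssh2
Mar  7 10:02:45 web-1 sshd[2213]: Failed password for root from 203.0.113.7 port 41011 ssh2
Mar  7 10:03:01 web-1 sshd[2215]: Failed password for root from 203.0.113.7 port 41012 ssh2
Mar  7 10:05:10 web-1 sshd[2230]: Accepted password for root from 203.0.113.7 port 41020 ssh2
"""
EGRESS_LOG = """\
Mar  7 10:05:30 web-1 kernel: SSH-EGRESS IN= OUT=eth0 SRC=10.0.1.10 DST=198.51.100.20 PROTO=TCP SPT=44310 DPT=22
Mar  7 10:20:00 web-2 kernel: SSH-EGRESS IN= OUT=eth0 SRC=10.0.1.11 DST=10.0.0.5 PROTO=TCP SPT=44312 DPT=22
"""
# (timestamp, host, what) entries, as an IaaS change log / CD log would record them
CHANGE_LOG = [
    ("Mar  7 10:19:40", "web-2", "cd: pipeline 212 pulled config repo over ssh from 10.0.0.5"),
]

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
AUTH_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
EGRESS_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) kernel: .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)")


def _ts(text):
    # syslog timestamps carry no year; good enough for ordering one day's logs
    return datetime.strptime(text, "%b %d %H:%M:%S")


def _parse(text, regex):
    events = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = _ts(d["ts"])
            events.append(d)
    return events


def parse_auth(text):
    """sshd Accepted/Failed lines -> dicts with ts, host, result, method, user, src."""
    return _parse(text, AUTH_RE)


def suspicious_logins(events, threshold=3):
    """Accepted logins from a source that already failed >= threshold times on that host."""
    failures, hits = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["host"], e["src"])
        if e["result"] == "Failed":
            failures[key] = failures.get(key, 0) + 1
        elif failures.get(key, 0) >= threshold:
            hits.append((e["host"], e["src"], e["user"], e["method"]))
    return hits


def parse_egress(text, port=22):
    """Outbound connections to `port` seen by the firewall: SSH leaving a host."""
    return [e for e in _parse(text, EGRESS_RE) if int(e["dpt"]) == port]


def correlate(egress, change_log, window=timedelta(minutes=10)):
    """Pair each SSH egress with a change-log entry for the same host inside the
    window; None means nothing in the change/deploy logs explains it."""
    changes = [(_ts(ts), host, what) for ts, host, what in change_log]
    report = []
    for e in egress:
        cause = next((what for ts, host, what in changes
                      if host == e["host"] and abs(ts - e["ts"]) <= window), None)
        report.append((e["host"], e["dst"], cause))
    return report
```

In this sample the login from 203.0.113.7 is flagged because it succeeds with a password after five failures, and only the web-2 egress is explained by the change log; the web-1 connection to 198.51.100.20 has no matching change and is the one to investigate.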
  19. Thank you so much; I’d love to chat more about new approaches to prevent human mishaps and improve automation. Stay paranoid, my friends.