This document summarizes security best practices for cloud computing. It discusses how security in the cloud requires a shared responsibility model between the cloud provider and customer. It recommends implementing least privilege access, defense in depth strategies like isolating environments and regular patching, and knowing your system through strong authentication and authorization. Specific best practices covered include using multi-factor authentication, limiting exposed services, expiring unnecessary permissions, and preventing lateral movement between hosts. The document promotes keeping systems simple and securing the full technology stack.

1. Security on the Cloud
DevFest Kuala Lumpur 2018
Tu Pham
CTO @ Eway
1

2. CTO @ Eway
Technologies: Java, Python, all kind of databases and Cloud
platform from Google, Aws to Azure
Interests: Cloud computing, machine learning, system
architecture.
Husband, Father, GDE, Open source contributor
Tu Pham
foto: Lars Kruse, Aarhus Universitet
2

3. EWAY Can Power that
User Identify Social User Modeling Social CRM
Advertising Network Smart Finance Solutions Affiliate Network
3

4. Current system
> 100 000 users
- 5 SEA countries and US, UK,
AU
- 100 TBs data warehouse
- 5 TBs of new raw data every
day
- Hundred of jobs daily
Images by ConnieZhou
4

5. Let’s compare: 100 TB
- 458,130,581.25 book (200
pages of 240,000 characters)
- 26,214,400 MP3 files (with
4MB average file size)
Images by ConnieZhou
5

6. From 2009, we bring success to
hundred of thousands online
m a r k e t i n g c a m p a i g n s f o r
advertiser and hundred of millions
credit score for finance industry
based on our big data system.
6

7. Sample of Credit Scoring with
Social Activity
7

8. Organize the world’s
information and make it
universally accessible and
useful.
Our mission is aligned with Google’s mission
With Sundar Pichai - CEO of Google
2
8

9. Our Partners
Just Google
9

10. “It takes 20 years to build a reputation and
few minutes of cyber-incident to ruin it.”
-- Stephane Nappo --
Global Chief Information Security Officer at Société Générale International Banking
10

11. HOW TO PROTECT
YOUR SYSTEM, PARTNERS &
CUSTOMERS ?
11

12. Infrastructure Has Changed
EARLY 2000’s MID 2000’s NOW
Buying Hardware
12

13. Infrastructure Has Changed
EARLY 2000’s MID 2000’s NOW
Infrastructure As a ServiceBuying Hardware
13

14. Cybercrime Has Also Changed
Single Actors
EARLY 2000’s MID 2000’s NOW
14

15. Cybercrime Has AlsoChanged
Single Actors Highly Organized Groups
EARLY 2000’s MID 2000’s NOW
15

16. About Criminal Activity
EARLY 2000’s MID 2000’s NOW
16

17. Cybercrime is Flourishing
508 is the average
number of applications
in an enterprise
Evolution of AdversariesExpanding Attack Surfaces Overwhelmed Defenses
37% of US companies
face 50,000+ alerts
per month
390,000 new malicious
programs every day with
a viable ecosystem
Forbes, 2014
FireEye, 2015
AV-TEST, 2016
17

18. Today’sAttacks Have Several Stages
18

19. Who is being targeted? BIG
19

20. 20

21. Who is being targeted?And Small
21

22. 22

23. 23

24. SECURITY IN THE CLOUD
24

25. “Legacy systems are more difficult to keep updated because
enterprises may have to go around to several hundred thousand
platforms to check and update security systems. It’s easier for
legacy systems to fall behind.”
-- David Linthicum --
Senior Vice President, Cloud Technology Partners
25
The Cloud Can be Secure And More Secure

26. Challenges of being Secure in the Cloud
SECURITY TOOLSARE
Complicated to use
Difficult to deploy
Expensive to manage
and tune
HUMAN EXPERTISE IS
Hard to find
Harder to keep
Very expensive
THREAT INTELLIGENCE
AND SECURITY CONTENT
Gets stale quickly
Requires specific
know-how
Validation required to avoid
false positives
26

27. Cloud Security – NewApproach
The Principles of security do not change
but your Approach to security needs to
change:
• Security best practices are no different in the cloud
• You need to apply the same security standards to
cloud workloads as applied to on-premises
• Understand the Shared Responsibility of Cloud
Security
27

28. • Security Monitoring
• Log Analysis
• Vulnerability Scanning
• Network Threat Detection
• Security Monitoring
• Secure Coding and Best Practices
• Software and Virtual Patching
• Configuration Management
• Access Management (including multi-
factor authentication)
• Access Management
• Configuration Hardening
• Patch Management
• TLS/SSL Encryption
• Network Security
Configuration
• Web Application Firewall
• Vulnerability Scanning
• Application level attack monitoring
• Hypervisor Management
• System Image Library
• Root Access for Customers
• Managed Patching (PaaS, not IaaS)
• Logical Network Segmentation
• Perimeter Security Services
• External DDOS, spoofing, and
scanning monitored
APPS
CUSTOMER ALERT LOGICMICROSOFT
VIRTUAL MACHINES
NETWORKING
INFRASTRUCTURE
SERVICES
Cloud Security is a Shared, but not Equal, Responsibility
28

29. 29

30. YOU NEED ASOLUTION ?
30

31. WebApp
Attacks
OWASP
Top 10
Platform /
Library
Attacks
System /
Network
Attacks
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Server OS
Hypervisor
Databases
Networking
Cloud Management
CLOUD INSIGHT
Signatures &
Rules
Anomaly
Detection
Machine
Learning
Integrated value chain delivering full stack security, experts included
• Threat Intelligence
• Security Research
• Data Science
• Security Content
• Security Operations
Center
ACTIVEWATCH
DETECTION &
PROTECTION
Web Security
Manager
Log
Manager
Threat
Manager
ALL IN ONE DEFENDER 31

32. Security Has Changed
32

33. BEST PRACTICE
33

34. Top Security Best Practices
Know Thy System - Keep It Simple and thus Secure
Goal: KISS comes from ‘Keep It Simple, Stupid’. You can only secure a
system that you can completely understand
Do
Keep things simple. Prefer simplicity over a complex and specific
architecture.
Ensure others can understand the design.
Use standardized tooling that others already know how to use.
Draw high-level data flow diagrams.
34

35. Top Security Best Practices
Know Thy System - Require strong authentication
Goal: Use credential-based authentication and user session
management to grant access
Do
Use credential-based authentication and user session management
where the session information is passed by the user
Use API keys for service authentication
Use a password manager to store distinct passwords for each
service a user accesses.
Use purpose-built credential sharing mechanisms when sharing is
required (1password for teams, LastPass, etc.)
35

36. Top Security Best Practices
Know Thy System - Require two-factor authentication
Goal: Require 2FA (or MFA) on all services internal or external to prevent
attackers from reusing or guessing a single credential such as a
password.
Do
Use an SSO (Single Sign On) solution with MFA.
For services / servers that can not support SSO, use the service’s
individual MFA features (e.g. GitHub / Google MFA / Authy).
Servers carrying secrets or widespread access (or any other
potentially sensitive data) should verify the user’s identity end to end.
36

37. Top Security Best Practices
Least Privilege - Do not expose unnecessary services
Goal: Limiting the amount of reachable or usable services to the
necessary minimum.
Do
List all services presented to the network (Internet and Intranets).
Justify the presence of each port or service.
37

38. Top Security Best Practices
Least Privilege - Do not grant or retain permissions that are no
longer needed
Goal: Expire user access to data or services when users no longer need
them
Do
Use role-based access control (allows for easy granular escalation of
privileges, only when necessary).
Routinely review user’s access permissions and expire access
automatically when unused.
Automatically disable API keys after not having been used for a given
period of time and notify the user.
38

39. Top Security Best Practices
Defense in Depth - Do not allow lateral movement
Goal: Make it difficult or impossible for an attacker to move from one host
in the network to another host
Do
Prevent inbound network access to services on a host from clients
that do not need access to the service through either host-based
firewall rules, network firewall rules
Clearly enforce which teams have access to which set of systems.
Alert on network flows being established between difference
services.
39

40. Top Security Best Practices
Defense in Depth - Isolate environments
Goal: Separating infrastructure and services from each other in order to
limit the the impact of a security breach
Do
In cases where two distinct systems are used to govern access or
authorization (e.g. Okta / Duo / Authy), ensure that no single user or
role has administrative permissions across both systems.
Use separate sets of credentials for different environments.
40

41. Top Security Best Practices
Defense in Depth - Patch Systems
Goal: Ensuring systems and software do not contain vulnerabilities when
these are found in software over time
Do
Establish regular recurring maintenance windows in which to patch
software.
Ensure individual systems can be turned off and back on without
affecting service availability.
Enable automatic patching where possible.
Check web application libraries and dependencies for vulnerabilities.
41

42. Top Security Best Practices
Services
Cloud IAM: Fine-grained identity and access management
Resource Manager: Hierarchically manage resources on GCP
Stacktrace: Distributed tracing from GCP
Access Transparency: Expand your visibility over your cloud provider
through near real-time logs
Forseti Security: Open-source security tools for GCP
Security Key Enforcement / Titan Security Key: Enforce the use of
security keys to help prevent phishing
Cloud Data Loss Prevention: Discover and redact sensitive data
42

43. JOIN THE FLIGHT
DevFest Kuala Lumpur 2018
Twitter: @phamptu
Slideshare: /phamphuongtu
Email: tupp@eway.vn
43