How do you ALL THE CLOUDS? henry canivel


Page 1: How do you ALL THE CLOUDS?

henry canivel

Page 2

Session Objectives

● Baseline understanding for cloud adoption needs

● Establish common security issues

● Recognize stakeholders and partners

● Introduce security tools, insights, and perspectives

Page 3

whoami

● Currently an information security architect

● Security professional for 5+ years

● Developer background

● “Log Czar” sounds like a really cool job title

● Originally from the bay area, now in LA for ~2 years

● Interests: food things, travel, streaming, sports, learning new tech, mastering the 4 elements with a happy attitude

Page 4

Target Audience

● IT professional

○ sysadmin, devops

● Security professional (advisory)

● Engineer

Page 5

Agenda

What’s the plan?

● Quick intro: Cloud Security Challenges

● Cloud Adoption CMMI

● Getting Started

● Strategic + Tactical Recommendations

● Cloud Security Solutions + Tools

This talk is NOT:

→ Cloud migration strategy

→ Cloud workload planning

→ Incident Response

→ AppSec

Page 6

General Cloud Challenges

● Security

● Governance/Privacy/Control

● Interoperability

● Cloud Spend Management

Page 7

Security Challenges

● Sprawl of cloud accounts, types of cloud service providers

● Misconfiguration and inadequate change control

● Attribution (read: reliable identity and asset management)

● Lack of cloud security architecture and strategy

● Lack of visibility/control

● Insufficient identity, credential, access and key management

● Insecure Interfaces and APIs

● Unknown publicly exposed servers and applications

● Limited cloud usage visibility

Page 8

Capability Maturity Model Integration

Page 9

Where are you in your Cloud Adoption Journey?

Page 10

Common Cloud Migration Strategies

Migration Strategy | Keywords | Flexibility | Effort
Lift and Shift | Legacy systems; applications without business need for change; applications with no heavy interaction with newer systems; teams with limited cloud skills | Low | Low
Refactor | Applications that need modernization; minimize software architectural changes; limited cloud optimizations | High | Medium
Rebuild | Applications with agility and scalability needs; awareness of and leverages specific cloud provider feature sets and capabilities | High | High

Page 11

Cloud Adoption CMMI

● Initial (Example: Proof of Concept)

● Managed (Example: Lift and Shift)

● Defined

● Quantitatively Managed

● Optimizing (Example: Rebuild)

Page 12

Target Audience/Trajectory for Cloud Adoption

HOW DO YOU SECURE THIS?

Page 13

What are you Protecting?

People

Data

Applications

Infra

Page 14

Mission Objectives for Securing Cloud Adoption

1. Dynamic visibility and discovery of Identities and Assets

2. Match cloud elasticity

3. Drive automated insights and analysis

4. Continuous monitoring

5. Repeatable policy enforcement

6. Identifying viable tools, designing effective management rubrics

7. Discover new attack vectors for cloud workload and service management

8. Continuous configuration assessment and reporting

9. Release blockers for aggressive configuration control enforcement

10. Inform security policy decision making

Page 15

Shared Security Model

Page 16

Cloud Service Portfolio

Compute Services

Service | AWS | Azure | GCP
IaaS | Amazon Elastic Compute Cloud | Virtual Machines | Google Compute Engine
PaaS | AWS Elastic Beanstalk | App Service and Cloud Services | Google App Engine
Containers | Amazon Elastic Compute Cloud Container Service | Azure Kubernetes Service (AKS) | Google Kubernetes Engine
Serverless Functions | AWS Lambda | Azure Functions | Google Cloud Functions

Database Services

Service | AWS | Azure | GCP
RDBMS | Amazon Relational Database Service | SQL Database | Google Cloud SQL
NoSQL: Key–Value | Amazon DynamoDB | Table Storage | Google Cloud Datastore, Google Cloud Bigtable
NoSQL: Indexed | Amazon SimpleDB | Azure Cosmos DB | Google Cloud Datastore

Storage Services

Service | AWS | Azure | GCP
Object Storage | Amazon Simple Storage Service | Blob Storage | Google Cloud Storage
Virtual Server Disks | Amazon Elastic Block Store | Managed Disks | Google Compute Engine Persistent Disks
Cold Storage | Amazon Glacier | Azure Archive Blob Storage | Google Cloud Storage Nearline
File Storage | Amazon Elastic File System | Azure File Storage | ZFS/Avere

Networking Services

Service | AWS | Azure | GCP
Virtual Network | Amazon Virtual Private Cloud (VPC) | Virtual Networks (VNets) | Virtual Private Cloud
Elastic Load Balancer | Elastic Load Balancer | Load Balancer | Google Cloud Load Balancing
Peering | Direct Connect | ExpressRoute | Google Cloud Interconnect
DNS | Amazon Route 53 | Azure DNS | Google Cloud DNS

Page 17

What are the Primary Concerns Across the Cloud Service Categories?

Compute Services -

● Access control

● Asset management

● Location (zone)

● Integrity of critical business services and ops

Database Services -

● Data access

● Compliance and Audit

● Object level control

Storage Services -

● Encryption

● Availability

● Backup strategy

● Public exposure, access controls

Networking Services -

● Approved data flows/safelisted connection sources

● Standard network segmentation (QoS, trust zones)

● Nested controls

Page 18

Stakeholders

Perspective: description and common roles involved

Business: business support capabilities to optimize business value with cloud adoption. Common roles: Business Managers; Finance Managers; Budget Owners; Strategy Stakeholders.

People: people development, training, communications, and change management. Common roles: Human Resources; Staffing; People Managers.

Governance: managing and measuring resulting business outcomes. Common roles: CIO; Program Managers; Project Managers; Enterprise Architects; Business Analysts; Portfolio Managers.

Platform: develop, maintain, and optimize cloud platform solutions and services. Common roles: CTO; IT Managers; Solution Architects.

Security: designs and ensures that the workloads deployed or developed in the cloud align to the organization’s security control, resiliency, and compliance requirements. Common roles: CISO; IT Security Managers; IT Security Analysts; Head of Audit and Compliance.

Operations: enables system health and reliability through the move to the cloud, and delivers an agile cloud computing operation. Common roles: IT Operations Managers; IT Support Managers.

Page 19

● Technology

○ Start with cloud native features and capabilities

○ Qualify Cloud Service Provider offerings

● Tools

○ Identify viable tools that address the operational inefficiencies

● Processes

○ Assess all operational processes for choke points

○ Cost operational inefficiencies, like manual tasks in your cloud management service strategy

Page 20

How do you SIMPLIFY this?

Read: how do you optimize your overall TCO?

● Find tools that reduce your manual effort

● Focus on enabling for consistent baselining of cloud adoption usage

● Find tools that enable you with more flexibility

● Prioritize your support systems and dependencies

● Prioritize the most painful, high effort, and time-consuming tasks

○ e.g., user/owner attribution, assets, context determination of workloads/projects

Page 21

(Build vs Buy) x Operate = TCO

Understand the factors for your overall cost and prioritize to determine tool selections

Page 22

Strategic Recommendations

● Minimize time spent for manual tasks (for operator) - OpEx

● Drive for visibility

○ e.g., cloud account configurations, inventory, identities

● Drives consistent outputs

● Ease of executing tool

● Drive for expansive coverage

○ e.g., across multiple services, cloud service providers

● Drives consistent outputs

● Extendable or ability for you to leverage within your current tools (i.e., SIEM)

● Maximize existent skillsets, personnel, and operational strengths

● Generates signal data

Page 23

Other Areas of Consideration

● Cost of tools - CapEx

● Level of support

● Actively maintained

● Ease to extend or customize

● Where/how to execute

○ i.e., as a standalone application? as a library in code?

● Freemium model (free to try basic capabilities)

● Data privacy and compliance aware analysis and reporting

● Coverage of compute workload types

○ e.g., server, serverless, containerized

● Integrates with current operational tool suite

● Ability to cover multiple pain points/challenges

Page 24

Common Cloud Security Solution Categories

● CWPP: Cloud workload protection platform

○ Focus: containers

● CSPM: Cloud security posture management

○ Focus: (mis)configuration, exposed services

● CASB: Cloud access security broker

○ Focus: file handling and exposure

○ Ideal: RBAC assessment, reinforcement

Page 25

Modern Considerations for Protecting Cloud-Enabled Compute Workloads

● Infrastructure as Code now means infra is vulnerable to supply chain attacks

○ Not just traditional software!

● No Cloud Security Provider presumes their default configs/wizards are safe by default

Page 26

Tactical Recommendations

● Research

○ Delve into existing analysis of the security domains

○ Identify attack vectors for cloud security → identify viable use cases

● Tool discovery

○ Target tools that expose vulnerabilities you’re less familiar with

○ Track for CSP native vs external

○ Open source vs Closed source

● Attest or stage your progress

Page 27

Research

Need some ideas? What is the landscape and how can you find tools?

https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF

https://www.aquasec.com/cloud-native-academy/cspm/cloud-security-scanner/

https://cloudsecwiki.com/index.html

https://www.comparitech.com/net-admin/cloud-security-tools/

https://tldrsec.com/tags/#cloud-security

https://github.com/toniblyx/my-arsenal-of-aws-security-tools

https://www.threatstack.com/blog/50-essential-cloud-security-blogs-for-it-professionals-and-cloud-enthusiasts#Experts

https://netflix.github.io/chaosmonkey/

Page 28

Research

What are the attack vectors for cloud security? Potential ways to discover?

https://attack.mitre.org/matrices/enterprise/cloud/

https://d3fend.mitre.org/


Page 30

Analyzer Tools: CSP native

GCP -

● https://cloud.google.com/products/security-and-identity

● https://cloud.google.com/asset-inventory

AWS -

● https://aws.amazon.com/products/security/

● https://aws.amazon.com/config

● https://aws.amazon.com/audit-manager

● https://aws.amazon.com/inspector

● https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

Page 31

Analyzer Tools: Open source/Closed source

Configuration assessment

https://github.com/nccgroup/ScoutSuite

https://github.com/duo-labs/cloudmapper

https://github.com/cloud-custodian/cloud-custodian

https://github.com/SecurityFTW/cs-suite

https://github.com/z0ph/aws-security-toolbox

https://github.com/marcin-kolda/gcp-iam-collector

https://github.com/nccgroup/azucar

https://github.com/tfsec/tfsec

https://github.com/salesforce/cloudsplaining

https://github.com/salesforce/cloud-guardrails

https://github.com/salesforce/policy_sentry

https://github.com/salesforce/terraform-provider-policyguru

https://github.com/cesar-rodriguez/terrascan

https://github.com/mykter/aws-security-cert-service-notes

https://github.com/tensult/cloud-reports

https://www.marcolancini.it/2020/blog-tracking-moving-clouds-with-cartography/

https://komiser.io/

https://cloudsploit.com/

Page 32

ScoutSuite

Page 33

Prowler

Page 34

Simulation: Test & validate detection and remediation controls, capabilities

https://github.com/splunk/attack_range

https://github.com/RhinoSecurityLabs/cloudgoat

https://sysdig.com/blog/gitops-k8s-security-configwatch/

https://github.com/OWASP/Serverless-Goat

https://github.com/nccgroup/sadcloud

https://github.com/bridgecrewio/terragoat

https://github.com/bridgecrewio/cfngoat

https://github.com/Netflix/security_monkey

http://flaws.cloud/

Page 35

Summary

● Maturing cloud adoption from project-driven catalysts is hard

● In order to scale, need to account for multiple perspectives and their drivers

● Need to identify what you’re protecting

● Solidify your organization’s priorities, standards, and processes

● Identify multiple tools that help you work smarter, not just harder

○ Scale your discovery and analysis

○ Test and validate your progress with simulation tools

Page 38

Appendix

Miscellaneous resources and references

Page 39

References

URLs

How to use trust policies with IAM roles | Amazon Web Services

Azure Security Compass 1.1

Mitigating Cloud Vulnerabilities

Cloud computing & virtualization

CSRC Topics - cloud & virtualization | CSRC

NIST Cloud Computing Program - NCCP

https://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/WebHome

CIS: Shared Responsibility for Cloud Security: What You Need to Know

Part 1: AWS Continuous Monitoring | by Uber Privacy & Security

Part 2: AWS Monitoring Case Studies | by Uber Privacy & Security

Introducing TerraGoat, a “vulnerable-by-design” Terraform training project

AWS Security Maturity Roadmap

RCE to IAM Privilege Escalation in GCP Cloud Build

Cloud Security Posture Management: Why You Need It Now

Wikipedia: Capability Maturity Model Integration

Training

AWS Security Fundamentals (Second Edition)

AWS training and certification

Networking & Security Courses

https://www.venturelessons.com/best-azure-security-courses/

Page 40

CWPP products

Kaspersky Hybrid Cloud Security

Prisma Cloud by Palo Alto Networks

Trend Micro Deep Security

Sysdig Platform

CloudGuard IaaS by Check Point

Illumio Adaptive Security Platform (ASP)

Orca Security

Radware Cloud Native Protector

CloudGuard IaaS

Intezer Protect

ColorTokens Xtended ZeroTrust Platform

InsightVM (Nexpose)

Threat Stack

StackRox Kubernetes Security Platform

Qualys Cloud Platform

Armor Anywhere

Turbot

Morphisec Unified Threat Prevention Platform

Lacework

Fugue

Virsec Security Platform

CloudGuard Dome 9

Nutanix Beam

Hillstone CloudHive Microsegmentation Solution

McAfee Server Security Suite

Smart UPS

Sophos Central

Aqua Cloud Native Security Platform

Dome9 ARC

Symantec Cloud Workload Protection

Symantec Data Center Security

VMware Carbon Black App Control

Apcera platform

CloudAware

Uptycs

Page 41

CASB products

Netskope

McAfee MVISION

Palo Alto Networks Prisma

Cisco Cloudlock

Proofpoint

Bitglass

Symantec CloudSOC

Microsoft Cloud App Security

Fortinet FortiCASB

CipherCloud

StratoKey

Forcepoint