From 0 to Secure in 1 Minute - Securing IaaS - Nir Valtman
TRANSCRIPT
FROM 0 TO SECURE IN 1 MINUTE
NIR VALTMAN
About me
I am working as the <HEAD> Application Security </HEAD>
, except at
Neither of my previous startups succeeded!
1st time speaking publicly
But at least I invented a few open source tools.
Mmmm… OH, AND
About the talk
Cloud security challenges and benefits
And more specifically, using IaaS automation and orchestration features for increasing the security
IaaS stack (diagram): Dashboard, Billing, API / Orchestration / Hypervisor, Controller, Abstraction / Physical: Servers, Network, Storage
About the talk
Cloud Attack Vectors
- Provider administration
- Management console
- Multi tenancy & virtualization
- Automation & API
- Chain of supply
- Side channel attack
- Insecure instances
Anatomy of a cloud hack
Anatomy of a cloud hack – BrowserStack's Story
1. Shell Shock vulnerability on an unused server
2. Found an API key on the hacked server
3. Opened a firewall rule and launched an instance using the API key
4. Attached a backup volume to the instance
5. Found database credentials on the backup device
6. Connected to the DB
SOURCE: https://www.browserstack.com/attack-and-downtime-on-9-November
Do we have the right tools?
SOURCE: http://ifail.info/wp-content/uploads/2010/04/street_dentist_thumb.jpg?98bbf9
The existing security tools for DevOps
Pipeline stages: Check out code and build; Unit testing; Quality control; Deployment to test environment; Fetch latest builds; Integration testing; Packaging and archiving; Fetch release-ready builds; Deployment to pre-prod environment; Acceptance testing; Deployment to production
Secure SDLC tools overlaid on the build and test stages: Static code analysis; Software composition analysis; Dynamic/Interactive application security testing (DAST/IAST); Signing and obfuscation
Secure Infrastructure? (repeated three times on the slide, with no tool listed)
Architecture & deployments are changing
Micro-Services Architecture
DEV OPS
Continuous Delivery
1 hour / 10 min / 1 min
The billing cycles are being reduced
"Google slashes cloud platform price again"
"Microsoft will offer Azure by the minute to take on Amazon's cloud"
"Microsoft follows Google with by-the-minute cloud blending"
AUTO SCALING
The challenge
How to do security when servers are alive for 10 minutes?
- Patch management
- Maintenance windows
- Periodic vulnerability scanning
- Hardening
DON'T LET SECURITY HOLD YOU DOWN
Introducing Cloudefigo
Launch → Configure and harden → Scan → Move to Production
SOURCE: https://github.com/valtmanir/Cloudefigo
Based on the work by Rich Mogull from Securosis: https://github.com/rmogull/PragmaticNetSecManagement
Cloudefigo's lifecycle
1. Server launch
2. Server loads security configuration (from S3)
3. Server encrypts disk volumes
4. Server scanned for vulnerabilities
5. Server moves to production
Components
- Object Storage
- Vulnerability Scanner
- Cloud-Init
- Configuration Management
- IAM Roles
- Volume Encryption
Instance's lifecycle
Launch → Update → Control → Scan → Production → Terminate
LAUNCH
Prepare
- Each instance manages its own attributes: encryption keys; remediation vs. production groups
- Management of these attributes requires permissions
- Permissions during launch > production
- Thus, a dynamic IAM role is required
Cloudinit
- Executed with root permissions when the image is launching.
- Responsible for building the infrastructure for the following steps.
UPDATE
OS update
Pre-‐requisites
Any risks?
ü CloudInit to update & upgrade software packages
ü The primary goal is to make sure the cloud instance is secure once upgraded
Need to make sure the pre-‐prod/test/CI environments include the recent operating system
updates as well!
![Page 22: From 0 to Secure in 1 Minute - Securing laaS - Nir Valtman](https://reader033.vdocument.in/reader033/viewer/2022051709/587967e01a28ab1e388b7817/html5/thumbnails/22.jpg)
UPDATE
OS update
Pre-‐requisites
ü CloudInit to install the software packages required to operate: § Python + pip + wheel§ AWS SDK (Boto)§ Chef Client + Chef SDK (PyChef)
ü Download configurations and scripts from S3:§ Cloudefigo script§ Chef client initialization files
ü Cloudinit to create and attach a volume for application files and data.
CONTROL
Chef Registration
- The Chef clients register to the Chef Management server using the initialization files loaded from S3.
- Once the client is registered, a policy is loaded and enforced on the instance.
Encrypt
Where should you keep your keys?

| | Cloud Provider | On Premise | 3rd Party |
|---|---|---|---|
| Protected (against) | Snapshots and backups | Snapshots, backups, subpoena and malicious insiders | Snapshots, backups and cloud provider's malicious insiders |
| Vulnerable (to) | Malicious insider attacks and subpoena | Key exchange attacks | Key exchange attacks and subpoena (partial) |
- The volume is encrypted using a randomly generated key; the key is kept in S3 for later use.
- The application database is installed in the encrypted volume.
Diagram: Instance 1, Instance 2, Instance 3; Bucket 2f3g, Bucket 5dw4, Bucket 8H7g; Key ID 2f3g, 5dw4, 8H7g; Key 1#Fd3, vFS3=, Bs$a (one bucket holding one key ID and key per instance)
- Dynamic S3 policy: access to the encryption key requires a referrer header that is generated based on attributes from the instance.
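As an added example (not code from the Cloudefigo project), here is a local model of the dynamic S3 policy described above. The instance attributes, the launch secret, the HMAC derivation of the referrer value and the bucket and key names are assumptions; the policy uses the real aws:Referer condition key, and request_allowed mirrors how the StringEquals condition gates a GetObject.

```python
import hashlib
import hmac

# Constructed values (assumptions, not from Cloudefigo): attributes an instance
# can learn about itself, and a secret handed to it at launch.
INSTANCE_ATTRS = {"instance_id": "i-0123456789abcdef0", "ami_id": "ami-0abc1234"}
LAUNCH_SECRET = b"constructed-launch-secret"


def referrer_token(attrs, secret):
    """Derive the value the instance must send as its Referer header.
    An HMAC over the sorted attributes keeps the token bound to this instance."""
    msg = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def key_bucket_policy(bucket, key_id, token):
    """Bucket policy allowing GetObject on the key object only when the request
    carries the derived Referer value (StringEquals on aws:Referer)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowKeyReadWithReferrer",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{key_id}",
            "Condition": {"StringEquals": {"aws:Referer": token}},
        }],
    }


def request_allowed(policy, resource_arn, referer):
    """Local stand-in for the S3 policy evaluation: a GetObject on resource_arn
    passes only if an Allow statement matches the resource and the header
    equals the expected token (compared in constant time)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "s3:GetObject":
            continue
        if stmt["Resource"] != resource_arn:
            continue
        expected = stmt["Condition"]["StringEquals"]["aws:Referer"]
        if referer is not None and hmac.compare_digest(expected, referer):
            return True
    return False
```

Because the Referer header is set by the client, this gate is only as strong as the secrecy of the token, so keep the instance's IAM role as the first condition on the key rather than relying on the Principal "*" statement alone.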
SCAN
Automatic Scan
- A vulnerability scan is launched automatically by the CloudInit script.
- The deeper the scan, the longer it takes to move the instance to production.
Analyze
- The results of the scan are analyzed by the Cloudefigo script.
- Based on the scan results, the instance either moves to production or remains in the remediation group.
- The lowest security risk severity (the threshold) can be defined.
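An added example, not Cloudefigo's own script, of the analysis step: parse a constructed scan export, apply the configured lowest severity, and pick the production or remediation group. The CSV layout, severity names and security group ids are assumptions.

```python
import csv
import io

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan report (assumption: a simplified CSV export, not the real
# scanner's format) for one freshly launched instance.
SCAN_REPORT = """\
host,plugin,severity
10.0.1.12,SSH weak MAC algorithms,low
10.0.1.12,Outdated OpenSSL,high
10.0.1.12,Banner disclosure,info
"""


def parse_report(text):
    """Read the CSV export into a list of finding dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def blocking_findings(findings, min_severity):
    """Findings at or above the configured lowest severity. A severity the
    scanner reports that we do not know is treated as critical (fail closed)."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"].lower(), 4) >= threshold]


def choose_group(findings, min_severity, production_sg, remediation_sg):
    """Decide where the instance goes: the production security group when no
    finding reaches the threshold, otherwise it stays in remediation.
    Returns the chosen group and the findings that caused the decision."""
    blocking = blocking_findings(findings, min_severity)
    if blocking:
        return remediation_sg, blocking
    return production_sg, []
```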
PRODUCTION
Least privileged role
- Reminder: permissions in launch > production
- IAM role permissions are reduced dynamically and contain read-only access
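An added example, not Cloudefigo's code, tying the dynamic IAM role from the LAUNCH step to the reduction above: a constructed launch policy is narrowed to its read-only actions and checked to be a subset of what launch allowed. The policy contents, the Describe/Get/List rule and the bucket name are assumptions; applying the result to the role (for example with IAM put_role_policy) is left out.

```python
import copy

# Constructed launch-phase policy (assumption, not Cloudefigo's real policy):
# launch creates/attaches the volume and writes the key to S3, production reads.
LAUNCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeInstances", "ec2:CreateVolume",
                    "ec2:AttachVolume", "ec2:ModifyInstanceAttribute"]},
        {"Effect": "Allow", "Resource": "arn:aws:s3:::example-cloudefigo-bucket/*",
         "Action": ["s3:GetObject", "s3:PutObject"]},
    ],
}
READ_ONLY_VERBS = ("Describe", "Get", "List")

def _actions(stmt):
    """Normalise the Action field, which may be a string or a list."""
    return stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]

def is_read_only(action):
    """True for service:Verb actions whose verb is Describe*/Get*/List*;
    wildcards such as ec2:* are never treated as read-only."""
    service, _, verb = action.partition(":")
    return bool(service) and verb.startswith(READ_ONLY_VERBS)

def reduce_to_read_only(policy):
    """Copy of the policy with each Allow statement narrowed to read-only
    actions (statements left empty are dropped). Deny statements are kept as
    they are, since they can only narrow access further."""
    reduced = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        kept = [a for a in _actions(stmt) if is_read_only(a)]
        if stmt.get("Effect") == "Deny" or kept:
            narrowed = copy.deepcopy(stmt)
            if stmt.get("Effect") != "Deny":
                narrowed["Action"] = kept
            reduced["Statement"].append(narrowed)
    return reduced

def allowed_actions(policy):
    """Set of actions granted by the Allow statements of a policy."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _actions(s)}

def is_subset(narrow, wide):
    """Check the production policy grants nothing the launch policy did not."""
    return allowed_actions(narrow) <= allowed_actions(wide)

PRODUCTION_POLICY = reduce_to_read_only(LAUNCH_POLICY)
```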
Manage
- For the ongoing operations, compensating controls are required.
- The Cloudefigo management script lists cloud instances and validates that they are managed by Chef.
- Cloudefigo sets an alert when someone tries to use the access keys.
Building the CloudWatch alarm
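An added example, not the Cloudefigo management script, of the two compensating controls: reconcile running instances against Chef's node list, and flag every CloudTrail event signed with a watched access key (what the CloudWatch alarm does on the AWS side, done here offline). Instance ids, node names, key ids and the CloudTrail records are constructed.

```python
import json

# Constructed inventory (assumptions, not real data): instances as EC2 reports
# them and the node names the Chef server knows.
EC2_INSTANCES = [
    {"InstanceId": "i-0aaa", "State": "running", "PrivateIpAddress": "10.0.1.12"},
    {"InstanceId": "i-0bbb", "State": "running", "PrivateIpAddress": "10.0.1.13"},
    {"InstanceId": "i-0ccc", "State": "terminated", "PrivateIpAddress": "10.0.1.14"},
]
CHEF_NODES = {"i-0aaa"}

# Constructed CloudTrail records (assumption): one JSON event per line.
CLOUDTRAIL_LOG = """\
{"eventName":"DescribeInstances","userIdentity":{"accessKeyId":"ASIAEXAMPLEKEY1"},"sourceIPAddress":"10.0.1.12"}
{"eventName":"PutObject","userIdentity":{"accessKeyId":"ASIAEXAMPLEKEY1"},"sourceIPAddress":"203.0.113.7"}
{"eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAUNRELATED"},"sourceIPAddress":"203.0.113.7"}
"""


def unmanaged_instances(instances, chef_nodes):
    """Running instances with no Chef node: they never completed the CONTROL
    step, or were launched outside the pipeline."""
    return [i["InstanceId"] for i in instances
            if i["State"] == "running" and i["InstanceId"] not in chef_nodes]


def access_key_alerts(log_text, watched_keys):
    """Raise an alert for every event signed with a watched access key.
    watched_keys maps key id -> the instance address the key belongs to, so
    each alert also records whether the use came from somewhere else."""
    alerts = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key not in watched_keys:
            continue
        alerts.append({
            "key": key,
            "event": rec["eventName"],
            "source": rec["sourceIPAddress"],
            "off_host": rec["sourceIPAddress"] != watched_keys[key],
        })
    return alerts
```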
TERMINATE
Instance
- The life cycle ends once a server is terminated, along with its attached volumes and IAM role.
Encryption Keys
- The instance data still exists in backups/snapshots or provider storage.
- Encryption keys are to be deleted with the instance in order to make sure the backup data remains inaccessible (not implemented in this version).
Wrapping Up
The new software architecture and application delivery model in the cloud disrupt traditional corrective controls
We need to adopt new thinking to automate security
Think how security automation can help you in moving your infrastructure forward. Faster.
Questions
Nir Valtman
@: nir.valtman (at) ncr.com
w: www.ncr.com | www.valtman.org
in: www.linkedin.com/in/valtmanir
t: @ValtmaNir
Did I mention that I'm HIRING? Building the A-TEAM!