Shared Responsibility …In Action
Modelling Security on AWS
Mark Nunnikhoven @marknca
Traditional Responsibility Model
You (every layer, from the building to the application):
Operating System
Application
Account Management
Facilities
Physical Security
Physical Infrastructure
Network Infrastructure
Virtualization Layer
Shared Responsibility Model
You:
Operating System
Application
Account Management
Security Groups
Network Configuration
AWS:
Facilities
Physical Security
Physical Infrastructure
Network Infrastructure
Virtualization Layer
More info on the model is available at http://aws.amazon.com/security
Shared Responsibility Model: Verify
Your half of the model is yours to secure; AWS' half (facilities through the virtualization layer) you cannot inspect directly, so verify it through the published third-party audits rather than taking it on trust.
Compliance information available at http://aws.amazon.com/compliance
Common View
The model is usually drawn as a single You/AWS split, the same for every service. More information on the model at http://aws.amazon.com/security
Better View
Split AWS services into three types, because the line moves depending on the service: Infrastructure, Container, Abstract. From AWS' Mark Ryland, more info at http://4mn.ca/ZZeDbA
Service Examples        Service Type      *aaS    Your responsibilities
SQS, S3, Route53        Abstract          SaaS    fewer
RDS, EMR, OpsWorks      Container         PaaS
EC2, EBS, VPC           Infrastructure    IaaS    more
From AWS' Mark Ryland, more info at http://4mn.ca/ZZeDbA
Distribution of Security
Options : Responsibilities
Rough correlation between the number of options a service exposes and your level of responsibility: the more you are able to configure (OS, network, patching), the more you have to secure yourself.
RE:BOOT
Critical embargoed bug discovered in Xen, details at http://4mn.ca/1rcXTTN
Protecting Instances
A small percentage of instances on EC2 are scheduled for a reboot
Actions to Take
For EC2
Nothing for cloud-native architectures: instances are already disposable and the fleet absorbs the loss
Manage availability for traditional architectures: a single long-lived instance goes down when its host reboots
For RDS
Nothing for Multi-AZ instances: the standby takes over
Standard maintenance window for single instances
POODLE
CVE-2014-3566 : Padding Oracle On Downgraded Legacy Encryption
Attack forces the connection down to SSL 3.0, then uses SSL 3.0's weak CBC padding check as an oracle; details at http://4mn.ca/1EYfBEA
Actions to Take
For ELB
Select a predefined security policy that does not offer SSL 3.0 (e.g., ELBSecurityPolicy-2014-10)
For Web Servers
Enable TLS_FALLBACK_SCSV so an attacker cannot force a downgrade on clients that support it
Disable support for SSL 3.0*
*Disabling SSL 3.0 may cause compatibility issues with very old clients; test before rolling out
Shellshock
More info on bash at http://www.gnu.org/software/bash
The "() { :; };" attack: a crafted environment variable that bash imports as a function definition, then keeps executing past the closing brace
CVSS 10/10 vulnerability : widespread & easy to exploit (any service that hands attacker-controlled input to bash via the environment, such as CGI, is exposed)
Actions to Take
Steps to protection
Update bash
Use an intrusion prevention system on the instance to block attack traffic while you patch
Shifting Controls
Applied at the boundary: the majority of traditional controls (firewall, IPS) sit at the network perimeter
Applied to each instance: the same controls are still required in AWS, but you no longer own the boundary, so they are now applied on the instance itself
Demo: Shellshock against a CGI script. Watch the demo in action at http://4mn.ca/1sY3YK4
"View Source", find the CGI URL to exploit
Run the attack via curl
Return the contents of /etc/passwd with a simple custom header
Add intrusion prevention controls to the instance
Intrusion prevention resets the connection when the attack is detected
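The two Shellshock slides above (the protection steps and the CGI demo) can be reproduced on an instance with the following added example. It is not the deck's demo code or any vendor's IPS: it runs the canonical bash self-test against the local shell, then inspects raw HTTP requests for the "() {" function-definition marker that a Shellshock payload must carry in a header, and gives the same reset/pass verdict the demo's IPS does. The /cgi-bin/status.cgi path, the app.example host and the three sample requests are constructed for illustration.

```python
"""Shellshock checks for an EC2 instance: a local bash self-test and an
instance-level HTTP header inspector of the kind an IPS applies.
Added example for the deck's Shellshock slides; not the author's demo code."""
import os
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Shellshock payloads start with a bash function definition, "() {", placed in
# a value that the CGI handler exports to bash as an environment variable.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def bash_is_vulnerable() -> Optional[bool]:
    """Canonical local self-test: export a function definition with a trailing
    command and see whether bash runs the command while importing the function.
    Returns True if vulnerable, False if patched, None if bash is not installed."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
           "x": "() { :; }; echo VULNERABLE"}
    try:
        result = subprocess.run(["bash", "-c", "echo test"], env=env,
                                capture_output=True, text=True, timeout=5)
    except FileNotFoundError:
        return None
    return "VULNERABLE" in result.stdout


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a header dict."""
    lines = raw.strip().splitlines()
    headers: Dict[str, str] = {}
    if not lines:
        return "", headers
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return lines[0], headers


def find_shellshock(raw: str) -> List[str]:
    """Names of request headers carrying a Shellshock payload. Apache's CGI
    handler exports every header as HTTP_<NAME>, so Cookie, Referer and custom
    headers are injection points just like User-Agent."""
    _, headers = parse_request(raw)
    return [name for name, value in headers.items() if SHELLSHOCK_RE.search(value)]


def triage(requests: List[str]) -> List[str]:
    """Per-request verdict in the style of the deck's IPS: a request carrying a
    payload gets its connection reset, everything else passes."""
    return ["RESET" if find_shellshock(r) else "PASS" for r in requests]


# Constructed sample traffic against a hypothetical /cgi-bin/status.cgi; not
# captured from a real host. The second request mirrors the demo: a custom
# header whose payload makes the CGI script return /etc/passwd.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: app.example\r\n"
    "User-Agent: Mozilla/5.0\r\n",
    "GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: app.example\r\n"
    "User-Agent: () { :; }; echo Content-Type: text/plain; echo; /bin/cat /etc/passwd\r\n",
    "GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: app.example\r\nCookie: session=abc\r\n"
    "Referer: () { ignored; }; /usr/bin/id\r\n",
]

if __name__ == "__main__":
    print("local bash vulnerable:", bash_is_vulnerable())
    for request, verdict in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(verdict, find_shellshock(request))
```

The self-test is the same one-liner administrators ran in 2014; on a patched bash it prints only "test". The header check deliberately matches any header, not just User-Agent, because the deck's point is that a "simple custom header" is enough: whatever the client sends becomes an environment variable in the CGI process.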
Options : Responsibilities
Where does your deployment fall on the scale? The more options you have chosen to control, the more of these controls are yours to apply.
Learn more at
testdrive.trendmicro.com
Thank you!
Follow me on Twitter @marknca