Cloud security introduction

  1. Cloud Security Introduction
     Master of Applied Information Systems, Mar 2018
  2. Agenda
     SMU Classification: Restricted
     • Introduction: What is cloud computing
     • Cloud security incident
     • Cloud security challenges
     • Cloud standards & guidelines
     • Cloud policy and planning
     • Cloud security controls
     • Cloud architecture and design
     • Summary
  3. Disclaimer
     • Non-comprehensive
     • Updated on a best-effort basis
     • Cloud is a fast-changing environment
  4. Cloud computing definition
     • On-demand self-service: the consumer can unilaterally provision computing capabilities
     • Broad network access
     • Resource pooling
     • Rapid elasticity
     • Measured service
     (As defined by NIST)
  5. NIST Reference Architecture
     Source: NIST SP 500-292, NIST Cloud Computing Reference Architecture
  6. Cloud Actors
     • Consumer: person or organisation using cloud services from a CSP
     • Provider (CSP): an entity offering cloud services to consumers
     • Auditor: an entity that provides objective and independent assessments of cloud services
     • Broker: manages use, performance, and/or delivery of cloud services between CSPs and consumers. Security-as-a-Service (SecaaS) offerings today are often “brokering” various types of access or data sent to/from the cloud
     • Carrier: an intermediary providing transport and connectivity for cloud services
  7. Cloud deployment model
     Source: https://image.slidesharecdn.com/4-theenterprisecloudcomputingparadigm-131130040800-phpapp02/95/cloud-computing-principles-and-paradigms-4-the-enterprise-cloud-computing-paradigm-4-638.jpg
  8. Cloud computing key technologies
     • Virtualisation types
     Source: https://image.slidesharecdn.com/1-150328170334-conversion-gate01/95/1introduction-to-virtualization-27-638.jpg
  9. Cloud computing key technologies
     • Containers
     Source: https://thecustomizewindows.com/2014/07/container-based-virtualization
 10. Cloud computing key technologies
     • Software-defined networking
     Source: https://commsbusiness.co.uk/features/software-defined-networking-sdn-explained/
 11. Cloud Security Incident
     Dec 2013: 40 million credit cards stolen from POS systems
     – Investigation revealed the initial malware was introduced through Target’s refrigeration vendor
     – Criminals used the vendor’s credentials to access Target’s cloud infrastructure
     Use of vendor credentials
     • Boundary defence: limit network access to the vendor portal, so that anyone who obtained the credentials could not reach the portal unless on a network allowed to access it
     • Account monitoring and control: require multi-factor authentication to log in to the vendor portal; monitor usage of vendor portal logins; profile accounts for normal activities and usage patterns
     Source: SANS Institute Case Study
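The two controls on this slide can be checked mechanically against portal access logs. This added example (not part of the slides or the SANS case study) screens a constructed vendor-portal login log against a source-network allow-list, an MFA requirement, and a per-account profile of normal hours and actions learned from a baseline window; the log lines, account name and network ranges are all made up.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed vendor-portal access log (not real data): timestamp,account,source_ip,mfa,action
VENDOR_LOG = """\
2013-11-15T09:05:00,hvac-vendor,203.0.113.17,yes,view_invoice
2013-11-16T10:12:00,hvac-vendor,203.0.113.17,yes,view_invoice
2013-11-17T11:40:00,hvac-vendor,203.0.113.22,yes,upload_invoice
2013-11-27T02:31:00,hvac-vendor,192.0.2.55,no,view_invoice
2013-11-27T02:33:00,hvac-vendor,192.0.2.55,no,export_network_map
"""
# Boundary defence: the only network the portal should accept vendor logins from (constructed)
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def parse_log(text):
    """Turn the CSV log into dicts with typed timestamp and IP fields."""
    rows = []
    for line in text.strip().splitlines():
        ts, account, ip, mfa, action = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "account": account,
                     "ip": ipaddress.ip_address(ip), "mfa": mfa == "yes", "action": action})
    return rows

def review_logins(rows, baseline_until_iso):
    """Learn each account's usual hours/actions before the cut-off, then flag later logins
    that breach the network allow-list, skip MFA, or deviate from that profile."""
    cutoff = datetime.fromisoformat(baseline_until_iso)
    profiles = defaultdict(lambda: {"hours": set(), "actions": set()})
    for r in rows:
        if r["ts"] < cutoff:
            profiles[r["account"]]["hours"].add(r["ts"].hour)
            profiles[r["account"]]["actions"].add(r["action"])
    findings = []
    for r in rows:
        if r["ts"] < cutoff:
            continue
        p = profiles[r["account"]]
        who = (r["ts"].isoformat(), r["account"])
        if not any(r["ip"] in net for net in ALLOWED_NETS):
            findings.append(who + ("login from network outside allow-list",))
        if not r["mfa"]:
            findings.append(who + ("login without MFA",))
        if p["hours"] and r["ts"].hour not in p["hours"]:
            findings.append(who + ("login outside usual hours",))
        if p["actions"] and r["action"] not in p["actions"]:
            findings.append(who + ("action never seen in baseline: " + r["action"],))
    return findings
```

Run `review_logins(parse_log(VENDOR_LOG), "2013-11-20")` to see the two late-November logins flagged on all three controls; the profile rules stay silent until a baseline exists, so the allow-list and MFA checks are the ones that fire on day one.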
 12. Docker vulnerability exploitability
     • Docker is a daemon that runs as root
     • Older Docker versions did security by blacklisting kernel calls
       – What about the calls the blacklist misses? See the “Shocker” code exploit
     • CVE-2014-9357: privilege escalation during decompression of LZMA (.xz) archives
     • 100k+ images on Docker Hub
       – In 2015, across 15k+ images, 90% contained unverified exploitable vulnerabilities
     Source: Black Hat Europe 2015, “Vulnerability exploitation in Docker container environment”
 13. Security responsibility: AWS
     Source: https://aws.amazon.com/compliance/shared-responsibility-model/
 14. Security responsibility: Microsoft
     Source: https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/
 15. Cloud Providers
 16. Cloud Security Challenges
     Traditional security challenges still apply, but in the cloud these considerations differ:
     • Resource location: consumers do not know exactly where their data lies
     • Multi-tenancy issues: how to protect your data/system on shared cloud resources
     • Authentication, authorisation, information trust: how to ensure your data accessibility & ownership? Identity and Access Management (IAM)
     • System monitoring and logs: auditability trail
     • Service Level Agreement (SLA)
 17. Traditional security challenges
     • Network security
       ▪ Firewalls
       ▪ NIDS/NIPS
       ▪ Proxies
     • Host security / virtualisation
       ▪ HIDS/HIPS
       ▪ Configuration management
       ▪ Roles/privileges
     • Data security
       ▪ Encryption at rest / in transit
       ▪ Key management
     • Vulnerability assessment and penetration testing
     • Security policy
     • Application security
       ▪ Secure coding
       ▪ WAFs
     • Database security
     • Data disposal
     • Solution architecture
     Standards & Guidelines
 18. Cloud Security Alliance (CSA)
 19. CSA Reference Architecture
 20. Other Standards and Guidelines
     Industry based
     • NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
     • PCI DSS Cloud Computing Guidelines
     Platform specific
     • Center for Internet Security (CIS) benchmarks for AWS Foundations / Azure / Google Cloud
     Application specific
     • Open Web Application Security Project (OWASP) 2017
 21. Cloud Policy and Planning
     • Business justification for cloud implementation
     • Data classification
     • System availability & accountability
     • Admin & user accessibility
     • Disaster recovery & business continuity
     • Risk assessment, mitigation & acceptance
 22. Security Principles for Cloud Design
     • Build in security at every layer
     • Design for elasticity
     • Design for failure
       – “Blast radius” control
       – System recovery
     • Use different storage options
     • Always have “feedback” loops
     • Focus on CSA: Centralisation, Standardisation, Automation
 23. Security at every layer
     “Stack” layer               Controls
     --------------------------  ------------------------------------------------------------------
     Application + Presentation  WAF, IAM, Scans/Pen test, Access control (IAM)
     Operating systems           Configuration, Vulnerability scan, Backup, User & privilege management
     Data                        Encryption, Backups, DLP, Authorisation
     Network                     Access controls, Firewalls, Routing, DDoS defences
     Hypervisor                  Configuration, Access controls, User & privilege management
 24. Hypervisor Security Controls
     • Foundational controls (NTP, SNMP, etc.)
     • Local firewall / network access controls
     • Hardening and configuration
     • Users and groups
     • Patching
     • Logging and monitoring
     • SELinux and/or multi-tenant isolation measures
 25. Virtualisation security: CSP
     • Assess the CSP’s virtualisation platform technology
     • CSP internal security controls on virtualisation (e.g. virtual firewalls or IDS)
     • CSP ISO certification, third-party cyber risk assessment, annual audit
     • Enquire about the CSP’s administrative control of the VM environment
     • Enquire about the CSP’s segregation and separation of VM zones / types
     • Understand how multi-tenancy and VM isolation are implemented, and how isolation breaches are alerted on
 26. Cloud network security
     • Most CSPs have a flat network design
     • Virtual Private Cloud (VNet + VPC)
     Source: https://blogs.msdn.microsoft.com/premier_developer/2017/09/17/differentiating-between-azure-virtual-network-vnet-and-aws-virtual-private-cloud-vpc/
 27. Cloud network security
     • Virtual network appliances
       – WAF, load balancer, proxies, Unified Threat Management
       – Vendors such as Cisco, F5, Palo Alto, Fortinet, Check Point
     • Data loss prevention (as a network control)
       – Commonly offered by CASBs
 28. Host security: OS image
     • (PaaS/IaaS) Instance / image security is one of the most important considerations
     • Standard approaches
       – Patching
       – Hardening
       – Version control
       – Access control
       – Monitoring
       – Anti-malware
     • Cloud platform inventory management tools
       – Amazon EC2 Systems Manager
       – AWS Inspector
 29. Identity and Access Management
     • Main purpose: authentication, authorisation & auditability
     • Assigned to groups, persons, processes, resources
     • Federated identities, tokenisation
     • RBAC
     Source: http://mscerts.wmlcloud.com/programming/identity%20and%20access%20management%20%20%20iam%20architecture%20and%20practice.aspx
 30. Cloud Access Security Brokers
     • A third party that helps an organisation govern use of, and protect sensitive data in, the cloud
     Source: http://focus.forsythe.com/_wss/clients/509/assets/CASB%20Functionality%20Areas%20Graphic.png
 31. Key Management in the Cloud
     • Who does it? Consumer or CSP?
     • Key generation
     • Key storage, backup, recovery
     • Key distribution
     • Key destruction
     • Cryptographic hardware (built in, or a Hardware Security Module [HSM])
       – Often governed by standards (PCI)
 32. AWS Key Management
     Source: https://image.slidesharecdn.com/encryptionkeymanagementbillshin-150410130029-conversion-gate01/95/encryption-and-key-management-in-aws-18-638.jpg?cb=1428688942
 33. Azure Key Management
     Source: https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/03/78/6076.SQLServerConnector.png
 34. Cloud Architecture & Design
     • Depends on
       – Consumer needs
         • Security policies and compliance
         • Services required
         • Network connectivity
       – CSP’s offerings
       – CASB’s offerings
       – Application dependencies
 35. AWS VPC model
     This model has:
     1. Public subnet
     2. Private subnet
     3. Routing
     4. NAT gateway
     5. Virtual Private Gateway (VPG)
     6. IPsec connectivity
     Private addresses can be routed to the VPG
     Source: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/images/Case3_Diagram.png
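The six components above translate into a small set of routing invariants that can be verified against a VPC description (for instance the output of the route-table and subnet describe calls). This added example, which is not from the slides or from AWS, encodes those invariants over a constructed VPC: every subnet has a route table, public subnets default to the internet gateway, private subnets default to the NAT gateway and never to the internet gateway, and the corporate range is routed to the VPG for the IPsec path; all CIDRs and resource ids are made up, and the target type is inferred from the id prefix.

```python
import ipaddress

# Constructed VPC description modelled on the slide's six components (public subnet,
# private subnet, routing, NAT gateway, VPG, IPsec); all CIDRs and ids are made up.
VPC = {
    "subnets": {
        "public-a":  {"cidr": "10.10.1.0/24", "public": True,  "route_table": "rt-public"},
        "private-a": {"cidr": "10.10.2.0/24", "public": False, "route_table": "rt-private"},
    },
    "route_tables": {  # (destination, target); the target id prefix gives its type
        "rt-public":  [("10.10.0.0/16", "local"), ("0.0.0.0/0", "igw-main")],
        "rt-private": [("10.10.0.0/16", "local"), ("0.0.0.0/0", "nat-a"), ("10.0.0.0/8", "vgw-corp")],
    },
}
ON_PREM_CIDR = "10.0.0.0/8"  # constructed corporate range reachable only over the IPsec tunnel

def route_target(routes, dest_cidr):
    """Target of the most specific route covering dest_cidr (AWS longest-prefix match)."""
    dest = ipaddress.ip_network(dest_cidr)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def check_vpc(vpc, on_prem_cidr):
    """Return (subnet, issue) pairs; an empty list means the layout matches the slide's model."""
    issues = []
    for name, sub in vpc["subnets"].items():
        routes = vpc["route_tables"].get(sub["route_table"])
        if routes is None:
            issues.append((name, "no route table attached"))
            continue
        default = route_target(routes, "0.0.0.0/0") or ""
        kind = default.split("-", 1)[0]          # "igw", "nat", "vgw", "local" or ""
        if sub["public"] and kind != "igw":
            issues.append((name, "public subnet needs a default route to the internet gateway"))
        elif not sub["public"]:
            if kind == "igw":
                issues.append((name, "private subnet must not route to the internet gateway"))
            elif kind != "nat":
                issues.append((name, "private subnet needs a NAT gateway for outbound traffic"))
            if not (route_target(routes, on_prem_cidr) or "").startswith("vgw"):
                issues.append((name, "private range not routed to the virtual private gateway"))
    return issues
```

`check_vpc(VPC, ON_PREM_CIDR)` returns an empty list for the constructed layout; attaching the public route table to a private subnet is the classic mistake that widens the blast radius, and the checker reports it as two separate issues.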
 36. Azure Simple DMZ
     This DMZ has 3 subnets:
     - 10.0.0.x (security)
     - 10.0.1.x (web)
     - 10.0.2.x (app)
     DMZ with security in place: “blast radius” limit
     Source: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-dmz-nsg-fw-udr-asm
 37. Summary
     • Cloud security considerations
       – Security policies for using the cloud
       – Cloud standards and guidelines
       – Cloud controls
       – Cloud architecture and design
     • The cloud is rapidly evolving
 38. References
     • SANS Institute Case Study: Critical controls that could have prevented Target breach
     • SANS SEC545: Cloud Security Architecture and Operations
     • Beyond lightning: A survey on security challenges in cloud computing, Chunming Rong, Department of Electrical Engineering and Computer Science, University of Stavanger, Norway
     • Cloud computing: Overview and research issues, Divya Kapil, School of Computing, Graphic Era Hill University, Dehradun, India
     • Cloud Security: A comprehensive guide to secure cloud computing, Ronald L. Krutz and Russell Dean Vines
     • Virtualization: Issues, security threats and solutions, Michael Pearce, Ray Hunt, The University of Canterbury