Cloud security by Susanta - 2/15/2020

1. 15 February 2020
1

2. AGENDA
q About Cloud
q Challenges Of Cloud Computing
q Why Cloud Security?
q Cloud Shared Responsibility Model
q Scope of Security in Public Cloud
q Cloud Security Penetration Testing

3. About Cloud:
Cloud computing is the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing.
Instead of buying, owning, and maintaining physical data centers and servers, you can access technology
services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider
(like – AWS, Azur).
q Benefits of Cloud
Computing:
§ Agility
§ Elasticity
§ Cost savings
§ Deploy globally in minutes
q Cloud Deployment
Model:
§ Private Cloud
§ Public Cloud
§ Hybrid Cloud
q Cloud Services:
§ Software as a Service (SaaS)
§ Platform as a Service (PaaS)
§ Infrastructure as a Service
(IaaS)

4. Challenges of Cloud Computing?

5. Why Cloud Security?

6. qData Breaches
qData Loss
qAccount Hijacking
qInsecure APIs
qDenial of Service
qMalicious Insiders
qAbuse of Cloud Services
qInsufficient Due Diligence
qShared Technology Issues
Critical Threats as per
CloudSecurity Alliance

8. Hackers attack every 39 seconds, on average
2,244 times a day. (University of Maryland)

9. Shared Responsibility Model:

10. Scope of Security in Public Cloud:

11. Cloud Security Penetration Testing:
q Static Application Security Testing (SAST)
q Dynamic Application Security Testing (DAST)
q Microsoft Secure Software Development Life Cycle:
§ Application Programming Interface (API) (e.g.
HTTP/HTTPS)
§ Web and mobile applications that hosted by
your organization
§ The application server and associated stack
§ Virtual machines and operating systems.
q Basic Security Check/Tools:
§ AWS Inspector
§ Nmap
§ Identify misconfigured S3
buckets

12. Prerequisites before Cloud Penetration
Testing:
https://aws.amazon.com/security/penetration-testing/
q Legal Requirement:
§ Penetration Testing must comply with local and national law.
§ Written and Signed client authorization must be obtained.
§ During Penetration testing Data and PII’s must be handled as per GDPR (European), PDPA or
Country specific Data Privacy Act.
q AWS Customer Support Policy for Penetration Testing:
Permitted Services:
§ Amazon EC2 instances, NAT Gateways,
and Elastic Load Balancers
§ Amazon RDS
§ Amazon CloudFront
§ Amazon Aurora
§ Amazon API Gateways
§ AWS Lambda and Lambda Edge functions
§ Amazon Lightsail resources
§ Amazon Elastic Beanstalk environments
Prohibited Activities:
§ DNS zone walking via Amazon Route 53 Hosted
Zones
§ Denial of Service (DoS), Distributed Denial of Service
(DDoS), Simulated DoS, Simulated DDoS
§ Port flooding
§ Protocol flooding
§ Request flooding (login request flooding, API request
flooding)

13. Threat Modeling – “STRIDE” :

14. OWASP Cloud Top 10 Security Risk

15. Cloud Penetration Testing Method:
q Cloud Penetration Testing uses industry proven methodologies :
§ Open Source Security Testing Methodology Manual (OSSTMM)
§ NIST Cyber Security Framework - NIST SP 800-115
§ OWASP Testing Guide

16. Reconnaissance and Research:
q Standard Reconnaissance like – Records, Web, Network, IP/Port Fingerprinting.
q Additional information gathering using – OSINT, People, Social Media.
q Leverage DNS Record – MX, NS, SPF, TXT, Cname, A.
q Look for Cloud Credentials – such as API key, Storage account key.
q Identify DNS Record for S3 Bucket, like – abc.s3.amazon.com.
q Enumerate all the backend API calls.
q Conduct Research on:
§ Known Vulnerabilities
§ Common Misconfigurations
§ Exploitation Tools methods
§ Review Security Bulletin published by the CSP

17. LinkedIn: https://www.linkedin.com/in/susanta-roy/
Twitter: @bugpurush

18. References:
q Cloud Security Alliance (CSA)
q https://aws.amazon.com/compliance/csa/
q https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80
%90_10_Project