BSides Tampa 2017 - Redefining Security in the Cloud

BSIDES TAMPA ‘17 - REDEFINING SECURITY IN A CLOUD-CENTRIC FUTURE

MITCH SPAULDING - BSIDES TAMPA - 2017

DISCLAIMER

My opinions, commentary, and discussion today are my own, not my employer(s)’.

My tweets and instagrams are my own. If they offend you, then you probably shouldn’t follow me.

I will not discuss anything about my employer(s) in any detail or extent


HOW THE CLOUD WORKS

It’s simple: It really is someone else’s hard drive.

The hard drive sits in multiple countries and is shared by lots of people

You are placing your trust in the third party to do its job: keep your data separate from other people’s data.

Security is either sold softly (i.e. ‘we’ve got you covered’) or it is a hard sell (i.e. ‘buy this feature and that one to feel safe’)


UNDERSTANDING YOUR CLOUD

It is estimated that most large companies are leveraging between 600 - 1000 SaaS Applications on a daily basis.

Cloud Apps (SaaS)

• SalesForce • ServiceNow • Office365 • Kronos

Owner: Business Relationship Manager

Cloud Infrastructure (IaaS)

• Rackspace • MSFT Azure • IBM SmartCloud • SoftLayer • Amazon AWS

Owner: Historically Legacy Infrastructure Teams

Platforms (PaaS)

• MSFT Azure • IBM BlueMix • Cloud Foundry • Google AppEngine

Owner: Sometimes Developers, other times it is Infrastructure


PIZZA - AS - A - SERVICE

(Albert Barron’s Pizza-as-a-Service chart: nine layers, bottom to top Dining Table, Electric/Gas, Oven, Heat, Dough, Toss Pizza, Sauce, Cheese, Pepperoni, in four columns colour-coded by who supplies each layer. Legend: Vendor Supplies / I Supply.)

Pizza Made at Home (Your Data Center): you supply every layer.

Frozen Pizza (IaaS): the vendor supplies the dough, the tossed pizza, sauce, cheese and pepperoni; you supply the dining table, electric/gas, oven and heat.

Delivered Pizza (PaaS): the vendor supplies every layer except the dining table.

Fine Dining ;) (SaaS): the vendor supplies every layer.

Responsible Party & Accountability


CLOUD SECURITY RESPONSIBILITY

(Stack, top to bottom: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking, in four columns colour-coded by who manages each layer. Legend: Your Co. / Vendor.)

Local/On-Premises (Your Data Center): Your Co. manages every layer.

Infrastructure (IaaS): Your Co. manages Applications, Data, Runtime, Middleware and O/S; the Vendor manages Virtualization, Servers, Storage and Networking.

Platform Apps (PaaS): Your Co. manages Applications and Data; the Vendor manages Runtime, Middleware, O/S, Virtualization, Servers, Storage and Networking.

Cloud Apps (SaaS): the Vendor manages every layer, with the Application layer shared (next slide).

Shared Responsible Party & Accountability


SAAS RESPONSIBILITY CLARIFICATION

Cloud Apps (SaaS) have a shared responsibility at the Application layer; everything below it (Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking) sits with the vendor.

You are accountable for the user access functions (Authentication, Authorization, Audit), but overall app support (development, maintenance, and management) resides with the provider.

Your Co. - Administrative Tasks: • User Management • SOX • User Behavior Monitoring

Vendor - Technical Tasks: • Application Development • Application Upgrades • Application Management • Support

Shared Responsible Party & Accountability

MITCH SPAULDING - MIKE SPAULDING - BSIDES TAMPA - 2017

UNDERSTANDING YOUR DATA IN THE CLOUD

Information Sharing (SaaS): • DropBox • Box • iCloud • Facebook

Owner: Business Relationship Mgr.

Data Types: • PII • PHI • PCI • IP

Security Requirements: • Authentication • Authorization • Confidentiality • Audit • Non-Repudiation

Technical Requirements: • Two-Factor Authentication • Business Intelligence • Encryption • Data Loss Prevention • Verification Services

Business Requirements: • Rights Management: Expiration Dates, Limited Distribution, Ability to limit Users • Ability to Audit Activities

Solutions: • Company Modified PaaS • Company Modified SaaS • Hybrid Cloud

Accountability: • Business Owner • Technical Owner • Process Owner

Stakeholders: • Legal & Procurement • Information Security • Architecture • Infrastructure

Minecraft - As - A - Service: The Maddog Saga

MIKE SPAULDING - BSIDES TAMPA - 2017

MULTITENANCY: HOW THEY MAKE THE CLOUD CHEAPER

A software architecture in which a single instance of software runs on a server and serves multiple tenants (or the sharing of a common cloud resource in our situation).

Risks: • Data Leakage • Insecure Configuration • Crossover from other Tenants

Benefits: • Lower Costs

Mitigation Strategy: • Isolated Resources • Security as a Foundation
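As an added example (not part of the original deck), the crossover risk above in code: a single store serving two tenants, the lookup that lets one tenant read another tenant's row, and the scoped read and write that take the tenant from the authenticated caller rather than from the request. Go, standard library only; the tenants, rows and caller are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Record is one row in a table shared by every tenant. The TenantID column is
// all that keeps tenants apart; the software instance and storage are common.
type Record struct {
	ID       int
	TenantID string
	Payload  string
}

// Caller is the authenticated principal. Its TenantID comes from the session
// or token the platform issued, never from the request URL or body.
type Caller struct {
	UserID   string
	TenantID string
}

// Store is a constructed in-memory stand-in for the shared database.
type Store struct {
	rows map[int]Record
}

// ErrNotFound is returned both for a missing ID and for another tenant's ID,
// so a tenant cannot learn which IDs exist in other tenants' data.
var ErrNotFound = errors.New("not found")

// NewStore seeds two tenants, "acme" and "globex", into one table.
// The sample rows are constructed for this example.
func NewStore() *Store {
	return &Store{rows: map[int]Record{
		1: {ID: 1, TenantID: "acme", Payload: "acme payroll export"},
		2: {ID: 2, TenantID: "globex", Payload: "globex customer list"},
	}}
}

// GetUnsafe is the crossover bug: the lookup is keyed on record ID alone, so
// any tenant that guesses (or increments) an ID reads another tenant's row.
func (s *Store) GetUnsafe(id int) (Record, error) {
	r, ok := s.rows[id]
	if !ok {
		return Record{}, ErrNotFound
	}
	return r, nil
}

// GetScoped is the isolated version: the tenant filter is part of every read
// and is taken from the authenticated caller, not from the request.
func (s *Store) GetScoped(c Caller, id int) (Record, error) {
	r, ok := s.rows[id]
	if !ok || r.TenantID != c.TenantID {
		return Record{}, ErrNotFound
	}
	return r, nil
}

// Put stamps the caller's tenant onto the row and refuses to overwrite a row
// that belongs to someone else, so isolation holds on the write path too.
func (s *Store) Put(c Caller, r Record) error {
	if existing, ok := s.rows[r.ID]; ok && existing.TenantID != c.TenantID {
		return ErrNotFound
	}
	r.TenantID = c.TenantID
	s.rows[r.ID] = r
	return nil
}

func main() {
	s := NewStore()
	bob := Caller{UserID: "bob", TenantID: "globex"}

	leaked, _ := s.GetUnsafe(1)
	fmt.Printf("unscoped read by %s: %q\n", bob.UserID, leaked.Payload)

	_, err := s.GetScoped(bob, 1)
	fmt.Println("scoped read of acme's row:", err)

	err = s.Put(bob, Record{ID: 1, TenantID: "acme", Payload: "overwrite"})
	fmt.Println("scoped write to acme's row:", err)
}
```

The same pattern applies to a real database: every query carries a tenant predicate bound from the session, and a row-level security policy on the table enforces it even when an application query forgets.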


API SECURITY (OR HOW MOST LARGE CLOUD HACKS HAPPEN)

These are application programming interfaces (APIs) used to build applications in the cloud computing market. Cloud APIs allow software to request data and computations from one or more services through a direct or indirect interface.

Risks: • Account or Service Hijacking • Insecure APIs • Known Vulnerabilities • Lack of Control

Benefits: • Customizable Services • Integration with Internal Systems

Mitigation Strategies: • Evaluate the type and strength of the API security features • Security as a Foundation
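An added example, not from the original deck, of what "evaluate the type and strength of the API security features" looks like in practice: a request-signing scheme of the kind cloud APIs use, with the client side (Sign) and the server side (Verify) in one file. The server checks the MAC before anything else, then rejects stale timestamps and replayed nonces. The shared secret, endpoint path and request body are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Request holds every field the signature must cover. A field left out of
// the canonical string can be altered in transit without breaking the MAC.
type Request struct {
	Method    string
	Path      string
	Body      string
	Timestamp int64  // unix seconds, set by the client
	Nonce     string // unique per request, set by the client
}

// canonical is the exact byte string both sides MAC. Fields are newline
// separated and the body is hashed, so bytes cannot slide between fields.
func canonical(r Request) string {
	body := sha256.Sum256([]byte(r.Body))
	return strings.Join([]string{
		r.Method,
		r.Path,
		strconv.FormatInt(r.Timestamp, 10),
		r.Nonce,
		hex.EncodeToString(body[:]),
	}, "\n")
}

// Sign is the client side: HMAC-SHA256 over the canonical request with the
// shared API secret, hex encoded so it fits in an HTTP header.
func Sign(secret []byte, r Request) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(canonical(r)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verifier is the server side: the secret, the accepted clock skew, and the
// nonces already accepted (a real service prunes these after the window).
type Verifier struct {
	secret []byte
	window time.Duration
	seen   map[string]bool
}

func NewVerifier(secret []byte, window time.Duration) *Verifier {
	return &Verifier{secret: secret, window: window, seen: map[string]bool{}}
}

var (
	ErrBadSignature = errors.New("bad signature")
	ErrStale        = errors.New("timestamp outside window")
	ErrReplay       = errors.New("nonce already used")
)

// Verify checks the MAC first (constant-time compare), then freshness, then
// the nonce. MAC first means an unauthenticated caller cannot probe the nonce
// store or learn the clock window from the error it gets back.
func (v *Verifier) Verify(r Request, sig string, now time.Time) error {
	expected := Sign(v.secret, r)
	if !hmac.Equal([]byte(expected), []byte(sig)) {
		return ErrBadSignature
	}
	age := now.Sub(time.Unix(r.Timestamp, 0))
	if age > v.window || age < -v.window {
		return ErrStale
	}
	if v.seen[r.Nonce] {
		return ErrReplay
	}
	v.seen[r.Nonce] = true
	return nil
}

func main() {
	secret := []byte("constructed-shared-secret") // assumption: provisioned out of band
	v := NewVerifier(secret, 5*time.Minute)
	now := time.Unix(1700000000, 0)

	req := Request{Method: "POST", Path: "/v1/instances",
		Body: `{"size":"small"}`, Timestamp: now.Unix(), Nonce: "n1"}
	sig := Sign(secret, req)
	fmt.Println("first delivery:", v.Verify(req, sig, now))
	fmt.Println("replayed:", v.Verify(req, sig, now))

	tampered := req
	tampered.Body = `{"size":"xlarge"}`
	fmt.Println("body changed, old signature:", v.Verify(tampered, sig, now))
}
```

Signing gives integrity and authentication, not confidentiality, so the request still travels over TLS; in a real API the client also sends an access-key ID alongside the signature so the server can look up the right secret, and the nonce store is pruned once entries fall outside the window.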


CLOUD PORTABILITY

Cloud Portability and Continuity of Operations is a set of policies and procedures that help to assure that your services continue.

Risks: • Denial of Service • Vendor Lock-In • Un-Exportable Services

Benefits: • Peace of Mind • Structured Approach to BCP/DR

Mitigation Strategies: • Develop a Business Continuity Plan • Develop an Exit Strategy


CLOUD RELIABILITY

Cloud architecture is more complex and abstract than traditional on-premises computing architectures.

Risks: • Denial of Service • Risk is outside of your control • Skills Atrophy

Benefits: • Higher Level of Service at a Lower Cost • Redundancy, Load Balancing, Network Security

Mitigation Strategies: • Hybrid Cloud Option • Documentation


DATA ENCRYPTION

Protecting your data both at rest and in-transit.

Risks: • Vendor Lock-In • Un-Retrievable Data • Proprietary Tooling

Benefits: • Minimized Potential for Data Loss • Structured Approach for Data Management

Mitigation Strategies: • Establish an Independent Key Management Service • Develop a Data Security Strategy/Standard
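An added example (not from the deck) of the "independent key management service" mitigation: envelope encryption, where each object is encrypted under its own data key and only that data key is wrapped under a customer-held key-encryption key. The provider stores ciphertext it cannot open, and rotating or moving the KEK re-wraps keys without re-encrypting the data, which is what keeps the data retrievable and the vendor replaceable. Go standard library; the KEK ids and the sample record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what you hand to the provider: the object encrypted under its
// own data key (DEK), and that DEK wrapped under a key-encryption key (KEK)
// that stays in your own key management service.
type Envelope struct {
	Ciphertext []byte // AES-256-GCM over the object, nonce prepended
	WrappedDEK []byte // AES-256-GCM over the DEK, nonce prepended
	KEKID      string // which KEK version wrapped this DEK
}

// randBytes: crypto/rand.Read never returns an error as of Go 1.24 (it aborts
// the process on failure), so the error is not checked here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and prepends it. aad is
// authenticated, not encrypted: it binds the ciphertext to a context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, a flipped bit or a different aad all fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Encrypt: fresh DEK per object, object under the DEK, DEK under the KEK with
// the KEK id as AAD so a wrapped key cannot be passed off as another version.
func Encrypt(kekID string, kek, plaintext []byte) (Envelope, error) {
	dek := randBytes(32) // AES-256
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(kekID))
	return Envelope{Ciphertext: ct, WrappedDEK: wrapped, KEKID: kekID}, err
}

// Decrypt needs the KEK. The provider, or anyone with a copy of its storage,
// holds only the envelope and fails at the unwrap step.
func Decrypt(kek []byte, e Envelope) ([]byte, error) {
	dek, err := open(kek, e.WrappedDEK, []byte(e.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, e.Ciphertext, nil)
}

// Rotate re-wraps the DEK under a new KEK and leaves the object ciphertext
// untouched: a KEK rotation or a move to another KMS never re-encrypts data.
func Rotate(oldKEK []byte, newID string, newKEK []byte, e Envelope) (Envelope, error) {
	dek, err := open(oldKEK, e.WrappedDEK, []byte(e.KEKID))
	if err != nil {
		return Envelope{}, err
	}
	e.WrappedDEK, err = seal(newKEK, dek, []byte(newID))
	e.KEKID = newID
	return e, err
}

func main() {
	kek := randBytes(32) // lives in your KMS; the provider never sees it
	env, _ := Encrypt("kek-v1", kek, []byte("constructed PHI record"))
	pt, err := Decrypt(kek, env)
	fmt.Printf("with KEK: %q err=%v\n", pt, err)
}
```

In a real deployment the seal and open of the DEK are the wrap/unwrap calls to your KMS or HSM and the KEK bytes never enter the application; here both sides run in-process so the example is self-contained. The object ciphertext and the wrapped DEK can sit in the provider's storage together, since neither is readable without the KEK.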


SECURITY AS A SERVICE (CASB)

Cloud providers are beginning to offer security capabilities as a service. These services are both traditional (AAA) and non-traditional (cloud-to-cloud security).

Risks: • Improperly Positioned Services • Skills Atrophy • Proprietary Tooling

Benefits: • Higher Security Capability with a lower barrier • Ability to have a single security context across multiple vendors

Mitigation Strategies: • Security as a Foundation • Security Auditing


TRADITIONAL SECURITY MIGRATED TO THE CLOUD

Leveraging virtualized software, many traditional security vendors have brought their firewalls, IPS, reverse proxies, web application firewalls, and malware detection tools to the most popular cloud services as cloud-based offerings.

Risks: • Improperly Positioned Services • False Sense of Security

Benefits: • Easier transition to cloud services for current staff • Ability to understand/visualize security posture

Mitigation Strategies: • Security as a Foundation • Security Fundamentals


INTERNATIONAL PRIVACY/COMPLIANCE RISKS

The Data in the cloud is still YOUR DATA. Liability of the data is not transferred away, ultimately, YOU ARE responsible for how the data is handled.

Risks: • EU and non-US resident data co-mingled • Data residing within countries which do not have treaties with the EU, Canada, etc.

Mitigation Strategies: • Ensure that location-specific services are enabled and that specific data centers are used to meet international privacy compliance (make sure that German data stays on German servers) • Leverage data centers that can handle both US and EU data privacy requirements, such as Canadian servers.


LEGALLY YOURS

REMEMBER: It is your data, how you use it is at your discretion.

No cloud provider will ever sign on as being 100% liable for your data and you must prove how they failed.

You will only get your portion of your money back (think of something like tires or a mattress). The warranty is limited to unused services only.

The model of the cloud is built on shared services, so no self-respecting cloud provider will sign away their rights to you. Liability is limited; at most they go out of business and walk away from the mess. You will own the mess, not them.

YOUR DATA IS YOUR RESPONSIBILITY!


SO WHERE DO WE GO FROM HERE?

Everything is moving to the cloud - it is really hard to find an industry that has no cloud presence. Don’t fight the kool aid now!

Containerization and portability will be the next big wave for enterprises in the cloud.

Although infrastructure in the cloud is becoming very mainstream, we have yet to see the cloud ‘killer’ app. If we look at things like Facebook, SalesForce, or Box what we find is that we made it easier for a large number of people to do something that would previously be more complex or cumbersome.

Automation is already hitting the cloud, but we have not truly embraced it.

Machine learning will make coding in the cloud even easier for the less technical and sharing data will be almost too easy or simple.


THE SINGLE, BIGGEST QUESTION TO ASK YOUR CLOUD VENDOR

Where does your security end and my security begin?

MITCH SPAULDING - BSIDES TAMPA - 2017

THANK YOU

I appreciate your time today during this session.

If you need to reach me, try here:

https://www.linkedin.com/in/mitchspaulding13

I will be speaking about ‘Hacking the Millennial’ in April.

Columbus ISSA InfoSec Summit - April 20th & 21st 2017

I am looking for a job starting as early as June in Cincinnati, Ohio - Junior Analyst Role - so if you know someone, please share this with them.

I need to thank - John Sanders (Ent. Architect/CIO), the guys at Secure Ideas, and the person that created Pizza as a Service - Albert Barron.

MIKE SPAULDING - BSIDES TAMPA - 2017

THANK YOU

I appreciate your time today during this session.

If you need to reach me, try here:

www.linkedin.com/in/therealfatherofmaddog @fatherofmaddog

I will be speaking about ‘Looking for Love in All the Wrong Places’ on April 21st.

Columbus ISSA InfoSec Summit - April 20th & 21st 2017

I am starting a ‘little business’ - keep an eye out on LinkedIn and Twitter

I need to thank - John Sanders (Ent. Architect/CIO), the guys at Secure Ideas, and the person that created Pizza as a Service - Albert Barron.