SMU Classification: Restricted
6. Cloud Actors
• Consumer: Person or organisation using cloud services from a CSP
• Provider (CSP): An entity offering cloud services to consumers
• Auditor: An entity that provides objective and independent assessments of cloud services
• Broker: Manages use, performance, and/or delivery of cloud services between CSPs and consumers. Often Security-as-a-Service (SecaaS) offerings are “brokering” various types of access or data sent to/from the cloud today
• Carrier: An intermediary providing transport and connectivity for cloud services
11. Cloud Security Incident
Dec 2013 - 40 million credit cards stolen on POS system
– Investigation reveals initial malware was introduced by Target’s refrigeration vendor
– Criminals used vendor’s credentials to access Target’s cloud infrastructure
Use of vendor credentials:
Boundary defence: Limit network access to the vendor portal so that anyone who obtained the credentials could not reach the portal unless on a network allowed to access it
Account monitoring and control: Require multi-factor authentication to log in to the vendor portal. Monitor usage of vendor portal logins. Profile accounts for normal activities and usage patterns
Source: SANS Institute Case Study
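The two control families on this slide, a network allowlist in front of the vendor portal and MFA plus behavioural profiling of each vendor account, can be expressed as a small evaluation routine. The code below is an added example, not part of the slides or the SANS case study; every network range, account profile and login event in it is constructed sample data (the prefixes are documentation and private ranges), and the BLOCK/ALERT split is an assumed convention for which findings the boundary enforces versus which an analyst reviews.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allowlist (boundary defence): the only networks from which the vendor
# portal accepts connections. Both ranges are hypothetical documentation/private prefixes.
ALLOWED_NETWORKS = ["203.0.113.0/24", "10.50.0.0/16"]


def on_network(src_ip: str, networks) -> bool:
    """True if src_ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


@dataclass
class LoginEvent:
    user: str
    src_ip: str
    hour: int          # local hour of day, 0-23
    mfa_passed: bool
    success: bool


@dataclass
class AccountProfile:
    """Baseline of normal activity for one vendor account (constructed values)."""
    usual_hours: range          # hours in which this account normally logs in
    usual_networks: list        # CIDRs this account has historically come from
    max_logins_per_day: int     # volume baseline
    logins_today: int = 0


def evaluate(event: LoginEvent, profile: AccountProfile) -> list:
    """Apply the slide's two control families to one login event.

    BLOCK findings are enforced by the boundary (network allowlist) and the
    authentication step (MFA); ALERT findings are deviations from the account's
    profile that an analyst should review even when the login itself succeeded.
    Returns an empty list when the event is in policy and in profile.
    """
    findings = []
    if not on_network(event.src_ip, ALLOWED_NETWORKS):
        findings.append("BLOCK: source not on a network allowed to reach the vendor portal")
    if not event.mfa_passed:
        findings.append("BLOCK: multi-factor authentication not completed")
    if event.hour not in profile.usual_hours:
        findings.append("ALERT: login outside the account's usual hours")
    if not on_network(event.src_ip, profile.usual_networks):
        findings.append("ALERT: login from a network this account has not used before")
    if event.success:
        profile.logins_today += 1
        if profile.logins_today > profile.max_logins_per_day:
            findings.append("ALERT: login volume exceeds the account's daily baseline")
    return findings


def run_sample() -> dict:
    """Evaluate a few constructed events for one hypothetical vendor account."""
    profile = AccountProfile(usual_hours=range(8, 18),
                             usual_networks=["203.0.113.0/24"],
                             max_logins_per_day=3)
    events = [
        LoginEvent("hvac-vendor", "203.0.113.10", 10, True, True),   # normal
        LoginEvent("hvac-vendor", "198.51.100.7", 2, False, False),  # stolen creds, outside boundary
        LoginEvent("hvac-vendor", "10.50.4.9", 23, True, True),      # allowed net, unusual for this account
    ]
    return {f"{e.src_ip}@{e.hour:02d}h": evaluate(e, profile) for e in events}


if __name__ == "__main__":
    for key, findings in run_sample().items():
        print(key, "->", findings or ["ok"])
```

The third event is the one worth noticing: it passes the boundary and MFA, so it would be a successful login, yet it still raises two profile alerts. That is the point of keeping monitoring separate from enforcement, since a credential used from an allowed network at an unusual time is exactly what a vendor-credential misuse looks like from the inside.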
12. Docker vulnerability exploitability
• Docker is a daemon that runs as root
• Older Docker does security by blacklisting kernel calls
– What if there are some that are missed out?
“Shocker” code exploit
• CVE-2014-9357: Privilege escalation during decompression of LZMA (.xz) archives
• 100k+ Docker images on Docker Hub
– In 2015, of 15k+ images analysed, 90% contained unverified exploitable vulnerabilities
Source: Black Hat Europe 2015 – Vulnerability exploitation in Docker container environment
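Two of the slide's points are checkable from a container's runtime settings: whether the process inside is root (so a root daemon is one kernel bug away from the host) and whether the syscall filter is a blacklist that fails open for anything it does not list. The code below is an added example written for this deck, not code from the Black Hat talk or from Docker; the `docker inspect`-shaped entries and the two seccomp profiles are constructed samples, and the set of capabilities treated as risky is an assumed policy for illustration.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output; only the
# fields this check reads are present. Not real output from any system.
SAMPLE_CONTAINERS = json.loads("""
[
  {"Name": "/legacy-worker",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
                  "SecurityOpt": ["seccomp=unconfined"], "PidMode": ""}},
  {"Name": "/hardened-api",
   "Config": {"User": "10001:10001"},
   "HostConfig": {"Privileged": false, "CapAdd": [], "CapDrop": ["ALL"],
                  "SecurityOpt": ["no-new-privileges"], "PidMode": ""}}
]
""")

# Assumed policy: capabilities that let a container process act on the host kernel.
# CAP_DAC_READ_SEARCH is the one the 2014 "Shocker" exploit relied on; Docker removed
# it from the default capability set after that disclosure.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}

# Constructed seccomp profiles in Docker's profile format: defaultAction plus syscall rules.
SAMPLE_BLACKLIST_PROFILE = {
    "defaultAction": "SCMP_ACT_ALLOW",      # everything not listed is allowed (fails open)
    "syscalls": [{"names": ["mount", "reboot", "swapon"], "action": "SCMP_ACT_ERRNO"}],
}
SAMPLE_ALLOWLIST_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",      # everything not listed is refused (fails closed)
    "syscalls": [{"names": ["read", "write", "futex", "exit_group"], "action": "SCMP_ACT_ALLOW"}],
}


def check_container(entry: dict) -> list:
    """Return hardening findings for one inspect entry; empty list means nothing flagged."""
    findings = []
    cfg = entry.get("Config", {})
    host = entry.get("HostConfig", {})
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append("process runs as root inside the container (no non-root USER)")
    if host.get("Privileged"):
        findings.append("--privileged: all capabilities and no seccomp/LSM confinement")
    risky = set(host.get("CapAdd") or []) & RISKY_CAPS
    if risky:
        findings.append(f"kernel-facing capabilities added: {sorted(risky)}")
    sec_opts = host.get("SecurityOpt") or []
    if any(o in ("seccomp=unconfined", "seccomp:unconfined") for o in sec_opts):
        findings.append("seccomp disabled: every kernel call is reachable")
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    return findings


def profile_style(profile: dict) -> str:
    """Classify a seccomp profile by its default action."""
    default = profile.get("defaultAction")
    if default in ("SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP"):
        return "allowlist"
    if default == "SCMP_ACT_ALLOW":
        return "blacklist"
    return "unknown"


def unlisted_syscalls(profile: dict, syscalls_of_interest) -> list:
    """Syscalls of interest that the profile never mentions.

    For a blacklist profile these are the "missed out" calls on the slide: they
    take the default action, which is ALLOW, so the filter gives no protection there.
    """
    listed = set()
    for rule in profile.get("syscalls", []):
        listed.update(rule.get("names", []))
        if "name" in rule:                  # older single-name rule form
            listed.add(rule["name"])
    return sorted(set(syscalls_of_interest) - listed)


if __name__ == "__main__":
    for entry in SAMPLE_CONTAINERS:
        print(entry["Name"], check_container(entry) or ["no findings"])
    print(profile_style(SAMPLE_BLACKLIST_PROFILE),
          unlisted_syscalls(SAMPLE_BLACKLIST_PROFILE, ["mount", "open_by_handle_at", "keyctl"]))
```

Running it against real output would be `docker inspect <name>` piped into `json.loads` and passed to `check_container`; the seccomp checks take the profile JSON that is handed to `--security-opt seccomp=<file>`. The blacklist sample lists three syscalls and is silent on `open_by_handle_at` and `keyctl`, which is the failure mode the slide describes: the profile looks like a control but the default action decides what happens for everything it forgot.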
16. Cloud Security Challenges
Traditional security challenges apply, but in the cloud these considerations are different…
• Resource location: Consumers do not know exactly where their data lies
• Multi-tenancy issues: How to protect your data/system on shared cloud resources
• Authentication, authorisation, information trust: How to ensure your data accessibility & ownership? Identity and Access Management (IAM)
• System monitoring and logs: Auditability trail
• Service Level Agreement (SLA)
20. Other Standards and Guidelines
Industry based
• NIST (800-144): Guidelines on Security and Privacy in Public Cloud Computing
• PCI DSS Cloud computing guidelines
Platform specific
• Center for Internet Security (CIS) recommendations for AWS Foundations / Azure / Google Cloud
Application specific
• Open Web Application Security Project (OWASP) 2017
21. Cloud Policy and Planning
• Business justification for cloud implementation
• Data classification
• System availability & accountability
• Admin & user accessibility
• Disaster recovery & business continuity
• Risk assessment, mitigation & acceptance
22. Security Principles for Cloud Design
• Build in security at every layer
• Design for elasticity
• Design for failure
– “Blast radius” control
– System recovery
• Use different storage options
• Always have “feedback” loops
• Focus on CSA: Centralization, Standardization, Automation
23. Security at every layer
“Stack” layer – Controls
Application + Presentation – WAF, IAM, Scans/Pen test, Access control (IAM)
Operating systems – Configuration, Vulnerability scan, Backup, User & privilege management
Data – Encryption, Backups, DLP, Authorization
Network – Access controls, Firewalls, Routing, DDoS defences
Hypervisor – Configuration, Access controls, User & privilege management
24. Hypervisor Security Controls
• Foundational controls
– NTP, SNMP, etc.
• Local firewall/network access controls
• Hardening and configuration
• Users and groups
• Patching
• Logging and monitoring
• SELinux and/or multitenant isolation measures
25. Virtualization security – CSP
• Assess the CSP virtualization platform technology
• CSP internal security controls on virtualization (e.g. virtual firewalls or IDS)
• CSP ISO certification, 3rd party cyber risk assessment, annual audit
• Enquire on the CSP’s administrative control of the VM environment
• Enquire on CSP segregation and separation of VM zones / types
• Understand how multi-tenancy and VM isolation are implemented, and how an isolation breach is detected and alerted
27. Cloud network security
• Virtual network appliances
– WAF, Load balancer, Proxies, Unified Threat Management
– Vendors like Cisco, F5, Palo Alto, Fortinet, Check Point
• Data loss prevention (as network)
– Commonly offered by CASB
28. Host security – OS image
• (PaaS/IaaS) Instance / image security is one of the most important considerations
• Standard approaches
– Patching
– Hardening
– Version control
– Access control
– Monitoring
– Anti-malware
• Cloud platform inventory management tools
– Amazon EC2 Systems Manager
– Amazon Inspector
30. Cloud Access Security Brokers
• A 3rd party that helps an organization govern the use of, and protect sensitive data in, the cloud
Source: http://focus.forsythe.com/_wss/clients/509/assets/CASB%20Functionality%20Areas%20Graphic.png
31. Key Management in Cloud
• Who does it? Consumer or CSP?
• Key generation
• Key storage, backup, recovery
• Key distribution
• Key destruction
• Cryptographic hardware (inbuilt or Hardware Security Module [HSM])
– Often governed by standards (PCI)
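The lifecycle bullets on this slide (generation, storage and backup, distribution, destruction, and the hardware boundary that holds the root keys) can be walked through in a small model. The code below is an added example, not from the slides or any CSP's key-management service: the HSM is a simulated class whose root keys never leave it, consumers only receive per-tenant keys derived from a root with HKDF (RFC 5869, implemented here with the standard library's `hmac`), rotation keeps old versions so earlier data keys stay recoverable, and destruction is a two-step operation with a hypothetical recovery window. Key ids, tenant names and the window length are constructed.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK from the input key
    material, then expand it into `length` bytes bound to `info`."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class SimulatedHsm:
    """Stand-in for cryptographic hardware (an HSM or a CSP key-management service).

    Root keys are generated inside and are never returned to callers; consumers
    only ever receive keys derived from a root, so distribution never exposes it.
    """
    RECOVERY_WINDOW_DAYS = 7   # hypothetical: destruction is two-step so a mistake can be reverted

    def __init__(self):
        self._roots = {}       # key_id -> {"versions": [bytes, ...], "state": str}

    def generate_root(self, key_id: str) -> None:
        # Key generation: CSPRNG output that stays inside the boundary.
        self._roots[key_id] = {"versions": [secrets.token_bytes(32)], "state": "active"}

    def rotate(self, key_id: str) -> int:
        # Storage/backup: earlier versions are retained so data keys derived
        # from them can still be re-derived for decryption. Returns the new version.
        rec = self._active(key_id)
        rec["versions"].append(secrets.token_bytes(32))
        return len(rec["versions"])

    def derive_data_key(self, key_id: str, tenant: str, purpose: str, version: int = 0) -> bytes:
        # Distribution: a per-tenant, per-purpose data key. version=0 means latest.
        rec = self._active(key_id)
        v = version or len(rec["versions"])
        info = f"{tenant}/{purpose}/v{v}".encode()
        return hkdf_sha256(rec["versions"][v - 1], salt=key_id.encode(), info=info)

    def schedule_destruction(self, key_id: str) -> int:
        # Destruction step 1: the key stops working immediately but can be recovered.
        self._active(key_id)["state"] = "pending_deletion"
        return self.RECOVERY_WINDOW_DAYS

    def cancel_destruction(self, key_id: str) -> None:
        rec = self._roots[key_id]
        if rec["state"] != "pending_deletion":
            raise ValueError(f"{key_id} is {rec['state']}, not pending deletion")
        rec["state"] = "active"

    def destroy(self, key_id: str) -> None:
        # Destruction step 2 (after the window): material is overwritten, not just dereferenced.
        rec = self._roots[key_id]
        if rec["state"] != "pending_deletion":
            raise ValueError(f"{key_id} must be scheduled for deletion first")
        rec["versions"] = [b"\x00" * len(v) for v in rec["versions"]]
        rec["state"] = "destroyed"

    def state(self, key_id: str) -> str:
        return self._roots[key_id]["state"]

    def _active(self, key_id: str) -> dict:
        rec = self._roots[key_id]
        if rec["state"] != "active":
            raise PermissionError(f"{key_id} is {rec['state']}")
        return rec


if __name__ == "__main__":
    hsm = SimulatedHsm()
    hsm.generate_root("tenant-root")                      # constructed key id
    k = hsm.derive_data_key("tenant-root", "acme", "db-at-rest")
    print("data key v1:", k.hex())
    print("rotated to version", hsm.rotate("tenant-root"))
    print("v1 still recoverable:", hsm.derive_data_key("tenant-root", "acme", "db-at-rest", version=1) == k)
    print("recovery window (days):", hsm.schedule_destruction("tenant-root"))
```

The slide's first question, who does it, maps onto where `SimulatedHsm` lives: if the CSP operates it, the consumer holds only the derived data keys and must trust the provider's controls on the root; if the consumer operates it (bring-your-own-key or an on-premises HSM), the provider is given data keys and never the root. Either way the derived keys are reproducible from `(key_id, tenant, purpose, version)`, which is what makes backup and recovery a matter of protecting root material and version history rather than copying every data key.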
38. References
• SANS Institute Case Study: Critical controls that could have prevented Target breach
• SANS SEC545: Cloud Security Architecture and Operations
• Beyond lightning: A survey on security challenges in cloud computing, Chunming Rong, Department of Electrical Engineering and Computer Science, University of Stavanger, Norway
• Cloud computing: Overview and Research issues, Divya Kapil, School of Computing, Graphic Era Hill University, Dehradun, India
• Cloud Security: A comprehensive guide to secure cloud computing, Ronald L. Krutz and Russell Dean Vines
• Virtualization: Issues, Security Threats and solutions, Michael Pearce, Ray Hunt, The University of Canterbury