Cloud security
•
1 j'aime•201 vues
Cloud security by Susanta - 2/15/2020
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Cloud security
Similaire à Cloud security (20)
Plus de n|u - The Open Security Community
Plus de n|u - The Open Security Community (20)
Dernier
Dernier (20)
Cloud security
- 2. AGENDA q About Cloud q Challenges Of Cloud Computing q Why Cloud Security? q Cloud Shared Responsibility Model q Scope of Security in Public Cloud q Cloud Security Penetration Testing
- 3. About Cloud: Cloud computing is the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider (like – AWS, Azur). q Benefits of Cloud Computing: § Agility § Elasticity § Cost savings § Deploy globally in minutes q Cloud Deployment Model: § Private Cloud § Public Cloud § Hybrid Cloud q Cloud Services: § Software as a Service (SaaS) § Platform as a Service (PaaS) § Infrastructure as a Service (IaaS)
- 4. Challenges of Cloud Computing?
- 6. qData Breaches qData Loss qAccount Hijacking qInsecure APIs qDenial of Service qMalicious Insiders qAbuse of Cloud Services qInsufficient Due Diligence qShared Technology Issues Critical Threats as per CloudSecurity Alliance
- 8. Hackers attack every 39 seconds, on average 2,244 times a day. (University of Maryland)
- 10. Scope of Security in Public Cloud:
- 11. Cloud Security Penetration Testing: q Static Application Security Testing (SAST) q Dynamic Application Security Testing (DAST) q Microsoft Secure Software Development Life Cycle: § Application Programming Interface (API) (e.g. HTTP/HTTPS) § Web and mobile applications that hosted by your organization § The application server and associated stack § Virtual machines and operating systems. q Basic Security Check/Tools: § AWS Inspector § Nmap § Identify misconfigured S3 buckets
- 12. Prerequisites before Cloud Penetration Testing: https://aws.amazon.com/security/penetration-testing/ q Legal Requirement: § Penetration Testing must comply with local and national law. § Written and Signed client authorization must be obtained. § During Penetration testing Data and PII’s must be handled as per GDPR (European), PDPA or Country specific Data Privacy Act. q AWS Customer Support Policy for Penetration Testing: Permitted Services: § Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers § Amazon RDS § Amazon CloudFront § Amazon Aurora § Amazon API Gateways § AWS Lambda and Lambda Edge functions § Amazon Lightsail resources § Amazon Elastic Beanstalk environments Prohibited Activities: § DNS zone walking via Amazon Route 53 Hosted Zones § Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS § Port flooding § Protocol flooding § Request flooding (login request flooding, API request flooding)
- 13. Threat Modeling – “STRIDE” :
- 14. OWASP Cloud Top 10 Security Risk
- 15. Cloud Penetration Testing Method: q Cloud Penetration Testing uses industry proven methodologies : § Open Source Security Testing Methodology Manual (OSSTMM) § NIST Cyber Security Framework - NIST SP 800-115 § OWASP Testing Guide
- 16. Reconnaissance and Research: q Standard Reconnaissance like – Records, Web, Network, IP/Port Fingerprinting. q Additional information gathering using – OSINT, People, Social Media. q Leverage DNS Record – MX, NS, SPF, TXT, Cname, A. q Look for Cloud Credentials – such as API key, Storage account key. q Identify DNS Record for S3 Bucket, like – abc.s3.amazon.com. q Enumerate all the backend API calls. q Conduct Research on: § Known Vulnerabilities § Common Misconfigurations § Exploitation Tools methods § Review Security Bulletin published by the CSP
- 18. References: q Cloud Security Alliance (CSA) q https://aws.amazon.com/compliance/csa/ q https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80 %90_10_Project