Cloud Security
Agenda
- Amazon Web Services (AWS)
- Shared Responsibility Model
- Azure …
- Network Security
- Access Controls
- Audit Controls
AWS Shared Responsibility Model -- hardening
https://aws.amazon.com/compliance/shared-responsibility-model/
Azure Security -- design and operational security
https://azure.microsoft.com/en-us/support/trust-center/security/
- Design and operational security -- a security development lifecycle for their own software
- Identity and access -- MFA, AD
- Encryption & key management -- Azure Key Vault, IPsec for data in transit, encryption for data at rest
- Penetration testing -- Microsoft does its own; it has a policy under which you may do your own
- Network security -- Azure Virtual Network (own data center, private IP space, subnets and access control policies)
- Threat management -- Microsoft Antimalware
- Monitoring, logging and reporting -- Azure enables you to collect security events from Azure IaaS and PaaS. You can then use HDInsight to aggregate and analyze these events, and export them to on-premises security information and event management systems for ongoing monitoring. For applications deployed in Azure and for virtual machines created from the Azure Virtual Machines Gallery, Azure enables a set of operating system security events by default.
AWS Management Console -- ways to secure?
[Diagram: admins and end users reach, through a WAF, both a corporate data center and an AWS virtual private cloud; inside the VPC a subnet and security group hold the web/app tier (EC2, EBS, AMI), S3 and the database (RDS); the AWS Management Console sits alongside.]
Limit attack vectors
- Same as on-premises: application, OS, DB (access, audit)
- Different: 'homogeneous' environment (network)
Secure backups
- Same: encryption
- Different: volumes and snapshots vs. physical security
Internal vs. external
- Same: insider threat, external hackers, bots
- Different: automation
Network controls
Capabilities:
- VPC
- Direct Connect
- Subnets
- Route tables
- NACLs
- Security groups
- Monitoring
- IPS/IDS
Constraints:
- Human error, e.g. security groups wide open, enabling public IPs on 'private' services
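The two human errors named on this slide are both visible in API output, so they can be caught by a scheduled check rather than by eye. The script below is an added example, not part of the slides: it reads data shaped like the boto3 ec2.describe_security_groups() and describe_instances() responses (the samples here are constructed, and the subnet and group ids are placeholders) and reports rules that expose all ports or a sensitive port to the whole internet, and instances that carry a public IP while sitting in a subnet you have designated private.

```python
"""Flag wide-open security group ingress and public IPs on 'private' subnets.

Added example (not from the slides). Inputs are constructed samples shaped
like the boto3 ec2.describe_security_groups() / describe_instances() results;
in real use you would feed the API responses in instead.
"""
import ipaddress

# Ports that rarely belong open to the whole internet (SSH, RDP, common DBs).
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}

# Constructed sample: a web group that is fine, and a DB group that is not.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # "-1" is the all-traffic rule; the API omits FromPort/ToPort for it.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

# Constructed sample: instances with their subnet and (optional) public IP.
PRIVATE_SUBNETS = {"subnet-private-a"}
SAMPLE_INSTANCES = [
    {"InstanceId": "i-app1", "SubnetId": "subnet-private-a", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-app2", "SubnetId": "subnet-private-a"},
    {"InstanceId": "i-web1", "SubnetId": "subnet-public-a", "PublicIpAddress": "203.0.113.11"},
]


def is_world_open(cidr: str) -> bool:
    """True for a CIDR that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_open_ingress(groups):
    """One finding per rule that exposes all ports, or a sensitive port,
    to the whole internet."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            public = [c for c in cidrs if is_world_open(c)]
            if not public:
                continue
            if rule.get("IpProtocol") == "-1":
                exposed = "all"
            else:
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
                if not exposed:
                    continue  # e.g. 443 open to the world is usually intended
            findings.append({"group": group["GroupId"], "cidrs": public, "ports": exposed})
    return findings


def find_public_ips_in_private_subnets(instances, private_subnets):
    """Instances that carry a public IP although they sit in a 'private' subnet."""
    return [i["InstanceId"] for i in instances
            if i.get("SubnetId") in private_subnets and i.get("PublicIpAddress")]


if __name__ == "__main__":
    for finding in find_open_ingress(SAMPLE_GROUPS):
        print("open ingress:", finding)
    print("public IP in private subnet:",
          find_public_ips_in_private_subnets(SAMPLE_INSTANCES, PRIVATE_SUBNETS))
```

Port 443 open to the world is deliberately not reported, because a web tier needs it; the sensitive-port set is the list to tune per environment, and the all-traffic rule is reported regardless of port.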
Access controls
Capabilities:
- IAM -- users, roles, groups; instance profiles
- STS
- Encryption -- KMS, HSM; SSL; server-side vs. client-side
Constraints:
- IAM is account specific
- KMS is region specific
- Human error, e.g. sharing keys, publishing access keys on GitHub
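The "publishing access keys on GitHub" error is cheap to catch before a commit leaves the machine. The scanner below is an added example, not part of the slides: it relies on the documented shape of AWS credentials (a 20-character access key ID starting with AKIA or ASIA, a 40-character base64-like secret) and only fires the secret rule near the word "secret" to keep false positives down. The sample text is constructed and uses the placeholder key values from AWS's own documentation; the file layout mirrors ~/.aws/credentials.

```python
"""Scan text for AWS credentials before it is committed or published.

Added example (not from the slides). The sample text is constructed; the
key values in it are the placeholders AWS uses in its own documentation.
"""
import re

# Long-term keys start with AKIA, temporary (STS) keys with ASIA; 20 chars total.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A secret access key is 40 base64-like characters; require the word "secret"
# shortly before it so ordinary hashes and tokens do not trip the rule.
SECRET_KEY = re.compile(
    r"(?i)secret[^\n]{0,40}?"
    r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

SAMPLE_TEXT = """\
# constructed credentials file that must never reach a public repository
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""


def redact(value: str) -> str:
    """Keep only the first and last four characters so a report is safe to share."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_for_aws_keys(text: str):
    """Return findings as dicts: line number, kind of credential, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id",
                             "value": redact(m.group(0))})
        for m in SECRET_KEY.finditer(line):
            findings.append({"line": lineno, "kind": "secret_access_key",
                             "value": redact(m.group(1))})
    return findings


if __name__ == "__main__":
    # A pre-commit hook would exit non-zero whenever the list is non-empty.
    for finding in scan_for_aws_keys(SAMPLE_TEXT):
        print(finding)
```

The report never prints the full value, so the scanner's own output cannot become a second leak when it lands in CI logs. Finding a key in history means the key is compromised: rotate it in IAM, then rewrite the history.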
Audit controls
Capabilities:
- CloudTrail
- Config
- Inspector
- CloudWatch + CloudTrail + Lambda
Constraints:
- AWS API only
- Human error, e.g. sharing keys, publishing access keys on GitHub
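The "CloudWatch + CloudTrail + Lambda" capability is a function that receives each CloudTrail record and decides whether anyone needs to hear about it. The handler below is an added example, not part of the slides: the records are constructed and trimmed to the fields the rules read, and the rule names and the set of watched API calls are my choice. It assumes the CloudWatch Events envelope places the CloudTrail record under "detail", and it returns findings instead of sending them anywhere. The "AWS API only" constraint applies directly: nothing that happens inside an instance appears here.

```python
"""Triage CloudTrail records the way a CloudWatch-triggered Lambda would.

Added example (not from the slides). Records are constructed samples; a real
handler would forward findings to SNS or a SIEM rather than return them.
"""

# Calls that blind or weaken the audit trail itself.
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# Calls that hand out or widen credentials.
CREDENTIAL_CHANGES = {"CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
                      "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy"}

SAMPLE_RECORDS = [
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "svc-deploy"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole"}},
]


def triage(record):
    """Return the names of every rule a single CloudTrail record triggers."""
    hits = []
    name = record.get("eventName", "")
    identity = record.get("userIdentity", {})
    if name in AUDIT_TAMPERING:
        hits.append("audit-tampering")
    if identity.get("type") == "Root":
        hits.append("root-activity")
    if (name == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No"):
        hits.append("console-login-without-mfa")
    if name in CREDENTIAL_CHANGES:
        hits.append("credential-change")
    return hits


def handler(event, context=None):
    """Lambda-style entry point: one CloudWatch Events payload in, a finding out."""
    record = event.get("detail", {})
    identity = record.get("userIdentity", {})
    return {"eventName": record.get("eventName"),
            "actor": identity.get("userName", identity.get("type")),
            "source": record.get("sourceIPAddress"),
            "rules": triage(record)}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(handler({"detail": rec}))
```

A record can trip several rules at once (the root console login without MFA does), so the handler returns the whole list rather than the first match; that keeps the routing decision (page, ticket, ignore) out of the detection code.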
Takeaways – checklist from a system perspective
- Define use cases
- Role-based access control
- Authentication mechanism?
- Authorization mechanism?
- Audit mechanism?
- Encryption at rest
- Encryption in transit
- Domain boundary controls
- What can be automated? How can that be protected and audited?
Takeaways – checklist for evaluating a service
- Access controls?
- Audit controls?
- Encryption of data at rest (including backups)?
- Encryption of data in transit?
- Network controls?
- Limits? Examples of limits: S3 logging cannot be encrypted; S3 bucket name obfuscation; Route 53 DNS name hashing; SNS spam protection.
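For S3 the two encryption questions on this checklist can be answered from the bucket policy itself. The checker below is an added example, not part of the slides: it looks for the two well-known Deny patterns, one that refuses any request where aws:SecureTransport is false (in transit) and one that refuses PutObject when the s3:x-amz-server-side-encryption header is absent, expressed with the Null condition operator (at rest). Both policies are constructed; the bucket name, account id and role name are placeholders. Bucket default encryption is the simpler at-rest control in practice; the policy statement is the belt-and-braces form that also rejects an unencrypted upload from a misconfigured client.

```python
"""Check an S3 bucket policy for the checklist's two encryption questions.

Added example (not from the slides). Both policies are constructed and every
ARN in them is a placeholder.
"""
import json

BUCKET_ARN = "arn:aws:s3:::example-bucket-placeholder"

# Constructed: grants an application read access but enforces nothing.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-placeholder"},
         "Action": ["s3:GetObject"], "Resource": BUCKET_ARN + "/*"},
    ],
}

# Constructed: the same grant plus the two Deny statements the checks look for.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_POLICY["Statement"] + [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _deny_statements(policy):
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Deny"]


def _condition_values(statement, operator, key):
    """Lower-cased string values of Condition[operator][key], or [] if absent."""
    raw = statement.get("Condition", {}).get(operator, {}).get(key)
    return [] if raw is None else [str(v).lower() for v in _as_list(raw)]


def enforces_tls(policy) -> bool:
    """True if every S3 action is denied when the request is not over TLS."""
    for s in _deny_statements(policy):
        if ("false" in _condition_values(s, "Bool", "aws:SecureTransport")
                and any(a in ("*", "s3:*") for a in _as_list(s.get("Action", [])))):
            return True
    return False


def enforces_sse_on_put(policy) -> bool:
    """True if PutObject is denied when no server-side-encryption header is sent."""
    for s in _deny_statements(policy):
        if ("true" in _condition_values(s, "Null", "s3:x-amz-server-side-encryption")
                and any(a in ("*", "s3:*", "s3:PutObject")
                        for a in _as_list(s.get("Action", [])))):
            return True
    return False


def evaluate(policy):
    """Answer the two checklist questions for one bucket policy."""
    return {"in_transit": enforces_tls(policy), "at_rest": enforces_sse_on_put(policy)}


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, json.dumps(evaluate(policy)))
```

The checker does not distinguish AES256 from aws:kms, nor does it read the bucket's default-encryption setting, so a "False" for at rest means the policy does not enforce it, not that objects are stored unencrypted; the slide's "including backups" point still has to be answered separately for snapshots and replicas.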