security in a cloud context
play

Security in a cloud context David Crooks, for the EGI CSIRT Lessons - PowerPoint PPT Presentation

Oct 16, 2022 •402 likes •571 views

Security in a cloud context David Crooks, for the EGI CSIRT Lessons learned from recent incidents www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Cloud Security EGI

  1. Security in a cloud context David Crooks, for the EGI CSIRT Lessons learned from recent incidents www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142

  2. Cloud Security EGI Conference 2019 2 EGI CSIRT: Security in a cloud context

  3. Features of cloud security • Separation between resource provider and application running on top • Split responsibility for security between infrastructure (eg Openstack) and application/service • Applications/services potentially run by non-admins (by design!) • Reuse of images • Potential double edged sword: allows ready source for secure images... • ... but one insecure config could have wide impact EGI Conference 2019 3 EGI CSIRT: Security in a cloud context

  4. Incidents EGI Conference 2019 4 EGI CSIRT: Security in a cloud context

  5. What kind of incidents? • Weak passwords • Brute force attacks • Misconfigured services • Unexpected or unintended access to running VMs • Network storage with open permissions • Remote access mechanisms without proper controls EGI Conference 2019 5 EGI CSIRT: Security in a cloud context

  6. Attack via NFS • Highlight particular example on FedCloud • EGI-20160509 • Attacker gained access to two FedCloud machines via world writeable NFS instances • Contextualised via orchestrator service with vulnerable configuration • Investigation spanned many sites • Setup is easy using these services, but can lead to propagation of config flaws EGI Conference 2019 6 EGI CSIRT: Security in a cloud context

  7. Months later EGI Conference 2019 7 EGI CSIRT: Security in a cloud context

  8. Attack via NFS • VMs created which were again vulnerable • But: detected prior to exploitation • EGI-20161013-01 and EGI-20161124-01 • Emphasises importance of taking action following incidents to avoid reoccurrence • And the importance of good monitoring! • Particularly true in a cloud context • In this case, lead to review of best practices EGI Conference 2019 8 EGI CSIRT: Security in a cloud context

  9. What could be done? EGI Conference 2019 9 EGI CSIRT: Security in a cloud context

  10. Community and education • Maintain good links between Cloud and Security teams • User education on importance of secure configuration and use of strong passwords/other access methods EGI Conference 2019 10 EGI CSIRT: Security in a cloud context

  11. SECANT • Security cloud assessment framework • https://github.com/CESNET/secant • Developed by CESNET • Checks security characteristics of virtual machines and their images • Combines external and internal checks • Aims at • typical configuration errors • vulnerabilities commonly misused by Internet attackers • Being developed for AppDB EGI Conference 2019 11 EGI CSIRT: Security in a cloud context

  12. Notes on good practice • Signed images - ideally use images from trusted sources only • If not, look at SECANT? • Storage encryption • Remote logging and security auditing EGI Conference 2019 12 EGI CSIRT: Security in a cloud context

  13. Notes on good practice • Match security groups to running VMs • Shutdown VMs not in use (and isolate/update them when they come up) • Don’t keep sensitive data in the images • Monitor network activity EGI Conference 2019 13 EGI CSIRT: Security in a cloud context

  14. Notes on good practice • Network isolation of cloud services • Restrict access from cloud instance to hypervisor • Isolate tenants; avoid memory optimisation which uses de-duplication • Keep software patched! EGI Conference 2019 14 EGI CSIRT: Security in a cloud context

  15. Other cloud communities • Work done in US by Trusted-CI • https://trustedci.org/cloud-service-provider-security- best-practices EGI Conference 2019 15 EGI CSIRT: Security in a cloud context

  16. Any questions? EGI Conference 2019 16 EGI CSIRT: Security in a cloud context

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides
Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the Cloud? How the Cloud is delivered: Iaas, PaaS and SaaS Cloud security challenges and risk Current Cloud security report Cloud security technology

302 views • 27 slides
Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined) Administrative discussions Stephen McCamant University of Minnesota Multi-Cloud Oblivious Storage Old and new topics in security Cloud threats, old and new

645 views • 8 slides
1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

Agenda Related Polices to Cloud Computing I. Guidelines for Information Security of Cloud II. Computing Cloud Security Certification Scheme in KOREA Cloud Security Certification Program in Korea III. April. 11, 2017 Jungduk (JD) KIM, Ph.

403 views • 5 slides
Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing Storage Computation High availability No maintenance Decreased Costs Elasticity & Flexibility Security and Privacy for Cloud

529 views • 36 slides
The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud

The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud

The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud Engineering Immunet, Inc. Monday, August 22, 2011 The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Chief Architect, Cloud

848 views • 68 slides
Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud Computing model. Presented By: Marissa Hollingsworth Overview What is Cloud Computing? Unique Security Concerns in the Cloud

556 views • 34 slides
Final Public-Private recommendation for a European Cloud Security Certification Scheme Timeline

Final Public-Private recommendation for a European Cloud Security Certification Scheme Timeline

Amsterdam 12 th June 2019 Final Public-Private recommendation for a European Cloud Security Certification Scheme Timeline To explore the possibility of developing a European Cloud Certification Scheme in the context of the Cybersecurity Act

663 views • 42 slides
Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by design Ecosystem integration Strong momentum Founded by Wireshark Cloud-native security Customer expansion mirrors co-creator and

247 views • 22 slides
Cloud Computing Tom Hendrickx RESEARCH QUESTION Define Cloud Computing in context of the higher

Cloud Computing Tom Hendrickx RESEARCH QUESTION Define Cloud Computing in context of the higher

Cloud Computing Tom Hendrickx RESEARCH QUESTION Define Cloud Computing in context of the higher education and research community in general and of an NREN in specific. CLOUD COMPUTING SaaS PaaS STaaS IaaS Utility GRID computing

458 views • 9 slides
Security & Privacy Issues in Mobile Cloud Computing Manmohan Chaturvedi ,1 , Sapna Malik,

Security & Privacy Issues in Mobile Cloud Computing Manmohan Chaturvedi ,1 , Sapna Malik,

Security & Privacy Issues in Mobile Cloud Computing Manmohan Chaturvedi ,1 , Sapna Malik, Preeti Aggarwal and Shilpa Bahl Ansal University, Gurgaon- 122011, India 1 mmchaturvedi@ansaluniversity.edu.in Indian Context The potential uptake

1.27k views • 28 slides
Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security

Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security

Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security Cap-ex Free Resilience Infrastructure Elasticity Infrastructure Flexibility Sevices 5% of organizations have migrated at least 30% 41% 52%

540 views • 11 slides
Towards Supercloud Computing: User-Centric Security Management for Clouds of Clouds Marc Lacoste

Towards Supercloud Computing: User-Centric Security Management for Clouds of Clouds Marc Lacoste

Towards Supercloud Computing: User-Centric Security Management for Clouds of Clouds Marc Lacoste Orange Labs SEC2 ComPAS15 Workshop on Cloud Security Lille, June 30, 2015 Cloud Security Today Security = key concern in cloud adoption for the

2.73k views • 33 slides
CS573 Data privacy and security in the cloud in the cloud Slide credits: Ragib Hasan, Johns

CS573 Data privacy and security in the cloud in the cloud Slide credits: Ragib Hasan, Johns

CS573 Data privacy and security in the cloud in the cloud Slide credits: Ragib Hasan, Johns Hopkins University What is Cloud Computing ? Lets hear from the experts 2 What is Cloud Computing ? The infinite wisdom of the crowds (via

709 views • 38 slides
Singapore Standard for Multi-Tiered Cloud Security - SS 584:2013 1. To provide an overview of

Singapore Standard for Multi-Tiered Cloud Security - SS 584:2013 1. To provide an overview of

Agenda Singapore Standard for Multi-Tiered Cloud Security - SS 584:2013 1. To provide an overview of Multi-Tier Cloud Security (MTCS SS584:2013) standard 2. To detail the deployment considerations and related initiatives Wong Onn Chee, Cloud

352 views • 6 slides
Securing the Cloud Identity Management and Network Security in the Cloud Mark Ryland Chief

Securing the Cloud Identity Management and Network Security in the Cloud Mark Ryland Chief

Securing the Cloud Identity Management and Network Security in the Cloud Mark Ryland Chief Solutions Architect AWS Public Sector team Khawaja Shams Cloud Architect Jet Propulsion Labs / NASA QCon New York 2012 Agenda Identity &

594 views • 21 slides
Accessing Samba from Linux. Whats new? Whats faster? Whats better? Steve French

Accessing Samba from Linux. Whats new? Whats faster? Whats better? Steve French

Accessing Samba from Linux. Whats new? Whats faster? Whats better? Steve French Principal Systems Engineer Primary Data Legal Statement T h i s w o r k r e p r e s e n t s t h e v i e w s o f t h e a u t h o r ( s ) a n d d o e

480 views • 28 slides
Recreating the NSA's MITM Attack 1 Why Should This Topic be Chosen? Goal 1: Understanding how

Recreating the NSA's MITM Attack 1 Why Should This Topic be Chosen? Goal 1: Understanding how

create your own exercise Christoph Schmidt, Team 1 Recreating the NSA's MITM Attack 1 Why Should This Topic be Chosen? Goal 1: Understanding how the NSA uses its access to the Backbone Goal 2: Understanding how MITM attacks can be done

1.02k views • 82 slides
Modern Cryptology: from public key cryptography to homomorphic encryption 2015/12 Yaound,

Modern Cryptology: from public key cryptography to homomorphic encryption 2015/12 Yaound,

Modern Cryptology: from public key cryptography to homomorphic encryption 2015/12 Yaound, Cameroun Damien Robert quipe LFANT, Inria Bordeaux Sud-Ouest Institut de Mathmatiques de Bordeaux quipe MACISA, Laboratoire International de

960 views • 46 slides
Mixing Hadoop and HPC Workloads on Parallel Filesystems Esteban Molina-Estolano * , Maya Gokhale

Mixing Hadoop and HPC Workloads on Parallel Filesystems Esteban Molina-Estolano * , Maya Gokhale

Mixing Hadoop and HPC Workloads on Parallel Filesystems Esteban Molina-Estolano * , Maya Gokhale , Carlos Maltzahn * , John May , John Bent , Scott Brandt * * UC Santa Cruz, ISSDM, PDSI Lawrence Livermore National Laboratory

516 views • 22 slides
syzkaller Mark Johnston markj@FreeBSD.org FreeBSD Bay Area Vendor Summit October 12, 2019

syzkaller Mark Johnston markj@FreeBSD.org FreeBSD Bay Area Vendor Summit October 12, 2019

syzkaller Mark Johnston markj@FreeBSD.org FreeBSD Bay Area Vendor Summit October 12, 2019 System Call Fuzzing: What? Common syscall usage patterns cover a small space Why would you ever call send(2) after listen(2) ? Increase

744 views • 12 slides
Security and Protection Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica

Security and Protection Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica

Security and Protection Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica de Catalunya (UPC) May 26, 2014 Introduction About security Security components Lectures System administration introduction 1 Operating System

517 views • 35 slides
Katacryptology trust or not your favorite cryptotool ? RSA PreSE 1 Robert Erra PreSE 2 LSE

Katacryptology trust or not your favorite cryptotool ? RSA PreSE 1 Robert Erra PreSE 2 LSE

Katacryptology Robert Erra LSE WEEK 2014 Catacrypt ? Why should you Katacryptology trust or not your favorite cryptotool ? RSA PreSE 1 Robert Erra PreSE 2 LSE WEEK 2014 PreSE 3 PreSE 5 PostSE 1 July 17, 2014 PostSE 3 Back to RSA

922 views • 44 slides
Lattice-based cryptography, day 1: simplicity D. J. Bernstein University of Illinois at Chicago;

Lattice-based cryptography, day 1: simplicity D. J. Bernstein University of Illinois at Chicago;

1 Lattice-based cryptography, day 1: simplicity D. J. Bernstein University of Illinois at Chicago; Ruhr University Bochum 2 2000 Cohen cryptosystem Public key: vector of integers K = ( K 1 ; : : : ; K N ) { X; : : : ; X } N .

1.84k views • 164 slides

More recommend