The Cloud Migration Playbook Part 1: A Simple Primer To Complexity - - PowerPoint PPT Presentation


SLIDE 1

The Cloud Migration Playbook

Part 1: A Simple Primer To Complexity

SLIDE 2

Who Am I?

Jason Sewell

  • Sr. Security Engineer
  • @sewell_jason

Background

  • Web Application Developer
  • DevOps => DevSecOps
  • InfoSec/Penetration Tester
  • OWASP Hawaii Chapter Lead

AWS Certifications

  • AWS SysOps Associate
  • AWS Security Specialist
  • AWS Solutions Architect (TBD)

SLIDE 3

Who Are You?

I am...

  • A CISO
  • A Technical Director
  • An Engineering Manager
  • A Security-Minded Advocate

I want to...

  • Lift and shift existing on-prem applications to AWS
  • Understand the attack surface of our AWS resources
  • Validate that proper security measures are in place in our AWS environment

SLIDE 4

What do we want to accomplish today?

SLIDE 5

The AWS Shared Security Model

Where To Begin?

SLIDE 6

“Through 2025, 99% of cloud security failures will be the customer’s fault.”

Source: Gartner, https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/

But is it really shared…?

SLIDE 7

Q: What’s the main thing we have to worry about?

A: Misconfigurations

SLIDE 8

Year over year from 2018 to 2019, the number of records exposed by cloud misconfigurations rose by 80%, as did the total cost to companies associated with those lost records.

Source: DivvyCloud, 2020 Cloud Misconfigurations Report

In 2018 and 2019, 68% of the companies that suffered a data breach caused by a cloud misconfiguration were founded prior to 2010.

SLIDE 9

Know Your Defaults

Convenience vs Security

DISCLAIMER: Also easier said than done...

SLIDE 10

“It’s the same stuff, just in the cloud right?”

Kinda.

SLIDE 11

First Things First

When performing a lift-and-shift or cloud migration you should start threat modeling and hardening 4 common areas:

  • Identity
  • Data Storage
  • Networking
  • Compute

SLIDE 12

Identity

IAM

“Identity is the new perimeter”

  • Over 6000 unique permissions in AWS ...and growing
  • Difficult to manage and visualize permission boundaries
  • IAM is hard

SLIDE 13

Attacks

  • Account Takeover
    ○ Brute Force Attempts
    ○ Password Spraying
    ○ Social Engineering
  • Credential Theft
    ○ Privilege Escalation
    ○ Resource Allocation
    ○ Persistence

SLIDE 14

IAM (not gonna do this)

SLIDE 15

Defenses

  • Single Sign-On/Federation (SSO)
  • MFA Enforcement
  • No Root User API keys
  • User Key Rotation
  • Role-Based Access Control (RBAC)
  • Least Privilege IAM policies
    ○ Use conditional policies
    ○ No wildcards
    ○ No AdministratorAccess
  • Disable unused regions

SLIDE 16

Data Storage

S3

“Your favorite data breach news source”

  • S3
  • RDS
  • DynamoDB
  • ElastiCache
  • SQS
  • ...more

SLIDE 17

Attacks

  • Bucket Enumeration
  • Data Exfiltration
  • Resource Tampering
  • Payload Staging

SLIDE 18

Bucket Enumeration

SLIDE 19

Resource Tampering

SLIDE 20

Data Exfiltration

SLIDE 21

Defenses

  • S3: Turn on Block Public Access
  • S3: Strict Bucket Policies
  • RDS/ElastiCache: No public access, encrypt snapshots
  • SQS: No public queues, encrypt messages
  • DynamoDB: Strict IAM controls
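The two Defenses slides above (least-privilege IAM policies on slide 15, strict bucket policies on slide 21) boil down to checks you can run over policy documents before they are deployed. The following Python is an added example, not code from the presentation or its author: it lints an identity policy for the anti-patterns the IAM slide names (wildcards, AdministratorAccess-equivalent grants, sensitive actions without a Condition) and a resource policy for public principals. The sample policies are constructed for illustration; the account ID, role and bucket names are placeholders, and `SENSITIVE_ACTIONS` is a deliberately short list, not an authoritative one.

```python
import json

# Constructed sample policies (not from the presentation); the account ID,
# role and bucket names are placeholders.
OVERLY_BROAD_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]}

LEAST_PRIVILEGE_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-app-task",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
]}

PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
]}

STRICT_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-task"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    # A Deny with Principal "*" is fine: it forces TLS for every caller.
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-app-uploads", "arn:aws:s3:::example-app-uploads/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# Actions that should never be granted on Resource "*" or without a Condition
# (a short illustrative list chosen for this example, not an exhaustive one).
SENSITIVE_ACTIONS = {"iam:PassRole", "sts:AssumeRole", "iam:CreateAccessKey",
                     "iam:AttachUserPolicy", "iam:PutUserPolicy"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_identity_policy(policy):
    """Flag the anti-patterns from the IAM Defenses slide in an identity policy."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: Action '*' on Resource '*' is AdministratorAccess")
            continue
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for action in sorted(SENSITIVE_ACTIONS.intersection(actions)):
            # Resource "*" is legitimate for many Describe/List calls, so it is
            # only flagged when paired with a sensitive action.
            if "*" in resources or "Condition" not in stmt:
                findings.append(f"statement {i}: {action} needs a specific Resource and a Condition")
    return findings


def lint_resource_policy(policy):
    """Flag Allow statements in a bucket/queue policy that grant access to everyone."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        public = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if not public:
            continue
        if "Condition" in stmt:
            findings.append(f"statement {i}: Principal '*' scoped only by a Condition; verify it "
                            "restricts the caller (e.g. aws:PrincipalOrgID or aws:SourceVpce)")
        else:
            findings.append(f"statement {i}: Principal '*' with no Condition is public")
    return findings


if __name__ == "__main__":
    for name, policy, lint in [
        ("overly broad identity policy", OVERLY_BROAD_IDENTITY_POLICY, lint_identity_policy),
        ("least-privilege identity policy", LEAST_PRIVILEGE_IDENTITY_POLICY, lint_identity_policy),
        ("public bucket policy", PUBLIC_BUCKET_POLICY, lint_resource_policy),
        ("strict bucket policy", STRICT_BUCKET_POLICY, lint_resource_policy),
    ]:
        print(f"{name}: {json.dumps(lint(policy), indent=2)}")
```

The linter is a pre-deployment gate, not a substitute for the platform controls on the slides: S3 Block Public Access uses a stricter definition of "public" than this check and applies even if a policy slips through, and IAM Access Analyzer will report cross-account and public access on live resources.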

SLIDE 22

Compute

EC2

The same old servers, except different.

  • It’s still a server..
  • ...but in a whole new environment.

SLIDE 23

Attacks

  • Service Enumeration
  • Application Exploit
    ○ SSRF
    ○ RCE
  • Post-Exploit
    ○ Instance Metadata Access
    ○ Lateral Movement
    ○ Cryptojacking
    ○ Unencrypted Volume Access

SLIDE 24

Service Enumeration

SLIDE 25

Application Exploit (SSRF)

SLIDE 26

Post-Exploitation

SLIDE 27

Defenses

  • Server Hardening
  • Remove Default Users
  • Load Balancers & WAF
  • Encrypt Volumes
  • Protect Instance Metadata (require IMDSv2)
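Slides 23 and 27 pair the SSRF-to-instance-metadata attack with "Protect Instance Metadata" as the defense. The following Python is an added example, not code from the presentation or its author: it models the EC2 Instance Metadata Service in-process (no network) to show why requiring IMDSv2 breaks the classic SSRF path. The `/latest/api/token` PUT handshake, the two `X-aws-ec2-metadata-token*` headers, the credentials path and the 401 for a missing token in `required` mode are the real IMDSv2 behaviour; `FakeIMDS`, the role name, the credential placeholders and the status codes for the other error cases are this model's own choices.

```python
import secrets
import time

# Real IMDS header names and paths; the service itself is modelled below.
IMDS_TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
IMDS_TOKEN_HEADER = "X-aws-ec2-metadata-token"
CREDENTIALS_PATH = "/latest/meta-data/iam/security-credentials/"


class FakeIMDS:
    """Stand-in for the metadata service (an assumption for this example, not AWS code)."""

    def __init__(self, http_tokens="optional", role_name="example-app-role"):
        # "optional" = IMDSv1 still answers plain GETs; "required" = IMDSv2 only.
        self.http_tokens = http_tokens
        self.role_name = role_name          # placeholder instance-profile role
        self._tokens = {}                   # issued token -> expiry timestamp

    def handle(self, method, path, headers=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == "/latest/api/token":
            # The real service refuses to mint a token for a request that crossed
            # a proxy (X-Forwarded-For); the 403 is this model's code for that.
            if "x-forwarded-for" in headers:
                return 403, "token request via proxy refused"
            ttl = headers.get(IMDS_TOKEN_TTL_HEADER.lower())
            if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
                return 400, "bad or missing token TTL"
            token = secrets.token_urlsafe(32)
            self._tokens[token] = time.time() + int(ttl)
            return 200, token
        if method != "GET":
            return 405, "method not allowed"
        token = headers.get(IMDS_TOKEN_HEADER.lower())
        valid = token in self._tokens and self._tokens[token] > time.time()
        if self.http_tokens == "required" and not valid:
            return 401, "unauthorized"     # IMDSv2: no token, no metadata
        if path == CREDENTIALS_PATH:
            return 200, self.role_name
        if path == CREDENTIALS_PATH + self.role_name:
            # Placeholder credential document; values are fake.
            return 200, '{"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "<redacted>", "Token": "<redacted>"}'
        return 404, "not found"


def ssrf_fetch(imds, url_path):
    """What a typical SSRF primitive can do: one plain GET, no custom headers."""
    return imds.handle("GET", url_path)


def imdsv2_fetch(imds, url_path):
    """What the SDK does: PUT for a session token, then GET with the token header."""
    status, token = imds.handle("PUT", "/latest/api/token", {IMDS_TOKEN_TTL_HEADER: "21600"})
    if status != 200:
        return status, token
    return imds.handle("GET", url_path, {IMDS_TOKEN_HEADER: token})


if __name__ == "__main__":
    for mode in ("optional", "required"):
        imds = FakeIMDS(http_tokens=mode)
        print(f"HttpTokens={mode}: SSRF GET -> {ssrf_fetch(imds, CREDENTIALS_PATH)}, "
              f"SDK -> {imdsv2_fetch(imds, CREDENTIALS_PATH)}")
```

On a real instance the switch is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled` (or the equivalent `MetadataOptions` in the launch template). The defense holds because an SSRF in an application usually lets the attacker choose a URL but not the HTTP method or headers; an SSRF that can issue an arbitrary PUT with custom headers, or an attacker already executing code on the box, still reaches the credentials, which is why the role on the instance must itself be least privilege.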

SLIDE 28

Networking

VPC

The same old network, except different.

  • Networking is hard
  • Networking in the cloud is hard AND different

SLIDE 29

Attacks

  • Service Discovery
  • Data Exfiltration
  • Lateral Movement (VPC Peering, VPN, Direct Connect)
  • Security Group Backdoor (IAM/EC2)
  • Traffic Monitoring

SLIDE 30

Defenses

  • Network Segmentation
  • Create Strict Security Group and NACL Rules
  • Assign SG Rules to Other Internal SGs
  • Use VPC Endpoints for Internal Traffic
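"Strict Security Group rules" and "Assign SG Rules to Other Internal SGs" are easiest to see with data in the shape `ec2.describe_security_groups()` returns. The following Python is an added example, not code from the presentation or its author: it audits ingress rules for world-open CIDRs on anything other than the public web ports, and builds the SG-to-SG reference graph that the segmented tiers should form. The four security groups are constructed for illustration (IDs and names are placeholders); the last one is the kind of "backdoor" rule the Attacks slide refers to, left behind by an attacker holding `ec2:AuthorizeSecurityGroupIngress`.

```python
import ipaddress

# Constructed security groups in the shape returned by
# ec2.describe_security_groups(); IDs and names are placeholders.
SECURITY_GROUPS = [
    {"GroupId": "sg-00000001", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
    # App tier accepts traffic only from the web tier's group, not from a CIDR.
    {"GroupId": "sg-00000002", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-00000001"}]},
    ]},
    {"GroupId": "sg-00000003", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-00000002"}]},
    ]},
    # A backdoor group: SSH from anywhere plus an all-traffic rule ("-1" has no ports).
    {"GroupId": "sg-0000bad0", "GroupName": "launch-wizard-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]


def _is_world_open(cidr):
    """0.0.0.0/0 and ::/0 both have a prefix length of zero."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def audit_ingress(groups, allowed_public_ports=frozenset({80, 443})):
    """Return (group id, reason) for every world-open rule outside the allowed ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_world_open(cidr):
                    continue
                if perm["IpProtocol"] == "-1":
                    findings.append((sg["GroupId"], f"all traffic from {cidr}"))
                    continue
                lo, hi = perm["FromPort"], perm["ToPort"]   # ICMP uses -1/-1 and is flagged too
                if any(p not in allowed_public_ports for p in range(lo, hi + 1)):
                    findings.append((sg["GroupId"], f"{perm['IpProtocol']} {lo}-{hi} from {cidr}"))
    return findings


def ingress_graph(groups):
    """Map each group to the groups it accepts traffic from (the SG-to-SG pattern)."""
    return {sg["GroupId"]: {pair["GroupId"]
                            for perm in sg.get("IpPermissions", [])
                            for pair in perm.get("UserIdGroupPairs", [])}
            for sg in groups}


if __name__ == "__main__":
    for group_id, reason in audit_ingress(SECURITY_GROUPS):
        print(f"{group_id}: {reason}")
    print(ingress_graph(SECURITY_GROUPS))
```

Referencing the upstream tier's security group instead of its subnet CIDR is what keeps the rule correct when instances are replaced or autoscaled, and it makes the graph above readable as a segmentation diagram. Run the same audit over the output of `aws ec2 describe-security-groups` in every region, including the ones you think are unused, since a backdoor rule is as likely to be created there as anywhere.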

SLIDE 31

OK..so how do we manage this?

Migrate Your Practices, Not Just Your Applications.

SLIDE 32

Automation

Unleash the robot army.

  • DevSecOps / Security Engineering
  • Infrastructure as Code
  • Monitor Events
  • Automate Remediation
  • Vulnerability Scanning
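"Monitor Events" is where the Account Takeover attacks from slide 13 (brute force, password spraying) become detectable: every console sign-in attempt lands in CloudTrail as a `ConsoleLogin` event. The following Python is an added example, not code from the presentation or its author: it scans a batch of CloudTrail records and reports accounts with many failed logins (brute force) and source IPs that fail against many different accounts (spraying). The field names follow CloudTrail's `ConsoleLogin` record format, including the `HIDDEN_DUE_TO_SECURITY_REASONS` placeholder CloudTrail writes when the attempted user name does not exist; the sample events, IPs and the thresholds of five are constructed for this example.

```python
from collections import Counter, defaultdict

# CloudTrail masks the user name on failed logins for non-existent users.
HIDDEN_USER = "HIDDEN_DUE_TO_SECURITY_REASONS"


def make_event(user, ip, success, minute):
    """Build a constructed CloudTrail ConsoleLogin record (real field names, sample values)."""
    event = {
        "eventVersion": "1.08",
        "eventTime": f"2020-06-01T12:{minute:02d}:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": "Success" if success else "Failure"},
    }
    if not success:
        event["errorMessage"] = "Failed authentication"
    return event


# Constructed sample: one account hammered from one IP (brute force), then one
# IP trying six different accounts once each (spray), plus two normal logins.
SAMPLE_EVENTS = (
    [make_event("alice", "203.0.113.5", False, m) for m in range(6)]
    + [make_event("alice", "203.0.113.5", True, 7)]
    + [make_event(u, "198.51.100.7", False, 10 + i)
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", HIDDEN_USER])]
    + [make_event("grace", "192.0.2.44", True, 20)]
)


def failed_console_logins(events):
    """Yield (user, source IP) for each failed console login in a mixed batch of records."""
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if e.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        yield e["userIdentity"].get("userName", HIDDEN_USER), e["sourceIPAddress"]


def detect_login_attacks(events, brute_force_threshold=5, spray_threshold=5):
    """Brute force: many failures on one account. Spray: one IP failing on many accounts."""
    failures_per_user = Counter()
    users_per_ip = defaultdict(set)
    for user, ip in failed_console_logins(events):
        failures_per_user[user] += 1
        # Masked names all collapse into HIDDEN_USER, so a spray against
        # non-existent users is undercounted here; count attempts per IP as well
        # if that matters for your environment.
        users_per_ip[ip].add(user)
    return {
        "brute_force": sorted((u, n) for u, n in failures_per_user.items()
                              if n >= brute_force_threshold),
        "password_spray": sorted((ip, len(us)) for ip, us in users_per_ip.items()
                                 if len(us) >= spray_threshold),
    }


if __name__ == "__main__":
    print(detect_login_attacks(SAMPLE_EVENTS))
```

In a real account the same logic runs over CloudTrail records delivered to CloudWatch Logs or S3, and the "Automate Remediation" step on the slide is the action taken on a hit (for example, forcing a password reset on the brute-forced account and blocking the spraying IP at the WAF). Note what the detection does not see: an attacker who already has an access key does not log in to the console, which is why the MFA, key rotation and no-root-keys defenses from slide 15 still matter.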

SLIDE 33

Cloud Security Maturity Model

https://www.iansresearch.com/resources/cloud-security-maturity-model/what-is-the-csmm

SLIDE 34

Where do you go from here...?

  • Organizations
  • Cloud Native Security Tools
  • Asset Management
  • Training
  • Pentesting / Assessment

SLIDE 35

Thank You. We Can Help: info@occamsec.com

https://www.linkedin.com/company/occamsec/ https://twitter.com/OccamSec