the cloud migration playbook
play

The Cloud Migration Playbook Part 1: A Simple Primer To Complexity - PowerPoint PPT Presentation

Aug 27, 2022 •156 likes •520 views

The Cloud Migration Playbook Part 1: A Simple Primer To Complexity Who Am I? Background Web Application Developer DevOps => DevSecOps InfoSec/Penetration Tester OWASP Hawaii Chapter Lead AWS Certifications AWS SysOps Associate AWS

  1. The Cloud Migration Playbook Part 1: A Simple Primer To Complexity

  2. Who Am I? Background Web Application Developer DevOps => DevSecOps InfoSec/Penetration Tester OWASP Hawaii Chapter Lead AWS Certifications AWS SysOps Associate AWS Security Specialist AWS Solutions Architect (TBD) Jason Sewell Sr. Security Engineer @sewell_jason

  3. Who Are You? I am... A CISO ● A Technical Director ● An Engineering Manager ● A Security-Minded ● Advocate I want to... Lift and shift ● existing on-prem applications to AWS Understand the attack ● surface of our AWS resources Validate that proper ● security measures are in place in our AWS environment

  4. What do we want to accomplish today?

  5. Where To Begin? The AWS Shared Security Model

  6. But is it really shared…? “Through 2025, 99% of cloud security failures will be the customer’s fault.” Source: Gartner, https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/

  7. Q: What’s the main thing we have to worry about? A: Misconfigurations

  8. Year over year from 2018 to 2019, the number of records exposed by cloud misconfigurations rose by 80%, as did the total cost to companies associated with those lost records. In 2018 and 2019, 68% of the companies that suffered a data breach caused by a cloud misconfiguration were founded prior to 2010. Source: DivvyCloud, 2020 Cloud Misconfigurations Report

  9. Know Your Defaults Convenience vs Security DISCLAIMER: Also easier said than done...

  10. “It’s the same stuff, just in the cloud right?” Kinda.

  11. First Things First When performing a lift-and-shift or cloud migration you should start threat modeling and hardening 4 common areas: Identity Networking ● ● Data Storage Compute ● ●

  12. Identity Over 6000 unique ● permissions in AWS ...and growing IAM Difficult to manage and ● visualize permission “Identity is the new boundaries perimeter” IAM is hard ●

  13. Account Takeover ● Brute Force Attempts ○ Password Spraying ○ Social Engineering ○ Credential Theft Attacks ● Privilege Escalation ○ Resource Allocation ○ Persistence ○

  14. IAM (not gonna do this)

  15. Single Sign ● On/Federation (SSO) MFA Enforcement ● No Root User API keys ● User Key Rotation ● Role-Based Access ● Defenses Control (RBAC) Least Privilege IAM ● policies Use conditional policies ○ No wildcards ○ No AdministratorAccess ○ Disable unused regions ●

  16. Data Storage S3 ● RDS ● DynamoDB ● S3 Elasticache ● SQS ● “Your favorite data breach ...more ● news source”

  17. Bucket Enumeration ● Data Exfiltration ● Attacks Resource Tampering ● Payload Staging ●

  18. Bucket Enumeration

  19. Resource Tampering

  20. Data Exfiltration

  21. S3: Turn on Block ● Public Access S3: Strict Bucket ● Policies RDS/Elasticache: No ● public access, encrypt Defenses snapshots SQS: No public queues, ● encrypt messages DynamoDB: Strict IAM ● controls

  22. Compute EC2 It’s still a server.. ● ...but in a whole new ● environment. The same old servers, except different.

  23. Service Enumeration ● Application Exploit ● SSRF ○ RCE ○ Attacks Post-Exploit ● Instance Metadata Access ○ Lateral Movement ○ Cryptojacking ○ Unencrypted Volume Access ○

  24. Service Enumeration

  25. Application Exploit (SSRF)

  26. Post-Exploitation

  27. Server Hardening ● Remove Default Users ● Load Balancers & WAF ● Defenses Encrypt Volumes ● Protect Instance ● Metadata

  28. Networking Networking is hard ● VPC Networking in the cloud ● is hard AND different The same old network, except different.

  29. Service Discovery ● Data Exfiltration ● Lateral Movement (VPC ● Peering, VPN, Direct Connect) Attacks Security Group ● Backdoor(IAM/EC2) Traffic Monitoring ●

  30. Network Segmentation ● Create Strict Security ● Group and NACL Rules Assign SG Rules to ● Other Internal SGs Defenses Use VPC Endpoints for ● Internal Traffic

  31. OK..so how do we manage this? Migrate Your Practices, Not Just Your Applications.

  32. DevSecOps / Security ● Engineering Infrastructure as Code ● Automation Monitor Events ● Automate Remediation ● Unleash the robot army. Vulnerability Scanning ●

  33. Cloud Security Maturity Model https://www.iansresearch.com/resources/cloud-security-maturity-model/what-is-the-csmm

  34. Organizations 🔦 Pentesting / Cloud Native Security Tools Assessment Asset Training Management Where do you go from here...?

  35. Thank You. We Can Help: info@occamsec.com https://www.linkedin.com/company/occamsec/ https://twitter.com/OccamSec

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fast Track DC Migration with Cloud 3.0 Reap the benefits of the local cloud and Fast-Track Data

Fast Track DC Migration with Cloud 3.0 Reap the benefits of the local cloud and Fast-Track Data

MINT MANAGEMENT TECHNOLOGIES Fast Track DC Migration with Cloud 3.0 Reap the benefits of the local cloud and Fast-Track Data Center Migration with Cloud 3.0 Challenges Ideal Solution Desired Outcomes This public cloud infrastructure is

341 views • 5 slides
Can Network Science Help Re-Write the Privacy Playbook? Erin Kenneally, M.F.S., J.D. CAIDA|

Can Network Science Help Re-Write the Privacy Playbook? Erin Kenneally, M.F.S., J.D. CAIDA|

Can Network Science Help Re-Write the Privacy Playbook? Erin Kenneally, M.F.S., J.D. CAIDA| Elchemy W3C Data Usage & Control Workshop MIT | 6 Oct 2010 Gameplan Incumbent playbook Problems with playbook Playbook

328 views • 14 slides
Playbook and START START Tools START Tools been produced to ease workloads during Cloud

Playbook and START START Tools START Tools been produced to ease workloads during Cloud

Playbook and START START Tools START Tools been produced to ease workloads during Cloud Migrations and to assist System Integrators. Pulls together existing Microsoft Tools with an easy to use interface Developed in conjunction with

203 views • 19 slides
The Cloud Reality Agenda Introductions The Cloud Environment Migration Roadmap

The Cloud Reality Agenda Introductions The Cloud Environment Migration Roadmap

The Cloud Reality Agenda Introductions The Cloud Environment Migration Roadmap Commercial Implications Longevity Questions Dan Siewers Executive Director, Systems Engineering at Fox (TV, Film & Sports) Brinton

481 views • 16 slides
Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security

Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security

Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security Cap-ex Free Resilience Infrastructure Elasticity Infrastructure Flexibility Sevices 5% of organizations have migrated at least 30% 41% 52%

540 views • 11 slides
You shall not PaaS ?! Let us be your guide to a successful cloud migration Matthias Haeussler,

You shall not PaaS ?! Let us be your guide to a successful cloud migration Matthias Haeussler,

You shall not PaaS ?! Let us be your guide to a successful cloud migration Matthias Haeussler, Thorsten Jakoby Agenda Brief information speakers and Novatec Application details Initial problem High level migration path

694 views • 56 slides
#MicroFocusCyberSummit SecureData Sentry Accelerate your migration to cloud workloads Alistair

#MicroFocusCyberSummit SecureData Sentry Accelerate your migration to cloud workloads Alistair

#MicroFocusCyberSummit SecureData Sentry Accelerate your migration to cloud workloads Alistair Rigg & Phil Sewell #MicroFocusCyberSummit Enterprise Cloud Trends and Risks Cloud Trends Security Risks and Concerns An average of Cloud is

905 views • 34 slides
Burning Down the Cloud Burning Down The Cloud Cloud Migration Lessons Time Warner Cable Charter

Burning Down the Cloud Burning Down The Cloud Cloud Migration Lessons Time Warner Cable Charter

Burning Down the Cloud Burning Down The Cloud Cloud Migration Lessons Time Warner Cable Charter Communications Time Warner Cable Charter Communications OpenStack DevOps Steven Travis, sltravis7@gmail.com David Medberry,

560 views • 23 slides
Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon, Vyas Sekar Michael K. Reiter Context: Infrastructure-as-a-Service Clouds Client API Cloud Controller VM VM Machine VM VM VM Machine Machine

919 views • 73 slides
Migration to Cloud. Optimization and Security George Kouimintzis Commercial Director NSS

Migration to Cloud. Optimization and Security George Kouimintzis Commercial Director NSS

TM Migration to Cloud. Optimization and Security George Kouimintzis Commercial Director NSS Company >Founded by Engineers >Values (Flexibility, Trust, Effectiveness) >Solutions Oriented >Value Add Distributor >Method

383 views • 20 slides
Transparent migration of virtual Transparent migration of virtual infrastructures in large

Transparent migration of virtual Transparent migration of virtual infrastructures in large

Transparent migration of virtual Transparent migration of virtual infrastructures in large datacenters for infrastructures in large datacenters for Cloud Computing Cloud Computing Workshop on Management of Cloud Systems ( Workshop on

489 views • 23 slides
Live Migration @Alibaba Cloud: issues settled & challenges remain Chao Zhang Email:

Live Migration @Alibaba Cloud: issues settled & challenges remain Chao Zhang Email:

1111 Live Migration @Alibaba Cloud: issues settled & challenges remain Chao Zhang Email: zhuoxi.zc@alibaba-inc.com 1111 1 2 4 3 Challenges of Live LM Application@ Performance Tuning Future challenges Alibaba Cloud Migration

313 views • 19 slides
Transparent Service Migration to the Cloud Clone existing VMs to CloudStack/OpenStack templates

Transparent Service Migration to the Cloud Clone existing VMs to CloudStack/OpenStack templates

Transparent Service Migration to the Cloud Clone existing VMs to CloudStack/OpenStack templates without user downtime CloudOpen Dublin 2015 #whoami Name: Tim Mackey Current roles: XenServer Community Manager and Evangelist; occasional coder

740 views • 29 slides
Transactional Migration of Inhoiogeneous Coiposite Cloud Applications Josef Spillner, Manuel

Transactional Migration of Inhoiogeneous Coiposite Cloud Applications Josef Spillner, Manuel

Transactional Migration of Inhoiogeneous Coiposite Cloud Applications Josef Spillner, Manuel Ramrez Lpez Service Prototyping Lab (blog.zhaw.ch/splab) Sep 12, 2018 | 4th CloudWays @ 7th ESOCC Zrcher Fachhochschule Our research on

591 views • 12 slides
I just want milk that tastes like real milk QUTs Migration of Staff Email to the Cloud

I just want milk that tastes like real milk QUTs Migration of Staff Email to the Cloud

#THETA2015 I just want milk that tastes like real milk QUTs Migration of Staff Email to the Cloud Michael Boyle Assoc Director, Infrastructure Services Nathan Howard Project Manager This work is licensed under

472 views • 24 slides
WHY IS MIGRATION SO IMPORTANT? Why migration? German National Team 2014 Why migration?

WHY IS MIGRATION SO IMPORTANT? Why migration? German National Team 2014 Why migration?

WHY IS MIGRATION SO IMPORTANT? Why migration? German National Team 2014 Why migration? Washington Capitals 2018 Why migration? Birmingham Children Hospital, Cardiac Surgery Group ENGLAND Ohio State University Electrical Engineering Faculty

818 views • 58 slides
What is an HPC Work)low ? Applica'on View Run$me

What is an HPC Work)low ? Applica'on View Run$me

Slide 1 HPC Work)low Performance Karen L. Karavanic New Mexico Consortium & Portland State University David Montoya (LANL) August 2, 2016 UNCLASSIFIED - LA-UR-16-23542 Operated by Los Alamos National Security, LLC for the U.S.

351 views • 22 slides
Using Container-specific Sysnames Andrew Deason June 2019 OpenAFS Workshop 2019 1 The Problem

Using Container-specific Sysnames Andrew Deason June 2019 OpenAFS Workshop 2019 1 The Problem

Using Container-specific Sysnames Andrew Deason June 2019 OpenAFS Workshop 2019 1 The Problem Say /afs/cell/bin/gcc /afs/cell/@sys/bin/gcc RHEL6 running docker RHEL7, SLES12 --volume /afs:/afs Containers get amd64_rh6 , not

337 views • 11 slides
C-2 DRAWER SYSTEMS AND SLIDES Standard Drawer Finishes: Grey, White and Stainless Steel

C-2 DRAWER SYSTEMS AND SLIDES Standard Drawer Finishes: Grey, White and Stainless Steel

C-2 DRAWER SYSTEMS AND SLIDES Standard Drawer Finishes: Grey, White and Stainless Steel Tool free assembly and removal of drawer Silent system gurantees smooth running Full adjustment (up, down, left, right) Standard

1.43k views • 90 slides
loops continued Genome 559: Introduction to Statistical and Computational Genomics Prof. James

loops continued Genome 559: Introduction to Statistical and Computational Genomics Prof. James

loops continued Genome 559: Introduction to Statistical and Computational Genomics Prof. James H. Thomas Review Pick variable names that are descriptive Comment your code if it complex (# sign) for <element> in <object>: Use

588 views • 19 slides
S. Longo CSG meeting Slide 1/10 Alfresco Document Manager status: Alfresco Document

S. Longo CSG meeting Slide 1/10 Alfresco Document Manager status: Alfresco Document

S. Longo CSG meeting Slide 1/10 Alfresco Document Manager status: Alfresco Document Manager is up and running at http://sbdocserver.pd.infn.it:5210/alfresco Authentication and group mapping is done through sbldap.fe.infn.it

461 views • 10 slides
Time Management for System Administrators www.EverythingSysAdmin.com Top 5 #1 Create a

Time Management for System Administrators www.EverythingSysAdmin.com Top 5 #1 Create a

Hit The Ground Running: Time Management for System Administrators www.EverythingSysAdmin.com Top 5 #1 Create a Mutual Interruption Shield #2 Turn Chaos Into Routines #3 Record All Requests #4 Keep 365 Todo-Lists Each Year #5

553 views • 27 slides
CSN11121 System Administration and Forensics Week 2: Introduction/Linux Basics Week 2:

CSN11121 System Administration and Forensics Week 2: Introduction/Linux Basics Week 2:

CSN11121 System Administration and Forensics Week 2: Introduction/Linux Basics Week 2: Introduction/Linux Basics Module Leader: Dr Gordon Russell Lecturers: G. Russell, R.Ludwiniak Aliases: CSN11122 (Distance Learning Version) System

547 views • 50 slides
Computer System Administration Computer Center, CS, NCTU What System Administrator Should do? (1)

Computer System Administration Computer Center, CS, NCTU What System Administrator Should do? (1)

Computer System Administration Computer Center, CS, NCTU What System Administrator Should do? (1) Ordinary list Install new system, programs and OS updates Monitoring system and trying to Tune performance Adding and removing users

762 views • 22 slides

More recommend