15 February 2020
AGENDA
- About Cloud
- Challenges of Cloud Computing
- Why Cloud Security?
- Cloud Shared Responsibility Model
- Scope of Security in Public Cloud
- Cloud Security Penetration Testing
About Cloud:
Cloud computing is the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, you access technology services such as computing power, storage, and databases on an as-needed basis from a cloud provider (such as AWS or Azure).
- Benefits of Cloud Computing:
  - Agility
  - Elasticity
  - Cost savings
  - Deploy globally in minutes
- Cloud Deployment Models:
  - Private Cloud
  - Public Cloud
  - Hybrid Cloud
- Cloud Services:
  - Software as a Service (SaaS)
  - Platform as a Service (PaaS)
  - Infrastructure as a Service (IaaS)
Challenges of Cloud Computing?
Why Cloud Security?
Critical Threats as per Cloud Security Alliance:
- Data Breaches
- Data Loss
- Account Hijacking
- Insecure APIs
- Denial of Service
- Malicious Insiders
- Abuse of Cloud Services
- Insufficient Due Diligence
- Shared Technology Issues
Cloud security
Hackers attack every 39 seconds, on average 2,244 times a day. (University of Maryland)
Shared Responsibility Model:
Scope of Security in Public Cloud:
Cloud Security Penetration Testing:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Microsoft Secure Software Development Life Cycle:
  - Application Programming Interface (API) (e.g. HTTP/HTTPS)
  - Web and mobile applications that are hosted by your organization
  - The application server and associated stack
  - Virtual machines and operating systems
- Basic Security Checks/Tools:
  - Amazon Inspector
  - Nmap
  - Identify misconfigured S3 buckets
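One concrete way to check the "misconfigured S3 bucket" item above is to evaluate a bucket's policy for statements open to everyone and combine that with the bucket's Public Access Block settings. The code below is an added example, not part of the slides; the policy and the access-block dictionary are constructed samples, and the key names mirror the S3 PublicAccessBlock configuration (BlockPublicPolicy, RestrictPublicBuckets).

```python
import json

# Constructed sample bucket policy for the example (not from the slides).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _is_public_principal(principal):
    """True when a statement applies to anyone: '*' or {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def public_statements(policy_json):
    """Return Allow statements whose principal is everyone.

    Statements that carry a Condition are still reported but flagged, because
    a condition (for example on aws:SourceVpce) may narrow the exposure and
    needs manual review rather than an automatic verdict."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not _is_public_principal(st.get("Principal")):
            continue
        findings.append({"sid": st.get("Sid", f"statement-{i}"),
                         "conditional": "Condition" in st,
                         "actions": st.get("Action")})
    return findings


def bucket_is_exposed(policy_json, public_access_block):
    """Public policy statements only matter if the Public Access Block does
    not already neutralise them (RestrictPublicBuckets or BlockPublicPolicy)."""
    if public_access_block.get("RestrictPublicBuckets") or \
            public_access_block.get("BlockPublicPolicy"):
        return []
    return public_statements(policy_json)
```

In practice the policy JSON and access-block settings come from the bucket's own configuration; a bucket with a public statement and neither blocking flag set is the finding to report.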
Prerequisites before Cloud Penetration Testing:
https://aws.amazon.com/security/penetration-testing/
- Legal Requirements:
  - Penetration testing must comply with local and national law.
  - Written and signed client authorization must be obtained.
  - During penetration testing, data and PII must be handled as per GDPR (European), PDPA or the country-specific Data Privacy Act.
- AWS Customer Support Policy for Penetration Testing:
Permitted Services:
  - Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
  - Amazon RDS
  - Amazon CloudFront
  - Amazon Aurora
  - Amazon API Gateways
  - AWS Lambda and Lambda Edge functions
  - Amazon Lightsail resources
  - Amazon Elastic Beanstalk environments
Prohibited Activities:
  - DNS zone walking via Amazon Route 53 Hosted Zones
  - Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
  - Port flooding
  - Protocol flooding
  - Request flooding (login request flooding, API request flooding)
Threat Modeling – "STRIDE":
OWASP Cloud Top 10 Security Risks
Cloud Penetration Testing Method:
- Cloud penetration testing uses industry-proven methodologies:
  - Open Source Security Testing Methodology Manual (OSSTMM)
  - NIST Cyber Security Framework - NIST SP 800-115
  - OWASP Testing Guide
Reconnaissance and Research:
- Standard reconnaissance, such as records, web, network, and IP/port fingerprinting.
- Additional information gathering using OSINT, people, and social media.
- Leverage DNS records: MX, NS, SPF, TXT, CNAME, A.
- Look for cloud credentials, such as API keys and storage account keys.
- Identify DNS records for S3 buckets, like abc.s3.amazon.com.
- Enumerate all the backend API calls.
- Conduct research on:
  - Known vulnerabilities
  - Common misconfigurations
  - Exploitation tools and methods
  - Security bulletins published by the CSP
LinkedIn: https://www.linkedin.com/in/susanta-roy/
Twitter: @bugpurush
References:
- Cloud Security Alliance (CSA)
- https://aws.amazon.com/compliance/csa/
- https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project