
Trusting the Cloud



Presentation Transcript


  1. Trusting the Cloud: Establishing Trust and Keeping Secrets Secure in the Cloud - Javier Godinez

  2. Agenda
  • What
  • Why?
  • Cloud controls
  • IAM
  • Instance Metadata
  • The Cloud API
  • CloudHSM
  • Building a secure cloudy keystore

  3. What
  • There is a need to develop robust Cloud-ready services that help us keep control of our data; we need systems that:
  • Allow us to take full advantage of the Cloud (autoscaling)
  • Protect our most sensitive data (crypto keys)
  • Give us (only us) access to our data (key custody)
  • Help us encrypt as much as possible
  • Verify access
  • Separate duties
  • Have layers of defense

  4. Why?
  • We all want to leverage the Public Cloud, but it is different:
  • Multitenant
  • Shared resources (e.g., AMI & EBS)
  • Elastic
  • Incredibly easy to make private resources public (e.g., S3)

  5. Why?
  • Cloud controls that amount to checkbox encryption or force us to reveal private keys:
  • Offloading SSL at load balancers exposes your private keys to your Cloud provider
  • If you are using server-side encryption (SSE) or transparent data encryption (TDE), your Cloud provider manages the keys (S3, EBS, RDS)
  • TDE does not protect you against SQL injection

  6. Cloud Controls Review

  7. Cloud Controls Review
  • Identity and Access Management
  • Roles: used to define permissions to access resources
  • Instance Profiles: used to pass role information to instances (hosts in EC2)
  Example:
    {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": { JSON },
        "Path": String,
        "Policies": [{
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [ "s3:GetObject" ],
              "Resource": "arn:aws:s3:::mybucket/*"
            }
          ]
        }]
      }
    }

  8. Cloud Controls Review
  • Identity and Access Management Dos and Don'ts
  • Use least privilege
  • Have few IAM administrators; don't do this ->
  • If I can define any policy (PutRolePolicy), I can define any policy (split responsibilities)
  Example:
    {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": { JSON },
        "Path": String,
        "Policies": [{
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "*",
              "Resource": "*"
            }
          ]
        }]
      }
    }
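As an added example (my code, not from the talk), a small Ruby checker over the CloudFormation role shape shown on these two slides: it flags Allow statements with a wildcard Action or Resource, and the policy-writing IAM actions that the PutRolePolicy point is about. The two sibling actions listed next to iam:PutRolePolicy and the account id in the sample ARN are my assumptions/constructed values.

```ruby
# IAM actions that let the holder write arbitrary policy, which is the
# "if I can define any policy I can define any policy" point. PutRolePolicy
# is from the slide; the other two are assumed siblings added for illustration.
POLICY_WRITING_ACTIONS = %w[iam:PutRolePolicy iam:PutUserPolicy iam:AttachRolePolicy].freeze

# Lint one CloudFormation AWS::IAM::Role resource (already parsed from JSON).
# Accepts the slide's shape (Statement directly under Policies) as well as
# the PolicyDocument wrapper. Returns a list of findings; empty means clean.
def lint_role(role)
  findings = []
  Array(role.dig('Properties', 'Policies')).each do |pol|
    doc = pol['PolicyDocument'] || pol
    Array(doc['Statement']).each_with_index do |st, i|
      next unless st['Effect'] == 'Allow'          # Deny statements cannot over-grant
      actions   = Array(st['Action'])              # Action may be a string or an array
      resources = Array(st['Resource'])
      findings << "statement #{i}: Action '*' grants every API call" if actions.include?('*')
      findings << "statement #{i}: Resource '*' covers every resource" if resources.include?('*')
      actions.each do |a|
        if a.end_with?(':*')
          findings << "statement #{i}: service-wide wildcard #{a}"
        elsif POLICY_WRITING_ACTIONS.include?(a)
          findings << "statement #{i}: #{a} lets the holder define any policy (effective admin)"
        end
      end
    end
  end
  findings
end

# Build a role resource in the slide's shape from a single statement.
def role_with(statement)
  { 'Type' => 'AWS::IAM::Role',
    'Properties' => { 'Policies' => [{ 'Statement' => [statement] }] } }
end

# Constructed samples: the two roles from the slides plus a self-escalating one.
LEAST_PRIVILEGE  = role_with('Effect' => 'Allow', 'Action' => ['s3:GetObject'],
                             'Resource' => 'arn:aws:s3:::mybucket/*')
ADMIN_EVERYTHING = role_with('Effect' => 'Allow', 'Action' => '*', 'Resource' => '*')
SELF_ESCALATING  = role_with('Effect' => 'Allow', 'Action' => ['iam:PutRolePolicy'],
                             'Resource' => 'arn:aws:iam::123456789098:role/myrole')
```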

  9. Cloud Controls Review
  • The Metadata service
  • Delivers information into an instance through the hypervisor
  • Allows the instance to retrieve information about itself and its environment
  • It is also a mechanism by which you can run code to configure the instance on first boot
  • Can be accessed through a simple web call
  • http://169.254.169.254/latest/

  10. Cloud Controls Review
  • The Metadata service - Instance Metadata
  • Used to retrieve network information
  • Used to retrieve temporary application credentials
  Example:
    $ curl http://169.254.169.254/latest/meta-data/local-ipv4
    172.16.0.23
    $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
    myrole
    $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/myrole
    {
      …
      "AccessKeyId" : "ASIA9JD9238JHSJH8",
      "SecretAccessKey" : "...",
      "Token" : "...",
      "Expiration" : "2014-10-21T10:08:07Z"
    }

  11. Cloud Controls Review
  • The Metadata service – user-data
  • Can be used to configure your instance on boot
  • But your distro must support this feature (cloud-init)
  Example:
    $ curl http://169.254.169.254/latest/user-data
    #!/bin/bash -ex
    yum install httpd
    ...

  12. Cloud Controls Review
  • The Metadata service – dynamic data
  • Can be used to retrieve the instance identity document
  • Can be used to retrieve the instance identity signature
  • There isn't much documentation, but we can use the signature with an Amazon-provided certificate to verify that the identity document is valid
  Example:
    $ curl http://169.254.169.254/latest/dynamic/instance-identity/document
    {
      "instanceId" : "i-ac9893a1",
      "billingProducts" : [ "bp-83872873" ],
      "accountId" : "123456789098",
      "imageId" : "ami-kjhsk386s",
      "instanceType" : "m1.micro",
      "architecture" : "x86_64",
      "pendingTime" : "2014-10-03T16:24:13Z",
      "region" : "us-west-2",
      "version" : "2010-08-31",
      "availabilityZone" : "us-west-2b",
      "privateIp" : "10.0.21.234"
    }
    $ curl http://169.254.169.254/latest/dynamic/instance-identity/signature
    kjh34ljhlk34M7ZMBwMiUWtZ1L9XgsWCznV1LwYqNK+...

  13. Cloud Controls Review
  • Metadata service Dos and Don'ts
  • Avoid putting sensitive data in user-data
  • Protect it, e.g., ensure your HTTP proxy does not relay for 169.254.169.254
  • Infrastructure is code, so protect your code repos (goes without saying)
  * Nimbostratus by Andres Riancho: good read!

  14. Cloud Controls Review
  • The API
  • Can do anything that CloudFormation and the Console can do, and more
  • You can use it to list resources, run instances, copy files…
  Example:
    > require 'aws-sdk-core'
    => true
    > conn = Aws::EC2::Client.new(region: 'us-west-2')
    => #<Aws::EC2::Client>
    > conn.describe_instance_status
    => #<struct instance_statuses=
        [#<struct instance_id="i-6461046f",
           availability_zone="us-west-2a",
           events=[],
           instance_state=#<struct code=16, name="running">,
           system_status=
             #<struct status="ok",
               details=
                 [#<struct name="reachability", ...
  (Cartoon, Console vs. API: "Anything you can do I can do better…" "Yes I can, yes I can, yes I can!" "No you can't…")

  15. Cloud Controls Review
  • The CloudHSM
  • A hardware security module (HSM), SafeNet Luna HSM
  • Provides secure key storage and cryptographic operations
  • Helps you meet corporate, contractual and regulatory compliance requirements
  • An appliance that is connected to your VPC
  • A good place to keep symmetric and asymmetric keys

  16. Cloud Controls Review
  • The CloudHSM Setup
  • Configuration
  • Set a password
  • Initialize the HSM
  • Create an HSM key pair
  • Restart network interface
  • Create a partition
  Example:
    $ ssh manager@[hsm_ip_address]
    lunash:> user password
    lunash:> hsm init -label [luna_name]
    lunash:> sysconf regenCert
    lunash:> ntls bind eth0
    lunash:> hsm login
    lunash:> partition create -partition [partition_name]

  17. Cloud Controls Review
  • The CloudHSM Setup
  • CloudHSM Client Setup
  • Copy server cert from HSM to client
  • Register server cert with client
  • Generate client cert
  • Copy client cert to HSM
  • Register the client
  • Assign the client partition
  Example:
    $ cd /usr/lunasa/bin
    $ sudo scp -i ~/.ssh/[private_key_file] manager@[hsm_ip_address]:server.pem .
    $ sudo ./vtl addServer -n [hsm_ip_address] -c server.pem
    $ sudo ./vtl createCert -n [client_name]
    $ scp -i ~/.ssh/[private_key_file] /usr/lunasa/cert/client/[client_name].pem manager@[hsm_ip_address]:
    $ ssh -i ~/.ssh/[private_key_file] manager@[hsm_ip_address]
    lunash:> client register -client [client_id] -hostname [client_name]
    lunash:> client assignPartition -client [client_id] -partition [partition_name]

  18. Cloud Controls Review
  • A few notes about the CloudHSM
  • Upfront setup cost of $5K
  • If you lose your admin password, you lose your data
  • Does not play nice with autoscaling; client registration is static
  • It is not Cloud aware, that is, it does not leverage e.g. IAM to make access determinations
  • It is built for the datacenter, not for the Cloud, even if it has Cloud in its name
  • Easily integrated with Java as a crypto provider
  • …but it is still a good place to keep keys

  19. A Secure Cloud Environment

  20. A Secure Cloud Environment
  • So, we have some pretty good controls that we can take advantage of; what to do…?
  • How about combining these controls to build a Secure Cloudy Keystore?

  21. A Secure Cloud Environment
  • Simple deployment where the CloudHSM is used to house all secrets and all hosts have access to all secrets
  • But it has all the weaknesses we pointed out previously

  22. A Secure Cloud Environment
  • Secure Cloudy Keystore
  • Centralize access to the HSM
  • Minimizes manual setup
  • Need to seed user PIN in one place only
  • Verify access to keys using other controls

  23. A Closer Look (diagram labels: AWS API, Metadata Service, Cloud-init)

  24. A Secure Cloud Environment
  • What can we verify through the API when an instance is requesting a secret?
  • Instance Profile/IAM Role
  • Role permissions
  • Instance Identity Document (IID) fields
  • IID signature
  • Request IP Address
  • Uptime
  • Etc…
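As an added illustration (my code, not the talk's), a Ruby sketch of the keystore's decision for several of the checks listed above: IID signature, IID fields cross-checked against the API's view of the instance, request IP, and the instance profile's role. The signing key is a constructed stand-in for the Amazon-provided certificate (plain RSA-SHA256 over the document bytes, not AWS's actual signature format), the describe_instances result is mocked as a hash, and the role-to-key policy and helper names are mine.

```ruby
require 'openssl'
require 'json'

# Constructed stand-in for the Amazon-provided certificate's key pair. A real
# verifier loads AWS's public certificate instead of generating a key.
SIGNER_KEY = OpenSSL::PKey::RSA.new(2048)

# Stand-in for the /dynamic/instance-identity/signature endpoint:
# RSA-SHA256 over the raw document bytes, base64-encoded like the real one.
def sign_document(doc_json, key = SIGNER_KEY)
  [key.sign(OpenSSL::Digest::SHA256.new, doc_json)].pack('m0')
end

# Keystore access rules (assumed): which IAM role may fetch which key.
KEY_POLICY = { 'db-master-key' => ['webrole'], 'backup-key' => ['backuprole'] }.freeze

# Decide whether an instance may receive a secret. The IID and signature come
# from the requester; api_instance is the AWS API's record of that instance
# (mocked here); source_ip is observed on the keystore's socket.
def authorize(req, api_instance, signer_pub = SIGNER_KEY.public_key)
  doc = req[:document]
  # 1. IID signature: the document really came from the metadata service
  sig = req[:signature].unpack1('m0')
  return [false, 'bad signature'] unless signer_pub.verify(OpenSSL::Digest::SHA256.new, sig, doc)
  iid = JSON.parse(doc)
  # 2. IID fields: the API knows this instance and it is in our account
  return [false, 'unknown instance'] unless api_instance && api_instance['instance_id'] == iid['instanceId']
  return [false, 'foreign account'] unless iid['accountId'] == api_instance['owner_id']
  # 3. Request IP matches the private IP the document claims
  return [false, 'ip mismatch'] unless req[:source_ip] == iid['privateIp']
  # 4. The instance profile's role is allowed to read the requested key
  role = api_instance['iam_role']
  return [false, 'role not allowed'] unless (KEY_POLICY[req[:key]] || []).include?(role)
  [true, 'ok']
end

# Constructed sample inputs, reusing the slide's instance and account ids.
SAMPLE_IID = JSON.generate('instanceId' => 'i-ac9893a1', 'accountId' => '123456789098',
                           'region' => 'us-west-2', 'privateIp' => '10.0.21.234')
SAMPLE_API = { 'instance_id' => 'i-ac9893a1', 'owner_id' => '123456789098', 'iam_role' => 'webrole' }

def sample_request(key: 'db-master-key', source_ip: '10.0.21.234',
                   doc: SAMPLE_IID, sig: sign_document(SAMPLE_IID))
  { key: key, source_ip: source_ip, document: doc, signature: sig }
end
```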

  25. A Secure Cloud Environment
  • A review of our principles:
  • Isolates HSM interactions
  • Allows us to take full advantage of the Cloud
  • Protects our most sensitive data
  • Gives us (only us) access to our data
  • Helps us encrypt as much as possible
  • Verifies access
  • Separates duties
  • Has layers of defense

  26. Questions?

  27. Thank You! Javier Godinez godinezj at gmail
