nebula webinar | private cloud security: practical solutions for a challenging problem

© 2015 Nebula, Inc. All rights reserved. (cloud) Computing for the Enterprise Private Cloud Security Practical Solutions for a Challenging Problem Bryan D. Payne March 18, 2015

Upload: nebulainc

Post on 16-Jul-2015


TRANSCRIPT

© 2015 Nebula, Inc. All rights reserved.

(cloud) Computing for the Enterprise

Private Cloud Security Practical Solutions for a Challenging Problem

Bryan D. Payne March 18, 2015


“Why Security Matters In A Private Cloud”


Public vs. Private


[Diagram: Private Network vs. Internet, with the enterprise services surrounding the cloud: Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI]




[Diagram: the same enterprise services (Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI), with steps 1, 2 and 3 marked]


Threat actors, plotted against Likelihood of Attack and Sophistication & Likelihood of Exploitation:

•  Intelligence Services
•  Serious Organized Crime
•  Highly Capable Groups
•  Motivated Individuals
•  Script Kiddies

Source: OpenStack Security Guide


[Attack graph with stages Initial Access → Touch Cloud → Exploit Cloud → Exploit Enterprise. Nodes: Compromise User System, Spear Phishing, Compromise Instance, Access Cloud As Outsider, Access Cloud As User, Access Cloud As Admin, API Vuln, Dashboard Vuln, VM Breakout, View Other Instances, Abuse Cloud Resources, View Data In Cloud, Modify LDAP, View External Data, Follow VLANs into Corp Net]


Known hardware and software + Orchestration = Security Opportunity


[Architecture diagram. Actors: Cloud Users / Administrators, Cloud Operators. Components: API Endpoints, Web Dashboard, Management and Control Plane Services, Compute Nodes running Instances, Storage Nodes. Networks: Guest, Management, Data, External]


OpenStack Projects: “The Glue”


Cloud Attack Vectors and Mitigation Strategies

•  API Endpoints: service hardening, mandatory access controls, code audits
•  Web Dashboard: CSP, expected domains, HTTPS, HSTS, allowed referrers
•  Information Leakage: SSL/TLS, disable memory dedup, randomize resource assignment
•  VM Breakout: service hardening, mandatory access controls, code audits
•  Hardware Sharing: avoid bare metal instances, avoid device pass-through
•  Default Images: secure and maintain default images
•  Secondary Attacks: least privilege, mandatory access controls, SSL/TLS, strong auth


Threat: Information Leakage

•  TLS for network services
–  API endpoints
–  Web dashboard
–  Log feeds
–  AD / LDAP
–  External storage

•  Cross-VM attacks (timing, cache effects, etc.)


Threat: VM Breakout

•  Mandatory access controls
–  SELinux + KVM (sVirt)

•  Build hardening
–  Remove unused device models from QEMU
–  Compiler hardening flags

•  General node hardening
–  De-privilege node, with respect to cloud
–  Boot + runtime attestation, SELinux, etc.


Threat: Control Plane Compromise

•  Layers of security
–  Firewall (bi-directional on control plane)
–  Limit propagation of sensitive data
–  Unique secrets everywhere
–  Audit network service interface bindings
–  TLS, SELinux, boot + runtime attestation

•  Primary focus: limit damage from a bad actor on the control plane
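The "audit network service interface bindings" item above, as an added example that is not part of the Nebula deck: a small audit that parses `ss -lntp` output (a constructed sample is embedded) and reports control-plane services listening on all interfaces when policy puts them on the management address only. The POLICY table, service names and addresses are hypothetical.

```python
# Added example (not from the Nebula deck): parse `ss -lntp` output and flag control-plane
# services bound to all interfaces. POLICY, service names and addresses are hypothetical.
import re
from dataclasses import dataclass

# Hypothetical policy: service -> address it may bind to; "*" means meant to be public.
POLICY = {
    "haproxy": "*",          # TLS front for the public API endpoints
    "mysqld": "10.0.0.5",    # database stays on the management network
    "rabbitmq": "10.0.0.5",  # message queue stays on the management network
    "memcached": "10.0.0.5",
}

# Constructed `ss -lntp` output used as sample input.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*          users:(("haproxy",pid=912,fd=7))
LISTEN  0       80      0.0.0.0:3306        0.0.0.0:*          users:(("mysqld",pid=1201,fd=21))
LISTEN  0       128     10.0.0.5:5672       0.0.0.0:*          users:(("rabbitmq",pid=1340,fd=44))
LISTEN  0       1024    [::]:11211          [::]:*             users:(("memcached",pid=1402,fd=26))
"""

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
WILDCARDS = ("0.0.0.0", "[::]", "*")   # "listen on every interface" addresses
@dataclass(frozen=True)
class Finding:
    service: str
    bound_to: str
    port: int
    expected: str

def parse_listeners(ss_output):
    """Yield (service, local address, port) for every LISTEN line."""
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(3), m.group(1), int(m.group(2))

def audit_bindings(ss_output, policy=POLICY):
    """Return a Finding for each service bound more widely than policy allows."""
    findings = []
    for service, addr, port in parse_listeners(ss_output):
        allowed = policy.get(service)
        if allowed == "*":
            continue  # intentionally public-facing, nothing to flag
        if allowed is None and addr in WILDCARDS:   # unknown service, wide open
            findings.append(Finding(service, addr, port, "<not in policy>"))
        elif allowed is not None and addr != allowed:
            findings.append(Finding(service, addr, port, allowed))
    return findings
```

Run it against real `ss -lntp` output on each control-plane node; a service that should be firewalled but shows up as a wildcard binding is exactly the kind of exposure the bi-directional firewall and unique-secrets items are meant to contain.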


Threat: Vulnerabilities Upstream

•  Targeted security audits
–  Work closely with OpenStack and Linux communities

•  Aggressive security update policies
–  Cloud-specific triage process
–  Be prepared to test and roll out quickly


Threat: Poor Entropy for Instances

•  Mix entropy from multiple sources
–  Hardware generated, from multiple vendors

•  Distribute securely / fairly
–  Entropy stream distributed throughout cloud
–  Available to all instances, using rng-tools




Email: [email protected]   Twitter: @bdpsecurity