Cloud Security Engineering - Tools and Techniques

Cloud Security Emerging Facets and Frontiers

Let us look at the
Cloud Security Insights Report
https://www.isc2.org/-/media/ISC2/Landing-
Pages/2019-Cloud-Security-Report-ISC2.ashx

Top Cloud security Findings
of 2019
• The top cloud security concern of
cybersecurity professionals is data loss
and leakage (64%)
• The top cloud security vulnerability is
unauthorised access through misuse of
employee credentials and improper
access controls
• Insecure interfaces and APIs is also top
cloud security vulnerability
• Misconﬁguration of cloud platforms
comes as the second most severe cloud
vulnerability

Cloud Security Incidents
• Data exposure incidents (27%)
• Malware infections (20%)
• Compromised accounts (19%)
• Vulnerability (17%)

Cloud Security Concerns
• Data Loss (64%)

• Data Privacy (62%)

• Compliance Concerns (39%)

• Exposure of Credentials (39%)

• Data Sovereignty (35%)

• Incident Response (29%)

Important concepts of this
chapter are the following
• Data loss and leakage (64%)
• Unauthorised access
• Insecure interfaces and APIs
• Misconﬁguration of cloud platforms

Case Studies
https://www.cybersecurity-insiders.com/top-5-
cloud-security-related-data-breaches/

Top data breaches
• Cambridge Analytica

• Accenture

• Verizon

• Booz Allen Hamilton

• Republican National Committee

• Election System & Software

CAMBRDIGE ANALYTICA
• Data of up to 87 million users was
compromised in this data leak which
included information such as found in the
Facebook public profile, page likes,
birthday and current city.
• Some Facebook users were found to have
granted app permissions to their news
feeds, timelines, and messages.
• All of the information gleaned from the
leaked data allowed Cambridge Analytica
to build political profiles of each Facebook
user and target specific political
advertisements to influence them in a
particular way.

Accenture
• World’s first Cyber Resilience startup
UpGuard discovered in its Cyber Risk
survey that Accenture left at least 4 AWS
S3 storage buckets unsecured.
• As a result of this flaw, the data on these
storage media was available for
download.
• The data exposed in this security goof-up
were authentication credentials, secret
API data, digital certificates, decryption
keys, customer data, and other meta info
which could be easily used by cyber
crooks to mint money.

Verizon
• Nice Systems, which is a 3rd party
vendor working for Verizon, committed a
configuration blunder on an AWS S3
bucket which exposed names,
addresses, account details, and pin
numbers of millions of US-based Verizon
customers.
• ‘Nice’ agreed that the mistake was
committed by one of its engineers who
reportedly created a cloud-based file
repository for storing customers call data
which is used by Verizon for backend
office and call center operations.

Booz Allen Hamilton
60,000 ﬁles were on a public access
on AWS S3 bucket owned by an
intelligence and defence contract of
Booz Allen.
The cache is said to have exposed
28GB of data and this includes
credentials of senior engineers,
passwords of US Government
systems, and over half a dozen of ﬁles
containing unencrypted passwords of
government contractors holding top
Secret Facility Clearance.

Republican National
Committee
• A 3rd party investigation commissioned
by Deep Root Analytics confirmed that
personal details of more than 198 million
American voters were exposed by a
security flaw on AWS S3 bucket owned
by Republican National Committee
(RNC).
• The exposed data includes birth dates,
phone numbers; self-reported racial
background, home & mailing address,
and party affiliation. This blunder was
committed by an engineer working for
Deep Root Analytics which was providing
data storage services for RNC.

Election Systems and
Software (ESS)
Virtually every registered voter information from
Chicago was available for public access when
the engineer working for ES&S left the AWS S3
bucket for public access.
The data was in downloadable format and is
said to have compromised personal info of more
than 1.8 million Chicago voters so far.
The data includes names, addresses, phone
numbers, driver’s license, and social security
numbers.
Moreover, the exposed database is reported to
have created at the time of US 2016 general
elections by the Chicago Board of Election
Commissioners.

Emerging threats
Leaked Keys

Malicious Insider

Brute Force Attacks

Remote Code Execution

Container Escapes

Supplychain Attacks

Malware

Cryptojacking

Ransomware

Publicly Accessible Resources
• The exposure of sensitive data or resources
through misconﬁgurations or similar modes

• Exposed DBs

• MongoDB

• ElasticSearch

• Redis

• Exposed Storage

• S3

• Google Cloud Storage

Risk Mitigations for
Publicly Accessible Resources
• Visibility to Internet facing conﬁgurations

• Continuous auditing for open storage and
ports

• Integrate network conﬁguration tests pre-
deployment through CI/CD

• Enforce authentication for DBs

• Encrypt sensitive data at rest

Leaked Access Keys
• Programmable IaaS + APIs = need for keys
in many places

• Keys leaked in many ways

• Hardcoded keys

• Code repo misconﬁgurations

• Code repo hacked

• Phishing

• Exploits

Case Study : Uber Breach
• In October 2016, two hackers
compromised Uber’s Github

• Github contained access keys to AWS

• Hackers stole PII on 57 million individuals

• Held data for ransom

• Publicly disclosed late 2017

Leaked Access Keys
Risk Mitigations
• Don’t hard code keys

• Build tests in CI/CD to search for keys

• Use key management solutions and SDKs
from cloud providers

• Audit code repositories for
misconﬁgurations

• Practice least privileges in code
repositories

Case Study : Malicious Insider
• IT employee terminated after four weeks

• Use former colleagues credentials to
access company AWS account

• Terminated 23 servers

• Estimated $700,000 is lose to the business

• Deleted data was unable to be recovered

Insider Threat Mitigations
• Internal training & awareness

• Practice least privileges

• Use of multi factor authentication

• Exit plan when employees leave

• Physical access removal

• Account access removal

• Disaster recovery plan

• Incident management plan

Brute Force Attacks
• Repeated attempts to guess username and
password combinations in an attempt to
gain unauthorised access

• SSH most common service to brute force
on public cloud workloads

• Popular infection vector and propagation
method for linux malware

Example -
Bread and Butter Attacks
• Recent malware campaigns

• Begins with Brute Force SSH

• Add user ‘butter’

• Downloads RAT

• RAT communicates with CNC

• RAT downloads XMR miner

• Reported by Gaurdicore

Example -
Bread and Butter Attacks
• Strong Passwords

• Monitor for repeated access attempts

• Key based auth when possible

• Restrict service port access

• WAF for internet facing apps

Remote Code Execution
• A vulnerability that allows code to be
executed from a remote attacker

• A frequent occurrence with so many
technology stacks, new CVEs every week

• Year old vulnerabilities still a major issue

• Very common infection vector in the cloud

Redis Exploit Example
• Honeypot running Redis 2.8.4 on Ubuntu
14.0.4

• Redis exposed to open internet (TCP port
6379)

• Redis quickly exploited by LUA vulnerability
CVE-2015-4335

• Exploit contains payload to download
install script

• Install script downloads backdoor, miner,
kills competitive miners, and setup
persistence.

RCE Mitigations
• Patch early and often

• Control network access to services

• Have incident response plans in place for
0-days ( there will always be new exploits )

• Reduce size of attack surface

• Minimal code base and OS foot print

Container Escapes
• A vulnerability that allows escape from a
sandbox or a container can mean access to
the host operating system or hypervisor.

• Biggest concern since popularisation of
containers

• Occurs from both misconﬁgurations and
exploits

• Containerised applications share host
resources, escape can lead to attacks on
other containers

• Container is not a full sandbox

Example : RUNC
Container Escape Vulnerability
• CVE - 2019 - 5736 : Execution of malicious
containers allow for container escape and
access to the host ﬁle system

• First major container escape of its kind

• Root user in the container or specially
crafted container could overwrite runc
binary with new binary of their choosing

• Runc used in most container platforms,
most notably Docker

Container Escape Mitigations
• Follow container best practices to minimise
the chance of successful escape

• Privileged container policy

• Read only root ﬁlesystem

• Prepare for rapid response to updating
container platforms and operating systems

Supplychain Compromise
• Trusted software is compromised

• Common vectors

• Container image repos

• Third party applications

• Open Source Projects

Docker Hub Image Backdoors
• May’ 17 - Feb’ 18 : 17 malicious images
uploaded to Docker Hub

• Images containing crypto jacking
capabilities

• Images downloaded over 5 million times

• First reported in September 2017, removed
in May 2018

• Attackers earned $90k

Supplychain
Compromise Mitigations
• Container Images

• Build Your Own

• Use oﬃcial images if needed

• Control access to the repos

• Image Scanning

• Use least privileges

• Git Signing

• Image Veriﬁcation

• Understand security of third party vendors

Malware
• Any software designed to damage a
computer, server, client, or network

• RATs, Trojans, Backdoors, Downloaders,
Ransomware etc.

• Recent Linux malware is modular in nature,
typically containing a backdoor,
propagation and mining modules

• Typically its a chain of events

• Shell scripts and binaries for Linux

Xbash combines BotNet, Ransomeware
in Worm that targets Linux and Windows
• Proliﬁc malware family reported in 2018

• Ransomware, coin mining, propagation and
botnet capabilities

• Self propagation by attacking weak
password and application vulnerabilities

• Ransomware is actually data destroying
and it attacks databases in Linux

• Developed in Python

Cloud Security Resistant
Malware
• Malware samples associated with threat actor
Rocke Group are now capable of uninstalling
cloud security products
• Rocke Group's modus operandi is exploiting
vulnerabilities in web services including Apache
Struts 2, Oracle WebLogic, and Adobe
ColdFusion, providing a backdoor for the
attacker to gain shell access
• The newly-discovered samples include
additional instructions to block popular security
products used on Alibaba and Tencent cloud
platforms, including Alibaba Threat Detection
Service, Alibaba CloudMonitor, Alibaba Cloud
Assistant, Tencent Host Security, and Tencent
Cloud Monitor.

Let us talk about
Cloud Security Standards
Following are the important standards

ISO / IEC 27017 : 2015

MTCS SS 584

CCM

NIST 800-53

Cloud Control Matrix (CCM)
• The Cloud Security Alliance Cloud
Controls Matrix (CCM) is speciﬁcally
designed to provide fundamental
security principles to guide cloud
vendors and to assist prospective
cloud customers in assessing the
overall security risk of a cloud
provider.
• Cloud Control Matrix Info Sheet
• Cloud Control Matrix Audit
• Cloud Control Matrix Gap Analysis

NIST SP 800-53
NIST Special Publication 800-53
covers the steps in the Risk
Management Framework that
address security control selection
for federal information systems in
accordance with the security
requirements in Federal
Information Processing
Standard (FIPS) 200.

ISO / IEC 27017: 2015
• ISO/IEC 27017:2015 gives guidelines for
information security controls applicable to the
provision and use of cloud services by
providing:
• Additional implementation guidance for
relevant controls speciﬁed in ISO/IEC
27002;
• Additional controls with implementation
guidance that speciﬁcally relate to cloud
services.
• This Recommendation | International Standard
provides controls and implementation
guidance for both cloud service providers and
cloud service customers.

Important concepts of this
chapter are the following
• The ISO 27017 : 2015
• NIST 800 SP 53
• Cloud Control Matrix

Best Practices
To prevent data breaches

To prevent mis conﬁgurations

To build a cloud security ecosystem

Best practices for a
Cloud Security Ecosystem
• Shared Responsibility Model

• Policy Definition

• CMDB Audit

• SIEM / Logging / Auditing

• IdP

• Configuration Management

• Orchestration Workflows

• Web Application Firewalls

• File Integrity Monitoring

• Continuous Integration

• Source Code Repositories

Best practices for avoiding
data breaches in cloud
• Audit for misconﬁguration in cloud

• Patch for known security vulnerabilities

• Enabling least privilege user permissions
and access

• Proactively monitor security events in the
cloud

• Using CASB and Machine Learning
Techniques for cloud monitoring

Best practices for mitigate cloud
attacks with configuration hardening
• Misconfiguration cloud result in typical attack
scenarios including several kill chain steps such
as reconnaissance, lateral movement, privilege
escalation, data acquisition, persistence and
data exfiltration
• For example, the private data of six million
Verizon users was exposed when maintenance
work changed a configuration and made an S3
bucket public.
• In practice, cloud providers provide tools that
enterprises can use to secure hosted assets.
While cloud providers must be vigilant in how
they protect their data centers, responsibility for
securing access to apps, services, data
repositories and databases falls on the
enterprises.

Best practices for securing
and hardening OS in Cloud
Hardening provides layers of security at the host level,
application level, operating system level, physical level,
user level, and all the sub levels. Following are some of
the important OS hardening steps.
Change SSH Default Port
• By default, SSH daemon listen on port 22 which
means if anyone ﬁgures out your IP address, an
attempt to connect to your server.
• You may avoid this using strong password, but still,
they can launch brute force attacks and disturb the
servers.
• The possible solution to this is changing the SSH
port so that even if someone knows the IP address,
they cant attempt to connect using the default SS
port.

Protection from brute force attacks
• Initiating the brute force is the common method used
by a hacker to take control of your web applications
such as WordPress, Joomla etc.
• You can use one of the two programs to harden your
Linux system from brute force that is SSHGuard and
Fail2Ban.
• SSHGuard continuously monitors the service from the
system and blocks recurring unsuccessful attempts.
• Fail2Ban is another alternative program to protect
your SSH port.
• They automatically update the iptables rule if it detects
any unsuccessful login attempts after reaching a
certain threshold.

Disabling Password Based Authentication
• If you’ve many users who often log in from public
computers, it might be cumbersome to exchange the
key every time. We recommend disabling password-
based authentication to avoid this condition
Protection from DDoS attacks
• Use the load balancers by configuring it to internet-
facing, such that server IP is not exposed to the internet.
• Use CDN to improve the performance and the security of
the server. By using the CDN, you are exposing the IP
address of the CDN provider and your Origin IP remains
unexposed.
• Leverage the IPTables to block suspicious requests,
bogus TCP flag, private subnet etc.Use either hardware-
based firewall or software-based firewall.

• Take Regular Backup
• Taking regular back saves you when the breach occurs. All
the cloud providers offer the daily backup feature. If you are
using AWS, Azure or Google Cloud then make sure to
enable daily snapshot. Using backup, you can restore the
entire VM and you will be back in business with a small
downtime.
• Update the OS Regularly
• OS should be regally updated whenever the new update is
released to make sure the servers are not exposed to the
latest security vulnerabilities.
• Keep the Ports Closed
• To run a website in Virtual Machine, you need to only keep
the ports 80 (HTTP) or 442 (HTTPS) open. AWS cloud
offers security group which allows you to open the required
ports. And for the more reﬁned control you can use the
network ACL. Similarly, Google Cloud offers Firewall rules
to make the necessary changes to ports.

Best practices for Cloud
Infrastructure Security
• Operating System Security
• Increase the security measures of
the underlying operating systems
using speciﬁc security hardening
tools. For example, Microsoft
Baseline Security Analyzer
(MBSA), Bastille Linux, etc.
• Install an Intrusion Detection
System (IDS), such as Open
Source Security (OSSEC) and
CISCO Security Agent (CSA), at
the operating system level.

Best practices for Cloud
Infrastructure Security
• Network Management
• Use customer RSA security
tokens or client SSL certiﬁcates
instead of access passwords in
the console mode.
• Limit the number of network ports
to the minimum. Except for public
services like HTTP/HTTPS, limit
the number of source IP
addresses authorised to connect,
especially to administrative remote
accesses services.

Emerging Security Tools
ScoutSuite

Prowler

CloudSploit

CloudMapper

CloudTracker

SkyArk

Lunar

Pacbot

Pacu

Scout Suite
• https://github.com/nccgroup/ScoutSuite
• Multi-Cloud Security auditing tool for AWS,
Google Cloud and Azure environments
• Scout Suite is an open source multi-cloud
security-auditing tool, which enables security
posture assessment of cloud environments.
• Using the APIs exposed by cloud providers,
Scout Suite gathers conﬁguration data for
manual inspection and highlights risk areas.
• Rather than going through dozens of pages
on the web consoles, Scout Suite presents a
clear view of the attack surface automatically.

Prowler
• Prowler is a command line tool for AWS
Security Best Practices Assessment,
Auditing, Hardening and Forensics
Readiness Tool.
• It follows guidelines of the CIS Amazon
Web Services Foundations Benchmark
(49 checks) and has 40 additional
checks including related to GDPR and
HIPAA.
• It covers best practices related to AWS
such as IAM, logging, monitoring,
networking, CIS level 1&2, Forensics,
GDPR, HIPAA etc.

CloudSploit
• CloudSploit scans is an open-source
project designed to allow detection of
security risks in an AWS account.
• These scripts are designed to run
against an AWS account and return a
series of potential misconﬁgurations and
security risks.
• CloudSploit provides free and paid
hosted versions of the cloud security
scanner with numerous additional
features:
• https://github.com/cloudsploit/scans

Cloud Mapper
• CloudMapper helps you analyze your Amazon Web
Services (AWS) environments.
• The original purpose was to generate network
diagrams and display them in your browser.
• It now contains much more functionality, including
auditing for security issues.
• Network Mapping Demo
• Report Demo
• Intro Post
• Post to show spotting misconﬁguration in networks
• Post to perform continuous auditing
• https://github.com/duo-labs/cloudmapper

SkyArk
• SkyArk is a cloud security project with two main scanning
modules: AWS Stealth and Azure Stealth
• SkyArk currently focuses on mitigating the new threat of Cloud
Shadow Admins, and helps organisations to discover, assess
and protect cloud privileged entities.
• Stealthy and undercover cloud admins may reside in every
public cloud platform and SkyArk helps mitigating the risk in
AWS and Azure.
• In defensive/pentest/risk assessment procedures - make sure
to address the threat and validate that those privileged entities
are indeed well secured.
• SkyArk deals with the new uprising threat of Cloud Shadow
Admins - how attackers can ﬁnd and abuse non-trivial and so-
called “limited” permissions to still make it through and escalate
their privileges and become full cloud admins.
• Furthermore, attackers can easily use those tricky speciﬁc
permissions to hide stealthy admin entities that will wait for
them as an undercover persistence technique.

Komiser
• Cloud Environment Inspector
• Analyze and manage cloud cost, usage,
security, and governance in one place.
• Control your usage and create visibility across
all used services to achieve maximum cost-
effectiveness.
• Detect potential vulnerabilities that could put
your cloud environment at risk.
• Get a deep understanding of how you spend
on the AWS, GCP, OVH, DigitalOcean and
Azure.
• https://github.com/mlabouardy/komiser

Perimeterator
• Perimeterator is a small project intended to allow for
continuous auditing of internet facing AWS services.
• It can be quickly deployed into AWS and will
periodically enumerate internet-facing IP addresses
for a number of commonly misconﬁgured AWS
resources.
• The results from this enumeration process are pushed
into a work queue for scanning by external scanner
'workers' in order to locate open network services.
• Scanner 'workers' can be deployed anywhere, and
are intended to be deployed into non-trusted
networks in order to provide a representation of
access to services from the "general internet”.
• All communication between Perimeterator
components occurs asynchronously through the use
of AWS SQS queues.

Pacu
• The AWS exploitation framework, designed for testing the
security of Amazon Web Services environments.
• Pacu is an open source AWS exploitation framework,
designed for offensive security testing against cloud
environments.
• Pacu allows penetration testers to exploit configuration flaws
within an AWS account, using modules to easily expand its
functionality. Current modules enable a range of attacks,
including user privilege escalation, backdooring of IAM users,
attacking vulnerable Lambda functions, and much more.
• Pacu is a fairly lightweight program, as it requires only
Python3.5+ and pip3 to install a handful of Python libraries.
• Pacu uses a range of plug-in modules to assist an attacker in
enumeration, privilege escalation, data exfiltration, service
exploitation, and log manipulation within AWS environments.
• https://github.com/RhinoSecurityLabs/pacu

CloudTracker
• CloudTracker helps you ﬁnd over-privileged IAM
users and roles by comparing CloudTrail logs
with current IAM policies.
• new open-source tool from Duo Security for
easily analyzing CloudTrail logs from Amazon
Web Services (AWS)!
• CloudTracker reviews CloudTrail logs to identify
the API calls made by an actor and compares
this with the IAM privileges that the actor has
been granted to identify privileges that can be
removed.
• CloudTracker requires you to have loaded your
CloudTrail logs into ElasticSearch.
• https://github.com/duo-labs/cloudtracker

Lunar
• This scripts generates a scored audit
report of a Unix host's security. It is
based on the CIS and other frameworks.
• Where possible there are references to
the CIS and other benchmarks in the
code documentation.
• It can also can perform a lockdown.
Unlike some other scripts it has
capability to backout changes. Files are
backed up using cpio to a directory
based on the date.
• https://github.com/lateralblast/lunar

Pacbot
• Policy as Code Bot (PacBot) is a platform for continuous
compliance monitoring, compliance reporting and security
automation for the cloud.
• In PacBot, security and compliance policies are implemented
as code.
• All resources discovered by PacBot are evaluated against
these policies to gauge policy conformance. The PacBot
auto-fix framework provides the ability to automatically
respond to policy violations by taking predefined actions.
• PacBot packs in powerful visualization features, giving a
simplified view of compliance and making it easy to analyze
and remediate policy violations.
• PacBot is more than a tool to manage cloud
misconfiguration, it is a generic platform that can be used to
do continuous compliance monitoring and reporting for any
domain.
• https://github.com/tmobile/pacbot

Enterprise Security Tools
• Azure Sentinel

• AWS Web Application Firewall

• AWS Network Firewall

• AWS Cloud Watch

• AWS Security Hub

• AWS Guard Duty

• AWS Cloud Trail

• AWS Cognito

• Netflix Aardvark

• Netflix Diffy

Azure Sentinel
• Cloud-native SIEM for intelligent security analytics and
Security Orchestration Automated Response Tool
(SOAR).
• https://github.com/Azure/Azure-Sentinel
• Azure Sentinel makes it easy to collect security data
across your entire hybrid organization from devices, to
users, to apps, to servers on any cloud.
• It uses the power of artiﬁcial intelligence to ensure you
are identifying real threats quickly and unleashes you
from the burden of traditional SIEMs by eliminating the
need to spend time on setting up, maintaining, and
scaling infrastructure.
• Sentinel is built on Azure Log Analytics. It collects
information from various security logs and turns the
information into a manageable form. The strongest
initial emphasis is on Microsoft 365.

Azure Sentinel
• Sentinel makes information more manageable
with machine learning, including built-in ML and
an optional module called Fusion. Third parties
can add “build-your-own” ML.
• They recognize patterns which are especially
suspicious, such as logging in from an unusual
IP address followed by a massive ﬁle download.
• Using these features, Sentinel takes its large
volume of incoming information and correlates it
into cases. A “case” is a group of related alerts
that all point to the same problem.
• Thus, presenting information as cases reduces
“alert fatigue”, where administrators receive
many redundant alerts.

Azure Sentinel
• An exciting feature of Sentinel is the ability to do
“hunting” and deep investigations of issues. The
process starts from the Cases page on the dashboard.
• Cases can be ﬁltered by criteria such as status and
severity. The page for a single case gives information
about the alerts it’s built out of. It shows triggered
alerts reasonings.
• Thus, the administrator looking at it can assign the
case to someone or click the “Investigate” button to
get more information. It’s also possible to run a
playbook to initiate a standardised procedure for
processing the case.
• The investigation page shows the information as a
graph. The nodes on the graph identify entities, such
as incidents, computers, and users. The admin can
click on any entity to get more information about it and
see connections to related entities.

AWS Web Application
Firewall (WAF)
• AWS WAF is a web application firewall that lets you monitor the
HTTP and HTTPS requests that are forwarded to CloudFront, and
lets you control access to your content.
• Based on conditions that you specify, such as the IP addresses
that requests originate from or the values of query strings,
CloudFront responds to requests either with the requested content
or with an HTTP 403 status code (Forbidden).
• WAF can be setup with the Application Load Balancer. WAF can
be connected to CloudFront (AWS’s CDN), which in turn can direct
traffic to the Application Load Balancer.
• If your application servers more of content that can be cached,
then having AWS CloudFront along with WAF. If your application
cluster needs to scale but most of it is dynamic content then going
for ALB is more reasonable.
• There is an added fixed cost for ALB (In addition to the variable
cost which is not significant though) for each month while
CloudFront cost is variable and consumption driven.
• It is also possible to have both CloudFront and ALB together
where you can add the WAF to CloudFront only.

AWS Web Application
Firewall (WAF)
• Protecting web applications is any Web
Application Firewall primary purpose.
• A powerful WAF should be able to protect
applications, data, APIs, and mobile app
backends from common cyber attacks such as
OWASP Top 10, zero-day threats, data leakage,
and DDoS attacks.
• Traffic filtering is one of the most practical and
important operations performed by a Web
Application Firewall.
• By filtering traffic based on a factors such as
HTTP headers, keywords, IP addresses, and
even URI strings, the Web Application Firewall
can prevent harmful interactions before they
reach an application.

AWS Network Firewall
• Network Firewalls (most predominantly
NextGen Firewalls) on AWS offer
network protection that compliment
the application protection provided by
Web Application Firewalls.
• While there is some overlap between
what a Network Firewall and Web
Application FIrewall protect (most
notably data), Network Firewalls
provide security over the entire
network perimeter which includes the
highly vulnerable port and protocol
levels.

AWS Network Firewall
• Packet Filtering: By monitoring all incoming and outgoing packets
the firewall can regulate which applications and hosts are allowed to
interact with the network.
• Virtual Private Network (VPN): Many modern firewalls offer VPN
technology to allow virtual point-to-point links between two nodes
through a safe and regulated source.
• Deep Packet Inspection (DPI): DPI is a method that inspects not
only the packet’s multiple headers, but also the actual data content
of the packet. In this way the firewall can filter protocol non-
compliances, viruses, spam, intrusions, or other defined criteria.
• Antivirus Inspection: Antivirus inspection checks packets for virus
that travel through the network to infect endpoint devices.
• Website Filtering: Website filtering is a technique used to check
incoming web pages to see if the page needs to be censored or
declined to show at all. Reasons for blockage could be advertising,
pornographic content, spyware, viruses and other unsafe content.
• DNS Reputation Filtering: By filtering content against a database
which records the reputation and validity of an IP address, firewalls
can block harmful content more easily.

AWS Cloud Watch
• Amazon CloudWatch is a monitoring and observability
service built for DevOps engineers, developers, site
reliability engineers (SREs), and IT managers.
• CloudWatch provides you with data and actionable
insights to monitor your applications, respond to
system-wide performance changes, optimise resource
utilisation, and get a uniﬁed view of operational health.
• CloudWatch collects monitoring and operational data
in the form of logs, metrics, and events, providing you
with a uniﬁed view of AWS resources, applications, and
services that run on AWS and on-premises servers.
• You can use CloudWatch to detect anomalous
behaviour in your environments, set alarms, visualise
logs and metrics side by side, take automated actions,
troubleshoot issues, and discover insights to keep your
applications running smoothly.

AWS Cloud Watch
Amazon CloudWatch is basically a
metrics repository. An AWS service
—such as Amazon EC2—puts
metrics into the repository, and you
retrieve statistics based on those
metrics.
If you put your own custom metrics
into the repository, you can retrieve
statistics on these metrics as well.

AWS Security Hub
• AWS Security Hub gives you a comprehensive view of your
high-priority security alerts and compliance status across AWS
accounts.
• There are a range of powerful security tools at your disposal,
from firewalls and endpoint protection to vulnerability and
compliance scanners.
• But oftentimes this leaves your team switching back-and-forth
between these tools to deal with hundreds, and sometimes
thousands, of security alerts every day.
• With Security Hub, you now have a single place that
aggregates, organizes, and prioritizes your security alerts, or
findings, from multiple AWS services, such as Amazon
GuardDuty, Amazon Inspector, and Amazon Macie, as well as
from AWS Partner solutions.
• Your findings are visually summarized on integrated dashboards
with actionable graphs and tables. You can also continuously
monitor your environment using automated compliance checks
based on the AWS best practices and industry standards your
organization follows.

AWS Cloud Trail
• AWS CloudTrail is a service that enables
governance, compliance, operational auditing,
and risk auditing of your AWS account.
• With CloudTrail, you can log, continuously
monitor, and retain account activity related to
actions across your AWS infrastructure.
• CloudTrail provides event history of your AWS
account activity, including actions taken
through the AWS Management Console, AWS
SDKs, command line tools, and other AWS
services.
• This event history simpliﬁes security analysis,
resource change tracking, and
troubleshooting.

AWS Guard Duty
• Amazon GuardDuty is a threat detection service that continuously
monitors for malicious activity and unauthorised behaviour to
protect your AWS accounts and workloads.
• With the cloud, the collection and aggregation of account and
network activities is simpliﬁed, but it can be time consuming for
security teams to continuously analyze event log data for potential
threats.
• With GuardDuty, you now have an intelligent and cost-effective
option for continuous threat detection in the AWS Cloud. The
service uses machine learning, anomaly detection, and integrated
threat intelligence to identify and prioritise potential threats.
• GuardDuty analyses tens of billions of events across multiple AWS
data sources, such as AWS CloudTrail, Amazon VPC Flow Logs,
and DNS logs. With a few clicks in the AWS Management
Console, GuardDuty can be enabled with no software or hardware
to deploy or maintain.
• By integrating with AWS CloudWatch Events, GuardDuty alerts are
actionable, easy to aggregate across multiple accounts, and
straightforward to push into existing event management and
workﬂow systems.

AWS Cognito
• Amazon Cognito is an Amazon Web Services (AWS) product that
controls user authentication and access for mobile applications on
internet-connected devices.
• The service saves and synchronises end-user data, which enables an
application developer to focus on writing code instead of building and
managing the back-end infrastructure. This can accelerate the mobile
application development process.
• Amazon Cognito collects a user's profile attributes into directories
called user pools that a mobile app or web app uses to configure
limited access to AWS resources.
• An identity pool consolidates end-user information, which client
access platforms, devices and operating systems receive to organize
federated identity groups.
• Data synchronises with AWS when a device is online, allowing an end
user to access the same information on another device. Data can
also be saved locally to a SQLite database while offline before
reconnecting.
• Amazon Cognito associates data sets with identities and saves
encrypted information as key or value pairs in the Amazon Cognito
sync store.

Netflix Diffy
• Diffy is a triage tool used during cloud-centric security
incidents, to help digital forensics and incident
response (DFIR) teams quickly identify suspicious
hosts on which to focus their response.
• Diffy is a digital forensics and incident response (DFIR)
tool developed by Netflix's Security Intelligence and
Response Team (SIRT).
• Diffy allows a forensic investigator to quickly scope a
compromise across cloud instances during an
incident, and triage those instances for followup
actions.
• Diffy is currently focused on Linux instances running
within Amazon Web Services (AWS), but owing to our
plugin structure, could support multiple platforms and
cloud providers.
• https://github.com/Netflix-Skunkworks/diffy

Netﬂix Aardvark
• Aardvark is a multi-account AWS IAM Access Advisor API
(and caching layer).
• AWS provides a service named Access Advisor that shows
all of the various AWS services that the policies of an IAM
Role permit access to and when (if at all) they were last
accessed.
• Today Access Advisor data is only available in the console,
so we created Aardvark to make it easy to retrieve at scale.
• Aardvark uses PhantomJS to log into the AWS console
and retrieve Access Advisor data for all of the IAM Roles in
an account. Aardvark stores the latest Access Advisor data
in a database and exposes a RESTful API.
• Aardvark supports threading to retrieve data for multiple
accounts simultaneously, and in practice refreshes data for
our environment daily in less than 20 minutes.
• https://github.com/Netﬂix-Skunkworks/aardvark

Netflix Repokid
• Repokid uses Access Advisor provided by Aardvark to remove permissions
granting access to unused services from the inline policies of IAM roles in an
AWS account.
• Repokid uses the data about services used (or not) by a role to remove
permissions that a role doesn’t need.
• It does so by keeping a DynamoDB table with data about each role that it
has seen including: policies, count of permissions (total and unused),
whether a role is eligible for repo or if it is filtered, and when it was last
repoed
• (“repo” is shortened from repossess — our verb for the act of taking back
unused permissions).
• Filters can be used to exclude a role from repoing if, for example, if it is too
young to have been accurately profiled or it is on a user-defined blacklist.
• Once a role has been sufficiently profiled, Repokid’s repo feature revises
inline policies attached to a role to exclude unused permissions.
• Repokid also maintains a cache of previous policy versions in case a role
needs to be restored to a previous state. The repo feature can be applied to
a single role, but is more commonly used to target every eligible role in an
account.
• https://github.com/Netflix/repokid

Cloud Virtual Machine Security

Virtual Machine Security
On-premise data centers typically rely on
physical, perimeter, and endpoint controls to
secure data stores.
In contrast, virtual data centers eliminate those
traditional entrance and egress points, forcing
organizations to take a new approach to security.
More problems arise because some of the virtual
machines are likely to be dormant (not running) at
some point in time.
These virtual machines cannot be easily kept up-
to-date, because typically this would require the
virtual machines to be started, updated and shut
down again, which is not only time-consuming,
but may also be a tedious process.

VM Security Concerns
• Multi Tenancy related Issues related to
different users within a cloud sharing the
same applications and the physical hardware
to run their VMs.
• This sharing can enable information leakage
exploitation and increases the attack surface
and the risk of VM-to-VM or VM-to
hypervisor compromise
• Virtualised servers have a limited number of
access points (NICs) available to all VMs.
This represents a critical security vulnerability
where compromising these access points
opens the door to compromise the VCI
including VMs, hypervisor or the vSwitch.

Virtual Machine Security
• Having differing scopes and requirements in their workloads,
organizations use virtualization technologies according to their
respective needs.
• For example, virtual machines (VMs) are a better fit for developers
and enterprises looking for flexibility in running multiple
applications, while containers are better for those requiring
scalable applications.
• Containers and VMs both offer means by which applications can
be run multiple times or isolated within a single platform, but they
differ in how they do it.
• Containers virtualize an operating system (OS) to run various
workloads in a single OS instance, while VMs virtualize hardware
to run instances of the OS.
• Thus, every instance of applications running on containers and
VMs poses a potential attack vector if it is vulnerable or
misconfigured.
• An instance running with unnecessary ports still set up on the
container or VM, for example, can be exploited to let hackers
sneak into the application’s server.

Hypervisor Security
Recommendations
The hypervisor manages how guest OSs access resources such as the central
processing unit (CPU), memory, network, and storage. It partitions the resources
to prevent the instances from intruding into one another’s resources.
The hypervisor is the underlying infrastructure behind applications running on
VMs, which makes their security of paramount importance. The U.S. National
Institute of Standards and Technology has detailed recommendations for
securing the hypervisor:
• Disable unused and unnecessary virtual hardware or services (e.g., clipboard
and file sharing) to lessen the attack surface.
• Keep an eye on the hypervisor for anomalous activities.
• Actively monitor the traffic between VMs; visibility to them should be explicitly
enabled.
• Track the instances and restrict the creation of VMs and virtual servers to
prevent virtualization sprawl, in which too many instances running lead to
inefficient management of physical and software resources.
• Use secure and encrypted communication protocols (e.g., Secure Sockets
Layer) to mitigate man-in-the-middle attacks or to protect data when
performing migration or storing VM images.
• Authenticate and ensure the integrity of the VM images stored in the server or
library.

Virtual Machine Security &
Isolation Models
• Fault Isolation: If one virtual machine contains a
buggy operating system, that OS can start
scribbling all over physical memory. These wild
rights must be contained within the VM
boundaries.
• Performance Isolation: Ideally VMs performance
would be independent of the activity going-on on
the hardware. This must be accomplished by
smart scheduling and resource allocation policies
in the monitor.
• Software Isolation: Most of the issues with
computers today are complex software
conﬁgurations. DLL hell on PCs, operating system
and library versions, viruses, and other security
threats. VMs are naturally isolated for each other
by running in separate software environments.

Cloud Container security
Image Level Security

Security Orchestration

Container Level Security

Operating System Control

Automation Measures

Container Vulnerabilities
Images are the blueprint of containers,
which use them to spin or run applications.
A vulnerable image begets a malware- or
hacking-prone container, and consequently,
the application itself becomes prone to
malware or hacking as well.
Identifying security gaps pre-runtime and
ﬁxing them accordingly before the image is
scheduled in an orchestration environment
will signiﬁcantly save time and effort
reworking on builds, as well as reduce
overhead and disruptions in the
application’s life cycle:

Container Security Measures
• Ensure that the container images are signed, authenticated,
and drawn from a trusted registry; when scanning images,
consider scanning the registries as well since registries can
be compromised and their images tampered with.
• Secure the daemon; restrict access to it or employ encrypted
communication protocols when exposing it in the network.
• Enforce the principle of least privilege; unlike with a
hypervisor, which acts as a central point of management, any
user, service, or application with access to the container’s
root account can get into other containers sharing the kernel.
• Isolate resources; properly conﬁgure control groups and
namespaces, that is, what and how much resources a
container is allowed to use.
• Bake security in to further reduce the need for extra builds;
Docker, for instance, has its own documentation on the built-
in security features of its engine that can serve as a reference

NIST Special Publication 800-190:
Application Container Security Guide
• Perhaps the most obvious source of security issues in a
containerized environment is problems lurking within
application images themselves.
• These can include outdated, insecure versions of software or
libraries; buggy applications; or even hidden malware.
• Tools that can scan for these vulnerabilities are essential, but
the NIST guidelines caution that these should be container-
aware, including the ability to scan all layers of a multilayer
containerized application.
• Flawed or malicious software isn’t the only threat. Poorly
configured images can also be a source of vulnerabilities.
• For example, an image might launch an extraneous daemon
or service that allows unwanted access from the network, or
it might be configured to run with more user privileges than
are necessary.
• Secrets stored within images, such as authentication keys or
certificates, are another danger to watch out for.

NIST recommends pulling images only from
trusted sources, such as private container
registries, but a poorly conﬁgured registry can
also be a security issue.
Access to the registry should require encrypted
and authenticated connections, preferably using
credentials that are federated with existing
network security controls.
Any efforts to secure container images can be
rendered meaningless if the registry can be
easily compromised.
Also, the registry should undergo frequent
maintenance to ensure that it doesn’t contain
stale images with lingering vulnerabilities.

• Container orchestration tools—of which
Kubernetes has become the leading example
—are another potential target of attack.
• Pay strict attention to securing the
administrative interface, especially in
scenarios where a single orchestrator
manages multiple applications.
• This may include such measures as strong,
two-factor authentication and at-rest
encryption of data.
• If you don't strictly scope access, a careless
or malicious user could potentially do all sorts
of mischief, from taking down apps to
launching rogue ones.

NIST also recommends configuring orchestrators
to separate network traffic into discrete virtual
networks, based on the sensitivity of the traffic
being transmitted.
The idea is that low-sensitivity workloads, such as
public-facing web apps, should be isolated from
high-sensitivity workloads, such as tax-reporting
software.
In addition, workloads should be distributed such
that each host runs containers only of a given
security level.
These measures make it much more difficult for a
malicious actor to gain access to sensitive data
when a low-sensitivity application such as a blog is
compromised.

• In general, NIST recommends deploying
and orchestrating clusters in ways that are secure
by default.
• Examples include end-to-end encryption of all
network trafﬁc between cluster nodes and mutually
authenticated network connections between cluster
members.
• The orchestrator should be able to introduce nodes
to the cluster securely, maintain a persistent identity
for each node throughout its lifecycle, and isolate
and remove compromised nodes without affecting
the overall security of the cluster.
• These measures are especially important in large-
scale environments that span multiple network
organizations and scale to hundreds of hosts and
thousands of containers.

In addition to container images and the
applications within them, containers themselves
can potentially become security issues.
One of the more serious concerns arises when
the container runtimes that launch and manage
containers—software such as containerd, CRI-
O, and rkt—themselves contain vulnerabilities.
NIST cautions that, left unpatched, such ﬂaws
can lead to “container escape” scenarios where
an attacker could potentially gain access to
other containers or the host operating system
itself, so admins should make installing runtime
security patches a high priority.

• Beyond this, administrators must pay
special attention to the many
conﬁgurable options available with
container runtimes.
• A misconﬁgured container might be able
to access too many devices, for
example, which could potentially affect all
containers running on the host.
• Other runtime options could allow a
container to make unsafe system calls,
mount sensitive directories in read-write
mode, and even compromise the host
OS.

• Containerized infrastructure also makes
scanning network traffic for security
threats more challenging.
• Containers deployed on multiple hosts
typically communicate over a virtual,
encrypted network, and they are
assigned dynamic IP addresses that
change continuously as applications are
scaled and load balanced by the
orchestrator.
• Detecting network traffic anomalies in
such an environment requires specialized,
application-aware network filtering tools.

• At the lowest level of the containerized
stack, the host OS represents the most
critical target for attacks. If compromised,
it can expose all of the containers running
on it.
• For this reason, NIST recommends
running a pared-down, container-speciﬁc
OS that limits the number of installed
components to the bare minimum of
software required to create and manage
containers.
• Fewer components means fewer potential
vulnerabilities that can be exploited.

• Even a minimised OS, however, will
not be immune to security
vulnerabilities.
• As they would with any software, it is
critical that administrators keep up
with OS security patches and apply
them promptly to all host instances in
the cluster.
• This includes not just the OS kernel,
but also the container runtime and any
other system services or components
recommended by the OS vendor.

• Proper OS conﬁguration is also essential.
In addition to mounting sensitive ﬁle
systems as read-only, NIST recommends
running the host OS as immutable
infrastructure, with no data stored
uniquely and persistently on the host.
• In addition, the host should not provide
any application-level dependencies
except those that have been packaged
and deployed as containers.
• These measures make the OS a more
trustworthy environment, with far fewer
avenues for attack.

• A persistent theme throughout the
NIST guidelines is the need for
automation of security processes,
particularly as the environment
scales to hundreds of hosts and
thousands of containers.
• Container orchestrators provide
some of this automation, but
container admins should also
seek to automate such functions
as vulnerability scanning and
software updates.

• Another lesson learned is that software
alone cannot guarantee security.
Containerization also requires that
organizations examine their processes and
teams and potentially adjust to the new
operational model.
• The ephemeral nature of containers may
call for different procedures than those
used with traditional servers.
• For example, incident response teams will
need awareness of the roles, owners, and
sensitivity levels of deployed containers
before they can know the proper steps to
take in the event of an ongoing attack.

Cloud Data Privacy Policies
Global Context

Main Challenges

Madrid Resolution

Global Context
• Policies on the creation of privacy legislation in
the European Union and the United States
differ. The United States favor a more laissez-
faire approach.
• Industry self regulation is favoured over federal
law.It is believed that businesses shape their
policies according to consumer preferences,
following economic theory.
• This theory implies that consumer preferences
determine market share, and that a higher
market share leads to higher proﬁts.
• The Payment Card Industry Data Security
Standards (PCI-DSS), discussed below, is an
example of a self regulation policy.

Main Challenges
• Complexity of risk assessment
in a cloud environment
• Emergence of new business
models and their implications
for consumer privacy
• Achieving regulatory
compliance.

Complexity of
Risk Assessment
• The complexity of cloud services
introduces a number of unknown
parameters.
• Service providers and consumers are
cautious, respectively, about offering
guarantees for compliance-ready
services and adopting the services.
• With service providers promoting a
simple way to ﬂow personal data
irrespective of national boundaries, a real
challenge arises in terms of checking the
data processing life cycle and its
compliance with legal frameworks.

Complexity of
Risk Assessment
• In a cloud service, there are many questions
needing to be addressed in order to determine
the risks to information privacy and security:
• Who are the stakeholders involved in the
operation?
• What are their roles and responsibilities?
• Where is the data kept?
• How is the data replicated?
• What are the relevant legal rules for data
processing?
• How will the service provider meet the
expected level of security and privacy?

Madrid Resolution
• To address these issues, the Madrid
Resolution states that every responsible
person shall have transparent policies with
regard to the processing of personal data.
• Stakeholders need to specify requirements for
cloud computing that meet the expected level
of security and privacy.
• In Europe, the European Network and
Information Security Agency (ENISA) provides
recommendations to facilitate understanding
of the shift in the balance of responsibility and
accountability for key functions such as
governance and control over data and IT
operations and compliance with laws and
regulations.

Cloud Identity Systems
Paradigm Shift

IAM Economics

IAM Workﬂow

Cloud IAM features
• Single Access Control Interface. Cloud
IAM solutions provide a clean and
consistent access control interface for all
cloud platform services. The same
interface can be used for all cloud
services.
• Enhanced Security. You can deﬁne
increased security for critical
applications.
• Resource-level Access Control. You can
deﬁne roles and grant permissions to
users to access resources at different
granularity levels.

A Paradigm Shift in Identity
Access Management Models
• Cloud application delivery of Identity
and Access Management Systems is
a paradigm shift from legacy models
• As a result of this shift, developers
will be primarily responsible for
Identity and Access Management
activities
• In cloud environments, IAM is
a commonly accepted best practice,
since there's no practical way to
secure resources without identity
management.

Cloud and Economics of IAM
The well-known beneﬁts of cloud
computing such as adaptive
pricing structure and faster, easier
deployment are also the drivers of
the cloud IAM market.
As the primary pattern for
security and governance in the
cloud, IAM SaaS is growing in
tandem with the increasing
migrations to cloud applications.

Cloud enabled Identities
• Modern cloud applications
are identity-enabled to provide
the security and governance
services that enterprises need.
• This is a major shift for many
organizations. It means that
instead of sysadmins and
operations, developers will need
to build the bulk of these
organizations' security and
governance features.

Cloud IAM Activities
• Have cloud applications check the IAM
system to determine access rights before
proceeding with operations
• Filter through data that applications are
allowed to use based on the identities of the
data, the application, and the application user
• Encrypt data communications as needed,
regardless of whether an authorised identity is
accessing it or not
• Encrypt data storage as needed
• Dynamically determine access rights and
limits while the application is running

Cloud IAM Workﬂow
• Process start
• Identity retrieval
• Identity validation
• Resource access using identity
• Identity validation and understanding of
limitations
• Resource access with authentication and
limitations
• Release of resources
• Process end

Multi Cloud Security Models
Gartner Insights

Shared Models

Data Strategy

A Multi Cloud Strategy
According to Gartner, a multi-cloud strategy
will be the common approach taken by 70
percent of enterprises by the end of this year.
With this being said, the adoption and
execution of a multi-cloud initiative can be a
daunting prospect, and the process itself can
be fairly complex.
It involves numerous focus areas -
automation and orchestration, cloud
connectivity, DevOps enablement and, of
course, cloud security – all requiring intensive
and speciﬁed technology, processes and
cultural innovation.

Understanding How
Shared Models Work
• Make sure that your organization’s business
partners and other stakeholders
understand how the shared security model
applies to you and your cloud vendors.
• Usually, cloud providers are responsible for
the security of their own infrastructure, and
they should be able to provide your
organization with some of the capabilities
you need in order to protect your data while
it’s in their infrastructure.
• Those capabilities include multi-factor
authentication vectors, encryption
technologies, and identity and access
management.

Understanding Accounts and
Deployment Zones
• Upholding the responsibilities of
your organization’s part of the
shared security model requires that
you understand the accounts and
deployment zones where you need
visibility to monitor for vulnerabilities.
• With that understanding, you can
properly deploy IDS and IPS devices
and analyze their logs or have a
trusted third party take care of that
for you while being informed as to
what’s going on in your network.

Attack Surface in a
Multi Cloud
• When integrating multicloud, companies
significantly expand their attack surface,
so security posture must be placed firmly
at the forefront of their minds.
• Applying a holistic approach will ensure
the agility afforded by adopting
multicloud architecture can be safely
utilized.
• As new technologies emerge, the
multicloud needs to provide the flexibility
to quickly and securely switch from one
service to another, regardless of the
service’s geography and topology

Data Strategy for Multi-Cloud
• In a multicloud architecture, it can be easy to
lose sight of data and where it resides. Often it’s
the case that IT staff may have visibility into
individual clouds through cloud-speciﬁc tools but
are unable to identify or correlate threats to data
across multiple cloud platforms.
• The best way to increase data visibility and
secure the multicloud environment is to ensure
security capabilities can be managed and
orchestrated from within the enterprise through a
single point of control.
• Any security tools that are put in place to secure
a business’ IT infrastructure need to seamlessly
share security control information, as well as
work harmoniously addressing cyber dangers
wherever they occur.

Cloud Security Engineering - Tools and Techniques

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to Cloud Security Engineering - Tools and Techniques

Similar to Cloud Security Engineering - Tools and Techniques (20)

More from Gokul Alex

More from Gokul Alex (20)

Recently uploaded

Recently uploaded (20)

Cloud Security Engineering - Tools and Techniques