Trusting the Cloud

Report
Agenda
What
Why?
Cloud controls
IAM
Instance Metadata
The Cloud API
CloudHSM
Building a secure cloudy keystore
What
There is a need to develop robust Cloud ready services that
help us keep control of our data; we need systems that:
Allow us to take full advantage of the Cloud (autoscaling)
Protect our most sensitive data (crypto keys)
Give us (only us) access to our data (key custody)
Helps us encrypt as much as possible
Verifies access
Separates duties
Has layers of defense
Why?
We all want to leverage the Public Cloud, but it is different:
Multitenant
Shared resources (e.g., AMI & EBS)
Elastic
Incredibly easy to make private resources public (e.g., S3)
Why?
Cloud controls that amount to checkbox encryption or
forces us to reveal private keys:
Offloading SSL at load balancers exposes your private keys to
your Cloud provider
If you are using server side encryption (SSE) or transparent
data encryption (TDE) your Cloud provider manages they keys
(S3, EBS, RDS)
TDE does not protect you against SQL injection
Cloud Controls Review
Cloud Controls Review
Identity and Access
Management
Example:
{
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": { JSON },
"Path": String,
"Policies": [{
"Statement":
[{
"Effect": "Allow",
"Action": [ ”s3:GetObject" ],
"Resource": “arn:aws:s3:::mybucket/*"
}]
}]
}
Roles: used to define
permissions to access
resources
Instance Profiles: used to pass
role information to instances
(hosts in EC2)
}
Cloud Controls Review
Identity and Access
Management Dos and Don’ts
Example:
{
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": { JSON },
"Path": String,
"Policies": [{
"Statement":
[{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}]
}]
}
Use least privilege
Have few IAM administrators,
don’t do this ->
If I can define any policy
(PutRolePolicy) I can define any
policy (split responsibilities)
}
Cloud Controls Review
The Metadata service
Delivers information into an instance through the hypervisor
Allows the instance to retrieve information about itself and its
environment
It is also a mechanism by which you can run code to configure
the instance on first boot
Can be accessed through a simple web call
http://169.254.169.254/latest/
Cloud Controls Review
The Metadata service Instance Metadata
Used to retrieve network
information
Used to retrieve temporary
application credentials
Example:
$ curl
http://169.254.169.254/latest/metadata/local-ipv4
172.16.0.23
$ curl
http://169.254.169.254/latest/metadata/iam/security-credentials/
myrole
$ curl
http://169.254.169.254/latest/metadata/iam/security-credentials/myrole
{
…
"AccessKeyId" : "ASIA9JD9238JHSJH8",
"SecretAccessKey" : "...",
"Token" : ...",
"Expiration" : "2014-10-21T10:08:07Z"
}
Cloud Controls Review
The Metadata service – userdata
Can be used to configure your
instance on boot
But your distro must support
this feature (cloud-init)
Example:
$ curl
http://169.254.169.254/latest/user-data
#!/bin/bash -ex
yum install httpd
...
Cloud Controls Review
The Metadata service –
dynamic data
Can be used to retrieve the
instance identity document
Can be used to retrieve the
instance identity signature
Example:
$ curl
http://169.254.169.254//latest/dynamic/i
nstance-identity/document
{
"instanceId" : "i-ac9893a1",
"billingProducts" : [ "bp-83872873" ],
"accountId" : ”123456789098",
"imageId" : "ami-kjhsk386s",
"instanceType" : "m1.micro”,
"architecture" : "x86_64",
"pendingTime" : "2014-1003T16:24:13Z",
"region" : "us-west-2",
"version" : "2010-08-31",
"availabilityZone" : "us-west-2b”,
"privateIp" : "10.0.21.234"
}
There isn’t much documentation,
but we can use the signature
with an Amazon provided
certificate to verify the identity
$
document is valid
curl
http://169.254.169.254//latest/dynamic/i
nstance-identity/signature
kjh34ljhlk34M7ZMBwMiUWtZ1L9XgsWCznV1LwYq
Cloud Controls Review
Metadata service Dos and Don’ts
Avoid putting sensitive data in user-data
Protect it, e.g., ensure your http proxy does not relay for
169.254.169.254
Infrastructure is code, so protect your code repos (without
saying)
* Nimbostratus by Andres Riancho: good read!
Cloud Controls Review
The API
Example:
Can do anything that the
CloudFormation and the
Console can do and more
You can use it to list resources,
run instances, copy files…
Anything you can
do I can do
better…
Yes I can, yes I
can Yes I can!
API
No you
cant…
Console
> require 'aws-sdk-core'
=> true
> conn = Aws::EC2::Client.new(region:
'us-west-2')
=> #<Aws::EC2::Client>
> conn.describe_instance_status
=> #<struct
instance_statuses=
[#<struct
instance_id="i-6461046f",
availability_zone="us-west-2a",
events=[],
instance_state=#<struct code=16,
name="running">,
system_status=
#<struct
status="ok",
details=
[#<struct name="reachability",
...
Cloud Controls Review
The CloudHSM
A hardware security module (HSM), SafeNet Luna HSM
Provides secure key storage and cryptographic operations
Helps you meet corporate, contractual and regulatory
compliance requirements
An appliance that is connected to your VPC
A good place to keep symmetric and asymmetric keys
Cloud Controls Review
The CloudHSM Setup
Configuration
Example:
$ ssh manager@[hsm_ip_address]
Set a password
lunash:> user password
lunash:> hsm init -label [luna_name]
Initialize the HSM
lunash:> sysconf regenCert
lunash:> ntls bind eth0
Create an HSM key pair
Restart network interface
Create a partition
lunash:> hsm login
lunash:> partition create -partition
[partition_name]
Cloud Controls Review
The CloudHSM Setup
CloudHSM Client Setup
Copy server cert from HSM to
client
Example:
$ cd /usr/lunasa/bin
$ sudo scp -i ~/.ssh/[private_key_file]
manager@[hsm_ip_address]:server.pem .
$ sudo ./vtl addServer -n
[hsm_ip_address] -c server.pem
Register server cert with client
$ sudo ./vtl createCert -n [client_name]
Generate client cert
$ scp -i ~/.ssh/[private_key_file]
/usr/lunasa/cert/client/[client_name].pe
m manager@[hsm_ip_address]:
Copy client cert to HSM
Register the client
Assign the client partition
$ ssh -i ~/.ssh/[private_key_file]
manager@[hsm_ip_address]
lunash:> client register -client
[client_id] -hostname [client_name]
lunash:> client assignPartition -client
[client_id] -partition [partition_name]
Cloud Controls Review
A few notes about the CloudHSM
Upfront setup cost of $5K
If you loose your admin password you loose your data
Does not play nice with autoscaling, client registration is static
It is not Cloud aware, that is it does not leverage e.g., IAM to
make access determinations
It is built for the datacenter not for the Cloud even it if has
Cloud in its name
Easily integrated with Java as a crypto provider
…but, it is still a good place to keep keys
A Secure Cloud Environment
A Secure Cloud Environment
So, we have some pretty good controls that we can take
advantage of, what to do…?
How about combining these controls together to build a
Secure Cloudy Keystore?
A Secure Cloud Environment
Simple
deployment where
the CloudHSM is
used to house all
secrets and all
hosts have access
to all secrets
But it has all the
weaknesses we
pointed out
previously
A Secure Cloud Environment
Secure Cloudy
Keystore
Centralize access to
the HSM
Minimizes manual
setup
Need to seed user pin
in one place only
Verify access to keys
using other controls
A Closer Look:
AWS API
Metadata
Service
Cloud-init
A Secure Cloud Environment
What can we verify through the API when an instance is
requesting a secret?
Instance Profile/IAM Role
Role permissions
Instance Identity Document (IID) fields
IID signature
Request IP Address
Uptime
Etc…
A Secure Cloud Environment
A review of our principles:
Isolates HSM interactions
Allow us to take full advantage of the Cloud
Protect our most sensitive data
Give us (only us) access to our data
Helps us encrypt as much as possible
Verifies access
Separates duties
Has layers of defense
Questions?
Thank You!
Javier Godinez
godinezj at gmail

similar documents