How do you ALL THE CLOUDS?
Henry Canivel
Session Objectives
● Baseline understanding for cloud adoption needs
● Establish common security issues
● Recognize stakeholders and partners
● Introduce security tools, insights, and perspectives
whoami
● Currently an information security architect
● Security professional for 5+ years
● Developer background
● “Log Czar” sounds like a really cool job title
● Originally from the Bay Area, now in LA for ~2 years
● Interests: food things, travel, streaming, sports, learning new tech, mastering the 4 elements with a happy attitude
Target Audience
● IT professional
○ sysadmin, devops
● Security professional (advisory)
● Engineer
Agenda
What’s the plan?
● Quick intro: Cloud Security Challenges
● Cloud Adoption CMMI
● Getting Started
● Strategic + Tactical Recommendations
● Cloud Security Solutions + Tools
This talk is NOT:
→ Cloud migration strategy
→ Cloud workload planning
→ Incident Response
→ AppSec
General Cloud Challenges
● Security
● Governance/Privacy/Control
● Interoperability
● Cloud Spend Management
Security Challenges
● Sprawl of cloud accounts, types of cloud service providers
● Misconfiguration and inadequate change control
● Attribution (read: reliable identity and asset management)
● Lack of cloud security architecture and strategy
● Lack of visibility/control
● Insufficient identity, credential, access and key management
● Insecure Interfaces and APIs
● Unknown publicly exposed servers and applications
● Limited cloud usage visibility
Capability Maturity Model Integration
Where are you in your Cloud Adoption Journey?
Common Cloud Migration Strategies

| Migration Strategy | Keywords | Flexibility | Effort |
|---|---|---|---|
| Lift and Shift | Legacy systems; applications without business need for change; applications with no heavy interaction with newer systems; teams with limited cloud skills | Low | Low |
| Refactor | Applications that need modernization; minimize software architectural changes; limited cloud optimizations | High | Medium |
| Rebuild | Applications with agility and scalability needs; awareness of and leverages specific cloud provider feature sets and capabilities | High | High |
Cloud Adoption CMMI
● Initial (Example: Proof of Concept)
● Managed (Example: Lift and Shift)
● Defined
● Quantitatively Managed
● Optimizing (Example: Rebuild)
Target Audience/Trajectory for Cloud Adoption
HOW DO YOU SECURE THIS?
What are you Protecting?
People
Data
Applications
Infra
Mission Objectives for Securing Cloud Adoption
1. Dynamic visibility and discovery of Identities and Assets
2. Match cloud elasticity
3. Drive automated insights and analysis
4. Continuous monitoring
5. Repeatable policy enforcement
6. Identifying viable tools, designing effective management rubrics
7. Discover new attack vectors for cloud workload and service management
8. Continuous configuration assessment and reporting
9. Release blockers for aggressive configuration control enforcement
10. Inform security policy decision making
Shared Security Model
Cloud Service Portfolio

Compute Services

| Services | AWS | Azure | GCP |
|---|---|---|---|
| IaaS | Amazon Elastic Compute Cloud | Virtual Machines | Google Compute Engine |
| PaaS | AWS Elastic Beanstalk | App Service and Cloud Services | Google App Engine |
| Containers | Amazon Elastic Compute Cloud Container Service | Azure Kubernetes Service (AKS) | Google Kubernetes Engine |
| Serverless Functions | AWS Lambda | Azure Functions | Google Cloud Functions |

Database Services

| Services | AWS | Azure | GCP |
|---|---|---|---|
| RDBMS | Amazon Relational Database Service | SQL Database | Google Cloud SQL |
| NoSQL: Key–Value | Amazon DynamoDB | Table Storage | Google Cloud Datastore, Google Cloud Bigtable |
| NoSQL: Indexed | Amazon SimpleDB | Azure Cosmos DB | Google Cloud Datastore |

Storage Services

| Services | AWS | Azure | GCP |
|---|---|---|---|
| Object Storage | Amazon Simple Storage Service | Blob Storage | Google Cloud Storage |
| Virtual Server Disks | Amazon Elastic Block Store | Managed Disks | Google Compute Engine Persistent Disks |
| Cold Storage | Amazon Glacier | Azure Archive Blob Storage | Google Cloud Storage Nearline |
| File Storage | Amazon Elastic File System | Azure File Storage | ZFS/Avere |

Networking Services

| Services | AWS | Azure | GCP |
|---|---|---|---|
| Virtual Network | Amazon Virtual Private Cloud (VPC) | Virtual Networks (VNets) | Virtual Private Cloud |
| Elastic Load Balancer | Elastic Load Balancer | Load Balancer | Google Cloud Load Balancing |
| Peering | Direct Connect | ExpressRoute | Google Cloud Interconnect |
| DNS | Amazon Route 53 | Azure DNS | Google Cloud DNS |
What are the Primary Concerns Across the Cloud Service Categories?
Compute Services -
● Access control
● Asset management
● Location (zone)
● Integrity of critical business services and ops
Database Services -
● Data access
● Compliance and Audit
● Object level control
Storage Services -
● Encryption
● Availability
● Backup strategy
● Public exposure, access controls
Networking Services -
● Approved data flows/safelisted connection sources
● Standard network segmentation (QoS, trust zones)
● Nested controls
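To make the per-category concerns above and mission objective 8 (continuous configuration assessment and reporting) concrete, here is an added example, not from the deck, of a minimal CSPM-style check: a constructed multi-cloud inventory is evaluated against rules for encryption at rest, public exposure, non-safelisted ingress sources and owner attribution, then summarized per provider. Asset ids, owners, the safelist and the rule set are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample inventory (hypothetical asset ids and owners, not real accounts).
INVENTORY = [
    {"id": "s3://acme-logs", "cloud": "aws", "type": "object_storage",
     "owner": "platform", "encrypted": False, "public": False},
    {"id": "gs://acme-web-assets", "cloud": "gcp", "type": "object_storage",
     "owner": "", "encrypted": True, "public": True},
    {"id": "sg-0abc", "cloud": "aws", "type": "network_rule",
     "owner": "devops", "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
    {"id": "vm-api-01", "cloud": "azure", "type": "compute", "owner": "", "zone": "westus2"},
    {"id": "rds-orders", "cloud": "aws", "type": "rdbms",
     "owner": "payments", "public": False, "encrypted": True},
]
# Approved data-flow sources (assumed safelist for the network check).
SAFELISTED_SOURCES = {"10.0.0.0/8", "192.168.0.0/16"}

@dataclass
class Finding:
    asset: str
    cloud: str
    owner: str
    check: str
    severity: str

# Rule = (asset types it applies to, check name, severity, predicate that is True when the asset FAILS).
# An empty type set means the rule applies to every asset.
RULES: list[tuple[set[str], str, str, Callable[[dict], bool]]] = [
    ({"object_storage", "rdbms"}, "encryption-at-rest", "high", lambda a: not a.get("encrypted")),
    ({"object_storage", "rdbms"}, "public-exposure", "critical", lambda a: a.get("public", False)),
    ({"network_rule"}, "unsafelisted-ingress", "high",
     lambda a: any(r["cidr"] not in SAFELISTED_SOURCES for r in a.get("ingress", []))),
    (set(), "missing-owner-attribution", "medium", lambda a: not a.get("owner")),
]

def assess(inventory: list[dict]) -> list[Finding]:
    """Evaluate every asset against every applicable rule; one Finding per failed check."""
    findings = []
    for asset in inventory:
        for types, check, severity, fails in RULES:
            if (not types or asset["type"] in types) and fails(asset):
                findings.append(Finding(asset["id"], asset["cloud"],
                                        asset["owner"] or "UNATTRIBUTED", check, severity))
    return findings

def summarize(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Per-cloud counts by severity: the repeatable report a CSPM run feeds to a SIEM."""
    report: dict[str, dict[str, int]] = {}
    for f in findings:
        by_sev = report.setdefault(f.cloud, {})
        by_sev[f.severity] = by_sev.get(f.severity, 0) + 1
    return report

if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"[{f.severity:>8}] {f.cloud}/{f.asset} owner={f.owner} check={f.check}")
    print(summarize(assess(INVENTORY)))
```

Unowned assets surface as UNATTRIBUTED so the attribution gap itself becomes a finding rather than silently dropping the asset from the report.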
Stakeholders

| Perspective | Description | Common Roles |
|---|---|---|
| Business | Business support capabilities to optimize business value with cloud adoption. | Business Managers; Finance Managers; Budget Owners; Strategy Stakeholders |
| People | People development, training, communications, and change management. | Human Resources; Staffing; People Managers |
| Governance | Managing and measuring resulting business outcomes. | CIO; Program Managers; Project Managers; Enterprise Architects; Business Analysts; Portfolio Managers |
| Platform | Develop, maintain, and optimize cloud platform solutions and services. | CTO; IT Managers; Solution Architects |
| Security | Designs and ensures that the workloads deployed or developed in the cloud align to the organization’s security control, resiliency, and compliance requirements. | CISO; IT Security Managers; IT Security Analysts; Head of Audit and Compliance |
| Operations | Enables system health and reliability through the move to the cloud, and delivers an agile cloud computing operation. | IT Operations Managers; IT Support Managers |
● Technology
○ Start with cloud native features and capabilities
○ Qualify Cloud Service Provider offerings
● Tools
○ Identify viable tools that address the operational inefficiencies
● Processes
○ Assess all operational processes for choke points
○ Cost operational inefficiencies, like manual tasks in your cloud management service strategy
How do you SIMPLIFY this?
Read: how do you optimize your overall TCO?
● Find tools that reduce your manual effort
● Focus on enabling for consistent baselining of cloud adoption usage
● Find tools that enable you with more flexibility
● Prioritize your support systems and dependencies
● Prioritize the most painful, high effort, and time-consuming tasks
○ e.g., user/owner attribution, assets, context determination of workloads/projects
(Build vs Buy) x Operate = TCO
Understand the factors for your overall cost and prioritize to determine tool selections
Strategic Recommendations
● Minimize time spent for manual tasks (for operator) - OpEx
● Drive for visibility
○ e.g., cloud account configurations, inventory, identities
● Drives consistent outputs
● Ease of executing tool
● Drive for expansive coverage
○ e.g., across multiple services, cloud service providers
● Drives consistent outputs
● Extendable or ability for you to leverage within your current tools (i.e., SIEM)
● Maximize existent skillsets, personnel, and operational strengths
● Generates signal data
Other Areas of Consideration
● Cost of tools - CapEx
● Level of support
● Actively maintained
● Ease to extend or customize
● Where/how to execute
○ i.e., as a standalone application? as a library in code?
● Freemium model (free to try basic capabilities)
● Data privacy and compliance aware analysis and reporting
● Coverage of compute workload types
○ e.g., server, serverless, containerized
● Integrates with current operational tool suite
● Ability to cover multiple pain points/challenges
Common Cloud Security Solution Categories
● CWPP: Cloud workload protection platform
○ Focus: containers
● CSPM: Cloud security posture management
○ Focus: (mis)configuration, exposed services
● CASB: Cloud access security broker
○ Focus: file handling and exposure
○ Ideal: RBAC assessment, reinforcement
Modern Considerations for Protecting Cloud-Enabled Compute Workloads
● Infrastructure as Code now means infra is vulnerable to supply chain attacks
○ Not just traditional software!
● No Cloud Security Provider presumes their default configs/wizards are safe by default
Tactical Recommendations
● Research
○ Delve into existing analysis of the security domains
○ Identify attack vectors for cloud security → identify viable use cases
● Tool discovery
○ Target tools that expose vulnerabilities you’re less familiar with
○ Track for CSP native vs external
○ Open source vs Closed source
● Attest or stage your progress
Research
Need some ideas? What is the landscape and how can you find tools?
https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF
https://www.aquasec.com/cloud-native-academy/cspm/cloud-security-scanner/
https://cloudsecwiki.com/index.html
https://www.comparitech.com/net-admin/cloud-security-tools/
https://tldrsec.com/tags/#cloud-security
https://github.com/toniblyx/my-arsenal-of-aws-security-tools
https://www.threatstack.com/blog/50-essential-cloud-security-blogs-for-it-professionals-and-cloud-enthusiasts#Experts
https://netflix.github.io/chaosmonkey/
Research
What are the attack vectors for cloud security? Potential ways to discover?
https://attack.mitre.org/matrices/enterprise/cloud/
https://d3fend.mitre.org/
Analyzer Tools: CSP native
GCP -
● https://cloud.google.com/products/security-and-identity
● https://cloud.google.com/asset-inventory
AWS -
● https://aws.amazon.com/products/security/
● https://aws.amazon.com/config
● https://aws.amazon.com/audit-manager
● https://aws.amazon.com/inspector
● https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
Analyzer Tools: Open source/Closed source
Configuration assessment
https://github.com/nccgroup/ScoutSuite
https://github.com/duo-labs/cloudmapper
https://github.com/cloud-custodian/cloud-custodian
https://github.com/SecurityFTW/cs-suite
https://github.com/z0ph/aws-security-toolbox
https://github.com/marcin-kolda/gcp-iam-collector
https://github.com/nccgroup/azucar
https://github.com/tfsec/tfsec
https://github.com/salesforce/cloudsplaining
https://github.com/salesforce/cloud-guardrails
https://github.com/salesforce/policy_sentry
https://github.com/salesforce/terraform-provider-policyguru
https://github.com/cesar-rodriguez/terrascan
https://github.com/mykter/aws-security-cert-service-notes
https://github.com/tensult/cloud-reports
https://www.marcolancini.it/2020/blog-tracking-moving-clouds-with-cartography/
https://komiser.io/
https://cloudsploit.com/
ScoutSuite
Prowler
Simulation: Test & validate detection and remediation controls, capabilities
https://github.com/splunk/attack_range
https://github.com/RhinoSecurityLabs/cloudgoat
https://sysdig.com/blog/gitops-k8s-security-configwatch/
https://github.com/OWASP/Serverless-Goat
https://github.com/nccgroup/sadcloud
https://github.com/bridgecrewio/terragoat
https://github.com/bridgecrewio/cfngoat
https://github.com/Netflix/security_monkey
http://flaws.cloud/
Summary
● Maturing cloud adoption from project-driven catalysts is hard
● In order to scale, need to account for multiple perspectives and their drivers
● Need to identify what you’re protecting
● Solidify your organization’s priorities, standards, and processes
● Identify multiple tools that help you work smarter, not just harder
○ Scale your discovery and analysis
○ Test and validate your progress with simulation tools
Appendix
Miscellaneous resources and references
References
URLs
● How to use trust policies with IAM roles | Amazon Web Services
● Azure Security Compass 1.1
● Mitigating Cloud Vulnerabilities
● Cloud computing & virtualization
● CSRC Topics - cloud & virtualization | CSRC
● NIST Cloud Computing Program - NCCP
● https://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/WebHome
● CIS: Shared Responsibility for Cloud Security: What You Need to Know
● Part 1: AWS Continuous Monitoring | by Uber Privacy & Security
● Part 2: AWS Monitoring Case Studies | by Uber Privacy & Security
● Introducing TerraGoat, a “vulnerable-by-design” Terraform training project
● AWS Security Maturity Roadmap
● RCE to IAM Privilege Escalation in GCP Cloud Build
● Cloud Security Posture Management: Why You Need It Now
● Wikipedia: Capability Maturity Model Integration
Training
● AWS Security Fundamentals (Second Edition)
● AWS training and certification
● Networking & Security Courses
● https://www.venturelessons.com/best-azure-security-courses/
CWPP products
Kaspersky Hybrid Cloud Security
Prisma Cloud by Palo Alto Networks
Trend Micro Deep Security
Sysdig Platform
CloudGuard IaaS by Check Point
Illumio Adaptive Security Platform (ASP)
Orca Security
Radware Cloud Native Protector
CloudGuard IaaS
Intezer Protect
ColorTokens Xtended ZeroTrust Platform
InsightVM (Nexpose)
Threat Stack
StackRox Kubernetes Security Platform
Qualys Cloud Platform
Armor Anywhere
Turbot
Morphisec Unified Threat Prevention Platform
Lacework
Fugue
Virsec Security Platform
CloudGuard Dome 9
Nutanix Beam
Hillstone CloudHive Microsegmentation Solution
McAfee Server Security Suite
Smart UPS
Sophos Central
Aqua Cloud Native Security Platform
Dome9 ARC
Symantec Cloud Workload Protection
Symantec Data Center Security
VMware Carbon Black App Control
Apcera platform
CloudAware
Uptycs
CASB products
Netskope
McAfee MVISION
Palo Alto Networks Prisma
Cisco Cloudlock
Proofpoint
Bitglass
Symantec CloudSOC
Microsoft Cloud App Security
Fortinet FortiCASB
CipherCloud
StratoKey
Forcepoint