Jazoon 13: Deploying trusted developer sandboxes in Amazon's cloud
Post on 27-Jun-2015
DESCRIPTION
By Jason Brazile, Remi Locherer, Ronnie Brunner, Netcetera, Switzerland http://guide.jazoon.com/#/submissions/145
As Infrastructure as a Service (IaaS) offerings in the cloud become more compelling, new collaboration possibilities emerge. A large European agency wished to offer vast satellite imagery free of charge to users who develop good applications for it. Instead of sending data to developers, why not offer a dev environment in the cloud? This talk describes an automated trusted remote Java development sandbox hosted in the Amazon cloud that uses strong encryption for system authentication and file system services. Security-conscious users can trust that their application intellectual property won't be leaked while trusting neither the cloud provider nor the operators who deploy and maintain the cloud-based sandbox service running on top of it.
- 1. Deploying trusted developer sandboxes in Amazon's cloud
  Jason Brazile, Remi Locherer, and Ronnie Brunner
2. This talk
  - potential cases for cloud storage & remote dev/test
  - automated read-only system images
  - not-too-inconvenient encryption everywhere
  - Not a takeaway: Pre-Snowden, but complies w/ 4 of 5 Schneier's tips http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
3. Background: ESA Study: 2009-2011
  - potential use-cases:
  - Cloud for free* data access
  - Cloud for remote development
  - (*) https://www.google.com/?q=ESA+Earth+Observation+Data+Policy
  - ESRIN/Contract Nr. 227700/09/I-SB final report (245 pages)
4. The CIOP case
  - Big, free-ish, Data
  - Distinct, proprietary, software devs
  - Slow test data distribution to code developers
  - Devs nervous about code leaking
  - Proprietary Algorithm A dev'd by X
  - Proprietary Algorithm B dev'd by Y
  - Instead, lead the users to the data (in the cloud)
5. But Security
  - ESA less concerned about hacking science data than their end users' algorithms and brand damage
  - Data = not really sensitive
  - Code = sensitive
  - Sol'n can't be too inconvenient
6. The Cloud Sandbox Prototype
  - [Diagram labels: NFS (/home/a, /home/b, /home/c, /data); ldap; portal; catalog; ESA/CIOP DMZ; ESA private net; sandbox a, sandbox b, sandbox c (each: encfs, sshd); user a, user b, user c; Admin; Existing X.509 certs; X.509 derived ssh key; nfs mount of encfs encrypted /home/a]
  - sandbox images basically read-only
  - ldap config limits user c to sandbox c
7. First Time Usage
  - ssh identity automatically derived from user's existing X.509 certificate
  - Single encfs passphrase can decrypt both 1. user's /home and 2. shared /validate
8. Daily Usage
  - ssh identity automatically derived from user's existing X.509 certificate
  - ldap directory centralized access control to machines and nfs mounts
  - Single encfs passphrase can decrypt both 1. user's /home and 2. shared /validate
9. Encrypted File system choices
  - SL6
10. Details: just the OS...
    name: fedora-xfce
    summary: Fedora with xfce
    os:
      name: fedora
      version: 16
    hardware:
      partitions:
        "/":
          size: 5
    packages:
      - @base
      - @base-x
      - @fonts
      - @xfce-desktop
      - @critical-path-xfce

  The only change needed:

    name: sl
    version: 6

    access_key: yourawsaccesskey
    secret_access_key: youawssecretkey
    account_number: youramazonaccountnumber
    cert_file: /root/.ec2/yourcertificate.pem
    key_file: /root/.ec2/yourprivatekey.pem

  Note: boxgrinder is sleeping. Now we use appliance-creator
11. Details: server customization (~500 lines)

    # ldap configuration
    yum install -y openldap-clients openldap-servers nss-pam-ldapd
    # prepare ldap cert
    cd /etc/openldap/cacerts
    openssl genrsa -out cert.key 2048
    openssl req -new -key cert.key -out cert.csr -subj "/C=IT/L=Default City/O=Default Company Ltd/CN=192.168.11.10"
    /usr/sbin/cacertdir_rehash /export/certs/
    yum install -y openssh-ldap
    echo 'AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper' >> /etc/ssh/sshd_config
    # for ssh-ldap-helper
    ln -s /etc/openldap/ldap.conf /etc/ssh/ldap.conf

    # home directory encryption
    # fuse-2.8.3-1.el6 works, fuse-2.8.3-3.el6_1 "fusermount -u" does not work.
    yum install -y fuse-2.8.3-1.el6 fuse-encfs-1.7.4-1.el6.i686
    cat /etc/fstab
    chmod +x /etc/profile.d/encfs.sh
    # load fuse kernel module at boot
    cat /dev/null 2>&1 EOF
    chmod +x /etc/sysconfig/modules/encfs.modules

  - pwgen
  - Firewall
  - Nfs/autofs/fuse-encfs
  - Cryptsetup-luks
  - Openssh-ldap
  - Syslog
13. Takeaways
  - potential cases made for cloud storage (test data) & remote dev access
  - automated read-only system images (server & client)
  - not-too-inconvenient encryption everywhere
  - github.com/netceteragroup/esa-ciop-sandbox-image-proto
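
Slides 7 and 8 state that the ssh identity is derived automatically from the user's existing X.509 certificate. The following is an added example, not code from the talk or from the esa-ciop-sandbox-image-proto repository, showing one way to do that derivation with stock `openssl` and `ssh-keygen` and to check that a private key really belongs to a certificate. The function names, file names and the self-signed `user-a` certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the project's code). Names and the sample cert are constructed.

# Print the OpenSSH public key for the key certified by an X.509 certificate.
# $1 = PEM certificate, $2 = minimum seconds of validity left (default 0).
cert_to_ssh_pubkey() {
    cert=$1; min_left=${2:-0}
    # Refuse certificates that are expired or expire within $min_left seconds.
    openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null || return 1
    # SubjectPublicKeyInfo PEM ("BEGIN PUBLIC KEY") is what ssh-keygen calls PKCS8.
    spki=$(mktemp) || return 1
    openssl x509 -in "$cert" -noout -pubkey > "$spki" &&
        ssh-keygen -i -m PKCS8 -f "$spki"
    rc=$?
    rm -f "$spki"
    return $rc
}

# Succeed only if private key $1 is the one certified by certificate $2.
key_matches_cert() {
    # Compare key type and base64 blob only; ignore any trailing comment field.
    from_key=$(ssh-keygen -y -f "$1" 2>/dev/null | cut -d' ' -f1,2)
    from_cert=$(cert_to_ssh_pubkey "$2" | cut -d' ' -f1,2)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Constructed sample input: a throwaway self-signed certificate valid for one day.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
umask 077   # ssh-keygen refuses private keys readable by group or others
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=user-a" \
    -keyout "$demo_dir/user-a.key" -out "$demo_dir/user-a.crt" 2>/dev/null

# The public key line an administrator would publish for user a.
cert_to_ssh_pubkey "$demo_dir/user-a.crt"
key_matches_cert "$demo_dir/user-a.key" "$demo_dir/user-a.crt" && echo "key matches cert"
```

Because the ssh key pair is the certificate's own key pair, the user needs no additional credential, and the operator can compute the authorized key from the certificate alone without ever handling the private key.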