Old Man Yells at Cloud Computing - Presented by: Terry Labach - PowerPoint PPT Presentation

SLIDE 1

Old Man Yells at Cloud Computing

Presented by: Terry Labach, Information Security Services, IST, December 4, 2019

SLIDE 2

Old Man Yells at Cloud Computing

Old Man Yells at Cloud Computing PAGE 2

SLIDE 3

The plan for today

  • What’s all this cloud computing stuff?
  • Security, isn’t that what we’re paying for?
  • What could possibly go wrong?
  • What is to be done?

SLIDE 4

What is cloud computing?

“A distributed system is a system where I can’t get my work done because a computer has failed that I’ve never even heard of.”

Leslie Lamport, c. 1990

SLIDE 5

What is cloud computing?

(Same quote, with “distributed system” struck out and replaced:)

“A cloud is a system where I can’t get my work done because a computer has failed that I’ve never even heard of.”

Leslie Lamport, c. 1990, as amended by me, today

SLIDE 6

No, really, what is cloud computing?

Cloud computing can be viewed in many ways…

  • a collection of technologies
  • an operational model
  • a business model
  • provision of computing resources from a shared infrastructure

SLIDE 7

Cloud computing infrastructure models

  • Public cloud
  • Using resources wholly hosted and operated off your premises by a 3rd-party cloud service provider
  • Resources provided by infrastructure that is also used by other clients
  • Private cloud
  • Using resources provided by infrastructure only used by your organization, whether hosted on-site or elsewhere
  • Hybrid cloud
  • Using both of the above models

SLIDE 8

Cloud computing service models

  • Infrastructure as a service (IaaS)
  • computing infrastructure, provisioned and managed over the internet
  • Software as a service (SaaS)
  • allows users to connect to and use apps over the Internet
  • Platform as a service (PaaS)
  • complete development and deployment environment in the cloud

SLIDE 9

Cloud computing operation models

  • Mimic traditional data centre concepts of servers, platforms, networking, etc.
  • This can result in users misconfiguring or inefficiently using cloud resources because they are thinking about traditional architectures.

SLIDE 10

So cloud computing is?

  • Using someone else's computers!

SLIDE 11

Where can I get some sweet, sweet cloud?

  • Microsoft Azure
  • Amazon Web Services (AWS), including Amazon Elastic Compute Cloud (EC2)
  • Google Cloud Platform
  • And many others…

SLIDE 12

Clouds with benefits

  • faster to provision
  • can reduce downtime
  • can save money
  • can be more secure

SLIDE 13

Clouds with benefits?

  • faster to provision
  • can reduce downtime (or not)
  • can save money (or not)
  • can be more secure (or not)

SLIDE 14

Why are you scared of clouds?

  • Have you ever really looked at them?

SLIDE 15

Why are you scared of clouds?

  • Misconceptions about the cloud mean that organizations do not manage cloud resources as they should.
  • Let’s look at a recent, well-publicized example.

SLIDE 16

The Capital One breach

  • Capital One is one of the largest banks in the United States
  • In 2019, a lone hacker managed to obtain the sensitive personal information of more than 100 million people, despite security measures
  • Capital One didn’t become aware of the breach until more than three months after the fact

SLIDE 17

What happened?

  • Hacker exploited a flaw in a web application firewall running on an Amazon Web Services cloud server
  • The firewall had been misconfigured: the IAM role attached to it was allowed to reach far more of the client’s resources than it needed, effectively all of them
  • The attacker crafted web requests that were passed through the firewall and resulted in data being returned from the underlying storage, because the requests appeared to be coming from the misconfigured firewall
  • Server Side Request Forgery (SSRF): the firewall was induced to request its own instance metadata, which returned temporary credentials for the firewall’s IAM role; with those credentials the attacker listed and copied the data through the ordinary AWS API
  • "AWS was not compromised in any way and functioned as designed," Amazon said in a statement
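The SSRF chain above, reduced to its mechanics, as an added example that is not code from the talk or from Capital One. The "fetcher" stands in for any server-side component (a WAF, a webhook tester, an image proxy) that retrieves a URL chosen by a client; the partner hostname, the role name and the credential values are made up, and the network is replaced by an in-memory table so it runs offline. The metadata path follows the real EC2 layout.

```python
"""SSRF against instance metadata, and one way to block it."""
import ipaddress
import socket
from urllib.parse import urlparse

# Link-local address that EC2 (and other clouds) serve instance metadata from.
METADATA_HOST = "169.254.169.254"

# Constructed stand-in for the network: URL -> body a real fetch would return.
FAKE_BACKEND = {
    f"http://{METADATA_HOST}/latest/meta-data/iam/security-credentials/":
        "waf-instance-role\n",
    f"http://{METADATA_HOST}/latest/meta-data/iam/security-credentials/waf-instance-role":
        '{"AccessKeyId": "ASIAEXAMPLEKEYID0000", "SecretAccessKey": "fake", "Token": "fake"}',
    "https://api.partner.example/status": '{"ok": true}',
}


def naive_fetch(url: str) -> str:
    """Vulnerable: fetches whatever the client asked for, so a request for the
    metadata URL comes back with the role's temporary credentials."""
    return FAKE_BACKEND.get(url, "404 Not Found")


def _blocked(ip) -> bool:
    """Address ranges a client-supplied URL must never reach."""
    return (ip.is_link_local or ip.is_private or ip.is_loopback
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def target_allowed(url: str, allowed_hosts, resolve=socket.gethostbyname) -> bool:
    """Hardened policy: https only, host on an explicit allowlist, and the
    address the host resolves to must not be link-local, private or loopback
    (catches a DNS name pointed at 169.254.169.254). `resolve` is injectable
    so the check can run without DNS."""
    try:
        parts = urlparse(url)
        if parts.scheme != "https" or parts.port not in (None, 443):
            return False
        host = parts.hostname
        if host is None or host not in allowed_hosts:
            return False
        try:
            ip = ipaddress.ip_address(host)          # literal IP in the URL
        except ValueError:
            ip = ipaddress.ip_address(resolve(host))  # hostname: check what it points at
    except (ValueError, OSError):
        return False
    return not _blocked(ip)


def guarded_fetch(url: str, allowed_hosts, resolve=socket.gethostbyname) -> str:
    """Same fetch, but only after the target passes the policy above."""
    if not target_allowed(url, allowed_hosts, resolve):
        raise PermissionError(f"refusing to fetch {url!r}")
    return FAKE_BACKEND.get(url, "404 Not Found")
```

The allowlist is the control that matters; the address check is a second layer against a name that resolves somewhere it should not. Neither fixes the other half of the problem, the over-broad role: even a leaked metadata credential does little harm when the role attached to the firewall can only do what a firewall needs to do.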

SLIDE 18

The Capital One breach revealed

  • What We Can Learn from the Capital One Hack
  • https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
  • Preventing The Capital One Breach
  • https://ejj.io/blog/capital-one
  • Information on the Capital One Cyber Incident
  • https://www.capitalone.com/facts2019/

SLIDE 19

But I thought that the cloud was more secure?

You’re expecting this level of security…

SLIDE 20

Nope!

…but this is what you get.

SLIDE 21

Security is not a commodity

  • Cloud vendors don’t understand:
  • your business processes
  • the sensitivity of your data
  • your legal and other requirements

SLIDE 22

What do cloud vendors think about security?

  • "The AWS Cloud has a shared responsibility model. AWS manages security of the cloud. You are responsible for security in the cloud."
  • https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

SLIDE 23

So, what can go wrong with cloud security?

  • In general:
  • failure to configure services as needed to protect data and operations
  • refusal to follow security policy, through ignorance or hubris, leading to breaches and other problems
  • failure to monitor operations and flag anomalies for investigation, so that misconfigurations and intrusions go undetected

SLIDE 24

Data breaches

  • Hackers stole the personal data of 57 million customers and drivers from Uber in October 2016
  • Company concealed the hack for more than a year and paid hackers $100,000 to delete the info
  • Loss included names, email addresses and phone numbers of 50 million Uber riders and personal information of about 7 million drivers
  • Attackers accessed a private GitHub coding site used by Uber software engineers
  • Used login credentials they obtained there to access data stored on Amazon Web Services
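Credentials in a code repository are the root of this one, and they are cheap to catch before they are pushed. The scanner below is an added example, not code from the talk or from Uber: it looks for AWS access key IDs (whose format is fixed and public) and for secret keys that sit beside a telltale variable name, and it can be run over a file or over the output of `git diff --cached` from a pre-commit hook. The sample config is constructed; the key pair in it is the placeholder pair AWS uses in its own documentation.

```python
"""Catch AWS credentials before they reach a repository."""
import re

# Access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term IAM
# user keys, ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A secret access key is 40 characters of base64-like text. That alone matches
# too much (hashes, tokens), so require a variable name that gives it away.
SECRET_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def find_aws_credentials(text):
    """Return (line number, kind, value) for each hit. Secrets are redacted to
    their first four characters so the scanner's own output is safe to log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_RE.finditer(line):
            findings.append((lineno, "secret_access_key", m.group(1)[:4] + "..."))
    return findings


def pre_commit_gate(staged_text):
    """Exit status for a pre-commit hook: 1 (block the commit) if anything is found."""
    hits = find_aws_credentials(staged_text)
    for lineno, kind, value in hits:
        print(f"line {lineno}: {kind} {value}")
    return 1 if hits else 0


# Constructed sample of a file someone is about to commit.
SAMPLE_CONFIG = """\
# deploy.env
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_HOST=db.internal.example
"""

if __name__ == "__main__":
    raise SystemExit(pre_commit_gate(SAMPLE_CONFIG))
```

A hook like this is a tripwire, not a guarantee: it does nothing for keys that are already in history, and the real fix is to keep long-lived keys out of developers' hands altogether by having code assume short-lived roles instead.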

SLIDE 25

Misconfiguration

  • Information on over 120 million American households was found in a massive database left exposed on the web in 2017 by marketing analytics company Alteryx
  • Included addresses, ethnicity, interests and hobbies, income, right down to what kind of mortgage the house was under and how many children lived at the property
  • 248 different data fields for each household
  • Data was sitting in Amazon Web Services storage
  • Open to anyone with an AWS account

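"Open to anyone with an AWS account" is a specific, checkable setting: an ACL grant to the predefined AuthenticatedUsers group, which sounds restrictive but covers every AWS customer in the world. The audit below is an added example, not code from the talk or from Alteryx. Its inputs mirror the shapes the S3 API returns for a bucket ACL (GetBucketAcl) and a bucket policy (GetBucketPolicy); the bucket name, account ID and grants are constructed. The policy check is deliberately simplified: it only flags Allow statements addressed to everyone that carry no Condition, which is the pattern behind most public-bucket leaks, and it says nothing about cross-account grants to specific principals.

```python
"""Flag storage that is open to the world, or to every AWS account."""
import json

# The two predefined S3 groups that make a grant "public".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "anyone with an AWS account",
}


def audit_acl(acl):
    """acl: dict with a 'Grants' list, as returned by GetBucketAcl."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return findings


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_policy(policy):
    """policy: parsed bucket policy document (the JSON from GetBucketPolicy)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements, and conditioned grants, are out of scope here
        if _principal_is_everyone(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(f"policy allows {', '.join(actions)} to everyone")
    return findings


def audit_bucket(name, acl, policy_json):
    """Both checks together; [] means no public access path was found."""
    policy = json.loads(policy_json) if policy_json else {}
    return [f"{name}: {f}" for f in audit_acl(acl) + audit_policy(policy)]


# Constructed samples: the 2017-style misconfiguration, and a tightened bucket.
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef"}
LEAKY_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::household-data-example/*"}]})
TIGHT_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
TIGHT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::household-data-example/*"}]})
```

Run it on every bucket on a schedule, not once at setup: the slide's point about periodic audit (slide 32) exists because ACLs and policies drift. The preventive control is the account-level "Block Public Access" setting, which refuses these grants in the first place; the audit is what tells you whether it is actually on.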
SLIDE 26

Architecture design failure

  • Accenture left private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could be used to decrypt traffic between Accenture and its customers
  • Data could be downloaded without a password
  • Some passwords were stored in plaintext
  • Credentials also found that appear to relate to Accenture's access to Google's Cloud Platform and Microsoft's Azure

SLIDE 27

Account hijacking

  • In 2014, attacker gained access to the AWS control panel of company Code Spaces and demanded money in exchange for relinquishing control
  • Company refused, and attacker began deleting data and virtual machines
  • There were replicated services and backups, but those were all controllable from the same control panel
  • This destroyed the company

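Two cheap detections that would have fired early in the Code Spaces scenario, and that answer the "failure to monitor" point on slide 23: any activity under the account root, and a burst of destructive API calls from one principal. This is an added example, not code from the talk or from Code Spaces. The records follow CloudTrail's field names (eventTime, eventName, userIdentity.type, userIdentity.arn); the account ID, ARNs and timestamps are constructed.

```python
"""Root-account use and destructive-call bursts over CloudTrail-style events."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventName values that remove data or capacity outright.
DESTRUCTIVE = {"TerminateInstances", "DeleteVolume", "DeleteSnapshot",
               "DeleteBucket", "DeleteObject", "DeleteDBInstance"}


def parse(line):
    """One JSON record -> (time, identity type, identity ARN, API name)."""
    ev = json.loads(line)
    when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return when, ev["userIdentity"]["type"], ev["userIdentity"]["arn"], ev["eventName"]


def root_activity(lines):
    """Every call made as the account root. Day-to-day work should happen under
    separate, lesser IAM roles, so any hit here deserves a human look."""
    return [(when, name) for when, kind, _arn, name in map(parse, lines) if kind == "Root"]


def destructive_bursts(lines, window=timedelta(minutes=10), threshold=5):
    """Principals that issued >= threshold destructive calls within any span
    of length `window`. Returns {arn: most calls seen in one window}."""
    per_actor = defaultdict(list)
    for when, _kind, arn, name in map(parse, lines):
        if name in DESTRUCTIVE:
            per_actor[arn].append(when)
    alerts = {}
    for arn, times in per_actor.items():
        times.sort()
        start, worst = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            alerts[arn] = worst
    return alerts


# Constructed sample log: someone on the root login wiping volumes at 2 a.m.,
# plus one routine snapshot cleanup by an operator later that morning.
ROOT = "arn:aws:iam::123456789012:root"
OPS = "arn:aws:iam::123456789012:user/ops-alice"


def _event(when, kind, arn, name):
    return json.dumps({"eventTime": when, "eventName": name, "eventSource": "ec2.amazonaws.com",
                       "userIdentity": {"type": kind, "arn": arn}})


SAMPLE_LOG = [_event(f"2019-12-04T02:0{i}:00Z", "Root", ROOT, "DeleteVolume") for i in range(6)]
SAMPLE_LOG.append(_event("2019-12-04T09:15:00Z", "IAMUser", OPS, "DeleteSnapshot"))
```

Detection only helps if the attacker cannot also delete the trail. Ship the logs, like the backups, to a second account that the primary control panel has no rights over; that is the concrete form of "separate administrative roles" on slide 32.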
SLIDE 28

Insecure interfaces

  • Facebook data breach affecting over 50 million accounts
  • Vulnerability introduced into code in July 2017 and only discovered in September 2018
  • Attackers used “View As,” a feature that lets people see what their own profile looks like to another Facebook user. The vulnerability resulted in the generation of an access token that had the permissions of the Facebook mobile app, not for the viewer, but for the other Facebook user, which could be used to take over their account

SLIDE 29

Inadequate controls

  • 120 million unique identification numbers issued to Brazilian citizens and to tax-paying foreigners exposed in 2018
  • index.html on cloud storage account had been renamed index.html_bkp, revealing the directory’s contents
  • Access not prohibited through .htaccess configuration
  • Discoverers attempted to contact and warn the cloud server owner
  • took several weeks, as the initial emails were returned as receiving addresses were invalid
  • more time passed until customers of the server owner locked down data

SLIDE 30

Shadow IT

  • In any organization, it is always the case that individuals, teams, departments (& faculties) use their own computing infrastructure apart from the enterprise-wide infrastructure
  • a server in a corner office may pose small risks
  • using unauthorized cloud services poses greater risks
  • When using a cloud service, setting up a new server takes a credit card and a few minutes
  • If users don’t configure appropriately, data is at risk
  • What happens in case of a breach, when central IT knew nothing about the service being used?

SLIDE 31

What do we do now?

  • Don’t rush apps into the cloud
  • “All the cool kids are doing it” is not a rationale
  • Analyze needs, gaps, and costs first
  • The cloud is not always the best place for apps
  • Invest in human expertise
  • Cloud computing is complex, and security is not a commodity
  • Hire experts or train your own

SLIDE 32

What do we do now?

  • Secure all data and infrastructure
  • Encryption of data and traffic
  • Backups, lots of backups
  • Duplication and redundancy
  • Design for security
  • Must understand and manage users, devices, data
  • Separate administrative roles
  • Cloud hosted sites, services, logs must be audited periodically to ensure correct configuration and operation

SLIDE 33

Conclusions

  • The cloud is with us for a while (until the next shiny thing comes along)
  • Cloud operations are not like those in a traditional data centre (not just security, but networking, backup…)
  • Cloud operations have to be treated as a different way of providing IT services
  • Outsourcing to the cloud doesn’t make things more secure, but it does change the way you secure your data

SLIDE 34

Think before you cloud

"Architects draw detailed plans before a brick is laid or a nail is hammered. Programmers and software engineers don't. Can this be why houses seldom collapse and programs often crash?"

Leslie Lamport

SLIDE 35

Resources

  • How to evaluate cloud vendors?
  • EDUCAUSE has an evaluation checklist to assist in evaluating vendor security and gaps
  • https://library.educause.edu/resources/2016/10/higher-education-community-vendor-assessment-toolkit

SLIDE 36

Sources

  • https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
  • https://www.forbes.com/sites/thomasbrewster/2017/12/19/120m-american-households-exposed-in-massive-consumerview-database-leak/#34733c447961
  • https://www.zdnet.com/article/accenture-left-a-huge-trove-of-client-passwords-on-exposed-servers/
  • https://www.infoworld.com/article/2608076/murder-in-the-amazon-cloud.html
  • https://www.pingidentity.com/en/company/blog/posts/2018/facebook-data-breach-highlights-api-vulnerabilities.html
  • https://www.scmagazine.com/home/security-news/exposed-s3-bucket-compromises-120-million-brazilian-citizens/
  • https://www.networkworld.com/article/2997152/five-ways-shadow-it-in-the-cloud-hurts-your-enterprise.html

SLIDE 37

IST Information Security Services

  • Mission: To provide information security expertise to the campus community and provide services in the areas of network security monitoring and vulnerability management.
  • https://uwaterloo.ca/information-systems-technology/about/organizational-structure/information-security-services

SLIDE 38

Terry Labach

  • Information Security Services team, IST
  • Web application security consulting
  • User security education
  • I can provide custom information security training to your department. Contact me for details.

terry.labach@uwaterloo.ca 519-888-4567 x45227

SLIDE 39

Questions?
