Enterprise Cloud Security
1 like260 views
The document focuses on enterprise cloud security, highlighting the importance of tight configurations and the segregation of duties to mitigate breaches caused by configuration flaws and vulnerabilities. It discusses security control measures such as multi-factor authentication, role-based access controls, and encryption, alongside auditing and activity monitoring for operational integrity. Additionally, it addresses customer-managed key distribution for encrypted data, emphasizing best practices for maintaining secure cloud environments.
Enterprise Cloud Security
- 1. Davi Ottenheimer, Product Security Enterprise Cloud Security
- 2. Davi Ottenheimer __ -=(o '. '.-. /| '| || __):,_ > _ Product Security Making safety easier, faster, and more flexible
- 3. Cloud Trust Themes Service: benefits of tighter configs by relinquishing some control ● Flexibility across clouds ● Meet industry standards ● Advantage in trusted bridge builders
- 4. Cloud Trust Themes Common questions ● What can provider see (segregation of duties, AAA) ● What happens when provider detects a CVE or an incident ● How do we get operational logs ● Who is responsible for what ● Which key authorities can be used ● Where is the data really (can it disappear, can it not disappear)
- 5. Cloud Trust Themes Why it is so important to get Enterprise Cloud Security right ● Cause of breaches - configuration flaws, unpatched vulns ● Reputation loss, regulatory oversight and fines increasing https://www.computerweekly.com/news/450401190/UK-firms-could-face-122bn-in-data-breach-fines-in-2018
- 6. SALT. FOG.
- 7. https://www.flickr.com/photos/39391550@N00/6116946646 Why Do We Trust 600,000 Rivet Towers Spanning a Salt Fog?
- 8. https://www.flickr.com/photos/39391550@N00/6116946646 What Does Cloud Security Look Like?
- 9. 60,000 Rivets - Per Plane 1. Normal Checklist - takeoff and landing routines 2. Emergency Checklist - minutes to make a critical decision “Life begins with a checklist...and it may end if you don’t use it” United States War Office Film 1-3301 How to Fly the B-26 http://www.flyingpenguin.com/?p=12965
- 10. Service Organization Control (SOC) PRIVACY & SECURITY INTEGRITY AVAILABILITY CONFIDENTIALITY AICPA SOC 2
- 11. DIY Checklists - Great Way to Learn! https://github.com/pkdone/MongoSecurityPlaypen WARNING: This project intentionally is NOT "production secure" The DIY SECURITY SERVICE LAYER
- 12. “...as a Service” is Less Complex, Fewer Errors On-premises Database as a ServiceSelf-managed in a cloud Managed features with minimal configuration Download, install, configure management software Configure firewall and manage ports Encrypt network traffic for MongoDB deployment Encrypt network traffic to/from management software and your MongoDB deployment Enable and configure authentication Enable and configure RBAC Configure storage-level encryption Encrypt backup jobs Security hardening Download, install, configure management software Configure firewall and manage ports Encrypt network traffic for MongoDB deployment Encrypt network traffic to/from management software and your MongoDB deployment Enable and configure authentication Enable and configure RBAC Configure storage-level encryption Encrypt backup jobs Security hardening
- 13. Agenda Identity and Access Auditing Encryption Enterprise Cloud Security
- 14. Identity and Access Enterprise Cloud Security
- 15. Secure Access Controls ● Default Role is Closed ● Multi-Factor Authentication (MFA) Integration ● Role-based Access Controls (RBAC) for Projects, Users and Teams SECURITY USABILITY MFA Standards (e.g. fido) StrongWeak Poor Easy
- 16. Secure Access Controls ● Basic Checklist ○ In-flight data encryption (TLS 1.1+) ○ Authentication (SCRAM or LDAPS) ○ Traffic “firewall” (IP whitelist, default closed) ● Design Considerations ○ Dedicated VPC/Vnet: Isolated Single-tenant Cluster Nodes ○ Peered AWS VPCs (same region)
- 17. VPC Per Atlas Project AES At-Rest Encryption Secondary Secondary Primary Dedicated VPC (per project) ● Network default closed to public ● IP addresses explicitly whitelisted for inbound traffic ● User/password required to connect to database with configurable privileges ● Encryption ○ TLS In-Transit (Network) ○ AES At-Rest (Volume) Zone 1 Zone 2 Zone 3 Auth (SCRAM or LDAPS) IP Whitelist TLS In-Flight Encryption Application Server Environments
- 18. VPC Per Atlas Project AES At-Rest Encryption Secondary Secondary Primary ● Network default closed to public ● IP addresses explicitly whitelisted for inbound traffic ● User/password required to connect to database with configurable privileges ● Encryption ○ TLS In-Transit (Network) ○ AES At-Rest (Volume) ● Peering cluster VPC to app VPC = private network (can even reference VPC peered security groups) Zone 1 Zone 2 Zone 3 Auth (SCRAM or LDAPS) Your VPC for Application Servers VPC Peering Connection Peered VPC (per project)
- 19. IaaS Account Network Customer Replica Set Cluster Secondary Secondary Primary Zone 1 Zone 2 Zone 3 IaaS Unsharded Backup Service Data Flow Diagram
- 20. IaaS Account Network Query Router (mongos) Config Servers Customer IaaS Shard 0 2 2 1 Sharded Shard 1 2 2 1 Shard 2 2 2 1 Shard 3 2 2 1 Shard 3 2 2 1 Backup Service Data Flow Diagram
- 22. Activity Logs ● Records ○ Database Processes ○ Create, Read, Update, Delete (CRUD) ● Live feeds on all actions for monitoring/alerts ○ User or role modifications ○ Cluster deploy ○ Scale ○ Termination operations
- 23. Fine-grained monitoring and alerts
- 24. Fine-grained monitoring and alerts ● Monitoring and alerts provide full metrics on the state of your cluster’s database and server usage ● Automatic notifications when your database operations or server usage reach defined thresholds that affect your cluster's performance ● Combining our automated alerting with the flexible scale-up-and-out options in MongoDB Atlas, we can keep your database-supported applications always performing as well as they should
- 26. Real-time activity panel Insight by revealing what’s happening in your cluster live to diagnose: ○ Operations ○ Read/Writes ○ Network In/Out ○ Memory ○ Hottest Collections ○ Slowest Operations
- 28. Behavioral Advisor ● Always-on for dedicated clusters ● Delivers automated recommendations without perf overhead ○ Relevant stats on slow queries ○ Automated index suggestions ○ Existing indexes across clusters
- 29. Data Explorer ● Interact with data from within UI ● A convenient way to: ○ Run queries ○ See metadata about your databases & collections ○ View information about your indexes, including index usage statistics
- 30. Queryable Snapshots Query backup and restore data at document level in minutes ○ Identify whether data of interest has been ○ altered and pinpoint best time to ○ restore database by comparing ○ multiple snapshots
- 32. Service Levels Key Store Key Distribution Encrypted Data Key Store Key Distribution Encrypted Data Key Store Key Distribution Encrypted Data Customer Customer Customer More Control (Customer-Managed Keys) More Ease (Encryption by Default) Cloud Key Service
- 33. Service Use Cases Regulated / Top Secret (PII/PHI/PCI) Encrypted Data Secret (IP, Internal) Key Distribution Encrypted Data Key Store Key Distribution Encrypted Data More Control (Customer-Managed Keys) More Ease (Encryption by Default) Cloud Key Service Confidential
- 34. AWS KMS: Delegated Master Keys Replica0 Replica Host (Linux, Windows…) Replica0 (mongod) Internal Keystore (Encrypted by Master Key) DB0 ECA Embedded Key Management Certificate PEM File CA Certificates File DB0 DB1 DBn DB1 DBn Replica1 Replica2 Atlas Enterprise Cloud Agent KMIP (create / get) KMSProxy
- 35. Partner Key Management Appliance: Master Keys Replica0 Replica Host (Linux, Windows…) Replica0 (mongod) Internal Keystore (Encrypted by Master Key) DB0 ESE Embedded Key Management Certificate PEM File CA Certificates File DB0 DB1 DBn DB1 DBnReplica1 Replica2 KMIP (create / get) Key management and keystore controlled by the organization, not the cloud service provider (https://www.nccoe.nist.gov/sites/default/files/library/sp1800/tc-hybrid-sp1800- 19a-preliminary-draft.pdf)
- 36. IaaS Key Service Differences Key Service Symmetric Asymmetric Data Size Unwrap keys Sign/verify AWS KMS AES-GCM-256 N/A 4kB RSA-OAEP and CKM_RSA_PKCS N/A GCP KMS AES-GCM-256 N/A 64kB N/A N/A Azure KV AES-256 RSA-2048 with RSA-OAEP and CKM_RSA_PKCS Single 2048-bit RSA block RSA-OAEP and CKM_RSA_PKCS RSA-PSS and CKM_RSA_PKCS http://docs.aws.amazon.com/kms/latest/developerguide/overview.html https://cloud.google.com/kms/docs/ https://docs.microsoft.com/en-us/azure/security/azure-security-encryption-atrest#key-hierarchy
- 37. For Instance: Migration Checklist Log Review Security Policy Review Identity and Access Control Configuration Encryption Key Management Disaster Recovery / Backup Redundancy / Resilience Networked Workloads Product Load / Scale Patching Cycles Abstracted Service Architecture
- 38. “...as a Service” is Less Complex, Fewer Errors On-premises Database as a ServiceSelf-managed in a cloud Managed features with minimal configuration Download, install, configure management software Configure firewall and manage ports Encrypt network traffic for MongoDB deployment Encrypt network traffic to/from management software and your MongoDB deployment Enable and configure authentication Enable and configure RBAC Configure storage-level encryption Encrypt backup jobs Security hardening Download, install, configure management software Configure firewall and manage ports Encrypt network traffic for MongoDB deployment Encrypt network traffic to/from management software and your MongoDB deployment Enable and configure authentication Enable and configure RBAC Configure storage-level encryption Encrypt backup jobs Security hardening
- 39. https://www.flickr.com/photos/39391550@N00/6116946646 Why Do We Trust 600,000 Rivet Towers Spanning a Salt Fog?
- 40. Enterprise Cloud Security Identity and Access Auditing Encryption
- 41. Davi Ottenheimer, Product Security Thank You