Cloud Security: Keeping Those Keys Safe


Jack Murgia, from Cloud Controllers, sent me an interesting query last week: “How does LabSlice ensure that the Amazon Web Services (AWS) Access Keys remain secure within the application?”

This is a great question, as the AWS Access Keys are the keys to the house for any business using the Amazon Web Services cloud. It’s true that our application stores more keys than most (we provide an AWS management service that utilizes our customers’ keys), but you will more than likely find keys used within your application, whether to upload files to cloud storage (S3) or within scripts that are launched by your application.

In fact, any cloud service provided by any vendor will ultimately involve some sort of key, certificate or credential authentication to give the application access to various cloud resources. So extend these ideas to the cloud of your choice…

We secure our cloud platform by:

  • Leveraging the inbuilt security controls of our development platform: In our case we use the ASP.NET Membership Services to manage application authentication and password storage, declarative security to limit access to sensitive parts of the application (e.g. those that utilize AWS keys) and page security definitions to ensure that only particular users have access to particular pages. None of these controls are specific to the cloud, but security at home starts by making sure you have locked your doors and closed your windows.
  • Storing sensitive attributes in encrypted format on disk: Storing the AWS keys in encrypted format protects them from systems administrators and other management folk that may need to get console access to our application. It also ensures that the keys remain secure when nightly backups are taken and shipped to S3.
  • Running all key transactions over HTTPS, not just the login page: This seems to be a new trend in security (likely due to FireSheep) and we decided to adopt it as well. It’s a useful additional control to protect those AWS transactions that are run under the context of our customers’ AWS Access Keys.

But this is about cloud security…

Notice that the security controls we use have little to do with cloud computing. So is there anything cloud-related that we do to improve security? Turns out there is. I have come across three useful controls that are very cloud-specific and that both we and our customers are implementing:

1. Termination protection: This is a feature of the Amazon cloud that blocks APIs from terminating a machine. It’s somewhat of an operations control, to stop your administrator from mindlessly terminating a production machine. But it’s also a useful security control in case your Access Keys somehow leak out, or maybe to protect yourself against a malicious employee days before their own termination.

2. Access Key permissions: By default most keys used in the cloud give global access to everything. As cloud vendors mature, so do the restrictions on these keys. If you’re using keys for limited activities (say, to upload files to S3) then it’s a good idea to restrict permissions solely to those activities. Our customers also limit the permissions of the AWS Access Keys they use on our system. For example, Cloud Controllers’ policy (see below) specifically forbids the ability to take snapshots, which is a good way to reduce their attack surface whilst using our system.

3. Network access: Again, a control specific to Amazon that can be mapped to your favorite provider. If you’re using Amazon then you would naturally want to use their Security Groups (firewall) to block public access to your RDP and SSH interfaces.
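One way to check the network-access control in item 3, as an added example that is not LabSlice's own code: it walks data in the shape of the EC2 DescribeSecurityGroups response and reports rules that open SSH or RDP to the whole internet, including port ranges and "all protocols" rules that cover them implicitly. The group IDs and rules in SAMPLE are constructed for illustration.

```python
import ipaddress

# TCP ports for the two admin interfaces the article names.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample in the shape of the EC2 DescribeSecurityGroups response.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-example-lab", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

def _is_public(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any address on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def _covers(rule, port):
    """A rule covers a port if it allows all protocols or a TCP range containing it."""
    if rule.get("IpProtocol") == "-1":  # "-1" means every protocol and port
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def exposed_admin_ports(response):
    """Return sorted (group_id, service, cidr) tuples for world-open SSH/RDP."""
    findings = set()
    for group in response.get("SecurityGroups", []):
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in filter(_is_public, cidrs):
                for port, name in ADMIN_PORTS.items():
                    if _covers(rule, port):
                        findings.add((group["GroupId"], name, cidr))
    return sorted(findings)

if __name__ == "__main__":
    for finding in exposed_admin_ports(SAMPLE):
        print("world-open admin port:", finding)
```

Note that the 3000-4000 range in the sample exposes RDP even though port 3389 is never named in the rule, which is the case a quick visual review tends to miss.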

Notice the difference?

Whilst cloud does have its security controls, the vast majority of our efforts go into implementing and maintaining security using familiar techniques that have nothing to do with cloud computing. If you’re using the cloud then forget about cloud security. Go back to basics and learn about CIA (confidentiality, integrity and availability) and follow the OWASP Top 10 guide. Whilst cloud has valid security concerns, the vast majority of security compromises in the cloud will still come down to a failure with the basics: poor access control, vulnerability to command injection (e.g. SQL) and inadequate logging and monitoring.


Sample key permissions from one of our customers (notice how they block our ability to take snapshots):

    {
      "Statement": [
        {
          "Action": [
            "ec2:AttachVolume",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateKeyPair",
            "ec2:CreateSecurityGroup",
            "ec2:CreateVolume",
            "ec2:DetachVolume",
            "ec2:DescribeImages",
            "ec2:DescribeInstances",
            "ec2:GetConsoleOutput",
            "ec2:GetPasswordData",
            "ec2:RebootInstances",
            "ec2:RunInstances",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
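The policy above blocks snapshots by omission: IAM denies any action that no Allow statement matches. The following added example (not LabSlice's or the customer's code) evaluates a policy document against a list of actions that must stay out of reach, handling wildcards and explicit Deny statements. BROAD_POLICY and the helper names are constructed for illustration, and the evaluator is simplified: it ignores Resource, Condition and NotAction.

```python
import json
from fnmatch import fnmatchcase

# The customer policy quoted above, embedded so the example runs offline.
CUSTOMER_POLICY = json.loads("""
{"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
  "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateKeyPair",
  "ec2:CreateSecurityGroup", "ec2:CreateVolume", "ec2:DetachVolume",
  "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:GetConsoleOutput",
  "ec2:GetPasswordData", "ec2:RebootInstances", "ec2:RunInstances",
  "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"]}]}
""")

# Constructed counter-example: a broad grant of every EC2 action.
BROAD_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

SNAPSHOT_ACTIONS = ["ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:CopySnapshot"]

def _as_list(value):
    """IAM lets Statement and Action be a single item or a list of items."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    """Action names are case-insensitive and may contain * and ? wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(policy, action):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(_as_list(stmt.get("Action")), action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed

def audit(policy, must_not_allow):
    """Return the subset of must_not_allow that the policy would permit."""
    return [a for a in must_not_allow if is_allowed(policy, a)]

if __name__ == "__main__":
    print("customer policy permits:", audit(CUSTOMER_POLICY, SNAPSHOT_ACTIONS))
    print("broad policy permits:   ", audit(BROAD_POLICY, SNAPSHOT_ACTIONS))
```

The same check shows that this policy still grants ec2:TerminateInstances, so termination protection remains the control that guards production machines if these keys leak.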

By Simon Ellis/CloudTweaks Contributor

LabSlice now offers consulting services for EC2 migration: http://LabSlice.com/Contact.
