Cloud Security: Keeping Those Keys Safe

Cloud security: Keeping those keys safe

Jack Murgia, from Cloud Controllers, sent me an interesting query last week: “How does LabSlice ensure that the Amazon Web Services (AWS) Access Keys remain secure within the application?”

This is a great question, as the AWS Access Keys are the keys to the house for any business using the Amazon Web Services cloud. It’s true that our application stores more keys than most (we provide an AWS management service that utilizes our customers’ keys), but you will more than likely find keys used within your application, whether to upload files to cloud storage (S3) or within scripts that are launched by your application.

In fact, any cloud service provided by any vendor will ultimately involve some sort of key, certificate or credential authentication to give the application access to various cloud resources. So extend these ideas to the cloud of your choice…

We secure our cloud platform by:

  • Leveraging the inbuilt security controls of our development platform: In our case we use the ASP.NET Membership Services to manage application authentication and password storage, declarative security to limit access to sensitive parts of the application (eg. those that utilize AWS keys) and page security definitions to ensure that only particular users have access to particular pages. None of these controls are specific to the cloud, but security at home starts by making sure you have locked your doors and closed your windows.
  • Storing sensitive attributes in encrypted format on disk: Storing the AWS keys in encrypted format protects them from systems administrators and other management folk that may need to get console access to our application. It also ensures that the keys remain secure when nightly backups are taken and shipped to S3.
  • Running all key transactions over HTTPS, not just the login page: This seems to be a new trend in security (likely due to FireSheep) and we decided to adopt it as well. It’s a useful additional control to protect those AWS transactions that are run under the context of our customers’ AWS Access Keys.

But this is about cloud security…

Notice that the security controls we use have little to do with cloud computing. So is there anything cloud-related that we do to improve security? Turns out there is. I have come across three useful controls that are very cloud specific and that both us and our customers are implementing:

1.             Termination protection: This is a feature of the Amazon cloud that blocks APIs from terminating a machine. It’s somewhat of an operations control, to stop your administrator from mindlessly terminating a production machine. But it’s also a useful security control in case your Access Keys somehow leak out, or maybe to protect yourself against a malicious employee days before their own termination.

2.             Access Key permissions: By default most keys used in the cloud give global access to everything. As cloud vendors mature, so do the restrictions on these keys. If you’re using keys for limited activities (say, to upload files to S3) then it’s a good idea to restrict permissions solely to those activities. Our customers also limit the AWS Access Key permissions of the keys they use on our system. For example, Cloud Controller’s policy (see below) specifically forbids the ability to take snapshots, which is a good way to reduce their attack surface whilst using our system.

3.             Network access: Again, a specific control to Amazon, which can be mapped to your favorite provider. If you’re using Amazon then you would naturally want to use their Security Groups (firewall) to block public access to your RDP and SSH interfaces.

Notice the difference?

Whilst cloud does has its security controls, the vast majority of our efforts go into implementing and maintaining security using familiar techniques that have nothing to do with cloud computing. If you’re using the cloud then forget about cloud security. Go back to basics and learn about CIA and follow the OWASP Top 10 guide. Whilst cloud has valid security concerns, the vast majority of security compromises in the cloud will still end up due to a failure with the basics: Poor access control, vulnerability to command injection (eg. SQL) and inadequate logging and monitoring.


Sample key permissions from one of our customers (notice how they block our ability to take snapshots):

{

“Statement”: [

{

“Action”: [

“ec2:AttachVolume”,

“ec2:AuthorizeSecurityGroupIngress”,

“ec2:CreateKeyPair”,

“ec2:CreateSecurityGroup”,

“ec2:CreateVolume”,

“ec2:DetachVolume”,

“ec2:DescribeImages”,

“ec2:DescribeInstances”,

“ec2:GetConsoleOutput”,

“ec2:GetPasswordData”,

“ec2:RebootInstances”,

“ec2:RunInstances”,

“ec2:StartInstances”,

“ec2:StopInstances”,

“ec2:TerminateInstances”

],

“Effect”: “Allow”,

“Resource”: “*”

}

]

}

By Simon Ellis/CloudTweaks Contributor

LabSlice now offers consulting services for EC2 migration: http://LabSlice.com/Contact.

Sorry, comments are closed for this post.

IBM and SAP Announce Industry’s Largest Cloud Deal

IBM and SAP Announce Industry’s Largest Cloud Deal

IBM and SAP Announce Industry’s Largest Cloud Deal IBM and SAP have shaken the cloud computing world this afternoon with the announcement of one of the largest cloud deals in the industry’s history – bringing together two of the largest technology companies in a bid to offer a more holistic service to their clients. SAP…

The Industries That The Cloud Will Change The Most

The Industries That The Cloud Will Change The Most

The Industries That The Cloud Will Change The Most Cloud computing is rapidly revolutionizing the way we do business. Instead of being a blurry buzzword, it has become a facet of everyday life. Most people may not quite understand how the cloud works, but electricity is quite difficult to fathom as well. Anyway, regardless of…

Cloud Infographic: Cloud Public, Private & Hybrid Differences

Cloud Infographic: Cloud Public, Private & Hybrid Differences

Many people have heard of cloud computing. There is however a tremendous number of people who still cannot differentiate between Public, Private & Hybrid cloud offerings.  Here is an excellent infographic provided by the group at iWeb which goes into greater detail on this subject. Infographic source: iWeb About Latest Posts simon Latest posts by…

Cloud Infographic: Most Used Cloud Apps

Cloud Infographic: Most Used Cloud Apps

Cloud app and analytics company, Netskope released its quarterly Cloud Report. The new report reveals that enterprise employees are using an average of 397 different cloud apps (most of which are unsanctioned), when IT estimated they have 40-50 — that’s a tenfold underestimation. Below is an infographic provided courtesy of the group at Netskope which goes into further detail.…

Cloud Infographic – Cyber Security And The New Frontier

Cloud Infographic – Cyber Security And The New Frontier

Cyber Security: The New Frontier The security environment of the 21st century is constantly evolving, and it’s difficult to predict where the next threats and dangers will come from. But one thing is clear: the ever-expanding frontier of digital space will continue to present firms and governments with security challenges. From politically-motivated Denial-of-Service attacks to…

CONNECT TO THE CLOUD

 

Cloud Logo Sponsors

hp Logo CityCloud-PoweredByOpenstack-Bluesquare_logo_100x100-01
cisco_logo_100x100 vmware citrix100
Site 24x7


Contributor Spotlight

Established in 2009, CloudTweaks is recognized as one of the leading influencers in cloud computing, big data and internet of things (IoT) information. Our goal is to continue to build our growing information portal, by providing the best in-depth articles, interviews, event listings, whitepapers, infographics and much more.

Contact

CloudTweaks Media
Phone: 1 (212) 763-0021

Branded Content Programs

Advertising