CSG Fall 2016 – Security and Configuration in the Cloud, pt 1

Sarah Christen is introduces the workshop.

Bob Winding and Sharif Nijim – Notre Dame

• Cloud first – even distributed groups going cloud first
• VPCs: Share Services VPC with peering to Central Applications or Departmental VPCs; VPN Tunnels over I2 to campus; Be wary of implicit peering through campus routers.
• 80% central IT, 20% distributed
• Pauses to assess progress are built into the plan, with sprints to address issues. Inviting Mandian to campus to help establish 5 year security roadmap.
• Export controlled data
  • 22 projects on campus dealing with this kind of data
  • Gov Cloud new initiative to support research
  • NIST 800-171 DFAR-7012 – looks a lot like PCI DSS
    • AWS covers 1/3 of security controls in GovCloud
    • Talked to a half-dozen PIs – experiments generate lots of data, then they move data to a local spot for analysis, or design work that happens locally with specific apps.
    • Developed a compliance matrix and quick start template in Cloud Formation
      • Quick start builds shared services and multi-tenant project VPC
    • Want to create an environment in GovCloud that is cloistered for the work until it goes back to the sponsor.
• VDI – Using graphics intensive applications in the cloud
  • Looked at frame – delivers screen from remote desktop over video streams. Running pilot in US East
• Look at the RDP gateway as the audit boundary – doesn’t include the end user device
• Least privileges in IAM
• Working with Purdue to look at SaaS providers for security monitoring and log analysis
• AWS Security
  • Flipped IAM from least privilege to explicit deny of dangerous operations
    • Separation of control on IAM policy creation and application
    • Writing Lambda functions to undo changes that aren’t permitted
• Organizing security groups
  • Setting standards for common functions, like sysadmin access
  • Engineers have a hard time keeping things simple
  • Databases use security groups for access control, which simplifies auditing
• `Data security
  • Using Tripwire tuned precisely on systems with confidential information
  • Encryption at rest and backups
  • Replication of backups/snapshots to a separate account and region. If a credential is compromised can’t destroy both operational data and backup
• Future
  • Cloudfront WAF
    • Want to fully leverage Amazon’s tools to gain advantage
    • Realize that this increases lock-in with the vendor
  • Host IDS for selected sensitive systems – looking for things that don’t cause choke points
  • Comment from Bruce – “we’re on the verge of a post-firewall world”
    • At AWS have to use IP-address based controls across VPCs and shared services
• https://oit.nd.edu/cloud-first

Bob Turner – Wisconsin

• Somewhere between cloud experimentation and cloud aware.
• Trying to not yet deal with sensitive and restricted data in the cloud
• security requirements for accounts and VPCs
  • Working off script based on risk management framework
  • Using it for onboarding people into cloud environments
  • Working on audits and attestations
• Enforcing cloud controls (will also use for on campus environments)
  • Provisioning/De-provisioning
  • Going to try to use FEDRAMP checklist as a guide
  • Approval of risk by Executive able to accept on behalf of University
• Automated Templates (consultancy model)
  • Create a new account or migrate existing account under master
  • Pre-provisioned equipment templates with logging enabled
  • Configured for Shibboleth
  • Moving towards Duo for MFA
  • Activate AWS Config
  • Use (future) cloud security tool for initial verification and continuous monitoring
• Things to be concerned about
  • Holding on to root accounts and credentials
  • Challenges of CDM
  • Usual tools are not necessarily available
  • AWS tools have charges
  • Challenge of cloud vendors that don’t support SAML or federation
• Account management
  • Group email per department, including Office of Cybersecurity Rep
• Researcher accounts
  • must know their expected data (at present no Restricted or Sensitive data)
    • Google as a government service that has been pretty well vetted by US agencies

Sarah Christen – Cornell

• Cloud first according to IT Strategic plan written in 2013
• 54 accounts under master contract, hundreds outside
• Cloudification services has been an opportunity for central IT to partner with campus
• Requirements for being on master contract
  • Onboarding discussion
    • How billing works; unit responsibilities – how is this different than the data center?; Security and configuration requirements; Benefits; Discussion about joining tech community; central services available – Container service (will containerize and run code for fee), DevOps service
  • Attestation
    • Explicit agreement to policies
  • Shibboleth
  • Duo for MFA for console access
  • Activation for AWS Config and CloudTrail
  • CloudTrail logs sent to Security Office
• Onboarding – create account, configure Shib and Duo, lockdown root account, standard AD groups (admin, cloud group, security), activate Config and CloudTrail and configure CloudTrail logs to be sent to Security office as well as the VPC owner; activate Cloudcheckr and schedule review of how to use.
• CloudCheckr – allows those with accounts to see usage data; makes recommendations on how to save money; sends monthly invoices; runs continuous vulnerability scan; gives Security a view into all accounts
• Standard VPC setup – blogs.cornell.edu/cloudification/2016/04/08
• What about reseaerch accounts?
  • Easy onboarding without a lot of steps or complication
  • No intereference with research, no cost of performance overhead
  • Solutions for export controlled data and othe rcompliance requirements
  • Standard network config not always a good fit
  • Consultation and services – Docker, Data Storage, Training, Devops support

Mark Debonis – VaTech

• Cloud Aware -> Moving into CLoud Experiment
• One production VPC in AWS, five pre-production
• Moving towards both AWS and Azure offerings
• Manual provisioning process
  • Customer contacts CCS via Service Catalog for Cloud brokerage discussion
  • Difference in Azure (upfront) and AWS billing models – In Azure if you don’t use your commitment in a year you lose it
• Logins to Azure portal with VT AD account, Redirect to VT ADFS, Login and use Duo, Primary contact manages other users through Azure Admin portal with VT AD accounts

Kevin Murphy – UNL Lincoln

• Cloud first for SaaS
• Experimentation for PaaS and IaaS: Rackspace, Azure, AWS
• On VPC in Azure for disaster recovery (domain controllers, ADFS)
• VPC in progress for AWS
• Central IT is pushing cloud strategies, very little departmental participation. Research computing run by CS faculty, not interested in cloud computing.
• Security requirements: Federated logins (ADFS with Duo) for Azure. Shipping everything from IaaS to Splunk on campus
• Security requirements – manually creating accounts; No PII data in the cloud
• Been doing Azure StoreSimple device – hybrid solution.
• Moving PCI environment to the cloud with a managed service provider who will take the liability and run on AWS. “not extremely expensive”
• Challenges: Moving current architecture to IaaS can be prohibitively expensive – people build for peak loads, need to use elastic capabilities. Exploring PaaS options such as Azure Web Apps and DB services. Billing is a challenge.

Bereket Amdemichael, Daniel Tamiru, Georgetown

• Based their AWS cloud architecture on the work done at the CSG Cloud Architecture Working Group
• Added a proxy layer.
• IPSec VPN – Cisco
• Users only have access to specific VMs – have to access across the VPN
• VPC and group architecture is a “spirited discussion”
• When do they (security) need to be alerted when something isn’t right?
• Using Equinix for high speed transfer to AWS