Elastic Security


Security for the Cloud

Launch of HP Cloud with OpenStack

We’ve been busy lately with the second version of Elastic Detector, which supports Amazon EC2, Terremark’s vCloud Express and Eucalyptus. Today we’re thrilled to announce support for another leading cloud infrastructure: HP Cloud. Please find the complete announcement here.

We are strong believers in OpenStack and participated in the private beta of HP Cloud in order to be ready from day one. We are happy to start our partnership with HP Cloud, with the goal of bringing added security services to HP Cloud customers.

Filed under: Cloud Computing, Elastic Security, IaaS, Solutions

CloudyScripts for vCloud

CloudyScripts – our popular open-source library (more than 10000 downloads so far) that aims at relieving administrators from finicky scripting details when securing and managing cloud infrastructures – now supports the vCloud API in addition to Amazon EC2. vCloud is the cloud stack provided by VMware and has already been adopted by around 30 hosting providers worldwide.

The first script we provide retrieves all open internet services for a given vCloud organization/account and checks whether a service is actually running on that port. Unused open ports give attackers a means to deploy rogue publicly available services and may – in the case of providers like Terremark, which charge explicitly for every publicly available internet service – even incur additional costs.

As usual, the script can be executed locally by installing a gem from the open-source library, by using the CloudyScripts web service, or by starting a DevPay AMI within Amazon EC2. We welcome any feedback and are open to implementing or customizing scripts on demand!

Filed under: Solutions

AWS Security Alert: Insecure RDP Server Configuration

What is the Problem?

Some days ago, I received a mail from Amazon AWS telling me that one of our security groups gives public access (that is, an ACL with value “0.0.0.0/0”) to port TCP/3389, which by default runs the Remote Desktop Protocol on Windows machines. The reason for their mail is that “a new Internet worm has been discovered in the wild that spreads via the above protocol [...]”. To remedy this danger, they “suggest that you audit your Amazon EC2 security group settings and restrict access to only the instances and IP addresses that need access”.

I checked the configuration, found that fortunately no service instance is running in that security group, but fixed the wrong configuration anyway. While I appreciated the notification, I have two points of critique:

  • My colleague, who wanted to reproduce such an alert by adding port TCP/3389 with a public address to one of his security groups, has not been notified yet. This raises the question of how often such a security group audit is run by AWS.
  • When checking my security groups, I realized that I also had other critical ports open, e.g. port SSH/22, that may be subject to future attacks, but for which I didn’t receive a security notification. What about those other sensitive ports?

How to fix this?

In order to make AWS’s recommendation of auditing security groups easy for anybody to perform, we implemented a Ruby script that retrieves all security groups and identifies permissions that give public access to critical ports, i.e. ports that we consider so sensitive that public accessibility may cause critical damage to your machines. For now, we check against the ports 22 (SSH), 23 (telnet), 389 (LDAP), 1433 (MSSQL), 3306 (MySQL), 3389 (RDP), 5432 (Postgres), and 5500 (VNC).

The script is part of the CloudyScripts open-source project and can thus either be installed and run locally or executed from this web site. We hope to help make your EC2 cloud more secure! Any feedback or collaboration is welcome!
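The core of such an audit, as an added example written for this post (it is not the CloudyScripts code): it walks a constructed Ruby structure shaped like a parsed DescribeSecurityGroups response and flags every rule that exposes one of the sensitive ports above to 0.0.0.0/0, including rules whose port range merely covers a sensitive port or that open all protocols.

```ruby
# Added example (not CloudyScripts): flag security-group rules that expose
# sensitive ports to the whole internet (0.0.0.0/0). Input is a constructed
# Ruby structure shaped like a parsed DescribeSecurityGroups response.
SENSITIVE_PORTS = {
  22 => "SSH", 23 => "telnet", 389 => "LDAP", 1433 => "MSSQL",
  3306 => "MySQL", 3389 => "RDP", 5432 => "Postgres", 5500 => "VNC"
}.freeze

PUBLIC_CIDR = "0.0.0.0/0"

# Returns the sensitive ports covered by one permission entry, or [] if the
# rule is not world-reachable or does not touch a sensitive port.
def exposed_ports(perm)
  return [] unless perm[:ip_ranges].include?(PUBLIC_CIDR)
  # Protocol "-1" means "all protocols" in EC2, i.e. every port is open.
  return SENSITIVE_PORTS.keys if perm[:protocol] == "-1"
  return [] unless perm[:protocol] == "tcp"
  from, to = perm[:from_port], perm[:to_port]
  SENSITIVE_PORTS.keys.select { |p| p.between?(from, to) }
end

# Audits all groups; returns unique findings as [group, port, service].
def audit_security_groups(groups)
  groups.flat_map do |g|
    g[:permissions].flat_map do |perm|
      exposed_ports(perm).map { |p| [g[:name], p, SENSITIVE_PORTS[p]] }
    end
  end.uniq.sort
end

# Constructed sample: one group opens RDP and a wide range to the world,
# another restricts SSH to a single office network.
SAMPLE_GROUPS = [
  { name: "web", permissions: [
      { protocol: "tcp", from_port: 80,   to_port: 80,   ip_ranges: [PUBLIC_CIDR] },
      { protocol: "tcp", from_port: 3389, to_port: 3389, ip_ranges: [PUBLIC_CIDR] },
      { protocol: "tcp", from_port: 3000, to_port: 3400, ip_ranges: [PUBLIC_CIDR] } ] },
  { name: "admin", permissions: [
      { protocol: "tcp", from_port: 22, to_port: 22, ip_ranges: ["203.0.113.0/24"] } ] }
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_security_groups(SAMPLE_GROUPS).each do |group, port, svc|
    puts "#{group}: port #{port} (#{svc}) is open to #{PUBLIC_CIDR}"
  end
end
```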

Filed under: AWS, Solutions

Detect useless Snapshots and Volumes in the Amazon EC2 Cloud

Do you know that problem? You started and stopped server instances on the Amazon Cloud, took snapshots of instances or EBS volumes, and after some weeks or months you find the EC2 console totally cluttered. There are lots of unattached volumes with completely meaningless IDs and dozens of nameless snapshots, and you don’t even know what they actually contain. Having all that data lying around not only degrades your experience in the web console, but also increases the probability of data leakage and accidental loss. Even worse, you pay for that mess and have to invest time to clean it up regularly – manually and carefully, to avoid deleting unique data or backups that might actually be needed for recovery in the future.

We at SecludIT wrote an open-source script to address this problem and published it on our CloudyScripts site. The script identifies two types of resources that might be considered for cleanup:

  • Snapshots: when the number of snapshots that exist for the same EBS volume exceeds a certain configurable number, you can safely delete the oldest ones
  • Volumes: when a volume is not attached to any instance and has not been used for more than a day, it is probably useless
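The two rules above, implemented as an added example for this post (not the CloudyScripts script itself) over constructed snapshot and volume records; the `detach_time` field is an assumption of the example, since the EC2 API does not report it directly.

```ruby
# Added example (not the CloudyScripts script): apply the two cleanup rules
# to constructed snapshot and volume records loosely shaped like the fields
# of DescribeSnapshots / DescribeVolumes. `detach_time` is assumed here.
require "time"

ONE_DAY = 24 * 60 * 60

# Rule 1: for each EBS volume, keep the newest `keep` snapshots and report
# the older ones as deletion candidates.
def stale_snapshots(snapshots, keep: 3)
  snapshots.group_by { |s| s[:volume_id] }.flat_map do |_vol, snaps|
    snaps.sort_by { |s| s[:start_time] }.reverse.drop(keep)
  end.map { |s| s[:snapshot_id] }.sort
end

# Rule 2: a volume is a candidate when it has no attachment and its last
# detach time (or creation time, if never attached) is over a day before `now`.
def idle_volumes(volumes, now:)
  volumes.select do |v|
    last_used = v[:detach_time] || v[:create_time]
    v[:attached_to].nil? && (now - last_used) > ONE_DAY
  end.map { |v| v[:volume_id] }.sort
end

NOW = Time.parse("2011-06-10T12:00:00Z")   # constructed "current time"

# Constructed data: five snapshots of one volume, one of another.
SAMPLE_SNAPSHOTS = (1..5).map do |i|
  { snapshot_id: "snap-sample0#{i}", volume_id: "vol-sampleA",
    start_time: NOW - i * ONE_DAY }
end + [{ snapshot_id: "snap-sample09", volume_id: "vol-sampleB", start_time: NOW - ONE_DAY }]

# Constructed data: attached, detached two days ago, created an hour ago.
SAMPLE_VOLUMES = [
  { volume_id: "vol-sampleA", attached_to: "i-sample01", create_time: NOW - 30 * ONE_DAY, detach_time: nil },
  { volume_id: "vol-sampleC", attached_to: nil, create_time: NOW - 30 * ONE_DAY, detach_time: NOW - 2 * ONE_DAY },
  { volume_id: "vol-sampleD", attached_to: nil, create_time: NOW - 3600, detach_time: nil }
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "snapshots to review: #{stale_snapshots(SAMPLE_SNAPSHOTS).join(', ')}"
  puts "idle volumes:        #{idle_volumes(SAMPLE_VOLUMES, now: NOW).join(', ')}"
end
```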

We are aware that there are very complete AWS cost control and optimization solutions on the market (e.g. Cloudyn or Cloudrows). However, if you simply want to clean up your account from time to time without registering for a new service, the script should be quite helpful. I run it every week now!

Let us know if you find this useful and if you have suggestions to improve it!

Filed under: AWS, Solutions

How to increase security and visibility of Amazon EC2 instances?

Amazon EC2 administrators have to deal with daily problems such as:

  • Ensuring security of new instances,
  • Detecting performance and capacity problems,
  • Keeping track of the modifications on the infrastructure.

We would like to give you some insights into our solution to address those problems and to make life easier for cloud administrators by detecting security-related issues and events: Elastic Detector. What makes this product unique is that it is fully automated and agentless. You can see how Elastic Detector works in this short video:


Filed under: AWS, Cloud Computing, Elastic Security, IaaS, Internals, Secure Cloud, Solutions

Impressions from CloudOps Summit

Last week I attended the CloudOps Summit in Frankfurt. The motto of this conference was “Run the Cloud”, and the central idea was to show how cloud computing is already used today, what hands-on solutions and architectures look like, how cloud systems are operated, and what tools are already available.

While web startups almost immediately understand the advantages of public cloud infrastructures such as Amazon EC2, Rackspace or GoGrid and already use them intensively to avoid up-front investments in hardware, scale their infrastructure dynamically to their needs, and benefit from a pay-per-usage model, established enterprises are much more hesitant to adopt – mostly due to security concerns, fear of vendor lock-in, the cost of migrating their legacy data, or the constraint of remaining compatible with existing software. This leads to the funny situation that the big ones listen carefully to learn from the new and small ones.

The conference started with a couple of short 6-minute “lightning talks” and was followed by parallel tracks about architecture, management, operations, and presentations of startups.

Some highlights from the lightning talks

Jean-Paul Schmetz explained in his keynote that cloud computing means that everything becomes software in the cloud – storage, memory, CPU – they have all become resources that can be created and destroyed programmatically on demand. Hardware is a fixed asset that requires planning, budgeting, and thus accurate predictions of the future, something very hard to achieve in a world of constantly changing requirements and needs.

Chris Boos sees in cloud computing the big opportunity for system administrators to get rid of the boring part of operations and maintenance and to concentrate on the interesting and challenging tasks of creating new things. Cloud computing and its inherent need for automation actually liberate the rare IT experts and revalue their skills.

Nicolas Plögert from Sharewise showed how his company outsourced almost all non-critical business processes to more than a dozen web services – communication, billing, customer relationship management, to name a few.

Florian von Kurnatkowski told us that even the automotive industry wants to make its internal network (ENX) more flexible by transforming it into a cloud infrastructure.

Startups

In the startup tracks (in which I presented Elastic Detector, our cloud security monitoring service) there were a couple of interesting products around cloud infrastructures:

ScaleUp builds software that helps providers build their own public clouds. Their focus is on account management, provisioning, and managing the “point of purchase”, i.e. the spot where providers and consumers meet.

Scalarium provides a SaaS product for deploying and scaling web applications on Amazon EC2.

CloudSafe lets you store and share critical documents in the cloud. All data is encrypted and different access models are supported.

CentralStationCRM is a CRM SaaS product targeting small companies that are overwhelmed by the complexity of products like Salesforce.

SemYou aims to combine the simplicity of an app store with the flexibility of SaaS applications. Their goal is that users can activate any kind of web application with a single click on their computer, and it will run transparently in the cloud.

Impossible Software lets you create “dynamic videos” in which logos and brands can be integrated into video templates.

Thanks to the organizers for their great work and looking forward to another CloudOps Summit in Frankfurt next year! All presentations are available behind this link.

Filed under: Cloud Computing, Discussions, Solutions

Why The Perimeter Must Become Virtual

The perimeter is a key concept in the world of information security and even older than that. In its original sense, it means a path that surrounds an area. In the context of information security, this path consists of an ensemble of protection mechanisms that surround your information: physical walls and physical protection around servers in a data center, and logical walls (firewalls, intrusion prevention systems, anti-virus protection).

In the world of cloud infrastructures (IaaS), it is not so easy to determine the “area” that is supposed to be surrounded. Resources are shared among different clients (multi-tenancy) and they are allocated in the data centers of external providers (outsourcing). Moreover, computing resources become virtual – physical resources are transparently shared – and elastic – they are allocated and destroyed on demand. Since this can be done via APIs in a programmable and automated way, cloud computing infrastructures are highly dynamic and volatile. How can one build a perimeter around a moving target?

Well, the short answer is: the perimeter must also become virtual, highly dynamic, and automated.

Let’s have a look at an example: a new web application is being launched. There should be an automated verification process that checks the firewall rules, the access rights of users, the patch level and whether patching is automated, whether backups are being done, that performs an external audit of the application (using a SaaS service, for instance), and even deploys a web application firewall in front of it – just to name a few steps. This does not eliminate the need to include security in the development life cycle, but unless we can deliver such an automated service, we will hear complaints about the time it takes to get new services online and continue to have insecure applications online (maybe in another cloud :-) ).

Filed under: Cloud Computing, Elastic Security, IaaS, Solutions

Read-Only Credentials For EC2

A common concern of EC2 users with regard to using third-party tools like Elastic Detector is that those tools require the users’ AWS EC2 credentials to work. In the wrong hands, those credentials can be misused to cause significant damage, e.g. by shutting down instances. Fortunately, AWS provides a solution called Identity and Access Management (IAM).

In this blog post, we want to give you a step-by-step, hands-on description of how to use IAM to generate “read-only” credentials for EC2, i.e. credentials that allow third-party providers to call only those API methods that retrieve information, and prevent API calls that modify something. With the help of the IAM command line tools it is possible to define groups of users and associate a policy with them, which defines which API calls are allowed under which conditions.

1. Install IAM Client Tools
First of all, you need to download the IAM command line tools from Amazon and deploy them on your machine.

To do so, go to http://aws.amazon.com/developertools/4143 and click the download button.

Unzip the downloaded file. Detailed installation instructions can be found in the README file.

Basically, the EC2 credentials (the “root” credentials) must be written into a specific file, the environment variables AWS_IAM_HOME (path to the IAM directory created during unzip) and AWS_CREDENTIAL_FILE (path to the credentials file) must be set, and the tools must be added to the environment path (variable PATH).

Test whether the tools are correctly installed by typing:

iam-userlistbypath -h

The tool should respond by showing you all options of that command.

2. Create A Group
Create a group named ExternalProviders.

iam-groupcreate -g ExternalProviders

Check that the group was successfully created.

iam-grouplistbypath

You should see something like

arn:aws:iam::123456789012:group/ExternalProviders

3. Create A User
Create a user named Secludit for the group ExternalProviders.

iam-usercreate -g ExternalProviders -u Secludit -k

Store the credentials that are displayed. Those are your read-only credentials.
Check that the user was created and linked to the group:

iam-userlistgroups -u Secludit

You should see something like

arn:aws:iam::123456789012:group/ExternalProviders

4. Add The Read-Only Policy
The following command adds a policy named ReadOnly to the group ExternalProviders.

iam-groupaddpolicy -g ExternalProviders \
  -p ReadOnly -e Allow \
  -a cloudwatch:GetMetricStatistics \
  -a cloudwatch:ListMetrics \
  -a 'ec2:Describe*' -r '*'

The option -a specifies which API calls are allowed. Our specification tells IAM to allow all calls of the EC2 API whose name starts with ‘Describe’ (e.g. DescribeInstances, DescribeSecurityGroups, DescribeSnapshots, etc.) and the two CloudWatch API calls needed to retrieve statistics.

Now execute the following command to be sure that everything worked fine.

iam-grouplistpolicies -p ReadOnly -g ExternalProviders -v

You should see

{"Version":"2008-10-17","Statement":
[{"Effect":"Allow",
"Action":["ec2:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"],
"Resource":["*"]}]}

5. Revoke The Credentials
Last, but not least – here is how to revoke the credentials. You do not need to remove them from the third-party provider tools you use; you can simply do the following to invalidate them:

iam-groupdelpolicy -g ExternalProviders -p ReadOnly

This removes the policy and thus revokes any access rights for all users of the group ExternalProviders.

Note: for most EC2 management consoles (which e.g. allow launching or stopping machines), read-only credentials are not enough. Consult your third-party provider to know exactly which API calls need to be enabled. IAM allows many more and finer-grained restrictions than shown in this post, e.g. restricting access to certain IP addresses or specific resources. Don’t hesitate to contact us with questions on that topic.
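To see exactly which calls a third-party tool holding the ReadOnly credentials can make, here is an added example (not from this post or from AWS): a simplified evaluator for the policy document shown in step 4, using IAM’s action-matching rules (‘*’ and ‘?’ wildcards, case-insensitive, deny by default). It models Allow statements on Action only; Resource and Condition handling is left out, and the list of calls the tool “needs” is constructed.

```ruby
# Added example (not from the post or AWS): simplified evaluator for the
# ReadOnly group policy. Only Allow statements matched on Action are
# modelled; anything not explicitly allowed is denied, as in IAM.
require "json"

READ_ONLY_POLICY = JSON.parse(<<~JSON)
  {"Version":"2008-10-17","Statement":
   [{"Effect":"Allow",
     "Action":["ec2:Describe*",
               "cloudwatch:GetMetricStatistics",
               "cloudwatch:ListMetrics"],
     "Resource":["*"]}]}
JSON

# IAM action matching: '*' matches any run of characters, '?' a single
# character, and the comparison is case-insensitive.
def action_matches?(pattern, action)
  regex = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  /\A#{regex}\z/i.match?(action)
end

# True when some Allow statement covers the action; false otherwise.
def allowed?(policy, action)
  policy["Statement"].any? do |st|
    next false unless st["Effect"] == "Allow"
    Array(st["Action"]).any? { |pat| action_matches?(pat, action) }
  end
end

# Splits the API calls a tool claims to need into [allowed, denied].
def classify(policy, actions)
  actions.partition { |a| allowed?(policy, a) }
end

# Constructed list of calls a hypothetical management tool might request.
NEEDED_BY_TOOL = %w[ec2:DescribeInstances ec2:DescribeSecurityGroups
                    cloudwatch:GetMetricStatistics ec2:StopInstances
                    ec2:AuthorizeSecurityGroupIngress iam:ListUsers].freeze

if __FILE__ == $PROGRAM_NAME
  ok, denied = classify(READ_ONLY_POLICY, NEEDED_BY_TOOL)
  puts "allowed: #{ok.join(', ')}"
  puts "denied:  #{denied.join(', ')}"
end
```

Calls in the denied list are the ones to discuss with the provider before widening the policy; anything that modifies state stays blocked by the ReadOnly policy as written.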

Filed under: AWS, Solutions

Elastic Detector Private Beta

After more than 6 months of development, following another 6 months of trying to understand the most important security needs of people who use infrastructure clouds today, we have released our monitoring and security tool Elastic Detector as a private beta.

Elastic Detector runs as Software as a Service (noblesse oblige ;-) ) and allows you to easily and fully automatically monitor and secure your virtual machines on Amazon EC2. Our idea is to take away the burden of configuring and deploying monitoring (and later also firewall rules and access rights) in dynamic infrastructures. By inspecting the characteristics and security perimeter of an infrastructure via different means, we reduce human intervention to a minimum.

We have granted access to a limited number of users during a closed beta phase. If you are interested in participating in the private beta phase (until the end of January), you can contact us at private-beta {at} secludit-dot-com.

Filed under: Internals, Solutions

Multi-factor authentication with Google apps

I have just realized that my last post was about Multi-Factor Authentication (MFA) on Amazon Web Services; what a coincidence, or is it fashion? Anyway, I’m really happy to see that authentication is finally getting some good solutions, and this is an important step towards achieving secure clouds.

So, back to the Google announcement. We have been using Google Apps for more than a year now and it is really an easy way to share everything, from documents to calendars. In this case, the second authentication factor uses your telephone. I followed the clear instructions to set up MFA, installing Google Authenticator on my iPhone. Everything was done in 5 minutes and it works!

I have to say that I would like to know more about the algorithm that generates the one-time codes, but it really solves the problem of signing in on untrusted terminals, and you can even use it on your everyday computer if you don’t mind having your phone with you and typing in the code.

But there was a problem: I could not get my iPhone synced (contacts, emails, calendars) with the Google account using MFA. I could use the Google Apps, but I’m used to using the iPhone default applications, so I’ll have to wait for Apple to support Google’s MFA…

Yet another integration problem, or another example of the usability vs. security issue? Any thoughts?

Filed under: Discussions, Secure Cloud, Solutions
