Susam Pal is a security architect at Walmart. He has 15 years of experience in information security with a focus on developing PKI-based solutions, network security products, and cloud security services in organizations such as RSA Security and Walmart. He has a keen interest in cloud security, mathematics, and open source software. He develops software in Python, Go, C, and C++. He has been a contributor to Apache Nutch, the Open Sourced Vulnerability Database (OSVDB), the Web Application Security Consortium (WASC), Slimv, and others. He is an active open source author and contributor involved in developing and leading multiple projects such as TeXMe and Uncap.
About the talk
Susam Pal, Principal Engineer, WM Global Technology Services India Private Limited
Prasoon Dwivedi, Senior Engineer, WM Global Technology Services India Private Limited

This presentation will show how insight was achieved on a large scale into the security posture of a multi-cloud environment spread across multiple cloud service providers by using cloud provider APIs to pull security configuration data, normalize the data to a cloud-independent format, index it, analyze it, and detect security issues as well as violations of CIS benchmarks.
Hello and welcome to our session on multi-cloud security monitoring and CIS benchmark evaluation at scale, presented together by Prasoon Dwivedi and me, Susam Pal. We have been working together on cloud security at Walmart for the last three years. Before going any further, let me introduce myself. I'm a security architect at Walmart Global Technology. I've been working in the information security space for about 15 years. I'm also very passionate about open source software: I love contributing to existing open source projects as well as writing and maintaining my own projects.

Let us take a brief look at what we will be discussing in this session. Before we do that, please feel free to ask questions during the session; whenever you have any questions, let us know. Here is our agenda. We will start with a quick background about how we got into cloud security. We will then discuss the features of a multi-cloud security monitoring solution. We will spend a lot of time discussing the design of the solution, which addresses the inconsistency of concepts and terminology between the various clouds. Prasoon will then show how this design can be used to implement CIS benchmark evaluation and reporting across multiple clouds with some concrete examples. We will then talk about the industry standards out there, followed by a quick recap and conclusion.

Before we discuss our monitoring solution, let us take a few moments to emphasize the importance of cloud security. In the last several years, a larger and larger portion of the world's workloads has moved to clouds, and this trend is going to continue for the foreseeable future. It is predicted that in this year, 2021, 94% of workloads and compute instances will be processed by cloud data centers. This increased emphasis on cloud security is therefore very relevant today. Another interesting statistic: in 2019 alone, 7.9 billion records were compromised in data breaches.

As we began working on cloud security, we found that security monitoring tools that can work uniformly across multiple clouds are a challenge, due to the lack of standardization between the various clouds: their APIs, data formats, concepts and terminology all differ. Another challenge comes in terms of performance: running a monitoring tool on a large cloud infrastructure, say one consisting of 100,000 virtual machines, hundreds of databases, and so on, can consume significant time. These observations provided the motivation for us to start working on a cloud security monitoring tool.

Let us now discuss how to develop a cloud security monitoring solution that can work at scale. No matter what our security monitoring tool looks like, we have to follow a process to ensure that the tool is being used correctly. This process involves three important steps: detect security issues, fix the security issues, and most importantly, keep doing this in a loop. The architecture of the solution has two important aspects: the framework and the plugins. There are four types of plugins that you can see here on this slide. The framework, which is not explicitly depicted in the diagram, is the glue between the plugins in the background. We have an open source reference implementation of this architecture in Python, in the form of a fully functional cloud security monitoring tool, which we will come to at the end of this presentation. Although our implementation is in Python, it is possible to implement this architecture in any other programming language.

The framework is the part of the code that invokes the individual plugins and establishes the communication between them. The plugins do not interact with each other directly. The cloud plugins connect to the cloud provider and pull cloud data. Support for a new cloud provider is as simple as writing a new cloud plugin that implements a specific interface. The records from the cloud plugins are typically the JSON objects the plugins collect. The framework takes these records and sends them as input to all the configured store plugins and event plugins in parallel. Store plugins take these records and send them to different storage or indexing systems, like MongoDB, Elasticsearch, Splunk, or even relational databases. We have one store plugin per storage or indexing system. The mechanisms of communication between the plugins are implemented in the framework; like I mentioned earlier, the plugins are not even aware of each other. The framework runs each plugin in its own process. The queues between the plugins are multiprocessing queues that are set up by the framework itself. In this diagram the arrows go directly from one plugin to another, but in the actual implementation there is always the framework in between that is managing the queues.

You may notice that the framework picks up the data and feeds it to both the store and event plugins at the same time, because as we are storing all this data into the storage systems, we also want to start looking for security issues. Each event plugin specializes in looking for one type of security issue or one family of security issues. When it finds a security issue, the event plugin generates an event record. An event record is just another JSON object that describes a security issue found by the event plugin. The alert plugins take these event records and send them to alerting destinations. For example, an alert plugin may extract the most important attributes and values from the event record, create a log message out of it and send it to a log receiver. The event records are also sent to all the store plugins, so that a user who configures the solution that way can use some of their storage destinations as alerting destinations too. For example, alerts for security issues could go to a log receiver, while we might also want to send them to other destinations. That is why the framework supports using store plugins as alert plugins too.

This is the interface that a cloud plugin must implement. It is a simple class that has just two methods. It has an init method that accepts configuration parameters; these parameters are supplied by the framework from the configuration file when it instantiates an object of this class. The second method reads the cloud data and generates the records. The store plugin has a simple interface too: parameters that identify the destination, for example, this could be the IP address of a database host, and a method that knows how to take a record and write it to the store destination. The store destination could be something as simple as a local file, or it could be as sophisticated as an index in Elasticsearch. The event plugin analyzes whether the data in the record shows a security issue; in this example it looks at the record and, if it finds an issue, generates an event record. Finally, we have the alert plugin, which takes the event record and sends it to an alerting destination. Its interface is exactly the same as that of the store plugins, because both accept records from the framework and send them to different destinations. Each plugin has no knowledge of the other plugins; it is concerned only with its own task. It does not even care about multiprocessing and communication between plugins; all that complexity is expected to be in the framework. This design is inspired by the Unix philosophy: do one thing and do it well.

A quick look at the key features of the solution we have discussed so far. The solution is cloud agnostic: the framework is not tightly coupled with any specific cloud provider. It is extensible. The solution is agentless, because the tool does not have to be installed within the compute instances running on the cloud; the entire solution can run on any system independent of the cloud. It is fast due to the usage of multiprocessing: each plugin runs as a separate process, which allows plugins to run simultaneously on independent cores. It supports reporting in multiple formats. Out of the box it supports Splunk, Elasticsearch and MongoDB, and these systems come with their own dashboard and reporting tools; for example, Splunk has its own dashboards and there is Grafana for Elasticsearch. Finally, the solution supports industry standards. We will see later in the session how easy it is to develop high-performance event plugins that perform CIS benchmark evaluation with only about 30 to 40 lines of code per event plugin.

Let us see what the record looks like. The record is divided into three top-level buckets identified by three top-level keys: raw, ext and com. ext stands for extension and com stands for common. The purpose of these keys will become clear in the next few slides. The raw bucket contains the original JSON object that the cloud plugin received from the cloud; the entire object is kept as is inside the raw bucket. This is an example of an object we received from Azure. The format of the raw bucket varies a lot from one cloud provider to another. Here is another example, from Google Cloud; this is a very differently structured object. If we were to write queries or create reports on this raw data, it would introduce a significant amount of cloud-provider-specific keys and values in the queries. This is where the ext bucket comes in: it holds what is not readily available in the raw bucket, for example which cloud the record came from. This is an example of how we save this information. Similarly, while reporting or querying, we might want to narrow down by a specific type of record, using record_type, or by the operating system. Do note that all of this information is available in the raw bucket, but the data is buried deep inside a nested JSON object, and the data is also in a cloud-provider-specific format. These are general concepts in the cloud. If we can extract such general concepts from the provider-specific data and use uniform names and data formats for them, this makes querying and reporting much more convenient and also provider agnostic. Finally, the com bucket. It contains information that comes from the framework itself. We call it com for common because these keys and values are the same across all plugins for all clouds: start time, tool version, information that we can use in queries and dashboards. Let us see another example here. The origin_type is used to record the fact that this data was obtained using a cloud plugin.

That was a quick tour of our multi-cloud security monitoring design, architecture and data formats. Prasoon will now talk about how we use these concepts to help us perform automated cloud auditing, and especially how to perform CIS benchmark evaluation.

Hello, I'm Prasoon Dwivedi, a software engineer with Walmart India information security, and cloud security is one of my areas of interest. Now, coming back to the agenda of the session: we are ready to start our cloud auditing. The effectiveness of a cloud auditing program relies heavily on its scope, but in the case of a cloud, defining the scope is a daunting task for a cloud auditor. In a typical cloud setup, there can be hundreds and thousands of heterogeneous resources working together. Also, the speed at which the cybersecurity landscape is changing is very, very fast, and it makes the life of a security auditor harder. The Center for Internet Security, or CIS as we know it in short, publishes benchmarks for most of the prominent cloud service providers. These benchmarks from CIS are available for Google Cloud, AWS and Azure. A CIS benchmark is nothing but a security configuration baseline which an organization can follow in order to eliminate common misconfigurations in their cloud resources and harden the security of those resources. Many of the CIS benchmarks map directly to one of the industry standard or compliance frameworks, such as the frameworks and guidelines from NIST, ISO, HIPAA and so on. CIS benchmarks are the result of a collaboration between industry experts, information security practitioners, subject matter experts, cloud providers, vendors and other people in the field. CIS also makes a very conscious effort to keep these benchmarks updated with the latest trends in cyber security, and hence CIS benchmarks are highly regarded in the industry; hundreds and thousands of businesses have already adopted CIS benchmarks for their auditing needs as well as to protect their resources.

We already discussed that a typical cloud setup may have a large number of different types of resources, ranging from databases, virtual machines and identity and access management systems to applications and application services. CIS benchmarks for a given cloud provider cover most of these resources. Also, for example, a virtual machine offered by two different cloud providers may differ in terms of how it can be configured, so there may be potential risk if these resources are not configured correctly. CIS takes care of this issue by publishing different benchmarks for different cloud providers.

So we have talked enough about CIS benchmarks; now we will talk about implementing them, and will do so by means of a few examples. On the screen over here we see a CIS benchmark. This CIS benchmark is for Azure cloud, and it recommends that for all the virtual machines in an Azure subscription, the operating system disk must be encrypted. Let's see the rationale behind this recommendation. It is of utmost importance for an organization, as well as for an individual, to protect its data. Data may be in motion, or it may sit in a storage account or disk while at rest. When we protect data at rest, what it addresses is preventing unwarranted reads. So if you encrypt your VM's disk partition, you can prevent unwarranted reads, because it can only be read by actors in possession of the right key. Encrypting every operating system disk partition protects confidentiality. In the next slide we will see, by means of a small illustration, how the framework implements this benchmark.

On the screen over here you see four rectangular boxes; each one of these represents a plugin. On the top left you see the Azure VM plugin. This is responsible for talking to the Azure cloud by means of APIs and getting data about all the VMs present in a given subscription. This plugin will also get information about the disks, and to do so it may make one or more API calls. Once the Azure VM plugin receives data about all the VMs present in the given subscription, it parses it into VM records. A VM record is nothing but a JSON object which represents a virtual machine and its state. This VM record will then be passed on to one or more store plugins responsible for persisting the data in a data store, from where this information can be used for further analytics. The event plugin responsible for ensuring that the operating system disk is encrypted will intercept these VM records, and for each VM whose operating system disk partition is not encrypted it will generate an event record. This event record, for this particular example, will be of the Azure VM OS disk encryption event type. The event record will then be passed on to the store plugins, which will be responsible for storing it in the data store. This event record will also be intercepted by an alert plugin, which will be responsible for sending out an alert. An example of an alert can be an email sent out to all the stakeholders notifying them that there is such and such VM in their Azure subscription where operating system disk encryption is missing. So this is how, using the framework, we have implemented this benchmark.

Now let's see an example of an event record. On the screen over here we have a record from the previous example. This record is of the Azure VM OS disk encryption event type. It has two buckets, which we have talked about earlier. The first bucket is the ext bucket, which has data about the audit as well as the data source being audited. So you see that there is information about the cloud, which for the previous example is Azure, the subscription ID and other data to identify the source, as well as a description of the resource. The ext bucket also has contextual data like the VM state and the state of operating system disk encryption. The next bucket is the com bucket, which will also contain other metadata. There are two fields in the com bucket which are of special interest. The first is the description field. The description field will tell an auditor what exactly is wrong with the resource which is being audited: such-and-such VM in the subscription with such-and-such ID has an unencrypted partition. The other field of interest is the remediation field. The remediation field, as the name suggests, tells a cloud administrator what is wrong with the security configuration of a resource they are managing. So in this case the remediation field will tell the administrator that the Azure virtual machine with such-and-such ID, which they are managing, has an unencrypted disk, and they must go and evaluate the virtual machine and encrypt its OS partition.

Moving on, we'll see one more example to make the concept a little more concrete. The next benchmark is again for Azure cloud, and it recommends that all the web apps in an Azure subscription must use the latest version of TLS. Let's see the rationale. TLS is a transport layer protocol to safeguard the confidentiality and integrity of data in motion between upstream and downstream services. Industry standards such as PCI DSS also recommend that only version 1.2 of TLS must be used, because versions before TLS version 1.2 have known vulnerabilities in them. So in order to be secure, use at least version 1.2 of TLS. Moving on to the next slide, we will see how the framework we have proposed implements this benchmark, again by means of an illustration. We see four rectangular boxes; each one of them represents a plugin. This time the Azure VM plugin is replaced by an Azure web app plugin, which gets information about all the web apps in the Azure subscription, sanitizes it and creates web app records. These records will then be fed to the store plugins, and they are also processed by the event plugin, which will be responsible for intercepting the web app records and making sense out of them. If a given web app is using at least the minimum configured version of TLS, it won't do anything; for a web app which is using a version of TLS below the minimum configured version, it will generate an event record of the web app TLS event type. It will again be stored by the store plugins and received by the alert plugins.

Moving on to the next slide, we have the representation of the event record in the form of a JSON object. Again we have two buckets, ext and com. The ext bucket will have, along with other information, information about the resource as well as the subscription. The com bucket will again have description and remediation. Let's see how the description and remediation fields look for this particular event. The description will tell the administrator that they need to take a look at such and such Azure web app because it's using a version of TLS which is below the minimum configured version. The remediation field will tell the security administrator that they need to inspect this Azure web app and make sure that it uses at least the minimum configured version of TLS, 1.2 in this particular case.

Moving on, this brings us to the end of our session. In order to put into practice what we have discussed today, you'll need to find or prepare a list of all the resources your organization is using in the clouds. Classify those resources based on their importance to the business. Next, you will need to find out all the industry standards and compliance guidelines your organization and business need to follow. It is very likely that within your organization's setup you already have some kind of control and audit mechanism in place, in which case you can go through the list of all the CIS benchmarks and identify the assessments which are applicable to your organization. Even if you implement all of them, CIS benchmarks only provide a basic level of security against security misconfiguration, so it is highly suggested that you refer to other standards and guidelines as well; you can refer to guidelines from the CSA or ISO. The next step will be the most crucial one. In this step you will need to bring together all the required stakeholders, and along with them you need to prepare an audit plan and define its cadence. You also need to define the roles and responsibilities, but most importantly, you need to find the person or the team who will be responsible for acting on the audit findings and fixing the security issues.

The open source reference implementation of the project is called Cloudmarker. It is written in Python, and I highly recommend you all to go and take a look at it right after the session. You can start using it right away, or retrofit it for your organization's security needs by writing more plugins; the framework makes it very simple. All you need to do is write a few lines of code and you will be able to add to the audit program in your organization. This concludes our session. We both appreciate you all for listening to us. Thank you very much for your time. Please post your questions; we will be more than happy to answer them.
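The two benchmark checks walked through in the talk (VM OS disk encryption and web app minimum TLS version), as an added example in the spirit of the plugin model described above; this is not Cloudmarker's own code. The eval() method name, the field names inside the ext and com buckets, and the sample records are assumptions made for illustration.

```python
"""Two event plugins over the raw/ext/com record layout described in the talk.
Added example, not Cloudmarker's own code: the eval() interface, the field
names in ext/com and the sample records are assumptions for illustration."""

def parse_version(v):
    """'1.2' -> (1, 2) so that TLS versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

class EventPlugin:
    """An event plugin inspects one record and yields zero or more event records."""
    record_type = None  # the ext.record_type this plugin cares about
    event_type = None   # the com.record_type of the events it emits

    def __init__(self, **config):
        self.config = config  # in the framework these come from its config file (assumed)

    def eval(self, record):
        ext = record.get("ext", {})
        if ext.get("record_type") != self.record_type or not self.is_issue(ext):
            return  # another plugin's record, or a compliant resource: no event
        description, remediation = self.describe(ext)
        yield {"ext": {k: ext[k] for k in ("cloud_type", "subscription_id", "name")},
               "com": {"record_type": self.event_type,
                       "description": description, "remediation": remediation}}

class VmOsDiskEncryptionEvent(EventPlugin):
    """CIS Azure benchmark from the talk: every VM OS disk must be encrypted."""
    record_type, event_type = "vm", "vm_os_disk_encryption_event"

    def is_issue(self, ext):
        return not ext.get("os_disk_encrypted", False)

    def describe(self, ext):
        where = f"VM {ext['name']} in subscription {ext['subscription_id']}"
        return f"{where} has an unencrypted OS disk partition.", f"Encrypt the OS disk of {where}."

class WebAppTlsEvent(EventPlugin):
    """CIS Azure benchmark from the talk: web apps must use at least TLS 1.2."""
    record_type, event_type = "web_app", "web_app_tls_event"

    def is_issue(self, ext):
        actual = ext.get("min_tls_version")  # a missing setting is reported, not skipped
        return actual is None or parse_version(actual) < parse_version(self.config.get("min_tls_version", "1.2"))

    def describe(self, ext):
        minimum = self.config.get("min_tls_version", "1.2")
        return (f"Web app {ext['name']} allows TLS below {minimum}.",
                f"Set the minimum TLS version of web app {ext['name']} to {minimum}.")

def make_record(raw, **ext):
    """Build a constructed sample record: raw as received, ext normalized, com from the framework."""
    return {"raw": raw, "ext": dict(cloud_type="azure", subscription_id="sub-1", **ext),
            "com": {"origin_type": "cloud"}}

SAMPLE_RECORDS = [  # constructed for illustration; the raw objects are not real provider output
    make_record({"osDisk": {"encryptionSettings": None}}, record_type="vm", name="vm-a", os_disk_encrypted=False),
    make_record({"osDisk": {"encryptionSettings": {"enabled": True}}}, record_type="vm", name="vm-b", os_disk_encrypted=True),
    make_record({"siteConfig": {"minTlsVersion": "1.0"}}, record_type="web_app", name="app-a", min_tls_version="1.0"),
    make_record({"siteConfig": {"minTlsVersion": "1.2"}}, record_type="web_app", name="app-b", min_tls_version="1.2"),
    make_record({"siteConfig": {}}, record_type="web_app", name="app-c"),  # TLS setting absent
]

def run_events(records, plugins):
    """Feed every record to every event plugin, as the framework would, and collect the events."""
    return [event for rec in records for plugin in plugins for event in plugin.eval(rec)]
```

Each plugin only looks at the normalized ext bucket, so the same check works unchanged for any cloud whose plugin fills in those fields; a web app record with no TLS setting at all is reported rather than silently passed.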