
CG - Securing Your Cloud-Native DevOps: A Zero Trust Approach

BSides Las Vegas · 46:44 · 40 views · Published 2024-09
About this talk
Common Ground, Wed, Aug 7, 13:30 - Wed, Aug 7, 14:15 CDT

'Cloud-native' approaches such as microservices, serverless functions and containers have gained popularity in application development. While they offer significant benefits like scalability and resiliency, they have also created a more complex and distributed attack surface, leaving the DevOps environment vulnerable to threats like supply chain attacks and lateral movement. Consequently, it's crucial for organizations to rethink their strategies for DevOps and pipeline security. This talk aims to address 'cloud-native' security challenges in DevOps through the lens of Zero Trust's core principles: verify explicitly, least privilege access and assume breach. Drawing insights from real-life attacks, we present the cloud-native DevOps threat landscape; the talk concludes with guidance for implementing Zero Trust security to secure the CI/CD pipeline and DevOps environment, highlighting key priorities and capabilities to consider when developing your DevOps security strategy.

Speaker: Emma Fang

Transcript [en]

Okay, let's get started. I think it's actually good that we don't have that many people here. So my talk is about cloud-native DevOps. You might have already heard this term before, but it's something that I'm going to explain later.

First of all, a bit of introduction about myself. My name is Emma Fang and I'm based in London, so as you can pick up from a little bit of my accent, I'm not from the US; I came all the way from London. I'm a cloud security architect at EPAM. As a consultant I love to design and architect everything in the cloud for my clients. A little bit of introduction about EPAM: it is a technology consultancy specialized in software engineering and product design, and we help our clients to accelerate and integrate security into their cloud transformation programs. Alongside my work I also volunteer in a few UK-based communities, such as the Women in CyberSecurity (WiCyS) UK affiliate, and I'm also on the industry advisory board committee for the computer science faculty at the University of Buckingham. So that's me.

Okay, this is the agenda for today. I would like to give you a definition of what cloud-native DevOps is and how cloud-native affects the DevOps practice, and then we will dive into the current threat landscape, looking at attack vectors, and share some examples of famous attacks that happened in the last four to five years. Finally I will wrap the session up with some strategies and best practices to help you secure your cloud-native DevOps environments.

So, without further ado, let's dive into our first topic: what is cloud-native plus DevOps? There's no official definition of that, but in general it's a principle that describes how people work together to build and deploy applications that can leverage the scalability and flexibility of the cloud environment. It often uses technologies like the microservices pattern, containers and serverless functions, and each of those microservices implements a business capability, communicating via an API, something like that, between different layers. As you can imagine, if you work in the cloud-native DevOps space you kind of know about this: it requires a lot of automation, continuous improvement and close collaboration between teams, and as a result we want to make sure the product has a faster time to market, we can experience benefits like reduced infrastructure overhead, and we can allow our DevOps people to innovate the product.

So as a security person, have you ever encountered a challenge which makes you actually panic? Recently I got a cloud-native project; I was tasked to secure the cloud-native project, and two weeks into the project I was told, "Emma, our application is actually being built." I was like, hang on, I don't know about the security requirements for that application yet. As an architect my first reaction is I need to gather all the requirements for this environment, I need to gather everything, I need to gather all the components. Then I panicked. If you have experienced something similar to that, that's because you have also experienced the problem of security challenges in the cloud-native DevOps space. So let me tell you a bit about what that is.

It is the speed of development and deployment. This environment needs speed, which means that we want to push the code much faster into production, sometimes in a matter of minutes, and that also makes it harder to have security gates implemented into the CI/CD pipelines while we want to keep up with that speed. So sometimes we think, okay, the microservices environment is already kind of isolated and highly resilient and we have enough security, but actually it's not: how about the underlying infrastructure, and the CI/CD and SDLC process? So think about those things. And this environment is often targeted by threat actors.

This page is a little messy, but I'm going to talk you through it. The threat landscape and the trend for the cloud-native environment is evolving. Supply chain attacks remain the major concern of the past few years; as we know, everything is in the headlines. For example, Log4j has been around for two years, but after two years it's still a problem. Why? That means that we are not patching fast enough, right? Beyond the supply chain risk, AI-assisted code has also gained popularity, because our developers love AI: we want to generate code from the AI, faster, productivity, all kinds of benefits. But the question is, are we trusting the integrity of those systems, the machine learning models, that are generating those codes for us? So all those questions are raised. Another thing I would like to mention is misconfigurations. I'm just so surprised how much misconfiguration we have experienced; tiny little errors could lead to a massive breach, and we have seen so much in the headlines, so I'm going to walk through those attacks in a minute.

And we have security professionals looking into cloud-native security risk, so the OWASP Top 10: good job OWASP, because you are nailing it; however, it's under development. I'm doing some research into cloud-native risk and I found this document in OWASP; however, after a few years it's still under development. I know that this space is constantly changing: you can't just define a risk for cloud-native security and call the job done, because it's evolving, that is the fact, and you also need to constantly improve your visibility of everything, all the infrastructure, the components of your services. But yeah, it's very challenging in this space.

Okay, I know this architecture diagram is a little bit overwhelming for some of you maybe, but as an architect I like diagrams, so that's why I put this diagram here. On this page I have broken down the cloud-native environment into three key areas: the developer environment, the DevOps platform environment and the application/infrastructure environment. So let's start from the bottom left, which is the developer environment. As developers we all love IDE plugins, right? We use IDE plugins to improve our code efficiency, productivity and everything like that, even security. So we want to use those tools, we want to integrate those tools as much as possible, and then it comes to the problem of: are we trusting those extensions? Then we move on to the DevOps platform, where the build processes and the CI/CD pipelines are happening. Repos and public container registries are vulnerable to supply chain attacks, we already know that, and the worst thing about this is the CI/CD pipeline: those risks that happen in the supply chain go down to the CI/CD pipeline and get executed, resulting in remote command execution, and then the attack surface is extended to your application environment.

First of all, if you move your eyes to the top left-hand side you can see that I've labeled it as an external attack surface, because I just don't know what the better word for that is, because that is the external attack surface: a lot of things like injection attacks, application security attacks, or exploiting everything at the application level. And then you have APIs; API misconfiguration is so common, and someone is handling the API keys improperly, and also the authentication tokens: if you are not storing them in a secure place, maybe they can get exploited. And then I want to talk about the issue of unmanaged environments. What I meant is something that's legacy, that hasn't been on your system, that's kind of off the records; it could be someone that's stupid enough to use their personal credentials to create a random cloud workload in your environment; you just don't know that, right? It's difficult to have visibility on everything when your environment is so complicated: there are so many moving parts, so many APIs, cloud storage, and also the microservices architecture.

So in this table I've got the attack techniques that we've seen often used to exploit cloud-native environments in the world. I would like to point out a couple of things. The first thing is that misconfiguration is often overlooked, because it's often the entry point for an attack. The second thing is the supply chain. The supply chain has a large attack surface: open source dependencies and container images, but we also haven't forgotten the proprietary software as well. In both cases those threats are not only affecting the service provider itself but also extend to its customers, which leads to a much greater impact. I also want to remind you about the MITRE ATT&CK tactics; I trust every one of you has heard about it at some point. Basically, after the initial access, the attacker could look for ways to maximize their benefit within this environment: they can spread across the network, they can use techniques to hide their tracks using rootkits, and maintain persistence by leaving a back door, something like that.

Okay, the first thing I want to talk about is cloud misconfigurations. There is a statistic that I got somewhere: it was reported that there's a 45% increase in incidents caused by misconfigurations in 2023, and a misconfiguration could be anything relevant to human errors, and they are normally low-hanging fruit for the attackers. So we just experienced a global outage, the blue screen of death, which was caused by a software update by CrowdStrike; this one is an example of not a malicious attack, but it's a good example of how a small operational error could cause impact on a global level. And now on my board here I would like to talk about a couple of incidents, well, not in detail, but a little bit.

So the first one is the Midnight Blizzard incident. Midnight Blizzard is a Russian nation-state actor; they used a password spray attack to compromise a non-production legacy tenant in the Microsoft environment, then leveraged an OAuth application to access the corporate environment, such as the Exchange Server. So this attack has taught us how vulnerable our system is without basic security controls like MFA. Another incident that I would like to reference is the AI GitHub repo data exposure that happened in 2023. As you know, AI projects have become such a valuable target for attackers now. In this incident the Microsoft AI research team accidentally published a bucket of private data, such as secrets and team messages, to a public GitHub repo. The worst thing about this one is that an insecure token was used to share the data from the storage account and the access was overly permissive; as a result, this made the attack possible. And there are a few incidents relevant to S3 buckets and cloud storage; I don't need to mention them too much. I will include the link in the resources at the end of the talk; you can look into them, but it's very basic: those attacks are all exploiting a very basic, simple mistake in the environment.

Okay, supply chain attacks. SolarWinds is a very popular one; I don't need to go into too much detail about it. The second one, I think, is the most interesting one: the Travis CI API vulnerabilities. In this instance the public API call was used to fetch clear-text logs, and these logs contained sensitive information like user tokens; those user tokens could potentially be used for access to services like GitHub and Docker Hub. And the other one is the Kaseya ransomware attack. This is another quite famous ransomware that exploited the CI/CD pipeline and injected ransomware that could be spread downstream into those businesses, and it also caused downtime for over a thousand downstream businesses.

I would like to talk about the open source supply chain attack separately from the normal supply chain attack, because it is a very, very popular attack surface. Log4j is an open source logging package, and probably most of you already know about this attack; I don't need to go into too much detail about it, but this enables attackers to gain remote access to the application that still uses Log4j. And the XZ Utils backdoor is another example, where the open source vulnerability campaign went on for three years without being discovered, and the worst thing about this is that the malicious code was injected into each of those versions of the package, which means it's difficult to track and to mitigate those risks. On the right here I've included a diagram that I drew myself; it kind of explains the tactics and the attack path of the actors, how they exploit this environment.

And then it's the CI/CD pipeline attacks. Every stage of the pipeline, from code to commit to production, can be a target; for example, threat actors can exploit how dependencies are downloaded to execute malicious packages. One thing I'd like to mention is that tools like Jenkins and GitLab are often exploited to launch attacks on the CI/CD pipelines, for example the CI server, the runners, and the insecure handling of credentials and secrets that happens in the CI/CD pipeline. There is a blog reported by the NCC Group that published something like an analysis of 10 attack paths through their security assessments of CI/CD pipelines, and this blog highlighted a few techniques, such as a shared runner being compromised to deploy malware and extract credentials which are used to deploy into the production systems. Another interesting observation here is Visual Studio. Visual Studio is a very popular IDE; I would say 75% of developers are using it. Research has shown, in an experimental attack, that the researcher created something very similar to the genuine VS Code, Visual Studio, and they uploaded this version onto the marketplace, and a lot of people just downloaded it; they didn't know, because they were using typosquatting techniques, so they make it look like the real one. So that is the consequence.

Okay, I included another very nice table here to explain the threat landscape of DevOps, basically CI/CD pipeline security, using the MITRE ATT&CK framework. It's just for your reference only, but I highly recommend you check it out if you're interested.

And then finally is the cloud identity attack. In this one I am going to talk about the famous Okta attack. What happened in the Okta breach: it was in October 2023. A service account was extracted because it was stored in a compromised Google account of an Okta employee, and the account was then used by threat actors to gain access to Okta's customer support systems, which resulted in a file that contains sensitive information such as session tokens being compromised. These session tokens were then leveraged further to penetrate into the internal systems of Okta's customers. So this is another example of a supply chain attack, but using cloud identity as the attack vector. And although this initial compromise wasn't successful, in 2024, in the Cloudflare data breach (I don't know how many of you know about this), the actors were able to establish persistent access to the source code management system, Bitbucket, using the token that was stolen from the Okta instance. On the left I've used an attack path diagram to demonstrate this attack. What I want to emphasize here is that an attack could be the start of another data breach, so things like misconfigurations, cloud identity attacks and also supply chain attacks are all interconnected.

And then there's a callout here: I just want to highlight that, as this report shows, only 1% of the permissions are actively being used, and the amount of workload identities and permissions is contributing to the rise of accidental and malicious insider threats. These are all exploits that allow threat actors to access the cloud infrastructure.

So what are the lessons learned? Okay, so how long do we have... The volume of attacks against the cloud-native environment is increasing and attackers are adapting their techniques to move faster, and CI/CD workflows and DevOps environments are being targeted because of the amount of attack surface and the lack of detection. The trust in the supply chain and open source software is rooted in several factors, for example faster time to market, cost efficiency and collaboration; these are all the benefits that our developers like, but they can be exploited by those threat actors to launch massive campaigns affecting hundreds of businesses.

Okay, now we finally go down to the zero trust security principles. How many of you know about zero trust? Please raise your hand. I think that's everybody, probably, yeah. So it sounds savvy, it's a savvy word, yes I agree with that, and it's a term that has been used by a lot of vendors to market their products: "we've got zero trust features, we've got the entire zero trust package, please buy our product." So some people are probably shy about this term because of that, and a lot of people associate it with a commercial product that does XYZ features. However, do you know it's only a concept and a principle? It's not a technology; it's a collection of things that can achieve a specific goal. So in a zero trust model nothing is trusted: no applications, data, databases, services or infrastructure are trusted by default, and everything, including identities, network, infrastructure and applications, must be monitored and verified. For example, when one piece of the infrastructure or application wants to speak to another, then it must be authenticated according to an access policy that is constantly assessing the authentication, and then, according to the access policy, it will grant the access according to the least privilege principle. So that's the zero trust principle.

So how does the zero trust principle translate into cloud-native DevOps controls? The NCSC defines zero trust into seven further principles, so how do those principles translate into these controls? Let's start with identifying the cloud-native assets, the architecture, identifying first the way that you use to innovate things. You want to know where your developers are getting the third-party packages, the open source; you want to be able to understand what is in your environments, your data, your code, your images, where they are stored. And then know your user, service and device identities. In this case you want to assess your users', devices' and services' behaviors, so you want to detect anomalies, you want to secure the workload identities and you want to protect the secrets in the CI/CD pipelines. And then you want to assess your users' behavior, so in order to do that you need to understand what your DevOps workflow looks like, what your CI/CD process and behavior are, and can you do a check on your workloads. Also you want to audit your privileged accounts. Then you use the policies to authorize your access to all kinds of environments: you use just-in-time access and you can enforce branch security (I'll talk about that in a minute), and even for the APIs you want to enable access policies; we want to control which API is talking to which services. There's a tool that I put at the top here called CIEM, cloud infrastructure entitlement management; this tool is often used to manage the cloud identities within the infrastructure environment.

And then you authenticate and authorize all the connections. How do you achieve that? First of all, you have so many DevOps tools, and then how do you know that the developers are accessing those sets of tools, and whatever resources and environments they need to access? It's difficult to do that unless you integrate your DevOps tools with your identity provider, with your enterprise identity provider, and also enforce MFA on top of that, and enforce conditional access policies for the workload identities. I know that MFA might be difficult to implement for your workload identities. And then you want to enforce service-to-service authentication. Then we talk about the monitoring of the users, devices and services: you could be using something like AI-powered automatic detection, and real-time observability is often provided by eBPF, and security testing (I don't need to mention that) and runtime scanning. Don't forget about those savvy commercial tools like CSPM, KSPM and CWPP, something like that; those tools all enable monitoring and getting visibility into your environment at some point. And finally, don't trust any network. Talking about network security, mTLS probably comes to the top of my head, and then you probably think about micro-segmentation. What does that mean? That means segmenting your environments into staging, production and testing environments, and another thing is you also want to use different CI runners to run the protected jobs; you don't want to mix them together, you need to configure the different segregation policies.

Okay, now I'm going into the very heavy, detailed content for the next probably six, seven minutes; I'm going to be quick about it. So how do you secure your application environment? You first start with establishing your security baseline that you can use to harden your infrastructure environment: use things like CIS Benchmarks, or you can use the cloud-vendor-specific ones, for example the Microsoft cloud security benchmark if you're using it; it's a free version of that. Then you want to monitor your cloud workloads and use tools like CSPM and CNAPP, the cloud-native application protection platform, to detect abnormal behavior within your environment and your cloud workloads. You want to adopt runtime security for your container workloads, and also you want to monitor your infrastructure, including the systems, so you know that you don't have shadow IT. Then you want to implement the just-in-time policy and also zero standing privileged admin accounts. Developers, no, the Ops people often use admin access into your platform, so you want to enforce the just-in-time policy for that, and of course MFA; I don't need to mention that too much, everybody knows about the benefits of MFA, and although they are not attack-proof, they are good. Then you want to enforce role-based access control policies, RBAC, enable session re-authentication and timeout, and you want to block unauthorized and non-compliant deployments using things like policy as code, and you can regularly check your infrastructure-as-code files to detect any misconfiguration and configuration drift. And finally is network security and segmentation. There are a lot of things about it. Firstly you want to ensure that you segment the infrastructure that is used to host your application, where your workloads are running, and then enable protection for the traffic going into your application, and you can use eBPF to improve your network observability and enforce your runner security. So that is something you can look into as well. And don't forget network policy for the containers, to control your traffic flows within the cluster, between pods, and external traffic into the container.

Then I want to talk about how to secure your DevOps platform environment. First of all, you want to regularly scan your codebase for vulnerabilities and adopt the SBOM. Yesterday we had a very nice talk about SBOM in the Proving Ground; if you don't know what SBOM is, go check that out. Then you want to restrict access to your code repository and your container image registry. In terms of your cloud-native DevOps toolchain, there are a couple of things I would like to say about it. You want to ensure that you only adopt the verified third-party DevOps tool integrations, and you want to work with your third-party risk team to provide assessments on those tools; don't just adopt everything. I know that a lot of project teams like to do their own stuff: one team adopting Jenkins, one adopting GitLab, something like that. It's really complicated in a massive environment, but the bottom line is you probably want to make that consistent: use the same tools across your organization, not different tools. And then to secure your CI/CD pipeline, how do you do that? Audit and monitor your CI/CD runners; there are tools that you can use which are based on eBPF again, and that can be used to improve your visibility on your CI/CD runners. And secrets: secrets within the CI/CD pipeline are particularly vulnerable because they can be everywhere, there are so many secrets. Don't hard-code your secrets; that is a very basic security best practice, but unfortunately a lot of people still do that nowadays. And also you want to manage your secrets properly.

Finally, securing your developer environment. Sometimes everybody just doesn't care about the developer environment, because they want them to innovate, they want them to do the job that they need to do, but the thing is there are risks associated with that environment. For example, developers can use their own personal access tokens to access your code repository and your development environment, and all those things like that. So my recommendation would be: you want to enable single sign-on and integrate your DevOps tools with your organization's identity provider using identity federation; that's probably the first step you want to do. Then again, you want to ensure that you enable just-in-time access. Then I'd like to talk a bit more about extension and integration security: again, third-party security risk needs to be assessed, you need to ensure that you are integrating the right tool, and when you are getting something from the marketplace, think twice, or maybe three times, before you actually integrate your things; you want to verify this is actually the genuine tool that you want to integrate. And then finally is to implement branch security: you want to protect your branch, you want to establish branch protection policies, including approval workflows for code changes; that comes down to change management, the entire topic of change management as well. You want to secure access to your repository and the pipelines by applying different kinds of permissions. So that's it for securing your developer environment.

So what are the key takeaways? In this session we have explored the complex threat landscape of the cloud-native environment. Thank you very much for staying with me until now. Basically, you want to shift left; shifting left is not enough, you want to shift everywhere, including every stage from the code to the deployment, in your CI/CD, in your SDLC. And also you want to harden everything: not just the application itself but everything around it, the identity providers, the CI/CD pipeline and the cloud platform, and verify every single connection; it's not just the application, the services between the services, but also verify your users' access to the environment, your developers' access to the CI environment, something like that. And always assume breach, which means that you want to exercise defense in depth: security controls on just one level are not going to be enough. And the cloud-native environment is not a static state, which means that you want to ensure the running applications are monitored for malicious activities or attacks. And finally, automate security: you can use tools and technologies to streamline securing your supply chain and environment, and also to enforce your security policies by automating everything. I think that's everything for my talk. Thank you very much. I have included my LinkedIn profile here so you can connect with me, and there's a link here where you can get all the resources that I used when I was researching this talk. So I hope that you learned something from this, but if you don't, that's okay, because I learned something from it. Okay, any questions?

Sorry. Emma, thank you so much, and I hope you're surviving; our temperatures are a little bit different from here in London. You mentioned at the beginning of your presentation the fact that developers value speed. As a security cloud architect, how do you articulate that you can achieve that value with all the things that you just described? I find that that's normally a point of contention: this is a lot of stuff for us to do, or for somebody to do; how does that align with being able to meet speed-to-market demands for certain development products? Does that question make sense?

Yeah, that makes sense, thank you. So I think speed is crucial, as well as security. I wouldn't say that you don't want speed, but the thing is you want to have a framework, you want to have a baseline that is already implemented to enable that speed, which means security is integrated within all the stages of your SDLC and within your environment: you have things that can monitor for misconfigurations, such as policy as code, things like that. If you have implemented those foundations in your environment you will be able to enable speed. So, unfortunately, this is not something that

that can be done fast it requires a very careful you know architecturing in and factoring your application something like that um yeah so that that is that's how I communicate uh you know how I um ask my my my developers to enforce security I know it's hard and um yeah because i' I've been there before and the thing is but luckily my my my developers are very buyant to my Approach when it comes to esom are there any automated tools we can use for scanning oh sorry I didn't know that as fun I think would you like to answer that question I have a friend I sorry I didn't put you on the spot but she

delivered a talk yesterday I think it's very good for her because she's an expert in that so I think it's better for her to explain this would you mind maybe we can talk after this but uh there are a open source tools which is by Anor trivy oasp oasp is the very well known the cyclon DX and uh trivy has like it is also integrated with Docker desktop so it becomes easy for you to use it and Anor has sift that is available open source you can just use it for free or if you use Anor as a whole it comes like with everything that integrates WP So yeah thank you thank you Emma is that a good answer yeah okay

great next one sorry I think mine is also an sbom question I work for Alan fredman at sisa on the sbom team um and so you I love that you mentioned sbom as a tool for like getting to know your architecture and what's in your Cloud environment so um we uh have these Community groups that talk about esom and one of the groups uh published a paper on how esom applies to cloud and they Identify some ways and where sbom falls short so are you using sbom for your Cloud environments and if you are how are you using it yeah I think esbon um so I think esbon can be used in the way that it can

also monitor not just the application packages but also the infrastructure environment as well as I think that is what I understand so for example infrastructure code template this can also be in the esbon um you know you can put I think esbon talking about esbon I mean if we fix our mindset into the is just about you know the the packages the third party libraries then I don't think that that's the right approach to use that my my thoughts about the sbon is in the future the sbon should be a repository that that's um that is a collection of what is the right uh templates what is the right infrastructure templates and that is what we want to use to enable U

compliance within the cloud environment I mean I might be wrong but that that's that's what I think about how how we can use espon to achieve this does that answer your question or no sorry I don't have anything sorry I'm I'm not that you know I'm not uh specialize in you know application security but I'm more towards the cloud but I think espon is a very good tool so I think it can be extended to to to do Cloud as well to ensure the Cloud's environment is compliant any more questions we are unfortunately out of time so we can definitely if you have some time to stay afterwards we can do that but thank you