Hamed Pishvayazdi, spring 1394
Cloud Definition
Cloud Characteristics
- On demand
- Pay-per-use: less investment; pay-as-you-go
- Elastic capacity, infinite resources and scalability
- Self-service interface and manageability
- Abstraction: resources that are abstract and virtualized
- Utility computing
- Better resource utilization
- Reduced power consumption (Green IT computing)
- Ubiquity of access (anywhere, anytime, …)
- Ease of management and self-service
- Customization: more in IaaS and less in PaaS and SaaS
Cloud Security: Advantages & Disadvantages
General Security Advantages
- Cloud homogeneity makes security auditing/testing simpler
- Clouds enable automated security management
- Redundancy / disaster recovery
Cloud Security Advantages
- Dedicated security team
- Greater investment in security infrastructure
- Fault tolerance and reliability
- Greater resiliency
- Hypervisor protection against network attacks

Cloud Security Advantages (cont.)
- Simplification of compliance analysis
- Data held by unbiased party (cloud vendor assertion)
- Low-cost disaster recovery and data storage solutions
- On-demand security controls
- Real-time detection of system tampering
- Rapid re-constitution of services
- Using cloud for security: defense or attack
  - Advanced honeynet capabilities
  - DoS
  - Decryption
Responsibility & Accountability
“Ultimately, you can outsource responsibility but you can’t outsource accountability.”
Companies are still afraid to use clouds
Specific Customer Concerns Related to Security
- Protection of intellectual property and data: 30%
- Ability to enforce regulatory or contractual obligations: 21%
- Unauthorized use of data: 15%
- Confidentiality of data: 12%
- Availability of data: 9%
- Integrity of data: 8%
- Ability to test or audit a provider’s environment: 6%
- Other: 3%
Source: Deloitte Enterprise@Risk: Privacy and Data Protection Survey, 2007
Lots of Governance Issues
- Cloud provider going out of business
- Provider not achieving SLAs
- Provider having poor business continuity planning
- Data centers in countries with unfriendly laws
- Proprietary lock-in with technology, data formats
- Mistakes made by internal IT security – several orders of magnitude more serious
Problems Associated with Cloud Computing
Most security problems stem from:
- Loss of control
- Lack of trust (mechanisms)
- Multi-tenancy
These problems exist mainly in 3rd-party management models. Self-managed clouds still have security issues, but not related to the above.

Possible Solutions
Minimize lack of trust:
- Policy language
- Certification
Minimize loss of control:
- Monitoring
- Utilizing different clouds
- Access control management
- Identity management (IDM)
Minimize multi-tenancy
Cloud Forcing Key Issues
- Separation between data owners and data processors
- Anonymity of geography
- Anonymity of provider
- Physical vs virtual controls
- Identity management
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
… and one other
Cloud Deployment Model (NIST Deployment Models)
- Public Cloud: cloud infrastructure made available to the general public.
- Private Cloud: cloud infrastructure operated solely for an organization.
- Virtual Private Cloud: cloud services that simulate the private cloud experience in public cloud infrastructure.
- Hybrid Cloud: cloud infrastructure composed of two or more clouds that interoperate or federate through technology.
- Community Cloud: cloud infrastructure shared by several organizations and supporting a specific community.
Enterprise Deployment Models: Distinguishing between Ownership and Control
Ownership
- Internal resources: all cloud resources owned by or dedicated to the enterprise
- External resources: all cloud resources owned by providers; used by many customers
Control
- Private Cloud: cloud definition/governance controlled by the enterprise
- Public Cloud: cloud definition/governance controlled by the provider
- Hybrid Cloud: interoperability and portability among public and/or private cloud systems
Amazon Virtual Private Cloud (VPC) (http://aws.amazon.com/vpc/)
We Have Control
- It’s located at X.
- We have backups.
- Our admins control access.
- Our uptime is sufficient.
- The auditors are happy.
- Our security team is engaged.

Who Has Control?
- Where is it located?
- Who backs it up?
- Who has access?
- How resilient is it?
- How do auditors observe?
- How does our security team engage?
- 80% of enterprises consider security the #1 inhibitor to cloud adoption
- 48% of enterprises are concerned about the reliability of clouds
- 33% of respondents are concerned with cloud interfering with their ability to comply with regulations
Source: Driving Profitable Growth Through Cloud Computing, IBM Study, 2008 (conducted by Oliver Wyman)

Governance structure of IT organizations

Assessment responsibility
High-level cloud security concerns
- Compliance: complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.
- Less Control: many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.
- Reliability: high availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission-critical applications may not run in the cloud without strong availability guarantees.
- Security Management: providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud.
- Data Security: migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.

Customer Pain Points
- P - Privacy (Confidentiality)
- A - Authorization (Authentication)
- I - Integrity
- N - Non-Repudiation
The fundamentals of security haven’t changed for a long time. However, in the last few years, due to viruses, worms, intrusions and DDoS attacks, another one has been added, called “Assured Information Access”.
Threat Model
- Risk 1: Resource Exhaustion*
- Risk 2: Customer Isolation Failure*
- Risk 3: Management Interface Compromise
- Risk 4: Interception of Data in Transmission
- Risk 5: Data Leakage on Upload/Download, Intra-cloud
- Risk 6: Insecure or Ineffective Deletion of Data*
- Risk 7: Distributed Denial of Service (DDoS)
- Risk 8: Economic Denial of Service*
- Risk 9: Loss or Compromise of Encryption Keys
- Risk 10: Malicious Probes or Scans
- Risk 11: Compromise of Service Engine/Hypervisor*
- Risk 12: Conflicts between Customer Hardening Procedures and Cloud Environment
- Risk 13: Subpoena and E-Discovery*
- Risk 14: Risk from Changes of Jurisdiction*
- Risk 15: Licensing Risks*
- Risk 16: Network Failure
- Risk 17: Networking Management
- Risk 18: Modification of Network Traffic
- Risk 19: Privilege Escalation*
- Risk 20: Social Engineering Attacks
- Risk 21: Loss or Compromise of Operation Logs
- Risk 22: Loss or Compromise of Security Logs
- Risk 23: Backups Lost or Stolen
- Risk 24: Unauthorized Access to Premises, Including Physical Access to Machines and Other Facilities
- Risk 25: Theft of Computer Equipment*
Overview

Mapping the Model to the Metal
Security Control Model (by layer)
- Physical: physical plant security, CCTV, guards
- Compute & Storage: host-based firewalls, HIDS/HIPS, integrity and file/log management, encryption, masking
- Network: NIDS/NIPS, firewalls, DPI, anti-DDoS, QoS, DNSSEC, OAuth
- Management: GRC, IAM, VA/VM, patch management, configuration management, monitoring
- Information: DLP, CMF, database activity monitoring, encryption
- Applications: SDLC, binary analysis, scanners, web application firewalls, transactional security
- Trusted Computing: hardware and software RoT and APIs

Cloud Model

Compliance Model (PCI, HIPAA, GLBA, SOX)
Firewalls, code review, WAF, encryption, unique user IDs, anti-virus, monitoring/IDS/IPS, patch/vulnerability management, physical access control, two-factor authentication, ...

Find the Gaps!
CSA Guidance Research
Governing in the Cloud:
- Governance and Enterprise Risk Management
- Legal and Electronic Discovery
- Compliance and Audit
- Information Lifecycle Management
- Portability and Interoperability
Operating in the Cloud:
- Security, Business Continuity, and Disaster Recovery
- Data Center Operations
- Incident Response, Notification, Remediation
- Application Security
- Encryption and Key Management
- Identity and Access Management
- Virtualization
Cloud Architecture

CSA Guidance Domains
1. Understand Cloud Architecture
Governing in the Cloud
2. Governance & Risk Mgt
3. Legal
4. Electronic Discovery
5. Compliance & Audit
6. Information Lifecycle Mgt
7. Portability & Interoperability
Operating in the Cloud
2. Traditional, BCM, DR
3. Data Center Operations
4. Incident Response
5. Application Security
6. Encryption & Key Mgt
7. Identity & Access Mgt
8. Storage
9. Virtualization
Governing the cloud

Legal
- Between the laws the cloud provider must comply with and those governing the cloud customer
- Gain a clear expectation of the cloud provider’s response to legal requests for information.
- Cross-border data transfers
Legal Issues
Liability:
- Contractual responsibility
- Financial compensation for not meeting the SLA
- Legal requests for information
- Prohibit data use by the provider
- Restrict cross-border transfer
Intellectual Property:
- All data, including copies, owned by the client
- State data rights in the SLA clearly
Electronic Discovery
- Organizations have control over the data they are legally responsible for.
- Preserve data as authentic and reliable: metadata, log files
- Mutual understanding of roles and responsibilities
Compliance & Audit
- Classify data and systems to understand compliance requirements
- Understand data locations and copies
- Maintain a right to audit on demand
- Need uniformity in comprehensive certification scoping to beef up SAS 70 II, ISO 2700X
Information Lifecycle Mgt
- Logical segregation of information and protective controls implemented
- Understand the privacy restrictions inherent in data
- Data retention assurance is easy; data destruction may be very difficult.

Information Lifecycle Management
- From creation to destruction
- Data classification
- Data confidentiality
- Data integrity
- Provider access needs to be defined
- Data retention
- Data destruction: harder to prove
- Cross-jurisdictional issues
- Negotiate penalties for data breaches
- Access control: like RBAC
Portability & Interoperability
- Understand and implement layers of abstraction
  - For SaaS: regular data extractions and backups to a usable format
  - For IaaS: deploy applications abstracted from the machine image.
  - For PaaS: “loose coupling” using SOA principles
- Understand who the competitors are to your cloud providers and what their capabilities are to assist in migration.
- Advocate open standards.
Operating in the cloud
Traditional, BCM/DR
- Greatest concern: insider threat
- Onsite inspections of cloud provider facilities whenever possible.
- BCP/DRP: identify physical interdependencies in provider infrastructure.
Business Continuity
- Disaster recovery plan: is it comparable to the client’s data center?
- Can we do a BC audit?
- Location of recovery data centers
- SLA guarantee
- Data portability
Incident Response
- Any data classified private should always be encrypted
- Application layer logging frameworks to allow granular narrowing of incidents to a specific customer.
- Cloud providers and customers need defined collaboration for incident response.
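The "narrowing to a specific customer" point above is easiest to see on actual log lines. The following is an added example, not code from the slides or from any provider: constructed key=value application log lines (the field name `tenant` is an assumed customer tag) are parsed so that a responder can count failed logins per customer, see which customers one source address touched, and list the events that carry no tenant tag and therefore cannot be attributed to anyone.

```python
"""Tenant-tagged application logs for incident narrowing.

Added illustration, not code from the slides. Log lines are constructed
samples in a simple key=value format; the field name "tenant" is an
assumption standing in for whatever customer identifier a real logging
framework emits. Lines without a tenant tag cannot be attributed to a
customer, which is the gap the slide's recommendation closes.
"""
import re
from collections import Counter

# Constructed sample log lines (not real traffic). One line deliberately
# lacks the tenant tag to show what an incident responder cannot attribute.
SAMPLE_LOGS = """\
2015-04-01T10:00:01Z level=INFO tenant=acme user=alice event=login result=ok src=198.51.100.7
2015-04-01T10:00:04Z level=WARN tenant=acme user=alice event=login result=fail src=203.0.113.9
2015-04-01T10:00:05Z level=WARN tenant=acme user=alice event=login result=fail src=203.0.113.9
2015-04-01T10:00:09Z level=WARN tenant=globex user=bob event=login result=fail src=203.0.113.9
2015-04-01T10:00:12Z level=WARN user=carol event=login result=fail src=203.0.113.9
2015-04-01T10:00:15Z level=INFO tenant=globex user=bob event=download object=report.pdf
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Split a line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def parse_all(text: str) -> list:
    """Parse every non-empty line of a log excerpt."""
    return [parse(line) for line in text.splitlines() if line.strip()]


def failed_logins_by_tenant(text: str) -> dict:
    """Count failed logins per customer; untagged lines are skipped."""
    counts = Counter()
    for f in parse_all(text):
        if f.get("event") == "login" and f.get("result") == "fail" and "tenant" in f:
            counts[f["tenant"]] += 1
    return dict(counts)


def tenants_hit_by_source(text: str, src_ip: str) -> set:
    """Customers a single source address touched: the per-customer slice a
    provider can hand over during a joint incident response."""
    return {f["tenant"] for f in parse_all(text)
            if f.get("src") == src_ip and "tenant" in f}


def unattributable(text: str) -> list:
    """Timestamps of events that cannot be narrowed to any customer."""
    return [f["ts"] for f in parse_all(text) if "tenant" not in f]


if __name__ == "__main__":
    print(failed_logins_by_tenant(SAMPLE_LOGS))
    print(sorted(tenants_hit_by_source(SAMPLE_LOGS, "203.0.113.9")))
    print(unattributable(SAMPLE_LOGS))
```

The untagged `carol` line is the case the slide warns about: the event is real and part of the same failed-login burst, but without a customer tag neither the provider nor any customer can claim it.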
Application Security
- Secure Software Development Lifecycle (SDL)
- IaaS, PaaS and SaaS: differing trust boundaries for SDL
- For IaaS, need trusted virtual machine images
- Apply best practices available to harden DMZ host systems to virtual machines
- Securing inter-host communications: no assumption of a secure channel between hosts
- Understand malicious actors’ techniques
Cyber Security (DPI)
- DPI refers to the ability to inspect all packet contents
- Other packet processing models allow partial access (shown below)
- Full Layer 2-7 inspection
- No inherent MAC or IP address: invisible on the network
- Real-time analysis with full packet and flow manipulation
- Create/remove packets
- High-speed analysis (10 Gbit/s)

Diagram: packet = MAC Header | IP Header | TCP/UDP | Payload
Traditional network devices (switch, router, firewall) each see only the header fields of their own layer, and servers see the payload; DPI has access to all packet data, including Layer 7 applications such as VoIP, P2P, HTTP, SMTP.
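To make the layered view concrete, here is an added example that is not part of the slides: a constructed Ethernet II / IPv4 / TCP frame (made-up MAC and IP addresses, zero checksums) is parsed with the Python standard library, and four functions return what a switch, a router, a stateless firewall and a DPI engine respectively classify on. Two payloads are sent to the same port to show that the firewall view cannot tell them apart while the DPI view can.

```python
"""Layered packet views: switch, router, firewall and DPI.

Added illustration, not from the slides. A constructed Ethernet II / IPv4 /
TCP frame carrying an HTTP request is parsed with the standard library. Each
view returns only the fields a device at that layer classifies on; the DPI
view alone reaches into the payload (Layer 7). Addresses are sample values
and checksums are left zero, which no real stack emits.
"""
import struct

ETH_LEN = 14  # Ethernet II header: dst MAC, src MAC, ethertype

# Constructed payloads: a plain HTTP request, and non-HTTP bytes sent to port 80
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_OTHER = b"\x16\x03\x01\x00\x05hello"


def build_frame(payload: bytes, dst_port: int = 80) -> bytes:
    """Assemble Ethernet + IPv4 + TCP headers around the payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # version/IHL, DSCP, total length, id, flags/frag, TTL, proto=TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    # sport, dport, seq, ack, data offset=5 words, flags=PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def switch_view(frame: bytes) -> dict:
    """Layer 2: a switch forwards on MAC addresses and ethertype only."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    return {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": hex(ethertype)}


def _ip_header(frame: bytes) -> bytes:
    ihl = (frame[ETH_LEN] & 0x0F) * 4  # header length in bytes
    return frame[ETH_LEN:ETH_LEN + ihl]


def router_view(frame: bytes) -> dict:
    """Layer 3: a router looks at addresses, TTL and protocol."""
    ip = _ip_header(frame)
    return {"src_ip": ".".join(map(str, ip[12:16])),
            "dst_ip": ".".join(map(str, ip[16:20])),
            "ttl": ip[8], "protocol": ip[9]}


def _tcp_segment(frame: bytes) -> bytes:
    return frame[ETH_LEN + len(_ip_header(frame)):]


def firewall_view(frame: bytes) -> dict:
    """Layer 4: a stateless firewall decides on ports and TCP flags."""
    tcp = _tcp_segment(frame)
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    return {"src_port": sport, "dst_port": dport,
            "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}


def dpi_view(frame: bytes) -> dict:
    """Layer 7: DPI reads the payload and classifies the application."""
    tcp = _tcp_segment(frame)
    payload = tcp[(tcp[12] >> 4) * 4:]  # skip TCP header (data offset in words)
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    is_http = len(parts) == 3 and parts[2].startswith(b"HTTP/")
    return {"application": "HTTP" if is_http else "unknown",
            "request_line": first_line.decode("latin-1") if is_http else "",
            "payload_len": len(payload)}


if __name__ == "__main__":
    for payload in (SAMPLE_HTTP, SAMPLE_OTHER):
        frame = build_frame(payload)
        # Same destination port for both frames, so the firewall view is
        # identical; only the DPI view separates HTTP from the other bytes.
        print(firewall_view(frame)["dst_port"], dpi_view(frame)["application"])
```

The HTTP classifier is deliberately minimal (request line shape only); a production DPI engine reassembles TCP streams and matches protocol grammars, but the point of the example is the boundary each device stops at, not the classifier's depth.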
Encryption & Key Mgt
- Not controlling backend systems: assure data is encrypted when stored on the backend
- Use encryption to separate data holding from data usage.
- Segregate the key management from the cloud provider hosting the data, creating a chain of separation.
Identity & Access Mgt
- Robust federated identity management
- Insist upon standards: primarily SAML, WS-Federation and Liberty ID-FF federation
- Validate that the cloud provider supports strong authentication, natively or via delegation, and supports robust password policies
- Consider implementing Single Sign-On (SSO)
- Using cloud-based “Identity as a Service” providers may be a useful tool for
Data & Storage
- Storage architecture and abstraction layers: verify that the storage subsystem does not span domain trust boundaries
- Knowing the geographical location of storage is possible
- Cloud provider’s data search capabilities
- Storage retirement processes
- Can storage be seized by a third party or government entity?
- How is encryption managed on multi-tenant storage?
- Long-term archiving: will the data be available several years later?
Privacy
Private data:
- What is collected?
- Where is it stored?
- How is it stored?
- How is it used?
- How long is it stored?
- Tagging of PII data
- Access control of PII data
- Protection of digital identities and credentials
- Access policy for 3rd parties (e.g. govt. agency)
- How will 3rd parties protect my privacy?
Governance & Enterprise Risk Management
- CSPs accept no responsibility for data they store in their infrastructure
- Be clear on who owns the data
- SLAs include: availability, service quality, resolution times, critical success factors, key performance indicators, etc.
- Regular 3rd-party risk assessments
- Require listings of all 3rd-party relationships
- For mission-critical situations and PII, examine creating a private or hybrid cloud
- Risk management
Virtualization
- Virtualized operating systems should be augmented by third-party security technology
- Risk of insecure machine image provisioning
- Virtualization advantages: creating isolated environments with a better-defined memory space minimizes application instability and simplifies recovery.
- Need granular monitoring of traffic crossing VM backplanes
Physical/Personnel Security
- Protection against internal attacks
- Ensure internal people can’t exploit the information to their gain
- Restricted and monitored access 24x7
- Background checks for all relevant personnel
- Audit privileged users?
- Coordination of admins (hybrid cloud)
The Host Level
SaaS/PaaS
- Both the PaaS and SaaS platforms abstract and hide the host OS from end users
- Host security responsibilities are transferred to the CSP (Cloud Service Provider); you do not have to worry about protecting hosts
- However, as a customer, you still own the risk of managing information hosted in the cloud services.
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

The Host Level (cont.)
Thank you!

Questions?