into the cloud: - institute for security technology studies (ists)

IntotheCloud:Theprosandconsofhostingserversinpublic,

private,andhybridClouds

AdamGoldstein‐ITSecurityEngineer,DartmouthCollegeand

DartmouthCyber‐securityInitiative

SecuringtheeCampus2010–Hanover,NHJuly19,2010

DartmouthCyber‐SecurityInitiative(CSI)

•  TheCSIisongoingcollaborationbetweenfaculty,staff,andstudents

•  FocusedonprojectsaimedatimprovingthesecurityoftheCollege'sinformationsystems.

•  Studentparticipantsinlastyear:–  6undergraduates(CSandThayer)–  2Mastersstudents(CSandThayer)–  3PhDcandidates(CS)

CloudComputing‐Definitions

•  SoftwareasaService(SaaS)–  GoogleApps,Salesforce.com,MSBPOS

•  PlatformasaService(PaaS)–  GoogleAppEngine,MSAzure,Force.com

•  InfrasctuctureasaService(IaaS)– AmazonEC2– RackspaceCloud– GoGrid

TheAppealofIaaS

• WhatmakeshostingserversintheCloudattractive:– Lowcost– Easeofuse– Scalability– Minimalinfrastructurerequirements– Pay‐for‐usecostmodel

CloudPricing(Jul2010)Rackspace :RAM Hourly

256MB $0.015

2048 MB $0.12

8192 MB $0.48

Amazon EC2 :RAM/CPUs Hourly

1.7GB/1 Small $0.085

1.7GB/5 High CPU Med. $0.17

7.5GB/4 Large $0.34

17GB/6.5 High Mem XL $0.50

7GB/20 High CPU XL $0.68

69GB/26 Hi Mem XXXXL $2.40

CloudPricing(Jul2010)Rackspace :RAM Hourly Monthly

256MB $0.015 $10.95

2048 MB $0.12 $87.60

8192 MB $0.48 $350.40

Amazon EC2 :RAM/CPUs Hourly Monthly

1.7GB/1 Small $0.085 $61.20

1.7GB/5 High CPU Med. $0.17 $122.40

7.5GB/4 Large $0.34 $244.80

17GB/6.5 High Mem XL $0.50 $360.00

7GB/20 High CPU XL $0.68 $489.60

69GB/26 Hi Mem XXXXL $2.40 $1,728.00

PotentialLimitationsofIaaS

•  SomeofthecommonlycitedlimitationsofhostingserversintheCloudinclude:– Securityconcerns– Bandwidthlimitations– Serviceavailability– Legalissues

DartmouthIaaSStudy

•  GeneralDepartmentinterestintheCloud

•  Phase1‐CSIinitiatedastudyofIaaSsecurity•  ResearchedusingIaaSforsecurityservices

•  IdentifiedpotentialriskofattacksfromCloud

•  IdentifiedpotentialriskstocustomersofCloudproviders

•  Phase2–CostisamaindriverforIaaS.Isitworthit?:•  IaaSDecisionTree

•  CloudMetrics

SeminarAgenda

•  Introductions•  CloudDecisionTree•  CalculatingtheCloud‐Metrics

•  PleasantSkiesorGatheringStorm•  SecurityServicesintheCloud•  “Mal‐Users”intheCloud•  RisktoCustomers

•  ThePotentialofPrivateClouds*Interactiveexercisesthroughout

DartmouthIaaSStudy

•  An8question“decision‐tree”whichquicklyallowsDartmouthITadministratorstodeterminewhetheraservermightbeaneligiblecandidateforIaaS

•  “Cloudmetrics”forbandwidth,storagecapacity,processingpower,andusagepatternstohelpITstaffdeterminewhetheritismorecosteffectivetohostaserverinthecloudorkeepitinhouse.

DecisionTree‐SensitiveData

Doestheserverhouse,transmit,orprocesssensitivedatasuchas:–  PersonallyIdentifiableInformation(PII)

–  ProtectedHealthInformation(PHI)–  InstitutionalorPersonalFinancialRecords–  AcademicRecords

–  SensitiveIntellectualPropertyorResearchData

DecisionTree‐SensitiveData?

IfYes–reconsiderhostinginthecloud

•  Limitedauditingcapabilities:

–  Cannotaccessfunctionsneededforthoroughauditing–  CustomerAgreementspreventcertaintypesofauditing

•  LimitedSecurityControls:IaaSserversnotprotectedbyfirewallsandIDS/IPS

•  Web‐basedAdminConsole:Serverinstancesareonlyprotectedbyusername/password

Muchmoreonthislater…

DecisionTree‐MissionCriticalServices?

IfYes,reconsiderhostinginCloud:– Providershaveverylimitedliabilityintheeventofoutages

– Cansuspendorterminateserversiftheyareunderattack,whetherornotitistheCustomer’sfault

DecisionTree‐Uploads?

Doestheserverrequirelargeandfrequentuploads?

IfYes,reconsiderhostingintheCloud– Uploadspeedsareslow– One‐timeloadsmaybeOK,butfrequentuploadsmaysignificantlyhinderusability

DecisionTree‐DataRetentionPolicies?

IfYes,reconsiderhostingintheCloud– Noguaranteeproviderwillcontinuetoofferserviceforrequiredretentiontime

– Theremaybechallengesinretrievingrecordsiftheserviceissuspended

–  IaaSprovidersdonothavepublishedretentionpolicies

DecisionTree–OtherConcerns•  DoestheserverrequireanunsupportedOS?

•  DoestheserverneedtobeconnectedtoperipheraldevicesoraSAN?

•  Aretheresoftwarelicensingissuesthatpreventserverfromrunningincloud?– USBdongle–  IPrestrictions

•  Isphysicalaccesstotheserverrequired?

DecisionTree‐Summary

265DartmouthServersassessed

AccordingtoDecision‐tree:  211notcandidatesforCloud  54canbeconsidered–Let'sreviewcost

CloudMetrics‐Servercost

Toconsider:•  Serversizing

– RAM– CPU– Storage

•  CompareCosts– StandAlone– VirtualServer– CloudInstance

CloudPricing(July2010)Rackspace :RAM Hourly Monthly

256MB $0.015 $10.95

2048 MB $0.12 $87.60

8192 MB $0.48 $350.40

Amazon EC2 :RAM/CPUs Hourly Monthly

1.7GB/1 Small $0.085 $61.20

1.7GB/5 High CPU Med. $0.17 $122.40

7.5GB/4 Large $0.34 $244.80

17GB/6.5 High Mem XL $0.50 $360.00

7GB/20 High CPU XL $0.68 $489.60

69GB/26 Hi Mem XXXXL $2.40 $1,728.00

CloudMetrics–ServerCost

Serverrun‐timerequirementcangreatlyinfluencecost/benefit

–  Cloudofferingsbecomemoreattractiveiftheserverdoesnotneedtorun24/7

CloudMetrics–ServerCostAnalysis

Dartmouthserverthatisonlyusedoneweekamonth:

•  Currentdedicatedserver:– ~$145/monthhardware+additionalcosts(backup,power,cooling)

•  MovetoDartmouthVirtualMachine:~$24/month

•  HostintheCloud:– AmazonEC2:$3.70/month– RackSpaceCloud:$2.40/month

ServerCosts‐VMvs.Cloud

•  Requiredserveruptimecriticalfactor•  ForDartmouth,ifserverneedstorun

24/7,cheapertorunonin‐housevirtualmachine

•  $24/monthforVM•  ~$60/monthforCloud

CloudMetrics–Bandwidthcosts

ForDartmouth:

•  Cost/savingsnegligible•  CheaperinCloudif:

–  aserveruses3timesmoreInternetbandwidththaninternal

•  Ofmorethan650serversreviewed,only4%metthatratio

•  And,$2.00wasthegreatestmonthlysavingsforaserver‐mostwere<$0.50amonth

CloudMetrics‐Risks

EveniftherearecostsavingsintheCloud,makesuretoconsiderotherfactors:

–  Securityconcerns–  Legalissues–  Availabilityrequirements

SeminarAgenda




SecurityServicesintheCloud‐Why

•  Again,generaldepartmentinterestinresearchingIaaS(e.g.it’scheap)

•  CSIisfocusedonSecurity•  Manysecurity“services”couldbegood

candidatesforthecloud•  Onlyneededforashorttime•  Notneeded24/7•  Notmission‐critical•  Limitedsensitivedata*

SecurityServicesintheCloud:Examples

Externalvulnerabilityscanningandpenetrationtesting

ExternalservicemonitoringApplicationandsoftwareevaluationSecuritytooltraining

SecurityServicesintheCloud:AcceptableUsePolicies

Ingeneral,probingyourownsystemsfromthecloudisallowed

MostAUP’spreventprobingthecloudserviceswithoutexplicitconsentfromthevendor

AcceptableUsePolicies:Examples

RackspaceCloud:

“Unauthorizedaccesstooruseofdata,systemsornetworks,includinganyattempttoprobe,scanortestthevulnerabilityofasystemornetworkortobreachsecurityorauthenticationmeasureswithoutexpressauthorizationoftheownerofthesystemornetwork”

AmazonEC2:

“YoumaynotusetheServicestoviolatethesecurityorintegrityofanynetwork,computerorcommunicationssystem,softwareapplication,ornetworkorcomputingdevice(each,a“System”).Prohibitedactivitiesinclude:

Unauthorized Access. Accessing or using any System without permission, including attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System.

Interception. Monitoring of data or traffic on a System without permission.”

AcceptableUsePolicies:TestingagainsttheCloud

RackspaceAUP:“Youmaynotattempttoprobe,scan,penetrateortest

thevulnerabilityofaRackspaceCloudsystemornetworkortobreachtheRackspaceCloud'ssecurityorauthenticationmeasures,whetherbypassiveorintrusivetechniques,withouttheRackspaceCloud'sexpresswrittenconsent.”

TestFindings‐Scanning

•  ConductedNMAPscansofbothDartmouthDataCenters

•  Cloudprovidersdidnotblockscansorraisealertsontheactivity

•  /22subnets(1024hosts)averaged35seconds

•  Maxrtttimeoutof100msproducedaccurateresults

TestFindings–Scanning

•  Usedscanresultstocreatea“FirewallMap”

•  Comparedopenportswithflowdatatomakefirewallrecommendations

•  Internalscannerstillneededtotestprivateaddresses

TestFindings–VulnerabilityScanning

•  ComputingServicesroutinelyconductsvulnerabilityscansfromaninternalserver

•  SamescanswereconductedfromtheCloud

•  Again,noblocksoralertsweregeneratedfromthevendor

•  ExploittoolswerealsoinstalledontheCloudservers.

TestFindings–VulnerabilityScanning(2)

•  Scanof904servers•  Almost30,000possibletestsperhost•  Completedin<2hours

ScanningfromtheCloud‐CostAnalysis

Currentdedicatedscanningserver:~$145/monthhardware+additionalcosts(backup,power,cooling)

MovetoDartmouthVirtualMachine:~$24/month

HostintheCloud:AmazonEC2:$3.70/monthRackSpaceCloud:$2.40/month

ExploringIaaSofferings‐S3Storage

AmazonSimpleStorageService(S3):•  Cloudstorageforanytypeofdata•  ComparabletoNetwork‐attachedStorage(NAS)

•  Accessiblefrommultiplesystemssimultaneously

ExploringIaaSofferings‐EBSStorage

AmazonElasticBlockStorage(EBS)•  CloudstoragethatcanbeattachedtoEC2instances

•  ComparabletoStorageAttachedNetwork(SAN)

•  CanonlybeaccessedbyoneEC2instanceatatime

ExploringIaaSofferings–StoragePricing

AmazonS3•  $0.15perGB‐monthofdatastored

•  $0.01per1,000PUTrequests(saving)

•  $0.01per10,000GETrequests(loading)

AmazonEBSVolumes•  $0.10perGB‐monthofprovisionedstorage

•  $0.10per1millionI/Orequests

•  $0.15perGB‐datatransferredout

•  Free–Datatransferin(until6/30/2010)

SeminarAgenda




GatheringStorm?

IftheCloudcanbeusedforgood,canitalsobeusedforevil?

AppealoftheCloudto“Mal‐users”

WhyusetheCloudformaliciouscomputing?•  Cheap•  Powerful•  Temporarysystems•  Withfraudanincreasingmotivatorof“mal‐users”,lessskillorinterestincompromisingsystems

•  Anonymous?

AccesstotheCloud

Onlyavalidcreditcardande‐mailaddressarerequiredtosetupacloudserver.

Serversarecontrolledviaweb‐consoleandSSH.EasytoaccessthroughTororananonymizer

StealingAmazoncredentialscanallowamal‐usertosetupCloudservers.

CheapPower

Usingownequipmentforprocessorintensivetasksislikelycostprohibitive

AmazonEC2High‐CPUExtraLargeInstance•  7GBofmemory•  20CPUs•  1690GBofinstancestorage•  Price:$0.25‐0.68perinstancehour

MinimalTechnicalControls

Fromourtesting,nosecuritycontrolsonwhatcanberuninthecloud

Receivednowarningsforscanning,vulnerabilityprobes,orexploits

AttacksfromtheCloud?

•  Dartmouthhasblocked42attacksfromAmazonandRackspaceServersinthepast6months

•  Otherschoolshavereportedsimilarfindings

•  Asmallpercentoftotalblocks,butindicatespotentialtrend

AttacksfromtheCloud?

•  IfthemodelworksforAmazon,coulditworkformorenefarious“companies”

•  Or,adifferentview…•  “Thebiggestcloudontheplanetisownedby…thecrooks”

http://www.networkworld.com/community/node/58829

SeminarAgenda




RiskstoCustomers‐IPaddressing•  Filtering/blacklisting

•  Attacksfromthecloudtoyournetwork?•  Willitbehardtodetectorblockattacksfrompopular

cloudservices?•  Willyoubeblockedifotherhostsincloudarecreating

problems?“iftheRackspaceCloudIPnumbersassignedto

youraccountarelistedonanabusedatabase…theRackspaceCloudmaytakereasonableactiontoprotectitsIPnumbers,includingsuspensionand/orterminationofyourservice,regardlessofwhethertheIPnumberswerelistedasaresultofyouractions;”

RisktoCustomers–CloudImageTrojans

FromolderAmazonEC2AUP:

“YoumaynotshareorpublishAmazonMachineImages(“AMIs”)orothercontentorapplicationsontheAWSWebsitethatareintendedtocause,orhavetheconsequenceofcausing,theusertobeinviolationofthetermsandconditionsofthisAgreement.”

RiskstoCustomers–DenialofService

•  Nocontrolofinboundfilteringtocloudservers•  SomeAUP’sstatethataservercanbeblockedifunder

attack•  AmazonCustomerAgreement

“…suspendaccesstoServices…intheeventofadenialofserviceattackorotherattackontheService”

•  FromGoGridAUP:“GoGridmayalsodisableCustomer'sserviceifGoGridsuspectsthatsuch

serviceisthetargetofanattackorinanywayinterfereswithservicesprovidedtoothercustomers,evenifCustomerisnotatfault.”

•  Willscansorotherprobesagainstacloudserverbeenoughtohavetheproviderblockit?

Riskstocustomers–Limitedsecurityauditing

Again,AUPsprohibitperformingsecuritytestsagainstcloudservers

Minimalunderstandingofback‐endsecurity•  Whatcancloudcompaniesaccess?•  Whatcontrolsdotheyhaveinplace?(HR,Auditing)

Riskstocustomers–Dataretention/e‐discovery

•  NopublishedpoliciesonhowCloudprovidershandlee‐discoveryrequests

•  Whatremainswhenserverorstorageisdeleted?

•  DoCloudprovidersperformtheirownbackups?Whatistheirretentionpolicy?

•  Doproviderscollectandretainaccesslogs?

Riskstocustomers–AdministrativeConsole

•  Providersuseaweb‐basedadminconsoletocontrolserverinstances

•  Consoleaccountsuseusername/password

•  Doesn’tmatterhowwellyoulockdownserversifattackercangetconsolecredentials•  Phishing/spearfishing•  Sharingcredentials•  Guessing•  Sniffing

Riskstocustomers–AdministrativeConsole

Whataboutaccesscodeandprivatekeys?Itmaybedifficultforadminstosecurethemappropriately•  Keyslikelywrittentoscriptsandstoredincleartext

•  Keyslikelysharedamongsystemadministrators

•  Potentialformalwaretostealkeys?

SeminarAgenda




Possiblesolution?PrivateCloud

InternalPrivateClouds:providesimilaruserexperiencetoRackSpaceandAmazonEC2butruninyourDataCenter•  Eucalyptus–Commercially‐backedopen‐sourceinternalcloud

•  VMWarevCloud,Citrix,andothers

PrivateCloud

BenefitsofinternalCloud:•  Reducedsecurityrisk•  Fewerbandwidthlimitations•  Inmanycases,lowercostthanIaaSprovidersandenterprisevirtualizationsolutions

Potentialusesofinternalcloud•  Facultyandstudentcourseworkandresearch•  Testanddevelopmentsystems•  Short‐termproductionservers

PrivateCloud–Costcomparison

Serverwith2GBofRAM•  Dedicatedserver:~$100amonth•  CloudProvider:~$60amonth•  VMWare:~$24amonth•  InternalCloud:~12amonth

DCloud‐DartmouthEucalyptusProject

•  OpensourceCloudsoftware•  WorkswithopensourceXENorKVMvirtualization

•  ImplementsAmazonspecificationsforEC2,S3,andEBS

•  CompliantwithAmazonAPIandtoolsuite•  Supportsbuildingahybrid‐cloudwithAmazon

Dcloud‐EucalyptusArchitecture

HybridCloud

•  CombiningpublicandprivateClouds•  Microsoft,VMWare,andEucalytpus/Amazonallhaveofferings

•  Potential:•  DisasterRecovery•  Elasticity•  Lowercostredeundancy

•  Securitystillaconcern

Thanks!

AdamGoldstein

ITSecurityEngineer

PeterKiewitComputingServices

[email protected]

RyanSpeers–Dartmouth2011

RickyMelgares–Dartmouth2011

into the cloud: - institute for security technology studies (ists)

Documents