Into the Cloud - Institute for Security Technology Studies (ISTS)
TRANSCRIPT
Into the Cloud: The pros and cons of hosting servers in public, private, and hybrid Clouds
Adam Goldstein - IT Security Engineer, Dartmouth College and Dartmouth Cyber-security Initiative
Securing the eCampus 2010 - Hanover, NH, July 19, 2010

Dartmouth Cyber-Security Initiative (CSI)
• The CSI is an ongoing collaboration between faculty, staff, and students
• Focused on projects aimed at improving the security of the College's information systems.
• Student participants in the last year:
– 6 undergraduates (CS and Thayer)
– 2 Masters students (CS and Thayer)
– 3 PhD candidates (CS)
Cloud Computing - Definitions
• Software as a Service (SaaS) – Google Apps, Salesforce.com, MS BPOS
• Platform as a Service (PaaS) – Google App Engine, MS Azure, Force.com
• Infrastructure as a Service (IaaS) – Amazon EC2, Rackspace Cloud, GoGrid

The Appeal of IaaS
• What makes hosting servers in the Cloud attractive:
– Low cost
– Ease of use
– Scalability
– Minimal infrastructure requirements
– Pay-for-use cost model
Cloud Pricing (Jul 2010)

Rackspace:
RAM       Hourly    Monthly
256 MB    $0.015    $10.95
2048 MB   $0.12     $87.60
8192 MB   $0.48     $350.40

Amazon EC2:
RAM/CPUs    Instance type    Hourly    Monthly
1.7 GB/1    Small            $0.085    $61.20
1.7 GB/5    High CPU Med.    $0.17     $122.40
7.5 GB/4    Large            $0.34     $244.80
17 GB/6.5   High Mem XL      $0.50     $360.00
7 GB/20     High CPU XL      $0.68     $489.60
69 GB/26    Hi Mem XXXXL     $2.40     $1,728.00
Potential Limitations of IaaS
• Some of the commonly cited limitations of hosting servers in the Cloud include:
– Security concerns
– Bandwidth limitations
– Service availability
– Legal issues

Dartmouth IaaS Study
• General Department interest in the Cloud
• Phase 1 - CSI initiated a study of IaaS security
• Researched using IaaS for security services
• Identified potential risk of attacks from Cloud
• Identified potential risks to customers of Cloud providers
• Phase 2 – Cost is a main driver for IaaS. Is it worth it?:
• IaaS Decision Tree
• Cloud Metrics
Seminar Agenda
• Introductions
• Cloud Decision Tree
• Calculating the Cloud - Metrics
• Pleasant Skies or Gathering Storm
• Security Services in the Cloud
• “Mal-Users” in the Cloud
• Risk to Customers
• The Potential of Private Clouds
* Interactive exercises throughout
Dartmouth IaaS Study
• An 8 question “decision-tree” which quickly allows Dartmouth IT administrators to determine whether a server might be an eligible candidate for IaaS
• “Cloud metrics” for bandwidth, storage capacity, processing power, and usage patterns to help IT staff determine whether it is more cost effective to host a server in the cloud or keep it in house.
Decision Tree - Sensitive Data
Does the server house, transmit, or process sensitive data such as:
– Personally Identifiable Information (PII)
– Protected Health Information (PHI)
– Institutional or Personal Financial Records
– Academic Records
– Sensitive Intellectual Property or Research Data

Decision Tree - Sensitive Data?
If Yes – reconsider hosting in the cloud
• Limited auditing capabilities:
– Cannot access functions needed for thorough auditing
– Customer Agreements prevent certain types of auditing
• Limited Security Controls: IaaS servers not protected by firewalls and IDS/IPS
• Web-based Admin Console: Server instances are only protected by username/password
Much more on this later…
Decision Tree - Mission Critical Services?
If Yes, reconsider hosting in Cloud:
– Providers have very limited liability in the event of outages
– Can suspend or terminate servers if they are under attack, whether or not it is the Customer’s fault

Decision Tree - Uploads?
Does the server require large and frequent uploads?
If Yes, reconsider hosting in the Cloud
– Upload speeds are slow
– One-time loads may be OK, but frequent uploads may significantly hinder usability

Decision Tree - Data Retention Policies?
If Yes, reconsider hosting in the Cloud
– No guarantee provider will continue to offer service for required retention time
– There may be challenges in retrieving records if the service is suspended
– IaaS providers do not have published retention policies

Decision Tree – Other Concerns
• Does the server require an unsupported OS?
• Does the server need to be connected to peripheral devices or a SAN?
• Are there software licensing issues that prevent server from running in cloud?
– USB dongle
– IP restrictions
• Is physical access to the server required?
Decision Tree - Summary
265 Dartmouth Servers assessed
According to Decision-tree: 211 not candidates for Cloud; 54 can be considered – Let's review cost

Cloud Metrics - Server cost
To consider:
• Server sizing
– RAM
– CPU
– Storage
• Compare Costs
– Stand Alone
– Virtual Server
– Cloud Instance
Cloud Metrics – Server Cost
Server run-time requirement can greatly influence cost/benefit
– Cloud offerings become more attractive if the server does not need to run 24/7

Cloud Metrics – Server Cost Analysis
Dartmouth server that is only used one week a month:
• Current dedicated server:
– ~$145/month hardware + additional costs (backup, power, cooling)
• Move to Dartmouth Virtual Machine: ~$24/month
• Host in the Cloud:
– Amazon EC2: $3.70/month
– RackSpace Cloud: $2.40/month

Server Costs - VM vs. Cloud
• Required server uptime critical factor
• For Dartmouth, if server needs to run 24/7, cheaper to run on in-house virtual machine
• $24/month for VM
• ~$60/month for Cloud
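As an added worked example of the run-time metric above (not code from the talk), the following Python computes monthly cost from the July 2010 hourly rates on the pricing slide and the run time per month at which a cloud instance costs as much as the in-house VM (~$24/month); the hour counts a caller passes in, such as 160 h for "one week a month", are assumptions.

```python
# Added example: monthly cost vs. run time, using the July 2010 hourly rates and
# the Dartmouth in-house estimates quoted on the slides. Hour figures passed in
# by callers (e.g. 160 h for "one week a month") are assumptions, not the talk's.

HOURLY_RATES = {
    "Rackspace 256MB": 0.015,
    "Rackspace 2048MB": 0.12,
    "EC2 Small": 0.085,
    "EC2 Large": 0.34,
}
INHOUSE_VM_MONTHLY = 24.0     # Dartmouth virtual machine, ~$24/month
DEDICATED_MONTHLY = 145.0     # dedicated hardware only, before backup/power/cooling
FULL_MONTH_HOURS = 730        # 24/7 run time


def cloud_monthly_cost(instance, hours_per_month):
    """Pay-for-use cost: hourly rate times the hours the instance actually runs."""
    return round(HOURLY_RATES[instance] * hours_per_month, 2)


def break_even_hours(instance, inhouse_monthly=INHOUSE_VM_MONTHLY):
    """Run time per month at which the cloud instance costs as much as the
    in-house VM. Below this the cloud is cheaper; above it the VM is."""
    return round(inhouse_monthly / HOURLY_RATES[instance], 1)


def cheapest_option(instance, hours_per_month):
    """Rank the three hosting options the talk compares for a given run time."""
    options = {
        "dedicated": DEDICATED_MONTHLY,
        "in-house VM": INHOUSE_VM_MONTHLY,
        "cloud": cloud_monthly_cost(instance, hours_per_month),
    }
    return min(options, key=options.get)


if __name__ == "__main__":
    for inst in HOURLY_RATES:
        print(f"{inst:17s} 24/7: ${cloud_monthly_cost(inst, FULL_MONTH_HOURS):8.2f}"
              f"  break-even vs VM: {break_even_hours(inst):7.1f} h/month")
```

Note that for the smallest Rackspace size the break-even point (1600 h) exceeds the hours in a month, so at that size the cloud instance is cheaper than the VM even at 24/7, while an EC2 Small crosses over at roughly 282 h.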
Cloud Metrics – Bandwidth costs
For Dartmouth:
• Cost/savings negligible
• Cheaper in Cloud if:
– a server uses 3 times more Internet bandwidth than internal
• Of more than 650 servers reviewed, only 4% met that ratio
• And, $2.00 was the greatest monthly savings for a server - most were <$0.50 a month

Cloud Metrics - Risks
Even if there are cost savings in the Cloud, make sure to consider other factors:
– Security concerns
– Legal issues
– Availability requirements
Security Services in the Cloud - Why
• Again, general department interest in researching IaaS (e.g. it’s cheap)
• CSI is focused on Security
• Many security “services” could be good candidates for the cloud
• Only needed for a short time
• Not needed 24/7
• Not mission-critical
• Limited sensitive data*

Security Services in the Cloud: Examples
External vulnerability scanning and penetration testing
External service monitoring
Application and software evaluation
Security tool training

Security Services in the Cloud: Acceptable Use Policies
In general, probing your own systems from the cloud is allowed
Most AUPs prevent probing the cloud services without explicit consent from the vendor

Acceptable Use Policies: Examples
Rackspace Cloud:
“Unauthorized access to or use of data, systems or networks, including any attempt to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without express authorization of the owner of the system or network”
Amazon EC2:
“You may not use the Services to violate the security or integrity of any network, computer or communications system, software application, or network or computing device (each, a “System”). Prohibited activities include:
Unauthorized Access. Accessing or using any System without permission, including attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System.
Interception. Monitoring of data or traffic on a System without permission.”

Acceptable Use Policies: Testing against the Cloud
Rackspace AUP: “You may not attempt to probe, scan, penetrate or test the vulnerability of a Rackspace Cloud system or network or to breach the Rackspace Cloud's security or authentication measures, whether by passive or intrusive techniques, without the Rackspace Cloud's express written consent.”
Test Findings - Scanning
• Conducted NMAP scans of both Dartmouth Data Centers
• Cloud providers did not block scans or raise alerts on the activity
• /22 subnets (1024 hosts) averaged 35 seconds
• Max rtt timeout of 100 ms produced accurate results

Test Findings – Scanning
• Used scan results to create a “Firewall Map”
• Compared open ports with flow data to make firewall recommendations
• Internal scanner still needed to test private addresses
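The “Firewall Map” comparison, as an added Python example (not the study's own tooling): it parses nmap grepable (-oG) output from an external scan and cross-checks each open port against flow records, flagging ports reachable from the Internet that only ever see internal traffic. The hosts, ports and flow records are constructed sample data, and the flow format is a simplified (dst_ip, dst_port, source_is_internal) tuple.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output, as produced by an external
# scan of a data-center range. Hosts and ports are invented.
NMAP_GREPABLE = """\
Host: 10.0.1.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 10.0.1.11 ()  Ports: 3306/open/tcp//mysql///, 22/open/tcp//ssh///
Host: 10.0.1.12 ()  Ports: 25/open/tcp//smtp///, 135/filtered/tcp//msrpc///
"""

# Constructed flow summary: (dst_ip, dst_port, source_is_internal). In practice
# this would be aggregated from the site's NetFlow collector.
FLOWS = [
    ("10.0.1.10", 80, False), ("10.0.1.10", 443, False), ("10.0.1.10", 22, True),
    ("10.0.1.11", 22, True), ("10.0.1.11", 3306, True),
    ("10.0.1.12", 25, False),
]

OPEN_TCP_RE = re.compile(r"(\d+)/open/tcp")


def parse_open_ports(grepable):
    """Return {host: set(open TCP ports)} from nmap -oG lines; filtered/closed ports are ignored."""
    open_ports = defaultdict(set)
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port in OPEN_TCP_RE.findall(ports_field):
            open_ports[host].add(int(port))
    return dict(open_ports)


def firewall_recommendations(open_ports, flows):
    """Open ports with no Internet-sourced flows are candidates for blocking at the perimeter."""
    external_use = {(ip, port) for ip, port, internal in flows if not internal}
    recs = {}
    for host, ports in sorted(open_ports.items()):
        block = sorted(p for p in ports if (host, p) not in external_use)
        if block:
            recs[host] = block
    return recs


if __name__ == "__main__":
    for host, ports in firewall_recommendations(parse_open_ports(NMAP_GREPABLE), FLOWS).items():
        print(f"{host}: recommend blocking inbound TCP {ports}")
```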
Test Findings – Vulnerability Scanning
• Computing Services routinely conducts vulnerability scans from an internal server
• Same scans were conducted from the Cloud
• Again, no blocks or alerts were generated from the vendor
• Exploit tools were also installed on the Cloud servers.

Test Findings – Vulnerability Scanning (2)
• Scan of 904 servers
• Almost 30,000 possible tests per host
• Completed in <2 hours

Scanning from the Cloud - Cost Analysis
Current dedicated scanning server: ~$145/month hardware + additional costs (backup, power, cooling)
Move to Dartmouth Virtual Machine: ~$24/month
Host in the Cloud: Amazon EC2: $3.70/month; RackSpace Cloud: $2.40/month

Exploring IaaS offerings - S3 Storage
Amazon Simple Storage Service (S3):
• Cloud storage for any type of data
• Comparable to Network-attached Storage (NAS)
• Accessible from multiple systems simultaneously

Exploring IaaS offerings - EBS Storage
Amazon Elastic Block Storage (EBS)
• Cloud storage that can be attached to EC2 instances
• Comparable to Storage Attached Network (SAN)
• Can only be accessed by one EC2 instance at a time

Exploring IaaS offerings – Storage Pricing
Amazon S3
• $0.15 per GB-month of data stored
• $0.01 per 1,000 PUT requests (saving)
• $0.01 per 10,000 GET requests (loading)
Amazon EBS Volumes
• $0.10 per GB-month of provisioned storage
• $0.10 per 1 million I/O requests
• $0.15 per GB of data transferred out
• Free – Data transfer in (until 6/30/2010)
Gathering Storm?
If the Cloud can be used for good, can it also be used for evil?

Appeal of the Cloud to “Mal-users”
Why use the Cloud for malicious computing?
• Cheap
• Powerful
• Temporary systems
• With fraud an increasing motivator of “mal-users”, less skill or interest in compromising systems
• Anonymous?

Access to the Cloud
Only a valid credit card and e-mail address are required to set up a cloud server.
Servers are controlled via web-console and SSH. Easy to access through Tor or an anonymizer
Stealing Amazon credentials can allow a mal-user to set up Cloud servers.

Cheap Power
Using own equipment for processor intensive tasks is likely cost prohibitive
Amazon EC2 High-CPU Extra Large Instance
• 7 GB of memory
• 20 CPUs
• 1690 GB of instance storage
• Price: $0.25-0.68 per instance hour

Minimal Technical Controls
From our testing, no security controls on what can be run in the cloud
Received no warnings for scanning, vulnerability probes, or exploits

Attacks from the Cloud?
• Dartmouth has blocked 42 attacks from Amazon and Rackspace Servers in the past 6 months
• Other schools have reported similar findings
• A small percent of total blocks, but indicates potential trend

Attacks from the Cloud?
• If the model works for Amazon, could it work for more nefarious “companies”
• Or, a different view…
• “The biggest cloud on the planet is owned by… the crooks”
http://www.networkworld.com/community/node/58829
Risks to Customers - IP addressing
• Filtering/blacklisting
• Attacks from the cloud to your network?
• Will it be hard to detect or block attacks from popular cloud services?
• Will you be blocked if other hosts in cloud are creating problems?
“if the Rackspace Cloud IP numbers assigned to your account are listed on an abuse database… the Rackspace Cloud may take reasonable action to protect its IP numbers, including suspension and/or termination of your service, regardless of whether the IP numbers were listed as a result of your actions;”

Risk to Customers – Cloud Image Trojans
From older Amazon EC2 AUP:
“You may not share or publish Amazon Machine Images (“AMIs”) or other content or applications on the AWS Web site that are intended to cause, or have the consequence of causing, the user to be in violation of the terms and conditions of this Agreement.”

Risks to Customers – Denial of Service
• No control of inbound filtering to cloud servers
• Some AUPs state that a server can be blocked if under attack
• Amazon Customer Agreement: “…suspend access to Services… in the event of a denial of service attack or other attack on the Service”
• From GoGrid AUP: “GoGrid may also disable Customer's service if GoGrid suspects that such service is the target of an attack or in any way interferes with services provided to other customers, even if Customer is not at fault.”
• Will scans or other probes against a cloud server be enough to have the provider block it?

Risks to customers – Limited security auditing
Again, AUPs prohibit performing security tests against cloud servers
Minimal understanding of back-end security
• What can cloud companies access?
• What controls do they have in place? (HR, Auditing)

Risks to customers – Data retention / e-discovery
• No published policies on how Cloud providers handle e-discovery requests
• What remains when server or storage is deleted?
• Do Cloud providers perform their own backups? What is their retention policy?
• Do providers collect and retain access logs?
Risks to customers – Administrative Console
• Providers use a web-based admin console to control server instances
• Console accounts use username/password
• Doesn’t matter how well you lock down servers if attacker can get console credentials
• Phishing/spear phishing
• Sharing credentials
• Guessing
• Sniffing

Risks to customers – Administrative Console
What about access codes and private keys? It may be difficult for admins to secure them appropriately
• Keys likely written to scripts and stored in cleartext
• Keys likely shared among system administrators
• Potential for malware to steal keys?
Possible solution? Private Cloud
Internal Private Clouds: provide similar user experience to RackSpace and Amazon EC2 but run in your Data Center
• Eucalyptus – Commercially-backed open-source internal cloud
• VMWare vCloud, Citrix, and others

Private Cloud
Benefits of internal Cloud:
• Reduced security risk
• Fewer bandwidth limitations
• In many cases, lower cost than IaaS providers and enterprise virtualization solutions
Potential uses of internal cloud
• Faculty and student coursework and research
• Test and development systems
• Short-term production servers

Private Cloud – Cost comparison
Server with 2 GB of RAM
• Dedicated server: ~$100 a month
• Cloud Provider: ~$60 a month
• VMWare: ~$24 a month
• Internal Cloud: ~$12 a month

DCloud - Dartmouth Eucalyptus Project
• Open source Cloud software
• Works with open source XEN or KVM virtualization
• Implements Amazon specifications for EC2, S3, and EBS
• Compliant with Amazon API and tool suite
• Supports building a hybrid-cloud with Amazon

DCloud - Eucalyptus Architecture

Hybrid Cloud
• Combining public and private Clouds
• Microsoft, VMWare, and Eucalyptus/Amazon all have offerings
• Potential:
– Disaster Recovery
– Elasticity
– Lower cost redundancy
• Security still a concern

Thanks!
Adam Goldstein
IT Security Engineer
Peter Kiewit Computing Services
Ryan Speers – Dartmouth 2011
Ricky Melgares – Dartmouth 2011