Professor: Dr. Kazem Akbari Hamed Pishvayazdi, Autumn 1391


Page 2: Cloud Definition

Page 3: Cloud Characteristics

- On demand
- Pay-per-use: less investment
- Pay-as-you-go
- Elastic Capacity & Infinite Resources & Scalability
- Self-Service Interface & Manageability
- Separating user applications from the underlying infrastructure (usually via virtualization)
- Resources that are abstract and virtualized
- Utility Computing
- Better resource utilization
- Reduce power (Green IT computing)
- Ubiquity of access (anywhere, anytime, …)
- Ease of management & Self-service
- Customization: More in IaaS and less in PaaS and SaaS

Page 4: Cloud Security: Advantages & Disadvantages

Page 5: General Security Advantages

- Cloud homogeneity makes security auditing/testing simpler
- Clouds enable automated security management
- Redundancy / Disaster Recovery

Page 6: Cloud Security Advantages

- Dedicated Security Team
- Greater Investment in Security Infrastructure
- Fault Tolerance and Reliability
- Greater Resiliency
- Hypervisor Protection Against Network Attacks

Page 7: Cloud Security Advantages (Cont.)

- Simplification of Compliance Analysis
- Data Held by Unbiased Party (cloud vendor assertion)
- Low-Cost Disaster Recovery and Data Storage Solutions
- On-Demand Security Controls
- Real-Time Detection of System Tampering
- Rapid Re-Constitution of Services
- Advanced Honeynet Capabilities

Page 8:

“Ultimately, you can outsource responsibility but you can’t outsource accountability.”

Page 9: Companies are still afraid to use clouds [Chow09ccsw]

Page 10: Specific Customer Concerns Related to Security

Protection of intellectual property and data                30%
Ability to enforce regulatory or contractual obligations    21%
Unauthorized use of data                                    15%
Confidentiality of data                                     12%
Availability of data                                         9%
Integrity of data                                            8%
Ability to test or audit a provider’s environment            6%
Other                                                        3%

Source: Deloitte Enterprise@Risk: Privacy and Data Protection Survey, 2007

Page 11: Lots of Governance Issues

- Cloud Provider going out of business
- Provider not achieving SLAs
- Provider having poor business continuity planning
- Data Centers in countries with unfriendly laws
- Proprietary lock-in with technology, data formats
- Mistakes made by internal IT security: several orders of magnitude more serious


Page 13: Problems Associated with Cloud Computing

Most security problems stem from:
- Loss of control
- Lack of trust (mechanisms)
- Multi-tenancy

These problems exist mainly in 3rd party management models. Self-managed clouds still have security issues, but not related to the above.

Page 14: Possible Solutions

- Minimize Lack of Trust: Policy Language, Certification
- Minimize Loss of Control: Monitoring, Utilizing different clouds, Access control management, Identity Management (IDM)
- Minimize Multi-tenancy

Page 15: Cloud Forcing Key Issues

- Separation between data owners and data processors
- Anonymity of geography
- Anonymity of provider
- Physical vs virtual controls
- Identity management

Page 16: Key Problems of Tomorrow

- Keeping pace with cloud changes
- Globally incompatible legislation and policy
- Non-standard Private & Public clouds
- Lack of continuous Risk Mgt & Compliance monitoring
- Incomplete Identity Mgt implementations
- Response to security incidents

Page 17: Cloud Deployment Model (NIST Deployment Models … and one other)

© 2008 Cisco Systems, Inc. All rights reserved.

- Public Cloud: Cloud infrastructure made available to the general public.
- Private Cloud: Cloud infrastructure operated solely for an organization.
- Virtual Private Cloud: Cloud services that simulate the private cloud experience in public cloud infrastructure.
- Hybrid Cloud: Cloud infrastructure composed of two or more clouds that interoperate or federate through technology.
- Community Cloud: Cloud infrastructure shared by several organizations and supporting a specific community.

Page 18: Enterprise Deployment Models: Distinguishing between Ownership and Control

Ownership
- Internal Resources: All cloud resources owned by or dedicated to the enterprise
- External Resources: All cloud resources owned by providers; used by many customers

Control
- Private Cloud: Cloud definition/governance controlled by the enterprise
- Public Cloud: Cloud definition/governance controlled by the provider
- Hybrid Cloud: Interoperability and portability among Public and/or Private Cloud systems

Page 19: Amazon Virtual Private Cloud (VPC) (http://aws.amazon.com/vpc/)

Page 20: We Have Control vs. Who Has Control?

We Have Control                  Who Has Control?
It’s located at X.               Where is it located?
We have backups.                 Who backs it up?
Our admins control access.       Who has access?
Our uptime is sufficient.        How resilient is it?
The auditors are happy.          How do auditors observe?
Our security team is engaged.    How does our security team engage?

- 80% of enterprises consider security the #1 inhibitor to cloud adoption
- 48% of enterprises are concerned about the reliability of clouds
- 33% of respondents are concerned with cloud interfering with their ability to comply with regulations

Source: Driving Profitable Growth Through Cloud Computing, IBM Study, 2008 (conducted by Oliver Wyman)

Page 21: Governance structure of IT organizations (figure)

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

Page 22: Assessment responsibility

Page 23: The security landscape around the Cloud (word cloud)*

Password, SAML, Kerberos, PKI, Smart Card, Token, LSPP/EAL4+, Digital Certificate, Thin Clients, Biometrics, HIPAA, VPN, IPSEC, Accreditation, MILS, SSL, MLS, TCP Wrapper, Hardening, Cloud, XML Gateways, Secure Collaboration, Physical Access, Compliance, Secure Blades, H/W Crypto, SOX, Tripwire, Identity Management, DAC, MAC, Cross Domain Systems, RSBAC, FIPS 140-2, PCI DSS, Trusted OS, Trusted Computing, Guards, SABI/TSABI, Cyber Security, SOA Security, SaaS, Laptop Encryption, Wireless, Federation, FISMA

* Not a complete collection

Page 24: Security Implications of the Delivery Models

Model   Service Security by Cloud Provider   Extensibility
SaaS    Greatest                             Least
IaaS    Least                                Greatest
PaaS    Middle                               Middle

The lower down the stack the cloud provider stops, the more security you are tactically responsible for implementing and managing yourself.

Page 25: High-level cloud security concerns

Compliance: Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.

Less Control: Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.

Reliability: High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.

Security Management: Providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud.

Data Security: Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.

Page 26: Attack Categories

- Unsafe Programs
  - Misconfigured Programs
  - Buggy Programs: Buffer Overflows, Parsing Errors, Formatting Errors, Bad input to cgi-bin
  - Malicious Programs: Trojans, Viruses, Worms, Rootkits, Botnets
- Identity Theft
- Applications: Cross site scripting, Injection flaws, Malicious file execution
- Eavesdropping, Spamming, IP Spoofing, DoS/DDoS
- People: Social Engineering, Weak passwords

Page 27: Customer Pain Points

- P - Privacy (Confidentiality)
- A - Authorization (Authentication)
- I - Integrity
- N - Non-Repudiation

The fundamentals of security haven’t changed for a long time. However, in the last few years, due to viruses, worms, intrusions & DDoS attacks, another one has been added, called “Assured Information Access”.

Page 28: Threat Model

- Risk 1: Resource Exhaustion*
- Risk 2: Customer Isolation Failure*
- Risk 3: Management Interface Compromise
- Risk 4: Interception of Data in Transmission
- Risk 5: Data Leakage on Upload/Download, Intra-cloud

Page 29: Threat Model

- Risk 6: Insecure or Ineffective Deletion of Data*
- Risk 7: Distributed Denial of Service (DDoS)
- Risk 8: Economic Denial of Service*
- Risk 9: Loss or Compromise of Encryption Keys
- Risk 10: Malicious Probes or Scans

Page 30: Threat Model

- Risk 11: Compromise of Service Engine/Hypervisor*
- Risk 12: Conflicts between Customer Hardening Procedures and Cloud Environment
- Risk 13: Subpoena and E-Discovery*
- Risk 14: Risk from Changes of Jurisdiction*
- Risk 15: Licensing Risks*

Page 31: Threat Model

- Risk 16: Network Failure
- Risk 17: Networking Management
- Risk 18: Modification of Network Traffic
- Risk 19: Privilege Escalation*
- Risk 20: Social Engineering Attacks

Page 32: Threat Model

- Risk 21: Loss or Compromise of Operation Logs
- Risk 22: Loss or Compromise of Security Logs
- Risk 23: Backups Lost or Stolen
- Risk 23: Unauthorized Access to Premises, Including Physical Access to Machines and Other Facilities
- Risk 25: Theft of Computer Equipment*

Page 33: Overview


Page 35: Mapping the Model to the Metal

Security Control Model (controls by layer)
- Physical: Physical Plant Security, CCTV, Guards
- Compute & Storage: Host-based Firewalls, HIDS/HIPS, Integrity & File/log Management, Encryption, Masking
- Network: NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth
- Management: GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring
- Information: DLP, CMF, Database Activity Monitoring, Encryption
- Applications: SDLC, Binary Analysis, Scanners, WebApp Firewalls, Transactional Sec.
- Trusted Computing: Hardware & Software RoT & APIs

Cloud Model

Compliance Model: PCI, HIPAA, GLBA, SOX
- Firewalls, Code Review, WAF, Encryption, Unique User IDs, Anti-Virus, Monitoring/IDS/IPS, Patch/Vulnerability Management, Physical Access Control, Two-Factor Authentication, ...

Find the Gaps!

Page 36: CSA Guidance Research

Cloud Architecture

Governing the Cloud
- Governance and Enterprise Risk Management
- Legal and Electronic Discovery
- Compliance and Audit
- Information Lifecycle Management
- Portability and Interoperability

Operating in the Cloud
- Security, Bus. Cont., and Disaster Recovery
- Data Center Operations
- Incident Response, Notification, Remediation
- Application Security
- Encryption and Key Management
- Identity and Access Management
- Virtualization

Page 37: CSA Guidance Domains

1. Understand Cloud Architecture

Governing in the Cloud
2. Governance & Risk Mgt
3. Legal
4. Electronic Discovery
5. Compliance & Audit
6. Information Lifecycle Mgt
7. Portability & Interoperability

Operating in the Cloud
2. Traditional, BCM, DR
3. Data Center Operations
4. Incident Response
5. Application Security
6. Encryption & Key Mgt
7. Identity & Access Mgt
8. Storage
9. Virtualization

Page 38: Legal

- between the laws the cloud provider must comply with and those governing the cloud customer
- Gain a clear expectation of the cloud provider’s response to legal requests for information.
- Cross-border data transfers

Page 39: Legal Issues

Liability
- Contractual responsibility
- Financial compensation for not meeting the SLA
- Legal requests for information
- Prohibit data use by provider
- Restrict cross-border transfer

Intellectual Property
- All data, including copies, owned by the client
- State data rights in the SLA clearly

Page 40: Electronic Discovery

- Organizations have control over the data they are legally responsible for.
- Preserve data as authentic and reliable: metadata, logfiles
- Mutual understanding of roles and responsibilities

Page 41: Compliance & Audit

- Classify data and systems to understand compliance requirements
- Understand data locations, copies
- Maintain a right to audit on demand
- Need uniformity in comprehensive certification scoping to beef up SAS 70 II, ISO 2700X

Page 42: Information Lifecycle Mgt

- Logical segregation of information and protective controls implemented
- Understand the privacy restrictions inherent in data
- Data retention assurance is easy; data destruction may be very difficult.

Page 43: Information Lifecycle Management

- Information must be managed throughout the life of the data (creation to destruction)
- Data classification should be put in place
- Data confidentiality
- Data integrity
- Provider access needs to be defined and enforced
- Data retention
- Data destruction (harder to prove by CP)
- Cross-jurisdictional issues
- Negotiate penalties for data breaches
- RBAC required

Page 44: Portability & Interoperability

- Understand and implement layers of abstraction
  - For SaaS: regular data extractions and backups to a usable format
  - For IaaS: deploy applications abstracted from the machine image
  - For PaaS: “loose coupling” using SOA principles
- Understand who the competitors are to your cloud providers and what their capabilities are to assist in migration.
- Advocate open standards.

Page 45: Traditional, BCM/DR

- Greatest concern: insider threat
- Onsite inspections of cloud provider facilities whenever possible.
- BCP/DRP: identify physical interdependencies in provider infrastructure.

Page 46: Business Continuity

- Disaster recovery plan: is it comparable to the client’s data center?
- Can we do a BC audit?
- Location of recovery data centers
- SLA: guarantee data portability

Page 47: Incident Response

- Any data classified private should always be encrypted
- Application layer logging frameworks to allow granular narrowing of incidents to a specific customer.
- Cloud providers and customers need defined collaboration for incident response.

Page 48: Application Security

- Secure software Development Lifecycle (SDL)
- IaaS, PaaS and SaaS: differing trust boundaries for SDL
- For IaaS, need trusted virtual machine images
- Apply best practices available to harden DMZ host systems to virtual machines
- Securing inter-host communications: no assumption of a secure channel between hosts
- Understand malicious actors’ techniques

Page 49: Encryption & Key Mgt

- Application providers not controlling backend systems: assure data is encrypted when stored on the backend
- Use encryption to separate data holding from data usage.
- Segregate the key management from the cloud provider hosting the data, creating a chain of separation.
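The "chain of separation" on this slide, as an added example that is not part of the lecture: envelope encryption in which the provider hosts only ciphertext plus a wrapped data key, while the key-encryption key stays in a customer-side key service. It uses the standard library only, so a HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM; the class names and the sample object are constructed for the demonstration.

```python
"""Added example, not from the slides: slide 49's chain of separation modelled as
envelope encryption.  The provider stores ciphertext + a wrapped DEK; the KEK
never leaves CustomerKeyService.  The toy cipher (HMAC-SHA256 counter-mode
keystream, encrypt-then-MAC) illustrates key placement, not a cipher to deploy."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac_key = hashlib.sha256(b"mac" + key).digest()   # domain-separated MAC key
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac_key = hashlib.sha256(b"mac" + key).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class CustomerKeyService:
    """Customer-controlled key management: holds the KEK, only wraps/unwraps DEKs."""
    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)
    def unwrap(self, wrapped: bytes) -> bytes:
        return open_(self._kek, wrapped)

class ProviderStorage:
    """Cloud provider side: stores ciphertext and the wrapped DEK, never sees the KEK."""
    def __init__(self) -> None:
        self.objects = {}
    def put(self, name: str, ciphertext: bytes, wrapped_dek: bytes) -> None:
        self.objects[name] = (ciphertext, wrapped_dek)
    def get(self, name: str) -> tuple:
        return self.objects[name]

def store(ks: CustomerKeyService, prov: ProviderStorage, name: str, data: bytes) -> None:
    """Encrypt with a fresh DEK, then hand the provider only what it needs to host."""
    dek = secrets.token_bytes(32)
    prov.put(name, seal(dek, data), ks.wrap(dek))

def retrieve(ks: CustomerKeyService, prov: ProviderStorage, name: str) -> bytes:
    """Unwrapping happens on the customer side; the provider only returns blobs."""
    ct, wrapped = prov.get(name)
    return open_(ks.unwrap(wrapped), ct)

def provider_can_decrypt(prov: ProviderStorage, name: str) -> bool:
    """With ciphertext and wrapped DEK but no KEK, the provider is reduced to
    guessing a KEK, and every guess fails the tag check on the wrapped DEK."""
    ct, wrapped = prov.get(name)
    try:
        return open_(open_(secrets.token_bytes(32), wrapped), ct) is not None
    except ValueError:
        return False

if __name__ == "__main__":
    ks, prov = CustomerKeyService(), ProviderStorage()
    store(ks, prov, "ledger.csv", b"constructed sample record")
    print(retrieve(ks, prov, "ledger.csv"), provider_can_decrypt(prov, "ledger.csv"))
```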


Page 52: Identity & Access Mgt

- Robust federated identity management
- Insist upon standards: primarily SAML, WS-Federation and Liberty ID-FF federation
- Validate that the cloud provider supports strong authentication natively or via delegation, and robust password policies
- Consider implementing Single Sign-on (SSO)
- Using cloud-based “Identity as a Service” providers may be a useful tool for


Page 54: Storage

- Storage architecture and abstraction layers: verify that the storage subsystem does not span domain trust boundaries
- Is knowing the storage’s geographical location possible?
- Cloud provider’s data search capabilities
- Storage retirement processes
- Can storage be seized by a third party or government entity?
- How is encryption managed on multi-tenant storage?
- Long term archiving: will the data be available several years later?

Page 55: Virtualization

- Virtualized operating systems should be augmented by third party security technology
- Risk of insecure machine image provisioning
- Virtualization advantages: creating isolated environments with a better defined memory space, to minimize application instability and simplify recovery
- Need granular monitoring of traffic crossing VM backplanes


Page 57: Data Security in the Cloud

Data will be:
- in multi-tenant environments
- spanning multiple layers in the cloud stack
- accessed by various users, tenants, privileged cloud admins
- in various geographical locations
- under various contractual obligations/SLAs
- subject to various regulations and industry best practices
- secured by multiple technologies and services

A shared, multi-tenant infrastructure increases the potential for unauthorized exposure.

Page 58: Cyber Security (DPI)

DPI refers to the ability to inspect all packet contents; other packet processing models allow partial access (shown below).
- Full Layer 2-7 Inspection
- No inherent MAC or IP address: invisible on the network
- Real-time analysis with full packet & flow manipulation
- Create/remove packets
- High speed analysis (10 Gbits/sec)

Packet layout: MAC Header | IP Header | TCP/UDP | Payload

Traditional Network Devices (partial access to the packet): Switch, Router, Firewall (with Servers behind them)

DPI: Access to all packet data, including Layer 7 applications such as VoIP, P2P, HTTP, SMTP
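What "partial access" versus full inspection means at the byte level, as an added example that is not from the slides: the code builds a constructed Ethernet II / IPv4 / TCP frame, slices it into the four regions drawn on the slide, and returns for each device class only the fields it can act on. Mapping a switch to the MAC header, a router to the IP header, a classic firewall to the IP and transport headers and DPI to everything through the Layer 7 payload is the conventional layering and is an assumption of the example, as is the sample HTTP payload.

```python
"""Added example, not from the slides: which bytes of one frame each device
class on slide 58 can act on.  The frame and the device-to-layer mapping are
constructed/assumed for the demonstration (switch = L2, router = L3,
classic firewall = L3/L4 headers, DPI = full Layer 2-7)."""
import struct

VISIBILITY = {
    "switch":   ["MAC Header"],
    "router":   ["MAC Header", "IP Header"],
    "firewall": ["MAC Header", "IP Header", "TCP/UDP"],
    "dpi":      ["MAC Header", "IP Header", "TCP/UDP", "Payload"],
}

def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame carrying `payload` (sample data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def split_layers(frame: bytes) -> dict:
    """Slice a frame into the four regions drawn on the slide."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("only IPv4 over Ethernet II is handled here")
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length from the IHL nibble
    proto = frame[14 + 9]                   # protocol field of the IPv4 header
    l4 = 14 + ihl
    if proto == 6:                          # TCP: data offset in upper nibble of byte 12
        l4_len = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:                       # UDP: fixed 8-byte header
        l4_len = 8
    else:
        raise ValueError(f"unsupported transport protocol {proto}")
    return {"MAC Header": frame[:14], "IP Header": frame[14:l4],
            "TCP/UDP": frame[l4:l4 + l4_len], "Payload": frame[l4 + l4_len:]}

def inspect(frame: bytes, device: str) -> dict:
    """Return only the fields the given device class can see and act on."""
    layers = split_layers(frame)
    seen = {name: layers[name] for name in VISIBILITY[device]}
    view = {"bytes_visible": sum(len(v) for v in seen.values())}
    if "IP Header" in seen:
        view["dst_ip"] = ".".join(str(b) for b in seen["IP Header"][16:20])
    if "TCP/UDP" in seen:
        view["dst_port"] = struct.unpack("!H", seen["TCP/UDP"][2:4])[0]
    if "Payload" in seen:                   # Layer 7: only the DPI engine reaches this far
        view["l7_request"] = seen["Payload"].split(b"\r\n", 1)[0].decode("ascii", "replace")
    return view

if __name__ == "__main__":
    frame = build_frame(b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n")
    for dev in VISIBILITY:
        print(f"{dev:8} -> {inspect(frame, dev)}")
```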

Page 59: Governance & Enterprise Risk Management

- CSPs accept no responsibility for data they store in their infrastructure
- Be clear on who owns the data
- SLAs include: availability, service quality, resolution times, critical success factors, key performance indicators, etc.
- Risk Management: regular 3rd party risk assessments; require listings of all 3rd party relationships
- For mission critical situations & PII, examine creating a private or hybrid cloud

Page 60: Physical/Personnel Security

- Protection against internal attacks: ensure internal people can’t exploit the information to their gain
- Restricted & monitored access 24x7
- Background checks for all relevant personnel
- Audit privileged users?
- Coordination of Admins (Hybrid Cloud)

Page 61: Privacy

Private data: What is collected? Where is it stored? How is it stored? How is it used? How long is it stored?
- Tagging of PII data
- Access control of PII data
- Protection of digital identities & credentials
- Access policy for 3rd parties (e.g. Govt. agency)
- How will 3rd parties protect my privacy?

Page 62: Infrastructure Security

- Network Level
- Host Level
- Application Level

Page 63: The Host Level: SaaS/PaaS

- Both the PaaS and SaaS platforms abstract and hide the host OS from end users
- Host security responsibilities are transferred to the CSP (Cloud Service Provider); you do not have to worry about protecting hosts
- However, as a customer, you still own the risk of managing information hosted in the cloud services.

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

Page 64: The Host Level (cont.): IaaS Host Security

Virtualization Software Security
- Hypervisor (also called Virtual Machine Manager (VMM)) security is key
- A small application that runs on top of the physical machine H/W layer
- Implements and manages the virtual CPU, virtual memory, event channels, and memory shared by the resident VMs
- Also controls I/O and memory access to devices
- Bigger problem in multitenant architectures

Customer Guest OS or Virtual Server Security
- The virtual instance of an OS
- Vulnerabilities have appeared in virtual instances of an OS, e.g., VMware, Xen, and Microsoft’s Virtual PC and Virtual Server
- Customers have full access to virtual servers

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

Page 65: What Are the Key Privacy Concerns?

Typically mix security and privacy. Some considerations to be aware of:
- Storage
- Retention
- Destruction
- Auditing, monitoring and risk management
- Privacy breaches
- Who is responsible for protecting privacy?

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

Page 66: Network Level

- Confidentiality and integrity of data-in-transit
- Less or no system logging/monitoring
- Reassigned IP addresses may expose services unexpectedly; spammers using EC2 are difficult to identify
- Availability of cloud resources: some factors, such as DNS, are controlled by the cloud provider
- Physically separated tiers become logically separated, e.g., 3-tier web applications

Page 67: Host Level (IaaS)

- Hypervisor security: a “zero-day vulnerability” in a VM if the attacker controls the hypervisor
- Virtual machine security: SSH private keys (if the mode is not appropriately set), VM images (especially private VMs), vulnerable services
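The "mode is not appropriately set" case for SSH private keys, as an added example that is not from the slides: an audit that walks a mounted VM image root (or a live host) and reports private keys that any user other than the owner can read. The function names and the sample tree built by demo() are constructed for the demonstration.

```python
"""Added example, not from the slides: find private keys in a mounted VM image
whose file mode exposes them to group/other (slide 67).  demo() builds a
constructed sample tree so the audit can run offline."""
import os
import stat
import tempfile

def looks_like_private_key(path: str) -> bool:
    """Sniff the header instead of trusting the file name: PEM and OpenSSH
    private keys both start with a '-----BEGIN ... PRIVATE KEY-----' line."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(256)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in head

def find_exposed_private_keys(root: str) -> list:
    """Return (relative path, octal mode) for private keys readable by group or
    other; a protected key carries owner bits only (0600 or 0400)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks, sockets and devices are skipped
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077 and looks_like_private_key(path):
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)

def demo() -> list:
    """Build a constructed image root: one protected key, one exposed key and
    one world-readable non-key file, then run the audit over it."""
    root = tempfile.mkdtemp(prefix="vm-image-")
    samples = {
        "root/.ssh/id_ed25519": (b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n", 0o600),
        "home/deploy/.ssh/id_rsa": (b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n", 0o644),
        "etc/motd": (b"Welcome to the constructed sample image\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)                  # explicit chmod so umask does not interfere
    return find_exposed_private_keys(root)

if __name__ == "__main__":
    for path, mode in demo():
        print(f"exposed private key: {path} (mode {mode})")
```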

Page 68: Thank you !!!