
Nimrod Luria, Head of Information Security department at Hi-tech College and the CTO of Qrity.
* Private cloud architecture, focusing on Microsoft technologies
* Description of threats to cloud systems
* Secure development, and the ways systems hosted in a cloud environment are penetrated and attacked

Transcript

  • 1. Cloud Security. Nimrod Luria, CTO | Q.rity; Information Security Lead | Hi-Tech. Nimrod@Qrity.com
  • 2. It can be confusing (the slide reproduces a cloud security concern map, Copyright © 2009-2010 Information-Technology Promotion Agency, 16/03/2010). Technical concerns are split into System and DC Operation & Management and set beside Institutional, Business Model and Usage concerns:
    Technical / System
    • Security of the cloud architecture: virtualized environment; hypervisor; large distributed system (grid); isolation of processes
    • Communication security between user and cloud: reliability of communication path, QoS; confidentiality and security of communication
    • Security of data storage: physical location of storage for disaster recovery, backup and geopolitical risks; isolation between data
    • Information Lifecycle Management; data encryption and key management; client device security; cryptographic solution for communication, data and operation; user authentication, access control, user monitoring; hardware reliability and redundancy
    Technical / DC Operation & Management
    • Security of data center facility: location, natural hazard, utility services; physical access control, monitoring
    • Operation Management: operator access control; system privilege control
    • Information Security: unauthorized access control; incident response; patch and vulnerability management; antiviral software management; application management
    • Information Lifecycle Management
    Institutional, Business Model and Usage
    • Business Continuity: cloud provider resiliency; disaster recovery planning and operation; management and governance of cloud provider; availability and dependability of the system and the services; BCP of cloud provider
    • Compliance: laws and regulations conformity (internal control, personal data protection law, FISMA, HIPAA and others); auditability and inquiry accommodation to users, third parties, administration and law enforcement; digital forensics; data storage location and effect from local laws and regulations and privacy requirement
    • SLA: standards and guidelines; service level assurance
    • Usability: portability/lock-in of data and applications (process capability and scalability, storage capacity and scalability); interoperability and the standardization (cloud to cloud, cloud to on-premise); bottlenecks in data transfer
  • 3. www.cloudsecurityalliance.org
  • 4. Agenda
    • Private cloud architecture
    • Microsoft Private Cloud Solutions
    • Top Cloud Computing Threats
    • Trust in the Cloud
    • Cloud Security: the challenges
    • Cloud Security Frame
    • Secure cloud architecture
    • Q&A
  • 5. NIST working definition
  • 6. What constitutes cloud computing? Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS)
  • 7. Five steps to a Microsoft private cloud:
    1. Standardize Identity with Active Directory
    2. Virtualize with Hyper-V
    3. Standardize Management with System Center
    4. Enable Self Service with the free Self Service Portal
    5. Deploy One App on the Windows Azure Platform
  • 8. Consuming and Delivering IT as a Service (the slide is a workflow diagram; recoverable labels follow). Compose Service inputs: Service Type, SLA Requirements, Compliance Requirements, Access Requirements, Load Estimates, Application Owner, Backup Info. Self Service Portal. Provisioning and operation steps: Configure Image, Deploy Image, Attach Network, Configure Service Model, Configure Monitoring, Configure Reporting, Configure Billing, Configure Security, Monitor Compliance.
  • 9. Secure private cloud architecture (the slide is a diagram; recoverable labels follow). Internet, SSL VPN, Clients, Virtual FW, Hypervisor, Virtual Machines (VM 1-4, User App VM, Secure VDI), HR Zone, DMZ, Finance Zone, Support, Policy. Virtualized Security Services: .1 DoS Protection, .2 Firewall, .3 Authentication, .4 Encryption, .5 NAT, .6 Intrusion prevention, .7 Real-time visibility, .8 Traffic prioritization. Policies, Reporting, Management & Compliance.
  • 10. Microsoft Private Cloud Components: Self-Service, Management, Virtualization, Identity
  • 11. Trust in the Cloud: Compliance and Risk Management; Identity and Access Management; Information Protection; Service Integrity; Endpoint Integrity
  • 12. Security is the Major Issue
  • 13. Cloud computing Risks
    • Lock-in
    • Loss of governance
    • Compliance challenges
    • Loss of business reputation due to co-tenant activities
    • Cloud service termination or failure
    • Cloud provider acquisition
    • Supply chain failure
    • Resource exhaustion
    • Isolation failure
    • Cloud provider malicious insider
    • Management interface compromise
    • Intercepting data in transit
    • Data leakage on up/download, intra-cloud
    • Insecure or ineffective deletion of data
    • Undertaking malicious probes or scans
    • Distributed denial of service (DDoS)
    • Economic denial of service (EDoS)
    • Loss of encryption keys
    • Conflicts between customer hardening procedures and cloud environment
    • Compromise service engine
    • Subpoena and e-discovery
    • Risk from changes of jurisdiction
    • Data protection risks
  • 14. Commonly referenced cloud security issues
    • Bad co-hosts: "Amazon: Hey Spammers, Get Off My Cloud!" http://voices.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html
    • Denial of Service: "Bitbucket's Amazon DDoS - what went wrong" http://www.theregister.co.uk/2009/10/09/amazon_cloud_bitbucket_ddos_aftermath/
    • Many eggs, one basket: "Lightning Zaps Amazon Cloud" http://news.cnet.com/8301-1001_3-10263425-92.html
    • In-cloud federated Identity Management, Entitlement Management, Lack of Standards: "Security issues with Google Docs" http://peekay.org/2009/03/26/security-issues-with-google-docs/
    • Hypervisor & Virtual Machine Vulnerabilities: "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments" (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf; Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware), see also http://invisiblethingslab.com/itl/About.html; Cloudburst: arbitrary code execution vulnerability for VMware http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
    • Crypto Ops in VM: "Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine" http://eprint.iacr.org/2009/474
    • Data Provenance: where did the data come from?
    • Data Remanence: you can check out but can't leave
    • Location & Privacy: who looks at/after your data? And where? Jurisdictions?
  • 15. Demo: Configuring Baseline Security for the Private Cloud
  • 16. Top Cloud Computing Threats
    • Threat 1: Abuse and Nefarious Use of Cloud Computing
    • Threat 2: Insecure Interfaces and APIs
    • Threat 3: Malicious Insiders
    • Threat 4: Shared Technology Issues
    • Threat 5: Data Loss or Leakage
    • Threat 6: Account or Service Hijacking
    • Threat 7: Unknown Risk Profile
  • 17. Abuse and Nefarious Use of Cloud Computing (applies to IaaS, PaaS, SaaS)
    Description: Criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities. Cloud Computing providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers' fraud detection capabilities are limited.
    Examples: IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, and downloads for Microsoft Office and Adobe PDF exploits. Additionally, botnets have used IaaS servers for command and control functions. Spam continues to be a problem — as a defensive measure, entire blocks of IaaS network addresses have been publicly blacklisted.
    Remediation:
    • Stricter initial registration and validation processes.
    • Enhanced credit card fraud monitoring and coordination.
    • Comprehensive introspection of customer network traffic.
    • Monitoring public blacklists for one's own network blocks.
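One way to act on the last remediation above, monitoring public blacklists for your own network blocks, as an added example that is not part of the deck: it builds the reversed-octet DNSBL query name for every host in a block and checks each through an injected resolver. The zone `dnsbl.example`, the 203.0.113.0/29 block and the stub listing table are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# A DNSBL answers a query for d.c.b.a.<zone> (IPv4 a.b.c.d with octets reversed)
# with an A record, conventionally inside 127.0.0.0/8, when a.b.c.d is listed;
# a name that does not resolve means "not listed".
def dnsbl_query_name(addr: str, zone: str) -> str:
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return ".".join(reversed(octets)) + "." + zone

# Resolver: query name -> A record as text, or None when the name does not resolve.
Resolver = Callable[[str], Optional[str]]

def socket_resolver(name: str) -> Optional[str]:
    """Live resolver built on the standard library (needs network access)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_block(cidr: str, zone: str, resolve: Resolver) -> Dict[str, str]:
    """Return {address: answer} for every host address in cidr that the zone lists.

    An answer outside 127.0.0.0/8 is still reported but tagged, because some
    zones return such records when they are decommissioned or wildcarded.
    """
    listed: Dict[str, str] = {}
    for host in ipaddress.IPv4Network(cidr, strict=False).hosts():
        answer = resolve(dnsbl_query_name(str(host), zone))
        if answer is None:
            continue
        if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
            answer = "unexpected:" + answer
        listed[str(host)] = answer
    return listed

# Constructed stand-in for live DNS: exactly one address of the block is "listed".
SAMPLE_LISTINGS = {"5.113.0.203.dnsbl.example": "127.0.0.2"}

def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_LISTINGS.get(name)

if __name__ == "__main__":
    for addr, answer in check_block("203.0.113.0/29", "dnsbl.example", sample_resolver).items():
        print(f"LISTED {addr} -> {answer}")
```

Swap `sample_resolver` for `socket_resolver` and a real zone to run it against live DNS; a scheduled run that alerts on any non-empty result is the monitoring the slide asks for.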
  • 18. Insecure Interfaces and APIs (applies to IaaS, PaaS, SaaS)
    Description: Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.
    Examples: Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies.
    Remediation:
    • Analyze the security model of cloud provider interfaces.
    • Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
    • Understand the dependency chain associated with the API.
  • 19. Malicious Insiders (applies to IaaS, PaaS, SaaS)
    Description: The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.
    Examples: No public examples are available at this time.
    Remediation:
    • Enforce strict supply chain management and conduct a comprehensive supplier assessment.
    • Specify human resource requirements as part of legal contracts.
    • Require transparency into overall information security and management practices, as well as compliance reporting.
    • Determine security breach notification processes.
  • 20. Shared Technology Issues (applies to IaaS, PaaS, SaaS)
    Description: Attacks have surfaced in recent years that target the shared technology inside Cloud Computing environments. Disk partitions, CPU caches, GPUs, and other shared elements were never designed for strong compartmentalization. As a result, attackers focus on how to impact the operations of other cloud customers, and how to gain unauthorized access to data.
    Examples:
    • Joanna Rutkowska's Red and Blue Pill exploits
    • Kortchinsky's CloudBurst presentations
    Remediation:
    • Implement security best practices for installation/configuration.
    • Monitor environment for unauthorized changes/activity.
    • Promote strong authentication and access control for administrative access and operations.
    • Enforce service level agreements for patching and vulnerability remediation.
    • Conduct vulnerability scanning and configuration audits.
  • 21. Data Loss or Leakage (applies to IaaS, PaaS, SaaS)
    Description: The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
    Examples: Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys.
    Remediation:
    • Implement strong API access control.
    • Encrypt and protect integrity of data in transit.
    • Analyze data protection at both design and run time.
    • Implement strong key generation, storage and management, and destruction practices.
    • Contractually demand providers wipe persistent media before it is released into the pool.
    • Contractually specify provider backup and retention strategies.
  • 22. Account or Service Hijacking (applies to IaaS, PaaS, SaaS)
    Description: Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services.
    Examples: Amazon EC2 Zeus password stealing.
    Remediation:
    • Prohibit the sharing of account credentials between users and services.
    • Leverage strong two-factor authentication techniques where possible.
    • Employ proactive monitoring to detect unauthorized activity.
    • Understand cloud provider security policies and SLAs.
  • 23. Unknown Risk Profile (applies to IaaS, PaaS, SaaS)
    Description: When adopting a cloud service, the features and functionality may be well advertised, but what about details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging? How are your data and related logs stored and who has access to them? What information if any will the vendor disclose in the event of a security incident? Often such questions are not clearly answered or are overlooked, leaving customers with an unknown risk profile that may include serious threats.
    Examples: IRS asked Amazon EC2 to perform a C&A; Amazon refused. http://news.qualys.com/newsblog/forrester-cloud-computingqa.html
    Remediation:
    • Disclosure of applicable logs and data.
    • Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.).
    • Monitoring and alerting on necessary information.
  • 24. Fraud as a service. What's required?
    • Buy the malware
    • Choose a server ("bulletproof hosting")
    • Install malware on a server
    • Infect PCs
    • Keep the malware up-to-date
  • 25. Beyond Architecture: The Areas Of Critical Focus
    • Governance and Enterprise Risk Management
    • Legal and Electronic Discovery
    • Compliance and Audit
    • Information Lifecycle Management
    • Portability and Interoperability
    • Traditional Security, Business Continuity and Disaster Recovery
    • Data Center Operations
    • Incident Response, Notification and Remediation
    • Application Security
    • Encryption and Key Management
    • Identity and Access Management
    • Virtualization
  • 26. Analyzing Cloud Security: clouds are massively complex systems that can be reduced to simple primitives and common functional units, replicated thousands of times.
  • 27. Cloud Security: the challenges
    • Multi-tenancy risks: security of shared resources; process isolation; data segregation; 'data sharding' (fragmentation across images); data commingling; in-cloud segregation of data is difficult; accidental seizure of customer data during forensic investigations
    • Law & compliance: provider & resource / data location; cross-border data movement; lack of transparency, PII and privacy obligations (HIPAA, GLBA); limited audit ability; poor quality of evidence; regulatory violation; auditing and compliance (PCI, ISO 27001); no risk transference for data
    • Identity & access management: infrastructure misuse / break in
    • Data location & mobility: EU vs. US vs. China regulations (government access); differences in data protection between regions; cost of keeping data hosting in EU
    • Resilience & availability: latency sensitive applications; enforcement of SLA obligations; insufficient capabilities to cater for critical data
    • Cloud audit: data is legally owned by CSP and not client; cases of CSP refusing to 'hand over audit logs'; extremely difficult to involve law enforcement with CSP activities (breach investigation/litigation)
    • Service & data security: cloud lock in; lack of standards; lack of interoperability; limited service portability; incompatible management processes
    • Security at multiple layers: virtual image provided by IaaS provider; platform stack provided by PaaS provider; IaaS, PaaS issues + application security
  • 28. Cloud Security: the challenges
    • Isolation: hypervisor-VM and inter-VM isolation is robust at system level (modulo kernel bugs); issues at management plane; memory hijacking
    • Data risks: CSPs do not allow clients to classify data; CSPs cannot offer different levels of security based upon data sensitivity; no DLP (data leakage protection) services offered
    • Virtual infrastructure: physical-to-virtual mapping; crypto doesn't like virtual (current algorithms set to optimise resource pooling, can't always use specialised HW, encryption key management)
    • VM security: guest OS needs security protection at massive scale; security-resilient VM life-cycle (secure, scalable, dynamic); reliance on VM vendor security; issues with guest OS security; can VMware, Microsoft be trusted to implement kernel security correctly?
  • 29. Private Clouds and User Roles
    • VMM Admin: scope is everything and cannot be modified; can take any action; creates clouds from physical capacity; delegates clouds; includes all Cloud Manager rights
    • Delegated Admin: scope is host groups and clouds; access to a cloud automatically gives access to its host groups
    • Cloud Manager: scope is clouds only; subdivides clouds; manages services and VMs; authors templates; shares resources; actions can be revoked; includes all Self-Service User rights
    • Self-Service User: scope is clouds only; quota: per-user limit
  • 30. User Roles and Scope: VMM Admin, Delegated Admin, Cloud Manager, Self-Service User
  • 31. Private Cloud Usage Scenarios
    1. VMM Admin creates a private cloud
    2. VMM Admin delegates the cloud to a Cloud Manager
    3. Cloud Manager sub-divides the cloud and assigns it to a Self-Service User
    4. Self-Service User creates VMs and services in the cloud
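A small authorization model of the four roles from slides 29-31, as an added example that is not code from the deck or from System Center: rights nest upward as the slides state, scope is checked per cloud and per host group, and the Self-Service User's per-user quota is enforced. The action names, the quota unit (VM count), the data structures and the sample clouds are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

@dataclass(frozen=True)
class Cloud:
    name: str
    host_groups: FrozenSet[str]   # physical capacity the cloud was carved from

@dataclass
class Principal:
    user: str
    role: str
    clouds: Set[str] = field(default_factory=set)       # cloud scope (every role but VMM Admin)
    host_groups: Set[str] = field(default_factory=set)  # explicit host-group scope (Delegated Admin)
    quota_vms: int = 0                                  # per-user limit (Self-Service User)

# Rights nest as the slide states: Cloud Manager includes all Self-Service User
# rights, VMM Admin includes all Cloud Manager rights; the action names are assumed.
SELF_SERVICE = {"create_vm", "create_service"}
CLOUD_MANAGER = SELF_SERVICE | {"subdivide_cloud", "author_template", "share_resource"}
DELEGATED_ADMIN = CLOUD_MANAGER | {"manage_host_group"}
VMM_ADMIN = DELEGATED_ADMIN | {"create_cloud", "delegate_cloud"}
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "Self-Service User": SELF_SERVICE,
    "Cloud Manager": CLOUD_MANAGER,
    "Delegated Admin": DELEGATED_ADMIN,
    "VMM Admin": VMM_ADMIN,
}

def host_group_scope(p: Principal, clouds: Dict[str, Cloud]) -> Set[str]:
    """Access to a cloud automatically gives a Delegated Admin access to its host groups."""
    derived: Set[str] = set()
    for name in p.clouds:
        derived |= clouds[name].host_groups
    return p.host_groups | derived

def authorize(p: Principal, action: str, clouds: Dict[str, Cloud], cloud: Optional[str] = None,
              host_group: Optional[str] = None, vms_owned: int = 0) -> Tuple[bool, str]:
    """Return (allowed, reason): role rights first, then scope, then quota."""
    if action not in ROLE_ACTIONS.get(p.role, set()):
        return False, f"{p.role} has no right to {action}"
    if p.role == "VMM Admin":
        return True, "scope: everything"   # the one scope that cannot be modified
    if host_group is not None and host_group not in host_group_scope(p, clouds):
        return False, f"host group {host_group} outside scope"
    if cloud is not None and cloud not in p.clouds:
        return False, f"cloud {cloud} outside scope"
    if p.role == "Self-Service User" and action == "create_vm" and vms_owned >= p.quota_vms:
        return False, "per-user quota exhausted"
    return True, "ok"

# Constructed sample fabric: two clouds carved from two host groups.
SAMPLE_CLOUDS = {"HR": Cloud("HR", frozenset({"hg-east"})),
                 "Finance": Cloud("Finance", frozenset({"hg-west"}))}
```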
  • 32. Security as a service
  • 33. Identity as a service (IDaaS)
  • 34. IAM Protocols and Standards: SAML, XACML, OAuth, OpenID, OATH, OpenAuth
  • 35. Demo: Set Cloud CSRF (oneClick) to Stop machine
  • 36. The future of cloud computing security
    • Infrastructure security – greater transparency of security capabilities
    • Data security and storage – predicate encryption
    • Identity and access management – hybrid IAM strategy
    • Security management – unified management function across CSPs
  • 37. Resources
    • http://www.cloudsecurityalliance.org/Research.html
    • http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
    • Microsoft Security Compliance Manager – http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displayLang=en
    • Build Your Own Private Cloud – http://www.microsoft.com/virtualization/en/us/private-cloud-get-started.aspx
    • http://blogs.technet.com/b/ddcalliance/archive/2010/02/16/dynamic-infrastructure-toolkit-for-system-center-dit-sc-sneak-peek-into-on-boarding.aspx
  • 38. Thank You ! Nimrod@Qrity.com