Nimrod Luria, Head of Information Security department at Hi-tech College and the CTO of Qrity.
* Private cloud architecture, focusing on Microsoft technologies
* Description of threats to cloud systems
* Secure development, and ways to penetrate and attack systems hosted in a cloud environment
7. What Constitutes Cloud Computing?
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
8.
Step 1: Standardize Identity with Active Directory
Step 2: Virtualize with Hyper-V
Step 3: Standardize Management with System Center
Step 4: Enable Self Service with the Free Self Service Portal
Step 5: Deploy One App on the Windows Azure Platform
9. Consuming and Delivering IT as a Service
[Diagram of the service lifecycle; labels only: Self Service Portal; Compose Service (Service Type, Image, SLA Requirements, Compliance Requirements, Service Model, Access Requirements, Load Estimates, Application Owner, Billing Info); Deploy (Deploy Image, Attach Network, Configure Image, Configure Service, Configure Monitoring, Configure Reporting, Configure Backup, Configure Security, Monitor Compliance).]
10.
[Architecture diagram; labels only: User App, VM 1-4, Virtual FW, Secure VDI, Hypervisor, Clients, Policy, Support Virtual Machines, Internet, SSL VPN, HR Zone, DMZ, Finance Zone, Virtualized Security Services.]
Virtualized Security Services:
1. DoS Protection
2. Firewall
3. Authentication
4. Encryption
5. NAT
6. Intrusion prevention
7. Real-time visibility
8. Traffic prioritization
Policies, Reporting, Management & Compliance
14. Cloud Computing Risks
• Lock-in
• Loss of governance
• Compliance challenges
• Loss of business reputation due to co-tenant activities
• Cloud service termination or failure
• Cloud provider acquisition
• Supply chain failure
• Resource exhaustion
• Isolation failure
• Cloud provider malicious insider
• Management interface compromise
• Intercepting data in transit
• Data leakage on up/download, intra-cloud
• Insecure or ineffective deletion of data
• Undertaking malicious probes or scans
• Distributed denial of service (DDoS)
• Economic denial of service (EDoS)
• Loss of encryption keys
• Conflicts between customer hardening procedures and cloud environment
• Compromise of the service engine
• Subpoena and e-discovery
• Risk from changes of jurisdiction
• Data protection risks
15. Commonly Referenced Cloud Security Issues
• Bad co-hosts: "Amazon: Hey Spammers, Get Off My Cloud!" http://voices.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html
• Denial of Service: "Bitbucket's Amazon DDoS - what went wrong" http://www.theregister.co.uk/2009/10/09/amazon_cloud_bitbucket_ddos_aftermath/
• Many eggs, one basket: "Lightning Zaps Amazon Cloud" http://news.cnet.com/8301-1001_3-10263425-92.html
• In-cloud federated Identity Management
• Entitlement Management: "Security issues with Google Docs" http://peekay.org/2009/03/26/security-issues-with-google-docs/
• Lack of Standards
• Hypervisor & Virtualized Environments / Virtual Machine Vulnerabilities:
– "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments" (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf
– Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware) (see also http://invisiblethingslab.com/itl/About.html)
– Cloudburst: Arbitrary code execution vulnerability for VMware http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
• Crypto Ops in VM: "Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine" http://eprint.iacr.org/2009/474
• Data Provenance: Where did the data come from? And where?
• Data Remanence: You can check out but can't leave
• Location & Privacy: Who looks at/after your data? Jurisdictions?
18. Top Cloud Computing Threats
Threat 1: Abuse and Nefarious Use of Cloud Computing
Threat 2: Insecure Interfaces and APIs
Threat 3: Malicious Insiders
Threat 4: Shared Technology Issues
Threat 5: Data Loss or Leakage
Threat 6: Account or Service Hijacking
Threat 7: Unknown Risk Profile
19. Abuse and Nefarious Use of Cloud Computing
Description
Criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities. Cloud Computing providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers' fraud detection capabilities are limited.
Examples
IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, and downloads for Microsoft Office and Adobe PDF exploits. Additionally, botnets have used IaaS servers for command and control functions. Spam continues to be a problem; as a defensive measure, entire blocks of IaaS network addresses have been publicly blacklisted.
Remediation
• Stricter initial registration and validation processes.
• Enhanced credit card fraud monitoring and coordination.
• Comprehensive introspection of customer network traffic.
• Monitoring public blacklists for one's own network blocks.
Applies to: IaaS, PaaS, SaaS
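The last remediation item, monitoring public blacklists for one's own network blocks, as an added example that is not part of the original slides: it parses a blocklist feed, reports which of a tenant's or provider's own prefixes are listed, and builds the reverse-octet name a DNS-based blocklist lookup would use. The own blocks, blocklist entries and the `dnsbl.example` zone are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the slides): the address blocks we own, and
# entries as a public blocklist might publish them (single hosts, CIDRs, junk).
OWN_BLOCKS = ["203.0.113.0/24", "198.51.100.0/25"]
BLOCKLIST_ENTRIES = ["203.0.113.77", "203.0.113.128/26", "192.0.2.0/24", "not-an-ip"]


def parse_entries(entries):
    """Parse blocklist lines as IPv4/IPv6 networks; skip lines that do not parse."""
    nets = []
    for raw in entries:
        try:
            # strict=False tolerates host bits set in a CIDR entry
            nets.append(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            continue  # malformed entry; a real monitor would log it
    return nets


def listed_overlaps(own_blocks, entries):
    """Return {own_block: [listed networks that fall inside or cover it]}.

    Blocks with no overlapping blocklist entry are omitted from the result.
    """
    listed = parse_entries(entries)
    result = {}
    for block in (ipaddress.ip_network(b) for b in own_blocks):
        hits = [str(n) for n in listed
                if n.version == block.version and block.overlaps(n)]
        if hits:
            result[str(block)] = sorted(hits)
    return result


def dnsbl_query_name(addr, zone):
    """Build the reversed-octet name used to look an IPv4 address up in a DNSBL zone."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("reverse-octet DNSBL lookup shown here is IPv4 only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


if __name__ == "__main__":
    for block, hits in listed_overlaps(OWN_BLOCKS, BLOCKLIST_ENTRIES).items():
        print(f"{block} is affected by listed entries: {', '.join(hits)}")
    print(dnsbl_query_name("203.0.113.77", "dnsbl.example"))
```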
21. Insecure Interfaces and APIs
Description
Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.
Examples
Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies.
Remediation
• Analyze the security model of cloud provider interfaces.
• Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
• Understand the dependency chain associated with the API.
Applies to: IaaS, PaaS, SaaS
22. Malicious Insiders
Description
The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.
Examples
No public examples are available at this time.
Remediation
• Enforce strict supply chain management and conduct a comprehensive supplier assessment.
• Specify human resource requirements as part of legal contracts.
• Require transparency into overall information security and management practices, as well as compliance reporting.
• Determine security breach notification processes.
Applies to: IaaS, PaaS, SaaS
23. Shared Technology Issues
Description
Attacks have surfaced in recent years that target the shared technology inside Cloud Computing environments. Disk partitions, CPU caches, GPUs, and other shared elements were never designed for strong compartmentalization. As a result, attackers focus on how to impact the operations of other cloud customers, and how to gain unauthorized access to data.
Examples
• Joanna Rutkowska's Red and Blue Pill exploits
• Kortchinsky's CloudBurst presentations
Remediation
• Implement security best practices for installation/configuration.
• Monitor environment for unauthorized changes/activity.
• Promote strong authentication and access control for administrative access and operations.
• Enforce service level agreements for patching and vulnerability remediation.
• Conduct vulnerability scanning and configuration audits.
Applies to: IaaS, PaaS, SaaS
24. Data Loss or Leakage
Description
The threat of data compromise increases in the cloud, due to the number of, and interactions between, risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
Examples
Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys.
Remediation
• Implement strong API access control.
• Encrypt and protect integrity of data in transit.
• Analyze data protection at both design and run time.
• Implement strong key generation, storage and management, and destruction practices.
• Contractually demand providers wipe persistent media before it is released into the pool.
• Contractually specify provider backup and retention strategies.
Applies to: IaaS, PaaS, SaaS
26. Account or Service Hijacking
Description
Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services.
Examples
Amazon EC2 Zeus password stealing.
Remediation
• Prohibit the sharing of account credentials between users and services.
• Leverage strong two-factor authentication techniques where possible.
• Employ proactive monitoring to detect unauthorized activity.
• Understand cloud provider security policies and SLAs.
Applies to: IaaS, PaaS, SaaS
28. Unknown Risk Profile
Description
When adopting a cloud service, the features and functionality may be well advertised, but what about details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging? How are your data and related logs stored, and who has access to them? What information, if any, will the vendor disclose in the event of a security incident? Often such questions are not clearly answered or are overlooked, leaving customers with an unknown risk profile that may include serious threats.
Examples
IRS asked Amazon EC2 to perform a C&A; Amazon refused. http://news.qualys.com/newsblog/forrester-cloud-computingqa.Html
Remediation
• Disclosure of applicable logs and data.
• Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.).
• Monitoring and alerting on necessary information.
Applies to: IaaS, PaaS, SaaS
29. Fraud as a service
What’s Required?
• Buy the malware
• Choose a server (“bulletproof hosting”)
• Install malware on a server
• Infect PCs
• Keep the malware up-to-date
30. Beyond Architecture: The Areas Of Critical Focus
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
• Traditional Security, Business Continuity and Disaster Recovery
• Data Center Operations
• Incident Response, Notification and Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
31. Analyzing Cloud Security
• Clouds are massively complex systems that can be reduced to simple primitives, replicated thousands of times, and common functional units.
32. Cloud Security: the challenges
Law & Compliance
– Provider & resource / data location
– Cross-border data movement
– Lack of transparency, PII and privacy obligations (HIPAA, GLBA)
– Limited audit ability
– Poor quality of evidence
– Regulatory violation
– Auditing and compliance (PCI, ISO 27001)
– No risk transference for data
Multi-tenancy Risks
– Security of shared resources
– Process isolation
– Data segregation
– 'Data sharding' (fragmentation across images)
– Identity & Access Management
– Infrastructure misuse / break-in
– Data commingling
– In-cloud segregation of data: difficult
– Accidental seizure of customer data during forensic investigations
Data Location & Mobility
– EU vs. US vs. China regulations (Government access)
– Differences in data protection between regions
– Cost of keeping data hosting in the EU
Resilience & Availability
– Latency sensitive applications
– Enforcement of SLA obligations
– Insufficient capabilities to cater for critical data
– Cloud lock-in
– Lack of standards
– Lack of interoperability
– Limited service portability
– Incompatible management processes
Cloud Audit
– Audit data is legally owned by the CSP and not the client
– Cases of CSP refusing to 'hand over audit logs'
– Extremely difficult to involve law enforcement with CSP activities (breach investigation/litigation)
Service & Data Security
– Security at multiple layers
– Virtual image provided by IaaS provider
– Platform stack provided by PaaS provider
– IaaS, PaaS issues + application security
33. Cloud Security: the challenges
Data risks
– CSPs do not allow clients to classify data.
– CSPs cannot offer different levels of security based upon data sensitivity.
– No DLP (data leakage protection) services offered.
Isolation
– Hypervisor-VM and inter-VM isolation
• Robust at system level (modulo kernel bugs)
• Issues at management plane
• Memory hijacking
Virtual Infrastructure
– Physical-to-virtual mapping
– Crypto doesn't like virtual: current algorithms are set to optimise resource pooling
– Can't always use specialised HW
– Encryption key management
– Reliance on VM vendor security
– Issues with guest OS security
– Can VMware, Microsoft be trusted to implement kernel security correctly?...
VM Security
– Guest OS needs security protection, at massive scale
– Security-resilient VM life-cycle: secure, scalable, dynamic
35. Private Clouds and User Roles
VMM Admin
– Scope: Everything
– Scope cannot be modified
– Can take any action
Delegated Admin
– Scope: Host groups and Clouds
– Create cloud from physical capacity
– Access to cloud automatically gives access to host groups
– Includes all Cloud Manager rights
Cloud Manager
– Scope: Clouds only
– Subdivides clouds
– Delegates clouds
– Includes all Self-Service User rights
Self-Service User
– Scope: Clouds only
– Manages services and VMs
– Authors templates
– Shares resources
– Actions can be revoked
– Quota: Per-user limit
36. User Roles and Scope
[Diagram of role scopes, from widest to narrowest: VMM Admin, Delegated Admin, Cloud Manager, Self Service User.]
37. Private Cloud Usage Scenarios
• VMM Admin creates a private cloud
• VMM Admin delegates the cloud to Cloud Manager
• Cloud Manager sub-divides the cloud and assigns it to Self-Service User
• Self Service User creates VMs and services in the cloud
42. The future of cloud computing security
• Infrastructure security
– Greater transparency of security capabilities.
• Data security and storage
– Predicate encryption
• Identity and access management
– Hybrid IAM strategy
• Security management
– Unified management function across CSPs
43. Resources
• http://www.cloudsecurityalliance.org/Research.html
• http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
• Microsoft Security Compliance Manager
– http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displayLang=en
• Build Your Own Private Cloud
– http://www.microsoft.com/virtualization/en/us/private-cloud-get-started.aspx
• http://blogs.technet.com/b/ddcalliance/archive/2010/02/16/dynamic-infrastructure-toolkit-for-system-center-dit-sc-sneak-peek-into-on-boarding.aspx