PCTY 2012, Cloud security (real life) by Ulf Feger
1. Cloud Security
Abstract:
Cloud security or security for the cloud is neither a "big bang" nor is
it something completely new. It’s a transformation process of taking
existing methodologies and technologies and adapting them depending
on the cloud business road you are taking.
This is not limited to just technology assets but also includes policies,
processes, and of course the handling of (business) expectations.
What might such a roadmap look like and is it then limited to security only?
Ulf Feger
Security Architect, CISSP, COBIT Practitioner (ISACA)
Cloud Security & Security Solutions
IBM Security Systems Division
Member of the Board, Cloud Security Alliance, German Chapter
2. Cloud & Security
Customer Expectations and Experiences
Healing by touching – or Cloud is a devil
The Cloud – yes, of course with Security – solves all our Security challenges, we will have no
problems anymore
Open discussions: I know what I know and to be honest tell me what I should know
What you tell me is not Cloud security that‘s security
The roadmap to Cloud & Security
Customer expectations towards IBM
– Understand their environment (on the given information)
– Understand their security concepts & architecture (on the given information)
– Be able to talk to network people, software architects, security architects
– Provide insight, give feedback
What we do:
– All of the above
– Open discussions in a highly political environment
– Offer more input based on existing material like the BSI MindMap
– Feed people with new ideas like VSP; Cloud Security is more than some techie stuff only
3. Cloud & Security
Transformation
of Security, of Security Awareness, of the Need for Security
The Fortress
5. Cloud & Security
Zeus Crimeware Service
Hosting for costs $50 for 3 months.
This includes the following:
# Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via internet explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer inter graded.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit“
We also host normal ZeuS clients for $10/month.
This includes a fully set up zeus panel/configured binary
FUD = Fully Undetectable
6. Cloud & Security
Transformation
of Security, of Security Awareness, of the Need for Security
The Fortress The User
13. Cloud & Security
IBM Cloud Computing Reference Architecture
The IBM CC RA represents the aggregate experience
across hundreds of cloud client engagements and
the implementation of IBM-hosted clouds
– Based on knowledge of IBM’s services, software & system experiences, including IBM Research
The IBM Cloud Computing Reference Architecture (CC RA) is reflected in the design of
– IBM-hosted cloud services
[Figure: CC RA overview. Roles: Cloud Service Consumer (Consumer In-house IT), Cloud Service Provider, Cloud Service Creator. Provider side: Cloud Services (Business-Process-as-a-Service, Software-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service) on top of Infrastructure; Common Cloud Management Platform (CCMP) with Operational Support Services (OSS) and Business Support Services (BSS); Existing & 3rd party services, Partner Ecosystems; Service Creation Tools and Service Integration Tools. Cross-cutting: Security, Resiliency, Performance & Consumability; Governance.]
OpenGroup submission: http://www.opengroup.org/cloudcomputing/uploads/40/23840/CCRA.IBMSubmission.02282011.doc
CCRA Whitepaper on ibm.com:
http://www.ibm.com/common/ssi/cgi-bin/ssialias?infotype=SA&subtype=WH&appname=GTSE_CI_CI_USEN&htmlfid=CIW03078USEN&attachment=CIW03078USEN.PDF
15. Cloud & Security
Architecture Principles
IBM Security Framework: Business Security Reference Model
[Figure, rebuilt as a list:]
Business security domains: Governance, Risk, Compliance (GRC); People and Identity; Data and Information; Application and Process; IT Infrastructure: Network, Server, End Point; Physical Infrastructure
Foundational Security Management: Software, System and Service Assurance; Identity, Access and Entitlement Management; Data and Information Protection Management; Threat and Vulnerability Management; IT Service Management; Command and Control Management; Security Policy Management; Risk and Compliance Assessment; Physical Asset Management
Security Services and Infrastructure: Security Info and Event Infrastructure; Identity, Access and Entitlement Infrastructure; Security Policy Infrastructure; Crypto, Key and Certificate Infrastructure; Service Management Infrastructure; Host and End-point Security; Storage Security; Application Security; Network Security; Physical Security
Security Data Repositories: Code and Images; Identities and Policies; Events and Logs; Attributes; Service Levels and Classification; Config Info and Registry; Operational Context; Designs; IT Security Knowledge
16. Cloud Governance - GRC
.. hey .. and what else ?
.. and what’s the meaning of G R C ?
17. Cloud & Security
The majority of corporations avoid the use of Cloud Computing because of
security and governance risks and the lack of trust in the service provider (1)
Obstacles for cloud projects
Question: "Do you use cloud computing solutions already or do you plan to use them in the near future?" – No: 54%, Yes: 46%
Question: "For which reasons did you decide not to use cloud computing solutions (multiple answers possible)?" – answers shown as a bar chart on a 0%–60% scale:
– Risk of loss of governance and control
– Inadequate data security / availability
– Open compliance or legal issues
– Doubts regarding the long-term availability of the offering
– Risk of a vendor lock-in
– No commercial benefit
– Licence issues
1) "Cloud Computing in Germany" – Survey results from Deloitte and BITKOM, January 2011
18. Cloud & Security
Requirements – Cloud Computing & Security (plus GRC + ..)
Security topics – technical & process related
– Data Security & Data Privacy
– Access Management & Identity Management – IAM
– Application and Service Provisioning incl. Removal
– Application and Systems test incl. Data Pro- and De-Provisioning
– Service Level Agreement – SLA Management
– Vulnerability Management – Detection, Scoring, Removal
– Threat Analysis
– Service Availability incl. local/national load balancing
– Auditability & Governance (GRC – Governance, Risk & Compliance)
– Cross-border law-abiding, e.g. person-related data & processes
[Figure: Cloud Computing Model / Cloud Services]
19. Cloud & Security
Cloud from the viewpoint of Export Regulations (ER)
An export takes place when ..
– Cross-border clouds – the data crosses the border
– Distributed service offerings mean the server and data stay in the local country
– Root access: who gets which kind or type of root access to/for what?
[Figure: Cross Border Cloud Computing]
21. Cloud & Security
Understand Compliance requirements – Data Privacy – Data Security
Expectation:
1 Improvement in Security, Reduction in Cost, Load Optimization
2 Inner Security, Outer Security, Operational Security
3 Focus: "What do I really need?"
4 "How do I prove?": traceability & verifiability & auditability
5 Goal: understand business risks and threats; security guidelines, rules, policies
Security Management: awareness, monitoring & detection
Compliance: implementation & automation
Risk: Risk appetite?
Cloud workload -> Risk Assessment / Analysis / Accreditation / Certification
22. Cloud & Security
Business processes, use cases, assets
Matrix items to evaluate:
- authentication (item1)
- data transfer (item2)
- ..
Each item is rated for:
• C – Confidentiality
• I – Integrity
• A – Availability
Potential Damage: insignificant (1), low (2), medium (3), high (4)
Probability: impossible (0), low (2), medium (3), high (4), very high (4)
[Figure: risk matrix, potential damage (rows) vs probability (columns), cells marked with item-property pairs. High row: i5-c, i2-a, i5-i, i2-c, i5-a; medium row: i3-c, i1-c, i2-c, i1-a, i3-i; low row: i4-i, i7-a.]
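To make the matrix concrete, here is an added example (not from the slides) that rates a few constructed items per C/I/A property on the slide's damage and probability scales, renders the matrix and lists what exceeds a given risk appetite; the item names beyond item1 and item2, all ratings and the appetite value are assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

# Scales as printed on the slide (note "high" and "very high" both rate 4).
DAMAGE = {"insignificant": 1, "low": 2, "medium": 3, "high": 4}
PROBABILITY = {"impossible": 0, "low": 2, "medium": 3, "high": 4, "very high": 4}

# Constructed sample items; the slide itself names only item1 and item2.
ITEMS = {"i1": "authentication", "i2": "data transfer", "i3": "key storage (assumed)"}


@dataclass(frozen=True)
class Rating:
    item: str          # key into ITEMS
    prop: str          # "c", "i" or "a" for confidentiality / integrity / availability
    damage: str        # key into DAMAGE
    probability: str   # key into PROBABILITY

    @property
    def label(self) -> str:
        return f"{self.item}-{self.prop}"        # same notation as the slide, e.g. i2-a

    @property
    def score(self) -> int:
        return DAMAGE[self.damage] * PROBABILITY[self.probability]


def above_appetite(ratings, appetite):
    """Ratings whose damage x probability exceeds the risk appetite, highest first."""
    return sorted((r for r in ratings if r.score > appetite),
                  key=lambda r: (-r.score, r.label))


def worst_per_item(ratings):
    """Collapse the C/I/A ratings of each item to its highest score."""
    worst = defaultdict(int)
    for r in ratings:
        worst[r.item] = max(worst[r.item], r.score)
    return dict(worst)


def render_matrix(ratings):
    """ASCII version of the slide's matrix: rows = damage (high on top),
    columns = probability, cells list the item-property labels."""
    cells = defaultdict(list)
    for r in ratings:
        cells[(r.damage, r.probability)].append(r.label)
    cols = list(PROBABILITY)
    width = 14
    lines = ["damage \\ prob".ljust(width) + "".join(c.ljust(width) for c in cols)]
    for d in reversed(list(DAMAGE)):
        row = f"{d} ({DAMAGE[d]})".ljust(width)
        row += "".join(" ".join(sorted(cells[(d, c)])).ljust(width) for c in cols)
        lines.append(row.rstrip())
    return "\n".join(lines)


# Constructed ratings: sample values, not taken from the slide.
SAMPLE = [
    Rating("i1", "c", "medium", "medium"),     # 3*3 = 9
    Rating("i1", "a", "medium", "low"),        # 3*2 = 6
    Rating("i2", "c", "high", "medium"),       # 4*3 = 12
    Rating("i2", "a", "high", "very high"),    # 4*4 = 16
    Rating("i3", "i", "high", "impossible"),   # 4*0 = 0, never exceeds any appetite
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE))
    for r in above_appetite(SAMPLE, appetite=8):
        print(f"{r.label} ({ITEMS[r.item]}): score {r.score} exceeds the appetite")
```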
24. The Roadmap to where ?
Cloud & Security
Cloud transformation phases to your own cloud.
Where‘s your Security? Does it fit to your risk appetite?
[Figure: five phases, each covering IT processes and business processes, joined by transitions:]
1. Consolidation (Elimination)
2. Virtualization
3. Standardization
4. Automatization
5. Cloud(ization)
Examples of security topics along the phases: Baseline Security, VSP, Compliance (SIEM rules), Approval Workflows, GRC Reporting, Target
25. Cloud & Security
4 (simple) examples of underestimated threats
[Figure: four virtualization stacks (PowerVM, VMware, KVM …) on top of shared resources, marked "x"]
28. Cloud & Security
BSI Eckpunktepapier – Sicherheitsempfehlungen für Cloud Computing Anbieter
(Security Recommendations for Cloud Computing Providers)
More sources:
• IT-Grundschutz
• BSI-Standard 100-2/100-4
• ISO 27001/2
• Cloud Security Alliance – German Chapter, cloudsecurityalliance.org
• ISF – Information Security Forum, www.securityforum.org
• TMForum – TeleManagement Forum, www.tmforum.org
• Euro Cloud e.V. en.eurocloud.de/
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindestanforderungen/Eckpunktepapier-Sicherheitsempfehlungen-CloudComputing-Anbieter.pdf?__blob=publicationFile
29. Cloud & Security
the result ..
To get the MindMap contact ulf.feger@de.ibm.com
30. Cloud & Security
Supporting Security landscape – What is the aim of my security?
[Figure: IAM and audit landscape around the Common Cloud Management Platform (Cloud Services, BSS, OSS), under the rotated heading "dynamic adaptation".
Products: Tivoli Identity Manager (TIM); Tivoli Access Manager for e-business (TAMeb); Tivoli Federated Identity Manager (TFIM); Tivoli Security Policy Manager (TSPM); Tivoli Access Manager for Enterprise Single Signon (TAM E-SSO); Tivoli Compliance Insight Manager (TCIM).
Identity management: Identity Repository (Person & Account), Desktop/Client Security Policy Repository, Admin User, User Self-service, Identity Synchronisation, Reporting, Workflow & Lifecycle, Entitlement Store, Policy, HR System, Provisioning Engine, Management Domain, Reconciliation, Provisioning; connections over HTTP (incl. SOAP/HTTP) and Web Services.
Access management: SSO Policy Mgmt, WS Policy Mgmt, Fed SSO Conf., Web Policy Mgmt, Policy Enforce, Web Authentication and Web Single Signon (Portal, Web App), HTTP Server Authorization, Enterprise Single Signon, User Authentication, FedSSO, A&A, WS Gateway, ESB, Business (SOA), Windows Apps, Identity Mapping, Enterprise Dir; actors: Consumer, Internet, Other Apps, Employee/Staff, Admin(s), Auditor.
Audit: Collect / Log from each component, Audit Log Consolidation, Audit Policy, Compliance Reporting, Auditor.]
31. Cloud & Security
Supporting Security landscape – What is the aim of my security?
[Same diagram as slide 30, with the Cloud Platform (Cloud Services, BSS, OSS) labelled.]
32. Cloud & Security
[Same diagram as slide 30 without the Tivoli product names: Common Cloud Management Platform with Cloud Services, BSS and OSS.]
33. Cloud & Security
[Same diagram as slide 32.]
34. Which challenges have to be solved – a long list, a new list?
Cloud Security: IT "traditional" vs. dynamic IT / Cloud
Cloud Service User
Duties:
- Authentication
- Authorization
- del. Administration
- pay the bill
Expectations:
- SLA Fulfillment
- Compliance
- Detailed Reporting
Cloud (Service) Provider – the same list applies for "traditional" IT and for the cloud:
• Access control incl. rule based policy management
• Service Offering
• User and entitlement management incl. process management and p.-automation
• Role based separation of duties
• Security policy management
• Security monitoring, auditing, compliance reporting
• SoD for multi tenancy
• Reporting (SoD based) – Security Information and Event Management
• Compliance audit & reporting across the IT infrastructure and processes
• Protection and security for the virtualized environment (network / hosts / VMs)
• Protection and compliance tool for server verification
• Configuration and change management
• Connectivity / linkage with YOUR accounting model (Metering & Rating)
35. Cloud & Security
IBM Cloud Components – more than Virtualization only
Common Cloud Management Platform: Cloud Services, BSS, OSS
1. Ordering / booking from a service catalogue
2. Integration with Service Desk and IT Asset Management AND the Security Processes Management (PUMA, …)
3. Provisioning of the service
4. Integration with Storage Area Network (SAN) and network (pool)
5. Service Discovery, Change & Configuration Management: Service, Platform
6. Monitoring: Service Monitoring, Platform Monitoring, Performance, Security Alerts
7. Realtime Management Event Consolidation regarding the Business Services
8. Collect, Analyze, and Report -> Accounting based on usage / costs / licence model
9. Visualization of the services related to business targets and service agreements
10. Management of Service Level Agreements (SLAs)
11. Exit-Management
Service = Software, Platform, Infrastructure (i.e. Composite Application, Physical / Virtual OS, Middleware, Network, Storage)
Not in all cases will all steps exist in a client engagement
Users are the weakest link. What’s wrong with this picture? Did the gate work as designed? Did the gate provide security? Social engineering: 71% of people at Victoria Station (London) gave out passwords for an Easter egg*. If security is too inconvenient … users will find a way to subvert it.
To take the previous chart a step further, here we talk about the different types of attackers we see. There are those using off-the-shelf tools and techniques: exploits that are publicly released and can easily be acquired off the Internet to launch their attacks. Or you’ve got more sophisticated attackers who develop their own exploits and discover their own vulnerabilities, then target them before anyone else has even seen them. We also see attacks that are broadly focused: they’re trying to target the entire Internet. Or we have attacks that are highly targeted: they’re specifically interested in breaking into particular organizations. So looking at those two dimensions you get four categories. Off-the-shelf broad attacks are typically financially motivated botnet builders. This accounts for most of the attack activity that we’ve seen and have been fighting for the past ten years. However, we also see today this thing that’s often called the advanced persistent threat (APT), which is sort of the other side of the coin. These are targeted, sophisticated attackers that are going after specific organizations, using vulnerabilities they have discovered themselves and highly custom malware, so they’re very difficult to protect against. In addition, this year we’ve seen a lot of targeted attacks that used off-the-shelf techniques. These are often activists: people who have a motive to attack a particular organization but are not necessarily as sophisticated in carrying out those attacks as the advanced persistent threat. And we have one more category, which fortunately we aren’t dealing with much today, and that is if you took the sophistication of the APT and applied it broadly; this is sort of the cyber war nightmare scenario that people have been talking about in policy circles. Fortunately that’s not a reality today on the Internet.
This diagram is the top-level view of the blueprint. The top layer is the IBM Security Framework, which provides the business context or business perspective of security. The framework is commonly represented by the graphic you see on the right. The blueprint separates the management of security from the implementation of security, which are represented in the middle and bottom layer respectively. It provides:
– A product-agnostic and solution-agnostic approach to defining security capabilities
– A common vocabulary to use in more detailed discussions
– Architectural principles that are valid across all domains and deployment environments, based on researching many customer-related scenarios
– A roadmap to assist in designing and deploying security solutions
The security management layer represents the capabilities needed to translate the business view of security concerns into policies, operational procedures, and technical controls that can be deployed into the IT landscape and the organization. The Services and Infrastructures layer represents the security capabilities needed to enforce policies and their integration points into the IT infrastructure. By separating security management from security implementation, the IT organization can focus on getting the policy and needed controls correctly defined and can better monitor and assess how completely and effectively the policies are being enforced.
Architecture Principles in the Blueprint:
1. Openness
2. Security by default
3. Design for accountability
4. Design for regulations
5. Design for privacy
6. Design for extensibility
7. Design for sharing
8. Design for consumability
9. Multiple levels of protection
10. Separation of management, enforcement and accountability
11. Security is model-driven
12. Security-critical resources must be aware of their security context
13. Consistency in approaches, mechanisms and software components
The IBM Security Blueprint separates security management from infrastructure services.
What requirements do our customers – cloud service users and cloud service providers – have for a cloud solution? Take classic data center security and add the aspect of dynamics, one of the properties of the cloud. This gives you the list of challenges above with its 11 points – at least 11 points.
Note: GS Prz – business processes. Views and remarks of the person responsible for IT or their delegate; a frequent comment: I have to do cloud, I am supposed to do cloud, but how? Or: I am already doing cloud, namely .. virtualization. Most prospects for cloud & security are in the area of virtualization + standardization, partly automation, but many also openly admit: consolidation is what occupies them. A security roadmap has to be drawn up together with the customer, covering the business processes + IT processes + security topics. And this for every phase, e.g. here for virtualization; many do not have the risks on their radar.
VMware, NOT PowerVM. Here 4 security scenarios 1 2 3
A collection of recommendations from the BSI for CC providers. I recommend that users read it too and check their providers against it. Or a service provider is considering offering cloud services: what has to be taken into account – a good start, on an abstract, high level, hardly technical.
I extracted the individual topics from the BSI catalogue and captured them as a MindMap, then added supplements in various colours and named further topics. It serves, among other things, as a guide for customer discussions. Further sources of information.
This is the complete MindMap in version 1.0; current version 1.03 / 16.08.2011. Further versions will follow.
Here in the middle, hard to miss: the cloud platform with its 3 layers: Services, Business Support Systems/Services, Operations Support Systems/Services, following the TMForum CSP eTOM model -> WHERE do you start with security here: outside – inside?
A list of security challenges; actually nothing new if you have already dealt with these topics in the "old" world ..
Cloud vs. "virtualization only". A cycle that also affects security; security has to be integrated, and it has to be integrated into the fundamental architecture from the start. Missing here: exit management. What happens to the data, how do all parties remain auditable, which dependencies on the workload exist?
Standard model – layer model. 1+2: abstraction of the HW through consolidated HW. 3: catalogue system -> no more management on request. 4: gains through automation from ordering to decommissioning – careful, decommissioning is a delicate topic: what happens to the data, what about auditability? 5: at the end the secure cloud pops out .. OK, it is not quite that simple.
Let us take the lowest layers: HW + virtualization. These exist not just once but x times, unless you have an omnipotent machine – or are only playing with cloud. So x times HW + x times virtualization, AND this managed by 1 platform, not x+1 platforms or management consoles. The result is a distributed cloud infrastructure; yes, it can be entirely local, but it does not have to be. Examples of distributing a private cloud and what that means follow.