Cloud Security: Beyond the Buzz

  1. Cloud Security: Beyond the Buzz
     Real-world case studies show how time-tested security concepts are applied to the Cloud

  2. Today’s Chat
     • Introduction
       • Me, my company, and why we care about Cloud.
     • What’s Cloud?
       • SaaS, IaaS, PaaS
     • What’s Cloud Security?
       • Different for SaaS, IaaS, PaaS
     • The Nitty Gritty
       • Considerations and case studies
  3. Introduction: Terremark Worldwide
     • World-class Data Centers
       • NAP of the Americas, NAP of the Capital Region
       • Network-agnostic (e.g., ~100 ISPs in NAPOTA)
     • World-class Managed Hosting
       • Built on InfiniStructure – a virtualized platform
       • Large sensitive clients: H&R Block, Broadlane, ...
     • Enterprise Cloud
       • Built on InfiniCenter, evolved from InfiniStructure
  4. Terremark and the Cloud
     • Gartner Magic Quadrant
     • VMWare Service Provider of the Year
     • VMWare recently bought 5% of TMRK
     • Deep Cisco partnership
     • Large Federal Cloud deployments
     • Large Banking Cloud deployments
     • Security is a key differentiator for us!

  5. Introduction: Mario D. Santana
     • Director, Secure Information Services
       • Security/risk consulting, forensics, etc.
       • Security of Terremark’s hosting environments
       • Expert witness, lectures, etc.
     • CISSP, CISA, GIAC, ECTF, Infragard, etc…
     • Systems developer/designer in the 80’s
     • Systems administrator/architect in the 90’s
     • Security guy in the 00’s
  6. WHAT’S “THE CLOUD?”
     Depends who you ask. It’s some level of IT abstraction.

  7. What’s Cloud?
     • Depends who you ask!
     • Much agreement on NIST’s [1] 5 characteristics:
       • On-demand self-service
       • Ubiquitous network access
       • Location-independent resource pooling
       • Rapid elasticity
       • Measured service
     • You know this: you’re at CloudWorld!
  8. Cloud is Abstraction
     • NaaS: Network as a Service
       • The original cloud, as in network diagrams
       • We don’t care how it works, it’s a black box
     • “Service”, “Utility”, “On-Demand”, etc…
       • Not to be confused with “managed” services
       • These are more of a partnership with a vendor
     • Bottom line: Cloud is someone else’s problem. “It just works.”

  9. Different Kinds of Cloud Computing
     • Infrastructure as a Service (IaaS)
       • “Abstract away the data center”
       • Amazon EC2, Terremark e-Cloud
     • Platform as a Service (PaaS)
       • “Abstract away the middleware”
       • Google AppEngine, Microsoft Azure
     • Software as a Service (SaaS)
       • Salesforce.com, countless others…

  10. The Cloud Stack
     • Higher layers are built on lower layers
     • Higher abstractions “include” lower ones
     • Clouds used to be all (SaaS) or nothing (NaaS)
     • Today’s marketplace has more fine-grained distinctions

  11. Moving Target
     • In analyst-speak: it’s a “dynamic marketplace”
     • Semantics matter
       • New solutions break young, unrefined definitions
       • They yield insight about why Cloud is useful
       • As the marketplace matures, definitions solidify
     • Players are making moves
       • SaaS players offering PaaS and IaaS, for example
       • Amazon’s multitude of offerings are coalescing
  12. WHAT’S CLOUD SECURITY?
     It’s technology + process + due diligence. The core issue is trust.

  13. Technology, Process, Shoe Leather
     • There’s no magic technology in the Cloud
       • The stack is made up mostly of the same old stuff
       • There are a very few special considerations
     • The Cloud is more than the technology
       • It’s also the business, cost, and operating models
       • Cloud security can look like security of outsourcing
     • Bottom line: understand and secure the layers
       • The secret ingredient is due diligence

  14. Technology: Defense in Depth
     • Defend each layer independently
     • A few special considerations: shared resources
       • All models: shared networking
       • IaaS: shared virtualization and storage
       • PaaS: shared middleware, database, etc.
       • SaaS: shared everything
     • Mostly, non-Cloud security measures translate fairly easily to Cloud environments

  15. The Real Issue: Trust
     • Obviously, reputation matters
       • How long has the vendor been doing Cloud?
       • How solid is their past security record?
       • What are their plans? Will they be around long?
     • Fundamental approach: Trust but Verify
       • Without verification, it’s more faith than trust
       • Partnerships with trustworthy third parties can help
     • Weaknesses don’t have to be fatal
       • If you know about them, you can work with them
  16. IAAS
     The Nitty Gritty: Considerations and Case Studies

  17. IaaS: security challenges
     • Virtualization issues
       • VM “break-out” attack: scary but rare
       • Miscellanea (e.g., hypervisor log-file flooding)
     • Shared infrastructure issues
       • Shared storage: clean it before de-allocating it
       • Shared CPU/RAM: don’t over-allocate resources
     • Depend on outsourced datacenter practices
       • These will cover pretty much everything else!

  18. IaaS: security benefits
     • Virtualization benefits
       • Machine-level instrumentation (e.g., VMSafe)
       • Simplified incident response, forensics, recovery
     • Shared infrastructure benefits
       • Shared, industrial-strength instrumentation
       • Correlate security information across customers
     • Relatively simple to understand
       • IaaS is much like any other outsourced data center

  19. IaaS case study: Enterprise Cloud
     • Terremark’s offering – I’m very familiar with it
     • Right now it’s a pure IaaS play
     • Meeting the IaaS security challenges:
       • Mature architecture evolved over five years
       • Zero-on-read for shared storage
       • No over-allocation of CPU or RAM
     • Leveraging IaaS security benefits:
       • Robust, integrated managed security offerings
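The two shared-infrastructure controls from slides 17 and 19 (clean shared storage before another tenant can read it, and don't over-allocate RAM) are easy to state but worth seeing in mechanism. The toy model below is an added example, not Terremark's or any vendor's code: it models a shared block pool where the previous tenant's bytes stay on disk after release, and shows what the next tenant reads with and without zero-on-read, plus a RAM pool that refuses reservations beyond physical capacity unless overcommit is explicitly enabled. Block size, pool sizes and tenant names are assumptions.

```python
"""Toy model of two IaaS shared-resource controls named on the slides:
zero-on-read for shared block storage and a hard cap on RAM reservations.
Constructed illustration, not Terremark code; sizes and names are assumptions."""
from dataclasses import dataclass, field

BLOCK_SIZE = 16  # bytes per block in this toy pool (assumption)


@dataclass
class BlockStore:
    """Shared block pool. Releasing a block leaves its bytes in place;
    zero_on_read decides whether the next owner can see them."""
    n_blocks: int
    zero_on_read: bool = True
    _data: list = field(default_factory=list, repr=False)
    _owner: dict = field(default_factory=dict)  # block -> tenant
    _stale: set = field(default_factory=set)    # released, not yet overwritten

    def __post_init__(self):
        self._data = [bytes(BLOCK_SIZE) for _ in range(self.n_blocks)]

    def allocate(self, tenant):
        # Lowest free block first, so a released block is reused quickly.
        for b in range(self.n_blocks):
            if b not in self._owner:
                self._owner[b] = tenant
                return b
        raise RuntimeError("pool exhausted")

    def write(self, tenant, block, payload):
        self._check(tenant, block)
        self._data[block] = payload.ljust(BLOCK_SIZE, b"\0")[:BLOCK_SIZE]
        self._stale.discard(block)  # now the owner's own data, nothing to mask

    def read(self, tenant, block):
        self._check(tenant, block)
        if block in self._stale and self.zero_on_read:
            return bytes(BLOCK_SIZE)  # previous tenant's bytes are masked
        return self._data[block]      # weak setting: remanent data is exposed

    def release(self, tenant, block):
        self._check(tenant, block)
        del self._owner[block]
        self._stale.add(block)  # cleaning cost deferred to the next read

    def _check(self, tenant, block):
        if self._owner.get(block) != tenant:
            raise PermissionError(f"{tenant} does not own block {block}")


@dataclass
class RamPool:
    """Host RAM. Without overcommit, a reservation that would exceed
    capacity is refused rather than silently shared between tenants."""
    capacity_mb: int
    allow_overcommit: bool = False
    _reserved: dict = field(default_factory=dict)  # vm -> MB

    def committed_mb(self):
        return sum(self._reserved.values())

    def reserve(self, vm, mb):
        if not self.allow_overcommit and self.committed_mb() + mb > self.capacity_mb:
            return False
        self._reserved[vm] = mb
        return True


def remanence_demo(zero_on_read):
    """Tenant A writes a secret and releases the block; tenant B is handed
    the same block. Returns what tenant B reads."""
    store = BlockStore(n_blocks=4, zero_on_read=zero_on_read)
    blk = store.allocate("tenant-A")
    store.write("tenant-A", blk, b"A-secret-key")
    store.release("tenant-A", blk)
    reused = store.allocate("tenant-B")
    return store.read("tenant-B", reused)


if __name__ == "__main__":
    print("zero-on-read:", remanence_demo(True))
    print("no cleaning :", remanence_demo(False))
    pool = RamPool(capacity_mb=64)
    print("vm1 40MB:", pool.reserve("vm1", 40), "vm2 40MB:", pool.reserve("vm2", 40))
```

The design point is where the cleaning cost lands: zero-on-release pays it on the tenant that is leaving, zero-on-read spreads it across the next tenant's first accesses, and either is acceptable; what is not acceptable is the `zero_on_read=False` path, where the pool hands the next tenant whatever the last one left behind.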
  20. PAAS
     The Nitty Gritty: Considerations and Case Studies

  21. PaaS: security challenges
     • Complex, powerful APIs are hard to protect
       • The platform itself must be safe from attack
       • Applications must be isolated from each other
     • Security mechanisms are “secret sauce”
       • Details are scarce and vendors aren’t talking
       • Awkward to do due diligence or compliance
     • Applications might still be insecure
       • Even a perfectly secure platform can’t fix that

  22. PaaS: security benefits
     • Centrally-managed platform
       • Fixes and countermeasures help all users
       • Correlation of security information across users
     • More and better expertise about the platform
       • The best and brightest people
       • More attention to (security-related) detail
     • Many non-Cloud measures translate directly
       • Application firewalls, strong authentication, etc.

  23. PaaS case study: Google Apps
     • Awkward case study, since Google isn’t talking
     • Severely limited API (reduce complexity)
     • Big promises, backed by a strong reputation [1]
     • There is fuel for speculation:
       • Guido is on board (Google bets on smart people)
       • Java was designed with sandboxing from early on
     • Recent issues [2] have scared sensitive clients [3]
     • Continued evolution of real and perceived security

  24. SAAS
     The Nitty Gritty: Considerations and Case Studies
  25. SaaS: security challenges
     • Even more than with PaaS, trust is the key
       • The vendor runs everything, soup to nuts
       • The due diligence takes more effort
     • As with PaaS, vendors are tight-lipped
       • Again, there’s “secret sauce” involved
       • More limited use cases expose fewer details
     • No opportunity to work around weaknesses
       • The vendor controls every layer of the technology

  26. SaaS: security benefits
     • Centrally-managed application
       • Security is stressed by many users
       • Attack information correlated from many users
     • Attention to the application
       • Unlike for users, running this app is the business
       • Shared costs bring more expertise and resources
     • Little or no technical skill needed to assess
       • Lean on processes, certifications, and reputation

  27. SaaS case study: Salesforce.com
     • Very mature platform, yet still evolving
       • Started as a focused SaaS pure play
       • Solidly placed in the PaaS market today
     • Security history typical of outsource partner
       • In 2007, over 900K customer identities stolen
       • In 2009, an extended outage during peak hours
     • Original concept is simple
       • Keep watching as force.com gains momentum

  28. BONUS ROUND
     Additional thoughts.
  29. Bonus Round
     • Typical recommendations
       • The “what” is the same for Cloud or no Cloud.
     • How-to considerations
       • The plumbing is different in virtual environments
       • In theory, everything is easy; in practice, it depends
     • Testing for security in the Cloud
       • Shared environments are always tricky to test
       • Bottom line: coordinate with your vendor

  30. Typical Recommendations
     • Full packet capture with session reassembly
     • NetFlow analysis (especially for DDoS)
     • Detailed incident response plan
     • Full forensics capability predefined
     • Code-level security review of applications
     • Application-level firewall
     • End-user metrics and analytics
     These are the same for Cloud or no Cloud.
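Slide 30 recommends NetFlow analysis "especially for DDoS" without saying what the analysis looks at. The script below is an added example, not part of the deck: it aggregates constructed flow records per destination and time window and flags the combination that characterises a volumetric flood (a large number of distinct sources, each contributing flows of only a packet or two, against one destination), which a handful of long legitimate sessions never produces. The record tuple is a simplified stand-in for real NetFlow v5/v9 fields, and the thresholds are assumptions to be tuned against the tenant's own baseline.

```python
"""NetFlow-style detection of a volumetric flood over constructed flow records.
Added example; the tuple layout is a simplified stand-in for NetFlow fields
and the thresholds are assumptions, not a vendor's tuning."""
from collections import defaultdict

# Constructed records: (start_sec, src_ip, dst_ip, dst_port, proto, packets, bytes)
BASELINE = [
    (0, "203.0.113.5", "198.51.100.10", 443, "TCP", 120, 150_000),
    (1, "203.0.113.6", "198.51.100.10", 443, "TCP", 90, 110_000),
    (2, "203.0.113.7", "198.51.100.10", 443, "TCP", 80, 100_000),
    (3, "203.0.113.7", "198.51.100.10", 443, "TCP", 60, 70_000),
    (41, "203.0.113.5", "198.51.100.10", 443, "TCP", 100, 120_000),
]

# Constructed flood: 150 distinct sources, one target, one packet per flow.
FLOOD = [
    (60 + i % 10, f"192.0.2.{i}", "198.51.100.10", 443, "TCP", 1, 60)
    for i in range(1, 151)
]

FLOWS = BASELINE + FLOOD


def summarize(flows, window=10):
    """Aggregate flows per (window_start, dst_ip)."""
    buckets = defaultdict(lambda: {"srcs": set(), "flows": 0, "packets": 0, "bytes": 0})
    for start, src, dst, _port, _proto, pkts, nbytes in flows:
        b = buckets[(start // window * window, dst)]
        b["srcs"].add(src)
        b["flows"] += 1
        b["packets"] += pkts
        b["bytes"] += nbytes
    return buckets


def detect_floods(flows, window=10, min_sources=100, max_pkts_per_flow=3.0):
    """Flag windows where one destination is hit by many sources using very
    short flows: real sessions carry many packets, flood flows carry one."""
    alerts = []
    for (t, dst), b in sorted(summarize(flows, window).items()):
        avg = b["packets"] / b["flows"]
        if len(b["srcs"]) >= min_sources and avg <= max_pkts_per_flow:
            alerts.append({
                "window_start": t, "dst": dst, "sources": len(b["srcs"]),
                "flows": b["flows"], "avg_pkts_per_flow": round(avg, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(FLOWS):
        print(alert)
```

On the constructed data only the 60-second window fires; the baseline traffic has three sources and 60 to 120 packets per flow and stays quiet. In a shared IaaS environment the same aggregation is usually run by the provider on the shared network instrumentation (slide 18), which is why the correlation across customers that the deck mentions is valuable: a source set that is small per tenant can be large across the whole platform.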
  31. How-To Considerations
     • Plumbing is different in a virtualized datacenter
       • Software switches and things like VMSafe
       • Be careful not to expose more attack surface
     • In theory, everything is easier
       • The flexible plumbing opens a new world of options
     • In practice, it depends
       • The vendor controls the virtualization layer
       • Do they have the wherewithal to cater to your custom needs?

  32. Testing for Security in the Cloud
     • Shared environments are tricky to test
       • Read and understand the acceptable use policy
       • By design, security tests look like hacking activity
       • Illegal access vs. pen-testing: what’s the difference?
     • Bottom line: coordinate with your vendor
       • Clearly define the rules of engagement
       • Any findings will improve the service you receive
     • You can still incorporate the element of surprise
       • E.g., perform authorized tests at random intervals

  33. THANK YOU!
     Questions and discussion.
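Slide 32's advice to "clearly define the rules of engagement" and to keep the element of surprise by testing "at random intervals" can be made concrete. The script below is an added example and not part of the presentation: it writes an assumed rules-of-engagement agreement down as data (the tenant's own address range, an agreed low-traffic window, the test categories the vendor accepted and the ones excluded because they would affect other tenants, and a minimum notice period), checks a planned test against it before anything runs, and picks random authorized start times inside the agreed window. The tenant name, address ranges, window, categories and dates are all constructed.

```python
"""Rules of engagement for testing in a shared cloud environment, as data a
planned test can be checked against, plus random scheduling inside the agreed
window. Added example; every value in ROE and the plans is an assumption."""
import ipaddress
import random
from datetime import datetime, time, timedelta

# Assumed agreement between the tenant and the cloud vendor.
ROE = {
    "tenant": "example-tenant",
    "in_scope": ["198.51.100.0/28"],         # only this tenant's own addresses
    "window_utc": (time(1, 0), time(5, 0)),  # agreed low-traffic hours
    "allowed": {"port-scan", "web-app-scan", "config-review"},
    "forbidden": {"dos", "vm-breakout"},     # would touch other tenants
    "notice_minutes": 30,                    # vendor must know this far ahead
}

# Constructed test plans: one that violates the ROE three ways, one that fits.
BAD_PLAN = {
    "targets": ["198.51.100.3", "198.51.100.99"],  # second is outside scope
    "tests": ["port-scan", "dos"],
    "start": datetime(2024, 3, 2, 2, 30),
    "vendor_notified": datetime(2024, 3, 2, 2, 15),  # only 15 minutes ahead
}
GOOD_PLAN = {
    "targets": ["198.51.100.3"],
    "tests": ["port-scan", "web-app-scan"],
    "start": datetime(2024, 3, 2, 2, 30),
    "vendor_notified": datetime(2024, 3, 1, 12, 0),
}
FIRST_DAY = datetime(2024, 4, 1)  # midnight; day offsets are added to it


def in_window(when, roe=ROE):
    lo, hi = roe["window_utc"]
    return lo <= when.time() <= hi


def check_plan(plan, roe=ROE):
    """Return a list of problems; an empty list means the plan fits the ROE."""
    problems = []
    nets = [ipaddress.ip_network(n) for n in roe["in_scope"]]
    for target in plan["targets"]:
        if not any(ipaddress.ip_address(target) in n for n in nets):
            problems.append(f"target {target} is outside the in-scope ranges")
    for kind in plan["tests"]:
        if kind in roe["forbidden"]:
            problems.append(f"test '{kind}' is forbidden in a shared environment")
        elif kind not in roe["allowed"]:
            problems.append(f"test '{kind}' was never agreed with the vendor")
    if not in_window(plan["start"], roe):
        problems.append("start time is outside the agreed window")
    if plan["start"] - plan["vendor_notified"] < timedelta(minutes=roe["notice_minutes"]):
        problems.append("vendor was notified too late")
    return problems


def schedule_random_tests(count, days, first_day=FIRST_DAY, roe=ROE, seed=None):
    """Pick `count` start times on random days within `days` of first_day,
    each inside the agreed window: authorized, but not predictable."""
    rng = random.Random(seed)
    lo, hi = roe["window_utc"]
    span = (hi.hour * 60 + hi.minute) - (lo.hour * 60 + lo.minute)
    starts = []
    for _ in range(count):
        offset = timedelta(days=rng.randrange(days), hours=lo.hour,
                           minutes=lo.minute + rng.randrange(span))
        starts.append(first_day + offset)
    return sorted(starts)


if __name__ == "__main__":
    for problem in check_plan(BAD_PLAN):
        print("REJECT:", problem)
    print("GOOD_PLAN problems:", check_plan(GOOD_PLAN))
    for start in schedule_random_tests(3, 30, seed=7):
        print("scheduled:", start.isoformat())
```

The forbidden list is the part that matters most in a shared environment: a test category that is fine against a dedicated data center (load generation, probing the virtualization layer) lands on the neighbours' infrastructure in the Cloud, which is exactly why the slide says the vendor has to be in the loop. Random scheduling keeps the surprise for the operations team while the vendor's security contacts already hold the signed agreement.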