Zimory White Paper: Security in the Cloud pt 1/2


The Cloud has intrinsic and dynamic characteristics of proactivity and interaction. From the customer's point of view, they might seem difficult to control with conventional IT security standards. Cloud computing security is, in reality, not isolated from the standard IT security and data protection policies and regulations. Main security concerns are:
  • Data protection
  • Sharing of resources
  • Differences in country legislations
The following document analyzes security in virtualized environments from the Cloud customer's point of view, justifying the importance of customer awareness about security issues in the Cloud.

Published in: Technology, Business

Zimory White Paper: Security in the Cloud pt 1/2

SECURITY IN THE CLOUD
Part 1 – Guarantees for Cloud Security
White Paper, November 2012

SECURITY IN THE CLOUD – PART 1
Copyright © 2013, Zimory GmbH

TABLE OF CONTENTS

  • Introduction and Problem Description
  • Security vs. Decision of Moving to the Cloud
      • Market Perspectives for Virtualization
      • Cloud Security Best Practices
  • Benefits of Cloud Security
  • Security Implications in the Zimory Cloud Suite
      • Security Standards and Testing Procedures: The Zimory Cloud Suite case
  • Conclusion
  • Contact Information

INTRODUCTION AND PROBLEM DESCRIPTION

The Cloud stopped being a trend; it is now a reality. However, some aspects of the Cloud cause hesitation for both customers considering moving to the Cloud and Cloud Service Providers.

The Cloud has intrinsic and dynamic characteristics of proactivity and interaction. From the customer's point of view, they might seem difficult to control with conventional IT security standards. Cloud computing security is, in reality, not isolated from the standard IT security and data protection policies and regulations. Main security concerns are:
  • Data protection
  • Sharing of resources
  • Differences in country legislations

The following document analyzes, on one hand, security in virtualized environments from the Cloud customer's point of view, justifying the importance of customer awareness about security issues in the Cloud.

The second part of this white paper presents Zimory as an example of Cloud management services meeting high quality and security standards. This section includes the description of penetration tests performed by one of Zimory's customers in order to observe the responses of the Zimory Cloud Suite when facing simulated attacks.

SECURITY VS. DECISION OF MOVING TO THE CLOUD

When deciding to move to the Cloud, customers must demand to openly discuss with Cloud Service Providers and vendors any security doubt or question they may have. Clarity and efficiency are a must when dealing with these issues in any IT environment, even more so in Cloud Computing environments, where elements that are by definition intrinsic to them (abstracted resources, scalability and flexibility, shared resources, programmatic management, etc.) can create some uncertainties for all parties involved.

As stated by the European Network and Information Security Agency (ENISA), "Cloud's economies of scale and flexibility are both a friend and a foe from a security point of view.
The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective" [1].

Security issues can be a major question mark for businesses hesitating to move to the Cloud. The Cloud, with its innovative technology, has also found effective means to face and resolve these issues in order to provide guarantees.

MARKET PERSPECTIVES FOR VIRTUALIZATION

Regarding virtualization projections in the IT market, the following chart presents Gartner's predictions regarding the progression of virtualization by 2015:

Figure 1. Progress towards Virtualization. Source: Gartner (May 2012)

Based on the previous chart, it is important to mention basic principles regarding the transition from the "physical" security environment to a virtualized security environment [2], such as:
  • Management consoles, which are often the target of an attack.
  • Multi-tenancy and shared resources.
  • Compromising the hypervisor.

[1] Catteddu, Daniele and Hogben, Giles: "Cloud Computing Security Risk Assessment". European Network and Information Security Agency (ENISA), 2009.
[2] For more details regarding this transition, see "Security in the Cloud - Part II: Threats and Solutions". Zimory, 2012.

Providers should be able to offer high-quality security standards in order to limit liability, "minimizing vulnerabilities and using effective security controls" [3]. This is clearly one of the main challenges of the Cloud Computing market due to its novelty and rapid evolution.

CLOUD SECURITY BEST PRACTICES

Ideally, in order to keep Cloud Computing Services balanced and in continuous evolution, there are certain aspects to be considered, which can even serve as a best practices checklist [1]:
  1. Customers must be aware of risks when adopting Cloud services.
  2. Customers should compare different Cloud provider offerings in order to make an informed decision.
  3. Cloud providers should provide customers with as much assurance as possible.
  4. Not all the assurance burden should fall on Cloud providers.
  5. Awareness of regulations of the country where data is stored, where the company is located and where the cloud service provider is located.
  6. Awareness of who controls and regulates data. Customers using services of a US company are exposed to the Patriot Act, for example.
  7. Transparency as the working principle and basis of cloud computing companies and customers.
  8. Whenever possible, allow customers to test Cloud services. Testing procedures will become a guarantee for Cloud Services.

All players involved in cloud computing contracts must be aware of the regulations applicable to their businesses. It is of high importance for Cloud Service Vendors to explain security issues to their customers before moving to the Cloud.

[3] Gartner Inc. Securing and Managing Enterprise Cloud. John Pescatore. May 2012.

BENEFITS OF CLOUD SECURITY

As stated in ENISA's Cloud Computing Security Assessment [1], security in the Cloud can also imply multiple benefits for all parties involved:
  1. Security as a differentiator: Cloud services meeting high security standards can be a stand-out point in a very competitive market.
  2. The larger the scale, the cheaper the implemented security measures.
  3. Efficient and effective scaling of resources: An intrinsic quality of Cloud services is the ability to dynamically reallocate resources for multiple purposes, which has many advantages for resilience.
  4. Audits and gathering consumption information: Zimory Cloud Suite offers a pay-per-use policy and the possibility of exporting resource consumption reports, all of which leads to more effective resource and cost management.
  5. Advantages of resource concentration: This is generally seen as a risk for Cloud Computing. It can also facilitate, however, the application of many security-related measures.

SECURITY IMPLICATIONS IN THE ZIMORY CLOUD SUITE

The Zimory Cloud Suite can be taken as an example of testing the performance of Cloud management services. To be more concrete, Zimory manages public cloud services for large companies on behalf of one of its customers. High security standards are especially required for these security environments, where virtual private clouds are working inside public clouds. This poses a clear security challenge for software managing public cloud services offered inside the high-security networks of telecommunication companies.

When providing these solutions, the Zimory Cloud Suite successfully proves to be capable of meeting all security requirements of a carrier grade IaaS management software.

Furthermore, Zimory's multi-layered security approach provides clear and concrete answers regarding security issues.
This approach is based on a compensation method: if one security layer is compromised, the other layers back up the integrity of the security system. This back-up procedure keeps the system stable and secure, avoiding a complete shutdown.

SECURITY STANDARDS AND TESTING PROCEDURES: THE ZIMORY CLOUD SUITE CASE

Testing procedures are thus of key importance to support and provide security standards to the performance of Cloud services. Therefore, Zimory welcomed one of their customers to perform penetration tests on the Zimory Cloud Suite, based on well-defined security standards.

Penetration tests, or pentests, are defined by Search Software Quality as "the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit" [4]. These tests simulate both internal and external attacks and include four main steps:

Step 1: Preparing the Test. During this step, an access methodology to the tested system is created. Some of the tasks performed during this step are:
  • Defining the system to be tested: In this case, zimory®manage was the tested component, since it allows direct interaction with an end and external user.
  • Determining visibility of the system and the company: Identifying existing limits of the information availability.
  • Setting test depth and aggressiveness.
  • Determining the methodology to approach problems, such as software damages, information leaks, etc.

Step 2: Gathering Information. This step identifies, for example, elements that need to be "less visible". Other tasks of this step include:
  • Providing documentation.
  • Surveying the development process.
  • Examining the I-modules, which constitute the "test steps that serve for pure provision of information".

Step 3: Evaluation of Gathered Information. Analysis of the information gathered during the previous step, including:
  • Identifying critical areas.
  • Identifying achievable goals.
  • Selecting and examining e-modules, or the "active penetration attempts" [4].
  • Describing test cases.

Step 4: Execution Phase or Active Intrusion. Applying the testing procedures described above, penetration tests were performed on the Zimory Cloud Suite in April 2011 and included both on-site and remote tests.

[4] Gershater, Jonathan and Mehta, Puneet. Pen Test (Penetration Testing). Search Software Quality, 2011. Retrieved from: http://searchsoftwarequality.techtarget.com/definition/penetration-testing

After pentest implementation, Zimory software presented no abnormalities regarding essential test parameters such as:
  • Verification of Security laws.
  • Failure causes.
  • Command, XPath and SQL injections: Techniques used to attack software.
  • XML poisoning.
  • XDoS attacks: XML denial of service.

Most of the problems detected during the penetration testing procedure, which were minor issues regarding, for example, cross-site scripting, have since been solved.

Cloud vendors allowing customers and Service Providers to perform test procedures with high standards could nearly be considered a breakthrough in the Cloud Computing world. Lack of standard testing procedures, especially with regard to security issues, has been identified as one of the main customer concerns when moving to the Cloud and one of the reasons for the slow take-off of the Cloud Computing market [5].

Moreover, testing software with such high standard procedures and without having any major issues detected is a clear indicator of carrier grade software meeting high quality standards.

CONCLUSION

It is of key importance for customers to be aware and well informed with regard to security implications from the moment they decide to move to the Cloud. Providers, on the other hand, should be able to offer high-quality security standards in order to limit liability, "minimizing vulnerabilities and using effective security controls" [3].

Security in the Cloud is a matter concerning all actors involved, who must actively contribute to build confidence in the Cloud. Cloud security measures are not at all isolated from the conventional IT security measures. Customers and Cloud service users need to analyze and be aware of security conditions before actually deciding to move to the Cloud.
Finally, the Zimory Cloud Suite can be considered an example of carrier grade IaaS management software, meeting high quality and security standards. As described in this paper, Zimory is open and secure enough to submit its product to rigorous tests regarding security parameters of the product. All of this confirms product guarantees regarding data protection, scalability, flexibility, hardening of virtual machines and hypervisors, etc. Our Cloud Suite is, without a doubt, a secure option for managing Cloud services.

[5] For more information, see "Cloud Computing Market: Understanding its Slow Take-Off in Europe". Zimory, 2012.

CONTACT INFORMATION

Zimory GmbH
Alexanderstrasse 3, 10178 Berlin
Germany
Email: info@zimory.com
Tel: +49 (0)30 609 85 07-0

For the latest information, please visit www.zimory.com

The information contained in this document represents the current view of Zimory GmbH on the issues discussed as of the date of publication. Because Zimory must respond to changing market conditions, this document should not be interpreted to be a commitment on the part of Zimory, and Zimory cannot guarantee the accuracy of any information presented after the date of publication. The information represents the product at the time this document was published and should be used for planning purposes only. Information is subject to change at any time without prior notice.

This document is for informational purposes only. ZIMORY MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2009 Zimory GmbH. All rights reserved. Zimory is a registered trademark of Zimory GmbH in Germany. All other trademarks are the property of their respective owners.