Securing the Cloud (Don’t get lost in the fog) Chris Munt M/Gateway Developments Ltd

Topics Real World View Assessing risk Corporate/Lawyers View Analysis of commercial risk Technical View Using technology to mitigate risk

Real World View

Assessing risk

Corporate/Lawyers View

Analysis of commercial risk

Technical View

Using technology to mitigate risk

Real world view

Assessing risk What risks are you exposed to?

Assessing risk

Assessing risk Indentify weaknesses

Assessing risk Can technology help?

Assessing risk Source: XKCD web comic: http://xkcd.com/

Assessing risk Lost in the fog of fanciful terms used to describe technology?

Assessing risk Cyberspace Virtualization Cloud computing Private Cloud Public Cloud Hybrid Cloud Cloudware IaaS, PaaS, SaaS

Assessing risk Cloud Computing Real computers Real databases Real networks Who’s watching you?

Real computers

Real databases

Real networks

Assessing risk What about human factors?

Assessing risk

Assessing risk

Assessing risk “ You must change your password every few weeks and it must be constructed from no less than twelve characters which will include a mixture of upper and lower case letters, digits and punctuation characters”

Assessing risk Security versus Convenience?

Assessing risk

Assessing risk Why would anyone want to break your security?

Assessing risk

Assessing risk What’s your data worth to you? What’s it worth to someone else?

Assessing risk Lindisfarne Castle, Holy Island ~1797 by Thomas Girtin (1775–1802)

Assessing risk Best security is data locked in a secure room Not practical Sensible compromise required Must be practical with safeguards against all likely risks

Best security is data locked in a secure room

Not practical

Sensible compromise required

Must be practical with safeguards against all likely risks

Corporate/Lawyers view

Cloud Computing: Risks to an organization Focus on Security and Accountability Gartner report June 2008 Identify seven areas of risk Suggest questions to be directed at service provider Reference: http://www.infoworld.com/article/08/07/02/Gartner_Seven_cloudcomputing_security_risks_1.html

Focus on Security and Accountability

Gartner report June 2008

Identify seven areas of risk

Suggest questions to be directed at service provider

Reference:

http://www.infoworld.com/article/08/07/02/Gartner_Seven_cloudcomputing_security_risks_1.html

User Access Risk Privileged user access Who has access to your data? Who administers the systems? Governance

Privileged user access

Who has access to your data?

Who administers the systems?

Governance

Regulatory Compliance Risk You are ultimately responsible for the security and integrity of your own data What is in your data? Do you store sensitive information about others? Is the supplier subject to external audit in the same way as conventional suppliers of outsourcing solutions?

You are ultimately responsible for the security and integrity of your own data

What is in your data?

Do you store sensitive information about others?

Is the supplier subject to external audit in the same way as conventional suppliers of outsourcing solutions?

Data Location Risk You probably have no control of where your data is physically held Can you insist that it be held within a certain jurisdiction? Can the Cloud provider sign up to local privacy requirements on behalf of their customers?

You probably have no control of where your data is physically held

Can you insist that it be held within a certain jurisdiction?

Can the Cloud provider sign up to local privacy requirements on behalf of their customers?

Data Segregation Risk Your data is usually stored in shared environments along with the data of other customers. Ask about encryption schemes used and how they are verified Assess risk of encryption accidents Possibility of rendering data unreadable

Your data is usually stored in shared environments along with the data of other customers.

Ask about encryption schemes used and how they are verified

Assess risk of encryption accidents

Possibility of rendering data unreadable

Risks Associated With Recovery Even with modern equipment disasters can (and do) still happen Can the supplier do a complete recovery? How long will a full recovery take? Granularity of recovery?

Even with modern equipment disasters can (and do) still happen

Can the supplier do a complete recovery?

How long will a full recovery take?

Granularity of recovery?

Risks inherent in investigating security breaches and illegal activity Inherent difficulty in investigating illegal activity in shared environments To what extent can the supplier support investigative work? To what extent do you have to account for illegal activity involving your application and/or data?

Inherent difficulty in investigating illegal activity in shared environments

To what extent can the supplier support investigative work?

To what extent do you have to account for illegal activity involving your application and/or data?

Risks associated with sustainability Long term viability of supplier What happens if the supplier goes bust? What happens if the supplier is taken over by another company? How would you get your data back (and port it to another platform) if you needed to?

Long term viability of supplier

What happens if the supplier goes bust?

What happens if the supplier is taken over by another company?

How would you get your data back (and port it to another platform) if you needed to?

Technical view

Cloud Computing: Security Standards compliance Credit Card transactions Payment Card Industry – PCI compliance 4 Levels Confidential data Medical records Personal financial data Securing applications

Credit Card transactions

Payment Card Industry – PCI compliance

4 Levels

Confidential data

Medical records

Personal financial data

Securing applications

PCI compliance Level 1 Very large businesses and/or those that have been compromised More than 6 million transactions per year Systems designed by credit card companies Annual on-site security audit Quarterly system perimeter scans Probe of network to detect vulnerabilities Merchants choose from certified list of service providers

Level 1

Very large businesses and/or those that have been compromised

More than 6 million transactions per year

Systems designed by credit card companies

Annual on-site security audit

Quarterly system perimeter scans

Probe of network to detect vulnerabilities

Merchants choose from certified list of service providers

PCI compliance Level 2 Merchants processing 1,000,000 to 6,000,000 transactions per year Annual compliance questionnaire Quarterly system perimeter scans

Level 2

Merchants processing 1,000,000 to 6,000,000 transactions per year

Annual compliance questionnaire

Quarterly system perimeter scans

PCI compliance Level 3 Merchants processing 20,000 to 1,000,000 transactions per year Annual compliance questionnaire Quarterly system scans

Level 3

Merchants processing 20,000 to 1,000,000 transactions per year

Annual compliance questionnaire

Quarterly system scans

PCI compliance Level 4 Merchants processing less than 20,000 transactions per year Annual self-assessment questionnaires Quarterly scans

Level 4

Merchants processing less than 20,000 transactions per year

Annual self-assessment questionnaires

Quarterly scans

PCI compliance in the Cloud Basic Level 4 compliance Don’t store credit card information One-time transactions via web services to a credit card processing gateway Can be done inside or outside cloud

Basic Level 4 compliance

Don’t store credit card information

One-time transactions via web services to a credit card processing gateway

Can be done inside or outside cloud

PCI compliance in the Cloud Storing credit card information? Usually need level-2 compliance Not attainable on shared virtualized servers in the cloud In-house solution Credit card details must be stored outside cloud Or on dedicated virtualized environments Rackspace and GoGrid Third party supplier Cloud based provider of billing systems Store the credit card data on your behalf and manage any recurring transactions for you Zuora or Aria

Storing credit card information?

Usually need level-2 compliance

Not attainable on shared virtualized servers in the cloud

In-house solution

Credit card details must be stored outside cloud

Or on dedicated virtualized environments

Rackspace and GoGrid

Third party supplier

Cloud based provider of billing systems

Store the credit card data on your behalf and manage any recurring transactions for you

Zuora or Aria

PCI Compliance in the Cloud Source: http://cloudsecurity.org

Cloud Computing: Securing confidential information Medical records Personal financial data Perception of risk is as important as actual risk Compartmentalise data Anonymous data in the cloud ‘ Root index’ stored outside the cloud Data in the cloud cannot be related to a particular individual without the ‘root index’.

Medical records

Personal financial data

Perception of risk is as important as actual risk

Compartmentalise data

Anonymous data in the cloud

‘ Root index’ stored outside the cloud

Data in the cloud cannot be related to a particular individual without the ‘root index’.

Cloud Computing: Securing confidential information PATIENT Patient_ID Name Birth_Date Address ADMISSION Patient_ID Admission_Date Ward Consultant TEST Test_Date Specimen_ID Patient_ID Specimen_Type TEST_RESULT Test_Date Specimen_ID Test_ID Result

Cloud Computing: Securing confidential information Typical Hospital Database Data is meaningless without the Patient Master Index PATIENT Object/Table keyed by PATIENT_ID Use of surrogate keys Anonymization is already used for research data Hybrid approaches using public and private cloud infrastructure M/Gateway’s M/DB Plug compatible with Amazon’s SimpleDB

Typical Hospital Database

Data is meaningless without the Patient Master Index

PATIENT Object/Table keyed by PATIENT_ID

Use of surrogate keys

Anonymization is already used for research data

Hybrid approaches using public and private cloud infrastructure

M/Gateway’s M/DB

Plug compatible with Amazon’s SimpleDB

Obscurity in the Cloud Most attacks on publically accessible infrastructure are against known vulnerabilities Hide identity of web server and underlying platform Use header masking facilities if they are available Use customized error pages

Most attacks on publically accessible infrastructure are against known vulnerabilities

Hide identity of web server and underlying platform

Use header masking facilities if they are available

Use customized error pages

Securing Applications in the Cloud HTTP Basic authentication Supported by all browsers Client credentials passed to server in the clear Really only useful for secured (internal) networks HTTP digest authentication Protection for password Some compatibility issues with browsers Still not as strong as authentication over SSL/TLS or Kerberos. Both only suitable for guarding against casual attacks in private Clouds

HTTP Basic authentication

Supported by all browsers

Client credentials passed to server in the clear

Really only useful for secured (internal) networks

HTTP digest authentication

Protection for password

Some compatibility issues with browsers

Still not as strong as authentication over SSL/TLS or Kerberos.

Both only suitable for guarding against casual attacks in private Clouds

Securing Applications in the Cloud SSL/TLS Transport Layer Security (successor to SSL) Usually authenticates server to a non-authenticated client Certificate issued to server. Client identifies him/herself using a username/password over the secure channel (all communications encrypted). Mutual authentication Certificate issued to both client and server Kerberos Both suitable for use in public Clouds User authentication Content protection

SSL/TLS

Transport Layer Security (successor to SSL)

Usually authenticates server to a non-authenticated client

Certificate issued to server.

Client identifies him/herself using a username/password over the secure channel (all communications encrypted).

Mutual authentication

Certificate issued to both client and server

Kerberos

Both suitable for use in public Clouds

User authentication

Content protection

Coding for the Cloud Client-side JavaScript in web applications Ajax techniques Code can be viewed by the client Protect against users modifying URLs used in Ajax calls

Client-side JavaScript in web applications

Ajax techniques

Code can be viewed by the client

Protect against users modifying URLs used in Ajax calls

Storing Data in the Cloud Your own database hosted in the cloud Security ‘best practice’ is the same as for any other public facing web application Be careful with Ajax techniques Proprietary Cloud-based data store Amazon Web Services: S3, Simple DB Charged by usage Be sure to protect ‘access keys’ to data-store! AWS Access Key Be particularly careful with JavaScript Keys should only be visible to a ‘proxy layer’ mediating between client and server

Your own database hosted in the cloud

Security ‘best practice’ is the same as for any other public facing web application

Be careful with Ajax techniques

Proprietary Cloud-based data store

Amazon Web Services: S3, Simple DB

Charged by usage

Be sure to protect ‘access keys’ to data-store!

AWS Access Key

Be particularly careful with JavaScript

Keys should only be visible to a ‘proxy layer’ mediating between client and server

Conclusion Conventional Web Security Role for Hybrid Architectures E.g. M/DB and Amazon SimpleDB Common sense

Conventional Web Security

Role for Hybrid Architectures

E.g. M/DB and Amazon SimpleDB

Common sense