Cloudop security


The next session will look at security and privacy in the cloud. We'll examine the new risks, and what tools can mitigate them. We'll discuss governance, compliance, and what systems we need to use to access cloud resources securely. We'll deal with identity, single-sign-on, and so on.

  • IaaS includes the entire infrastructure resource stack, from the facilities to the hardware platforms that reside in them. Further, IaaS incorporates the capability to abstract resources (or not) as well as to deliver physical and logical connectivity to those resources. Ultimately, IaaS provides a set of APIs which allow for management and other forms of interaction with the infrastructure by the consumer of the service.

    PaaS sits atop IaaS and adds an additional layer of integration with application development frameworks, middleware capabilities and functions such as database, messaging, and queuing that allows developers to build applications which are coupled to the platform and whose programming languages and tools are supported by the stack.

    SaaS in turn is built upon the underlying IaaS and PaaS stacks and provides a self-contained operating environment used to deliver the entire user experience including the content, how it is presented,

  • Private Clouds are provided by an organization or their designated service provider and offer a single-tenant (dedicated) operating environment with all the benefits and functionality of elasticity and the accountability/utility model of Cloud. The physical infrastructure may be owned by and/or physically located in the organization’s datacenters (on-premise) or that of a designated service provider (off-premise), with an extension of management and security control planes controlled by the organization or designated service provider respectively.

    Public Clouds are provided by a designated service provider and may offer either a single-tenant (dedicated) or multi-tenant (shared) operating environment with all the benefits and functionality of elasticity and the accountability/utility model of Cloud. The physical infrastructure is generally owned and managed by the designated service provider and located within the provider’s datacenters (off-premise).

    Managed Clouds are provided by a designated service provider and may offer either a single-tenant (dedicated) or multi-tenant (shared) operating environment with all the benefits and functionality of elasticity and the accountability/utility model of Cloud. The physical infrastructure is owned by and/or physically located in the organization’s datacenters with an extension of management and security control planes controlled by the designated service provider.

    Hybrid Clouds are a combination of public and private cloud offerings that allow for transitive information exchange and possibly application compatibility and portability across disparate Cloud service offerings and providers utilizing standard or proprietary methodologies regardless of ownership or location. This model provides for an extension of management and security control planes

  • Security concerns have been the top factor cited as delaying cloud adoption for the past several years.

    In part this is due to a lack of standards around testing, reporting, SLAs and other standard business agreements that have already been worked out in more mature markets (like hosting).

    Another major factor is that the terms used with cloud-computing can have very different meanings based on context and so discussing cloud security can be tricky without laying down some ground work as far as definitions and context.

  • Public deployments have the advantage of leveraging the service provider’s experience, security budget, process & procedure at a minimal cost to the consumer; however, if a provider doesn’t offer a security feature that is critical to your deployment, you’re pretty much out of luck.

    Anonymizing effect: Being a small fish in a large ocean makes targeted attacks against your infrastructure very difficult to orchestrate. This is amplified by the transitory nature of IP addressing in most IaaS provider offerings. PaaS & SaaS offerings take this further by providing such massively scaled systems that the cost of producing a successful attack can outweigh the potential benefits.

    Collateral Damage: Attacks against the overall cloud provider or against specific systems sharing the same physical infrastructure as yours can lead to collateral damage from attacks not directly targeted at your organization. The “VM Next Door” (same processor, same network segment, etc.) may be a bad actor or the target of one. Cloud providers are high value targets that present a large attack surface on public networks. This, coupled with other items in this list such as the global scope of vulnerabilities, can have a huge impact when doing a risk assessment for public cloud deployments.

    Large Security Investments: Public cloud providers have dedicated security teams, battle-tested policies and procedures and more advanced security tools than most organizations can afford. This plays into the major economic motivator for public cloud adoption, which is leveraging the expertise and budget of the cloud provider.

    Data & AAA security: Keeping secure data on a multi-tenant, non-isolated system requires more planning and resources than keeping it in a private data store. You need to work out how & when to encrypt data as well as how to manage access to that data. Managing AAA (authentication, authorization & accounting) functions can be more challenging in a public cloud deployment. The lack of multi-user role based access controls in most IaaS & PaaS offerings makes managing access to underlying system controls challenging. However, the SOA oriented nature of public cloud services generally means you get a standardized method of accessing, collecting and acting upon AAA data.

    Pre-certification: Public cloud providers continue to amass different security certifications as well as guidelines, policies and procedures that can help their clients reach particular certification levels (e.g. Amazon’s SAS-70 datacenter certifications). Public cloud providers will probably also become major players in helping shape new certification requirements going forward (e.g. the development of new cloud-based PCI compliance requirements has been announced).

    Regulatory Compliance & Certifications: While “pre-certification” is in the advantages column, it is a double-edged sword with public cloud providers. If a cloud provider does not have a particular certification you require, or does not provide a report or feature you require to attain a certification or compliance, the likelihood of being able to influence their feature set is minimal.

    Multi-site system & data redundancy: The automated sharding and distribution of data and workloads to multiple sites is a major benefit of public cloud deployments. The cost and ease with which this is accomplished within public clouds is a major factor favoring their adoption.

    Multi-jurisdiction data store: The flip side of automated data replication to multiple geographic sites is that your data will most likely end up in multiple legal jurisdictions, either in whole or in part. You may not even know which jurisdictions your data is in at any time. This can pose serious problems for achieving certain regulatory requirements (e.g. the EU Data Protection Directive, the US Safe Harbor program). Additionally, you may not know when legal actions (e.g. foreign data subpoenas) have been issued against your data. Having data in multiple jurisdictions also has implications for legal data ownership & recovery issues.

    Fault tolerance & excess capacity: The automated systems and APIs used by IaaS, PaaS & SaaS providers have allowed for the creation of incredibly fault tolerant systems, from autoscaling instances in EC2 to the total cloaking of the hardware & network layers in AppEngine. In terms of excess capacity, public cloud providers allow you to scale to continue providing service in the face of DoS attacks; they also provide amazing resiliency and RESTORATION OF SERVICES following an attack or other security incident.

    Known vulnerabilities are global: This relates back to the “Collateral Damage” item in that once a vulnerability in your public cloud provider’s infrastructure is discovered, it will generally affect all accounts. We have already seen this with several SaaS providers such as Google Apps.
  • Externalization of attack surface: By placing the public side of your application in a public cloud, you can deflect attacks from your corporate environment to the cloud provider, who may be better suited to dealing with them or mitigating them.

    Data Transfer & Access Considerations: Thought has to be given to how data is transferred into and out of the public cloud. What are the security requirements? If you have access controls in place internally, how do you extend those AAA functions to the public cloud?

    Private cloud scaling limits: Hybrid scenarios offer the promise of allowing private clouds to “spill over” excess compute requirements into a public cloud as required. In reality these types of hybrid systems are very difficult to implement today; however, temporarily moving certain workloads between private clouds and public clouds for special events can provide enormous ROI.

    Increased architectural complexity: Marshalling and managing separate AAA systems, data transfers and application communications between private infrastructure and public clouds can be tricky and requires lots of planning.

    Multi-site system & data redundancy: Hybrid solutions also promise to allow corporations to quickly implement disaster recovery and business continuity plans. The costs associated with having a hot or warm standby secondary site are more complicated than in a pure public cloud deployment, yet considerably more cost-effective than with a private cloud deployment.

    Credential Management: Managing access to the public cloud APIs as well as managing inbound traffic from application components hosted in a public cloud can be daunting. Can you validate that inbound messages to your private cloud actually originate from your own systems in the public cloud?

    Isolation & segregation: Hybrid cloud deployments allow corporations to maintain control over the isolation and segregation of their most sensitive data while still providing many of the benefits inherent in a public cloud.

    Regulatory compliance: This can be trickiest in the hybrid model as requirements may span both your corporate systems and those of your cloud provider partners. More on regulatory compliance below.
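One way to answer the credential-management question in the hybrid notes above (can the private side validate that an inbound message really came from one of your own public-cloud components?) is per-component message authentication. This is an added example, not code from the deck; the key registry, the message header layout and the five-minute skew window are assumptions.

```python
"""Origin validation for messages sent from public-cloud components into a
private cloud. Each public-cloud component holds its own shared key and signs
(component id, timestamp, nonce, body) with HMAC-SHA256; the private side
checks the tag in constant time, rejects stale messages and rejects replays.
Assumed layout for illustration only."""
import hashlib
import hmac
import secrets
import time

# Constructed key registry: one secret per public-cloud component, keyed by its id.
COMPONENT_KEYS = {
    "web-frontend-east": b"constructed-example-key-do-not-reuse-1",
    "batch-worker-east": b"constructed-example-key-do-not-reuse-2",
}
MAX_SKEW_SECONDS = 300  # assumed tolerance between the two sides' clocks


def _canonical(component_id, timestamp, nonce, body):
    # Length-prefix every field so that field boundaries cannot be shifted
    # by an attacker who controls the body but not the key.
    parts = [component_id.encode(), str(timestamp).encode(), nonce.encode(), body]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign_message(component_id, body, key=None, now=None):
    """Public-cloud side: build the authentication headers that travel with body."""
    key = key if key is not None else COMPONENT_KEYS[component_id]
    timestamp = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)  # fresh per message; the verifier remembers it
    tag = hmac.new(key, _canonical(component_id, timestamp, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"component": component_id, "timestamp": timestamp, "nonce": nonce, "tag": tag}


class InboundVerifier:
    """Private-cloud side: a message is accepted only if it names a registered
    component, is within the skew window, carries an unseen nonce, and its tag
    verifies under that component's key."""

    def __init__(self, keys, max_skew=MAX_SKEW_SECONDS):
        self.keys = keys
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp; entries outside the window are dropped

    def verify(self, headers, body, now=None):
        now = now if now is not None else time.time()
        key = self.keys.get(headers.get("component"))
        if key is None:
            return False, "unknown component"
        try:
            ts = int(headers["timestamp"])
        except (KeyError, TypeError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "stale or future-dated"
        nonce = headers.get("nonce", "")
        # Nonces older than the window cannot be replayed anyway, so forget them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False, "replay"
        expected = hmac.new(key, _canonical(headers["component"], ts, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("tag", "")):
            return False, "bad signature"
        self.seen[nonce] = ts
        return True, "ok"
```

Mutual TLS between the two sides gives the same origin guarantee at the transport layer; the scheme above is the application-layer equivalent for message queues or brokers that terminate TLS in between.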
  • Redundancy & Availability: by partnering with organizations that share similar requirements, goals & data, organizations can build clouds that provide many of the redundancy aspects offered by public clouds yet make sure that the overall security posture and feature set meets their needs.

    Complexity: More organizations = more complexity. Negotiations on requirements can be a major stumbling block.

    Shared risk & security costs: by pooling security resources among several organizations, community clouds are able to offer security features and services that a single organization might not be able to afford.

    Federation requirements: Mapping role based access controls to users and interconnecting disparate corporate directory services and AAA systems can be extremely time consuming, but can add a level of flexibility for security arrangements between partners that is unavailable in other cloud models.

    Compliance requirements: Members of a community cloud deployment can ensure that “their cloud” meets their particular regulatory and certification requirements, e.g. HIPAA, SOX, PCI-DSS, etc.

    Increased privileged user attacks: Depending on the cloud and application architecture, many more people may have direct access to your organization’s data in a community cloud model. This leads to the increased possibility of privileged user attacks.

    Easy targeting: Community clouds can be a treasure trove for malicious actors looking for specific information. You cannot hide behind the anonymity of public clouds to avoid targeted attacks against your organization or data “types”.
  • Increased control of encryption: IaaS is the only cloud model that allows you to fully dictate when and how data gets encrypted before being committed to persistent storage.

    Account hijacking: Hijacking of cloud account credentials can place the “keys to the kingdom” in an attacker’s hands. Given the low levels of security generally required for exercising cloud account privileges, this can be a major issue. Also, changing cloud account credentials in an IaaS model can be more difficult than with other models.

    Minimized privileged user attacks: Due to the increased low level controls compared to other cloud service models, IaaS provides the least exposure to privileged user attacks.

    Ability to use familiar AAA mechanisms: Since IaaS clouds are providing familiar VMs, you can leverage your existing knowledge of how to secure and manage them.

    API security risks: Think about a private enterprise datacenter and all the layers of security you would need to traverse to shut down a system from a remote location (2-factor VPN authentication, bastion host login, corporate directory credential authorization, ssh authentication, sudo restrictions, etc.). NOW, think about what it takes to remotely shut down a system on EC2 or in Azure: a simple API call from any internet-enabled device.

    More standardized deployments: IaaS provider best practices and methodologies force, guide and cajole system engineers to rely on automated deployment systems. This leads to a much more standardized deployment and change management process.

    Lack of role based authorization: Many IaaS providers still do not provide mechanisms for restricting which systems different operations staff can access or control via API in a granular manner.

    Rapid cross vendor redeployment: Again, because IaaS clouds are providing well-known OS VMs, moving functionality between cloud providers is relatively easy (barring data transfer costs).

    Dependence on security of the virtualization platform: IaaS vendors rely on the security features of the hypervisor or virtualization software to provide security controls. Vulnerabilities in these cloud building blocks can impact all cloud provider customers.

    Full operational control at the VM level: Your organization maintains full control over your systems from the VM level upwards.

    Full responsibility for operations: Even though you have no control over the physical infrastructure or the network, your IT team is still responsible for the security and operations of your production systems. If a PaaS or SaaS provider has an outage you can’t be held responsible; if an IaaS provider has an outage, it was up to you to plan for that eventuality.
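The IaaS notes above contrast the layered path to a remote shutdown in an enterprise datacenter with the single API call that does the same in a public cloud, and point out that most providers offered no granular role-based authorization over that API. As an added example (not code from the deck), here is a deny-by-default authorizer that sits in front of such a control-plane API: roles grant actions only on instances matching tag constraints, and destructive actions additionally require a recent second-factor check. Role names, tags, action names and the MFA window are constructed assumptions.

```python
"""Deny-by-default, tag-scoped, role-based authorization for an IaaS
control-plane API. Constructed example; nothing here is a real provider's API."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Actions that must never be reachable with a bare API credential alone.
DESTRUCTIVE_ACTIONS = {"instance:stop", "instance:terminate"}
MFA_MAX_AGE_SECONDS = 900  # assumed: a second-factor check older than this is not accepted


@dataclass
class Instance:
    instance_id: str
    tags: Dict[str, str]


@dataclass
class Role:
    actions: Set[str]
    # Tag constraints the target must satisfy, e.g. {"env": {"staging"}}; empty means any instance.
    required_tags: Dict[str, Set[str]] = field(default_factory=dict)

    def grants(self, action: str, instance: Instance) -> bool:
        if action not in self.actions:
            return False
        return all(instance.tags.get(k) in allowed for k, allowed in self.required_tags.items())


@dataclass
class Caller:
    user: str
    roles: List[str]
    mfa_verified_at: Optional[float] = None  # epoch seconds of the last second-factor check


# Constructed role set: read-only, staging operators, production operators.
ROLES = {
    "ops-read": Role(actions={"instance:describe"}),
    "ops-staging": Role(actions={"instance:describe", "instance:start", "instance:stop"},
                        required_tags={"env": {"staging"}}),
    "ops-prod": Role(actions={"instance:describe", "instance:start", "instance:stop",
                              "instance:terminate"},
                     required_tags={"env": {"prod"}}),
}


def authorize(caller: Caller, action: str, instance: Instance, now: float):
    """Deny by default: some role of the caller must grant the action on this
    exact instance, and destructive actions also need a fresh second factor."""
    granted = any(ROLES[r].grants(action, instance) for r in caller.roles if r in ROLES)
    if not granted:
        return False, "no role grants %s on %s" % (action, instance.instance_id)
    if action in DESTRUCTIVE_ACTIONS:
        if caller.mfa_verified_at is None or now - caller.mfa_verified_at > MFA_MAX_AGE_SECONDS:
            return False, "fresh second factor required for %s" % action
    return True, "allowed"


def handle_api_call(caller: Caller, action: str, instance: Instance, now: float,
                    audit_log: list) -> bool:
    """Gate in front of the control-plane endpoint; every decision, allowed or
    denied, is appended to the audit log so that AAA accounting data exists."""
    allowed, reason = authorize(caller, action, instance, now)
    audit_log.append({"user": caller.user, "action": action,
                      "instance": instance.instance_id, "allowed": allowed, "reason": reason})
    return allowed
```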

  • Cloudop security

    1. CLOUDOPS: SECURITY It ain’t all fluffy and blue sky out there!
    2. WHO’S THIS GUY? Ward Spangenberg, Director of Security Operations, Zynga Game Network No - I won’t whack the Petville boss who just broke into your cafe and made away with all your “grave dirt” riding a “luv-ewe”. Founding Member of the Cloud Security Alliance
    3. WHAT’S HE GOING TO TALK ABOUT? Definitions: Same starting point for everyone. Security: What does that even mean? Compliance: Did he just say compliance and cloud in the same sentence? Privacy: All your cloud belong to us. Stuff: quips, stories, advice, and hopefully some laughter.
    4. DEFINITION OF CLOUD COMPUTING Cloud computing describes a system where users can connect to a vast network of computing resources, data and servers that reside somewhere “cloudy,” usually on the Internet, rather than locally or in the data center. Cloud computing can give on-demand access to supercomputer-level power, even from a thin client or mobile device such as a smart phone or laptop. (or iPad) (@tomme Agreed. Quit arguing about definition. Common denominator: other people's ppl, other ppl's gear - let's focus on benefits #ccevent)
    5. THE NIST CLOUD DEFINITION (diagram slide; its labels did not survive extraction)
    6. DEFINITIONS OF ARCHITECTURE IaaS: “based on pure virtualization. Vendor owns all the hardware and controls the network infrastructure, and you own everything from the guest operating system up. You request virtual instances on-demand and let them go when you are done.” PaaS: “infrastructure as well as complete operational and development environments for the deployment of your applications.” SaaS: “a web-based software deployment model that makes the software available entirely through a web browser.”
    8. DEPLOYMENT MODELS Public; Private ("I'm just going to call a private cloud a data center." --Kash Rangan, Managing Director, Merrill Lynch); Managed; Hybrid; Mongrel/Mutt
    9. WHY CONSIDER THE CLOUD? Increased productivity; Decreased capital investments; Reduced costs for IT; Scalable systems with low overhead; Increased storage flexibility
    10. WHAT WORKS? Stateless; Compute intensive; Non-sensitive data; Changing workload pattern; Increased workload with greater subscription rate
    11. WHAT DOESN’T WORK? Special hardware; Huge data set; Sensitive data; Low latency requirements; 99.999% availability
    13. SECURITY + CLOUD = ? As my friend Hoff likes to say: “ is difficult to frame meaningful discussion around what security and Cloud Computing means...” Yes, no, maybe. Actually security is not a cloud specific issue. The real struggle is “operational, organizational and compliance issues that come with this new unchartered (or poorly chartered) territory.”
    15. TOP THREATS TO CLOUD COMPUTING Abuse and Nefarious Use of Cloud Computing; Insecure Application Programming Interfaces; Malicious Insiders; Shared Technology Vulnerabilities; Data Loss/Leakage; Account, Service & Traffic Hijacking; Unknown Risk Profile
    16. OWASP TOP 10 A1 – Injection; A2 – Cross Site Scripting (XSS); A3 – Broken Authentication and Session Management; A4 – Insecure Direct Object Reference; A5 – Cross Site Request Forgery (CSRF); A6 – Security Misconfiguration (NEW); A7 – Failure to Restrict URL Access; A8 – Unvalidated Redirects and Forwards (NEW); A9 – Insecure Cryptographic Storage; A10 – Insufficient Transport Layer Protection
    18. LESSONS? Some things are no different in the cloud than they are in the enterprise. The bad guys still want to abuse the resources. It still comes down to data loss.
    19. CLOUD SECURITY COMPLEXITY Many different actors are involved; Complex policy requirements; Simplified procedural operations; Many moving parts; Learning curve for operations & security staff; Traditional security boundaries
    20. WHO’S YOUR NEIGHBOR? The “Process Next Door” may be behaving badly or be under attack. Unbalanced resource consumption can affect operational availability. Shared IP space may have a “bad reputation”. Possible hypervisor level attacks on IaaS platforms. Re-using IP addresses leads to unintentional DoS.
    21. IS IT THE SAME BUILDING? Very different attack surface compared to traditional infrastructure; Large attack surface + high profile = high value targets; Who has access to your data? Clouds bypass the "physical, logical and personnel controls" IT shops exert over in-house programs*; Lack of visibility into data access by privileged users
    22. GOT A HANDYMAN? Management tools & development frameworks may not provide all the security features they should or could. Tool vendors need to keep up to date with cloud providers’ feature enhancements. Limited security toolsets are available in cloud environments. Cloud forensics can be challenging.
    23. COMPLIANCE POSSIBLE? Ability to leverage compliance and certifications the cloud provider already has. Difficult to get feature/policy/procedure changes from the cloud vendor to meet other regulatory requirements or certifications. Distributed nature of cloud services can add jurisdictional issues to regulatory compliance. Investigative support & forensics may be difficult to obtain from your cloud provider.
    24. WHERE FOR ART THOU? Increased regulatory complexities of having data stored in multiple legal jurisdictions. Foreign governments, agencies or corporations may gain access to your data without your knowledge. Increased data availability & resiliency of having data automatically replicated to multiple sites. Intra-application communications may unintentionally span multiple locations. Cloud providers blocking or having their traffic blocked based on geographic location can have a major business impact.
    25. ANY CHANCE THAT COMES WITH A WARRANTY? Long term viability of cloud partners is a critical consideration in PaaS vendors. Lock-in with IaaS & SaaS vendors may be less of an issue. Data transfer costs can be the toughest part of vendor lock-in. As open cloud platforms emerge and the hybrid deployment model gains popularity, standards will ease some of the current lock-in concerns.
    26. DOES IT MATTER? All types of cloud systems can be leveraged for malicious purposes. IaaS clouds can be used for large scale spam, DoS, or Command & Control functions. PaaS platforms have already been used as Command & Control for botnets. Hijacked accounts can be used to stage internal DoS attacks within the cloud provider’s infrastructure. Defending against cloud based attacks can be extremely difficult.
    27. PUBLIC DEPLOYMENT SECURITY ISSUES Advantages: Anonymizing effect; Large security investments; Pre-certification; Multi-site system & data redundancy; Fault tolerance & excess capacity. Disadvantages: Collateral damage effect; Data & AAA security requirements; Regulatory Compliance & Certifications; Multi-jurisdiction data store; Known vulnerabilities are global.
    28. MONGREL DEPLOYMENT SECURITY ISSUES Advantages: Externalization of attack surface; Overcomes private cloud scaling limits; Multi-site system & data redundancy; Isolation & segregation of secure data. Disadvantages: Data transfer/access considerations; Increased architecture complexity; Credential management; Regulatory Compliance & Certifications.
    29. COMMUNITY DEPLOYMENT ISSUES Advantages: Increased redundancy & availability; Shared risk & security costs; Compliance & certification requirements. Disadvantages: Extremely high level of complexity; Federation requirements; Increased Privileged User attacks; Easy targeting of high value systems.
    30. IAAS SECURITY ISSUES Advantages: Increased control of encryption; Minimized privileged user attacks; Ability to use familiar AAA mechanisms; More standardized deployments; Rapid cross vendor redeployment; Full operational control at the VM level. Disadvantages: Account hijacking; Credential management; API security risks; Lack of role based authorization; Dependence on security of the virtualization platform; Full responsibility for operations.
    31. PAAS SECURITY ISSUES Advantages: Less operational responsibility; Instant multi-site business continuity; Massive scale & resiliency; Simplification of compliance analysis; Built-in framework security features. Disadvantages: Less operational control than IaaS; Vendor lock-in; Lack of security tools, reporting, etc.; Increased privileged user attack likelihood; Cloud provider’s long term viability.
    32. SAAS SECURITY ISSUES Advantages: Clearly defined access controls; Vendor is responsible for data-center & application security; Predictable scope of account compromise; Integration with internal directory services; Simplified User ACD. Disadvantages: Inflexible reporting & features; Lack of version control; Inability to layer security controls; Increased vulnerability to privileged user attacks; No control over legal discovery.
    33. QUESTIONS? Yes, I play Farmville, Petville, Fishville, Texas Hold’em, Mafia Wars, Vampire Wars and occasionally Yoville.
    34. CONTACT INFO Ward Spangenberg twitter: @wardspan