A Cloud Security Ghost Story Craig Balding


Presented at Black Hat Europe 2009 by Craig Balding, founder of

  1. A Cloud Security Ghost Story Craig Balding
  2. Disclaimer The views and opinions expressed here are those of Craig Balding only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
  3. Happy to take questions as we go ✴ Will limit in-flight answers to 2 minutes... ✴ allow time for Q&A at end ✴ If you want SAP Pwnage, other track ;-) ✴
  4. Tweeting/Blogging? Please add the tag: cloudsec
  5. Clown Computing? Cloud == Internet It’s Outsourcing! It’s Virtualization! Overhyped Fad Nothing New Don’t Believe in Clouds?
  6. A Service Model *aaS: a Service On-Demand Pay As You Go (CC) Elastic Abstracted Resource What Is “Cloud”?
  7. Cloud Security vs. Security in the Cloud Avoid the Facepalm
  8. This is not ASP Shared Hardware Shared Fabric / Host Scalability / Cost Multi Tenancy
  9. DB Security Model
  10. DB == Tenant
  11. DB == Tenant 1..n
  12. Engineering Feat Scalability Availability New techniques 1000:1 Green “It’s Only Day 1”
  13. Cloud Magic: Just Say No
  14. Evil State Replication Woes Patching Devils Insidious Integrity Funding Cloud FAIL
  15. Risk Management You’re Liable Compensating Controls Plan for Failure Trust but Verify Web Services Security Browsers Are Brittle Security Givens
  16. Ghost Central
  17. *aaS: a Service Pay As You Go (CC) Elastic Outages Very Public Support Forums Public Clouds
  18. Classic SPI Model Software as a Service Platform as a Service Infrastructure as a Service
  19. Examples Software as a Service Platform as a Service Infrastructure as a Service
  20. SaaS CRM == PaaS AppExchange Code Reviews Service Cloud Salesforce
  21. Examples Software as a Service Platform as a Service Infrastructure as a Service
  22. PaaS Python VM Justin Ferguson Java VM Data Import/Export SDC Google App Engine
  23. Google Secure Data Connector
  24. Software & Services Technology Preview Identity (Cameron) Microsoft Azure
  25. Software + Services
  26. Examples Software as a Service Platform as a Service Infrastructure as a Service
  27. Public IaaS Pioneer EC2, S3, SQS etc “You secure” Security Whitepaper Evangelism Data Cleansing Amazon Web Services
  28. One Key Management Plane New Policy Language Report a Scan If a HD is Stolen... AWS Ecosystem Amazon Web Services
  29. Dynamo Paper Consistency Availability Integrity Out of order No Time Promises Eventually Consistent
  30. AWS “Dev friendly” Dev Testimonials AMZN PMTS 866-216-1072 AWS API endpoints POST/PUT/DELETE Developers with Credit Cards
  31. Visibility Mutants Cloud Stacks Integration Privacy Regulations SLAs Haunted House of the Cloud
  32. The Visibility Ghost Ship
  33. When Controls Fail Lingua Franca: API Manage SSL EC2 vs NSM Immature logging DLP The Visibility Ghost Ship
  34. IaaS vs PaaS vs SaaS Scan & Get Canned Idea: AllowScan API Pen-testing Scope Assurance
  35. Virtual Data Center Version Control View as Timeline Pre/post Commit Sanity Checks Proactive Polling Data Center Tripwire
  36. Call Premium Support Cloud Clamour No Business Context Incident Response
  37. IaaS vs PaaS vs SaaS Ghosting a Ghost Logs & Integration Offline Forensic VMs AWS EBS Cloning Forensics as a Service Cloud IR Teams? Forensics
  38. IaaS vs PaaS vs SaaS Mash-ups 1...n Theft of Hard Drive... First, find the DC Jurisdictional Hell Investigations
  39. The March of the Mutated Hypervisor
  40. AWS EC2 Xen with “mods” No Dom0 Access Xen DomU Expose via XML API The March of the Mutated Hypervisor
  41. BIOS Functionality++ Research++ Cache Snooping Hypervisor Attack Persistent Rootkits The Vampire BIOS
  42. Ghost in the Stacks
  43. Dependent Services Consume & Provide Trust by Inheritance Mind the Gap Pass the Buck Cloud Stacks/Layers
  44. Appirio Salesforce App Hook API Divert Attachments Client > EC2 > S3 Stored in Plaintext! Example
  45. Net vs Storage Crypto
  46. Enterprise Integration Road to Hell
  47. Identity is > People Federated Auth Visibility DLP Metrics Billing Enterprise Integration
  48. IaaS vs PaaS vs SaaS VM Portability Frameworks AWS as de facto API Unified Cloud? Interoperability
  49. Cloud Lock-in
  50. The Green Lantern of Privacy
  51. EPIC Compliant Misstating Security Snafus & Vulns Lack of Crypto Bar of chocolate? $SOCIALNETWORKS The Green Lantern of Privacy
  52. The Screaming Regulator
  53. PCI: The Mosso Pitch HIPAA: AWS / “Apps” Screaming or silent? VirtSec / PCI DSS Groundhog Day The Screaming Regulator
  54. Jurisdiction IP rights Content ownership Contract Law Wins Licensing Raid 8 Legal Concerns
  55. The Curse of the Bloodstained SLA
  56. Blah Blah Blah No CHANGELOG Blah Blah Blah Internet == No promises Blah Blah Blah CC_OK || rm -rf /cloud Blah Blah Blah Service Credits FTW! Blah Blah Blah Blood Stained SLA
  57. AWS Security Pledge 7.2 We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications.
  58. AWS Security Advice 7.2. ...We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates.
  59. Not even Service Credits? ;-) 7.2. ...We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
  60. Cloud Nirvana: The Rise of the Enterprise Private Cloud
  61. Maximum Control Interoperability Cloudbursting Extend Off-site VMware / CISCO Eucalyptus (OSS) Private Clouds
  62. Source: Chris Hoff
  63. Infrastructure 1.0 Firewall Mentality Controls vs Data Investments vs Risk DL Time Bombs Visibility & IR Enterprise Skeletons
  64. 346 Legacy Apps Audit Reports 3rd Party Monsters Aging Policies Controls <> Assets Inner Control Freak Good Old Days Call from the Grave
  65. Eucalyptus (OSS) API == AWS EC2 Xen + KVM Ship w/Ubuntu 9.04 Open Source Private Cloud
  66. Centralised Controls Password Cracking Forensic Readiness Never Ending Logs Security Builds Security Testing Embrace the Cloud
  67. Cloud Aggregator “Internet Trading Platform” Public/Private Handle Billing Cloud Brokers
  68. Example: Zimory
  69. Pick Your Poison Gold: A gold SLA cloud delivers the strongest quality standards. This includes availability and security standards. The providers offering these resources are compliant with all relevant security certifications. Silver: A silver SLA offers high availability and security standards. The providers are known brands. Bronze: A bronze SLA delivers the usual quality and availability standards of hosting providers. It does not contain certifications and additional security offerings.
  70. Cloud Spirits General John Willis: IT ESM and Cloud (Droplets) Kevin L. Jackson: Cloud Musing (Federal) James Urquhart (CISCO): Wisdom of Clouds Werner Vogels (AWS CTO): All Things Distributed Google Groups Cloud Computing Security Christofer Hoff: Craig Balding (aka Me):
  71. Cloud Security Alliance ENISA Cloud Security Working Group Cloud Security Initiatives
  72. Cloud Security Alliance Non-profit organization Promote practices to provide security assurance Comprised of many subject matter experts from a wide variety of disciplines Official launch next week @ RSA Join? LinkedIn Group “Cloud Security Alliance” open to all
  73. ENISA Cloud Computing Risk Assessment European Policymakers responsible for funding Cloud risk mitigation research, policy, economic incentives, legislative measures, awareness-raising initiatives Business leaders to evaluate Cloud risks and possible mitigation strategies. Individuals/citizens to evaluate cost/benefit of consumer Cloud services.
  74. Hosting => Cloud Cloud Platform Wars Cloud Pwnage Trust Indicators Vertical Clouds Data Centric Security? Social Engineering++ Futures
  75. Ghost Alley / Amsterdam
  76. Thanks
  77. Q&A Craig Balding
  78. CSA: Domains
     • Architectural Framework
     • Governance and Enterprise Risk Management
     • General Legal
     • eDiscovery
     • Compliance & Audit
     • Information lifecycle management
     • Portability & Interoperability
     • “Traditional” Security impact (business continuity, disaster recovery, physical security)
     • Data Center Operations
     • Incident Response, Notification, Remediation
     • Application Security
     • Encryption and Key Mgt
     • Identity and Access Mgt
     • Storage
     • Virtualization
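The “Data Center Tripwire” idea from slide 35 (version-controlled virtual data center, proactive polling, pre/post-commit sanity checks), as an added Python sketch that is not from the presentation or any cloud provider. The inventory shape, resource ids and rules are constructed assumptions, not a real cloud API.

```python
# Constructed "data center tripwire": keep a committed baseline of the virtual
# data center, poll the current state, diff the two, and run sanity checks on
# the polled state before the change is accepted as the new baseline.
from typing import Dict, List, Tuple

Inventory = Dict[str, dict]  # resource id -> attributes (constructed, not a real API shape)

# Constructed baseline (last committed state) and a freshly polled state.
BASELINE: Inventory = {
    "i-0001": {"type": "instance", "state": "running", "sg": "sg-web"},
    "i-0002": {"type": "instance", "state": "running", "sg": "sg-db"},
    "sg-web": {"type": "secgroup", "ingress": [("tcp", 443, "0.0.0.0/0")]},
    "sg-db": {"type": "secgroup", "ingress": [("tcp", 3306, "10.0.0.0/8")]},
}
POLLED: Inventory = {
    "i-0001": {"type": "instance", "state": "running", "sg": "sg-web"},
    "i-0003": {"type": "instance", "state": "running", "sg": "sg-db"},  # unexpected new instance
    "sg-web": {"type": "secgroup", "ingress": [("tcp", 443, "0.0.0.0/0"),
                                               ("tcp", 22, "0.0.0.0/0")]},  # SSH opened to the world
    "sg-db": {"type": "secgroup", "ingress": [("tcp", 3306, "10.0.0.0/8")]},
}

ADMIN_PORTS = {22, 3389}  # constructed policy: admin ports must never be world-reachable


def diff_inventory(old: Inventory, new: Inventory) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) resource ids between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(r for r in set(old) & set(new) if old[r] != new[r])
    return added, removed, changed


def sanity_check(inv: Inventory) -> List[str]:
    """Pre/post-commit rule: flag security groups exposing admin ports to 0.0.0.0/0."""
    findings = []
    for rid, attrs in inv.items():
        if attrs.get("type") != "secgroup":
            continue
        for proto, port, cidr in attrs["ingress"]:
            if port in ADMIN_PORTS and cidr == "0.0.0.0/0":
                findings.append(f"{rid}: {proto}/{port} open to {cidr}")
    return findings


def tripwire(baseline: Inventory, polled: Inventory) -> List[str]:
    """One polling cycle: every drift from the baseline plus any failed sanity check is an alert."""
    added, removed, changed = diff_inventory(baseline, polled)
    alerts = [f"added {r}" for r in added] + [f"removed {r}" for r in removed]
    alerts += [f"changed {r}" for r in changed]
    return alerts + sanity_check(polled)
```

Only after a cycle returns no alerts (or each one is explained by a known change) would the polled state be committed as the next baseline, giving the timeline view the slide describes.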