Cloud Security

Cloud Security
Nimrod Luria
CTO | Q.rity
Information Security Lead | Hi-Tech
Nimrod@Qrity.com

It can be confusing
Technical
Institutional, Business Model and Usage
System DC Operation & Management
Security of the cloud architecture Operation Management
Security of data center facility
- virtualized environment - Operator access control
- location, natural hazard, utility services
- hypervisor - system privilege control
Information Security

- physical access control, monitoring - large distributed system (grif) - Unauthorized access control
- isolation of processes - Incident response
Communication security between user
and cloud Security of data storage - patch and vulnerability management
-reliability of communication path, QOS - physical location of storage for disaster - Antiviral software management
-confidentiality and security of communication recovery, backup and geopolitical risks - Application management
- isolation between data
Information Lifecycle Management Information Lifecycle Management

Data encryption and key management
Client device security Cryptographic solution for communication, data and operation

User authentication, access control, user monitoring
hardware reliability and redundancy
Business
Continuit

Cloud provider resiliency
Disaster recovery planning and operation
y

Management and governance of cloud provider
Availability and dependability of the system and the services
BCP of cloud provider
Compliance

Laws and regulations conformity
- Internal control Auditability and inquiry accommodation to users, third parties, administration and law enforcement
- Personal data protection law
Digital forensics
- ＦＩＳＭＡ, HIPAA and others
Data storage location and effect from local laws and regulations and privacy requirement

SLA standards and guidelines
Service level assurance
Usability

Portability/lock-in of data and applications - Process capability and scalability
- Storage capacity and scalability
Interoperability and the standardization (cloud to cloud, cloud to on-premise)
Copyright © 2009-2010 Bottlenecks in data transfer
Information-Technology 16/03/2010 3
Promotion Agency

Agenda
• Private cloud architecture
• Microsoft Private Cloud Solutions
• Top Cloud Computing Threats
• Trust in the Cloud
• Cloud Security: the challenges
• Cloud Security Frame
• Secure cloud architecture Q&A

What Constitutes cloud computing?
SOFTWARE
AS A SERVICE

PLATFORM
AS A SERVICE

INFRASTRUCTURE
AS A SERVICE

1 2 3

Standardize Identity with Standardize Management with
Active Directory Virtualize with Hyper-V System Center

4 5

Enable Self Service with the Deploy One App on the Windows
Free Self Service Portal Azure Platform

Consuming and Delivering IT as a Service
Compose
Service Type Image

Deploy
Image
SLA Requirements
Attach
Network

Compliance Configure Image
Requirements
Service
Self Service Configure Service
Model Access
Portal Requirements
Configure
Monitoring

Load Estimates Configure
Application Reporting
Owner
Configure
Billing Backup
Info
Configure
Security
Reporting Monitor
Compliance

User App
VM VM VM VM
Virtual FW 1 2 3 4

Secure VDI
Hypervisor
CLIENTS Support
POLICY Virtual Machines
Internet
SSL VPN

HR ZONE
DMZ

Virtualized
Security
Services FINANCE ZONE

Services
DoS Protection .1 NAT .5
Firewall .2 Intrusion prevention .6
Policies Reporting Authentication .3 Real-time visibility .7
Encryption .4
Management & Compliance Traffic prioritization .8

Microsoft Private Cloud Components

SELF-SERVICE

MANAGEMENT

VIRTUALIZATION

IDENTITY

Trust in the Cloud
Compliance and Risk
Management

Identity and Access
Management

Information Protection

Service Integrity

Endpoint Integrity

Security is the Major Issue

13

Cloud computing Risks

• LOCK-IN
UNDERTAKING MALICIOUS PROBES OR •
• LOSS OF GOVERNANCE
SCANS.
• COMPLIANCE CHALLENGES
DISTRIBUTED DENIAL OF SERVICE •
• LOSS OF BUSINESS REPUTATION DUE TO CO-TENANT (DDOS)
ACTIVITIES
ECONOMIC DENIAL OF SERVICE (EDOS) •
• CLOUD SERVICE TERMINATION OR FAILURE
LOSS OF ENCRYPTION KEYS •
• CLOUD PROVIDER ACQUISITION
CONFLICTS BETWEEN CUSTOMER •
• SUPPLY CHAIN FAILURE HARDENING PROCEDURES AND CLOUD
• RESOURCE EXHAUSTION ENVIRONMENT
• ISOLATION FAILURE COMPROMISE SERVICE ENGINE •
• CLOUD PROVIDER MALICIOUS INSIDER SUBPOENA AND E-DISCOVERY •
• MANAGEMENT INTERFACE COMPROMISE RISK FROM CHANGES OF JURISDICTION •
• INTERCEPTING DATA IN TRANSIT DATA PROTECTION RISKS •
• DATA LEAKAGE ON UP/DOWNLOAD, INTRA-CLOUD
• INSECURE OR INEFFECTIVE DELETION OF DATA

Commonly referenced cloud security Issues
Amazon: Hey Spammers, Get Off My Cloud!
Bad co-hosts http://voices.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html

Bitbucket's Amazon DDoS - what went wrong
Denial of Service http://www.theregister.co.uk/2009/10/09/amazon_cloud_bitbucket_ddos_aftermath/

Many eggs Lightning Zaps Amazon Cloud – In-cloud federated
One basket http://news.cnet.com/8301-1001_3-10263425-92.html
Identity Management
Entitlement Security issues with Google Docs Lack of Standards
Management http://peekay.org/2009/03/26/security-issues-with-google-docs/

Hypervisor & An Empirical Study into the Security Exposure to Hosts of Hostile
Virtualized Environments (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf
Virtual Machine Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware) see also http://invisiblethingslab.com/itl/About.html
Vulnerabilities Cloudburst: Arbitrary code execution vulnerability for VMWare
http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf

Crypto Ops Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine
in VM http://eprint.iacr.org/2009/474

Data Provanence Data Remanence Location & Privacy
Where did the data come from? You can check out but can’t leave Who looks at/after your data?
And where? Jurisdictions?

Demo
• Configuring Baseline Security for the Private
cloud

Top Cloud Computing Threats
Threat 1: Abuse and Nefarious Use of Cloud Computing
Threat 2: Insecure Interfaces and APIs
Threat 3: Malicious Insiders
Threat 4: Shared Technology Issues
Threat 5: Data Loss or Leakage
Threat 6: Account or Service Hijacking
Threat 7: Unknown Risk Profile

Abuse and Nefarious Use of Cloud Computing
Description Examples
Criminals continue to leverage IaaS offerings have hosted the Zeus
new technologies to improve botnet, InfoStealer trojan horses,
their reach, avoid detection, and downloads for Microsoft Office
and improve the effectiveness and Adobe PDF exploits.
of their activities. Cloud Additionally, botnets have used
Computing providers are IaaS servers for command and
actively being targeted, control
partially because their functions. Spam continues to be a
relatively weak registration problem — as a defensive measure,
systems facilitate anonymity, entire blocks of IaaS network
and providers’ fraud detection addresses have been publicly
capabilities are limited. blacklist

Remediation Iaas PaaS SaaS
• Stricter initial registration and validation processes.
• Enhanced credit card fraud monitoring and coordination.
• Comprehensive introspection of customer network traffic.
• Monitoring public blacklists for one’s own network blocks.

Insecure Interfaces and APIs
Reliance on a weak set of interfaces Anonymous access and/or reusable
and APIs exposes organizations to tokens or passwords, clear-text
a variety of security issues related authentication or transmission of
to confidentiality, integrity, content, inflexible access controls
availability and accountability. or improper authorizations, limited
monitoring and logging capabilities,
unknown service or API
dependencies.

Remediation
Analyze the security model of cloud provider interfaces. Iaas PaaS SaaS
Ensure strong authentication and access controls are
implemented in concert with encrypted transmission.
Understand the dependency chain associated with the API.

Malicious Insiders
The level of access granted No public examples are available at
could enable such an adversary to this time.
harvest confidential data or gain
complete control over the cloud
services with little or no risk of
detection.

Remediation
• Enforce strict supply chain management and conduct a comprehensive supplier
assessment.
• Specify human resource requirements as part of legal contracts.
• Require transparency into overall information security and
management practices, as well as compliance reporting.
Iaas PaaS SaaS
• Determine security breach notification processes.

Description Shared Technology Issues
Attacks have surfaced in recent years
that target the shared technology inside
Cloud Computing environments. Disk
partitions, CPU caches, GPUs, and other Examples
shared elements were never designed • Joanna Rutkowska’s Red and
for strong compartmentalization. As a Blue Pill exploits
result, attackers focus on how to impact • Kortchinksy’s CloudBurst
the operations of other cloud presentations.
customers, and how to gain
unauthorized access to data.

Remediation
• Implement security best practices for installation/configuration.
• Monitor environment for unauthorized changes/activity.
• Promote strong authentication and access control for
administrative access and operations.
• Enforce service level agreements for patching and vulnerability
• remediation.
Iaas PaaS SaaS
• Conduct vulnerability scanning and configuration audits.

Data Loss or Leakage
Description
The threat of data compromise
increases in the cloud, due to the Examples
number of and interactions
between risks and challenges which Insufficient authentication,
are either unique to cloud, or more authorization, and audit (AAA)
dangerous because of the controls; inconsistent use of
architectural encryption and software keys.
or operational characteristics of the
cloud environment
Remediation
• Implement strong API access control.
• Encrypt and protect integrity of data in transit.
• Analyzes data protection at both design and run time.
• Implement strong key generation, storage and management, and destruction
practices.
• Contractually demand providers wipe persistent media before
it is released into the pool.
• Contractually specify provider backup and retention strategies. Iaas PaaS SaaS

Account or Service Hijacking
Account and service hijacking, Amazon EC2 Zeus Password stealing.
usually with stolen credentials,
remains a top threat. With
stolen credentials, attackers
can often access critical areas
of deployed cloud computing
services

Remediation
• Prohibit the sharing of account credentials between users an services.
• Leverage strong two-factor authentication techniques where possible.
• Employ proactive monitoring to detect unauthorized activity.
• Understand cloud provider security policies and SLAs.

Iaas PaaS SaaS

Unknown Risk Profile

When adopting a cloud service, the features and IRS asked Amazon EC2 to perform a C&A;
functionality may be well Amazon refused.
advertised, but what about details or compliance of http://news.qualys.com/newsblog/forrester-
the internal security procedures, configuration cloud-computingqa.
hardening, Html
patching, auditing, and logging? How are your data
and related logs stored and
who has access to them? What information if any will
the vendor disclose in the event of a security incident?
Often such questions are not clearly answered or are
overlooked, leaving customers with an unknown risk
profile that may
include serious threats.

Remediation
• Disclosure of applicable logs and data.
• Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls,
etc.).
• Monitoring and alerting on necessary information.
Iaas PaaS SaaS

Fraud as a service
What’s Required?
• Buy the malware
• Choose a server (“bulletproof hosting”)
• Install malware on a server
• Infect PCs
• Keep the malware up-to-date

Beyond Architecture: The Areas Of Critical Focus
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
• Traditional Security, Business Continuity and Disaster Recovery
• Data Center Operations
• Incident Response, Notification and Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization

Analyzing Cloud Security
• Clouds are massively complex systems can be
reduced to simple primitives that are
replicated thousands of times and common
functional units

33

Cloud Security: the challenges
Law & Compliance
Provider & resource / data location
Multi-tenancy Risks Cross-border data movement
Security of shared resources Lack of transparency, PII and privacy obligations (HIPAA, GLBA)
Process isolation Limited audit ability Poor quality of evidence
Data segregation Regulatory violation Auditing and compliance (PCI, ISO 27001)
‘Data sharding ‘ (fragmentation across images) No risk transference for data
Identity & Access Management Infrastructure misuse / break in Data Location & Mobility
EU vs. US vs. China regulations
Data Commingling (Government access).
In-cloud segregation of data: difficult Differences in data protection
Accidental seizure of customer data between regions
during forensic investigations Cost of keeping data hosting in
EU
Resilience & Availability Cloud Audit data is legally owned by
Latency sensitive applications CSP and not client.
Enforcement of SLA obligations Service & Data Cases of CSP refusing to ‘hand
Insufficient capabilities to cater for over audit logs’.
critical data
Security Extremely difficult to involve law
enforcement with CSP activities -
Cloud lock in breach investigation/litigation.
Lack of standards
Security at multiple layers
Lack of interoperability
Virtual image provided by
Limited service portability
IaaS provider
Incompatible management
Platform stack provided
processes
by PaaS provider
IaaS,PaaS issues +
application security

Cloud Security: the challenges
Isolation
Data risks
CSP’s do not allow clients to Hypervisor-VM and inter-VM isolation
classify data. • Robust at system level (modulo kernel bugs)
CSP’s cannot offer different levels • Issues at management plane
of security based upon data • Memory hijacking
sensitivity.
No DLP – data leakage protection
services offered.
Virtual VM Security
Infrastructure Guest OS needs security protection
Physical 2 virtual mapping • at massive scale
Crypto doesn’t like virtual Security resilient VM life-cycle
Current algorithms set to • secure, scalable, dynamic
optimise resource pooling
Can’t always use specialised HW
Encryption key management.
Reliance on VM vendor security
Issues with guest OS Security
Can VMWare, Microsoft be trusted to
implement kernel security correctly ?…

Private Clouds and User Roles

VMM Admin

Delegated Admin

VMM Admin
Cloud Manager

Scope: Everything
Delegated Admin
Scope cannot be
Scope: Host groups and
Cloud Manager
modified
Clouds Self-Service User
Can take any action Scope: Clouds only
Create cloud from Self-Service User
physical capacity Subdivides clouds
Scope: Clouds only
Access to cloud Delegates clouds
automatically gives Manages services and
Includes all Self-Service VMs
access to host groups User rights
Includes all Cloud Authors templates
Manager rights Shares resources
Actions can be revoked
Quota: Per-user limit

User Roles and Scope

VMM Admin Delegated
Admin

Self Service
Cloud
User
Manager

Private Cloud Usage Scenarios

VMM Admin creates a private cloud

VMM Admin delegates the cloud to
Cloud Manager

Cloud Manager sub-divides the cloud
and assigns it to Self-Service User

Self Service User creates VMs and
services in the cloud

Identity as a service
(IDaaS)

IAM Protocols
and Standards
• SAML
• XACML
• OAuth
• OpenID
• OATH
• OpenAuth

Demo
Set Cloud CSRF (oneClick) to Stop
machine

The future of cloud computing security
• Infrastructure security
– Greater transparency of security capabilities.
• Data security and storage
– Predicate encryption
• Identity and access management
– Hybrid IAM strategy
• Security management
– Unified Management function across CSP’s

resources
• http://www.cloudsecurityalliance.org/Research.html
• http://csrc.nist.gov/groups/SNS/cloud-
computing/index.html
• Microsoft Security Compliance Manager
– http://www.microsoft.com/downloads/en/details.aspx?FamilyI
D=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displayLang=en
• Build Your Own Private Cloud
– http://www.microsoft.com/virtualization/en/us/private-cloud-
get-started.aspx
• http://blogs.technet.com/b/ddcalliance/archive/2010/02/1
6/dynamic-infrastructure-toolkit-for-system-center-dit-sc-
sneak-peek-into-on-boarding.aspx

Thank You !
Nimrod@Qrity.com

Cloud Security

More Related Content

What's hot

Viewers also liked

Similar to Cloud Security

Recently uploaded

Cloud Security