virtualization, cloud & data security
and the occasional intersection of the three
Friday, April 6, 2012
Hi, I’m Taylor.
  @taylorbanks


         ‣ I’m a control freak.

         ‣ I do #security.
           I advocate for #privacy.

         ‣ I build virtual datacenters
           and cloud infrastructure.

         ‣ I keep my data in the cloud.
"Cloud computing is about gracefully losing
                    control while maintaining accountability even
                    if the operational responsibility falls upon one
                    or more third parties. "

                                      From the CSA’s Security Guidance for
                                      Critical Areas of Focus in Cloud Computing




                                                                  Copyright © 2010 by L. Taylor Banks
Wednesday, March 10, 2010
*These statements have not been evaluated by the CSA.
        This presentation is not designed to diagnose, prevent,
       treat or cure any cloud security problems or conditions.




CloudSec


1  Fundamentals
   Cloud security doesn’t happen in a vacuum
2  Secure Virtualization
   Unique architectures present unique challenges
3  Data in the Cloud
   Public or private, understanding your data is the key to securing it


Cloud May Magnify Risk
                        Simply put, if you’re not securing your data
                        effectively before moving it into the cloud,
                        you’re in for a rude awakening when you do.
I hate to disappoint you, really I do.
   But most of what I’m about to tell you,
       you should already know.



Access Control
   A mechanism which enables an authority to control
   access to data in a given information system




AAA:
                        Authentication
                        Authorization
                         Accounting


Hello, my name is:

                        RBAC
Data Considerations




                        • Data classification   • Data sensitivity
                        • Data at rest         • Data in motion
                        • On-premise           • Off-premise

Categorization vs. Sensitivity
  Classification has become synonymous with ‘censored for,’
  arguably to the detriment of effective categorization.

  Classification (Categorization)
    The purpose of classification is to protect information from being
    used to damage or endanger organizational security.

  Classification (Sensitivity)
    Simply possessing a clearance should not automatically authorize an
    individual to view all data classified at or below that level.
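
The distinction on this slide, as an added example that is not part of the original deck: an access decision that requires a category match (need-to-know) in addition to a sufficient clearance, and records every decision for the accounting leg of AAA. The level names, categories, subjects and resources are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    # Constructed level names; the deck does not prescribe a scheme.
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Sensitivity
    categories: frozenset  # categories this subject has a need to know


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity
    category: str


@dataclass
class AccessController:
    audit_log: list = field(default_factory=list)

    def clearance_only(self, subject, resource):
        """The policy the slide warns against: level comparison alone."""
        return subject.clearance >= resource.sensitivity

    def authorize(self, subject, resource):
        """Require clearance AND category; log every decision (accounting)."""
        if subject.clearance < resource.sensitivity:
            decision, reason = False, "clearance below sensitivity"
        elif resource.category not in subject.categories:
            decision, reason = False, "no need-to-know for category"
        else:
            decision, reason = True, "clearance and category match"
        self.audit_log.append((subject.name, resource.name, decision, reason))
        return decision


def over_authorized(controller, subjects, resources):
    """Pairs that a clearance-only policy allows but need-to-know denies."""
    gaps = []
    for s in subjects:
        for r in resources:
            if controller.clearance_only(s, r) and not controller.authorize(s, r):
                gaps.append((s.name, r.name))
    return gaps


# Constructed sample data.
SUBJECTS = [
    Subject("hr_analyst", Sensitivity.CONFIDENTIAL, frozenset({"hr"})),
    Subject("dba", Sensitivity.RESTRICTED, frozenset({"finance", "engineering"})),
    Subject("intern", Sensitivity.INTERNAL, frozenset({"engineering"})),
]
RESOURCES = [
    Resource("payroll.csv", Sensitivity.CONFIDENTIAL, "hr"),
    Resource("ledger.db", Sensitivity.RESTRICTED, "finance"),
    Resource("wiki-export", Sensitivity.INTERNAL, "engineering"),
]

if __name__ == "__main__":
    ctl = AccessController()
    for subject_name, resource_name in over_authorized(ctl, SUBJECTS, RESOURCES):
        print(f"clearance-only would over-authorize {subject_name} -> {resource_name}")
    for entry in ctl.audit_log:
        print(entry)
```
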



From Understanding Data Classification Based on Business and Security Requirements
          By Rafael Etges, CISA, CISSP, and Karen McNeil from ISACA Journal Online



Data Classification Example Properties

         ‣ Relative importance
         ‣ Frequency of use
         ‣ Topical content
         ‣ File type
         ‣ Operating platform
         ‣ Average file size
         ‣ MAC times
         ‣ Departmental ownership
RTO-based Classification Example
  Data by Fred G. Moore of HorISon Information Strategies


   Attributes      Mission-Critical   Vital     Sensitive   Non-Critical
   RTO             Immediate          Seconds   Minutes     Hours, days
   Availability    99.999+            99.99     99.9        <99
   Retention       Hours              Days      Years       Infinite
Data at Rest vs. Data in Motion
  Both important yet distinct considerations


  Data at Rest
    “On the Internet, communications security is much less important than
    the security of the endpoints.” - Bruce Schneier

  Data in Motion
    However, anyone can read what’s going across the wire when it is sent
    unencrypted.



CA Office of HIPAA Implementation
  Requires encryption to protect any data containing electronic
  protected health information (EPHI).

       ‣ DATA AT REST
              •         Data at rest should be protected by one of the following:
                    -     Encryption, or
                    -     Firewalls with strict access controls that authenticate the identity of those
                          individuals accessing _____ [system/data].

              •         The use of password protection instead of encryption is not an
                        acceptable alternative to protecting EPHI.
              •         Systems that store or transmit personal information must have proper
                        security protection, such as antivirus software, with unneeded services or
                        ports turned off and subject to needed applications being properly
                        configured.
CA Office of HIPAA Implementation
  Requires encryption to protect any data containing electronic
  protected health information (EPHI).
       ‣       TRANSMISSION SECURITY
             •          All emails with EPHI transmitted outside of State (or county) departments’
                        networks must be encrypted.
             •          Any EPHI transmitted through a public network to and from vendors,
                        customers, or entities doing business with ___ [name of the org in the State
                        of California, or a county] must be encrypted or be transmitted through an
                        encrypted tunnel. EPHI must be transmitted through a tunnel encrypted
                        with ___ [specify type of encryption to be used, such as virtual private
                        networks (VPN) or point-to-point tunnel protocols (PPTP) like Secure Shells
                        (SSH) and secure socket layers (SSL)].
             •          Transmitting EPHI through the use of web email programs is not allowed.
             •          Using chat programs or peer-to-peer file sharing programs is not allowed.
             •          Wireless (Wi-fi) transmissions must be encrypted using ___.
On-premise vs. Off-premise
  New trust models will likely have a direct impact on the
  effectiveness of pre-existing security policies.

  On-premise
    You need only trust those vetted, hired and managed by your
    organization, and according to your own security policies.

  Off-premise
    Trust model now includes external entities, plus potential additional
    considerations around governance, regulations and compliance.

1  Fundamentals
   Cloud security doesn’t happen in a vacuum
2  Secure Virtualization
   Unique architectures present unique challenges
3  Data in the Cloud
   Public or private, understanding your data is the key to securing it


Virtualization is
  ...a broad term with many uses



       ‣ Abstraction of the characteristics of
         physical compute resources from
         systems, users, applications
       ‣ Typically, one of:
              •         Resource (virtual memory, RAID, SAN)
              •         Platform (virtual machines, instances)
VirtSec


       ‣ Security of virtual infrastructure and the
         virtual machines running therein.
       ‣ While many security considerations are
         the same within physical and virtual, ...
       ‣ Virtualization does introduce unique
         architectures & a few unique challenges
Unique Challenges, you say?


       ‣ VMs are highly-mobile & often short-lived
       ‣ VM sprawl vs. VM stall
       ‣ Most orgs have poor change control &
         patch management systems for virtual
       ‣ Introspection mechanisms available,
         but not widely deployed
   1  Compute resources
   2  Network resources
   3  Storage resources
   4  Hypervisor
   5  Virtual machines
   6  Management console
   7  Networking layer
   8  Administrators

Simpler is Better
                    • Keep It Simple, Stupid (KISS)
                             •   Make Your Architecture Simpler to Secure! (MYASS)

                    • More moving pieces means more time,
                             effort and money required to implement
                             security completely and effectively
                    • Don’t let the capabilities of your platform
                             fool you into believing you need all of them

Secure Your Resources

                    • Your virtual infrastructure is only as secure
                             as the resources that comprise it!
                    • Securing your compute, network and
                             storage infrastructure is as important as
                             securing the hypervisor and guests



The Malignant OS

                    • Needs to be hardened / secured just like
                             on physical machines
                    • Principles of minimization will lead to
                             smaller, faster, more secure VMs




Guest OS Hardening
                    • Consider automated assessment tools,
                             checklists and/or hardening scripts
                             • nmap, Nessus, Metasploit, CANVAS
                             • “15 Steps to Hardening WS2003”
                             • Microsoft Baseline Security Analyzer
                             • Bastille Linux
VM Introspection
  Inspecting a virtual machine from the outside (typically by way
  of the hypervisor) for the purpose of analyzing [its behavior]


       ‣ Introspective firewalling
       ‣ Introspective malware detection
       ‣ Introspective DLP
       ‣ Traditionally, distinct products
              •         Catbird, Hytrust, Juniper, Reflex
                        Systems, Trend Micro, VMware, etc.
1  Fundamentals
   Cloud security doesn’t happen in a vacuum
2  Secure Virtualization
   Unique architectures present unique challenges
3  Data in the Cloud
   Public or private, understanding your data is the key to securing it


What is “Cloud Security?”
  Without context, cloud security is undefined.


       ‣ Network security?
       ‣ Virtualization security?
       ‣ Application security?
       ‣ Governance, Risk & Compliance?
       ‣ YesPls!
              •         Depends on service and deployment models
              •         Determined mostly by your DATA!
4 8 15 16 23 42
                    • Five characteristics
                     • On-demand self-service, Broad network
                             access, Resource pooling, Rapid elasticity,
                             Measured service
                    • Three service models
                     • SaaS, PaaS, IaaS
                    • Four deployment models
                     • Public, Community, Private, Hybrid
Private IaaS? Public IaaS? It matters!
   In public IaaS, the likelihood of having control over
   virtual infrastructure comprising ‘your cloud’ is slim.




Cloud Security Fundamentals


       ‣ See: K.I.S.S. M.Y.A.S.S.
       ‣ Classify your data; consider trust models
       ‣ Understanding what your org means by ‘cloud’ is
         key to securing data in the cloud:
              •         5 characteristics
              •         3 service models
              •         4 deployment models
Cloud Security Risks
  CSA’s Top Threats to Cloud Computing v1.0


       ‣ Abuse and Nefarious Use of Cloud Computing
       ‣ Insecure Interfaces and APIs
       ‣ Malicious Insiders
       ‣ Shared Technology Issues
       ‣ Data Loss or Leakage
       ‣ Account or Service Hijacking
       ‣ Unknown Risk Profile
Mitigation
                    • Encrypt locally before storing in the cloud
                     • Ensure external key storage and
                               management
                    • Keep private data out of cloud
                    • Build protection mechanisms directly into
                             your resources in the cloud
                    • Host private cloud
Cloud Security Fundamentals



       ‣ Network, infrastructure, virtual and application
         security are no less important than before
       ‣ Compliance is important, but useless taken out
         of context (SAS 70 TII, but with which controls?)
       ‣ Compliance doesn’t fully address governance,
         residency or access

Understand your Data
   How will your data be used, accessed and modified?
   How and when will it be removed? By whom?




Avoiding the Data Tornado
  (...in which your data is a vortex of bits across multiple
  jurisdictions, tossing data around like a doublewide.)

       ‣ Deep knowledge of your data
       ‣ Data flow and threat modeling
       ‣ AAA, IAM & RBAC FTW
       ‣ Effective security policies
       ‣ Tested security procedures
       ‣ Proven security controls
Required Reading

       ‣ CSA’s Security Guidance for Critical Areas of Focus
         in Cloud Computing
       ‣ ENISA’s Cloud Computing: Benefits, Risks and
         Recommendations for Information Security
       ‣ CSA’s Cloud Controls Matrix
       ‣ ENISA’s Procure Secure: A guide to monitoring of
         security service levels in cloud contracts
       ‣ NIST SP 800-145 Definition of Cloud Computing and
         800-137 on Information Security Continuous Monitoring
Taylor @ Cloud in 48.com
  http://www.linkedin.com/in/taylorbanks





Cloud Security Alliance Q2-2012 Atlanta Meeting
