Are Clouds Secure? Security and Privacy Implications of Cloud Computing

Subra Kumaraswamy, Sun; Tim Mather, RSA

04/21/09 | Session ID: HOT-105 | Session Classification: Intermediate


What We’re Not Going to Discuss

• Existing aspects of information security which are not impacted by ‘cloud computing’

• There are plenty of existing sources of useful information about information security, and we will not attempt to recreate those sources, nor rehash unchanged practices


What’s Not a Cloud?


What We Are Going to Discuss

Where Risk Has Changed:

• Information Security – Data
• Information Security – Infrastructure (network-, host-, application-level)
• Security Management Services (security management, security monitoring, identity services)
• Other Important Considerations (audit & compliance, privacy)
• Security-as-a-[Cloud] Service (SaaS)


The Cloud: Types


The Cloud: Pyramid of Flexibility

[Figure: pyramid with layers labelled (IaaS), (PaaS), (SaaS)]


Flavors of Cloud Computing


The Cloud: How are people using it?


Components of Information Security

• Information Security – Infrastructure
  • Network-level
  • Host-level
  • Application-level
• Information Security – Data
  • Encryption, data masking, content protection
• Security Management Services
  • Management – patching, hygiene, VA, ACL management
  • Security monitoring – network, host, application
  • Identity services – provisioning, AAA, federation, delegation


Information Security – Infrastructure


Infrastructure – Network-level

• Shared Infrastructure
  • VLAN – private and public (tagged)
  • DHCP server, firewall, load balancer
• Limitations
  • No zones – domains instead
  • Traditional port/protocol filtering irrelevant
  • Point-to-point encryption (in transit) is doable
  • Extranet security jeopardized – unless ‘you’ control cloud (IP) addressing (questionable)
  • Security monitoring – no transparency


Infrastructure – Network-level

• Threats
  • Lack of widespread adoption of secure BGP
  • Secure BGP (S-BGP), Secure Origin BGP (soBGP), and Pretty Good BGP (pgBGP)
  • Traffic redirection for eavesdropping
  • DNS: domain hijacking
    • Lack of widespread adoption of Secure DNS
    • Only country-wide adoption: Sweden
  • DoS / DDoS
• Mitigations
  • Virtual private cloud – VPN-based solution with strong authentication
  • SSL with client-side certs


Infrastructure – Host-level

• Shared infrastructure
  • Hardware – CPU, memory, disks, network
  • Software – virtualization layer (e.g., Xen)
  • Web Console – provisioning, image management
• Limitations
  • Ephemeral IP address assignment
  • Patch, configuration management of large number of dynamic nodes
  • SLAs are mostly standard – click-through user agreement
  • Host-based IDS is customer responsibility
  • Access management – OS and vendor specific


Infrastructure – Host-level

• Threats
  • Image configuration drift and vulnerabilities
  • Targeted DoS attack
  • Potential breakout of VMs; examples: Subvert, Blue Pill, HyperVM
  • Attack on standard OS services
• Mitigations
  • Reduce attack surface – Secure-by-default, harden image, turn off OS services, use software firewall, enable logging
  • Institute process – Access provisioning, patch, config. mgmt.
  • Extend existing IT security standards, practice & processes
  • Host-based IDS – Tripwire, OSSEC


Infrastructure – Application-level

• Shared Infrastructure
  • Virtualized host, network, firewall (if hosted on IaaS or PaaS)
  • Virtualized stack (e.g., LAMP)
  • Database vs. Dataspace (e.g., SimpleDB, BigTable)
• Limitations
  • SaaS – application security is a black box
  • SaaS/PaaS – no CVE participation
  • IaaS/PaaS – customer responsibility to secure applications
  • IaaS/PaaS – Limited capabilities for encryption, identity management
  • No option to install application firewall


Infrastructure – Application-level

• Threats
  • OWASP Top 10
  • Mashup security
  • Denial of service by corporate IPS/Firewalls
  • Developers sidestepping controls
• Mitigations
  • Traditional application security testing and monitoring
  • Review provider SDLC and security assurance process
  • If possible, encrypt data stored in DB
  • Manage and protect application “secret keys”
  • User awareness – phishing attacks on users


Information Security – Data


Data Security

• Confidentiality, Availability
  • Multi-tenancy
  • Data-at-rest possibly not encrypted
  • Data being processed definitely not encrypted
  • Data lineage (mapping data flows)
  • Data provenance
  • Data remanence


Security Management Services


Security Management – Customer Responsibilities

| Activities | IaaS | PaaS | SaaS |
|---|---|---|---|
| OS, DB, Application Hardening and Patching | Manage VM image hardening; manage patching of VM, app and DB using your established process | Harden applications by integrating security into SDLC; test for OWASP Top 10 vulnerabilities | Not applicable |
| Change and configuration management | Manage change and configuration management of host, DB, application using your established process | Customer deployed application only | Not applicable |
| Vulnerability management | Manage OS, application vulnerabilities leveraging your established vulnerability management process | Customer deployed application only | Not applicable |
| Access control management | Manage access control to VM, zone firewall using vendor consoles. Install and manage host firewall policies | Manage user provisioning; restrict access using authentication and IP based restriction; delegate authentication if SAML supported | Manage user provisioning; restrict access using authentication and IP based restriction; delegate authentication if SAML supported |


Security Monitoring – Customer view

| Activities | IaaS | PaaS | SaaS |
|---|---|---|---|
| Network monitoring | Not available | Not available | Not available |
| Host monitoring | Install and manage HIDS such as OSSEC; monitor security events using logs stored in VM | Not available | Not available |
| Database monitoring | Install DB security monitoring tool on the VM hosting DB | Not available | Not available |
| Application monitoring | Monitor application security logs; monitor application vulnerabilities using your preferred tool | Monitor application logs that may be available – No standard | Not available |


Identity Services

• Generally, strong authentication is available only through delegation

• Federated identity generally not available
  • Support for SAML v2, WS* and XACML is sporadic
  • OpenID is not enterprise-ready
  • OpenID, OATH, OAuth, OpenAuth, OpenSSO
  • All five are “open” and deal with authentication, but…

• Delegated authorization generally not available

• Generally weak credential management – of weak credentials


Other Important Considerations


Audit & Compliance

• No audit standards specific to the ‘cloud’
  • Not operational, procurement (e.g., FAR), or security
• SAS-70 Type 2 is an audit format – not specific audit criteria
  • Most cloud providers don’t even have a SAS-70
• Compliance: so-called Patriot Act Problem
  • Location, location, location
  • Issue is assurance of compliance (e.g., data lineage – let alone data provenance)


Privacy

• Loss of Fourth Amendment protection
  • Legal order served on provider – not ‘you’
  • Some data can be accessed merely by NSLs
  • Magistrate judge court orders under §215
• Probably no encryption of data-at-rest
  • No indexing or sorting of encrypted data
• Definitely no encryption while data processed
  • Promise of 2-DNF (homomorphic encryption), Predicate Encryption (asymmetric encryption)
• Data remanence: limited attempt to address
  • NIST Special Publication 800-88, Guidelines for Media Sanitization


Security-as-a-[Cloud] Service


Security Through the Cloud

• Proliferation of endpoints

• Different OSs, form factors – but all with access to organizational data

• Scalability & manageability of existing solutions stretched too far

• USENIX paper in July 2008 in San Jose
  • “CloudAV: N-Version Antivirus in the Network Cloud”

• Network-centric: e-mail, vulnerability assessment

• Former host resident: anti-malware, content filtering


Conclusions

• Part of ‘your’ infrastructure security moves beyond your control – Get Ready!

• Provider’s infrastructure security may (enterprise) or may not (SMB) be less robust than ‘your’ expectations

• Data security becomes significantly more important

• Weak access control, credential mgmt. – unless delegated back to ‘you’


Conclusions

• No established standards for redaction, obfuscation, or truncation
• No cloud-specific audit requirements or guidance
  • “Extending” SAS-70 Type 2 to cloud providers
• No cloud-specific regulatory requirements – yet
  • Some foreign prohibitions on using U.S. cloud providers


Questions?


Speakers

• Subra Kumaraswamy, Senior Security Manager – Sun Microsystems

[email protected]

• Tim Mather, Chief Security Strategist – RSA, The Security Division of EMC

[email protected]