Security & Cloud Services IAN KAYNE

Posted on 05-Apr-2022


Cloud Components

Dynamically scalable infrastructure, services and software based on broad network accessibility

CLOUD SERVICES

• Public

• Private

• Hybrid

• (Single & Multi Tenant)

NETWORK ACCESS

• Private WAN

• Internet

• Hybrid

INTERNAL ESTATE

• User Devices, BYO

• IT Estate

• Data

Cloud Services

Software As A Service (SaaS) – Abstraction of Environment – End User Application Provision: Managed Messaging, Applications, Web Services

Platform As A Service (PaaS) – Abstraction of Infrastructure – Tool and Service Provision: Operating Systems, Middleware, Database

Infrastructure As A Service (IaaS) – Automated Scalability & Resilience – “Virtual Datacenter”: Compute Power, Storage & Backup, Networking

Control: the customer has least control with SaaS and most control with IaaS; the provider has most control with SaaS and least control with IaaS.

Virtualization

Diagram: physical servers, each running a hypervisor (VMware ESX / ESXi), aggregated into a resource pool

Virtualization

Diagram: a physical host running the VMware ESXi hypervisor, with a virtual switch (network) and virtual storage (backed by shared storage)

Virtualization

Diagram: two VMware ESXi hypervisors, each hosting a separate zone

Virtualization Attack Vectors

•App level attacks (especially legacy apps)

•O/S level attacks

•Infrastructure attacks

•Hypervisor breakout – VENOM flaw (2015)

◦ Escalation from VM via flaw in legacy disk driver

•Remote DoS – VMware ESXi Hypervisor (2012)

◦ No authentication/credentials required

◦ Breaks vSphere SOAP API

◦ Infrastructure management tools lose all connectivity

Cloud Attack Vectors

•All the Virtualization attack vectors, plus:

•Insecure web app design (OWASP top 10)

•API flaws

•Platform service flaws (middleware, databases etc)

•Management systems flaws

•DoS (resource exhaustion)

•Access anywhere credentials theft

•Plus the attacker gets free access!

Security Principles

Confidentiality

Integrity

Availability

Cloud Provider - Security

•Standard security practices, OWASP top 10

•Customer / Environment isolation (zoning)

•Enhanced auditing

•Service & architecture based on customer need (e.g. PCI)

•Security Info & Event Management

◦ Collation of monitoring data from multiple sources

◦ Agent / SNMP based

◦ Centralized storage & assessment

◦ Trend analysis, deviation from norm alerting (tuning required)

Cloud Customer - Considerations

(Areas of concern: Visibility, Network, Reliance)

• Regulatory compliance challenges

• Unknown risk profiles, “black box” service

• Loss of hands on control of valuable data

• Privacy – cloud provider has access to data

• Multi-tenant “interference”

• Enforced change to environment

• Inaccessibility on network or vendor outage (DDoS)

• Education

• Identity management “islands”

• BYOD

• Low data and service portability

• Vendor tool and service restrictions

Security Design Principles

•Cloud customers must protect both internal and cloud services – shared responsibility

•Defence in depth

•DMZ / Bastion / Perimeter security controls

•Least privilege

•Fail secure, fail closed, default deny

•Simplify (“economy of mechanism”)

•Avoid shared access mechanisms (“least common”)

•… and a few more (no security through obscurity etc)

More Security Design Principles

•Human Factor & “usable security”

•Password Policies

•People are often the weakest link

•Cloud services reduce the control over systems & data

Data Classification

Data in Cloud Services

Diagram: data moving between the customer internal infrastructure and cloud services. The cloud customer security challenge is “data classification” – knowing the value of your data.

Data Classification

•Know the value of data

•Understand the impact of data aggregation

•Understand the impact of a security breach

•Understand data states:

◦ In Use – in memory (stack, heap)

◦ In Motion – in transit (network)

◦ At Rest – in storage (disk)

•Data protection = encryption?

Encryption

•“Any encryption keys must exist as long as the encrypted data exists. And storing those keys becomes as important as storing the unencrypted data was. In a way, encryption doesn't reduce the number of secrets that must be stored securely; it just makes them much smaller.” - Bruce Schneier

•Data at rest – encryption plays a supporting role: it keeps the data confidential from the cloud service provider, but an attacker does not attack the encryption itself

•Encryption has a cost – time and processing

•Access and end point control is critical

Convenience > Security

• Every website.

• Every web browser.

• Convenient apps (e.g.: LastPass).

Encryption Keys

•“We suffered a security breach, but our confidential customer data was encrypted”

•How was the data used?

•Where were the keys stored?

“All sensitive data is encrypted and decrypted locally before syncing with LastPass. Your key never leaves your device, and is never shared with LastPass. Your data stays accessible only to you.”

Cloud Encryption Appliances

•Encryption happens “on premises” before transmission to cloud service

•Separates key storage from data at rest

•Requires two pronged attack to breach data

Diagram: plain text → encryption appliance (on premises) → encrypted data sent to the cloud service

Data Loss Prevention

•Proactive detection & prevention

•Network egress points

•“End point protection”

•Detects sensitive information in transit based on policy

•Used by organizations with critical confidential data that’s widely accessible to internal staff (e.g.: banks)
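A minimal policy-based egress check of the kind the slide describes, as an added example that is not from the deck; the policy, patterns and sample messages are constructed, and the Luhn filter shows the tuning needed to keep ordinary digit runs from raising alerts:

```python
import re

# Constructed egress policy (assumption, not the deck's): block outbound text that carries
# a payment card number (PAN) or an internal classification marking; allow everything else.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
MARKING_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Mod-10 check: drops most false positives from ordinary digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Candidate card numbers that also pass Luhn, with separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def inspect_egress(text: str) -> dict:
    """Policy decision for one outbound message. The finding masks the PAN to its last
    four digits so the DLP alert itself does not become another copy of the secret."""
    findings = ["PAN:" + "*" * (len(p) - 4) + p[-4:] for p in find_pans(text)]
    findings += ["MARKING:" + m.group(0).upper() for m in MARKING_RE.finditer(text)]
    return {"action": "block" if findings else "allow", "findings": findings}

# Constructed sample outbound messages (not real data)
SAMPLES = [
    "Hi, the card on file is 4111 1111 1111 1111, please charge it",  # valid Luhn -> block
    "Ref 4111 1111 1111 1112 has shipped",                             # fails Luhn -> allow
    "Attached: Q3 forecast (INTERNAL ONLY)",                            # marking -> block
    "Lunch at 12:30?",                                                  # nothing -> allow
]

def scan_all(messages=SAMPLES) -> list:
    """Run the policy over a batch and return (message, action) pairs."""
    return [(msg, inspect_egress(msg)["action"]) for msg in messages]

if __name__ == "__main__":
    for msg, action in scan_all():
        print(f"{action:5s} {msg}")
```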

Identity Access Management

•“…the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.” – Gartner

•Key to (regulatory) compliance

•Centralized control of data and app access was hard for internal IT systems – local accounts, shadow IT

•Becomes critical in cloud environments

Federated SSO & SAML

•Provides single source of authentication and authorization to multiple service providers

•Security Assertion Markup Language

•Requires preset “trust”

1: “Principal” (user) accesses resource

2: Service Provider requests assertion from Identity Provider

3: Identity Provider requests information (credentials) from Principal (can be any directory)
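The three-step exchange above with the checks the Service Provider must make on the returned assertion, as an added example that is not from the deck. It is a simplification: an HMAC over a JSON assertion stands in for SAML's XML signature, and the entity IDs and signing key are constructed.

```python
import hmac, hashlib, json, secrets

# Constructed values (assumption): in real SAML the "preset trust" is the IdP's signing
# certificate in SP metadata; here a shared HMAC key plays that role.
IDP_ENTITY_ID = "https://idp.example.test"
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
IDP_SIGNING_KEY = b"constructed-demo-key"

def sign(assertion: dict, key: bytes) -> str:
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sp_create_authn_request(pending: set) -> dict:
    """Step 1/2: the principal hits a resource; the SP sends them to the IdP with a
    request it remembers by ID so it can later tie the assertion back to it."""
    req = {"ID": "_" + secrets.token_hex(8), "Issuer": SP_ENTITY_ID}
    pending.add(req["ID"])
    return req

def idp_issue_assertion(request: dict, subject: str, now: int, ttl: int = 300) -> dict:
    """Step 3: after authenticating the principal against its directory, the IdP signs an
    assertion scoped to one SP (Audience) and one request (InResponseTo)."""
    assertion = {"Issuer": IDP_ENTITY_ID, "Subject": subject,
                 "Audience": request["Issuer"], "InResponseTo": request["ID"],
                 "NotBefore": now, "NotOnOrAfter": now + ttl}
    return {"assertion": assertion, "signature": sign(assertion, IDP_SIGNING_KEY)}

def sp_validate(response: dict, pending: set, now: int) -> tuple:
    """What the SP checks before trusting an assertion it did not create."""
    a, sig = response["assertion"], response["signature"]
    if not hmac.compare_digest(sign(a, IDP_SIGNING_KEY), sig):
        return False, "bad signature"            # tampered or forged
    if a["Issuer"] != IDP_ENTITY_ID:
        return False, "untrusted issuer"
    if a["Audience"] != SP_ENTITY_ID:
        return False, "wrong audience"           # assertion was meant for another SP
    if a["InResponseTo"] not in pending:
        return False, "unsolicited or replayed"
    if not (a["NotBefore"] <= now < a["NotOnOrAfter"]):
        return False, "outside validity window"
    pending.discard(a["InResponseTo"])           # one-shot: presenting it again is a replay
    return True, a["Subject"]
```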

Secure Architecture Design

•No “one size fits all”

•Dependent on customer need, cloud service (SaaS is different to IaaS)

•Dependent on risk profile & data classification

•BYOD & cloud “access anywhere” creates challenges

Architecture

Diagram: reference architecture including OOB (out-of-band) management

Foundations

•Security is much more than just devices & config:

◦ Governance

◦ Policies

◦ Auditing

◦ Processes

◦ Design patterns

•Cloud security is a shared responsibility between consumers and providers

Open Security Architecture Group

Thank you

•Q&A

This document was created using the official VMware icon and diagram library. Copyright © 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware does not endorse or make any representations about third party information included in this document, nor does the inclusion of any VMware icon or diagram in this document imply such an endorsement.