cloud security: beyond the buzz
TRANSCRIPT
Cloud Security: Beyond the Buzz
Real-world case studies show how time-tested security concepts are applied to the Cloud
Today’s Chat
• Introduction• Me, my company, and why we care about Cloud.
• What’s Cloud?• SaaS, IaaS, PaaS
• What’s Cloud Security?• Different for SaaS, IaaS, PaaS
• The Nitty Gritty• Considerations and case studies
Introduction: Terremark Worldwide
• World-class Data Centers• NAP of the Americas, NAP of the Capital Region• Network-agnostic (e.g, ~100 ISPs in NAPOTA)
• World-class Managed Hosting• Built on InfiniStructure – a virtualized platform• Large sensitive clients: H&R Block, Broadlane, ...
• Enterprise Cloud• Built on InfiniCenter, evolved from InfiniStructure
Terremark and the Cloud
• Gartner Magic Quadrant• VMWare Service Provider of the Year
• VMWare recently bought 5% of TMRK• Deep Cisco partnership• Large Federal Cloud deployments• Large Banking Cloud deployments• Security is a key differentiator for us!
Introduction: Mario D. Santana
• Director, Secure Information Services• Security/risk consulting, forensics, etc.• Security of Terremark’s hosting environments• Expert witness, lectures, etc.
• CISSP, CISA, GIAC, ECTF, Infragard, etc…• Systems developer/designer in the 80’s• Systems administrator/architect in the 90’s• Security guy in the 00’s
WHAT’S “THE CLOUD?”Depends who you ask. It’s some level of IT abstraction.
What’s Cloud?
• Depends who you ask!• Much agreement on NIST’s1 5 characteristics:
• On-demand self-service• Ubiquitous network access• Location-independent resource pooling• Rapid elasticity• Measured service
• You know this: you’re at CloudWorld!
Cloud is Abstraction
• NaaS: Network as a Service• The original cloud, as in network diagrams
• We don’t care how it works, it’s a black box• “Service” “Utility” “On-Demand” etc…
• Not to be confused with “managed” services• These are more of a partnership with a vendor
• Bottom line: Cloud is someone else’s problem. “It just works.”
Different Kinds of Cloud Computing
• Infrastructure as a Service (IaaS)• “Abstract away the data center”• Amazon EC2, Terremark e-Cloud
• Platform as a Service (PaaS)• “Abstract away the middleware”• Google AppEngine, Microsoft Azure
• Software as a Service (SaaS)• Salesforce.com, countless others…
The Cloud Stack
• Higher layers are built on lower layers
• Higher abstractions “include” lower ones
• Clouds used to be all (SaaS) or nothing (NaaS)
• Today’s marketplace has more fine-grained distinctions
Moving Target
• In analyst-speak: it’s a “dynamic marketplace”• Semantics matter
• New solutions break young, unrefined definitions• They yield insight about why Cloud is useful• As the marketplace matures, definitions solidify
• Players are making moves• SaaS players offering PaaS and IaaS, for example• Amazon’s multitude of offerings are coalescing
WHAT’S CLOUD SECURITY?It’s technology + process + due diligence. The core issue is trust.
Technology, Process, Shoe Leather
• There’s no magic technology in the Cloud• The stack is made up mostly of the same old stuff• There are a very few special considerations
• The Cloud is more than the technology• It’s also the business, cost, and operating models• Cloud security can look like security of outsourcing
• Bottom line: understand and secure the layers• The secret ingredient is due diligence
Technology: Defense in Depth
• Defend each layer independently• A few special considerations: shared
resources• All models: shared networking• IaaS: shared virtualization and storage• PaaS: shared middleware, database, etc.• SaaS: shared everything
• Mostly, non-Cloud security measures translate fairly easily to Cloud environments
The Real Issue: Trust
• Obviously, reputation matters• How long has the vendor been doing Cloud?• How solid is their past security record?• What are their plans? Will they be around long?
• Fundamental approach: Trust but Verify• Without verification, it’s more faith than trust• Partnerships with trustworthy third parties can help
• Weaknesses don’t have to be fatal• If you know about them, you can work with them
IAASThe Nitty Gritty: Considerations and Case Studies
IaaS: security challenges
• Virtualization issues• VM “break-out” attack: scary but rare• Miscellanea (e.g., hypervisor log-file flooding)
• Shared infrastructure issues• Shared storage: clean it before de-allocating it• Shared CPU/RAM: don’t over-allocate resources
• Depend on outsourced datacenter practices• These will cover pretty much everything else!
IaaS: security benefits
• Virtualization benefits• Machine-level instrumentation (e.g., VMSafe)• Simplified incident response, forensics, recovery
• Shared infrastructure benefits• Shared, industrial-strength instrumentation• Correlate security information across customers
• Relatively simple to understand• IaaS is much like any other outsourced data center
IaaS case study: Enterprise Cloud
• Terremark’s offering – I’m very familiar with it• Right now it’s a pure IaaS play
• Meeting the IaaS security challenges:• Mature architecture evolved over five years• Zero-on-read for shared storage• No over-allocation of CPU or RAM
• Leveraging IaaS security benefits:• Robust, integrated managed security offerings
PAASThe Nitty Gritty: Considerations and Case Studies
PaaS: security challenges
• Complex, powerful APIs are hard to protect• The platform itself must be safe from attack• Applications must be isolated from each other
• Security mechanisms are “secret sauce”• Details are scarce and vendors aren’t talking• Awkward to do due diligence or compliance
• Applications might still be insecure• Even a perfectly secure platform can’t fix that
PaaS: security benefits
• Centrally-managed platform• Fixes and countermeasures help all users• Correlation of security information across users
• More and better expertise about the platform• The best and brightest people• More attention to (security-related) detail
• Many non-Cloud measures translate directly• Application firewalls, strong authentication, etc.
PaaS case study: Google Apps
• Awkward case study, since Google isn’t talking• Severely limited API (reduce complexity)• Big promises, backed by a strong reputation1
• There is fuel for speculation:• Guido is on board (Google bets on smart people)• Java was designed with sandboxing from early on
• Recent issues2 have scared sensitive clients3
• Continued evolution of real and perceived security
SAASThe Nitty Gritty: Considerations and Case Studies
SaaS: security challenges
• Even more than with PaaS, trust is the key• The vendor runs everything, soup to nuts• The due diligence takes more effort
• As with PaaS, vendors are tight-lipped• Again, there’s “secret sauce” involved• More limited use cases expose fewer details
• No opportunity to work around weaknesses• The vendor controls every layer of the technology
SaaS: security benefits
• Centrally-managed application• Security is stressed by many users• Attack information correlated from many users
• Attention to the application• Unlike for users, running this app is the business• Shared costs brings more expertise and resources
• Little or no technical skill needed to assess• Lean on processes, certifications, and reputation
SaaS case study: Salesforce.com
• Very mature platform, yet still evolving• Started as a focused SaaS pure play• Solidly placed in the PaaS market today
• Security history typical of outsource partner• In 2007, over 900K customer identities stolen• In 2009, an extended outage during peak hours
• Original concept is simple• Keep watching as force.com gains momentum
BONUS ROUNDAdditional thoughts.
Bonus Round
• Typical recommendations• The “what” is the same for Cloud or no Cloud.
• How-to considerations• The plumbing is different in virtual environments• In theory, everything is easy; in practice, it depends
• Testing for security in the Cloud• Shared environments are always tricky to test• Bottom line: coordinate with your vendor
Typical Recommendations
• Full packet capture with session reassembly• NetFlow analysis (especially for DDoS)• Detailed incident response plan• Full forensics capability predefined• Code-level security review of applications• Application-level firewall• End-user metrics and analytics
These are the same for Cloud or no Cloud.
How-To Considerations
• Plumbing is different in a virtualized datacenter• Software switches and things like VMSafe• Be careful not to expose more attack surface
• In theory, everything is easier• The flexible plumbing opens a new world of options
• In practice, it depends• The vendor controls the virtualization layer• Do they have the wherewithal to cater to your
custom needs?
Testing for Security in the Cloud
• Shared environments are tricky to test• Read and understand the acceptable use policy• By design, security tests look like hacking activity• Illegal access vs. pen-testing: what’s the difference
• Bottom line: coordinate with your vendor• Clearly define the rules of engagement• Any findings will improve the service you receive• You can still incorporate the element of surprise
• E.g., perform authorized tests at random intervals
THANK YOU!Questions and discussion.