© British Telecommunications plc
Template Version 1.2
BT Assure. Security that matters
Theo Dimitrakos
Chief Security Researcher, BT Research & Technology
Professor of Computer Science, University of Kent
Contact: [email protected]
Cloud Security Challenges and Guidelines
Security Research & Innovation (application areas and enabling technologies)
• Physical Security
• Protect BT
• Cyber SOC
• Cable Theft
• Global Threat Monitoring
• Visual Analytics
• Virtualisation and application security
• Malware Evolution
• AI
• Future Home Security
• Intelligent Protection
• Network Alarm Correlation
• Secure Cloud Storage
• …
Change factors in a networked world
Cloud Computing
• Disappearing perimeters
• Business services distributed over the network
• Global operations
• Big data at rest on the network / exposed via the network
Network Virtualisation
• Virtualisation of networks and network devices
• New ways of operating network infrastructures
Internet of Things
• Massive interconnection of cloud services and smart devices
• Global distribution (Smart Cities, Smart Health, Smart Energy, etc.)
• Fusion of services with new areas that did not rely on IT networks
Content Networks & New Media
• New and more complex content
• Complex content and media delivery schemes
Mobile Network Evolution
• 4G evolution and deployment
• BYOD proliferation
Social Networks
• Complex interleaving communication channels
• New socio-technical models
Cyber Crime
• Fusion of traditional and internet crime
• Reputation damage and attacks
Cyber Terrorism
• Network increasingly a theatre of state, group and activist terrorism
• Complex supply chains
• Fusion of civil/defence networks
Example: Commonly referenced cloud security incidents
Bad co-hosts
• Amazon: Hey Spammers, Get Off My Cloud! (2008)
• Megaupload US prosecutor investigation (2012)
Service Availability
• Bitbucket's Amazon DDoS - what went wrong (2009)
• AWS EBS cloud storage services outage (2011) – impact on Netflix vs. Foursquare
Risk communication & Response
• Diginotar (June 2011)
• RSA SecurID (March 2011)
Entitlement Management
• Security issues with Google Docs
• Security issues with Sony User Network
Hypervisor & Virtual Machine Vulnerabilities
• An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf
• Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware) see also http://invisiblethingslab.com/itl/About.html
• Cloudburst: Arbitrary code execution vulnerability for VMWare http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
Crypto Ops in VM
• Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine
In-cloud federated Identity Management
• Lack of Standards
Data Provenance
• Where did the data come from?
Data Remanence
• You can check out but can’t leave
Location & Privacy
• Who looks at/after your data? And where? Jurisdictions?
Cloud Security: the challenges – Network Virtualisation
Virtualized network governance
• Improperly configured virtual firewalls or networking
• Inspection of intra-VM traffic on virtual networks
• Data leakage through offline images
Virtualisation / Hypervisor security threats
• Improperly configured hypervisor
• Hypervisor vulnerabilities & malware
• Virtual machine images / virtual appliances containing malicious code (pre-built)
Packet processing on a virtualized infrastructure
• Confidentiality: efficient data encryption process & encrypted processing function
• Integrity: integrity monitoring of virtual image, network traffic & protocol processing; accountability
• Resource isolation: bandwidth slicing; virtual-to-physical mapping; network processor scheduling
Security processing impact
• Shared processor and memory among virtual appliances
• Overhead on packet processing
• Overhead on forwarding rate
Cloud Security: the challenges – Cloud & Virtual Infrastructure Security
Topics: Active Shielding; Isolation (Inter-VM & Hypervisor); VM Security; Hypervisor Security; Physical-to-Virtual Mapping; End-to-end Virtualisation; Data Leakage Prevention
Isolation (Inter-VM & Hypervisor)
• Robust at system level (modulo kernel bugs)
• Issues at management plane
• Memory hijacking
Active Shielding
• Near real-time virtual patching
• Intrusion Prevention at Hypervisor level – below Guest OS
• Malware prevention / detection at Hypervisor level
Hypervisor Security
• Hypervisor / trusted VM: the best place to secure; limited compute resources; security API standards
• Difficult to exploit but high-impact
• Do you trust Microsoft? Do you trust VMWare?
VM Security
• Guest OS needs security protection
• Resilient VM lifecycle: dynamic, at massive scale
• Crypto doesn’t like virtual: current algorithms set to optimise resource pooling
• Can’t always use specialised HW
• Encryption key management
• Co-ordinate security policies & provisioning for network & server virtualisation
• Location/resource optimisation
Data Leakage Prevention
• CSPs don’t: allow clients to classify data; offer different levels of security based upon data sensitivity; offer DLP services
Cloud Security: the challenges – Cloud Data & Services Security
Security in Depth
• VMs provided by IaaS provider
• Platform stack by PaaS provider
• IaaS, PaaS issues + application security
Cloud Platform Lock-in
• Lack of standards
• Lack of interoperability
• Limited service portability
• Incompatible management processes
Law & Compliance
• Provider & resource / data location
• Cross-border data movement
• PII and privacy obligations (HIPAA, GLBA)
• Auditing and compliance (PCI, ISO 27001)
• Poor quality of evidence
Data Location & Mobility
• EU vs. US vs. China (Gov. access)
• Differences in data protection
• Cost of keeping data hosting in EU
• Audit data legally owned by CSP; refusal to ‘hand over audit logs’?
• Difficult to involve law enforcement with CSP activities
Resilience & Availability
• Latency sensitive applications
• Enforcement of SLA obligations
• Insufficient capabilities to cater for managing critical data
Data Comingling
• In-cloud segregation of data: difficult
• Accidental seizure of customer data during forensic investigations
Multi-tenancy
• Security of shared resources
• Process isolation
• Data segregation
• “Data sharding” (fragment across images)
• Entitlement & Access Mgmt (policy issuing authority)
Cloud Security: the challenges – Cloud Application Security
Topics: Distributed Access Management; Virtual Directory Services; Application Service Integration; Identity Lifecycle Management
• Provisioning, Identity Integration, User Management
• Credential Management, Entitlement Management
• Device Credentials, PKI Infrastructure
• Active Directory/LDAP - Attributes, Credentials and Groups for Edge servers
• Credential Mapping
• Authorization with Constrained Delegation (Policy Integrity & Recognition of Authority)
• Trust & Federation
• Security Auditing
• Federation and Edge Server Security – Secure Application Integration Fabric (Secure ESB Gateway)
Example: Cloud Computing Technology Innovation –vs– Cyber Security Challenges
Commoditised virtualisation
• Security API for hypervisor
• Virtual Data Centre Service Management Layer
• Commoditised elasticity
• Commoditised data abstraction & data federation
Cloud islands
• User-defined hosting
• On-demand Elasticity
• Flexible charging model
• Rapid provisioning / de-provisioning
• Customer defined standalone cloud applications
• Cloud island-specific security in-depth
• Per-customer isolation & multi-tenancy
Common capabilities
• Cloud –vs.– managed service delivery model
• Reusable and customisable enabling services offered via a cloud service delivery model: Identity & access; Data & system security; Data federation; Performance monitoring; Intelligent reporting; Auditing; Usage control; Licensing; Optimisation
Virtual Private Clouds
• Customer defined security and QoS
• Customer-centric identity & access federation
• Customer-aware process & data isolation
• Customer-defined process and data federation
• Secure private network overlay offered as a service over the internet
• Customer-centric cloud application composition
Community Clouds
• Community-specific virtual private clouds
• In-cloud collaboration, community management & identity federation services
• Vertical integration of hosting and community-specific cloud applications
• Shared
Cloud aware applications
• Commoditisation of cloud application stores
• Commoditisation of SDK for cloud applications
• Take advantage of cloud IaaS or PaaS to develop SaaS
• Ability to deploy your cloud SaaS over a targeted SaaS / PaaS
• SDK methods for on-demand elasticity, in-cloud hosting and dynamic resource provisioning
Cloud service assembly
• Standardisation of cloud service management interfaces
• Commoditisation of cloud assembly processes & tools
• Vertical value chain specific federation
• Ability to mix-and-match cloud infrastructure & in-cloud common capabilities when producing cloud applications
• Ability to specify and rapidly provision mixed delivery models: e.g. SaaS on 3rd party PaaS; PaaS on 3rd party IaaS
Open cloud federation
• Standardisation of: cloud common capabilities; cloud service management interfaces; cloud access management & federated identity models; cloud service monitoring & reporting; cloud license management services
• Virtual Private “Local” Network over the Internet
• User defined Virtual Private Cloud
Cloud Aggregation Ecosystem
• Standardised cloud charging models including auctions
• Standardisation of cloud service assembly processes
• Virtual Data Centres assembled over multiple IaaS clouds by different providers
• PaaS over federated IaaS with integrated common capabilities by multiple 3rd parties
• Commoditisation of “Make your own Cloud” capability
Example: Cloud security innovation roadmap at BT Research & Technology
Technical innovation challenges & solutions
• Secure Cloud Service Broker
• Virtual hosting on federated clouds
• Accountable Entitlement Management (in-cloud)
• Virtual Patching
• Cloud SaaS security-confidentiality enhancements
• Application aware Behavioural Malware detection (in-cloud)
• In-cloud malware scanning
• Secure cloud storage service
• Cloud information assurance metrics
• Cloud security analytics
• Hypervisor level Malware Detection
• Hypervisor level Intrusion Prevention
• Hypervisor level Data Leak Prevention
• Use of trusted hardware in Virtual Data Centres & Cloud
Cloud Security Innovation Strategy
• Market evolution analysis
• Recommendations for High-level Secure Cloud Architecture for Government (IaaS)
• In-cloud security cost-benefit analysis
• Cloud information assurance metrics
• Cloud security risk assessment (eGov)
• Recommendations for High-level Secure Cloud Architecture for Government (SaaS)
• Cloud ecosystem security value network
• Market analysis revision
• Cloud security value network revision
• Strategic Foresight
Themes: Cloud federation; Cloud Security services; Cloud Security infrastructure; Secure Virtualisation
• SSO & Identity Management as a Cloud Service
• Multi-Cloud Intelligent Protection
• Multi-Cloud Secure Storage
• Cloud Federation Fabric
• Cloud Aggregation Environment
• Cloud Federation Management
• Cloud CERT
• Cloud Cyber-Incident Management
Legend: BT core technology innovation activity; Research Collaboration; Long term research; Strategy / Guidelines
Cloud Security Challenges and how we address them
Technology Risks
• Hypervisor vulnerabilities
• Lack of cloud specific security solutions
• Defence in depth is complex to achieve in the Cloud
Multi-tenancy (shared infrastructure)
• Resource sharing
• Poor Process isolation / Data Segregation
• Data Sharding, remanence (erasure), Co-mingling
Protection in depth & Security at multiple layers
• Virtual image provided by IaaS provider
• Platform stack provided by PaaS
• SaaS application security
Resilience & Availability
• Latency controls for sensitive applications
• Inability to enforce high-assurance SLAs
• CSP unable to provide QoS for sensitive applications
Data Location & Mobility
• EU vs. US vs. China regulations (Government access)
• Differences in data protection between EU regions
• Examples of CSP refusing to ‘hand over audit logs’
Information Assurance & Compliance
• Cross-border data movement
• Privacy obligations (DPA, HIPAA, GLBA)
• Auditing and compliance (PCI, ISO 27001)
Cloud vendor lock-in
• Lack of standards / interoperability
• Limited service portability
• Incompatible management processes
Corporate Risks
• Lack of transparency
• Limited audit ability
• Global CSP - Regulatory compliance
How we address them
• Direct Innovation downstream to BT MFUs / Platforms
• Influence EU / UK policy (via expert advisory groups / agencies)
• Influence industry via CSA and ISF
Examples of Collaborative Research Impact & Value Generation: overview
Influence Strategy & Policy at EU and National Level: Contributors to ENISA advisory reports on Cloud Security
• Cloud Computing: Benefits, Risks, Recommendations
• Security and Resilience of Governmental Clouds
• Procure Secure: security levels in cloud contracts
• Governmental Clouds: Good Practice Guide
• Incident Reporting in the Cloud
Research outputs
• Intelligent Protection
• Secure Cloud Storage
• Multi-cloud VPN overlay
• Trust Assessment
• Cloud Compliance Assessment
• Governmental Cloud Store Capabilities
• Intelligent Protection for Governmental Applications
• Cloud Data Protection Services
• Federated Identity as a Service for PSN and G-Cloud
Trials
• Central Government: Greek Ministry of Finance
• Municipalities: London, UK; Genova, Italy; Belgrade, Serbia
Timeline: 2010-2013 EU collaboration – Cloud Technology Development; 2014-2017 Cloud Technology Trials & Validation
Examples of Collaborative Research Impact & Value Generation: illustrative case
Research, Development & Experimentation
• FP6 TrustCoM – IP 2004-7: Security policy management automation
• FP6 BEinGRID – IP 2006-9: Common Capabilities for Cloud, Cloud Architecture Security Patterns
• FP6 OPTIMIS – IP 2010-13: Secure Cloud Broker, Common capabilities for Cloud Data & Application Protection
• FP7 FED4FIRE experiments 2014: Multi-cloud Data & Application Protection at large scale
Technology & Business Validation
• CIP STRATEGIC: Secure cloud service store
• EIT HII Trusted Cloud: Secure cloud platform
BT customisation & productisation
• BT Cloud Compute: Platform, Application, Data Security; Identity Federation
• BT Security: Cloud Security Services; Identity as a Service
Cloud security research
• In-Cloud Security Services
• Secure Community Clouds
• Protecting BT’s Cloud Platforms
• Protect BT’s use of cloud infrastructure, platform and application services
Research areas: Identity & Federation; Application & Virtual Server Protection; Storage & Data Protection; Platform & Infrastructure Security; Governance, Standards, Compliance, Assurance
Cloud security: current areas of BT innovation and solutions
One capability, multiple cloud security service models
Multi-cloud protection
• One: Security dashboard; Security policy management interface; Governance process
• Many: Control points; Cloud platforms; Applications & servers
Cloud store / Marketplace
• Horizontal / reusable capability
• Fully integrated with cloud application deployment
• Automated policy derivation (security intelligence)
• Automated security patching per application
• Customisable self-management interface
• Multi-cloud
• One click to buy
Cloud platform enhancement
• Horizontal / reusable capability
• Configurable security options
• Fully integrated with cloud application deployment
• Automated policy derivation (security intelligence)
• Automated security patching per application
• One click to buy
• In-flight provisioning
• Inventory sync
Cross-cloud application defined security policy
• Multi-cloud deployment
• Application defined virtual network overlay
• Application defined security policy group
Delivery models: Cloud-based / On-premise; Fully managed / Self-managed
BT Cloud Security Services Incubator - Enabling Open Innovation
Idea generation
• Ideas for new products and services
• Ideas for changing commercial models and value propositions
• Ideas to make things faster
Strategic collaboration
• Define community, qualify and prioritise opportunities
• Research prototype to refine concept in partnership with community
• Validate candidate technologies/software
Customer trials
• Working with customers to trial new innovations
• Obtain early market feedback and test commercial attractiveness and commercial viability
New products & propositions
• When concepts have been proven with customers then they will be down-streamed to product platforms
Pipeline: Research → Alpha → Beta → Platform
• Alpha at Adastral Park run by R&T
• Supports ISV integration, hothouses, etc.
• Beta at London GS2 run by GS, tactical ops from IP Soft
• Targeting LatAm, US, Asia-Pac
Thought-leadership: Innovation Demonstrators
Cloud Broker & Federation
• Secure Cloud Service Broker
• Cloud community management
• Cloud Identity and Federation management
Cloud Application Security
• Intelligent Application Protection
• Accountable Entitlement Management
• Confidentiality/Compliance for Cloud SaaS
Cloud System Security
• GRC Assessor
• Secure data storage & sharing
• Intelligent System Protection
• Virtual Security Patching
Secure Virtualisation
• Hypervisor level Malware Detection
• Hypervisor level Intrusion Prevention
• Hypervisor level Data Leak Prevention
The BIG picture: Towards a Secure Cloud blueprint
BT thought-leadership: Overview of external collaborations
• Co-authors of ENISA expert advisory report on Cloud Security Risk Analysis
• Contributors to CSA security guidelines and lead of Virtualisation Security work stream
• Co-authors of the BT Cloud Security standard
• Contributors to ENISA expert group on Government use of Cloud computing
• Leading Governmental Cloud Services Store & Cloud Security activities on STRATEGIC, a €5 million innovation validation project
• Led Cloud Brokerage & Federation use case at OPTIMIS, a €10.5 million collaborative R&D project
• Led BEinGRID (Chief scientist / technical director), the largest R&D investment (€25 million) on next generation SOA in Europe
• Invited speakers at events: InfoSec, CloudSecurity, RSA, e-Crime, Intellect, ISF, CSO Summit, etc.
• 3 books and several technical papers in Cloud & Next Generation SOA
Protection in the Cloud: BT Intelligent Protection
Theo Dimitrakos ([email protected])
Protection of Systems & Apps in the Cloud
What is it?
• A cloud security service that has been designed and developed to address customer demand for protecting virtual servers and hosted applications on cloud infrastructures.
• Supports multiple cloud service providers, including BT Cloud Compute, Amazon EC2, vCloud etc.
• Comprehensive security solution: Virtual firewall, Intrusion Prevention/Detection, Security Patch management, Anti-malware.
• Deploy security patching & intrusion prevention with no downtime.
• Central Security Portal to manage protection in Multiple Cloud Platforms.
• Automatically protect deployed applications / systems in Virtual Environment.
• Flexible delivery of protection: at Hypervisor / virtualisation management level; by self-installing agents on 3rd party environments; automatically integrated with Application Deployment via Service Store.
Current status
About to go live in the next release of BT Cloud Compute. Market place and intelligent protection service can be used to auto-provision on most popular cloud infrastructure / platform providers.
Benefits
• Reduction of complexity through integration with the cloud environment for automatic capability provisioning, life-cycle management and inventory synchronisation.
• Provides vulnerability protection.
• Eliminates the cost and risk of deployment, integration and management of complex security software or appliances.
Next steps
• Inclusion in BT Compute product roadmap
• BT Wholesale Proposition
Intelligent Protection Service – Security is secretly out of control
DEMO at https://researchplatform.zion.bt.co.uk/demos/ipandsc
Important elements of cyber security strategy & innovation
Protection life-cycle
• Intelligence
• Prevention & Protection
• Continuous Assessment
• Remediation planning & Impact Analysis
• Adapt & Respond
Other important elements
• Think global
• Understand the societal, business & technology evolution
• Share intelligence with care
• Carefully attribute responsibility: think of the whole supply-chain
• Design for change & adaptation
• Understand the impact of change
• Learn from own and others’ mistakes
• Centralise visibility & control
• Distribute ability to enforce & self-adapt within policy & context
Cloud portal – Intelligent Protection Security Dashboard
BT Intelligent Protection
Core strengths & innovative features
• In-flight intrusion prevention, no downtime
• Comprehensive security solution: Virtual firewall, IPS, Security Patch management, Anti-malware
• 360° Protection of customer applications
• Built for Cloud/VDC – hypervisor level security, more effective, easier to integrate into the cloud
Automatic Application Protection
During Application Provisioning, Customers / Tenants:
• Purchase intelligent protection License for the required Security Modules (Firewall, Anti-Malware, Intrusion Detection, Integrity Monitoring, Log Inspection)
• Select an Application from the Application Market Place.
• Automatically protect deployed Application with selected Security Options.
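The Log Inspection module listed among the security modules above, and the incident-based and interval-based notifications mentioned later for the data protection service, can be illustrated with a small detector. The following is an added example written for this page, not BT's Intelligent Protection code: it parses a handful of constructed SSH-style authentication log lines, raises an incident-based notification as soon as one source address exceeds a failure threshold inside a sliding time window, and keeps counters for an interval-based summary. The log lines, host names, addresses and thresholds are all constructed for the example.

```python
"""Log Inspection as a security module: constructed example.

Added illustration, not BT's product code. Parses constructed SSH-style
auth log lines, emits an incident-based notification when one source
exceeds a failure threshold inside a sliding window, and keeps counts
for an interval-based summary report.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout (not real logs).
SAMPLE_LOG = """\
2014-05-01T10:00:01 vm-app-01 sshd: Failed password for admin from 203.0.113.7
2014-05-01T10:00:03 vm-app-01 sshd: Failed password for admin from 203.0.113.7
2014-05-01T10:00:04 vm-app-01 sshd: Accepted publickey for deploy from 198.51.100.2
2014-05-01T10:00:06 vm-app-01 sshd: Failed password for root from 203.0.113.7
2014-05-01T10:00:08 vm-app-01 sshd: Failed password for root from 203.0.113.7
2014-05-01T10:09:00 vm-app-01 sshd: Failed password for guest from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line: str) -> dict | None:
    """Return the fields of one auth line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


class LogInspector:
    """Sliding-window repeated-failure detector plus interval counters."""

    def __init__(self, threshold: int = 4, window: timedelta = timedelta(minutes=1)):
        self.threshold = threshold
        self.window = window
        self._failures: dict[str, deque] = defaultdict(deque)  # src -> timestamps
        self.incidents: list[str] = []                          # incident-based
        self.counts: dict[str, int] = defaultdict(int)          # interval-based

    def feed(self, line: str) -> str | None:
        """Process one line; return an incident message if one fires."""
        event = parse_line(line)
        if event is None:
            return None
        self.counts[event["result"]] += 1
        if event["result"] != "Failed":
            return None
        recent = self._failures[event["src"]]
        recent.append(event["ts"])
        # Drop failures that fell out of the sliding window.
        while recent and event["ts"] - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            msg = (f"INCIDENT {event['host']}: {len(recent)} failed logins from "
                   f"{event['src']} within {int(self.window.total_seconds())}s")
            self.incidents.append(msg)
            recent.clear()  # one notification per burst, not per extra failure
            return msg
        return None

    def interval_summary(self) -> dict[str, int]:
        """Counts of accepted/failed events seen so far (for the periodic report)."""
        return dict(self.counts)


def inspect(log_text: str = SAMPLE_LOG) -> tuple[list[str], dict[str, int]]:
    """Run the inspector over a log text; return (incidents, interval summary)."""
    inspector = LogInspector()
    for line in log_text.splitlines():
        inspector.feed(line)
    return inspector.incidents, inspector.interval_summary()


if __name__ == "__main__":
    incidents, summary = inspect()
    for msg in incidents:
        print(msg)
    print("interval summary:", summary)
```

With the constructed lines, the four failures from 203.0.113.7 arrive within seven seconds and trigger one incident notification; the single failure from 192.0.2.9 stays below threshold and only appears in the interval summary.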
Cloud Service Provisioning
Automatic Application Protection
Cloud Security Services – protection of data in the cloud
Security is secretly out of control
Secure cloud data protection service
What is it?
• Not just another cloud (i.e. network accessible) storage service
• A cloud security service enabling customers to manage data protection across many cloud infrastructures
• Virtual “hard-disk” volume encryption offered ‘as a service’
• Decryption only possible in “safe” environments following policy-based approval
• Protected data mobility across servers and across clouds
• Customer in control of compliance with data-protection policies across many clouds and regions
• Faults & security breaches visible across clouds
• Seamless integration with Cloud Service stores and interoperability with most cloud platforms
Current status
About to go live on BT Cloud Compute. Market place and intelligent protection service can be used to auto-provision on most popular cloud IaaS/PaaS. BT Intellectual Property (2 core and 9 related patents). Estimated impact of protecting revenue > £30M p.a. Selected for trial with Municipalities (UK, Italy, Serbia) and Central Government services (Lithuania, Greece).
How it works
• Customer is in control of connection, protection, access to secure virtual storage.
• Decryption only possible when data is used in a specific ‘safe’ environment following policy-based approval.
Policy-driven key management
• Uses identity and integrity based enforcement to ensure only authorised virtual machines receive keys and access to secure storage.
• Automates key release and virtual machine authorisation for rapid operation.
• Enables the use of policies to determine when and where keys were used.
Advanced Encryption techniques
• Features FIPS 140-2 certification and FIPS approved AES encryption.
• Encrypts and decrypts information in real time, so that data is always protected.
• Applies whole volume encryption to secure all data, metadata, and associated structures.
Robust auditing, reporting, and Alerting
• Logs actions in the management console for audit purposes.
• Provides detailed reporting and alerting features with incident-based and interval-based notifications.
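The "policy-driven key management" and "how it works" points above (keys released only to authorised virtual machines whose integrity checks out, in a permitted environment, with every action logged for audit) and the integrity-monitoring point in the network virtualisation challenges earlier can be shown as one small key broker. The following is an added example written for this page, not BT's secure storage product code: the broker, its policy structure, the VM identities, the image measurements (a SHA-256 over constructed image bytes standing in for a real platform measurement) and the region names are all hypothetical.

```python
"""Policy-driven key release for encrypted cloud volumes.

Added illustration (not BT's product code): a minimal key broker that hands
out a volume's data-encryption key only when the requesting virtual machine
(a) presents a known identity, (b) reports an integrity measurement matching
the expected value for its image, and (c) runs in a region the volume's
policy permits. Every decision is appended to an audit log. All identities,
measurements, keys and policies below are constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class VolumePolicy:
    """Which VMs may receive the key for one encrypted volume, and where."""
    volume_id: str
    allowed_vm_ids: frozenset
    allowed_regions: frozenset


@dataclass
class KeyRequest:
    """What a VM presents when it asks for a volume key (constructed)."""
    vm_id: str
    region: str
    image_measurement: str  # hex digest of the VM's boot image
    volume_id: str


def measure_image(image_bytes: bytes) -> str:
    """Integrity measurement of a VM image: SHA-256 of its contents."""
    return hashlib.sha256(image_bytes).hexdigest()


@dataclass
class KeyBroker:
    """Hypothetical broker holding volume keys and golden measurements."""
    volume_keys: dict
    policies: dict
    expected_measurements: dict  # vm_id -> expected hex digest
    audit_log: list = field(default_factory=list)

    def _audit(self, req: KeyRequest, decision: str, reason: str) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "vm_id": req.vm_id, "volume_id": req.volume_id,
            "region": req.region, "decision": decision, "reason": reason,
        })

    def request_key(self, req: KeyRequest) -> bytes | None:
        """Return the volume key if every policy check passes, else None."""
        policy = self.policies.get(req.volume_id)
        if policy is None:
            self._audit(req, "DENY", "unknown volume")
            return None
        if req.vm_id not in policy.allowed_vm_ids:
            self._audit(req, "DENY", "vm not authorised for volume")
            return None
        expected = self.expected_measurements.get(req.vm_id)
        # Constant-time comparison so timing does not leak the expected digest.
        if expected is None or not hmac.compare_digest(expected, req.image_measurement):
            self._audit(req, "DENY", "integrity measurement mismatch")
            return None
        if req.region not in policy.allowed_regions:
            self._audit(req, "DENY", f"region {req.region} not permitted")
            return None
        self._audit(req, "ALLOW", "identity, integrity and location checks passed")
        return self.volume_keys[req.volume_id]


# Constructed sample data: a golden image and a tampered copy of it.
GOOD_IMAGE = b"constructed golden image contents v1"
TAMPERED_IMAGE = b"constructed golden image contents v1 + implant"


def build_demo_broker() -> KeyBroker:
    """Broker with one volume whose key only vm-app-01 in eu-west may fetch."""
    return KeyBroker(
        volume_keys={"vol-finance": b"\x01" * 32},
        policies={"vol-finance": VolumePolicy(
            "vol-finance", frozenset({"vm-app-01"}), frozenset({"eu-west"}))},
        expected_measurements={"vm-app-01": measure_image(GOOD_IMAGE)},
    )


def run_scenarios() -> list:
    """Send four requests (good, tampered image, wrong region, unknown VM)."""
    broker = build_demo_broker()
    requests = [
        KeyRequest("vm-app-01", "eu-west", measure_image(GOOD_IMAGE), "vol-finance"),
        KeyRequest("vm-app-01", "eu-west", measure_image(TAMPERED_IMAGE), "vol-finance"),
        KeyRequest("vm-app-01", "us-east", measure_image(GOOD_IMAGE), "vol-finance"),
        KeyRequest("vm-rogue", "eu-west", measure_image(GOOD_IMAGE), "vol-finance"),
    ]
    for req in requests:
        broker.request_key(req)
    return [entry["decision"] for entry in broker.audit_log]


if __name__ == "__main__":
    print(run_scenarios())  # ['ALLOW', 'DENY', 'DENY', 'DENY']
```

The order of checks matters for the audit trail: identity is verified before integrity, and integrity before location, so a denied request records the first policy it failed rather than a generic refusal. In a real deployment the measurement would come from the platform's attestation mechanism rather than from the requester, which is the assumption this toy version does not model.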
DEMO at https://researchplatform.zion.bt.co.uk/demos/ipandsc
Cloud-based Identity Management Service
Future Challenge: Traditional enterprise in a changing world
Internal Enterprise interacting with: Cloud; Cloud Platform & Infrastructure; Cloud Apps & Web Services; Social Media; SaaS
• Silo expansion
• Identity shadowing
• Policy fragmentation
• Loss of control
Future Challenge: Cloud-ready always connected enterprise
Internal Enterprise interacting with: Cloud; Cloud Platform & Infrastructure; Cloud Apps & Web Services; Social Media; SaaS
Cloud/hosted service
- Holistic identity life-cycle management
- Privileged identity
- Governance, audit
- Federation and SSO
- Fraud prevention
for both on-premise and in-cloud services & applications
Gateway/bridge to
- Identity management
- Enterprise governance
- Access management
- Information protection
for enterprise resources
Future identity challenges case study: BT Cloud Compute Service Store