Hamed Pishvayazdi, spring 1394 1. Cloud Definition


Upload: ophelia-boone

Post on 11-Jan-2016


Hamed Pishvayazdi, spring 1394


Cloud Definition


Cloud Characteristics

o On demand
o Pay-per-use: less investment
o Pay-as-you-go
o Elastic Capacity & Infinite Resources & Scalability
o Self-Service Interface & Manageability
o Abstraction: Resources that are abstract and virtualized
o Utility Computing
o Better resource utilization
o Reduce power (Green IT computing)
o Ubiquity of access (anywhere, anytime, …)
o Ease of management & Self-service
o Customization: More in IaaS and less in PaaS and SaaS


Cloud Security: Advantages & Disadvantages


General Security Advantages

Cloud homogeneity makes security auditing/testing simpler

Clouds enable automated security management

Redundancy / Disaster Recovery


Cloud Security Advantages

o Dedicated Security Team
o Greater Investment in Security Infrastructure
o Fault Tolerance and Reliability
o Greater Resiliency
o Hypervisor Protection Against Network Attacks


Cloud Security Advantages (Cont.)

o Simplification of Compliance Analysis
o Data Held by Unbiased Party (cloud vendor assertion)
o Low-Cost Disaster Recovery and Data Storage Solutions
o On-Demand Security Controls
o Real-Time Detection of System Tampering
o Rapid Re-Constitution of Services
o Using cloud for security:
  o Defense or attack
  o Advanced Honeynet Capabilities
  o DOS
  o Decryption


Responsibility & Accountability

“Ultimately, you can outsource responsibility but you can’t outsource accountability.”


Companies are still afraid to use clouds


Specific Customer Concerns Related to Security

Protection of intellectual property and data: 30%

Ability to enforce regulatory or contractual obligations: 21%

Unauthorized use of data: 15%

Confidentiality of data: 12%

Availability of data: 9%

Integrity of data: 8%

Ability to test or audit a provider’s environment: 6%

Other: 3%

Source: Deloitte Enterprise@Risk: Privacy and Data Protection Survey, 2007


Lots of Governance Issues

Cloud Provider going out of business

Provider not achieving SLAs

Provider having poor business continuity planning

Data Centers in countries with unfriendly laws

Proprietary lock-in with technology, data formats

Mistakes made by internal IT security – several orders of magnitude more serious


Problems Associated with Cloud Computing

o Most security problems stem from:
  o Loss of control
  o Lack of trust (mechanisms)
  o Multi-tenancy
o These problems exist mainly in 3rd party management models
o Self-managed clouds still have security issues, but not related to above


Possible Solutions

o Minimize Lack of Trust
  o Policy Language
  o Certification
o Minimize Loss of Control
  o Monitoring
  o Utilizing different clouds
  o Access control management
  o Identity Management (IDM)
o Minimize Multi-tenancy


Cloud Forcing Key Issues

Separation between data owners and data processors

Anonymity of geography

Anonymity of provider

Physical vs virtual controls

Identity management


© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

NIST Deployment Models

… and one other

Cloud Deployment Model

Public Cloud: Cloud infrastructure made available to the general public.

Private Cloud: Cloud infrastructure operated solely for an organization.

Virtual Private Cloud: Cloud services that simulate the private cloud experience in public cloud infrastructure

Hybrid Cloud: Cloud infrastructure composed of two or more clouds that interoperate or federate through technology

Community Cloud: Cloud infrastructure shared by several organizations and supporting a specific community


Enterprise Deployment Models

Distinguishing between Ownership and Control

Ownership

Internal Resources: All cloud resources owned by or dedicated to enterprise

External Resources: All cloud resources owned by providers; used by many customers

Control

Private Cloud: Cloud definition/governance controlled by enterprise

Public Cloud: Cloud definition/governance controlled by provider

Hybrid Cloud: Interoperability and portability among Public and/or Private Cloud systems


Amazon Virtual Private Cloud VPC (http://aws.amazon.com/vpc/)


We Have Control

o It’s located at X.
o We have backups.
o Our admins control access.
o Our uptime is sufficient.
o The auditors are happy.
o Our security team is engaged.

Who Has Control?

o Where is it located?
o Who backs it up?
o Who has access?
o How resilient is it?
o How do auditors observe?
o How does our security team engage?

80% of enterprises consider security #1 inhibitor to cloud adoptions

48% of enterprises are concerned about the reliability of clouds

33% of respondents are concerned with cloud interfering with their ability to comply with regulations

Source: Driving Profitable Growth Through Cloud Computing, IBM Study, 2008 (conducted by Oliver Wyman)


Governance structure of IT organizations


Assessment responsibility


High-level cloud security concerns

Compliance

Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.

Less Control

Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.

Reliability

High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.

Security Management

Providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud.

Data Security

Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.


Customer Pain Points

P - Privacy (Confidentiality)
A - Authorization (Authentication)
I - Integrity
N - Non-Repudiation

The fundamentals of security haven’t changed for a long time. However, in the last few years due to viruses, worms, intrusions & DDoS attacks, another one has been added called “Assured Information Access”.


Threat Model

Risk 1: Resource Exhaustion*
Risk 2: Customer Isolation Failure*
Risk 3: Management Interface Compromise
Risk 4: Interception of Data in Transmission
Risk 5: Data leakage on Upload/Download, Intra-cloud
Risk 6: Insecure or Ineffective Deletion of Data*
Risk 7: Distributed Denial of Service (DDoS)
Risk 8: Economic Denial of Service*
Risk 9: Loss or Compromise of Encryption Keys
Risk 10: Malicious Probes or Scans
Risk 11: Compromise of Service Engine/Hypervisor*
Risk 12: Conflicts between customer hardening procedures and cloud environment
Risk 13: Subpoena and E-Discovery*
Risk 14: Risk from Changes of Jurisdiction*
Risk 15: Licensing Risks*
Risk 16: Network Failure
Risk 17: Networking Management
Risk 18: Modification of Network Traffic
Risk 19: Privilege Escalation*
Risk 20: Social Engineering Attacks
Risk 21: Loss or Compromise of Operation Logs
Risk 22: Loss or compromise of Security Logs
Risk 23: Backups Lost or Stolen
Risk 24: Unauthorized Access to Premises, Including Physical Access to Machines and Other Facilities
Risk 25: Theft of Computer Equipment*


Overview


Mapping the Model to the Metal

Cloud Model

Security Control Model

Physical: Physical Plant Security, CCTV, Guards
Compute & Storage: Host-based Firewalls, HIDS/HIPS, Integrity & File/log Management, Encryption, Masking
Network: NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth
Management: GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring
Information: DLP, CMF, Database Activity Monitoring, Encryption
Applications: SDLC, Binary Analysis, Scanners, WebApp Firewalls, Transactional Sec.
Trusted Computing: Hardware & Software RoT & API’s

Compliance Model

PCI
HIPAA
GLBA
SOX

Firewalls
Code Review
WAF
Encryption
Unique User IDs
Anti-Virus
Monitoring/IDS/IPS
Patch/Vulnerability Management
Physical Access Control
Two-Factor Authentication
...

Find the Gaps!


CSA Guidance Research

Governance and Enterprise Risk Management

Legal and Electronic Discovery

Compliance and Audit

Information Lifecycle Management

Portability and Interoperability

Security, Bus. Cont., and Disaster Recovery

Data Center Operations

Incident Response, Notification, Remediation

Application Security

Encryption and Key Management

Identity and Access Management

Virtualization

Cloud Architecture

Operating in the Cloud

Governing the Cloud


CSA Guidance Domains

Governing in the Cloud

2. Governance & Risk Mgt

3. Legal

4. Electronic Discovery

5. Compliance & Audit

6. Information Lifecycle Mgt

7. Portability & Interoperability

Operating in the Cloud

2. Traditional, BCM, DR

3. Data Center Operations

4. Incident Response

5. Application Security

6. Encryption & Key Mgt

7. Identity & Access Mgt

8. Storage

9. Virtualization

1. Understand Cloud Architecture


Governing the cloud


Legal

o between the laws the cloud provider must comply with and those governing the cloud customer
o Gain a clear expectation of the cloud provider’s response to legal requests for information.
o Cross-border data transfers


Legal Issues

o Liability
  o Contractual responsibility
  o Financial compensation
  o not meeting SLA
  o Legal requests for information
  o Prohibit data use by provider
  o Restrict cross border transfer
o Intellectual Property
  o All data including copies owned by client
  o State data rights in SLA clearly


Electronic Discovery

o Organizations have control over the data they are legally responsible for.
o Preserve data as authentic and reliable.
  o Metadata
  o Logfiles
o Mutual understanding of roles and responsibilities


Compliance & Audit

o Classify data and systems to understand compliance requirements
o Understand data locations, copies
o Maintain a right to audit on demand
o Need uniformity in comprehensive certification scoping to beef up SAS 70 II, ISO 2700X


Information Lifecycle Mgt

o logical segregation of information and protective controls implemented
o Understand the privacy restrictions inherent in data
o Data retention assurance easy, data destruction may be very difficult.


Information Lifecycle Management

o From creation to destruction
o Data classification
o Data confidentiality
o Data integrity
o Provider access needs to be defined
o Data retention
o Data destruction: harder to prove
o Cross-jurisdictional issues
o Negotiate penalties for data breaches
o Access control: like RBAC


Portability & Interoperability

o Understand and implement layers of abstraction
o For SaaS: regular data extractions and backups to a usable format
o For IaaS: deploy applications abstracted from the machine image.
o For PaaS: “loose coupling” using SOA principles
o Understand who the competitors are to your cloud providers and what their capabilities are to assist in migration.
o Advocate open standards.


Operating in the cloud


Traditional, BCM/DR

Greatest concern: insider threat

Onsite inspections of cloud provider facilities whenever possible.

BCP/DRP

Identify physical interdependencies in provider infrastructure.


Business Continuity

o Disaster recovery plan
  o Is it comparable to client’s data center?
o Can we do a BC audit?
o Location of recovery data centers
o SLA Guarantee
o Data Portability


Incident Response

o Any data classified private: should always be encrypted
o Application layer logging frameworks to provide granular narrowing of incidents to a specific customer.
o Cloud providers and customers need defined collaboration for incident response.
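The "granular narrowing of incidents to a specific customer" point above, as an added example that is not part of the original slides: a shared application log is tagged per customer so that responders can scope an incident to one tenant and see which lines cannot be attributed at all. The JSON field names (`ts`, `tenant`, `event`, `src`) and the sample log lines are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample of a shared, multi-tenant application log (JSON lines).
# Field names "ts", "tenant", "event", "src" are assumptions for this example.
SAMPLE_LOG = """\
{"ts": "2015-04-01T10:00:01Z", "tenant": "acme", "event": "login_failed", "src": "198.51.100.7"}
{"ts": "2015-04-01T10:00:02Z", "tenant": "globex", "event": "login_ok", "src": "203.0.113.9"}
worker crashed before formatting this line
{"ts": "2015-04-01T10:00:03Z", "event": "config_change", "src": "192.0.2.10"}
{"ts": "2015-04-01T10:00:04Z", "tenant": "acme", "event": "login_failed", "src": "198.51.100.7"}
{"ts": "2015-04-01T10:00:05Z", "tenant": "acme", "event": "export_started", "src": "198.51.100.7"}
{"ts": "2015-04-01T10:00:06Z", "tenant": "globex", "event": "login_failed", "src": "198.51.100.7"}
"""


def parse_events(log_text):
    """Split a JSON-lines log into attributed events and unattributable lines.

    Lines that do not parse, or that carry no tenant tag, are returned
    separately instead of being dropped: they are gaps in the logging
    framework that provider and customer have to resolve together.
    """
    events, unattributed = [], []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            unattributed.append((lineno, line))
            continue
        if not isinstance(record, dict) or not record.get("tenant"):
            unattributed.append((lineno, line))
            continue
        events.append(record)
    return events, unattributed


def narrow_to_tenant(events, tenant):
    """Return only the events that belong to one customer."""
    return [e for e in events if e["tenant"] == tenant]


def tenants_touched_by(events, src):
    """Count events per tenant for one source address, to scope notification."""
    return Counter(e["tenant"] for e in events if e.get("src") == src)


if __name__ == "__main__":
    events, unattributed = parse_events(SAMPLE_LOG)
    print("acme events:", [e["event"] for e in narrow_to_tenant(events, "acme")])
    print("tenants seen from 198.51.100.7:", dict(tenants_touched_by(events, "198.51.100.7")))
    print("lines with no customer attribution:", [n for n, _ in unattributed])
```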


Application Security

Secure software Development Lifecycle (SDL)

IaaS, PaaS and SaaS: differing trust boundaries for SDL

For IaaS, need trusted virtual machine images

Apply best practices available to harden DMZ host systems to virtual machines

Securing inter-host communications: no assumption of a secure channel between hosts

Understand malicious actors’ techniques


Cyber Security (DPI)

o DPI refers to the ability to inspect all packet contents
o Other packet processing models allow partial access (shown below)
o Full Layer 2-7 Inspection
o No inherent MAC or IP address: invisible on the network
o Real-time analysis with full packet & flow manipulation
o Create/remove packets
o High speed analysis (10 Gbits/sec)

[Figure: packet fields (MAC Header, IP Header, TCP/UDP, Payload) for Traditional Network Devices (Switch, Router, Firewall, Servers) and for DPI]

DPI: Access to all packet data, including Layer 7 applications such as VoIP, P2P, HTTP, SMTP


Encryption & Key Mgt

o Not controlling backend systems: assure data is encrypted when being stored on the backend
o Use encryption: separate data holding from data usage.
o Segregate the key management from the cloud provider hosting the data, creating a chain of separation.


Identity & Access Mgt

o Robust federated identity management
o Insist upon standards: primarily SAML, WS-Federation and Liberty ID-FF federation
o Validate that cloud provider support: strong authentication natively via delegation support robust password policies
o Consider implementing Single Sign-on (SSO)
o Using cloud-based “Identity as a Service” providers may be a useful tool for


Data & Storage

Storage architecture and abstraction layers:

verify that the storage subsystem does not span domain trust boundaries

knowing storage geographical location is possible

Cloud provider’s data search capabilities

Storage retirement processes.

Can storage be seized by a third party or government entity?

How is encryption managed on multi-tenant storage?

Long term archiving, will the data be available several years later?


Privacy

o Private data
  o What is collected?
  o Where is it stored?
  o How is it stored?
  o How is it used?
  o How long is it stored?
o Tagging of PII data
o Access control of PII data
o Protection of digital identities & credentials
o Access policy for 3rd parties (e.g. Govt. agency)
o How will 3rd parties protect my privacy?


Governance & Enterprise Risk Management

o CSPs accept no responsibility for data they store in their infrastructure
o Be clear on who owns the data
o SLAs include
  o availability
  o service quality
  o resolution times
  o critical success factors, key performance indicators, etc.
o Regular 3rd party risk assessments
o Require listings of all 3rd party relationships
o For mission critical situations & PII examine creating a private or hybrid cloud
o Risk Management


Virtualization

o Virtualized operating systems should be augmented by third party security technology
o Risk of insecure machine images provisioning.
o Virtualization advantages:
  o creating isolated environments
  o better defined memory space: minimize application instability and simplify recovery.
o Need granular monitoring of traffic crossing VM backplanes


Physical/Personnel Security

o Protection against internal attacks
  o Ensure internal people can’t exploit the information to their gain
o Restricted & Monitored access 24x7
o Background checks for all relevant personnel
o Audit privileged users?
o Coordination of Admins (Hybrid Cloud)


The Host Level

SaaS/PaaS

o Both the PaaS and SaaS platforms abstract and hide the host OS from end users
o Host security responsibilities are transferred to the CSP (Cloud Service Provider)
  o You do not have to worry about protecting hosts
o However, as a customer, you still own the risk of managing information hosted in the cloud services.

From [6] Cloud Security and Privacy by Mather and Kumaraswamy


The Host Level (cont.)


Thank you !!!


Question????