introduction to openstack - cyberlearn // hes-so
Security Cloud
Tewfiq El Maliki, HES-SO
With the collaboration of Martin Gwerder, FHNW
Document : CC BY-SA 3.0
Cloud Security
• A science or an art!
Table of Contents
• Recap
–Data Protection Laws
–Comparison Traditional vs Virtual DC
• Securing a Cloud list from X.1601 Chap 9
–Identity and Access Management (IAM), Authentication, Authorization and Transaction Audit
–Virtualization Environment
• Physical Security
• Interface Security
• Computing Virtualization Security
• Network Security
–Data Isolation, Protection and Confidentiality Protection
• Processes
–Security Coordination, Operational Security; Incident Management
–Disaster Recovery
–Service Security Assessment and Audit
• Standard compliance
–Interoperability, portability and reversibility
Context
• Cloud is not just virtualization (NIST definition).
• May be based on a Type 1-3 hypervisor or a container.
• A cloud platform is typically shared among multiple tenants. These parties are in a many-to-many relationship, with at least one CSP and multiple CSCs.
• Sharing resources and the synergy measures (such as memory/storage deduplication or cache sharing) enlarge the attack surface; the majority of flaws and threats come from this side.
• A cloud is not weaker in terms of security. Think about simplicity against complexity: it is just more complex and thus adds more points we have to think of. Generally, the implementation of a cloud is underestimated security-wise and is thus weaker, and the consequences are catastrophic: the attack on OVH generated 1 Pbit/s of traffic.
CSP: Cloud Service Provider; CSC: Cloud Service Consumer
Recap Data Protection Act
Art. 4 Principles
1 Personal data may only be processed lawfully.
2 Its processing must be carried out in good faith and must be proportionate.
3 Personal data may only be processed for the purpose indicated at the time of
collection, that is evident from the circumstances, or that is provided for by law.
4 The collection of personal data and in particular the purpose of its processing
must be evident to the data subject.
5 If the consent of the data subject is required for the processing of personal
data, such consent is valid only if given voluntarily on the provision of adequate
information. Additionally, consent must be given expressly in the case of
processing of sensitive personal data or personality profiles.
Art. 6 Cross-border disclosure
1 Personal data may not be disclosed abroad if the privacy of the data subjects would be
seriously endangered thereby, in particular due to the absence of legislation that guarantees
adequate protection.
2 In the absence of legislation that guarantees adequate protection, personal data may be
disclosed abroad only if:
a. sufficient safeguards, in particular contractual clauses, ensure an adequate level of
protection abroad
b. the data subject has consented in the specific case
c. the processing is directly connected with the conclusion or the performance of a
contract and the personal data is that of a contractual party
d. disclosure is essential in the specific case in order either to safeguard an overriding
public interest or for the establishment, exercise or enforcement of legal claims before
the courts
e. disclosure is required in the specific case in order to protect the life or the physical
integrity of the data subject
f. the data subject has made the data generally accessible and has not expressly
prohibited its processing
g. disclosure is made within the same legal person or company or between legal persons
or companies that are under the same management, provided those involved are
subject to data protection rules that ensure an adequate level of protection.
3 The Federal Data Protection and Information Commissioner (the Commissioner, Art. 26)
must be informed of the safeguards under paragraph 2 letter a and the data protection rules
under paragraph 2 letter g. The Federal Council regulates the details of this duty to provide
information.
Articles: Data protection
Art. 4 Principles
1 Any processing of data must be lawful.
2 Processing must be carried out in accordance with the principles of good faith and proportionality.
3 Personal data may only be processed for the purpose that is indicated at the time of collection, that is provided for by law, or that is evident from the circumstances.
4 The collection of personal data, and in particular the purposes of the processing, must be recognizable to the data subject.
5 Where the data subject's consent is required to justify the processing of personal data concerning them, the consent is valid only if it is given freely and after adequate information has been provided. In the case of sensitive data and personality profiles, the consent must in addition be explicit.
Art. 6 Cross-border disclosure of data
1 No personal data may be disclosed abroad if the privacy of the data subjects would be seriously endangered thereby, in particular due to the absence of legislation that guarantees an adequate level of protection.
2 Despite the absence of legislation that guarantees an adequate level of protection abroad, personal data may be disclosed abroad only under one of the following conditions:
a. sufficient safeguards, in particular contractual ones, ensure an adequate level of protection abroad;
b. the data subject has consented in the specific case;
c. the processing is directly connected with the conclusion or the performance of a contract and the data processed concerns the contractual party;
d. disclosure is essential in the specific case either to safeguard an overriding public interest or for the establishment, exercise or defence of a legal claim before the courts;
e. disclosure is necessary in the specific case to protect the life or the physical integrity of the data subject;
f. the data subject has made the data accessible to everyone and has not formally objected to its processing;
g. disclosure takes place within the same legal person or company, or between legal persons or companies under the same management, provided the parties are subject to data protection rules that guarantee an adequate level of protection.
Recap Comparison of Physical vs Virtual Datacenters
Physical
• Physical presence in the location may be required to
destroy, remove, copy or damage assets.
• Privileged access to root consoles or similar is only
available on premises.
• Image copies of machines are hard to reuse, as the same HW is only seldom available upon failure.
• Access control is easy as there are physical access
controls installed on premise.
• Location of physical machine is always known
• Network boundaries are physical and may not be bridged
by accident.
• A normal “full breach” of a physical machine only discloses
the data of the respective system.
• Hardware failure of a host affects just one system. The
failed system may require hours to days to recover.
• Redundancy must be explicitly built.
Virtual
• Assets are destroyed, removed, copied over networks.
• Privileged access is available over the network.
• Image copies allow any machine to be recovered or copied on any infrastructure within minutes.
• Access control is hard, as network access is broadly available and thus needs to be split into admin and “regular” traffic.
• Location of a virtual machine is volatile and may change during operation.
• Network boundaries are logical and may be bridged or even breached without visible impact.
• A normal “full breach” of a cloud host discloses the data of many systems (either full host or full cluster).
• Hardware failure of a host affects many systems. The failed systems may recover within minutes.
• Redundancy (on HW level) is implicitly available.
Cloud Service Model
• Cloud brings us an entirely new set of values
• Application scalability
• Flexibility
• Economies of scale
• Cost reduction
• Resources efficiencies
• OWASP Top 10
• Application Security Risks - 2017
• NIST, whose cloud definition is widely accepted in the industry, omits virtualization as a criterion for cloud.
www.bsi.bund.de
VM vs BM
• Two types of clouds
• VM vs Bare metal
• You should consider VM cloud for highly dynamic workloads
• Application that spins up and down rapidly
• When an application is sensitive to performance, bare metal can be unbeatable
• Resources dedicated to a single customer
• Greater processing power and input/output operations per second (IOPS)
• More consistent disk and network I/O performance
• Quality of Service (QoS) that guarantees elimination of the noisy neighbor
problem in a multitenant environment.
Docker hardware deployment
• Type 2 Hypervisor, VMware Workstation for example.
• Type 2 with VM Guest Docker.
• Native host Docker.
• Type 1 Hypervisor, native IBM Z, VMware ESX and others.
• Type 1 with VM Guest Docker.
How does Asynchronous Mirroring differ from Synchronous Mirroring?
• Asynchronous Mirroring captures the state of the source volume at a particular point in time and copies just the data that has changed since the last image capture, whereas Synchronous Mirroring reflects all changes made on the source volume to the target volume.
• Asynchronous
– Communication: supports iSCSI and Fibre Channel interfaces between storage arrays.
– Distance: unlimited. Support for virtually unlimited distances between the local and remote storage arrays, with the distance typically limited only by the capabilities of the network and the channel extension technology.
• Synchronous
– Communication: via Fibre Channel. Supports only Fibre Channel interfaces between arrays.
– Distance: restricted. Typically must be within about 10 km (6.2 miles) of the local storage array to meet the latency and application performance requirements.
Trust model IAM
• Identity and Access Management (IAM) is the security discipline that
enables the right individuals to access the right resources at the right
times for the right reasons.
• Multiple administrators and users are involved in cloud computing
services, and these cloud computing services are accessed and used
internally (CSPs) and externally (CSCs).
• IAM contributes to the confidentiality, integrity and availability of
services and resources, and thus becomes essential in cloud
computing. Single sign-on and sign-off.
• Transaction audit protects against repudiation, enables forensic analysis after a security incident, and acts as a deterrent to attacks (both intrusion and insider).
Physical Access
• Access to premises containing CSP equipment is restricted to
authorized persons and only to those areas directly necessary for their
job functions; this is part of the IAM process.
• Multiple sites are needed to guarantee resilience.
• The likelihood of a breach is the same as traditional data centers
Interface security
• This capability secures interfaces open to CSCs and/or other contracted
CSPs through which various kinds of cloud computing services are
delivered, and secures communications based on these interfaces.
Mechanisms available to ensure interface security include but are not
limited to:
• unilateral/mutual authentication, integrity checksum, end-to-end encryption,
digital signature, etc.
Computing virtualization security
• Refers to the security of the whole computing virtualization environment.
• Protects the hypervisor from attacks, and protects the host platform from threats originating in the computing virtualization environment.
• Enables VM isolation, and protects the VM images and suspended VM instances in storage and during migration.
• The hypervisor is configured with the minimum set of services.
• Unnecessary interfaces and application programming interfaces (APIs) are closed.
• Irrelevant service components will be disabled.
• The VMs covered are those created by the CSC in IaaS, and any VMs created by SaaS and PaaS. Virtual machines are isolated when sharing memory, a central processing unit (CPU) and storage capacities.
Network security
• Both physical and virtual network isolation,
• Secures communications among all participants.
• Enables network security domain partition,
• Network border access controls (e.g., firewall), intrusion detection and
prevention,
• Network traffic segregation based on security policies, and
• Protects the network from attacks in both the physical and virtual
network environments.
Data isolation, protection and confidentiality protection
• They have legal implications.
• Data isolation : a tenant is prevented from accessing data belonging to another tenant (A given CSC may have multiple tenants Business-IT)
• Data protection : Data protection ensures that CSC data and derived
data held in a cloud computing environment is appropriately protected
• Confidentiality protection : The collection, use, transfer, handling,
storage and destruction of private information can be subject to
confidentiality regulations or laws.
• A risk assessment of private information can assist a CSP in identifying the specific risks of confidentiality breaches involved in an envisaged operation
Securing a Cloud Virtualization environment: Physical environment -- example
Datacenter 1 Datacenter 2
• VM storage is typically coupled asynchronously or even
periodically mirrored. Synchronous replication is very
hard and expensive to achieve.
• Host clusters typically do not span multiple physical
datacenters or they are likely to break redundancy on
VM level.
• An outage of a physical host is typically recovered within
minutes automatically without significant data loss.
• An outage of a datacenter is typically recovered within
hours with typical loss of up to 24 hours of data (due to
mirroring) and failover and fall back are typically
manual.
Securing a Cloud Virtualization environment: Computing Virtualization Security
• Sharing resources in overcommitted systems may result in security-relevant data exposures. Some of the exposures (e.g. RAM or disk) may be addressed by zeroing or disk sanitization.
• However, in some cases, such as a cache, this does not work. Most of the known general attacks on virtualization systems target this vector.
Typically used vectors are:
• Timing information from other virtual machines and their core adherence
• Timing information when accessing cache
• Timing information when writing to deduped memory or storage
• Hardware security features are typically not available (or are badly supported) in today's cloud environments.
Securing a Cloud Virtualization environment: Network security
• Traditionally multiple networks have to be physically separated on a host.
– Guest networks
– Admin network
– Heartbeat network
– Migration networks
– Storage network (includes regular and backup networks)
[Figure labels: Admin Network, Migration Network, Guest Networks, Storage Network]
Processes: Security coordination, operational security, and incident management
• Security coordination depends on the interoperability and harmonization
of diverse security mechanisms.
• Monitoring the CSP's security measures and their effectiveness, and
giving appropriate reports to affected CSCs and applicable third-party
auditors (acting as a CSN), which can enable the CSC to measure
whether a CSP is delivering on SLA security commitments.
• Incident management provides incident monitoring, prediction, alerting
and response. In order to know whether the cloud computing service is
operating as expected through the whole infrastructure, continuous
monitoring is necessary.
Disaster recovery
• Fast and possibly automated disaster recovery is a key strength of a cloud system.
• Disaster recovery represents the capability to respond to catastrophic disasters, to recover to
a safe state and to resume normal operations as quickly as possible. This capability provides
continuity of provided service with minimum interruption.
Service security assessment and audit
• This capability enables the security evaluation of cloud computing
services. It enables an authorized party to verify that a cloud service
complies with the applicable security requirements. Security
assessment or security audit could be performed by the CSC, CSP or a
third party (CSN), and security certification could be performed by an
authorized third party (CSN).
• Auditing and certification are good means to manage risk and to improve security.
Standard Compliance: Interoperability, portability and reversibility
• Cloud services are interoperable only to a limited extent. While VM migration within a cluster is «daily business», a migration between two clouds (of the same or a different type) usually requires a set of common factors.
• Please differentiate:
– Online interoperability: capability to move a running virtual machine between clouds
– Offline interoperability: capability to move a stopped virtual machine between clouds
– P2V (Physical to Virtual), V2P (Virtual to Physical): capability to convert a physical machine into a virtual one or the inverse
Standard Compliance: Common Disk File formats
• VDI: VirtualBox uses the VDI (Virtual Disk Image) format for image files. None of the OpenStack Compute hypervisors support VDI directly.
• VHD: Microsoft Hyper-V uses the VHD (Virtual Hard Disk) format for images.
• VHDX: has some additional features over VHD, such as support for larger disk sizes and protection against data corruption during power failures.
• VMDK: the VMware ESXi hypervisor uses the VMDK (Virtual Machine Disk) format for images. Supports thin and thick provisioning.
• QCOW2: main disk file format for QEMU. Supports thin provisioning, AES encryption, copy on write and transparent decompression.
• RAW: the raw image format is the simplest one, and is natively supported by both KVM and Xen hypervisors. This format does not support thin provisioning or deduplication.
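The formats listed above can be told apart by their on-disk signatures, which is the check to run on an image before an offline migration between clouds instead of trusting its file extension. The Python code below is an added example, not part of the original slides; the function names and the sample headers are constructed for illustration, and the signature values are those of the public format specifications.

```python
import os
import struct

# Signature values from the public format specifications.
QCOW_MAGIC = b"QFI\xfb"      # QEMU QCOW/QCOW2, followed by a big-endian uint32 version
VHDX_MAGIC = b"vhdxfile"     # Hyper-V VHDX file type identifier at offset 0
VMDK_MAGIC = b"KDMV"         # VMware hosted sparse extent header at offset 0
VHD_COOKIE = b"conectix"     # VHD footer cookie: last 512 bytes, copied to offset 0 on dynamic disks
VDI_SIGNATURE = 0xBEDA107F   # VirtualBox VDI, little-endian uint32 at offset 64


def sniff_disk_format(head: bytes, tail: bytes = b"") -> str:
    """Classify an image from its first bytes (head) and last 512 bytes (tail)."""
    if head[:4] == QCOW_MAGIC and len(head) >= 8:
        (version,) = struct.unpack(">I", head[4:8])
        return "qcow2" if version in (2, 3) else "qcow-other"
    if head[:8] == VHDX_MAGIC:
        return "vhdx"
    if head[:4] == VMDK_MAGIC:
        return "vmdk"
    if len(head) >= 68 and struct.unpack("<I", head[64:68])[0] == VDI_SIGNATURE:
        return "vdi"
    if head[:8] == VHD_COOKIE or tail[-512:][:8] == VHD_COOKIE:
        return "vhd"
    # RAW has no header at all, so it is only the absence of every other signature.
    return "raw"


def sniff_file(path: str) -> str:
    """Read only the first and last 512 bytes of a file and classify it."""
    with open(path, "rb") as f:
        head = f.read(512)
        size = f.seek(0, os.SEEK_END)
        f.seek(max(size - 512, 0))
        tail = f.read(512)
    return sniff_disk_format(head, tail)


def declared_format_matches(declared: str, head: bytes, tail: bytes = b"") -> bool:
    """True only if the format declared for the image agrees with its signature."""
    return sniff_disk_format(head, tail) == declared.strip().lower()


# Constructed sample headers (not real images): just enough bytes to carry the signature.
SAMPLE_QCOW2 = QCOW_MAGIC + struct.pack(">I", 3) + bytes(504)
SAMPLE_VHDX = VHDX_MAGIC + bytes(504)
SAMPLE_VMDK = VMDK_MAGIC + struct.pack("<I", 1) + bytes(504)
SAMPLE_VDI = (b"<<< Oracle VM VirtualBox Disk Image >>>\n".ljust(64, b"\0")
              + struct.pack("<I", VDI_SIGNATURE) + bytes(444))
SAMPLE_RAW = bytes(512)
SAMPLE_VHD_FOOTER = VHD_COOKIE + bytes(504)   # a fixed VHD is raw data plus this footer

if __name__ == "__main__":
    for name, head, tail in [
        ("qcow2", SAMPLE_QCOW2, b""), ("vhdx", SAMPLE_VHDX, b""),
        ("vmdk", SAMPLE_VMDK, b""), ("vdi", SAMPLE_VDI, b""),
        ("fixed vhd", SAMPLE_RAW, SAMPLE_VHD_FOOTER), ("raw", SAMPLE_RAW, b""),
    ]:
        print(f"{name:10s} -> {sniff_disk_format(head, tail)}")
    # An image declared as raw that carries a QCOW2 header is a mismatch to reject.
    print(declared_format_matches("raw", SAMPLE_QCOW2))
```

A fixed-size VHD is the one format here that can only be recognised from the end of the file, which is why `sniff_file` reads the last 512 bytes as well as the first.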
NIST Definitions
• Vulnerability : Any weakness of the security system that could be unintentionally
triggered or intentionally exploited and result in a violation of the system’s security
policy.
• Threat source : a situation and method that may accidentally trigger a vulnerability.
• Threat : The potential for a “threat source” to exploit (intentional) or trigger
(accidental) a specific vulnerability.
[Figure: risk diagram. Labels: RISK (THREAT, IMPACT, PROBABILITY); THREAT (Actor: person, organization, government; Threat Source; Vulnerability: flaw, weakness; Motivation: financial, political)]
Security model (NIST)
[Figure: NIST security model. Labels: System; Confidentiality, Integrity, Availability, Accountability, Non-repudiation, Assurance; Intrusion detection, Cryptographic key management, Protected communications, Authentication, Authorization, System protections, Transaction privacy, Security administration, Access Control, Tolerance]
Security Effort
[Figure: plot of Security against Effort (free scale), vertical axis from 0% to 100%; marked values Effort*, Security*, ΔEffort, ΔSecurity]
Risk Management
[Figure: risk management flow. Labels: Threats, Vulnerabilities, Likelihood, Safeguards, Assets, Consequences, Risk; Sensing Context (internal and external elements); Detect, Analyze, Decide, Act; decision "Risk > Threshold" (Yes / No)]
Control Loop description of autonomic system
[Figure: autonomic control loop. Labels: Collect, Analyze, Decide, Act; Decision Theory, Risk Management, Trust & Reputation; Environmental Sensors, User Context]
Cloud and ISO 27k
• 2008 : Foundation of the Cloud Security Alliance (Cloud Security Matrix)
• 2010 : Group committee 38 in ISO
• 2011 : Publication of NIST 800-145 (Definition of Cloud Computing)
• 2014 : Publication of ISO 27018 1st edition
• 2015 : Publication of ISO 27017 1st edition
Goal of ISO 27017
• Provide a guide of good practices specific to cloud computing services
• ISO/IEC 27017 (Code of practice for information security controls based on ISO/IEC 27002 for cloud services) is a catalogue of good practices for security controls adapted to cloud services
• These good practices are additional to those of ISO/IEC 27002 on information security, when working within the framework of ISO/IEC 27001
• It includes both technical and organizational good practices
• Using the ISO/IEC 27017 standard can be useful in a compliance process in the specific context of the cloud
Contents of the ISO 27017 standard
• Foreword
• 0 Introduction
• 1 Scope
• 2 Normative references
– 2.1 Identical recommendations | International Standards
– 2.2 Additional references
• 3 Terms and definitions
– 3.1 Terms defined elsewhere
– 3.2 Abbreviations
• 4 Overview
– 4.1 Overview
– 4.2 Supplier relationship in cloud services
– 4.3 Relationships between cloud service customers and cloud service provider
– 4.4 Managing information security risks in cloud services
– 4.5 Structure of this standard
• 5 Information security policies
– 5.1 Management direction for information security
• 6 Organization of information security
– 6.1 Internal organization
– 6.2 Mobile devices and teleworking
• 7 Human resource security
– 7.1 Prior to employment
– 7.2 During employment
– 7.3 Termination and change of employment
• 8 Asset management
– 8.1 Responsibility for assets
– 8.2 Information classification
– 8.3 Media handling
• 9 Access control
– 9.1 Business requirements of access control
– 9.2 User access management
– 9.3 User responsibilities
– 9.4 System and application access control
• 10 Cryptography
– 10.1 Cryptographic controls
• 11 Physical and environmental security
– 11.1 Secure areas
– 11.2 Equipment
• 12 Operations security
– 12.1 Operational procedures and responsibilities
– 12.2 Protection from malware
– 12.3 Backup
– 12.4 Logging and monitoring
– 12.5 Control of operational software
– 12.6 Technical vulnerability management
– 12.7 Information systems audit considerations
• 13 Communications security
– 13.1 Network security management
– 13.2 Information transfer
• 14 System acquisition, development and maintenance
– 14.1 Security requirements of information systems
– 14.2 Security in development and support processes
– 14.3 Test data
• 15 Supplier relationships
– 15.1 Information security in supplier relationships
– 15.2 Supplier services delivery management
• 16 Information security incident management
– 16.1 Management of information security incidents and improvements
• 17 Information security aspects of business continuity management
– 17.1 Information security continuity
– 17.2 Redundancies
• 18 Compliance
– 18.1 Compliance with legal and contractual requirements
– 18.2 Information security reviews
• Annex A (normative) Cloud service extended control set
• Annex B References on information security risk related to cloud computing
• Bibliography
Most important Questions
1. Security architecture/model and framework
2. Security management and audit technology
3. BCP/disaster recovery and storage security
4. Data and privacy protection
5. Account/identity management
6. Network monitoring and incident response
7. Network security
8. Interoperability security
9. Service portability
Management CyberSecurity (Main)cloud IdM/Bio
X.1601 Security framework for cloud computing
7. Security threats for cloud computing
8. Security challenges for cloud computing
9. Cloud computing security capabilities
10. Framework methodology
X.1601——7. Security threats for cloud computing
7.1 Security threats for cloud service customers (CSCs)
• 7.1.1 Data loss and leakage
• 7.1.2 Insecure service access
• 7.1.3 Insider threats
7.2 Security threats for cloud service providers (CSPs)
• 7.2.1 Unauthorized administration access
• 7.2.2 Insider threats
X.1601—8. Security challenges for cloud computing
8.1 Security challenges for cloud service customers (CSCs)
• 8.1.1 Ambiguity in responsibility
• 8.1.2 Loss of trust
• 8.1.3 Loss of governance
• 8.1.4 Loss of privacy
• 8.1.5 Service unavailability
• 8.1.6 Cloud service provider lock-in
• 8.1.7 Misappropriation of intellectual property
• 8.1.8 Loss of software integrity
8.2 Security challenges for cloud service providers (CSPs)
• 8.2.1 Ambiguity in responsibility
• 8.2.2 Shared environment
• 8.2.3 Inconsistency and conflict of protection mechanisms
• 8.2.4 Jurisdictional conflict
• 8.2.5 Evolutionary risks
• 8.2.6 Bad migration and integration
• 8.2.7 Business discontinuity
• 8.2.8 Cloud service partner lock-in
• 8.2.9 Supply chain vulnerability
• 8.2.10 Software dependencies
8.3 Security challenges for cloud service partners (CSNs)
• 8.3.1 Ambiguity in responsibility
• 8.3.2 Misappropriation of intellectual property
• 8.3.3 Loss of software integrity
X.1601
9. Cloud computing security capabilities
9.1 Trust model
9.2 Identity and access management (IAM), authentication, authorization, and transaction audit
9.3 Physical security
9.4 Interface security
9.5 Computing virtualization security
9.6 Network security
9.7 Data isolation, protection and privacy protection
9.8 Security coordination
9.9 Operational security
9.10 Incident management
9.11 Disaster recovery
9.12 Service security assessment and audit
9.13 Interoperability, portability, and reversibility
9.14 Supply chain security
X.1601 ——10. Framework methodology
Step 1: Use clauses 7 and 8 to identify security threats and security implications of the challenges in the cloud computing service under study.
Step 2: Use clause 9 to identify the needed high level security capabilities based on identified threats and challenges which could mitigate security threats and address security challenges.
Step 3: Derive security controls, policies and procedures which could provide needed security abilities based on identified security capabilities.
CCM
• Version 1.x Releases – 1.0 (April 2010), 1.01 (Oct 2010), 1.1 (Dec 2010), v1.2 (Aug 2011), v1.3 (April 2013), v1.4 (TBD)
• CCM 1.4
• Baseline Control Assurance Framework for Cloud Security mapped to:
• **COBIT 4.1
• **HIPAA / HITECH Act
• ISO/IEC 27001:2005
• **NIST Special Publication (SP) 800-53 Rev 3
• FedRAMP 3.0
• PCI DSS v2.0
• BITS Shared Assessments
• AICPA Trust Services Principles & Criteria (TSP)
CLOUD CONTROLS MATRIX
• Application & Interface Security
• Audit Assurance & Compliance
• Business Continuity Management & Operational Resilience
• Change Control & Configuration Management
• Data Security & Information Lifecycle Management Classification
• Datacenter Security Asset Management
• Encryption & Key Management Entitlement
• Governance and Risk Management: Baseline Requirements
• Human Resources: Asset Returns
CLOUD CONTROLS MATRIX
• Identity & Access Management Audit Tools Access
• Infrastructure & Virtualization Security
• Audit Logging / Intrusion Detection
• Interoperability & Portability: APIs
• Mobile Security : Anti-Malware
• Security Incident Management, E-Discovery, & Cloud Forensics
• Contact / Authority Maintenance
• Supply Chain Management, Transparency, and Accountability
• Threat and Vulnerability Management
• Anti-Virus / Malicious Software