
Are Clouds Secure? Security and Privacy Implications of Cloud Computing

Subra Kumaraswamy, Sun; Tim Mather, RSA. 04/21/09 | Session ID: HOT-105 | Session Classification: Intermediate.


Presentation Transcript


  1. Are Clouds Secure? Security and Privacy Implications of Cloud Computing
     Subra Kumaraswamy, Sun; Tim Mather, RSA
     04/21/09 | Session ID: HOT-105 | Session Classification: Intermediate

  2. What We’re Not Going to Discuss
     • Existing aspects of information security which are not impacted by ‘cloud computing’
     • There are plenty of existing sources of useful information about information security, and we will not attempt to recreate those sources, nor rehash unchanged practices

  3. What Not a Cloud?

  4. What We Are Going to Discuss
     Where Risk Has Changed:
     • Information Security – Data
     • Information Security – Infrastructure (network-, host-, application-level)
     • Security Management Services (security management, security monitoring, identity services)
     • Other Important Considerations (audit & compliance, privacy)
     • Security-as-a-[Cloud] Service (SaaS)

  5. The Cloud: Types

  6. The Cloud: Pyramid of Flexibility (SaaS) (PaaS) (IaaS)

  7. Flavors of Cloud Computing

  8. The Cloud: How are people using it?

  9. Components of Information Security
     • Security Management Services
       • Identity services – provisioning, AAA, federation, delegation
       • Security monitoring – network, host, application
       • Management – patching, hygiene, VA, ACL management
     • Information Security – Data
       • Encryption, data masking, content protection
     • Information Security – Infrastructure
       • Application-level
       • Host-level
       • Network-level

  10. Information Security – Infrastructure

  11. Infrastructure – Network-level
      • Shared Infrastructure
        • VLAN – private and public (tagged)
        • DHCP server, firewall, load balancer
      • Limitations
        • No zones – domains instead
        • Traditional port/protocol filtering irrelevant
        • Point-to-point encryption (in transit) is doable
        • Extranet security jeopardized – unless ‘you’ control cloud (IP) addressing (questionable)
        • Security monitoring – no transparency

  12. Infrastructure – Network-level
      • Threats
        • Lack of widespread adoption of secure BGP
        • Secure BGP (S-BGP), Secure Origin BGP (soBGP), and Pretty Good BGP (pgBGP)
        • Traffic redirection for eavesdropping
        • DNS: domain hijacking
        • Lack of widespread adoption of Secure DNS
        • Only country-wide adoption: Sweden
        • DoS / DDoS
      • Mitigations
        • Virtual private cloud – VPN-based solution with strong authentication
        • SSL with client-side certs

  13. Infrastructure – Host-level
      • Shared infrastructure
        • Hardware – CPU, memory, disks, network
        • Software – virtualization layer (e.g., Xen)
        • Web Console – provisioning, image management
      • Limitations
        • Ephemeral IP address assignment
        • Patch, configuration management of large number of dynamic nodes
        • SLAs are mostly standard – click-through user agreement
        • Host-based IDS is customer responsibility
        • Access management – OS and vendor specific

  14. Infrastructure – Host-level
      • Threats
        • Image configuration drift and vulnerabilities
        • Targeted DoS attack
        • Potential breakout of VMs; examples: SubVirt, Blue Pill, HyperVM
        • Attack on standard OS services
      • Mitigations
        • Reduce attack surface – Secure-by-default, harden image, turn off OS services, use software firewall, enable logging
        • Institute process – Access provisioning, patch, config. mgmt.
        • Extend existing IT security standards, practice & processes
        • Host-based IDS – Tripwire, OSSEC

  15. Infrastructure – Application-level
      • Shared Infrastructure
        • Virtualized host, network, firewall (if hosted on IaaS or PaaS)
        • Virtualized stack (e.g., LAMP)
        • Database vs. Dataspace (e.g., SimpleDB, BigTable)
      • Limitations
        • SaaS – application security is a black box
        • SaaS/PaaS – no CVE participation
        • IaaS/PaaS – customer responsibility to secure applications
        • IaaS/PaaS – Limited capabilities for encryption, identity management
        • No option to install application firewall

  16. Infrastructure – Application-level
      • Threats
        • OWASP Top 10
        • Mashup security
        • Denial of service by corporate IPS/Firewalls
        • Developers sidestepping controls
      • Mitigations
        • Traditional application security testing and monitoring
        • Review provider SDLC and security assurance process
        • If possible, encrypt data stored in DB
        • Manage and protect application “secret keys”
        • User awareness – phishing attacks on users

  17. Information Security – Data

  18. Data Security
      • Confidentiality, Availability
      • Multi-tenancy
      • Data-at-rest possibly not encrypted
      • Data being processed definitely not encrypted
      • Data lineage (mapping data flows)
      • Data provenance
      • Data remanence

  19. Security Management Services

  20. Security Management – Customer Responsibilities

  21. Security Monitoring – Customer view

  22. Identity Services
      • Generally, strong authentication is available only through delegation
      • Federated identity generally not available
      • Support for SAML v2, WS* and XACML is sporadic
      • OpenID is not enterprise-ready
      • OpenID ≠ OATH ≠ OAuth ≠ OpenAuth ≠ OpenSSO
      • All five are “open” and deal with authentication, but….
      • Delegated authorization generally not available
      • Generally weak credential management – of weak credentials

  23. Other Important Considerations

  24. Audit & Compliance
      • No audit standards specific to the ‘cloud’
      • Not operational, procurement (e.g., FAR), or security
      • SAS-70 Type 2 is an audit format – not specific audit criteria
      • Most cloud providers don’t even have a SAS-70
      • Compliance: so-called Patriot Act Problem
      • Location, location, location
      • Issue is assurance of compliance (e.g., data lineage – let alone data provenance)

  25. Privacy
      • Loss of Fourth Amendment protection
      • Legal order served on provider – not ‘you’
      • Some data can be accessed merely by NSLs
      • Magistrate judge court orders under §215
      • Probably no encryption of data-at-rest
      • No indexing or sorting of encrypted data
      • Definitely no encryption while data processed
      • Promise of 2-DNF (homomorphic encryption), Predicate Encryption (asymmetric encryption)
      • Data remanence: limited attempt to address
      • NIST Special Publication 800-88, Guidelines for Media Sanitization

  26. Security-as-a-[Cloud] Service

  27. Security Through the Cloud
      • Proliferation of endpoints
      • Different OSs, form factors – but all with access to organizational data
      • Scalability & manageability of existing solutions stretched too far
      • USENIX paper in July 2008 in San Jose
      • “CloudAV: N-Version Antivirus in the Network Cloud”
      • Network-centric: e-mail, vulnerability assessment
      • Former host resident: anti-malware, content filtering

  28. Conclusions
      • Part of ‘your’ infrastructure security moves beyond your control – Get Ready!
      • Provider’s infrastructure security may (enterprise) or may not (SMB) be less robust than ‘your’ expectations
      • Data security becomes significantly more important
      • Weak access control, credential mgmt. – unless delegated back to ‘you’

  29. Conclusions
      • No established standards for redaction, obfuscation, or truncation
      • No cloud-specific audit requirements or guidance
      • “Extending” SAS-70 Type 2 to cloud providers
      • No cloud-specific regulatory requirements – yet
      • Some foreign prohibitions on using U.S. cloud providers

  30. Questions?

  31. Speakers
      • Subra Kumaraswamy, Senior Security Manager, Sun Microsystems, subrak@sun.com
      • Tim Mather, Chief Security Strategist, RSA, The Security Division of EMC, tim.mather@rsa.com
