750 likes | 1.2k Views
Security Implications of Cloud Computing. Doc Shankar IBM Distinguished Engineer Federal CTO Office dshankar@us.ibm.com. Myths or Realities?. Cloud is not as secure as a traditional IT operation Security patching is better in a cloud Demonstrating compliance is harder in a cloud
E N D
Security Implications of Cloud Computing Doc Shankar IBM Distinguished Engineer Federal CTO Office dshankar@us.ibm.com
Myths or Realities? • Cloud is not as secure as a traditional IT operation • Security patching is better in a cloud • Demonstrating compliance is harder in a cloud • Data loss is less likely in a cloud • More control leads to better security • Cloud providers can handle insecure apps better • Cloud providers have a better view of threats • Cloud offers more availability than in-house IT • Cloud providers are more concerned with protecting themselves than the client
Security … It’s simple, really… SOX Physical Access MILS VPN IPSEC Laptop Encryption DAC HIPPA SAML SSL Identity Management Password Smart Card PCIDSS MLS SaaS FIPS 140-2 Biometrics Token XML Gateways Cross Domain Systems Trusted Computing PKI H/W Crypto Thin Clients Kerberos Accreditation Digital Certificate LSPP/EAL4+ MAC Guards SABI/TSABI Trusted OS Hardening Wireless Secure Blades Secure Collaboration Tripwire Cyber Security RSBAC Cloud FISMA Federation TCP Wrapper SOA Security Compliance * Not a complete collection
Trustworthy Computing Trusted Computing Trusted OS Trusted Guards Trust Information Security Information Assurance Privilege Portal Sandbox Governance End-to-end security PKI XML SOAP WSDL UDDI SAML XACML TTP PDP PEP WS – * Key terms and acronyms* * Not a complete list
Part I - Cloud Computing (CC) Overview A Simple Definition A Complete Definition Is CC new? Part II - Cloud Computing Value What is the business value of CC? CC Obstacles/Opportunities CC vs SOA CC vs Outsourcing CC vs SaaS Part III - Cloud Computing Security Customer Security Concerns How do we get attacked? Have the security fundamentals changed? What are the security issues in CC? Part IV – Towards building Secure Cloud Solutions Business/IT Drivers IBM Security Framework Typical Security Requirements IBM Security Blueprint Agenda
A Simple Definition of Cloud Cloud is really about moving complex computing workloads off premise and delivering them as a service. The hope is that, it more cost effective then traditional IT.
A Complete Definition of Cloud* • Cloud Computing is a (pay-per-use) model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction * NIST Definition – Still an evolving paradigm; e.g. pay-per-use deleted
Delivery Models • Software as a Service (SaaS) • Use provider’s applications • Access through thick/thin clients, Browser, etc. • E.g. email, google docs, Sales force, Desktop Apps. • Platform as a Service (PaaS) • Deploy client applications using programming languages, tools supported by provider • E.g. azure .Net server, SQL sever, google app engine, Amazon SimpleDB • Infrastructure as a Service (IaaS) • Rent processing, storage, networks and other fundamental computing resources • Deploy arbitrary software including operating systems • Client could select networking components (firewalls, load balancers) • E.g. Amazon EC2, S3, Azure storage services
Security Implications of the Delivery Models The lower down the stack the cloud provider stops, the more security you are tactically responsible for implementing and managing yourself
Deployment Models • Private Cloud • Owned or leased by a single organization • No public access • Public Cloud • Owned by an organization selling cloud services • Managed Cloud • Owned by a single organization • No public access • Community Cloud • Shared by several organizations • Supports a specific community that has shared concerns • Hybrid Cloud • Composition of 2 or more clouds • Enable data & application portability (e.g. cloud bursting) Is private cloud an oxymoron?
Is CC New? • Distributed Systems Evolution • Computer • Computer Utility (Phrase coined) • Computer Networking • LAN • Client/Server • Thin Clients • Internet • Web Applications • Grid Computing • Web Services • Cross Organizational Web Services • SaaS • Cloud Computing
Cloud Ready When the processes, applications and data are largely independent When the points of integration are well defined When a lower level of security will work just fine When the core internal enterprise architecture is healthy When web is the desired platform When cost is an issue When the applications are new Not so cloud ready When the processes, applications and data are largely coupled When the points of integration are not well defined When a high level of security is required When the core internal enterprise architecture needs work When the applications require a native interface When cost is not an issue When the applications are legacy Cloud Readiness
Part I - Cloud Computing (CC) Overview A Simple Definition A Complete Definition Is CC new? Part II - Cloud Computing Value What is the business value of CC? CC Obstacles/Opportunities CC vs SOA CC vs Outsourcing CC vs SaaS Part III - Cloud Computing Security Customer Security Concerns How do we get attacked? Have the security fundamentals changed? What are the security issues in CC? Part IV – Towards building Secure Cloud Solutions Business/IT Drivers IBM Security Framework Typical Security Requirements IBM Security Blueprint Agenda
Historical Analogy In 1907, 70 percent of the industrial electrical generation in the United States was in-house, but by the 1920s that same percentage was generated by utility companies. Initially you had to own your own plant, but later it became a disadvantage.
Business value of CC • Illusion of infinite computing resources available on demand • Pay for use of computing resources (e.g. processors by hour, storage by day) • Elimination of upfront commitment by cloud users (start small & grow) • Better uptime & availability (e.g. Google) • Consistent upgrades • Expedite launch of new IT projects • Speedy Innovation • Lower TOC • Collaborative & community computing • Wider visibility of internet traffic (e.g. DDoS)
CC Obstacles/Opportunities* • Adoption • Availability of Service • Data Lock-In • Data Confidentiality • Growth • Data Transfer Bottlenecks • Performance Unpredictability • Scalable Storage • Bugs in large distributed systems • Scaling Quickly • Business/Policy • Reputation Fate Sharing • Software Licensing * Above the Clouds: A Berkeley view of cloud computing – UC, Berkeley
CC vs SOA SOA is to cloud computing as HTML is to the internet
CC vs SaaS SaaS User Mashup Applications SaaS User/SaaS Provider Web Applications Cloud User/SaaS Provider Utility Computing Cloud Provider
Part I - Cloud Computing (CC) Overview A Simple Definition A Complete Definition Is CC new? Part II - Cloud Computing Value What is the business value of CC? CC Obstacles/Opportunities CC vs SOA CC vs Outsourcing CC vs SaaS Part III - Cloud Computing Security Customer Security Concerns How do we get attacked? Have the security fundamentals changed? What are the security issues in CC? Part IV – Towards building Secure Cloud Solutions Business/IT Drivers IBM Security Framework Typical Security Requirements IBM Security Blueprint Agenda
Cloud Security 101: Simple Example TODAY TOMORROW ? ? ? ? ? We Have Control It’s located at X. It’s stored in server’s Y, Z. We have backups in place. Our admins control access. Our uptime is sufficient. The auditors are happy. Our security team is engaged. ? Who Has Control? Where is it located? Where is it stored? Who backs it up? Who has access? How resilient is it? How do auditors observe? How does our securityteam engage? Lesson Learned: We have responded to these questions before… clouds demand fast, responsive, agile answers. 22
High-level cloud security concerns Less Control Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease. Data Security Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important. Reliability High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees. Compliance Complying with SOX, HIPPAand other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential. Security Management Providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud. 23
CC Security Customer Concerns • “I am nervous about someone else controlling my data” • “My data is on the same disks as data from other users. If another customer’s data is raided by FBI, could mine go with it?” • “I am not willing to say that the copy of the data in the cloud is the only copy I’ve got” • “I am fearful of vendor lock-in” • “I am still responsible for demonstrating compliance” • “I don’t know where my data is stored – in which country?” • “I don’t understand how my data is kept separate from others” • “I don’t see how I recover my data in case of a disaster” • “I want to investigate any illegal activity over my data” • “I want to ensure my data is available when I need it” Some say, Cloud security fears are overblown!
Cloud Security Breach Examples • Google Doc allowed shared permission without user knowledge • http://www.google.com/support/forum/p/Google+Docs/thread?tid=2ef115be2ce4fd0e&hl=en • Salesforce.com phishing attack led to leak of a customer list; subsequent attacks • http://voices.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html • Vasrev.com Webhost hack wipes out data for 100,000 sites • http://www.theregister.co.uk/2009/06/08/webhost_attack/ • Twitter company files leaked in Cloud Computing security failure • http://www.infosecurity-us.com/view/2554/twitter-company-files-leaked-in-cloud-computing-security-failure/ • DDoS attack that downed Twitter also hit Facebook • http://www.computerworld.com/s/article/9136340/DDoS_attack_that_downed_Twitter_also_hit_Facebook?source=CTWNLE_nlt_security_2009-08-07
Unsafe Programs Misconfigured Programs Buggy Programs Buffer Overflows Parsing Errors Formatting Errors Bad input to cgi bin Malicious Programs Trojans Virus Worms Rootkits Botnets Identity Theft Applications Cross site scripting Injection flaws Malicious file execution Eavesdropping Spamming IP Spoofing Phishing Pharming DoS/DDoS People Social Engineering Weak passwords Sloppy Admins. Attack Categories
Customer Pain Points • P - Privacy (Confidentiality) • A - Authorization (Authentication) • I - Integrity • N - Non-Repudiation The fundamentals of security haven’t changed for a long time. However, in the last few years due to viruses, worms, intrusions & DDoS attacks, another one has been added called “Assured Information Access”.
Governance & Risk Management Compliance Vulnerability & Patch Management Physical/personal Security Operational security Availability Incident response Privacy Business Continuity Legal Issues Data Security Identity Management Single Sign On Applications Security Secure Multi-tenancy Logs & Audit Trails (Forensics) Cyber Security (DPI) Encryption & Key Management Virtualization Security Storage security Information Lifecycle Management Portability & interoperability US Federal Specific Issues Security Issues
Data Segregation Data Location DaR Protection DiM Protection Data Integrity Data Erasure at EoS Data Encryption (Policy/Keys) Data Compliance Data Loss Prevention Contractual Obligations/SLAs Authentication Access Control Auditing Support Data Security Issues
Data Security in the Cloud • Data will be • Stored in multi-tenant environments • Spanning multiple layers in the cloud stack • Accessed by various parties of different trust levels • users, tenants, privileged cloud admins • Located in various geographies • Enforced by various contractual obligations/SLAs • Governed by various regulations and industry best practices • Secured by multiple technologies and services A Shared, multi-tenant infrastructure increases potential for unauthorized exposure
Identity Management • Identity issues in a data center • Single employee has multiple user accounts • Provisioning & de-provisioning of accounts • Terminated employees have system access • SSO, RSO solutions • Federated identity management capability • Inappropriate privileges
Identity Management (Contd.) • Identity issues in a cloud data center • Same issues as above • Segregation of identities across multiple tenants • User account management (Ask cloud provider about life cycle) • Multi factor authentication • Cloud provider must leverage your federated identity management infrastructure • Insist support of standards Open ID, SAML, WS-Federation, Liberty ID-FF • With IaaS & PaaS, client will have to build this integration • Validate Cloud provider supports authentication meeting or exceeding your polices • Investigate delegation of authentication to your Identity provider • Investigate integration of your IdM solution with Cloud provider • Integration with Client AD or LDAP • Consider implementing SSO for internal applications and leveraging this for cloud applications • Investigate “identity as a service” with a separate Cloud provider The key to managing identities by cloud provider is to have robust federated Identity management architecture and strategy internal to the organization
Application Security • Is it appropriate to migrate or design an application in the cloud? • What type of cloud platform is most appropriate? • What security controls must the application provide over and above the cloud platform? • How would an enterprise’s software development life cycle change to accommodate cloud computing? All answers must be continually re-evaluated as the application is maintained and enhanced over time.
Application Security • Cloud platform implications on application • Multi-tenancy • Lack of direct control over environment • Access to data by Cloud Provider • Migrate or develop decision application by Cloud Provider • What type of cloud platform • Acceptance criteria for outsourced and packaged application code • Scanning methodology & tools • Best practices available to harden machines should be applied to virtual machines • Application security measures • Application level firewalls & proxies • OWASP development guideline Security professionals must stay abreast of the latest tools and techniques hackers develop specifically to attack cloud providers
Secure Multi-tenancy • Tenants are segregated from all other tenants in all ways • Tenants are neither aware of others nor affect in any way • Multi-tenancy point • Hardware, hypervisor, OS, Application platform, Application • Differing isolation qualities • MT above the OS layer requires code changes to MW/applications • Customer must be able to set policies • Provider must provably enforce the customer policies • All operations are fully logged for audit and accountability • System administrators have no access to customer data unless granted • Customers’ system administrators have no access to their customer data unless granted
Logs & Audit Trails (Forensics) • CPs must make available as required by customer or law firm (Electronic Discovery) • Is multi-tenancy logging used? • May need to have dedicated storage of logs and audit trails • Investigation support provided • Forensics support • Are logs tamper proof? • How long are the logs and audit trails kept? How does the client do forensics in the event of a cloud attack?
Cyber Security (DPI) DPI Traditional Network Devices Switch Router MAC Header MAC Header MAC Header MAC Header IP Header IP Header IP Header IP Header TCP/UDP TCP/UDP TCP/UDP TCP/UDP Payload Payload Payload Payload Firewall Servers Access to all packet data, including Layer 7 applications such as VoIP, P2P, HTTP, SMTP MAC Header IP Header TCP/UDP Payload • DPI refers to the ability to inspect all packet contents • Other packet processing models allow partial access (shown below) • Full Layer 2-7 Inspection • No inherent MAC or IP address: invisible on the network • Real-time analysis with full packet & flow manipulation • Create/remove packets • High speed analysis (10 Gbits/sec)
Encryption and Key Management • Traditional security is based on container-based protection • In cloud consumer doesn't know where data is stored • Cloud divorces data from location • Strong encryption & secure key management is needed • Sensitive & PII data must be encrypted; preferably all data is • Who holds the keys? • Create a chain of separation for keys & data • How many keys? One? One/customer? Or Multiple keys/customer • Is the key management scalable? • Encrypt data in motion & data at rest • Data integrity requirements • Ensure encryption is adhering to industry & Government standards Safe harbor provisions in some laws and regulations consider lost encrypted data as not lost at all.
Virtualization Security • Virtualization is a key enabler for cloud computing • Simplicity of creating and moving machine instances • creates a risk that insecure images can be created • Assure each VM is secure by default (STIG, CIS, PCI DSS etc.) • Assure security in VM migration • Virtualization introduces new attack surfaces with the hypervisor & other management components • Admin access should include strong authentication • Creating, configuring and cloning VMs • Virtualization obscures data location – a key regulatory concern • Secure sharing across partitions • Trusted Virtual Domains – Grouping VMs across machines Virtualization is a key enablement technology for cloud computing. However, There Is a concern of VMs moving freely from one physical box to another
Storage Security • Basic tenets of data security still hold – CIA • Typically provided as IaaS • Object Reuse requirement • Storage retirement process • Data destroyed – hard to prove • Strong encryption renders data unreadable when storage is recycled • Storage provisioning for multiple customers (multi-tenancy) • Can storage be seized by a 3rd party or Government? • How is encryption done in multi-tenant storage? • How long are the keys maintained? • Support for long term archiving • Management of off-line & portable storage How do you know your storage provider plans your data is still reliable And available when your business needs it?
Information Lifecycle Management • Information must be managed throughout the life of the data (creation to destruction) • Data classification should be put in place • Data confidentiality • Data integrity • Provider access needs to be defined and enforced • Data retention • Data destruction (harder to prove by CP) • Cross-jurisdictional issues • Negotiate penalties for data breaches • RBAC required
Portability & Interoperability • What if there is a need to switch a CP due to • Cost increase at renewal time • Provider out of business • Degraded service quality • Ability to recover and port depends on type of service • SaaS • Migrate data to new application • Keep regular backups of data • Ensure competitors can help migrate • IaaS • Ensure applications are deployed on virtual image • Keep backups in cloud-independent format • PaaS • Ensure use of an application development architecture • If not, could involve significant rewrites • Keep backup cpoies • Geographic redundancy may be OK • Consider use of multiple providers for redundancy
US Federal Specific Issues • How will the cloud meet my information assurance requirements? • If multiple Govt. agencies need to share information, do they need to be in the same cloud? How do I build a community cloud? • How is sharing done across different security domains in the cloud? e.g. Multiple Independent Levels of Security (MILS), Multilevel Security (MLS), Cross domain,.. • Mission criticality is key in certain DoD operations. How is this guaranteed in the cloud? • What cyber security requirements should I impose on cloud providers? • In case of a cloud cyber attack, how is the attack contained? • How do I know/control the other tenants? • How would my end point encryption change, if I move to cloud? • How will I meet Certification and Accreditation (C&A) requirements in the cloud?
Governance & Enterprise Risk Management • Beware many CSPs accept no responsibility for data they store in their infrastructure • Be clear on who owns the data • Be clear on what risks are being transferred • SLAs include availability, service quality, resolution times, critical success factors, key performance indicators, etc. • CSPs should have regular 3rd party risk assessments (made available to customers) • Require listings of all 3rd party relationships • Understand financial viability of CSP • Understand CSPs key risk & performance indicators from a customer perspective • For mission critical situations & PII examine creating a private or hybrid cloud • What provider is needed? – IaaS, PaaS, SaaS
Compliance • Know your legal obligations • Compliance is NOT a provider responsibility! • Understand data locations (e.g. EU DPD has restrictions) • Data Copies and how they are controlled • Perform external risk assessment • Perform privacy impact assessment • Provider must make it easier to demonstrate compliance • Compliance Requirements • SAS 70 • ISO 27001 • FISMA • EU DPD • SOX • GLBA • HIPPA • PCI DSS • Basel II • California A.B.21
Vulnerability Management • Vulnerability management strategy/plan • Network scanning policy • Application scanning policy • Allow outside scanning? • Allow external vulnerability assessment? • Vulnerability remediation process
Physical/Personnel Security • Protection against internal attacks • Ensure internal people can’t exploit the information to their gain • Restricted & Monitored access 24x7 • Background checks for all relevant personnel • Audit privileged users? • Passed SAS 70 Audit? Audit result? • Security team on client side needed? • Coordination of Admins (Hybrid Cloud)
Operational Security • Look under the hood! • Understand how CP has implemented the key architectural characteristics • What IT products does the CP use? • Segregation of tenants • Who are the other clients of your CP? • Is your neighbor a high profile target? • How does resource democratization occur? • CP’s patch management policies • Logging practices
Availability • Availability #? • Multiple ISPs • DDoS protection mechanism • Is availability history data available? • Service upgrade plan • Patch management policy • Peak load/capacity