Explore the impact, reasons, and aftermath of the Amazon Cloud attack on Bitbucket, emphasizing the importance of security, risk management, and the shared responsibility between providers and customers in cloud computing. Learn lessons from the case study and cloud security challenges.
INF6953G: Advanced Cloud Computing Concepts. Cloud Security. Foutse Khomh, foutse.khomh@polymtl.ca, Office M-4123
Is Cloud Computing Secure? …the level of security depends on the effectiveness of risk management and security policies that are in place…
What Happened?
• Bitbucket was down for over 19 hours
• A DDoS took down the connection between Bitbucket and Amazon EC2
What was the impact?
Because of this attack:
• Bitbucket suffered over 19 hours of downtime
• Its customers could not access any of the source code hosted by Bitbucket
This attack showed the reality of security risk in the cloud, even though DDoS attacks are not specific to cloud computing.
Why did the attack succeed?
• The initial complaint from Bitbucket was dismissed as temporary.
• Amazon's technical support denied that anything was wrong with their system and asked Bitbucket to look at its own systems.
• Only 8 hours after the problem was reported did Amazon acknowledge that the problem was on its own system.
• Because of this initial dismissal, it took Amazon some time to figure out the attack pattern.
Coordination is important on security issues, and security responsibility should be shared between the provider and the customer.
Why did the attack succeed?
• Amazon also did not have measures in place to detect a large number of UDP packets targeted at the same IP address.
• Having such a measure could have prevented this attack from happening.
• While it is largely clear how the attack succeeded, it is still not clear how the internal EC2 and EBS traffic was exposed to external Internet traffic, since it travels on the internal network between Amazon and its customers.
• It was rumored that one of Amazon's own customers might have launched this attack.
What happened in the aftermath?
• Bitbucket considered switching service and received offers from various providers.
• Jesper Nøhr (founder of Bitbucket) speculated that their storage sits on the same network interface that connects the site with the outside world. He also said that Amazon urged him not to reveal the attack because it might help attackers develop new ways of DDoSing the site.
• Later on, Amazon issued the following statement.
Amazon's statement
"… one of our customers reported a problem with their Amazon Elastic Block Store (EBS). This issue was limited to this customer's single Amazon EBS volume … While the customer perceived this issue to be slowness of their EBS volume … but rather that the customer's Amazon EC2 instance was receiving a very large amount of network traffic … we worked with the customer … to help mitigate the unwanted traffic they were receiving … apply network filtering techniques which have kept their site functioning properly … continue to improve the speed with which we diagnose issues like this … use features like Elastic Load Balancing and Auto-Scaling to architect their services to better handle this sort of issue …"
Some lessons from the case study
• Amazon didn't trust Bitbucket's information, which caused them to lose 11 hours because of a poor diagnosis.
• Amazon didn't have the proper security tools in place.
Later on:
• They enforced transparency on network traffic information
• They implemented better data filters and detection systems
• Elastic Load Balancing
• Auto-Scaling
• Distribute instances in multiple availability zones and regions
• Relying on a single cloud provider is risky; spreading resources between multiple providers can prevent a complete system failure.
Despite Plausible Security Risks Cloud is Still Attractive CIO Agenda Insight, Gartner, 2015
The Promise of Cost Reduction is Appealing… KPMG International's 2012 Global Cloud Provider Survey (n=179). But some fears persist…
Customers’ biggest concerns KPMG International’s 2012 Global Cloud Provider Survey (n=179)
Cloud security challenges
• What's not new?
  • Phishing, passwords, malware, downtime etc.
• What's new? Understand:
  • Change in trust boundaries
  • Impact of using
    • Public vs. private cloud
    • IaaS vs. PaaS vs. SaaS
  • Division of responsibilities between customer and Cloud Service Provider (CSP)
Main Cloud Computing Models
Stack diagram with four columns (Traditional development, Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS)), each showing the same layers from top to bottom: Data, Applications, Virtual Machine, Server, Storage, Network.
Control, liability and accountability
The same stack diagram (Traditional development, IaaS, PaaS, SaaS; layers Data, Applications, Virtual Machine, Server, Storage, Network), with each layer shaded as "Provider has control" or "Organization has control": control, and with it liability and accountability, moves from the organization to the provider as one goes from traditional development toward SaaS.
Security management
• Availability
• Access control
• Monitoring
• Vulnerability, patching, configuration
• Incident response
Availability
• Why is this important?
  • "Amazon Web Services suffers outage, takes down Vine, Instagram, Bitbucket, others," Aug 26, 2013*
• E.g. AWS features
  • Distributed denial of service (DDoS) protection
  • Fault-tolerant, independent failure zones
*http://www.zdnet.com/amazon-web-services-suffers-outage-takes-down-vine-instagram-flipboard-with-it-7000019842/
Access control
• Who should have access?
  • To VMs, apps, services etc.
  • Users, admins, business admins, others?
• E.g. AWS features
  • Built-in firewalls control access to instances
  • Multi-factor authentication: password + authentication code from an MFA device
  • Monitor AWS employee accesses
Monitoring
• Monitor
  • Availability, unauthorized activities etc.
• E.g. AWS features
  • DoS, MITM, port scan, packet sniffing
  • Password brute-force detection
  • Access logs (request type, resource, IP, time etc.)
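Two points in these slides call for the same kind of detection logic: the Bitbucket case (nobody was watching for a large number of UDP packets aimed at one IP address) and the brute-force detection listed here under monitoring. Both reduce to "count events per key inside a sliding time window and alert above a threshold". The Go program below is an added example, not code from the course or from AWS: it implements that sliding-window counter once and runs it over two constructed inputs, flow-log lines in the field order of a VPC flow log (keyed by destination address, counting UDP packets) and a made-up authentication log (keyed by source address, counting failures). Thresholds, addresses and log formats are assumptions for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Event is one counted occurrence: when it happened, which key it belongs to
// (destination address for a flow record, source address for a login) and how
// much it counts for (packets for a flow record, 1 for a login attempt).
type Event struct {
	TS    int64
	Key   string
	Count int64
}

// keysOverThreshold returns, sorted, every key whose counts sum to more than
// threshold inside some sliding window of `window` seconds. Events are sorted
// per key and swept with two pointers, so the pass is O(n log n).
func keysOverThreshold(events []Event, window, threshold int64) []string {
	byKey := map[string][]Event{}
	for _, e := range events {
		byKey[e.Key] = append(byKey[e.Key], e)
	}
	var hits []string
	for key, evs := range byKey {
		sort.Slice(evs, func(i, j int) bool { return evs[i].TS < evs[j].TS })
		var sum int64
		start := 0
		for end := range evs {
			sum += evs[end].Count
			for evs[end].TS-evs[start].TS >= window { // expire events outside the window
				sum -= evs[start].Count
				start++
			}
			if sum > threshold {
				hits = append(hits, key)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// Constructed sample in VPC-flow-log field order (version account interface
// src dst srcport dstport proto packets bytes start end action status).
const sampleFlowLog = `
2 111122223333 eni-0a 198.51.100.7 10.0.1.5 40001 53 17 60000 48000000 1400000000 1400000030 ACCEPT OK
2 111122223333 eni-0a 198.51.100.8 10.0.1.5 40002 53 17 55000 44000000 1400000010 1400000040 ACCEPT OK
2 111122223333 eni-0a 198.51.100.9 10.0.1.5 40003 53 17 70000 56000000 1400000020 1400000050 ACCEPT OK
2 111122223333 eni-0b 203.0.113.4 10.0.1.6 51515 443 6 900 600000 1400000000 1400000060 ACCEPT OK
2 111122223333 eni-0b 203.0.113.5 10.0.1.6 52000 123 17 40 4000 1400000005 1400000065 ACCEPT OK
`

// udpEventsFromFlowLog keeps only UDP records (protocol 17), keyed by
// destination address so a flood aimed at a single instance stands out.
func udpEventsFromFlowLog(log string) []Event {
	var out []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) < 14 || f[7] != "17" {
			continue
		}
		pkts, err1 := strconv.ParseInt(f[8], 10, 64)
		ts, err2 := strconv.ParseInt(f[10], 10, 64)
		if err1 != nil || err2 != nil {
			continue
		}
		out = append(out, Event{TS: ts, Key: f[4], Count: pkts})
	}
	return out
}

// Constructed sample authentication log: "<epoch> <source-ip> <user> <OK|FAIL>".
const sampleAuthLog = `
1400000000 192.0.2.10 alice OK
1400000005 192.0.2.50 admin FAIL
1400000006 192.0.2.50 admin FAIL
1400000007 192.0.2.50 root FAIL
1400000011 192.0.2.50 admin FAIL
1400000012 192.0.2.50 admin FAIL
1400000100 192.0.2.11 bob FAIL
1400000400 192.0.2.11 bob FAIL
`

// failedLoginEvents keeps only failed attempts, keyed by source address.
func failedLoginEvents(log string) []Event {
	var out []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || f[3] != "FAIL" {
			continue
		}
		ts, err := strconv.ParseInt(f[0], 10, 64)
		if err != nil {
			continue
		}
		out = append(out, Event{TS: ts, Key: f[1], Count: 1})
	}
	return out
}

func main() {
	// Thresholds are illustrative; a real deployment tunes them against baseline traffic.
	fmt.Println("UDP flood targets (>100000 pkts/60s):", keysOverThreshold(udpEventsFromFlowLog(sampleFlowLog), 60, 100000))
	fmt.Println("brute-force sources (>4 failures/60s):", keysOverThreshold(failedLoginEvents(sampleAuthLog), 60, 4))
}
```

In the sample, 10.0.1.5 receives 185,000 UDP packets from three sources inside a 20-second span and is reported, while 10.0.1.6 sees normal NTP and HTTPS traffic and is not; 192.0.2.50 produces five failures in seven seconds and is reported, while 192.0.2.11's two failures are 300 seconds apart and fall outside any 60-second window. The same counter serves both cases because only the event extraction differs.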
Vulnerability, patching, configuration
• E.g. AWS features
  • Patching
    • Automatic software patching for Amazon-supplied Windows images
  • Configuration
    • Password expiration for AWS employees
  • Vulnerability
    • Vulnerability scans on the host operating system, web applications and DBs in the AWS environment
Security Demands for Different Cloud Computing Models. Kai Hwang, Keynote address, International Conference on Parallel and Distributed Computing and Systems (PDCS 2010), Marina Del Rey, CA, Nov. 8, 2010
Security Features of Big Vendors Kai Hwang, Trusted Cloud Computing with Secure Resources and Data Coloring, IEEE Internet Computing, Sept. 2010
Customer/Provider responsibilities
• Cloud is a shared environment
"AWS manages the underlying infrastructure but you must secure anything you put on the infrastructure."
Customer/Provider responsibilities
• AWS requires customers to
  • Patch the VM guest operating system
  • Prevent port scans
  • Change keys periodically
  • Perform vulnerability testing of apps
  • Others…
Data issue: confidentiality
• Transit between cloud and intranet
  • E.g. use HTTPS
• Possible for simple storage
  • E.g. data in Amazon S3 encrypted with AES-256
• Difficult for data processed by the cloud
  • Overhead of searching, indexing etc.
  • E.g., iCloud does not encrypt data on the mail server*
  • If encrypted, data is decrypted before processing
  • Is it possible to perform computations on encrypted data?^
  • Homomorphic encryption is not yet operational: it's still very slow
*iCloud: iCloud security and privacy overview, retrieved Oct 30, 2013, https://support.apple.com/kb/HT4865
^See Fully Homomorphic Encryption Scheme, Wikipedia, http://en.wikipedia.org/wiki/Homomorphic_encryption
Encryption management
• Algorithms
  • Proprietary vs. standards
  • Key size
• Key management
  • Ideally it should be done by the customer
  • Does the cloud service provider have the decryption keys?
  • E.g. Apple uses a master key to decrypt iCloud data to screen "objectionable" content*
*Apple holds the master decryption key when it comes to iCloud security, privacy, Ars Technica, Apr 3, 2012
Comingled data issues
• Cloud uses multi-tenancy
  • Data comingled with other users' data
  • Amazon provides both bucket-level and object-level access controls to allow customers to maintain full control over who has access to their data.
• Application vulnerabilities may allow unauthorized access
  • E.g. Google Docs unauthorized sharing, Mar 2009
  • "identified and fixed a bug which may have caused you to share some of your documents without your knowledge."
Shared infrastructure issues
• Reputation-fate sharing
  • Blacklisting of shared IP addresses
    • E.g. Spamhaus blacklisted an AWS IP range sending spam [1]
  • An FBI takedown of data center servers may affect other companies co-hosted on the servers [2]
• Cross virtual-machine attacks
  • A malicious VM can attack other VMs hosted on the same physical server [3]
    • E.g. stealing SSH keys
[1] https://blog.commtouch.com/cafe/ip-reputation/spamhaus-unblocks-mail-from-amazon-ec2-%E2%80%93-sort-of/
[2] http://www.informationweek.com/security/management/are-you-ready-for-an-fbi-server-takedown/231000897
[3] Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds, Ristenpart et al., ACM CCS 09
Lineage, provenance, remanence
• Identifying lineage for audit is difficult
  • i.e. tracing data as it flows in the cloud
• Ensuring provenance is difficult
  • i.e. computational accuracy of data processed by the CSP
• Residual data may be accessible by other users
  • The CSP should securely erase data
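The confidentiality and encryption-management slides ask whether the provider holds the decryption keys and say key management should ideally stay with the customer; this slide adds that residual data on shared storage must be erased securely. One design that answers both is client-side envelope encryption with crypto-shredding: each object is encrypted under its own random data key, the data key is wrapped under a master key the customer never uploads, and "erasing" the object means destroying the wrapped key, after which leftover ciphertext on the provider's disks is useless. The Go program below is an added example written for this page, not code from the course or from any provider's SDK; the in-memory StoredObject stands in for what would be uploaded to a bucket, and the master key is generated locally as a stand-in for one held in a customer-controlled KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the provider keeps. Neither field is readable
// without the customer master key, which never leaves the customer.
type StoredObject struct {
	Ciphertext []byte // nonce || AES-256-GCM(dataKey, plaintext)
	WrappedKey []byte // nonce || AES-256-GCM(masterKey, dataKey)
}

// gcmSeal encrypts and authenticates msg under a 32-byte key with a fresh
// random nonce, returning nonce || ciphertext || tag.
func gcmSeal(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// gcmOpen reverses gcmSeal; it fails on a wrong key or on any tampering.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt generates a fresh 256-bit data key for this object, encrypts the
// plaintext with it, then wraps the data key under the customer master key.
// Only the ciphertext and the wrapped key are handed to the provider.
func Encrypt(masterKey, plaintext []byte) (StoredObject, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return StoredObject{}, err
	}
	ct, err := gcmSeal(dataKey, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := gcmSeal(masterKey, dataKey)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Decrypt unwraps the data key with the master key, then opens the object.
func Decrypt(masterKey []byte, obj StoredObject) ([]byte, error) {
	dataKey, err := gcmOpen(masterKey, obj.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dataKey, obj.Ciphertext)
}

// Shred is crypto-shredding: zeroing and discarding the wrapped data key makes
// the object unrecoverable even if its ciphertext lingers on provider disks.
func Shred(obj *StoredObject) {
	for i := range obj.WrappedKey {
		obj.WrappedKey[i] = 0
	}
	obj.WrappedKey = nil
}

func main() {
	masterKey := make([]byte, 32) // constructed stand-in for a customer-held KMS/HSM key
	if _, err := io.ReadFull(rand.Reader, masterKey); err != nil {
		panic(err)
	}
	obj, err := Encrypt(masterKey, []byte("customer record: account 4242"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(masterKey, obj)
	fmt.Printf("with master key: %q err=%v\n", pt, err)
	_, err = Decrypt(make([]byte, 32), obj) // what a provider-side party without the key gets
	fmt.Println("without master key:", err)
	Shred(&obj)
	_, err = Decrypt(masterKey, obj)
	fmt.Println("after shredding:", err)
}
```

Because GCM authenticates as well as encrypts, a wrong master key, a tampered ciphertext and a shredded key all fail in the same way, with an error rather than garbage output. The per-object data key also limits what a single leaked data key exposes, and lets the master key be rotated by re-wrapping data keys without re-encrypting the objects themselves.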
Access and authentication
• Protocol interoperability between CSPs
• Support for access from multiple devices and locations
  • E.g. SSO, augmented authentication etc.
• Finer-grained access control
  • E.g. support multiple roles such as user, admin, and business admin via RBAC
Privacy challenges
• Protect PII
• Ensure conformance to Federal Information Processing (FIPs) principles (USA)
• Compliance with laws and regulations
  • GLBA, HIPAA, PCI-DSS, Patriot Act etc.
• Multi-jurisdictional requirements
  • EU Directive, EU-US Safe Harbor
Laws and regulations
• Require compliance with different standards (e.g., FIPs)
• Laws in different countries provide different privacy protections
  • EU Directive more strict than US
  • In the US, data stored on a public cloud has less protection than on personal servers
    • May be subpoenaed without notice*
Mitigation Solutions: Service level agreements
• Increasing, to deal with loss of control
• SLA permits CMU IRB data on Box.com; can't use Dropbox
Chart: Do you [CSP] have SLAs in your cloud offerings today? Do you expect to have SLAs in cloud offerings within 3 years? KPMG International's 2012 Global Cloud Provider Survey (n=179)
Top SLA parameters
What do you [CSP] believe are the most important SLA parameters today?*
• System availability
• Regulatory compliance
• Data security
• Response time
• Other performance levels
• Functional capabilities
*KPMG International's 2012 Global Cloud Provider Survey (n=179)
Mitigation Solutions: CSPs are improving security
What steps are you [CSP] taking to improve data security and privacy in your cloud offerings? (top 3)*
• Tighter restrictions on user access
• Greater use of data encryption
• Improving real-time threat detection
*KPMG International's 2012 Global Cloud Provider Survey (n=179)
Distributed Defense against DDoS Attacks over Multiple Network Domains (Chen, Hwang, and Ku, IEEE Trans. on Parallel and Distributed Systems, Dec. 2007)
Amazon Virtual Private Cloud (VPC), http://aws.amazon.com/vpc/
VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud
Trusted Zones for VM Insulation
Diagram: several APP/OS stacks run on the cloud provider's physical infrastructure, split into tenant virtual infrastructures, with the protections grouped by zone:
• Cloud provider physical infrastructure
  • Insulate infrastructure from malware, Trojans and cybercriminals: anti-malware
  • Federate identities with public clouds: identity federation
  • Cybercrime intelligence, strong authentication
• Tenant #2 virtual infrastructure
  • Control and isolate VMs in the virtual infrastructure
  • Insulate information from other tenants: virtual network security, data loss prevention
• Tenant #1 virtual infrastructure
  • Insulate information from cloud providers' employees
  • Segregate and control user access: encryption & key mgmt, access mgmt, tokenization
• Across all zones: physical infrastructure security, security info. & event mgmt, GRC
Mitigation Solutions: Private and hybrid clouds
• Rise in hybrid and private cloud for sensitive data
• Private cloud cost can be prohibitive
• Hybrid cloud ranks 4 on Gartner top 10 strategic technology trends, 2014
Chart: Models companies use/intend to use* (larger companies prefer private). *KPMG's The Cloud: Changing the Business Ecosystem, 2011
Other approaches
• Move cloud to countries with better privacy protections
  • Many customers moving away from the US
  • US industry may lose $22 to $35 billion in the next three years due to NSA surveillance*
• Depend on third-party certifications
  • E.g. AWS has ISO 27001, PCI-DSS Level 1 etc.
• Learn about CSP security under NDA
*How Much Will PRISM Cost the U.S. Cloud Computing Industry? ITIF Report, Aug. 2013
Zoom in: Security for the SaaS stack, http://www.infosectoday.com/Articles/Securing_SaaS_Applications.htm
Zoom in: Security for the SaaS stack
The following key points should be considered carefully:
• SaaS deployment model
  • Is the app deployed on premise or in a public cloud?
• Data security
  • Carefully regulate access to data and consider encryption
• Network security
  • Use strong network traffic encryption techniques
• Regulatory compliance
  • Access, storage, and processing of sensitive data need to be carefully controlled and are governed under regulations such as ISO 27001, the Sarbanes-Oxley Act [SOX], the Gramm-Leach-Bliley Act [GLBA], the Health Insurance Portability and Accountability Act [HIPAA] and industry standards like the Payment Card Industry Data Security Standard [PCI-DSS].