encrypt. protect. trust. - NIAS 2019
Dr. Kai Martius
Chief Technology Officer – secunet
October 15th 2019
NIAS Workshop
How to achieve conscious competence in controlling & protecting your data
in a cloud infrastructure - A CTO’s view
15.10.2019 NIAS 2019 – secunet Workshop, Page 2
Cloud Infrastructure – Areas of impact
Opportunities
o Economic efficiency
o Sustainability
o Efficiency of resources
o Operating models
o Self Service
o Scalability
Risks
o Confidence and security
o Verifiability
o Dependency
o Data sovereignty
o Selection of applications
o Selection of suppliers / in-house operation
o Data security
Motivation Example
Energy consumption in data centers
Source: Nature 561, 163-166 (2018)
[Figure: projected data-center energy demand; drivers labelled in the chart: Big Data, Internet of Things, Machine Learning, Cryptocurrency, Deep Learning, Smart Cities, Blockchain, Digital Energy, Virtual Reality, 5G]
Potential approach
Providing a secure, sustainable and energy-efficient cloud solution
To ensure:
Consistent encryption of data
End-to-end security
Cryptographic client separation
Potential solution
An OpenStack-based "Cloud Operating System"
Secure cloud solution - Layers of Improvement
(Pillars: Strong Access Control, Data Sovereignty, Defense-in-Depth)
Secured Access to Infrastructure
Isolation / Protection of Tenant-Networks
Control over Crypto Keys by Tenants
Encryption of User Data In Block Storage
Encryption and Signature of Images
Hardening and Protection of Infrastructure
Hardening and Protection of Infrastructure
Risks
Weaknesses in OpenStack services
Misconfiguration
External attacks against the host (Linux) and the OpenStack platform (REST services, databases, RPC services)
VM breakout leading to an "internal" attack on the host and the OpenStack platform
Countermeasure 1: Encryption / Authentication / Policy Enforcement between OpenStack services
TLS-based authentication and encryption of REST-based services
Group-key based encryption of RPC-based services
Definition (and enforcement) of communication policies based on use cases: each service may only talk to the peers a use case requires
Countermeasure 2: classical hardening of the Linux platforms
iptables, minimization of installed packages and services
Sandboxing of OpenStack Services
VM hardening
Isolation of Tenant Networks
Risks
Eavesdropping on user data on the network
Misconfiguration (mixing up different tenants' data flows)
Attacking user workloads (VMs)
Countermeasure: Encryption / Authentication of tenants' network traffic
MACsec-based Layer 2 encryption of tenant networks throughout the cloud infrastructure
Group-key management layer based on secunet's SOLID technology
Integration into the OpenStack Neutron machinery to set up keys on virtual MACsec network interfaces
Encryption of User data in Block Storage
Risks
Manipulation of user workload in guest VMs at the storage nodes
Eavesdropping on data blocks on the network while accessing storage nodes / the Cinder service
Countermeasure: (Re)encryption of images before they are copied into volumes
Block-based file / storage encryption with tenant-provided keys
Integration of a tenant "intervention" to provide the image / volume key during creation of volumes
Encryption and Signature of Images
Risks
Manipulation of user workload in guest VMs at a central place (Glance) even before VMs are created
Eavesdropping on data blocks on the network while accessing storage nodes / the Glance service
Countermeasure: Encryption / Signature of images before upload
Block-based file / storage encryption and signature on tenant premises (hybrid encryption: the image is encrypted under a data key, which in turn is wrapped with the tenant's key)
At that point, the key can stay on tenant premises
Encrypted image upload into Glance
At the time images are accessed and ported into volumes, the user / owner has to present the key
Control over Crypto Keys by Tenants
Risks
Even if data is encrypted, unauthorized access to the keys makes the encryption useless
Keys in a central store (Barbican) or even in HSMs inside the cloud are more exposed than keys staying on the user's premises
Countermeasure: Keys in User Hand
Hierarchical key management: a master key that never leaves the tenant derives the per-project and per-volume keys handed to the cloud
Involving the user explicitly in the access process to encrypted data
"Call-back" / SmartCard-based two-factor key protection possible by design
Integration into OpenStack processes (VM creation, different storage types, Image / Volume / Ephemeral Storage, ...)
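An added example of the "keys in user hand" scheme above, written for this page and not taken from secunet or OpenStack (the class names `TenantKeyService`, `UserSecondFactor` and `KeyRequest` are this example's own). A tenant-side service holds the master key and derives project and volume keys from it one-way, so the cloud side only ever receives the leaf key of a single volume; release happens only for a (project, volume, host) triple the tenant has authorised, only once per request nonce, and only when the user's second factor confirms the request (the "call-back"). The second factor is modelled as an HMAC held on the user's token; a real smartcard would sign the challenge with a key that cannot be extracted.

```python
"""Hierarchical key management with the master key on tenant premises (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def derive(parent: bytes, label: str) -> bytes:
    """One-way derivation step: a child key cannot be turned back into its parent."""
    return hmac.new(parent, label.encode("utf-8"), hashlib.sha256).digest()


@dataclass(frozen=True)
class KeyRequest:
    """What a Cinder/Nova node sends when it needs a volume key."""
    project: str
    volume: str
    host: str     # the compute/storage node asking for the key
    nonce: str    # unique per request, used to reject replays


def request_message(req: KeyRequest) -> bytes:
    return f"{req.project}|{req.volume}|{req.host}|{req.nonce}".encode("utf-8")


class UserSecondFactor:
    """Stand-in for the user's smartcard: confirms one specific request."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def confirm(self, req: KeyRequest) -> bytes:
        return hmac.new(self._secret, request_message(req), hashlib.sha256).digest()


class TenantKeyService:
    """Runs on the tenant's premises; the master key is never exported."""
    def __init__(self, master_key: bytes, user_factor_secret: bytes):
        self._master = master_key
        self._user_factor = user_factor_secret
        self._allowed = set()   # (project, volume, host) triples the tenant authorised
        self._seen_nonces = set()

    def authorise(self, project: str, volume: str, host: str) -> None:
        self._allowed.add((project, volume, host))

    def revoke(self, project: str, volume: str, host: str) -> None:
        self._allowed.discard((project, volume, host))

    def release_volume_key(self, req: KeyRequest, user_response: bytes) -> Optional[bytes]:
        """Return the leaf key for one volume, or None if any check fails."""
        if (req.project, req.volume, req.host) not in self._allowed:
            return None   # policy: this host may not see this volume's key
        if req.nonce in self._seen_nonces:
            return None   # replayed request
        expected = hmac.new(self._user_factor, request_message(req), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, user_response):
            return None   # the user did not confirm this exact request
        self._seen_nonces.add(req.nonce)
        project_key = derive(self._master, "project:" + req.project)
        return derive(project_key, "volume:" + req.volume)   # only the leaf leaves the premises


if __name__ == "__main__":
    master, factor = b"\x01" * 32, b"\x02" * 32   # constructed secrets for the demo
    tenant = TenantKeyService(master, factor)
    card = UserSecondFactor(factor)
    tenant.authorise("proj-a", "vol-1", "node-7")
    req = KeyRequest("proj-a", "vol-1", "node-7", "nonce-0001")
    key = tenant.release_volume_key(req, card.confirm(req))
    print("released:", key is not None)
    print("replay accepted:", tenant.release_volume_key(req, card.confirm(req)) is not None)
```

Because every key below the master is derived rather than stored, the tenant can rotate a project by changing its derivation label (for example appending a key version to `"project:" + req.project`), which invalidates all volume keys beneath it without touching the cloud-side key store.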
Secured Access to Cloud Infrastructure
Risks
Eavesdropping / Manipulation of data on the network, both over the Internet and inside the cloud infrastructure
Unauthorized access to user VMs
Risks on the client side due to weak network protection of the client host platform
Countermeasure:
Strong Layer 3 VPN encryption of data
Client-side: IPsec VPN / SINA Workstation as a secure endpoint to protect local data and the access into the cloud infrastructure
Cloud-side: Virtual SINA Box appliance connecting the cloud network infrastructure / Internet access to the tenant's virtual network (which itself is protected by MACsec encryption)
Integration of the SINA Box into the OpenStack Secure Router concept
The desired outcome
Providing a secure, sustainable and energy-efficient cloud solution
[Diagram: lifecycle phases Planning, Building, Operating; cross-cutting services PKI, Key Management, Certification, Secure Clients, Secure networks; stack from top to bottom: applications, virtual infrastructure, platform, virtualization (compute, storage, network), physical infrastructure]