Are Clouds Secure? Security and Privacy Implications of Cloud Computing
Subra Kumaraswamy, Sun; Tim Mather, RSA
04/21/09 | Session ID: HOT-105 | Session Classification: Intermediate
What We’re Not Going to Discuss
• Existing aspects of information security which are not impacted by ‘cloud computing’
• There are plenty of existing sources of useful information about information security, and we will not attempt to recreate those sources, nor rehash unchanged practices
What's Not a Cloud?
What We Are Going to Discuss
Where Risk Has Changed:
• Information Security – Data
• Information Security – Infrastructure (network-, host-, application-level)
• Security Management Services (security management, security monitoring, identity services)
• Other Important Considerations (audit & compliance, privacy)
• Security-as-a-[Cloud]-Service (SaaS)
The Cloud: Types
The Cloud: Pyramid of Flexibility
[Figure: pyramid of service models, from least to most flexible: SaaS, PaaS, IaaS]
Flavors of Cloud Computing
The Cloud: How are people using it?
Components of Information Security
Information Security – Infrastructure
• Network-level
• Host-level
• Application-level
Information Security – Data
• Encryption, data masking, content protection
Security Management Services
• Management – patching, hygiene, VA, ACL management
• Security monitoring – network, host, application
• Identity services – provisioning, AAA, federation, delegation
Information Security – Infrastructure
Infrastructure – Network-level
• Shared Infrastructure
  • VLAN – private and public (tagged)
  • DHCP server, firewall, load balancer
• Limitations
  • No zones – domains instead
  • Traditional port/protocol filtering irrelevant
  • Point-to-point encryption (in transit) is doable
  • Extranet security jeopardized – unless ‘you’ control cloud (IP) addressing (questionable)
  • Security monitoring – no transparency
Infrastructure – Network-level
• Threats
  • Lack of widespread adoption of secure BGP
    • Secure BGP (S-BGP), Secure Origin BGP (soBGP), and Pretty Good BGP (pgBGP)
    • Traffic redirection for eavesdropping
  • DNS: domain hijacking
    • Lack of widespread adoption of Secure DNS
    • Only country-wide adoption: Sweden
  • DoS / DDoS
• Mitigations
  • Virtual private cloud – VPN-based solution with strong authentication
  • SSL with client-side certs
Infrastructure – Host-level
• Shared infrastructure
  • Hardware – CPU, memory, disks, network
  • Software – virtualization layer (e.g., Xen)
  • Web console – provisioning, image management
• Limitations
  • Ephemeral IP address assignment
  • Patch, configuration management of large number of dynamic nodes
  • SLAs are mostly standard – click-through user agreement
  • Host-based IDS is customer responsibility
  • Access management – OS and vendor specific
Infrastructure – Host-level
• Threats
  • Image configuration drift and vulnerabilities
  • Targeted DoS attack
  • Potential breakout of VMs; examples: Subvert, Blue Pill, HyperVM
  • Attack on standard OS services
• Mitigations
  • Reduce attack surface – secure-by-default, harden image, turn off OS services, use software firewall, enable logging
  • Institute process – access provisioning, patch, config. mgmt.
  • Extend existing IT security standards, practice & processes
  • Host-based IDS – Tripwire, OSSEC
Infrastructure – Application-level
• Shared Infrastructure
  • Virtualized host, network, firewall (if hosted on IaaS or PaaS)
  • Virtualized stack (e.g., LAMP)
  • Database vs. Dataspace (e.g., SimpleDB, BigTable)
• Limitations
  • SaaS – application security is a black box
  • SaaS/PaaS – no CVE participation
  • IaaS/PaaS – customer responsibility to secure applications
  • IaaS/PaaS – limited capabilities for encryption, identity management
  • No option to install application firewall
Infrastructure – Application-level
• Threats
  • OWASP Top 10
  • Mash-up security
  • Denial of service by corporate IPS/firewalls
  • Developers side-stepping controls
• Mitigations
  • Traditional application security testing and monitoring
  • Review provider SDLC and security assurance process
  • If possible, encrypt data stored in DB
  • Manage and protect application “secret keys”
  • User awareness – phishing attacks on users
Information Security – Data
Data Security
• Confidentiality, Availability
  • Multi-tenancy
  • Data-at-rest possibly not encrypted
  • Data being processed definitely not encrypted
• Data lineage (mapping data flows)
• Data provenance
• Data remanence
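The deck lists encryption, data masking and content protection as the data-level controls a customer keeps when the provider's data-at-rest encryption cannot be relied on in a multi-tenant store. The following is an added example, not code from the deck or from any provider: before a record leaves the enterprise boundary, each field is either tokenized with a keyed HMAC (so the provider can still group and look up values but cannot recover them), partially masked for display, or passed in the clear, and any field without a policy is refused. The field policy, tenant key and sample record are constructed for the illustration.

```python
"""Field-level protection for records headed to a multi-tenant cloud store.

Added illustration (not from the slide deck). Fields are tokenized, masked or
left clear according to a policy; fields with no policy are refused so nothing
leaks by default. Key, policy and records below are constructed examples.
"""
import hashlib
import hmac
import json

# Constructed per-tenant tokenization key. In practice this lives in the
# customer's own key management, never beside the data at the provider.
TENANT_KEY = b"constructed-tenant-key-not-for-real-use"

# Constructed policy: what happens to each field before export.
FIELD_POLICY = {
    "customer_id": "clear",
    "email": "tokenize",
    "ssn": "mask",
    "card_number": "mask",
}


def tokenize(value: str, key: bytes) -> str:
    """Deterministic keyed token: equal inputs give equal tokens (so the
    provider can join and group), but without the key a low-entropy value such
    as an e-mail address cannot be recovered by guessing, unlike a bare hash."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:32]


def mask(value: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` alphanumerics with '*', keeping
    separators so the masked value stays recognisable (e.g. ***-**-6789)."""
    kept = 0
    out = []
    for ch in reversed(value):          # walk from the end so the tail survives
        if ch.isalnum():
            out.append(ch if kept < keep_last else "*")
            kept += 1
        else:
            out.append(ch)
    return "".join(reversed(out))


def protect_record(record: dict, policy: dict, key: bytes) -> dict:
    """Apply the field policy to one record; unknown fields raise rather than
    being exported in the clear (deny by default)."""
    protected = {}
    for field, value in record.items():
        action = policy.get(field)
        if action is None:
            raise ValueError(f"no policy for field {field!r}; refusing to export it")
        if value is None or action == "clear":
            protected[field] = value
        elif action == "tokenize":
            protected[field] = tokenize(str(value), key)
        elif action == "mask":
            protected[field] = mask(str(value))
        else:
            raise ValueError(f"unknown action {action!r} for field {field!r}")
    return protected


if __name__ == "__main__":
    # Constructed sample record.
    sample = {
        "customer_id": "C-1001",
        "email": "alice@example.com",
        "ssn": "123-45-6789",
        "card_number": "4111 1111 1111 1111",
    }
    print(json.dumps(protect_record(sample, FIELD_POLICY, TENANT_KEY), indent=2))
```

Tokenization preserves joinability across records (the same e-mail always maps to the same token), which is the property that lets a provider-side query or index still work; masking is one-way and meant for display only. Both depend on the tenant key staying outside the provider's reach.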
Security Management Services
Security Management – Customer Responsibilities
(activities by service model: IaaS / PaaS / SaaS)

OS, DB, application hardening and patching
  • IaaS: Manage VM image hardening; manage patching of VM, app and DB using your established process
  • PaaS: Harden applications by integrating security into the SDLC; test for OWASP Top 10 vulnerabilities
  • SaaS: Not applicable
Change and configuration management
  • IaaS: Manage change and configuration management of host, DB, application using your established process
  • PaaS: Customer-deployed application only
  • SaaS: Not applicable
Vulnerability management
  • IaaS: Manage OS, application vulnerabilities leveraging your established vulnerability management process
  • PaaS: Customer-deployed application only
  • SaaS: Not applicable
Access control management
  • IaaS: Manage access control to VM, zone firewall using vendor consoles; install and manage host firewall policies
  • PaaS: Manage user provisioning; restrict access using authentication and IP-based restriction; delegate authentication if SAML supported
  • SaaS: Manage user provisioning; restrict access using authentication and IP-based restriction; delegate authentication if SAML supported
Security Monitoring – Customer View
(activities by service model: IaaS / PaaS / SaaS)

Network monitoring
  • IaaS: Not available
  • PaaS: Not available
  • SaaS: Not available
Host monitoring
  • IaaS: Install and manage HIDS such as OSSEC; monitor security events using logs stored in VM
  • PaaS: Not available
  • SaaS: Not available
Database monitoring
  • IaaS: Install DB security monitoring tool on the VM hosting DB
  • PaaS: Not available
  • SaaS: Not available
Application monitoring
  • IaaS: Monitor application security logs; monitor application vulnerabilities using your preferred tool
  • PaaS: Monitor application logs that may be available – no standard
  • SaaS: Not available
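The host-level slides make host-based IDS (Tripwire, OSSEC) and image configuration drift the customer's problem, and the monitoring table narrows IaaS host monitoring to "install and manage HIDS" plus "monitor security events using logs stored in the VM". The following is an added example, not OSSEC or Tripwire code and not from the deck, of the two checks such a customer-run HIDS performs: a file-integrity baseline compared against the current state to surface drift, and a detection rule run over authentication log lines kept on the VM. The file contents, log lines, paths and thresholds are constructed for the illustration.

```python
"""Two checks a customer-run host IDS performs on an IaaS VM.

Added illustration (not from the slide deck, not OSSEC/Tripwire code):
(1) file-integrity baseline vs. current state (configuration drift), and
(2) a brute-force detection rule over sshd log lines stored on the VM.
All inputs below are constructed; paths and thresholds are assumptions.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta


def baseline(files: dict) -> dict:
    """files: {path: bytes}. Returns {path: sha256 hex} as the trusted baseline,
    taken from the hardened image before it is launched."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_diff(base: dict, current_files: dict) -> dict:
    """Compare the running VM's files against the baseline and report drift."""
    current = baseline(current_files)
    return {
        "modified": sorted(p for p in base if p in current and current[p] != base[p]),
        "removed": sorted(p for p in base if p not in current),
        "added": sorted(p for p in current if p not in base),
    }


# Constructed sshd-style log lines (syslog timestamps carry no year).
AUTH_LOG = """\
Apr 21 10:00:01 vm1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Apr 21 10:00:03 vm1 sshd[2102]: Failed password for root from 203.0.113.7 port 51001 ssh2
Apr 21 10:00:04 vm1 sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Apr 21 10:00:06 vm1 sshd[2104]: Failed password for root from 203.0.113.7 port 51003 ssh2
Apr 21 10:00:07 vm1 sshd[2105]: Failed password for root from 203.0.113.7 port 51004 ssh2
Apr 21 10:00:09 vm1 sshd[2106]: Accepted publickey for deploy from 198.51.100.2 port 40000 ssh2
Apr 21 10:30:00 vm1 sshd[2107]: Failed password for root from 198.51.100.9 port 40500 ssh2
Apr 21 10:45:00 vm1 sshd[2108]: Failed password for root from 198.51.100.9 port 40501 ssh2
"""

# Only failed-password lines match; everything else is ignored by the rule.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def failed_logins(log_text: str, year: int = 2009):
    """Yield (timestamp, source_ip, user) for each failed-password line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def brute_force_sources(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Source IPs with at least `threshold` failures inside any sliding window
    of `window_seconds`. Returns {ip: largest failure count seen in a window}."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for ts, ip, _user in failed_logins(log_text):
        per_ip[ip].append(ts)
    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    # Constructed baseline vs. current state of two config files.
    golden = baseline({"/etc/ssh/sshd_config": b"PermitRootLogin no\n"})
    now = {"/etc/ssh/sshd_config": b"PermitRootLogin yes\n", "/etc/cron.d/job": b"* * * * * root /tmp/x\n"}
    print("drift:", integrity_diff(golden, now))
    print("brute-force sources:", brute_force_sources(AUTH_LOG))
```

Both checks run entirely on the VM with data the customer already has, which is the point of the monitoring table: at the IaaS layer the host is the only place the customer can see, so the baseline must be captured from the hardened image before launch and the log rule must tolerate the ephemeral addressing the host-level slide mentions (the rule keys on the remote source, not on the VM's own address).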
Identity Services
• Generally, strong authentication is available only through delegation
• Federated identity generally not available
  • Support for SAML v2, WS-* and XACML is sporadic
  • OpenID is not enterprise-ready
• OpenID, OATH, OAuth, OpenAuth, OpenSSO
  • All five are “open” and deal with authentication, but….
• Delegated authorization generally not available
• Generally weak credential management – of weak credentials
Other Important Considerations
Audit & Compliance
• No audit standards specific to the ‘cloud’
  • Not operational, procurement (e.g., FAR), or security
• SAS-70 Type 2 is an audit format – not specific audit criteria
  • Most cloud providers don’t even have a SAS-70
• Compliance: the so-called Patriot Act problem
  • Location, location, location
• Issue is assurance of compliance (e.g., data lineage – let alone data provenance)
Privacy
• Loss of Fourth Amendment protection
  • Legal order served on provider – not ‘you’
  • Some data can be accessed merely by NSLs
  • Magistrate judge court orders under §215
• Probably no encryption of data-at-rest
  • No indexing or sorting of encrypted data
• Definitely no encryption while data processed
  • Promise of 2-DNF (homomorphic encryption), Predicate Encryption (asymmetric encryption)
• Data remanence: limited attempt to address
  • NIST Special Publication 800-88, Guidelines for Media Sanitization
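The slide contrasts "definitely no encryption while data is processed" with the promise of homomorphic schemes such as 2-DNF. The following is an added example, not from the deck, that shows the idea with the simpler Paillier cryptosystem rather than the 2-DNF (Boneh-Goh-Nissim) scheme the slide names: Paillier supports only addition of plaintexts (and multiplication by a known constant), but that is enough to show a provider summing values it cannot read. The primes, plaintexts and roles are constructed for illustration and the parameters are far too small for real use.

```python
"""Toy Paillier (additively homomorphic) encryption with tiny parameters.

Added illustration (not from the slide deck). The customer keeps the private
key; the provider holds only the public key and ciphertexts, yet can compute
E(a) * E(b) mod n^2 = E(a + b), i.e. process data without decrypting it.
Primes and values are constructed and far too small for real use.
"""
from math import gcd
import secrets


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def keygen(p: int = 61, q: int = 53):
    """Public key (n, g) with g = n + 1; private key (lam, mu).
    Constructed toy primes; real keys use primes of hundreds of digits."""
    n = p * q
    assert gcd(n, (p - 1) * (q - 1)) == 1      # Paillier requirement
    lam = lcm(p - 1, q - 1)
    g = n + 1
    n2 = n * n
    l_func = lambda x: (x - 1) // n              # the L function of the scheme
    mu = pow(l_func(pow(g, lam, n2)), -1, n)     # modular inverse, Python 3.8+
    return (n, g), (lam, mu)


def encrypt(pub, m: int, r: int = None) -> int:
    """c = g^m * r^n mod n^2 with fresh random r, so equal plaintexts give
    different ciphertexts (the provider cannot even spot repeated values)."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    if r is None:
        while True:
            r = secrets.randbelow(n - 1) + 1
            if gcd(r, n) == 1:
                break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n; requires the private key."""
    n, _g = pub
    lam, mu = priv
    n2 = n * n
    return (((pow(c, lam, n2) - 1) // n) * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Homomorphic addition: E(m1) * E(m2) mod n^2 = E(m1 + m2 mod n)."""
    n, _g = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c: int, k: int) -> int:
    """Multiplication by a known constant: E(m)^k mod n^2 = E(k * m mod n)."""
    n, _g = pub
    return pow(c, k, n * n)


def provider_sum(pub, ciphertexts) -> int:
    """What the cloud provider can do with only the public key: total a list
    of encrypted values without learning any of them or the total."""
    acc = encrypt(pub, 0)
    for c in ciphertexts:
        acc = add_encrypted(pub, acc, c)
    return acc


if __name__ == "__main__":
    pub, priv = keygen()
    values = [10, 20, 30]                                   # constructed plaintexts
    uploaded = [encrypt(pub, v) for v in values]            # customer encrypts
    total_ct = provider_sum(pub, uploaded)                  # provider sums blind
    print("provider sees:", uploaded, "->", total_ct)
    print("customer decrypts total:", decrypt(pub, priv, total_ct))
```

The limitation the slide hints at is visible here: sums and constant multiples work, but a product of two encrypted values or any comparison, indexing or sorting on ciphertexts does not, which is why the preceding bullet notes that encrypted data cannot be indexed or sorted.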
Security-as-a-[Cloud]-Service
Security Through the Cloud
• Proliferation of endpoints
  • Different OSs, form factors – but all with access to organizational data
• Scalability & manageability of existing solutions stretched too far
• USENIX paper in July 2008 in San Jose
  • “CloudAV: N-Version Antivirus in the Network Cloud”
• Network-centric: e-mail, vulnerability assessment
• Former host resident: anti-malware, content filtering
Conclusions
• Part of ‘your’ infrastructure security moves beyond your control – Get Ready!
• Provider’s infrastructure security may (enterprise) or may not (SMB) be less robust than ‘your’ expectations
• Data security becomes significantly more important
• Weak access control, credential mgmt. – unless delegated back to ‘you’
Conclusions
• No established standards for redaction, obfuscation, or truncation
• No cloud-specific audit requirements or guidance
  • “Extending” SAS-70 Type 2 to cloud providers
• No cloud-specific regulatory requirements – yet
  • Some foreign prohibitions on using U.S. cloud providers
Questions?
Speakers
• Subra Kumaraswamy, Senior Security Manager – Sun Microsystems
• Tim Mather, Chief Security Strategist – RSA, The Security Division of EMC