The Day After Yesterday

Transcription

1 The Day After Yesterday or: How I Learned to Stop Worrying About Securing the Cloud

2 Start at the Beginning Virtualization Security is easy once you understand how hard it is Cloud Security is a topic almost as controversial as the Healthcare Bill, but much more widely debated With all this topic encompasses, I m going to focus only on the practical, and leave theorizing and pontificating about the future of cloud to other pundits

3 The Next 54 Minutes My focus is on the enterprise My focus is largely on virtualization I m only going to talk specifics with regards to the most popular solutions My focus is on what can you do today

4 Topics Practical VirtSec Resources Hypervisor Management Interface Virtual Machines Virtual Networks Practical CloudSec Risks Mitigation EC2 Basics VPC Third-party

5 Virtualization is... Broad term, many uses Abstraction of characteristics of physical compute resources from systems, users, applications Typically: Resource (virtual memory, RAID, SAN) Platform (virtual machines)

6 Cloud is... A nebulous term ;) A collection of, comprised of, that can be rapidly Resources hosted Not a new technology!

7 Cloud is... Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

8 VirtSec is... Security of virtual infrastructure and the virtual machines running within it Many considerations the same in virtual and physical infrastructure, however Virtualization does introduce unique architecture and a few unique challenges

9 CloudSec is... Defined by individual interpretation and implementation of cloud More process than technology Subject to the same advantages and disadvantaged inherent in cloud

10 VirtSec in Practice

11 Simpler is Better Keep It Simple, Stupid (KISS) Make Your Architecture Simpler to Secure! (MYASS) More moving pieces means more time, effort and money required to implement security completely and effectively Don t let the capabilities of your platform fool you into believing you need all of them

12 Where the Wild Things Are Five primary [sub]systems: Compute, network and storage resources Hypervisor / VMM / vmkernel Virtual machines (guest OS) Service console (COS, dom0) Networking [layer]

13 Secure Your Resources Your virtual infrastructure is only as secure as the resources that comprise it! Securing your compute, network and storage infrastructure is as important as securing the hypervisor and guests

14 Storage and Network Zoning and masking Isolated [dedicated] IP storage networks Mutual CHAP for iscsi, restrict NFS by IP Firewalls throughout, forward and reverse proxies where possible Consider physical log and monitoring servers, IDS/IPS, load balancers

15 Secure Your Hypervisor Not generally user-serviceable Small(ish) attack surface Area of least control (and concern) See hyperjacking See redpill / bluepill The future? Hardware Root of Trust

16 Service Console In ESX, COS is based on RHEL/CentOS Moderately secure out of the box (only authenticated and encrypted management services on by default) Still, needs additional hardening to be considered secure ESXi has BusyBox, no real COS XenServer dom0 is also CentOS

17 ESX Minimum Required Hardening Limit use of su to members of wheel group Enforce use of sudo and use aliases Configure TCP wrappers (hosts.deny) Authenticate via AD or LDAP Replace the default self-signed SSL certs Configure NTP and remote logging

18 Further COS Hardening VMware s Hardening Guides (VI3, vsphere) CIS ESX server benchmark Tripwire s ConfigCheck, OpsCheck XenSource wiki

19

20 Configure NTP & remote logging Configure host to sync time via NTP Configure remote logging (consider Syslog- NG, Splunk, Mitre s CEE) Configure alarms and alerts via SNMP Archive logs to RO medium daily Keep your COS/dom0 patched!

21 Virtual Machines VMs are highly mobile and often short-lived VM sprawl results from creation of new VMs to suit every whim Most organizations have poor change control and/or patch management systems for virtual infrastructure Introspection mechanisms not widely available, deployed

22 The Malignant OS Needs to be hardened / secured just like on physical machines Principles of minimization will lead to smaller, faster, more secure vm s

23 Power. Respect. JEOS. How far will you go to get it? Just Enough Operating System Most effective way to ensure security of virtual infrastructure Difficult to achieve today, not impossible nlite, vlite, LitePC Ubuntu VM Builder, SuSE Studio, Rpath, Arch, Slackware, Gentoo, BSD

24 See the service guides at (ex. Windows 2008 R2 Service Configurations)

25 Guest OS Hardening Consider automated assessment tools, checklists and/or hardening scripts nmap, Nessus, Metasploit, CANVAS 15 Steps to Hardening WS2003 Microsoft Baseline Security Analyzer Bastille Linux

26

27 VM Introspection Examine and understand internal state of a running VM VMSafe XenAccess Virtual Introspection for Xen

28 Virtual Networking Built-in vswitches provide some protection Limit promisc mode Prevent mac changes / forgery Basic VLAN tagging, trunking No native ACLs or firewalling

29 Enhanced Virtual Networking New vswitches provide greatly enhanced functionality and security (Open vswitch, Cisco Nexus 1000v) You can also do a fairly effective job with: Vyatta, LRP, FreeSCO m0n0wall, pfsense, OpenBSD Astaro, IPcop, Untangle

30 Important Considerations Isolated, OOB management network Isolated, OOB ip storage networks Redundant NICs in NIC teams across redundant switches Physical separation between prod and dev Physical interfaces always preferred over VLANs for segmentation

31 UTM-in-a-VM? In addition to firewalls, consider that you may need to provide VM-based IDS / IPS, authentication, NAC, and/or malware protection and content filtering within your virtual networks Astaro and Untangle provide much of this functionality already

32

33 Configuration Management Configuration management and change control are two of the most critical elements in an effective security policy Also the two most frequently overlooked, and/or shoddily implemented processes There are tools available to help, you just have to use them!

34

35

36

37 CloudSec in Practice

38 "Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties. " From the CSA s Security Guidance for Critical Areas of Focus in Cloud Computing

39 Fundamentals K.I.S.S. (M.Y.A.S.S.) Define assets, understand trust models Understanding cloud key to securing cloud 5 cloud characteristics 3 service models 4 deployment models

40 Five characteristics On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service Three service models SaaS, PaaS, IaaS Four deployment models Public, Community, Private, Hybrid

41 Cloud Security Alliance

42 What Do We Mean By Cloud Security? Infrastructure security? Virtualization security? Application security? Compliance? It s all about the assets

43 What Do You Mean What Do I Mean? Infrastructure, virtualization, application security no less important than before, but managed differently Compliance is important, but useless taken out of context (SAS 70 TII, but with which controls?) Compliance doesn t fully address governance, residency, access

44 The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a possible attack at several different points; Sun Tzu

45 Predominant Risks From ENISA s Benefits, Risks and Recommendations for Information Security Loss of governance [Lack of transparency] Lock-in Isolation failure Compliance risks Management interface compromise Data protection Incomplete or insecure data deletion Malicious insider

46 Barriers Largely questions of governance, residency and compliancy Where is your data? Who has access? Who controls and manages it? How is the data accessed?

47 Mitigation Encrypt locally before storing in the cloud Ensure external key storage and management Keep private data out of cloud Build protection mechanisms directly into your resources in the cloud Host private cloud

48 Encourage Adoption of Open Standards Will help with transparency Will help avoid lock-in Will help in understanding governance Will help in achieving compliancy

49 Required Reading CSA s Security Guidance for Critical Areas of Focus in Cloud Computing ENISA s Benefits, Risks and Recommendations for Information Security CloudSecurity.org RationalSurvivability.com/blog

50 EC2 Security Basics Automate, orchestrate, standardize using RightScale, Puppet, Chef, etc Firewall rules / security groups SSH keys, AWS multi-factor auth Use modern, trusted AMI s, patch regularly Know what you re doing? Roll your own

51 Virtual Private Clouds Connect existing datacenter infrastructure to isolated cloud resources Private, overlay network Extend existing datacenter security and monitoring controls into the cloud Amazon VPC CohesiveFT VPN-Cubed CloudSwitch Google Secure Data Connector

52 More CloudSec EnStratus Extra-cloud key and credential storage and management PerspecSys Apps in the cloud, data at home More solutions coming every day, and I interested in hearing about those I neglected to include or mention!

53 In Conclusion VirtSec and CloudSec follow the same rules that the rest of our infrastructure follows, though they do introduce new surfaces, forms of exposure, and questions about governance and responsibility Secure your resources first, then focus on hardening your guests and instances -- the most likely sources of compromise and/or data loss / theft / manipulation Oh yeah, and don t forget to K.I.S.S. M.Y.A.S.S! ;)