2008- CEO Pawn Promotion Senior Project Manager PDC/KTH Co-founder Numeri

Transcription

1

2 Åke Edlund, PhD CEO Pawn Promotion Senior Project Manager PDC/KTH Co-founder Numeri Core Application Architect, Sony Ericsson Mobile Communications AB 2001 Solution Manager, Ericsson Business Innovation AB (startup) 2000 Partner Integration Manager, eu-supply.com (startup) 1999 Product Manager, Cycore AB (startup) 1997 Consultant, Parallel Consulting Group International AB (startup) 1999 Ph.D. Technion Israel Institute of Technology (Uppsala, Berkeley, Rice) Pawn Promo3on

3 Cloud Security Part I Introduc3on, Good and Bad News, Secure Migra3on Paths for Cloud Compu3ng, Data Security and Storage, Governing the Cloud Pawn Promo3on Åke Edlund

4 And thanks to Ilja Livenson! "Security Guidance for Critical Areas of Focus! in Cloud Computing"! " " "Top Threats to Cloud Computing"! " " Cloud Computing: Benefits, Risks and Recommendations! for Information Security! " "

5 Before star*ng

6 Core objec*ves and principles that cloud compu*ng must meet to be successful Security #1 Scalability Availability Performance Cost- effec*ve Acquire resources on demand Release resources when no longer needed Pay for what you use Leverage others core competencies Turn fixed cost into variable cost Security = Enabler

7 Discussion: what would you list as a poten*al security issue?

8 Security is the Major Issue

9 hfp:// compu3ng- sme- survey

10 hfp:// compu3ng- sme- survey

11 hfp:// compu3ng- sme- survey

12

13 "The same amount of investment in security buys better protection"! All kinds of security measures, are cheaper when implemented on a larger scale. E.g. filtering, patch management, hardening of virtual machine instances and hypervisors, etc)! Staff specialization & experience - Cloud providers big enough to hire specialists in dealing with specific security threats.! Timeliness of response to incidents - Updates can be rolled much more rapidly across a homogenous platform! Default VM images and software modules can be updated with the latest patches and security settings. Snapshots of virtual infrastructure (in IaaS) to be taken regularly and compared with a security baseline.!

14 Almost all major an*virus vendors now offer "cloud" based solu*ons hfp:// Panda- Cloud- An3virus hfp:// aid= _backup_storage_and_recovery_as_a_service_for_smbs#benefits

15

16 ...! the massive concentrations of resources and data present! a more attractive target! to attackers!

17 General Security Challenges Trus3ng vendor s security model Customer inability to respond to audit findings Obtaining support for inves3ga3ons Indirect administrator accountability Proprietary implementa3ons can t be examined Loss of physical control

18 Cloud Security Challenges (cont.) Data dispersal and interna3onal privacy laws EU Data Protec3on Direc3ve and U.S. Safe Harbor program Exposure of data to foreign government and data subpoenas Data reten3on issues Need for isola3on management Mul3- tenancy Logging challenges Data ownership issues Quality of service guarantees

19 Cloud Security Challenges (cont.) AFrac3on to hackers (high value target) Possibility for massive outages Encryp3on needs for cloud compu3ng Encryp3ng access to the cloud resource control interface Encryp3ng administra3ve access to OS instances Encryp3ng access to applica3ons Encryp3ng applica3on data at rest

20 Secure Migra*on Paths for Cloud Compu*ng

21 Cloud compu3ng is about gracefully losing control while maintaining accountability even if the opera3onal responsibility falls upon one or more third par3es.

22 The Why and How of Cloud Migra*on There are many benefits that explain why to migrate to clouds Cost savings, power savings, green savings, increased agility in sogware deployment Cloud security issues may drive and define how we adopt and deploy cloud compu3ng solu3ons

23 Balancing Threat Exposure and Cost Effec*veness Private clouds may have less threat exposure than community clouds which have less threat exposure than public clouds. All else being equal, massive public clouds may be more cost effec*ve than large community clouds which may be more cost effec3ve than small private clouds. Doesn t strong security controls mean that I can adopt the most cost effec7ve approach?

24 Cloud Migra*on and Cloud Security Architectures Clouds typically have a single security architecture but have many customers with different demands Clouds should afempt to provide configurable security mechanisms Higher sensi3vity data is likely to be processed on clouds where organiza3ons have control over the security model

25 Strong security controls are necessary for all cloud models Clouds can contain strong security controls Quan3fying security advantages vs. challenges is not currently possible Reducing the threat exposure and implemen3ng strong security controls should lead to processing higher sensi3vity data Thus, strong security controls are necessary for all cloud models (even private clouds)

26 PuVng it Together Most clouds will require very strong security controls All models of cloud may be used for differing tradeoffs between threat exposure and efficiency There is no one cloud. There are many models and architectures. How does one choose?

27 Assets Iden*fy the asset for the cloud deployment Data Applica3ons, Func3ons, Processes Evaluate the asset Importance Rough es3mate of how sensi3ve (how, see next slide)

28 If something happens Ques*ons to ask: How would we be harmed if the asset became widely public and widely distributed? an employee of our cloud provider accessed the asset? the process or func3on were manipulated by an outsider? the process or func3on failed to provide expected results the informa3on/data were unexpectedly changed? the asset were unavailable for a period of 3me?

29 Map the asset to poten*al cloud deployment Models - determine which deployment models we are comfortable with. Can we accept the risks implicit to the various deployment models: private, public, community, or hybrid; and hos3ng scenarios: internal, external, or combined. i.e. finding the comfort level suitable for your assets.

30 Providers, and data flow Evaluate poten*al cloud service models and providers : Focus on the degree of control you have to implement risk mi3ga3on. Sketch the poten*al data flow: Absolutely essen3al to understand whether, and how, data can move in and out of the cloud

31 Conclusion Understand the importance of What you are considering moving to the cloud, Your risk tolerance (at least at a high level), and Which combina3ons of deployment and service models are acceptable. A rough idea of poten3al exposure points for sensi3ve informa3on and opera3ons.

32 Data Security and Storage

33 Data loss... The Microsoft data loss of 2009 resulted in an estimated 800,000 smartphone users in the United States temporarily losing personal data, such as s, address books and photos from their mobile handsets.! The computer servers holding the data were run by Microsoft.! At the time, it was described as the biggest disaster to affect the concept of cloud computing.!

34 Data loss...

35 Threat #5: Data Loss or Leakage The problem:! There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example.! Unlinking a record from a larger context may render it unrecoverable, as can storage on unreliable media.! Loss of an encoding key may result in effective destruction.! Finally, unauthorized parties must be prevented from gaining access to sensitive data.!

36 Threat #5: Data Loss or Leakage What have happened (so far):! "Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys; operational failures; persistence and remanence challenges: disposal challenges; risk of association; jurisdiction and political issues; data center reliability; and disaster recovery.!

37 A closer look at Data Security and Storage Data- in- transit Data- at- rest Processing of data, including mul3tenancy Data lineage (following the path of data, for audits e.g.) Data provenance (integrity and accuracy) Data remanence (was the data fully removed?)

38 Key challenges regarding data lifecycle security in the cloud Data security Confiden3ality Integrity Availability Authen3city Authoriza3on

39 Loca*on of the data There must be assurance that the data, including all of its copies and backups, is stored only in geographic loca*ons permi`ed by contract, SLA, and/or regula*on. For instance, use of compliant storage as mandated by the European Union for storing electronic health records can be an added challenge to the data owner and cloud service provider.

40 Data remanence or persistence Data must be effec3vely and completely removed to be deemed destroyed. Therefore, techniques for completely and effec3vely loca3ng data in the cloud, erasing/ destroying data, and assuring the data has been completely removed or rendered unrecoverable must be available and used when required.

41 Commingling data with other cloud customers Data especially classified / sensi3ve data must not be commingled with other customer data without compensa3ng controls while in use, storage, or transit. Mixing or commingling the data will be a challenge when concerns are raised about data security and geo- loca3on.

42 Data backup and recovery schemes for recovery and restora*on Data must be available and data backup and recovery schemes for the cloud must be in place and effec3ve in order to prevent data loss, unwanted data overwrite, and destruc3on. Don t assume cloud- based data is backed up and recoverable. Don t assume cloud- based data is backed up and recoverable. Don t assume cloud- based data is backed up

43 Governing the Cloud

44 GOVERNING THE CLOUD more good advice from the Cloud Security Alliance Governance and Enterprise Risk Management Enterprise Risk Management Informa3on Risk Management Recommenda3ons Third Party Management Recommenda3ons Legal and Electronic Discovery Compliance and Audit Portability and Interoperability

45 Governance and Enterprise Risk Management Guidance dealing with the ability of an organiza*on to govern and measure enterprise risk introduced by Cloud Compu*ng. Legal precedence for agreement breaches, ability of user organiza3ons to adequately assess risk of a cloud provider, responsibility to protect sensi3ve data when both user and provider may be at fault, and how interna3onal boundaries may affect these issues

46 Legal and Electronic Discovery Guidance dealing with Poten*al legal issues when using Cloud Compu*ng. protec3on requirements for informa3on and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, interna3onal laws, etc.

47 Compliance and Audit Guidance dealing with maintaining and proving compliance when using Cloud Compu*ng. Evalua3ng how Cloud Compu3ng affects compliance with internal security policies, as well as various compliance requirements (regulatory, legisla3ve, and otherwise) are discussed here. This domain includes some direc3on on proving compliance during an audit.

48 Informa*on Lifecycle Management Guidance dealing with managing data that is placed in the cloud. Iden3fica3on and control of data in the cloud compensa3ng controls which can be used to deal with the loss of physical control when moving data to the cloud who is responsible for data confiden3ality, integrity, and availability

49 Portability and Interoperability Guidance dealing with the ability to move data/services from one provider to another, or bring it en*rely back in- house. Issues surrounding interoperability between providers. Users should be able to control the data they store in any of Google's products. Our team's goal is to make it easier to move data in and out.

50 More examples of threats

51 So many new APIs and tools! Maybe they need some more security! hardening?! Do you think so?!

52 Threat #2: Insecure Interfaces and APIs The problem:! Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.! What have happened (so far):! Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies.! What to do about it:! - Analyze the security model of cloud provider interfaces.! - Ensure strong authentication and access controls are implemented in concert with encrypted transmission.! - Understand the dependency chain associated with the API.!

53 Remember this one? Mul*- Tenancy

54 Sharing cage... Bad neighbors...

55 A user might insist on using physical machines populated only with their own VMs and, in exchange, bear the opportunity costs of leaving some of these machines under- u*lized.

56 Threat #4: Shared Technology Issues The problem:! IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture.! To address this gap, a virtualization hypervisor mediates access between guest operating systems and the physical compute resources.! Still, even hypervisors have exhibited flaws that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform.! A defense in depth strategy is recommended, and should include compute, storage, and network security enforcement and monitoring. Strong compartmentalization should be employed to ensure that individual customers do not impact the operations of other tenants running on the same cloud provider. Customers should not have access to any other tenant s actual or residual data, network traffic, etc.!

57 Threat #4: Shared Technology Issues What have happened (so far):! Joanna Rutkowska s Red and Blue Pill exploits! Kortchinksy s CloudBurst presentations.! What to do about it:! Implement security best practices for installation/configuration.! Monitor environment for unauthorized changes/activity.! Promote strong authentication and access control for administrative access and operations.! Enforce service level agreements for patching and vulnerability remediation.! Conduct vulnerability scanning and configuration audits.!

58 Threat #7: Unknown Risk Profile The problem:! Not knowing : Versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design! Missing : Information about who is sharing your infrastructure may be pertinent, in addition to network intrusion logs, redirection attempts and/or successes, and other logs.!

59 Opera*ng Securely in the Cloud

60 Opera*ng in the Cloud - good advice from the Cloud Security Alliance Tradi*onal Security, Business Con*nuity, and Disaster Recovery Data Center Opera*ons Incident Response, No*fica*on, and Remedia*on Applica*on Security Encryp*on and Key Management Encryp3on for Confiden3ality and Integrity Key Management Iden3ty and Access Management Iden3ty Provisioning Recommenda3ons Authen3ca3on Recommenda3ons Federa3on Recommenda3ons Access Control Recommenda3ons IDaaS Recommenda3ons Virtualiza*on

61 Data Center Opera*ons Guidance dealing with how to evaluate a provider s data center architecture and opera*ons. This is primarily focused on helping users iden3fy common data center characteris3cs that could be detrimental to on- going services, as well as characteris3cs that are fundamental to long- term stability.

62 Incident Response, No*fica*on and Remedia*on Guidance dealing with proper and adequate incident detec*on, response, no*fica*on, and remedia*on. This afempts to address items that should be in place at both provider and user levels to enable proper incident handling and forensics. This domain will help you understand the complexi3es the cloud brings to your current incident handling program.

63 Applica*on Security Guidance dealing with securing applica*on solware that is running on or being developed in the cloud. This includes items such as whether it s appropriate to migrate or design an applica3on to run in the cloud, and if so, what type of cloud platorm is most appropriate (SaaS, PaaS, or IaaS). Some specific security issues related to the cloud are also discussed.

64 Applica*on Security - Recommenda*ons Solware Development Lifecycle (SDLC) security is important, and should at a high level address these three main areas of differen3a3on with cloud- based development: 1) updated threat and trust models 2) applica3on assessment tools updated for cloud environments 3) SDLC processes and quality checkpoints to account for applica3on security architectural changes. IaaS, PaaS, and SaaS create different trust boundaries for the sogware development lifecycle; which must be accounted for during the development, tes3ng, and produc3on deployment of applica3ons.

65 Applica*on Security Recommenda*ons (cont.) The best prac3ces available to harden host systems within DMZs should be applied to virtual machines. Limi*ng services available to only those needed to support the applica*on stack is appropriate.

66 Applica*on Security Recommenda*ons (cont.) Account for external administra3on and mul*- tenancy in the applica3on s threat model.

67 Applica*on Security Recommenda*ons (cont.) Cloud providers must support dynamic analysis web applica3on security tools against applica3ons hosted in their environments. AFen3on should be paid to how malicious actors will react to new cloud applica3on architectures that obscure applica3on components from their scru3ny. Hackers are likely to afack visible code, including but not limited to code running in the user context. They are likely to afack infrastructure and perform extensive black box tes3ng.

68 Encryp*on and Key Management Guidance dealing with iden*fying proper encryp*on usage and scalable key management. This sec3on is not prescrip3ve, but is more informa3onal is discussing why they are needed and iden3fying issues that arise in use, both for protec3ng access to resources as well as for protec3ng data.

69 Key Management Secure key stores. Key stores must themselves be protected, just as any other sensi3ve data. They must be protected in storage, in transit, and in backup. Improper key storage could lead to the compromise of all encrypted data.

70 Access to key stores Access to key stores must be limited to the en33es that specifically need the individual keys. There should also be policies governing the key stores, which use separa3on of roles to help control access; an en3ty that uses a given key should not be the en3ty that stores that key.

71 Key backup and recoverability Loss of keys inevitably means loss of the data that those keys protect. While this is an effec3ve way to destroy data, accidental loss of keys protec3ng mission cri3cal data would be devasta3ng to a business, so secure backup and recovery solu3ons must be implemented.

72 Encryp*on and Key Management - Recommenda3ons Use encryp3on to separate data holding from data usage. Segregate the key management from the cloud provider hos3ng the data, crea3ng a chain of separa3on. This protects both the cloud provider and customer from conflicts when compelled to provide data due to a legal mandate.

73 Encryp*on and Key Management - Recommenda3ons Understand whether and how cloud provider facili3es provide role management and separa3on of du3es. In cases where the cloud provider must perform key management, understand whether the provider has defined processes for a key management lifecycle: how keys are generated, used, stored, backed up, recovered, rotated, and deleted. Further, understand whether the same key is used for every customer or if each customer has its own key set.

74 Encryp*on and Key Management - Recommenda3ons Assure regulated and/or sensi3ve customer data is encrypted in transit over the cloud provider s internal network, in addi3on to being encrypted at rest. This will be up to the cloud customer to implement in IaaS environments, a shared responsibility between customer and provider in PaaS environments, and the cloud provider s responsibility in SaaS environments.

75 Encryp*on and Key Management - Recommenda3ons In IaaS environments, understand how sensi3ve informa3on and key material otherwise protected by tradi3onal encryp3on may be exposed during usage. For example, virtual machine swap files and other temporary data storage loca3ons may also need to be encrypted.

76

77 What Is Security for Cloud Compu*ng?

78 Revenue US$1.077 billion (2009) Opera3ng income US$ million (2009) Net income US$ million (2009) Employees From Security Statement 1. When you access our site Secure Socket Layer (SSL) Your data will be completely inaccessible to your compe3tors unique user name and password that must be entered each 3me a User logs on hosted in a secure server environment that uses a firewall and other advanced technology to prevent interference or access from outside intruders..

79 Cloud Security Part II More Threats, Opera3ng Securely in the Cloud, Infrastructure security - AWS example, Discussion(s) Pawn Promo3on Åke Edlund

80 Iden*ty and Access Management Guidance dealing with managing iden**es and leveraging directory services to provide access control. The focus is on issues encountered when extending an organiza3on s iden3ty into the cloud. This provides insight into assessing an organiza3on s readiness to conduct cloud- based Iden3ty and Access Management (IAM).

81 Virtualiza*on Guidance dealing with The use of virtualiza*on technology in Cloud Compu*ng. Risks associated with mul3- tenancy, VM isola3on, VM co- residence, hypervisor vulnerabili3es, etc. This domain focuses on the security issues surrounding system/hardware virtualiza3on, rather than a more general survey of all forms of virtualiza3on.

82 Virtualiza*on - recommenda*ons Iden3fy which types of virtualiza3on your cloud provider uses, if any. Understand which security controls are in place internal to the VMs other than the buil3n hypervisor isola3on such as intrusion detec3on, an3- virus, vulnerability scanning, etc. Secure by default configura3on must be assured by following or exceeding available industry baselines.

83 Virtualiza*on recommenda*ons (cont.) VM- specific security mechanisms embedded in hypervisor APIs must be u3lized to provide granular monitoring of traffic crossing VM backplanes, which will be opaque to tradi3onal network security controls. Administra3ve access and control of virtualized opera3ng systems is crucial, and should include strong authen3ca3on integrated with enterprise iden3ty management, as well as tamper- proof logging and integrity monitoring tools.

84 Virtualiza*on recommenda*ons (cont.) Have a repor3ng mechanism in place that provides evidence of isola3on and raises alerts if there is a breach of isola3on. Be aware of mul3- tenancy situa3ons with your VMs where regulatory concerns may warrant segrega3on.

85 Infrastructure security

86

87 Security and Amazon Security Team, Overview of Security Processes, hfp://media.amazonaws.com/pdf/aws_security_whitepaper.pdf Amazon Web Services Team, Crea*ng HIPPA- Compliant Medical Data Applica*ons With AWS hfp://media.amazonaws.com/aws_hipaa_whitepaper_final.pdf J.Varia, Architec*ng for the Cloud: Best Prac*ces hfp://media.amazonwebservices.com/aws_cloud_best_prac3ces.pdf... and many more!

88 Security should be implemented in every layer of the cloud application architecture! Physical security is typically handled by your service provider which is an additional benefit of using the cloud.! Network and application-level security is your responsibility and you should implement the best practices as applicable to your business.! AWS Security Best Practices tells you how.!

89 Protect your data in transit If you need to exchange sensitive or confidential information between a browser and a web server, configure SSL on your server instance.! You ll need a certificate from an external certification authority like VeriSign or Entrust.! The public key included in the certificate authenticates your server to the browser and serves as the basis for creating the shared session key used to encrypt the data in both directions.! Create a Virtual Private Cloud by making a few command line calls (using Amazon VPC). This will enable you to use your own logically isolated resources within the AWS cloud, and then connect those resources directly to your own datacenter using industry-standard encrypted IPSec VPN connections.! You can also setup an OpenVPN server on an Amazon EC2 instance and install the OpenVPN client on all user PCs.!

90 Protect your data at rest If you are concerned about storing sensitive and confidential data in the cloud, you should encrypt the data (individual files) before uploading it to the cloud.! For example, encrypt the data using any open source or commercial PGP-based tools before storing it as Amazon S3 objects and decrypt it after download.!

91 Protect your data at rest (cont.) On Amazon EC2, file encryption depends on the operating system.! Amazon EC2 instances running Windows can use the built-in Encrypting File System (EFS) feature. This feature will handle the encryption and decryption of files and folders automatically and make the process transparent to the users.! If you need a full encrypted volume, consider using the opensource TrueCrypt product; this will integrate very well with NTFS-formatted EBS volumes.! Amazon EC2 instances running Linux can mount EBS volumes using encrypted file systems using variety of approaches (EncFS6, Loop-AES7, dm-crypt8, TrueCrypt9).!

92 Protect your data at rest (cont.) Regardless of which approach you choose, encrypting files and volumes in Amazon EC2 helps protect files and log data so that only the users and processes on the server can see the data in clear text, but anything or anyone outside the server see only encrypted data.!

93 Protect your data at rest (cont.) No matter which operating system or technology you choose, encrypting data at rest presents a challenge: managing the keys used to encrypt the data.! If you lose the keys, you will lose your data forever and if your keys become compromised, the data may be at risk.! Therefore, be sure to study the key management capabilities of any products you choose and establish a procedure that minimizes the risk of losing keys.!

94 Protect your data at rest (cont.) Besides protecting your data from eavesdropping, also consider how to protect it from disaster.! Take periodic snapshots of Amazon EBS volumes to ensure it is highly durable and available. Snapshots are incremental in nature and stored on Amazon S3 (separate geo-location) and can be restored back with a few clicks or command line calls.!

95 Protect your AWS creden*als AWS supplies two types of security credentials: AWS access keys and X.509 certificates.! Your AWS access key has two parts: your access key ID and your secret access key.! When using the REST or Query API, you have to use your secret access key to calculate a signature to include in your request for authentication.! To prevent in-flight tampering, all requests should be sent over HTTPS.!

96 Protect your AWS creden*als (cont) If your Amazon Machine Image (AMI) is running processes that need to communicate with other AWS web services (for polling the Amazon SQS queue or for reading objects from Amazon S3, for example), one common design mistake is embedding the AWS credentials in the AMI.! Instead of embedding the credentials, they should be passed in as arguments during launch and encrypted before being sent over the wire.!

97 Protect your AWS creden*als (cont) If your secret access key becomes compromised, you should obtain a new one by rotating to a new access key ID.! As a good practice, it is recommended that you incorporate a key rotation mechanism into your application architecture so that you can use it on a regular basis or occasionally (when disgruntled employee leaves the company) to ensure compromised keys can t last forever.!

98 Protect your AWS creden*als (cont) Alternately, you can use X.509 certificates for authentication to certain AWS services.! The certificate file contains your public key in a base64-encoded DER certificate body.! A separate file contains the corresponding base64-encoded PKCS#8 private key.!

99 Secure your Applica*on (cont.) Every Amazon EC2 instance is protected by one or more security groups, named sets of rules that specify which ingress (i.e., incoming) network traffic should be delivered to your instance.! You can specify TCP and UDP ports, ICMP types and codes, and source addresses.! Security groups give you basic firewall-like protection for running instances.!

100 For example, instances! that belong to a web! application can have! the following security! group settings:! Secure your Applica*on (cont.) Another way to restrict incoming traffic is to configure softwarebased firewalls on your instances.! - Windows instances can use the built-in firewall.! - Linux instances can use netfilter and iptables.!

101 Secure your Applica*on (cont.) Over time, errors in software are discovered and require! patches to fix. You should ensure the following basic! guidelines to maximize security of your application:! Regularly download patches from the vendor's web site and update your AMIs! Redeploy instances from the new AMIs and test your applications to ensure the patches don't break anything. Ensure that the latest AMI is deployed across all instances!

102 Secure your Applica*on (cont.) Invest in test scripts so that you can run security checks periodically and automate the process! Ensure that the third-party software is configured to the most secure settings! Never run your processes as root or Administrator login unless absolutely necessary!

103 Secure your Applica*on (cont.) All the standard security practices pre-cloud era like adopting good coding practices, isolating sensitive data are still applicable and should be implemented.! In retrospect, the cloud abstracts the complexity of the physical security from you and gives you the control through tools and features so that you can secure your application.!

104 Some about Service Level Agreements (SLAs) Contract between customers and service providers of the level of service to be provided Contains performance metrics (e.g., up3me, throughput, response 3me) Problem management details Documented security capabili3es Contains penal3es for non- performance

105 Example: Amazon and the fine print Some lines from the terms of use: "DISPUTES Any dispute rela3ng in any way to your visit to the Site or to services provided by AWS or through the Site in which the aggregate total claim for relief sought on behalf of one or more par3es exceeds $7,500 shall be adjudicated in any state or federal court in King County, Washington, and you consent to exclusive jurisdic3on and venue in such courts. - Customer agreement: hfp://aws.amazon.com/agreement/ - Service terms: hfp://aws.amazon.com/serviceterms/

106 Summing it all up

107 Cloud compu3ng is about gracefully losing control while maintaining accountability even if the opera3onal responsibility falls upon one or more third par3es.

108 Summary Cloud Security Cloud services gives economy of scale! = The same amount of investment in security buys better protection! But the massive concentrations of resources and data present a more attractive target to attackers! Providers-users, Users-users, Users-provider! Cloud providers need to guard against theft or denial of service attacks by users.! Users need to be protected against one another.! And users need to be protected against their cloud providers!

109 What to 'carry home' from all this? CSA and ENISA are your best friends. If you (and your cloud provider) follow these recommenda3ons cloud compu3ng can be securely used for many situa3ons. Move to the cloud step- wise, from private, to hybrid and later if it makes sense for your business to fully public. Always keep a copy of all cri3cal data in- house.

110 Thanks! Time for ques*ons.

111 Comparison with cellular networks How Trusted Plaqorm Modules Could Improve Cloud Security hfp:// v=h9yo8xtwocg

112 Google hfp://cloudsecurity.org/blog/2008/07/01/cloudsecurityorg- interviews- guido- van- rossum- google- app- engine- python- and- security.html - interview with one of the google app developers, also creator ofpython. hfp://portal.acm.org/cita3on.cfm?id= a bit more generalar3cle on vm security in clouds hfp://books.google.de/books? hl=en&lr=&id=bhazecoudlyc&oi=fnd&pg=pa1&dq= %2Bgae +security&ots=fx5ei4kna7&sig=isittmku2o2yroreznb6rk 5f_08#v=onepage&q=&f=false - GAE is also discussed in this book.

113 Spare Slides

114 Iden*ty Provisioning Recommenda*ons Capabili3es offered by cloud providers are not currently adequate to meet enterprise requirements. Customers should avoid proprietary solu3ons such as crea3ng custom connectors unique to cloud providers, as these exacerbate management complexity. Cloud customers should modify or extend their authorita3ve repositories of iden3ty data so that it encompasses applica3ons and processes in the cloud.

115 Tradi*onal Security, Business Con*nuity and Disaster Recovery Guidance dealing with how Cloud Compu*ng affects the opera*onal processes and procedures currently use to implement security, business con*nuity, and disaster recovery. Discuss and examine possible risks of Cloud Compu3ng, in hopes of increasing dialogue and debate on the overwhelming demand for befer enterprise risk management models. Further, the sec3on touches on helping people to iden3fy where Cloud Compu3ng may assist in diminishing certain security risks, or entails increases in other areas.

116 Applica*on Security (cont.) Applica3ons in cloud environments will both impact and be impacted by: Applica*on Security Architecture Solware Development Life Cycle (SDLC Compliance Tools and Services Vulnerabili*es

117 So: Iden*fy what s new, and handle it New roles who is responsible for what? New technologies/ways to use technology New infrastructure gaps in this? Known threats, best prac3ces and recommenda3ons Examples

118 Microsog Azure Services Source: Microsog Presenta3on, A Lap Around Windows Azure, Manuvir Das

119 Case Study: Salesforce.com in Government 5,000+ Public Sector and Nonprofit Customers use Salesforce Cloud Compu*ng Solu*ons President Obama s Ci*zen s Briefing Book Based on Salesforce.com Ideas applica*on Concept to Live in Three Weeks 134,077 Registered Users 1.4 M Votes 52,015 Ideas Peak traffic of 149 hits per second US Census Bureau Uses Salesforce.com Cloud Applica*on Project implemented in under 12 weeks 2,500+ partnership agents use Salesforce.com for 2010 decennial census Allows projects to scale from 200 to 2,000 users overnight to meet peak periods with no capital expenditure

120 Let's compare to non- cloud... Top Secret Brit Laptop Stolen FACT: In 2006 on average one in ten lap- tops were stolen Intel Study: Stolen Laptop Cost to Businesses $50,000 Ci3ng a Tech Republic survey, Ponemon showed that approximately 1 in 10 notebooks are stolen. Of those thegs, 88 percent of laptops go unrecovered.

121

122 Recap

123 Cloud Software as a Service (SaaS) Use provider s applications over a network Cloud Platform as a Service (PaaS) Deploy customer-created applications to a cloud Cloud Infrastructure as a Service (IaaS) Rent processing, storage, network capacity, and other fundamental computing resources

124 Recap - 4 Cloud Deployment Models Private cloud enterprise owned or leased Community cloud shared infrastructure for specific community Public cloud Sold to the public, mega- scale infrastructure Hybrid cloud composi3on of two or more clouds Cloud Security and Privacy, 2009, Tim Mather et al.

125

126 Security Relevant Cloud Components

127 Security Relevant Cloud Components Cloud Provisioning Services Cloud Data Storage Services Cloud Processing Infrastructure Cloud Support Services Cloud Network and Perimeter Security Elas3c Elements: Storage, Processing, and Virtual Networks

128 Provisioning Service Advantages Rapid recons3tu3on of services Enables availability Provision in mul3ple data centers / mul3ple instances Advanced honey net capabili3es Challenges Impact of compromising the provisioning service

129 Data Storage Services Advantages Data fragmenta3on and dispersal Automated replica3on Provision of data zones (e.g., by country) Encryp3on at rest and in transit Automated data reten3on Challenges Isola3on management / data mul3- tenancy Storage controller Single point of failure / compromise? Exposure of data to foreign governments

130 Cloud Processing Infrastructure Advantages Ability to secure masters and push out secure images Challenges Applica3on mul3- tenancy Reliance on hypervisors Process isola3on / Applica3on sandboxes

131 Cloud Support Services Advantages On demand security controls (e.g., authen3ca3on, logging, firewalls ) Challenges Addi3onal risk when integrated with customer applica3ons Needs cer3fica3on and accredita3on as a separate applica3on Code updates

132 Cloud Network and Perimeter Security Advantages Distributed denial of service protec3on VLAN capabili3es Perimeter security (IDS, firewall, authen3ca3on) Challenges Virtual zoning with applica3on mobility

133 General Security Advantages Shiging public data to a external cloud reduces the exposure of the internal sensi3ve data Cloud homogeneity makes security audi3ng/ tes3ng simpler Clouds enable automated security management Redundancy / Disaster Recovery

134 Cloud Security Advantages Data Fragmenta3on and Dispersal Dedicated Security Team Greater Investment in Security Infrastructure Fault Tolerance and Reliability Greater Resiliency Hypervisor Protec3on Against Network AFacks Possible Reduc3on of C&A Ac3vi3es (Access to Pre- Accredited Clouds)

135 Cloud Security Advantages (cont.) Simplifica3on of Compliance Analysis Data Held by Unbiased Party (cloud vendor asser3on) Low- Cost Disaster Recovery and Data Storage Solu3ons On- Demand Security Controls Real- Time Detec3on of System Tampering Rapid Re- Cons3tu3on of Services Advanced Honeynet Capabili3es

136 Migra*on Paths for Cloud Adop*on Use public clouds Develop private clouds Build a private cloud Procure an outsourced private cloud Migrate data centers to be private clouds (fully virtualized) Build or procure community clouds Organiza3on wide SaaS PaaS and IaaS Disaster recovery for private clouds Use hybrid- cloud technology Workload portability between clouds

137 Possible Effects of Cloud Compu*ng Small enterprises use public SaaS and public clouds and minimize growth of data centers Large enterprise data centers may evolve to act as private clouds Large enterprises may use hybrid cloud infrastructure sogware to leverage both internal and public clouds Public clouds may adopt standards in order to run workloads from compe3ng hybrid cloud infrastructures

138 Data discovery As the legal system con3nues to focus on electronic discovery, cloud service providers and data owners will need to focus on discovering data and assuring legal and regulatory authori3es that all data requested has been retrieved. In a cloud environment that ques3on is extremely difficult to answer and will require administra3ve, technical and legal controls when required.

139 Data aggrega*on and inference With data in the cloud, there are added concerns of data aggrega3on and inference that could result in breaching the confiden3ality of sensi3ve and confiden3al informa3on. Hence prac3ces must be in play to assure the data owner and data stakeholders that the data is s3ll protected from subtle breach when data is commingled and/or aggregated, thus revealing protected informa3on (e.g., medical records containing names and medical informa3on mixed with anonymous data but containing the same crossover field ).

140 Analyzing Cloud Security Some key issues: trust, mul3- tenancy, encryp3on, compliance Clouds are massively complex systems can be reduced to simple primi*ves that are replicated thousands of 3mes and common func*onal units Cloud security is a tractable problem There are both advantages and challenges

141

142 Authen*ca*on Recommenda*ons Both the cloud provider and the customer enterprises should consider the challenges associated with creden3al management and strong authen3ca3on, and implement cost effec3ve solu3ons that reduce the risk appropriately. SaaS and PaaS providers typically provide the op3ons of either built- in authen3ca3on services to their applica3ons or platorms, or delega3ng authen3ca3on to the enterprise. Customers have the following op3ons: Authen3ca3on for enterprises. Enterprises should consider authen3ca3ng users via their Iden3ty Provider (IdP) and establishing trust with the SaaS vendor by federa3on. Authen3ca3on for individual users ac3ng on their own behalf. Enterprises should consider using user- centric authen3ca3on such as Google, Yahoo, OpenID, Live ID, etc., to enable use of a single set of creden3als valid at mul3ple sites. Any SaaS provider that requires proprietary methods to delegate authen3ca3on (e.g., handling trust by means of a shared encrypted cookie or other means) should be thoroughly evaluated with a proper security evalua3on, before con3nuing. The general preference should be for the use of open standards. For IaaS, authen3ca3on strategies can leverage exis3ng enterprise capabili3es. For IT personnel, establishing a dedicated VPN will be a befer op3on, as they can leverage exis3ng systems and processes.

143 Authen*ca*on Recommenda*ons Some possible solu3ons include crea3ng a dedicated VPN tunnel to the corporate network or federa3on. A dedicated VPN tunnel works befer when the applica3on leverages exis3ng iden3ty management systems (such as a SSO solu3on or LDAP based authen3ca3on that provides an authorita3ve source of iden3ty data). In cases where a dedicated VPN tunnel is not feasible, applica3ons should be designed to accept authen3ca3on asser3ons in various formats (SAML, WS- Federa3on, etc), in combina3on with standard network encryp3on such as SSL. This approach enables the organiza3ons to deploy federated SSO not only within an enterprise, but also to cloud applica3ons. OpenID is another op3on when the applica3on is targeted beyond enterprise users. However, because control of OpenID creden3als is outside the enterprise, the access privileges extended to such users should be limited appropriately.

144 Authen*ca*on Recommenda*ons Any local authen3ca3on service implemented by the cloud provider should be OATH compliant. With an OATH- compliant solu3on, companies can avoid becoming locked into one vendor s authen3ca3on creden3als. In order to enable strong authen3ca3on (regardless of technology), cloud applica3ons should support the capability to delegate authen3ca3on to the enterprise that is consuming the services, such as through SAML. Cloud providers should consider suppor3ng various strong authen3ca3on op3ons such as One- Time Passwords, biometrics, digital cer3ficates, and Kerberos. This will provide another op3on for enterprises to use their exis3ng infrastructure.

145 Federa*on Recommenda*ons In a Cloud Compu3ng environment, federa3on of iden3ty is key for enabling allied enterprises to authen3cate, provide single or reduced Sign- On (SSO), and exchange iden3ty afributes between the Service Provider (SP) and the Iden3ty Provider (IdP). Organiza3ons considering federated iden3ty management in the cloud should understand the various challenges and possible solu3ons to address them with respect to iden3ty lifecycle management, authen3ca3on methods, token formats, and non- repudia3on. Enterprises looking for a cloud provider should verify that the provider supports at least one of the prominent standards (SAML and WS- Federa3on). SAML is emerging as a widely supported federa3on standard and is supported by major SaaS and PaaS cloud providers. Support for mul3ple standards enables a greater degree of flexibility. Cloud providers should have flexibility to accept the standard federa3on formats from different iden3ty providers. However most cloud providers as of this wri3ng support a single standard, e.g., SAML 1.1 or SAML 2.0. Cloud providers desiring to support mul3ple federa3on token formats should consider implemen3ng some type of federa3on gateway. Organiza3ons may wish to evaluate Federated Public SSO versus Federated Private SSO. Federated Public SSO is based on standards such as SAML and WS- Federa3on with the cloud provider, while Federated Private SSO leverages the exis3ng SSO architecture over VPN. In the long run Federated Public SSO will be ideal, however an organiza3on with a mature SSO architecture and limited number of cloud deployments may gain short- term cost benefits with a Federated Private SSO. Organiza3ons may wish to opt for federa3on gateways in order to externalize their federa3on implementa3on, in order to manage the issuance and verifica3on of tokens. Using this method, organiza3ons delegate issuing various token types to the federa3on gateway, which then handles transla3ng tokens from one format to another.

146 Access Control Recommenda*ons Selec3ng or reviewing the adequacy of access control solu3ons for cloud services has many aspects, and entails considera3on of the following: Review appropriateness of the access control model for the type of service or data. Iden3fy authorita3ve sources of policy and user profile informa3on. Assess support for necessary privacy policies for the data. Select a format in which to specify policy and user informa3on. Determine the mechanism to transmit policy from a Policy Administra3on Point (PAP) to a Policy Decision Point (PDP). Determine the mechanism to transmit user informa3on from a Policy Informa3on Point (PIP) to a Policy Decision Point (PDP). Request a policy decision from a Policy Decision Point (PDP). Enforce the policy decision at the Policy Enforcement Point (PEP). Log informa3on necessary for audits.

147 Cloud Security and Privacy, 2009, Tim Mather et al.