Securing Data While Leveraging Virtualized and Cloud Storage

Transcription

1 Securing Data While Leveraging Virtualized and Cloud Storage Eric A. Hibbard, CISSP, CISA, ISSAP, ISSMP CTO Security & Privacy Hitachi Data System

2 Welcome to the Virtual Jungle The Setup Virtualization Lay of the Land Virtual Security (or Insecurity) Lifting the Haze Around Cloud Computing Securing the Cloud Legal & Compliance Issues The Storage Angle Wrapping Up 2

3 The Setup 3 A Little Context

4 Background Storage virtualization plays an important role in data resilience and data protection strategies within many organizations. Migrations onto virtual servers have saved some businesses huge sums of money as a result of consolidation and improved efficiency. The server virtualization market has emerged so quickly that customers have not been able to keep up from a best practices standpoint (especially security). Server virtualization introduces technologies that must be managed and secured. Virtualization is clearly an enabler for cloud. 4

5 Observations & Trends Concerns over security in a virtual environment are often centered around lack of visibility, lack of control and fear of the unknown. Smaller organizations with minimal IT departments can see improved security when using services and infrastructure from a public cloud service provider. The security and IS audit communities continue to highlight the risks associated with the use of cloud The storage industry is becoming very excited about virtualization and enabling technologies for the cloud In the U.S., many lawyers have become very interested in the cloud (data breaches and lawsuits) 5

6 Virtualization Lay of the Land 6

7 Virtualization Issues Networks that work correctly with physical servers don't necessarily work well with virtual machines. Virtualization introduces technologies like the hypervisor that must be managed. Virtual switching, which routes network traffic between virtual servers, is often done in ways that aren't always visible to tools designed to monitor traffic on the physical network. Many business continuity failures in virtualized environments can be attributed to network design flaws. In many organizations, the IT security team isn't consulted about virtual infrastructure until well after the architecture is built and rolled out on production servers. Virtualization does present risks if best practices are not followed and adapted to a virtual infrastructure. Virtual server instances may move between data centers, not just within a single facility. 7

8 Key Virtualization Components Virtual Machine (VM): Software that allow the sharing of the underlying physical machine resources between different VMs, each running its own operating system. Virtual Machine Monitor (VMM): Software responsible for managing interactions between VM(s) and the physical system. 8 Hypervisor: The software that handles kernel operations. A hypervisor can run on bare hardware (Type 1 or native VM) or on top of an operating system (Type 2 or hosted VM). Virtual Networks: Virtual networks tie together the VMs' virtual network interface cards (vnics), virtual switches (vswitches), and physical network interface cards (NICs) into various network architectures. Putting It All Together: A virtualized environment consists of a VMM and one or more VMs. The VMs and VMM interact with either a hypervisor or a host OS to access hardware, local I/O, and networking resources. In addition to these components, virtualization architectures leverage virtual networking, virtual storage, and terminal service capabilities to complete their architectures.

9 Key Virtualization Types 9 VM1 VM2 VM3 VM1 VM2 VM3 Applications Applications Applications Applications Applications Applications OS OS OS OS OS OS Virtual Hardware Virtual Hardware Virtual Hardware Virtual Hardware Virtual Hardware Virtual Hardware Virtualization Layer X86 Architecture Hardware Type 1 Virtualization Virtualization Layer Host OS Kernel X86 Architecture Hardware Type 2 Virtualization

10 Virtual Security (VirtSec) 10

11 Immutable Laws of Virtualization Security Law 1: All existing OS-level attacks work in the exact same way. Law 2: The hypervisor attack surface is additive to a system's risk profile. Law 3: Separating functionality and/or content into VMs will reduce risk. Law 4: Aggregating functions and resources onto a physical platform will increase risk. Law 5: A system containing a trusted VM on an untrusted host has a higher risk level than a system containing a trusted host with an untrusted VM. 11 SOURCE: Burton Group, Attacking and Defending Virtual Environments, Version 1, Pete Lindstrom, Jan-2010,

12 Virtualization Security Issues 12 Virtualization potentially makes the strong perimeter defense obsolete. While technologies are available to secure virtual infrastructure, it is common to see security failures that can be tracked to misconfigurations. The traffic flowing between VMs is another area of concern, since IDS/IPS, firewalls and other monitoring tools aren't able to tell if those machines are running on the same physical server hardware. In the virtual world, there is no inherent separation of duties, so it has to be build in. In an unchecked, unmonitored virtual environment, administrators are all powerful; often they don't understand the security risks. The hypervisor must be patched just like any other operating system to plug security holes.

13 Best Practices for Virtualized Systems Harden the Host Operating System, Hypervisor, and VMs Limit Physical Access to the Host Use Encrypted Communications Disable Background Tasks Employ Timely Patching and Updating of Systems Enable Perimeter Defenses on the VM Implement Only One Primary Function per VM Implement File Integrity Checks Perform Image Backups Frequently Secure VM Remote Access 13 SOURCE: Cloud Security, Krutz, Vines, 2010, Wiley Publishing, ISBN:

14 Lifting the Haze Around Cloud Computing 14

15 NIST Cloud Computing Characteristics 15 On-demand self-service. A consumer can unilaterally provision computing capabilities as needed automatically without requiring human interaction with each service s provider. Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms. Resource pooling. The provider s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service. SOURCE: National Institute of Standards and Technology, NIST Definition of Cloud Computing v15,

16 An Application View of Cloud 16 Service Delivery Models High-performance Computing Analytics Software-as-a-Service (SaaS) Platform-as-a-Service (PaaS) Application Domains Finance Web Infrastructure-as-a-Service (IaaS) Other Public Hybrid Private Cloud Deployment Models SOURCE: Cloud Security and Privacy, Mather, Kumaraswamy, Latif, 2009, O Reilly, ISBN:

17 Mapping the Cloud Model to the Metal 17 Applications Information Intelligent workloads IaaS Management Network Trusted Computing Compute & Storage PaaS SaaS Physical SOURCE: Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing, Version 2.1, 2009,

18 Securing the Cloud 18

19 What is Cloud Security? 19 Security in the Cloud: Security (products, solutions, technology) instantiated as an operational capability deployed within Cloud Computing environments (up/down the stack.) Think tactical solutions like virtualized firewalls, IDS/IPS, AV, DLP, DoS/DDoS, IAM, etc. Security for the Cloud: Security services that are specifically targeted toward securing OTHER Cloud Computing services, delivered by Cloud Computing providers (see next entry). Think cloud-based Anti-spam, DDoS, DLP, WAF, etc. Security by the Cloud: Security services delivered by Cloud Computing services which are used by providers for the cloud which often rely on those features described in the cloud. Think, basically any service these days that brand themselves as Cloud.

20 CSA Cloud Computing Security Guidance Governance Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Operations Traditional Security, Business Continuity and Disaster Recovery Data Center Operations Incident Response, Notification and Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization NOTE: The governance domains are broad and address strategic and policy issues within a cloud computing environment, while the operational domains focus on more tactical security concerns and implementation within the architecture. SOURCE: Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing, Version 2.1, 2009, 20

21 CSA Top Threats to Cloud Computing (1) 21 #1: Abuse and Nefarious Use of Cloud Computing Impacted Services Models: IaaS & PaaS Description: The illusion of unlimited compute, network, and storage capacity often coupled with a frictionless registration process (that preserve anonymity) has allowed spammers, malicious code authors, and other criminals to conduct their activities with relative impunity. #2: Insecure Interfaces and APIs Impacted Services Models: IaaS, PaaS, SaaS Description: Software interfaces or APIs, which are exposed for customers to manage and interact with cloud services (e.g., provisioning, management, orchestration, and monitoring), interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. SOURCE: Cloud Security Alliance, Top Threats to Cloud Computing, Version 1.0, 2010,

22 CSA Top Threats to Cloud Computing (2) #3: Malicious Insiders Impacted Services Models: IaaS, PaaS, SaaS Description: The well known malicious insider threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure as well as little or no visibility into the hiring standards and practices for cloud employees, creating an attractive opportunity for an adversary. #4: Shared Technology Issues Impacted Services Models: IaaS Description: IaaS vendors deliver their services in a scalable way by sharing infrastructure, which was not designed to offer strong isolation properties for a multi-tenant architecture, so appropriate security controls should be employed to ensure that individual customers do not impact the operations of other tenants and that customers do not have access to any other tenant s actual or residual data, network traffic, etc.

23 CSA Top Threats to Cloud Computing (3) 23 #5: Data Loss or Leakage Impacted Services Models: IaaS, PaaS, SaaS Description: The threat of data compromise (unauthorized access or corruption/destruction) increases in the cloud, due to the number of and interactions between risks and challenges, which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment. #6: Account or Service Hijacking Impacted Services Models: IaaS, PaaS, SaaS Description: Although account or service hijacking is not new, cloud solutions add a new threat because a successful attacker (e.g., gains access to your credentials) can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites as well as use your account or service instances as a new base for the attacker, possibly leverage the power of your reputation to launch subsequent attacks.

24 CSA Top Threats to Cloud Computing (4) #7: Unknown Risk Profile Impacted Services Models: IaaS, PaaS, SaaS Description: The features and functionality of a cloud service may be well advertised, but there may be few details (e.g., versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design) to help estimate your organization s security posture as well as little or no information on the cloud service provider s compliance of the internal security procedures, configuration hardening, patching, auditing, and logging. Often such questions are not clearly answered or are overlooked, leaving customers with an unknown risk profile that may include serious threats. 24

25 Legal & Compliance Issues 25

26 Governance & Compliance Compliance regulation/legislation not prescriptive on how to address virtual/cloud environments For Virtualized Environments: 26 Auditors making judgment calls; security teams adjusting existing controls to be compliant-enough Data tracking (VM movement) one of the biggest problems areas Monitoring and audit logging capabilities to prove compliance also a huge problem Need to establish compliance policies and practices as well as configuration management for virtual environments For Cloud: This list is long and distinguished (see CSA guidance)

27 Privacy For Virtualized Environments: 27 Access control much more difficult to establish and enforce It can be difficult/impossible to prove that regulated information has remained protected at all times while moving For Cloud: Sensitive information is potentially moving around the Internet within the Cloud in violation of law Data may be crossing national boundaries (possibly multiple jurisdictions) Data droppings throughout the Cloud; data retention and media sanitization are unpredictable Data protection and security dependent on contractual terms and service level agreements

28 Digital Evidence and Forensics Amassing the forensic data from the various sources could be a serious challenge Investigators must be proficient with the technologies For Virtualized Environments: Image backups of VMs could be extremely valuable Audit trails are key, but only if they are usable For Cloud: The real-time nature of Cloud Services may reduce the amount and nature of digital evidence The integrity and authenticity of data may be questionable (for example, inadequate protections against attacks) Describing (to a jury) indiscretions that occur within the Cloud could be extremely difficult 28

29 Electronic Discovery 29 For Virtualized Environments: Compartmentalization may make is easier to find relevant data Many more places to look for the data (missing it could result in sanctions) For Cloud: Data classification and records management practices become more important, but they are less likely to be used Relevant data could be within the hands of a large number of third parties (suppliers to suppliers) Business processes will be dependent on many elements within the Cloud (multiple consumers and suppliers) Organizations will have additional challenges identifying relevant data because business units are directly leveraging the Cloud

30 The Storage Angle 30

31 Storage and Virtualization 31 Storage virtualization is employed by many organizations as part of the data resilience and disaster recovery and business continuity solutions An assortment of storage security mechanisms exits: Entity authentication (iscsi CHAP & FC-SP DH-CHAP) Source filtering (IP address & WWNs) At-rest encryption (HBA and in-line) Storage security mechanisms often have to be loosened to accommodate server virtualization Storage-based replication can be a powerful compliment for VM movement between sites

32 Storage and Cloud 32 Multiple proprietary cloud storage offerings available and some include security mechanisms Cloud-based backup services used by many individuals and small businesses Storage Networking Industry Association (SNIA) has completed the Cloud Data Management Interface (CDMI) specification; working on reference implementation. Assume nothing about security; mechanisms are often disabled by default.

33 Wrapping Up 33

34 Summary Virtualization Server virtualization is common-place for many organization, and becoming so for many others Virtualization security is a viable option, but: Security professionals need to engaged early Security requirements/mechanisms may impose restrictions that negate some or all of the value of virtualization Compliance requirements must be factored into the solution Leverage storage technologies to help with data management 34

35 Summary Cloud 35 It is possible to engineer solutions across most cloud services today that meet or exceed the security provided within the enterprise however, the capability to execute may not be a reality! With cloud, the SLA represents the best of circumstances (assume nothing). Don t put anything in the cloud you wouldn t want someone else to see (government, competitor, or a private litigant)

36 Cloud Security Resources 36 Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing, Top Threats to Cloud Computing, European Network and information Security Agency (ENISA), Cloud Computing Benefits, risks and recommendations for information security, Information Systems Audit and Control Association (ISACA), Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, Cloud Security and Privacy, Mather, Kumaraswamy, Latif, 2009, O Reilly Publishing, ISBN: Cloud Security A Comprehensive Guide to Secure Cloud Computing, Ronald L. Krutz, Russel Dean Vines, 2010, Wiley, ISBN: SNIA Cloud Storage Initiative,

37 Cloud Standards Activities (1) Cloud Computing Interoperability Forum (CCIF) is developing Unified Cloud Interfaces and APIs Cloud Security Alliance (CSA) to promote the use of best practices for providing security assurance within Cloud computing Distributed Management Task Force (DMTF) is developing specification for the management interfaces between the cloud service consumer / developer and the cloud service provider. ISO/IEC JTC 1 Subcommittee 38 (SC38) on Distributed Application Platforms and Services (DAPS) has a focus on Web services, SOA, and cloud computing 37

38 Cloud Standards Activities (2) Object Management Group (OMG) to establish a uniform vocabulary for Cloud Computing, as well as to synchronize standards development Open Cloud Consortium (OCC) is researching the creation of inter-cloud interfaces with the aim of developing compatibility standards Open Grid Forum (OGF) is developing on an Open Cloud Computing Interface (OCCI) Storage Networking Industry Association (SNIA) developed the Cloud Data Management Interface (CDMI) specification 38

39 39 Questions & Comments can be directed to: Thank You

40 About the Author/Presenter Eric Hibbard is Hitachi Data Systems CTO for Security and Privacy where he is responsible for storage security strategy, identifying and defining new storage security architectures, and designing new storage networking infrastructures. He is a senior security professional with 30+ years experience in information and communications technology (ICT), working for government, academia, and industry. 40 Mr. Hibbard is active in formal storage and security standardization as well as organizations involved with data security and protection. He serves as the International Representative for INCITS/CS1 Cyber Security, Co-Chair of the E-Discovery and Digital Evidence (EDDE) Committee of the American Bar Association s Section of Science & Technology Law, the Vice Chair of IEEE Information Assurance Standards Committee (IASC), the Vice Chair of IEEE P1619 Security in Storage Work Group (SISWG), and the Chair of the Storage Networking Industry Association (SNIA) Security Technical Working Group. He is also involved with INCITS/T11, Information Systems Audit and Control Association (ISACA), Information Systems Security Association (ISSA), Trusted Computing Group, IEEE-USA Critical Infrastructure Protection Committee (CIPC), IETF, W3C, and the Distributed Management Task Force (DMTF). Mr. Hibbard currently holds the International Information Systems Security Certification Consortium (ISC) 2 CISSP certification as well as the ISSAP, the ISSMP, and the ISSEP concentration certifications. He also holds the ISACA Certified Information Systems Auditor (CISA) and the SNIA Certified Storage Engineer (SCSE) certifications. His educational background includes a B.S. in Computer Science and a credential in Data Communications.