DEBUNKING THE MYTHS OF CLOUD SECURITY

Transcription

1 DEBUNKING THE MYTHS OF CLOUD SECURITY

2 DEBUNKING THE MYTHS OF CLOUD SECURITY The benefits of cloud are extensive. Cloud enables rapid deployment, provisioning and scaling of IT resources, which means users can integrate acquired companies easier and enter new markets faster while shortening development times, reducing waste and lowering costs. But despite growing cloud adoption rates, some companies are still reluctant to aggressively move workloads and applications to the cloud. The reason is security. Security remains one of the major concerns in moving applications to the cloud and selecting the right cloud provider. It s time to separate fact from fiction and debunk some cloud security myths about Infrastructure as a Service (IaaS) the building blocks for all other cloud services. Figure 1 is a simplified illustration of a multitenant cloud delivering IaaS supporting two subscribers. Physical resources are shared. The hypervisor layer splits the CPU of the hardware into compute cycles that can be used by different virtual machines belonging to different customers. The management layer depicts types of management services that the cloud service provider can offer. Firewalls are shown coming into the cloud and in front of each of the two customers environments. Significant differences exist in firewalls and management layer functionality between cloud providers. CUSTOMER NETWORK INTERNET CLOUD PLATFORM CUSTOMER 1 ENVIRONMENT CUSTOMER 2 ENVIRONMENT REPORTING VIRTUALIZATION (HYPERVISOR) LAYER SECURITY CPU NETWORK STORAGE PATCHING PHYSICAL LAYER MANAGEMENT LAYER Figure 1. Infrastructure as a Service MYTH 1: CUSTOMERS IN THE CLOUD CAN EASILY ATTACK EACH OTHER A persistent myth concerning cloud computing is that a multitenant cloudbased infrastructure is inherently more vulnerable than a traditional IT infrastructure. In a public cloud, customers share a pool of compute, storage and network resources. The first common concern is that, because resources are shared, cloud subscribers are more easily subject to attack by other customers using the same service. 1

3 To dispel this myth, let s examine the three basic attack vectors in a multitenant environment: 1. Attacks on the virtualization or hypervisor layer that houses customer workloads 2. Vulnerabilities within the management layer provided by the cloud service provider 3. Network threats between clients (hopping from one client internal network across to another) 1. Attacks on the Hypervisor Layer Subscriber segregation in a cloud environment occurs at the hypervisor layer. Hypervisors distribute, assign and manage shared access to CPU, memory and storage resources. In a multitenant environment, the virtual disk devices that hold a customer s data are logically separated from those of other customers by the security controls of the hypervisor. Using hypervisor technology, at the cloud layer, sets of virtual devices are logically segregated and offered to subscribers as if they were completely disparate data centers. So, the quality and security of the hypervisor is critical in cloud. Hypervisors are extremely difficult to attack. They have a small code base and open attack surface. Microsoft Windows, which is thousands of times larger, is much more vulnerable and subject to attack than the hypervisor. There is evidence of very few attacks where a virtual machine has been able to elevate its privileges due to a hypervisor attack or to gather data from other virtual machines. 1 One of the most interesting attacks was carried out on Amazon s EC2 platform, where researchers were able to steal a cryptographic key in a side channel attack. 2 Although it has been proven in laboratory conditions that it is theoretically feasible, actual data suggests that attacks at the hypervisor level are practically nonexistent. If legal or regulatory requirements demand more resource segregation between subscribers, organizations can choose a cloud provider that offers services using dedicated resources. Dedicating memory and CPU resources prevents any malicious activity being performed by another cloud subscriber that would compromise the hypervisor and potentially allow access to memory or CPU resources of the subscriber s virtual machines. 2. Attacks at the Management Layer The hypervisor, like any IT service, must be patched and maintained. New versions and updates provided by suppliers must be installed through a management interface, which in turn is vulnerable to attack. However, unlike normal software patching, the management interface of a hypervisor can be completely isolated from the end user resources running on top of it, by placing it on a separate management network. As a result, a malicious customer cannot use it to launch a direct attack. The same argument is valid for other resources (networks and storage), which also have separate management channels that are not accessible by cloud subscribers. The cloud subscribing organization needs to have confidence that its chosen cloud provider has stringent controls in hiring, separation of duties and access controls for their cloud operations and management staff, particularly those 2

4 that have access to the management layer. These controls mitigate the risks of attack from inside the cloud provider s organization. Key provider controls should include: Personnel background checks on all employees as a baseline condition Separation of staff duties and limitation of access, with frequent audits in place to ensure compliance Strong multifactor authentication for access Secure VPN access points using encrypted communication channels Monitoring and audit trail for all access Monitoring for rogue wireless access points Removal of the desktop for support personnel as a potential attack path Stringent management change process and controls Periodic vulnerability scans 3. Multitenant Network Threats Another concern in multitenant environments is in preventing customers of the same provider from gaining access to the same networks. This concern is typically mitigated through isolation of the virtual area network (VLAN) (reference IEEE802.1Q based VLAN isolation). For example, VMware vcloud Director can be used to create consistent secure VLANs, and the VMware Distributed Virtual Switch enforces the separation of traffic between the different VLANs. Following are additional ways to mitigate the potential network risks in a multitenant cloud environment: First, a distributed virtual switch can potentially span an entire data center as well as all clusters and hosts contained within it. This can result in perimeter security deployed upon a cluster running virtual machines for other customers. A cloud provider could mitigate this concern by limiting Distributed Virtual Switch membership to hosts within the client s dedicated environment. Second, the provider implements a secure, encrypted site-to-site tunnel that terminates directly in a single subscriber s cloud environment. This enables the commercial cloud to become an extension of the subscriber s existing network. Third, a subscriber can request that the cloud provider build a high-speed, dedicated connection from the subscriber s cloud environment to the client s on-premises data center. When companies migrate strategic workloads and applications to the cloud, often these private networking options are preferred. Debunked: It is not easy for an attack to be triggered from another cloud subscriber in a multitenant cloud environment. Moreover, some cloud providers also offer dedicated compute and networking options to further mitigate risks. Cloud subscribers should evaluate their applications and requirements and choose a cloud provider and cloud offering based on the needs of their applications. 3

5 MYTH 2: EXTERNAL INTERNET THREATS ARE MORE THREATENING IN THE CLOUD Some of the top external security issues, identified by the 2013 Cloud Security Alliance, include data breaches, account hijacking, insecure APIs and denial of service. These concerns are not new to the Internet economy. A variety of defenses can be used against these attacks, including basic firewalls, vulnerability scanning, encryption, network intrusion detection and network intrusion prevention, multifactor access control, and monitoring. Implementing a series of concentric defenses can provide a stronger security posture. To make the analogy of protecting your home, having a deadbolt on your front door does not tell you if a burglar is turning the doorknob or rattling the window to see if they are unlocked. It only stops the burglar from coming through the front door. By implementing systems such as intrusion detection and intrusion prevention alongside the firewalls, the environment identifies if someone is trying to find a way in (and if they are successful). The additions of encryption and vulnerability scanning add even more layers of protection. Often cloud providers deploy more stringent security tools and disciplined processes than individual companies or subscribers might employ on their own. For example, a cloud provider can provide 24x7 security monitoring, whereas a company may only support monitoring during working hours. Also, a cloud provider s bandwidth is much greater than that of a single company or subscriber, and this alone reduces the chance of a successful denial-of-service attack. Often bad guys attack through the customer s own network including via laptops or servers in non-cloud data centers. To limit the success of these types of attacks, subscribers can use desktop virtualization services, combined with firewalling, to reduce the attack surface from office locations. Basic service management remains a challenge for even the most security-conscious enterprises, making this type of attack more likely than a direct attack on the cloud. Phishing attacks also represent weak links, despite security awareness training given to users. Taking all this into consideration, the cloud is clearly not the weakest link. Debunked: External Internet threats are real, but no more threatening to the cloud than any other service delivery environment. Enterprises deploying a private cloud must provide the same level of scrutiny on detection and prevention that they would if they were deploying workloads using a hosting provider or their own internal IT infrastructure. MYTH 3: YOU CAN T CONTROL WHERE YOUR DATA RESIDES IN THE CLOUD Data residency is a key concern, and many countries have regulations that don t allow personal data to be exported to or stored in another country. When data residency is a concern, particularly for personally identifiable information, private health information, and tax and financial information, then a subscriber must take into account where a provider operates cloud data centers. Cloud subscribers needing to deliver services on multiple continents must choose a service provider that adheres to the required data governance policies by country. In addition, many subscribers want a contractual guarantee to audit the locations where their cloud services are deployed, where their data is stored and how data replication is handled. Debunked: This myth is easily addressed by selecting a cloud provider with a global footprint and with providers offering data accountability. When the workloads and applications being moved to cloud require it, private cloud is a simple way to address data governance. 4

6 MYTH 4: CERTIFICATIONS ARE STANDARD IN A CLOUD ENVIRONMENT AND PROVIDE ASSURANCE TO SUBSCRIBERS The same certifications that clients trust in traditional IT service delivery environments can be applied to applications running in a cloud environment. Whether it is SSAE 16 for financial services, PCI-DSS for credit card processing, or HIPAA for healthcare records, certifications and compliance regulations are the foundation for building a trustworthy service. It s important to note that compliance in cloud is really no different from compliance in a hosting environment, except in how the infrastructure and applications are assembled on a single distributed infrastructure. While we are used to an implementation of a collection of servers in a hosting data center, the cloud changes this with an instantiation of a virtual collection of servers on a single infrastructure. The rules for securing the data have not changed, but the methods have. Last, it is also important to realize that certifications are a trailing indicator of how secure a platform may be, since standards are always trying to keep up with the latest trends. That s why it s important to make sure your cloud provider stays ahead of new risks and vulnerabilities. Making the front page of The Wall Street Journal or The Economic Times over a breach on a certified platform because of an exposure the cloud provider ignored is an issue. Focusing only on certification is not sufficient. Debunked: Certifications are good reference points, but taken alone, they are insufficient proof points that the cloud provider will satisfy all the subscribing organization s security and compliance needs. Ultimately the cloud consumer is accountable for ensuring that their organization s security and compliance requirements are met. Subscribers need to understand the security capabilities and processes of their cloud provider and not rely on certifications alone. MYTH 5: CLOUDS ARE NOT INHERENTLY TRANSPARENT Lack of transparency or visibility into the cloud environment to enable IT governance is often cited as an issue in moving workloads to the cloud. Digital trust requires transparency or visibility into a cloud environment. Transparency ensures that the subscriber can implement standard IT governance practices. Visibility requires knowledge and access to real-time or near-real-time information on: Who is using the environment and when it is being used How the virtual environment is performing Access of billing information in granular detail Change management reports Access to security reports, including: Vulnerability alerts Intrusion detection Firewall rule set reports Audit log management reports Subscribers need the ability to view reports and real-time information online. Online reporting not only allows on-demand access to critical and time-sensitive information, but also builds trust in the cloud provider through verification. Debunked: Transparency in the cloud is feasible. Not all cloud providers place an emphasis on this or spend the dollars to provide the visibility that enterprise cloud users should demand. Compare and contrast transparency and security reporting features and capabilities of cloud providers before making a decision. 5

7 THE CSC CLOUD SECURITY DIFFERENCES CSC differentiates itself in three primary areas: our security expertise; integration of leading security technology and our own intellectual property as the foundation for our cloud services; and providing the additional security and data protection options to tailor clouds to meet a client s application and industry-specific needs (see Figure 2). We offer multiple delivery options to our clients to implement IaaS with progressively high levels of resource segregation: CSC CloudCompute deploys leveraged resources in a highly secure, resilient environment with virtual segregation of clients and applications. Dedicated VPN and point-to-point connectivity is optional. CSC BizCloud VPE delivers compute and network and point-to-point connectivity dedicated to a single client and logically segregated storage, with an entire datastore dedicated to a single client. CSC BizCloud is a private cloud with physically segregated resources deployed from CSC worldwide cloud data centers or from the client s environment. OUR CLIENTS AND SECURITY EXPERTISE LEADING TECHNOLOGY AND BEST PRACTICES SECURITY OPTIONS TO MEET YOUR NEEDS Trusted Cloud Controls Program built on basis of 50+ years of outsourcing experience Holistic defensein-depth security framework 24x7 incident response by security experts Higher assurance requirements delivered Enterprise-class firewalls and access control frameworks Security from the edge to the endpoint with VMware vcloud Director, vshield, and vsphere Network intrusion detection monitoring and vulnerability scanning Full transparency into service performance and location of applications and data Additional Cybersecurity options for cloud integration CloudBackup and CloudDR Dedicated hostbased intrusion prevention services Encryption of Data at Rest Figure 2. The CSC Cloud Security Difference 6

8 CUSTOMER RESPONSIBILITY While we ve addressed some commonly held myths about cloud security, ultimately the cloud subscriber needs to examine the security and compliance requirements for each application being migrated to the cloud. The consumer needs to match their applications requirements to the cloud provider that delivers on the security and data protection that s required. CSC SECURITY EXPERTISE CSC is not only recognized as a worldwide leader in IaaS; 3 we are also recognized as a leader in providing managed security services. 4 We have more than 1,700 cybersecurity professionals and five integrated global security operations centers, and our security experts provide round-theclock incident response. In developing and managing our Enterprise Cloud services, we ve applied best practices gleaned from more than 50 years of delivering IT outsourcing services to public sector and high-security enterprise customers. Our cloud controls program covers compliance, data governance, facility security, and risk management and information security. Our clouds are based on a holistic defense-in-depth security framework that delivers the physical and logical security, access control and data integrity options needed to support production applications. INTEGRATION OF LEADING TECHNOLOGIES Our multiboundary cloud infrastructure safeguards against intrusions, breaches, viruses and worms. We combine and integrate leading technologies within our cloud services to enable: Encryption of VPN traffic entering and leaving the CSC cloud Use of VLAN within the cloud to separate and protect traffic and data Firewalls or virtual firewalls between organizations and between virtual applications in an organization s cloud environment Protection against network-based threats network intrusion prevention Active Directory integration for authentication and security policies Group and role-based access control (RBAC) with integration into the subscriber organization s AD/LDAP directory MPLS and dedicated VPN connections CSC s Enterprise Cloud delivers the transparency needed to monitor performance and gain full visibility into the cloud environment. Visibility into our services includes performance, security, availability and usage tracking, along with show-back/bill-back, enabling effective governance, security and management control. 7

9 SECURITY OPTIONS With CSC IaaS, we provide infrastructure monitoring, service desk and data services to every client, and offer data protection services such as backup and disaster recovery as options. We provide additional security options to our clients such as Host Intrusion Prevention Services (HIPS), CSC Audit Log Assurance Services, and encryption for data at rest. CSC offers a variety of encryption services to protect our clients critical data while it is at rest, in transit or in storage. CSC always delivers encryption of data in motion, without exception. Any interface that is not encrypted is simply not welcome. CSC offers encryption for data at rest based on the client s requirements and needs. CSC Audit Log Assurance supports companies obligated to comply with government mandates such as the Sarbanes-Oxley Act (SOX) and the Gramm- Leach-Bliley Act (GLBA). It is a CSC service that ensures all vital network and system logs are centrally stored, correlated and analyzed by our team of security experts to lower the total cost of ownership and increase our clients ability to track infrastructure resources across the enterprise. As an optional service for our clients, we also provide security scanning at the operating system level, based on what application/version level is installed and the patches issued to address bug fixing. CSC offers a highly secure cloud environment with the choices organizations need to match their industry and application requirements to CSC s cloud deployment models and security options. We hope you will consider CSC as your cloud provider. 1 This is clear if one searches through the National Vulnerability Database ( and compares the number of serious vulnerabilities of hypervisors like VMware ESX with, for example, operating systems. 2 Cross-VM Side Channels and Their Use to Extract Private Keys, Yinqian Zhang, Gartner, Inc.: Magic Quadrant for Cloud Infrastructure as a Service, 19 August 2013, by Lydia Leong, Douglas Toombs, Bob Gill, Gregor Petri, Tiny Haynes. 4 The Forrester Wave: Managed Security Services: North America, Q1, 2012, by Ed Ferrara with Nick Hays and Stephanie Balaouras. 8

10 Worldwide CSC Headquarters The Americas 3170 Fairview Park Drive Falls Church, Virginia United States Asia, Middle East, Africa 20 Anson Road #11-01 Twenty Anson Singapore Republic of Singapore Australia 26 Talavera Road Macquarie Park, NSW 2113 Australia +61(2) Central and Eastern Europe Abraham-Lincoln-Park Wiesbaden Germany Nordic and Baltic Region Retortvej 8 DK-2500 Valby Denmark South and West Europe Immeuble Balzac 10 place des Vosges Paris la Défense Cedex France UK and Ireland Region Royal Pavilion Wellesley Road Aldershot, Hampshire GU11 1PZ United Kingdom +44(0) About CSC CSC is a global leader in next-generation IT services and solutions. The company s mission is to enable superior returns on our clients technology investments through best-in-class industry solutions, domain expertise and global scale. For more information, visit us at Computer Sciences Corporation. All rights reserved.