It ain t all fluffy and blue sky out there!

Transcription

1 It ain t all fluffy and blue sky out there!

2 Who s this guy? Ward Spangenberg, Director of Security Operations, Zynga Game Network No - I won t whack the Petville boss who just broke into your cafe and made away with all your grave dirt riding a luvewe. Founding Member of the Cloud Security Alliance

3 What s he going to talk about? Definitions: Same starting point for everyone. Security: What does that even mean? Compliance: Did he just say compliance and cloud in the same sentence? Privacy: All your cloud belong to us. Stuff: quips, stories, advice, and hopefully some laughter.

4 Definition of Cloud Computing Cloud computing describes a system where users can connect to a vast network of computing resources, data and servers that reside somewhere cloudy, usually on the Internet, rather than locally or in the data center. Cloud computing can give on-demand access to supercomputerlevel power, even from a thin client or mobile device such as a smart phone or laptop. (or ipad) (@tomme Agreed. Quit arguing about definition. Common denominator: other people's ppl, other ppl's gear - let's focus on benefits #ccevent)

5 The NIST Cloud Definition

6 Definitions of Architecture IaaS: based on pure virtualization. Vendor owns all the hardware and controls the network infrastructure, and you own everything from the guest operating system up. You request virtual instances on-demand and let them go when you are done. PaaS: infrastructure as well as complete operational and development environments for the deployment of your applications. SaaS: a web-based software deployment model that makes the software available entirely through a web browser.

7 Architecture Model Examples

8 Deployment Models Public Private ("I'm just going to call a private cloud a data center." --Kash Rangan, Managing Director, Merrill Lynch) Hybrid Mongrel/Mutt

9 Why consider the cloud? Increased productivity Decreased capital investments Reduced Costs for IT Scalable systems with low overhead Increased Storage Flexibility Shift company focus

10 What works? Stateless Computer Intensive Non-sensitive data Changing workload pattern Increased workload with greater subscription rate

11 What doesn t work? Special hardware Huge data set Sensitive data Low latency requirements % Availability

12 Cloud Computing a security nightmare - John Chambers, CEO CISCO

13 Security + Cloud =? As my friend Hoff likes to say:...it is difficult to frame meaningful discussion around what security and Cloud Computing means... Yes, no, maybe. Actually security is not a cloud specific issue. The real struggle is operational, organizational and compliance issues that come with this new unchartered (or poorly chartered) territory.

14 What are you worried about?

15 Top Threats to Cloud Computing Abuse and Nefarious Use of Cloud Computing Insecure Application Programming Interfaces Malicious Insiders Shared Technology Vulnerabilities Data Loss/Leakage Account, Service & Traffic Hijacking Unknown Risk Profile

16 OWASP Top 10 A1 Injection A2 Cross Site Scripting (XSS) A3 Broken Authentication and Session Management A4 Insecure Direct Object Reference A5 Cross Site Request Forgery (CSRF) A6 Security Misconfiguration (NEW) A7 Failure to Restrict URL Access A8 Unvalidated Redirects and Forwards (NEW) A9 Insecure Cryptographic Storage A10 - Insufficient Transport Layer Protection

17 Web Application Security Consortium

18 Lessons? Somethings are no different in the cloud than they are in the enterprise. The bad guys still want to abuse the resources. It still comes down to data loss.

19 Many different actors are involved Complex policy requirements Simplified procedural operations Many moving parts Learning curve for operations & security staff Traditional security boundaries shift with cloud deployments

20 Who s your neighbor? The Process Next Door may be behaving badly or be under attack. Unbalanced resource consumption can affect operational availability. Shared IP space may have a bad reputation Possible hypervisor level attacks on IaaS platforms Re-using IP addresses leads to unintentional DoS

21 Is it the same building? Very different attack surface compared to traditional infrastructure Large attack surface + high profile = high value targets Who has access to your data? Clouds bypass the "physical, logical and personnel controls" IT shops exert over in-house programs* Lack of visibility into data access by privileged users

22 Got a handyman? Management tools & development frameworks may not provide all the security features they should or could. Tool vendors need to keep up to date with cloud providers feature enhancements. Limited security toolsets are available in cloud environments. Cloud forensics can be challenging.

23 Compliance possible? Ability to leverage compliance and certifications cloud provider already has. Difficult to get feature/policy/procedure changes from cloud vendor to meet other regulatory requirements or certifications. Distributed nature of cloud services can add jurisdictional issues to regulatory compliance. Investigative support & forensics may be difficult to obtain from your cloud provider.

24 Where for art thou? Increased regulatory complexities of having data stored in multiple legal jurisdictions. Foreign governments, agencies or corporations may gain access to your data without your knowledge. Increased data availability & resiliency of having data automatically replicated to multiple sites. Intra-application communications may unintentionally span multiple locations Cloud providers blocking or having their traffic blocked based on geographic location can have a major business impact.

25 Any chance that comes with a warranty? Long term viability of cloud partners is a critical consideration in PaaS vendors. Lock-in with IaaS & SaaS vendors may be less of an issue. Data transfer costs are can be the toughest part of vendor lock-in. As open cloud platforms emerge and the hybrid deployment model gains popularity, standards will ease some of the current lock-in concerns.

26 Does it matter? All types of cloud systems can be leveraged for malicious purposes. IaaS clouds can be used for large scale spam, DoS, or Command & Control functions. PaaS platforms have already been used as Command & Control for botnets. Hijacked accounts can be used to stage internal DoS attacks within the cloud provider s infrastructure. Defending against cloud based attacks can be extremely difficult.

27 Public deployment security issues Advantages Anonymizing effect Large security investments Pre-certification Multi-site system & data redundancy Disadvantages Collateral damage effect Data & AAA security requirements Regulatory Compliance & Certifications Multi-jurisdiction data store Fault tolerance & excess capacity Known vulnerabilities are global

28 Mongrel deployment security issues Advantages Externalization of attack surface Overcomes private cloud scaling limits Multi-site system & data redundancy Isolation & segregation of secure data Disadvantages Data transfer/access considerations Increased architecture complexity Credential management Regulatory Compliance & Certifications

29 Community Deployment Issues Advantages Increased redundancy & availability Shared risk & security costs Compliance & certification requirements Disadvantages Extremely high level of complexity Federation requirements Increased Privileged User attacks Easy targeting of high value systems

30 IaaS Security Issues Advantages Increased control of encryption Disadvantages Account hijacking Minimized privileged user attacks Credential management Ability to use familiar AAA mechanisms API security risks More standardized deployments Rapid cross vendor redeployment Full operational control at the VM level Lack of role based authorization Dependence on security of the virtualization platform Full responsibility for operations

31 PaaS Security Issues Advantages Less operational responsibility Instant multi-site business continuity Massive scale & resiliency Simplification of compliance analysis Built-in framework security features Disadvantages Less operational control than IaaS Vendor lock-in Lack of security tools, reporting, etc. Increased privileged user attack likelihood Cloud provider s long term viability

32 SaaS Security Issues Advantages Disadvantages Clearly defined access controls Vendor is responsible for datacenter & application security Predictable scope of account compromise Integration with internal directory services Simplified User ACD Inflexible reporting & features Lack of version control Inability to layer security controls Increased vulnerability to privileged user attacks No control over legal discovery

33 Stuff you should know Cloud Security Alliance Sun s Cloud Security Toolshttp:// ity.jsp AWS Azure Opscode

34 Yes, I play Farmville, Petville, Fishville, Texas Hold em, Mafia Wars, Vampire Wars and occasionally Yoville.

35 Ward Spangenberg