Cloud Security Development and Standardization Focusing on ITU-T FG
Koji NAKAO, KDDI Corporation, Information Security Fellow
Content
- Current Security Threats (e.g. malware, DDoS, targeted attacks)
- ITU-T FG Cloud Computing: Objectives, Management
- FG Cloud Computing Activities: Deliverables, Cloud Security
- Future Direction
Internet Users Transition (researched by MIC)
A short history of computing & insecurity (timeline produced by Meng Chow Kan; the years on the timeline axis are not recoverable from the extracted slide)
Computing eras: Standalone Systems; Disk/Diskette Sharing; Client-server/PC-LAN Networks; Internet; Collaboration (Email, Web, IRC, IM, P2P, File Sharing).
Early platforms: Apple II Computer, Commodore, Atari, TI-, TRS-.
Attacker motivation phases: Discovery; Experimentation; Computer Crimes; Cyber Crimes; Criminal Exploitation; Information Warfare.
Vulnerability classes: Protocol Weaknesses/Buffer overflow; Insecure Default/Weak Security Techniques/Feature Misuse/Social Engineering.
Assurance standards: Trusted Operating Systems (Orange Book); Trusted Network (Red Book); ITSEC First Concept; UK Green Book to BS 77 to ISO 77; Common Criteria (ISO 54).
Malware and incident milestones: First Worm developed in Xerox Palo Alto; First Self-destruct program (Richard Skrenta); First Self-replicate program (Skrenta's Elk Cloner); Ken Thompson demos first Trojan Horse; Fred Cohen's VAX Viruses; Brain Virus developed by two Pakistanis; Yale, Cascade, Jerusalem, Lehigh, etc.; Morris Worm; Cuckoo's Egg in LBL; FBI arrest of 44s Hacker Group; Stealth virus (Whale); Variable Encryption (26); Robert T Morris fined $K, 3 years probation; First Concept Macro Virus; Phishing begins in AOL; Kevin Mitnick arrested, five years imprisonment; Melissa virus ($m); Excel Macro Virus (cross platform); Solar Sunrise - two California teens attack on 5 Military, Govt, & Private Computer Systems; Philippines I LOVE YOU virus; Code Red; Nimda; Slammer; Blaster; Welchia; MyDoom; Sasser; Melissa's author sentenced 2 months jail; DDoS on 3 root servers; SPAM Mails; Phishing attacks proliferated; Spyware; Bots; Pharming attacks (DNS poisoning).
Monitoring data through a darknet
Darknet: unassigned IP address space; the addresses are not connected to any real servers or PCs, so nothing legitimate should ever be sent to them.
Types of packets arriving at the darknet: scans by malware; malware infection behaviour; backscatter from DDoS attacks; misconfigurations/mistakes.
It is very useful for observing serious attack behaviour across the Internet.
Atlas: real-time visualization of the sources of packets arriving at our darknet.
CUBE: 3-D display of real-time incoming packet flow, showing arrivals of scanning packets.
Packet categories displayed: UDP; TCP SYN; ICMP; TCP SYN/ACK; TCP other than SYN or SYN/ACK.
Patterns made visible: port scanning, address scanning.
Basic concept of botnets (according to analysis of the Agobot source code)
The owner of the botnet (the herder) transmits malicious orders via an IRC server; sometimes many IRC servers are used, and they are configured at sites the herder has hacked. Infected PCs at home and in companies receive the orders over the Internet and carry out DDoS, spam, or any other attack against the target.
Correlation between network monitoring and malware analysis
- Darknet monitor, MacS (Macro analysis System): visualization (3D view, WM view) and an analysis engine observe phenomena such as worms and bot viruses.
- Honeypot, MicS (Micro analysis System): a code analyzer and a behavior analyzer inspect malware samples to find the root cause.
- NemeSys (Network and malware enchaining System): a correlation engine and an analysis workbench bind darknet traffic to malware samples.
- IHS (Incident Handling System): produces incident reports for government, Internet Service Providers (ISPs) and end users.
Correlation analysis: "in the wild" (darknet) correlated with "in the lab" (honeypot)
Goal: to bind phenomena (attacks) observed from the darknet to the root cause (malware) inspected in the honeypot system. The analysis specifies the type of malware assumed to be on the infected host; that is, a scan observed in the darknet may have been sent by that malware.
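Added example (not from the presentation, and not the MacS/MicS/NemeSys tooling it describes): the CUBE packet categories from the monitoring slides and the darknet-to-honeypot binding described here, written in Python over constructed packet records. The source addresses, sample names and the port-subset matching rule are assumptions for illustration.

```python
from collections import defaultdict
# Constructed darknet arrivals: (src, dst, proto, tcp_flags, dst_port)
DARKNET = [
    ("198.51.100.7", "192.0.2.1", "tcp", "S", 445),
    ("198.51.100.7", "192.0.2.2", "tcp", "S", 445),
    ("198.51.100.7", "192.0.2.3", "tcp", "S", 445),
    ("203.0.113.9", "192.0.2.5", "tcp", "S", 21),
    ("203.0.113.9", "192.0.2.5", "tcp", "S", 22),
    ("203.0.113.9", "192.0.2.5", "tcp", "S", 80),
    ("203.0.113.50", "192.0.2.77", "tcp", "SA", 80),  # SYN/ACK: backscatter
    ("203.0.113.50", "192.0.2.78", "tcp", "SA", 80),
    ("198.51.100.200", "192.0.2.9", "udp", "", 1434),
]
# Constructed honeypot ("in the lab") profiles: sample name -> ports it scans
LAB_PROFILES = {"bot-sample-A": {135, 445}, "bot-sample-B": {21, 22, 23, 80}}

def packet_class(proto, flags):
    """The five CUBE categories: UDP, ICMP, TCP SYN, TCP SYN/ACK, TCP other."""
    if proto != "tcp":
        return proto.upper()
    return {"S": "TCP SYN", "SA": "TCP SYN/ACK"}.get(flags, "TCP other")

def profile_sources(packets):
    """Per source: destinations hit, ports hit and CUBE classes seen."""
    per_src = defaultdict(lambda: {"dsts": set(), "ports": set(), "cls": set()})
    for src, dst, proto, flags, dport in packets:
        rec = per_src[src]
        rec["dsts"].add(dst)
        rec["ports"].add(dport)
        rec["cls"].add(packet_class(proto, flags))
    return per_src

def label_source(rec):
    """Phenomenon seen 'in the wild': address scan, port scan or backscatter."""
    if rec["cls"] == {"TCP SYN/ACK"}:
        return "backscatter"  # replies to SYNs we never sent: DDoS with spoofed sources
    if len(rec["dsts"]) > 1 and len(rec["ports"]) == 1:
        return "address scan"
    if len(rec["dsts"]) == 1 and len(rec["ports"]) > 1:
        return "port scan"
    return "other"

def classify_sources(packets):
    return {src: label_source(rec) for src, rec in profile_sources(packets).items()}

def bind_to_malware(packets, profiles):
    """Phenomenon -> root cause: scanning sources whose port set fits a lab profile."""
    return {src: sorted(n for n, p in profiles.items() if rec["ports"] <= p)
            for src, rec in profile_sources(packets).items()
            if label_source(rec).endswith("scan")}
```

Backscatter sources are deliberately excluded from binding: the victim replying to spoofed SYNs is not infected, so matching its traffic to a malware profile would mislabel it.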
Cyber Clean Center (CCC) activities
( ) Infection activities from bot-infected PCs (users of participating ISPs) reach the honeypots.
(2) Detection of infection activities: the honeypots capture the bots; analysts analyse them and related information.
(3) Preparation of bot removal tools.
(4) Requesting the ISPs to identify the infected PCs.
(5) The ISP identifies the infected PCs.
(6) Sending e-mail to alert the user of the infection and urge removal of the bot.
(7) The user accesses the countermeasures website.
( ) The user downloads the bot removal tools.
Bot-infected PCs of general users (not customers of participating ISPs) access the disclosure website and download the bot removal tools from there.
Infection rate of malware in the world (based on the Microsoft Security Intelligence Report)
Cloud Security?
1) Cloud computing is just a new business model, not a new set of technologies; it is a broader combination of existing technologies.
2) Most of the security threats currently recognized in existing business carry over directly into the cloud environment.
3) Are any new technologies required specifically for the cloud?
4) If we (cloud users) require security capabilities from cloud service providers, we cannot tell whether the providers have implemented those requirements correctly.
5) By combining existing security countermeasures, we have to develop an appropriately secure cloud environment.
ITU-T Focus Group (FG) on Cloud Computing
FG meetings:
- The 1st meeting: 4th-6th June 2, Geneva, 4 participants, countries
- The 2nd meeting: 2nd-6th September 2, Geneva, 35 participants, countries
- The 3rd meeting: 3th Nov.-3rd Dec. 2, Lannion, 3 participants, countries
The objective of the Focus Group: to collect and document information and concepts that would be helpful for developing Recommendations to support cloud computing services/applications from a telecommunication/ICT perspective.
Management team: Chair: Victor Kutukov (Russia); Vice-Chairmen: Jamil Chawki (France), Kangchan Lee (Korea), Mingdong Li (China), Monique Morrow (USA), Koji Nakao (Japan).
Major categories of cloud services for telecommunication/ICT discussed in the FG
- Application services (SaaS)
- Resource services (IaaS)
- Platform services (PaaS)
- Network services (NaaS): the capability provided to the consumer by telecommunication operators is network communications, billing and intelligent features delivered as services.
- Communication services (CaaS): the capability of hardware and software to support communication and collaboration services, such as voice over IP, instant messaging and video conferencing, for both fixed and mobile devices.
- Security services (SaaS: Security as a Service): the capability provided to the consumer is delivery of core security services remotely over the Internet. While the typical security services provided are rudimentary, more sophisticated services such as identity management are becoming available.
Cloud Ecosystem (France)
Content: Cloud Security in the FG
1) Review the existing activities (from CSA, DMTF, GICTF, ...) including the liaison from SG7 (Overview of SDOs)
2) Considerations on security threats based on the ecosystem or RA use cases (Security Threats)
3) Security requirements from the viewpoints of providers, users and management (Security Requirements)
4) Subjects for security study in ITU-T (Security Subjects)
Cloud security work in SDOs
- CSA and CSA/TCI (Cloud Security Alliance / Trusted Cloud Initiative)
- DMTF
- GICTF
- NIST
- Open Cloud Manifesto & Cloud Computing Use Cases Group
- CloudAudit
- OASIS
- OMG
- ISO/IEC JTC/SC27
Cloud Security Alliance (CSA) initiatives in progress/released
- CSA Guidance V2. (released Dec 2)
- CSA Top Threats Research (released March 2)
- CSA Cloud Controls Matrix (released April 2)
- Trusted Cloud Initiative (release Q4 2)
- Consensus Assessments Initiative Questionnaire (CAIQ)
- CloudAudit
- The Governance, Risk Management and Compliance (GRC) Stack
- The Telecommunication working group
- Cloud CERT
- Certificate of Cloud Security Knowledge (user certification)
CSA: Cloud Controls Matrix
- Divided into 3 domains
- Contains 7 controls
- Cross-referenced to COBIT, HIPAA, ISO and NIST
Threats for cloud users
1) Lack of trust in the cloud provider's security level: cloud users often find it difficult to recognize a cloud service provider's trust level (security level) when using cloud services. Furthermore, cloud users have no means of evaluating the level of security implementation actually achieved by the provider.
2) Lack of information/asset management: when adopting cloud computing services, the cloud user has serious concerns about the lack of information/asset management by cloud service providers, such as the location of sensitive assets/information, lack of physical control over data storage, reliability of data backup (data retention issues), countermeasures for BCP and disaster recovery, and so on. Furthermore, cloud users also have important concerns about exposure of data to foreign governments and about compliance with privacy law such as the EU Data Protection Directive.
3) Data loss and leakage: loss of an encryption key or privileged access code brings serious problems to the cloud user. Accordingly, lack of management of cryptographic information such as encryption keys, authentication codes and access privileges leads to heavy damage through data loss and unexpected leakage to outside parties.
4) Loss of account/service management: account or service hijacking is not a new threat. Attack methods such as phishing, fraud and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. Your account or service instances may become a new base for the attacker. From here, they may leverage the power of your reputation to launch subsequent attacks (from CSA).
5) Others
Security requirements for users
(Requirement-1) A method for trusting the cloud provider's security level shall be provided. Security assessment, security audit and security certification/accreditation schemes shall be established so that a cloud user can select an appropriate cloud service provider based on their security requirements. Furthermore, security criteria for the selection shall be implemented so as to provide a mutual understanding of the security level between cloud user and service provider.
(Requirement-2) Information/assets shall be appropriately managed in a secure and reliable manner. The location of the cloud user's sensitive assets/information, physical control over data storage, reliability of data backup, and countermeasures for BCP and disaster recovery shall be appropriately implemented as a requirement from the cloud user's perspective.
(Requirement-3) Confidentiality/integrity of data against loss or leakage shall be ensured. Cryptographic management information such as encryption keys, authentication codes and access privileges shall be securely managed and controlled as a requirement from the cloud user's perspective. This is needed to guard against loss or leakage of data caused by insufficient authentication, authorization and audit (AAA) controls; inconsistent use of encryption and/or authentication keys; operational failures; disposal problems; and so on.
(Requirement-4) Proper account/identity management against account/service hijacking shall be provided. The IDs used for account/service management between cloud user and service providers shall be appropriately implemented as a requirement from the cloud user's perspective. This is needed not only to protect against phishing, fraud and exploitation of software vulnerabilities, but also to ensure the correct use of accounts/services in an inter-cloud environment.
(Requirement-5) Others
Security subjects (draft)
1) Security management and audit technology
   a) Guidelines for identifying security requirements for the cloud user
   b) Security guidelines or security criteria for assessing and auditing cloud service providers
   c) Standardized SLA (Service Level Agreement) template
2) BCP/disaster recovery and storage security
3) Security and privacy protection
4) Account/identity management
5) Network monitoring and incident response
6) Others
The CYBEX initiative: basic model for information exchange
A cyber security organization acquires cyber security information (acquisition itself is out of scope), structures the information, identifies and discovers cyber security information and organizations, and exchanges the information with other cyber security organizations over a trusted exchange; how the receiving organization uses the information is likewise out of scope.
The work item "Network monitoring and incident response" identified in the FG will be studied in connection with CYBEX (Q4/SG7 in ITU-T) and Cloud-CERT.
Direction of research on cloud security?
1) Security for cloud users and providers
- Lack of transparency of the technical components and their implementation inside cloud providers.
- Recognizing the importance of monitoring and tracing capabilities for incidents in the cloud (behaviour monitoring): visualization of data transfer in the cloud (Atlas-X, video); implementation of risk assessment; how to configure firewalls/IDS; Security as a Service; etc.
- Threat analysis: evaluate and assess cloud service providers from the outside (vulnerability testing, technical security audit, etc.).
Direction of research on cloud security?
2) Security technologies that use the cloud
- Implement security monitoring tools such as honeypots (emulating Web, DNS, FTP, etc.) as a cloud user.
- Construct a platform for security information sharing using the cloud.
- Implementation methods for Security as a Service (SaaS).
Security lifecycle: Design Security* -> Implement & use Security* -> Monitor & review Security* -> Maintain & improve Security*