Security & Cloud Services
Ian Kayne
Cloud Components
[Diagram: three layers. Cloud Services: dynamically scalable infrastructure, services and software based on broad network accessibility (Public, Private, Hybrid; single & multi-tenant). Network Access: Private WAN, Internet, Hybrid. Internal Estate: user devices, BYO, IT estate, data.]
Cloud Services
[Diagram: service models, with customer control increasing and provider control decreasing from SaaS down to IaaS]
- SaaS (Software as a Service): managed messaging, applications, web services. Abstraction of environment; end-user application provision. Customer: least control; provider: most control.
- PaaS (Platform as a Service): operating systems, middleware, database. Abstraction of infrastructure; tool and service provision.
- IaaS (Infrastructure as a Service): compute power, storage & backup, networking, automated scalability & resilience, virtual datacenter. Customer: most control; provider: least control.
Virtualization
[Diagram: resource pool of physical servers running VMware ESX/ESXi hypervisors]
[Diagram: physical host running the VMware ESXi hypervisor with a virtual switch, virtual storage network and shared storage]
[Diagram: two VMware ESXi hypervisor hosts separated into zones]
Virtualization Attack Vectors
- App level attacks (especially legacy apps)
- O/S level attacks
- Infrastructure attacks
- Hypervisor breakout
  - VENOM flaw (2015): escalation from a VM via a flaw in a legacy disk driver
  - Remote DoS of the VMware ESXi hypervisor (2012): no authentication/credentials required; breaks the vSphere SOAP API; infrastructure management tools lose all connectivity
Cloud Attack Vectors
All the virtualization attack vectors, plus:
- Insecure web app design (OWASP Top 10)
- API flaws
- Platform service flaws (middleware, databases etc.)
- Management system flaws
- DoS (resource exhaustion)
- Access-anywhere credential theft
- Plus the attacker gets free access!
Security Principles
- Integrity
- Confidentiality
- Availability
Cloud Provider - Security
- Standard security practices, OWASP Top 10
- Customer / environment isolation (zoning)
- Enhanced auditing
- Service & architecture based on customer need (e.g. PCI)
- Security Information & Event Management (SIEM): collation of monitoring data from multiple sources; agent / SNMP based; centralized storage & assessment; trend analysis and deviation-from-norm alerting (tuning required)
Cloud Customer - Considerations
- Regulatory compliance challenges
- Unknown risk profiles, black-box service
- Low data and service portability
- Vendor tool and service restrictions
- Visibility: loss of hands-on control of valuable data
- Privacy: the cloud provider has access to data
- Education
- Identity management islands
- BYOD
- Network reliance
- Multi-tenant interference
- Enforced change to environment
- Inaccessibility on network or vendor outage (DDoS)
Security Design Principles
- Cloud customers must protect both internal and cloud services (shared responsibility)
- Defence in depth: DMZ / bastion / perimeter security controls
- Least privilege
- Fail secure, fail closed, default deny
- Simplify (economy of mechanism)
- Avoid shared access mechanisms (least common mechanism)
- And a few more (no security through obscurity etc.)
More Security Design Principles
- Human factor & usable security
- Password policies
- People are often the weakest link
- Cloud services reduce the control over systems & data
Data Classification
[Diagram: data held in cloud services alongside data in the customer's internal infrastructure]
- The cloud customer's security challenge is data classification: knowing the value of your data
Data Classification
- Know the value of data
- Understand the impact of data aggregation
- Understand the impact of a security breach
- Understand data states: in use (in memory: stack, heap); in motion (in transit: network); at rest (in storage: disk)
- Data protection = encryption?
Encryption
"Any encryption keys must exist as long as the encrypted data exists. And storing those keys becomes as important as storing the unencrypted data was. In a way, encryption doesn't reduce the number of secrets that must be stored securely; it just makes them much smaller." - Bruce Schneier
- Data at rest: encryption plays a supporting role and keeps data confidential from the cloud service provider, but an attacker doesn't attack the encryption itself
- Encryption has a cost: time and processing
- Access and end point control is critical
Convenience > Security
- Every website. Every web browser.
- Convenient apps (e.g. LastPass).
Encryption Keys
"We suffered a security breach, but our confidential customer data was encrypted"
- How was the data used?
- Where were the keys stored?
"All sensitive data is encrypted and decrypted locally before syncing with LastPass. Your key never leaves your device, and is never shared with LastPass. Your data stays accessible only to you."
Cloud Encryption Appliances
[Diagram: plain text passes through an on-premises encryption appliance and leaves for the cloud service encrypted]
- Encryption happens on premises before transmission to the cloud service
- Separates key storage from data at rest
- Requires a two-pronged attack to breach data
Data Loss Prevention
- Proactive detection & prevention
- Network egress points
- End point protection
- Detects sensitive information in transit based on policy
- Used by organizations with critical confidential data that's widely accessible to internal staff (e.g. banks)
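The policy-based detection the slide describes, as an added example that is not part of the original deck: a small egress scanner that applies two constructed policy rules (payment card numbers validated with the Luhn check, and UK National Insurance numbers) to made-up outbound content lines. The rules, sample lines and function names are this example's own assumptions, not a particular DLP product's.

```python
import re

# Constructed sample of outbound content (e.g. mail bodies seen at a network egress
# point); every value below is made up for this example.
SAMPLE_EGRESS = [
    "Invoice 2024-0199 attached, total 1,245.00 GBP",
    "Customer card on file: 4111 1111 1111 1111 exp 09/27",
    "Ref number 1234 5678 9012 3456 for the meeting room booking",
    "Please find attached the Q3 sales forecast",
    "Payroll export for AB 12 34 56 C attached",
]

def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: a regex alone would flag any 16-digit number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Policy: (rule name, pattern, validator). The validator removes lookalike false positives.
POLICY = [
    ("payment-card", re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
     lambda s: luhn_valid(re.sub(r"[ -]", "", s))),
    ("uk-ni-number", re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"),
     lambda s: True),
]

def scan(lines):
    """Detection: returns (line number, rule, matched text) for every policy hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, pattern, validator in POLICY:
            for match in pattern.finditer(line):
                if validator(match.group(0)):
                    findings.append((lineno, name, match.group(0)))
    return findings

def blocked(lines):
    """Prevention: True when the content must be held at the egress point."""
    return bool(scan(lines))
```

Line 3 of the sample looks like a card number but fails the Luhn check, so it is not reported; that validation step is what keeps a policy like this from flooding analysts with false positives.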
Identity & Access Management
"the security discipline that enables the right individuals to access the right resources at the right times for the right reasons." - Gartner
- Key to (regulatory) compliance
- Centralized control of data and app access was hard for internal IT systems: local accounts, shadow IT
- Becomes critical in cloud environments
Federated SSO & SAML
- Provides a single source of authentication and authorization to multiple service providers
- Security Assertion Markup Language
- Requires preset trust
[Diagram: federated SSO flow]
1: Principal (user) accesses a resource
2: Service Provider requests an assertion from the Identity Provider (can be any directory)
3: Identity Provider requests information (credentials) from the Principal
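The three-step exchange above, modelled as an added example that is not part of the original deck: the Service Provider never sees a password, the Identity Provider checks credentials against its directory, and the "preset trust" is the signing key the two parties agreed beforehand. The entity IDs, directory, HMAC-based signature (standing in for SAML's XML signature) and 300-second validity window are this example's own assumptions.

```python
import hmac, hashlib, json, secrets, time

class IdentityProvider:
    """Checks the principal's credentials against a directory and issues signed assertions."""
    def __init__(self, entity_id, signing_key, directory):
        self.entity_id, self.key, self.directory = entity_id, signing_key, directory
    def authenticate(self, authn_request, username, password):
        # Step 3: only the IdP ever sees the password; the SP never does
        if self.directory.get(username) != password:
            return None
        claims = {"issuer": self.entity_id, "subject": username,
                  "audience": authn_request["issuer"],      # bound to the requesting SP
                  "in_response_to": authn_request["id"],    # bound to this login attempt
                  "not_on_or_after": time.time() + 300}     # short validity window
        body = json.dumps(claims, sort_keys=True)
        return {"body": body, "signature": hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()}

class ServiceProvider:
    """Holds no passwords; trusts exactly one IdP whose key was exchanged beforehand."""
    def __init__(self, entity_id, idp_entity_id, idp_key):
        self.entity_id, self.trusted_idp, self.idp_key = entity_id, idp_entity_id, idp_key
        self.pending = set()  # outstanding authentication requests, each consumed once
    def request_access(self):
        # Steps 1 and 2: an unauthenticated principal arrives, so the SP asks the IdP for an assertion
        req = {"id": secrets.token_hex(8), "issuer": self.entity_id}
        self.pending.add(req["id"])
        return req
    def consume_assertion(self, assertion, now=None):
        now = time.time() if now is None else now
        expected = hmac.new(self.idp_key, assertion["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None  # forged or tampered assertion
        claims = json.loads(assertion["body"])
        if claims["issuer"] != self.trusted_idp or claims["audience"] != self.entity_id:
            return None  # untrusted IdP, or an assertion issued for a different SP
        if claims["in_response_to"] not in self.pending or now >= claims["not_on_or_after"]:
            return None  # unsolicited, replayed or expired
        self.pending.discard(claims["in_response_to"])
        return claims["subject"]

def sso_login(sp, idp, username, password):
    """Runs the whole exchange and returns the authenticated subject, or None."""
    assertion = idp.authenticate(sp.request_access(), username, password)
    return None if assertion is None else sp.consume_assertion(assertion)

# Constructed trust setup: key, entity IDs and directory are made up for this example
SHARED_KEY = b"preset-trust-key-agreed-out-of-band"
IDP = IdentityProvider("https://idp.example", SHARED_KEY, {"alice": "correct horse battery staple"})
SP = ServiceProvider("https://app.example", "https://idp.example", SHARED_KEY)
```

The audience, in-response-to and expiry checks on the SP side are what stop an assertion minted for one service provider, or captured from an earlier login, from being reused elsewhere.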
Secure Architecture Design
- No one size fits all
- Dependent on customer need and cloud service (SaaS is different to IaaS)
- Dependent on risk profile & data classification
- BYOD & cloud access anywhere create challenges
Architecture
[Diagram: reference architecture with OOB management]
Foundations
Security is much more than just devices & config:
- Governance
- Policies
- Auditing
- Processes
- Design patterns
Cloud security is a shared responsibility between consumers and providers
Open Security Architecture Group
Thank you - Q&A
This document was created using the official VMware icon and diagram library. Copyright 2012 VMware, Inc. All rights reserved.