Swisscom Cloud: Building a secure cloud
SIGS, 09.09.2014
Christof Jungo

Cloud: What is changing?

Enterprise Datacenter
  High secure tier 3 & 4
  Server type
    Processor architecture: various
    Bare metal & virtual (VMware)
    Static resource allocation
    OS: various UNIX & Windows
  Storage: SAN & NAS
  Connectivity: Physical switches & router
  Network perimeter (3 tier model)
  Physical appliances (network)
  Host based security
  Encrypted data in motion

Cloud Datacenter
  Tier 2 (MDL) -> Tier 4 (Banking)
  Server type
    Processor architecture: x86
    Virtual (VMware, OpenStack)
    Elastic resource allocation
    OS: RHEL6+, W2K8+
  Storage: Software defined storage (SDS)
  Connectivity: Software defined network (SDN)
  Workload based security model
  Software based appliances
  Encrypted data at rest & in motion

Cloud: Overall architecture

[Figure: architecture diagram. Labels: Cloud Operation, Operation, Business Integration]
  Access Layer: Enterprise Management Client, Web Portals, Admin, Reseller, Customer, Developer
  Service Abstraction
  Operation Layer: Service Management & Automation, Dynamic Services (DCS), Software Services (SaaS), Elastic Platform Services (PaaS), Monitoring & Metering
  Hardware Abstraction
  Hardware Resource Layer

Threat model: More virtualisation, more software, more threats

A threat model should include all the different scenarios covering banking grade services, my digital life and everything in between.

  Identity & Access
  Insecure storage of identities and personal data
  Data theft, loss and leakage
  PKI infrastructure threats
  Cross-user attacks
  Breach of administrative layer
  Elevation of privileges in user self service
  Elevation of privileges in administration
  SIEM (security incident & event mgmt)
  Manipulation of alerting, audit-log and monitoring
  Configuration
  Badly configured or programmed software
  Control layer bypass
  Breach of administrative layer
  Insufficient security features
  Hypervisor breaches
  Side Channel Attacks
  Abuse and harmful use of cloud computing
  Misconfiguration of the cloud environment
  Bad or missing asset management

Cloud: Development topics

Trusted environment: Secure boot & remote attestation
[Figure: cloud overall architecture diagram]

Encryption by default: Self encrypted drives
[Figure: cloud overall architecture diagram]

Secure software development coverage
[Figure: cloud overall architecture diagram]

Secure software development: Test results of cloud software components

Dynamic workload protection: Protecting each workload individually
[Figure: cloud overall architecture diagram]

Dynamic workload protection system

  Threat level: Governments, Advanced Persistent Threats, Terrorism, Organized Crime, Hacktivist, Script Kiddies
  Toolkit based approach
  Mitigation functions lookup
  Solution Pool
    function 1: Vendor A, Vendor B, Vendor C
    function 2: Vendor C, Vendor E, Vendor F
    function 3: Vendor A, Vendor E, Vendor G
  Continuous testing
  Application
  Provisioning of security function

Summary & Questions