Virtualization & Cloud Computing Risks
NASSCOM-DSCI Information Security Summit 2009
November 24, 2009
Felix Mohan, CISO, Bharti Airtel Ltd
Virtualization & Cloud Computing: Strategic Technologies with Significant Impact

Gartner's Top 10 Strategic Technologies, which will make a significant impact on enterprises in the next 3 years:
- 2008: 5. Virtualization
- 2009: 1. Virtualization; 2. Cloud Computing
- 2010: 1. Cloud Computing; 2. Virtualization & Availability
Source: Gartner
Virtualization

- 78% of organizations will have implemented virtualization by end of 2010
- Only 19% indicated that virtualization security was a priority
- It is alarming that, though virtualization security should be a concern, the majority of organizations & security leaders are ignoring its implications
Source: E&Y 12th Annual Global Information Security Survey, November 2009 (conducted across 60 countries, 1900 companies)

The biggest security problem in Virtualization & Cloud Computing, analysts say, is not the security issue itself, but rather the inability to recognize security concerns.

1. Drive Awareness.
Virtualization Risks: VM Change & Configuration Management-Related

Exponential VM Sprawl
- Admins can create, clone, delete, move or roll back the execution state of a VM
- Difficult to audit and apply security policies
- By 2010, VM sprawl will reach the same level of concern as unmanaged endpoints in 2007 - Gartner

Patch Management
- Regular patches for online & offline VMs required
- VMware bought Blue Lane Technologies in 2008

VM Mobility
- VMs can be moved literally with the click of a button (VMware vMotion)
- Should pass through NAC before getting into production systems

Virtual Appliance Downloads
- The downloaded virtual appliances may be malicious or misconfigured/unpatched
- VMware marketplace has over 1000 virtual appliances, many free, uploaded by partners
- With client hypervisors to be available from 2010, virtual appliance downloads will grow exponentially
- Number of virtualized PCs will grow from 5 million in 2008 to 660 million in 2012 - Gartner
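The four risks on this slide (sprawl, patching of online and offline VMs, mobility without NAC, and appliance downloads) are all configuration-management failures that an inventory audit can surface. The following is an added example, not from the talk or from any VMware tooling: it runs a policy check over a constructed VM inventory. The inventory fields, the 30-day patch window and the "approved appliance source" list are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class VM:
    """One inventory record; field names are assumptions for this example."""
    name: str
    owner: Optional[str]          # None: nobody is accountable for this VM (sprawl)
    power_state: str              # "on" or "off"; offline VMs still need patching
    last_patched: Optional[date]  # None: never patched
    network: str                  # "prod" or "dev"
    nac_cleared: bool             # passed NAC before being placed on a production network
    cloned_from: Optional[str] = None
    appliance_source: Optional[str] = None  # where the image came from, if downloaded


@dataclass
class Policy:
    max_patch_age_days: int = 30
    approved_appliance_sources: tuple = ("internal-build",)


def audit_vm(vm: VM, policy: Policy, today: date) -> List[str]:
    """Return policy findings for one VM; an empty list means compliant."""
    findings = []
    if vm.owner is None:
        origin = f" (clone of {vm.cloned_from})" if vm.cloned_from else ""
        findings.append(f"sprawl: no owner recorded{origin}")
    if vm.last_patched is None:
        findings.append(f"patching: never patched (power {vm.power_state})")
    else:
        age = (today - vm.last_patched).days
        if age > policy.max_patch_age_days:
            findings.append(f"patching: last patch {age} days ago (power {vm.power_state})")
    if vm.network == "prod" and not vm.nac_cleared:
        findings.append("mobility: placed on production network without NAC clearance")
    if vm.appliance_source and vm.appliance_source not in policy.approved_appliance_sources:
        findings.append(f"appliance: image from unapproved source {vm.appliance_source}")
    return findings


def audit_inventory(vms: List[VM], policy: Policy, today: date) -> Dict[str, List[str]]:
    """Map each non-compliant VM name to its findings; compliant VMs are omitted."""
    report = {}
    for vm in vms:
        findings = audit_vm(vm, policy, today)
        if findings:
            report[vm.name] = findings
    return report


# Constructed sample data: reference date is the date of the talk.
TODAY = date(2009, 11, 24)
SAMPLE_INVENTORY = [
    VM("web-01", "app-team", "on", date(2009, 11, 10), "prod", True),
    # An unowned, powered-off clone that was vMotioned into production
    VM("web-01-clone", None, "off", date(2009, 6, 1), "prod", False, cloned_from="web-01"),
    # A partner-uploaded marketplace appliance that has never been patched
    VM("appliance-x", "ops", "on", None, "dev", True, appliance_source="marketplace:partner-x"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, Policy(), TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The check deliberately reports offline VMs under the same patch rule as online ones, because a powered-off image that is later started or cloned carries its stale patch level with it.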
Virtualization Risks: Hypervisor-Related

Lucrative Target for Attack
- The hypervisor manages all VMs and virtual processes; it is a single point of failure
- Though hardened with an extremely thin OS, it can have vulnerabilities
- VMware issued patches for its ESX hypervisor in Sep 2008 for a buffer overflow vulnerability

Hypervisor Attack Surface
- Direct console access to the hypervisor UI (requires physical access to the hypervisor host)
- Network access to the hypervisor UI interface
- VM breakout through subversion of the hypervisor by manipulation of shared memory

Attack Demonstrated
- July 2009, Black Hat meet: researcher Kostya Kortchinsky demonstrated how to attack the hypervisor from a VM through a memory leak exploit (Cloudburst)

Trusted Boot
- A tampered hypervisor should be prevented from booting
- Root of trust in hardware: Trusted Platform Module (TPM) with checksums/hash values
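The trusted-boot bullet is the one control on this slide that is easy to show concretely. The block below is an added example (not from the talk, and not real TPM or ESX code): it simulates a measured boot in which each component is hashed and folded into a PCR-style register, and the hypervisor is allowed to boot only if the final value matches a golden value recorded at enrollment. The component names and blobs are constructed stand-ins; the extend formula `H(old || measurement)` is the TPM pattern, with SHA-256 assumed.

```python
import hashlib
import hmac
from typing import List, Tuple

PCR_SIZE = 32  # SHA-256 sized register, an assumption for this example

Chain = List[Tuple[str, bytes]]  # (component name, component bytes) in boot order


def measure(component: bytes) -> bytes:
    """Hash of one boot component, the value a measuring loader records."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || measurement). One-way and order-sensitive."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain: Chain):
    """Measure each component in boot order, extending a register that starts at zero.
    Returns the final register value and an event log of (name, measurement hex)."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, blob in chain:
        m = measure(blob)
        log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the register from the event log alone, as a remote verifier would."""
    pcr = bytes(PCR_SIZE)
    for _, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr


def boot_allowed(chain: Chain, golden_pcr: bytes) -> bool:
    """Policy gate: boot only if the measured chain reproduces the enrolled golden value."""
    pcr, _ = measured_boot(chain)
    return hmac.compare_digest(pcr, golden_pcr)


def tampered(chain: Chain, name: str, new_blob: bytes) -> Chain:
    """Return a copy of the chain with one component replaced (simulates tampering)."""
    return [(n, new_blob if n == name else b) for n, b in chain]


# Constructed stand-ins for the real boot components of a hypervisor host.
KNOWN_GOOD_CHAIN: Chain = [
    ("bootloader", b"bootloader v1.0 (constructed)"),
    ("hypervisor-kernel", b"hypervisor kernel build 1234 (constructed)"),
    ("hypervisor-config", b"vswitch=on, remote-console=off (constructed)"),
]
# Recorded once at enrollment from a known-good host.
GOLDEN_PCR, _ = measured_boot(KNOWN_GOOD_CHAIN)

if __name__ == "__main__":
    print("known-good chain boots:", boot_allowed(KNOWN_GOOD_CHAIN, GOLDEN_PCR))
    modified = tampered(KNOWN_GOOD_CHAIN, "hypervisor-config",
                        b"vswitch=on, remote-console=on (constructed)")
    print("modified config boots:", boot_allowed(modified, GOLDEN_PCR))
```

Two properties matter in practice and both are visible here: the register depends on boot order as well as content, so swapping components is detected, and a verifier holding only the event log can recompute the register and compare it against a quoted value.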
Virtualization Risks: Virtual Networks-Related

Virtual networks are composed of virtual routers, switches and I/O channels within the memory backplane of the hypervisor.

Non-virtualized Tools are Blind
- Virtual networks run inside the physical host, handling traffic which is invisible to anything outside of that host
- Non-virtualized security tools (firewalls, IPS, vulnerability scanners) cannot see or validate what is happening in a virtual network
- This opens up the risk of malicious activities going unnoticed
- Lack of visibility is a major security issue: VMware bought Determina in 2007
- VMware VMsafe APIs (released in 2008) can be used by security vendors to gain visibility into VMs' memory, network traffic etc.

Lack of Network Segmentation
- Virtual networks flatten the infrastructure; there is no network segregation based on trust levels or security policies
- VMware vShield Zones released in 2009

Administrator Activities
- Cannot be monitored, permitting administrators to act with impunity
Virtualization Risks: Virtual Administrator-Related

Loss of Separation of Duties
- The virtual centre administrator performs the roles of procurement, system admin, network admin, and security administrator, all rolled into one
- A single administrator has the keys to the kingdom

Abuse of Privilege
- Collapse of roles can lead to escalation of privilege & abuse of privilege

Fraud
- Admin can make unauthorized changes to the hypervisor, decrypt network traffic, peek into physical memory, take snapshots of data, all without any fear of detection
- 22% of data breaches are due to admin privilege abuse - Verizon Business Data Breach Investigations Report 2009
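The previous two slides describe two conditions that are both checkable from configuration data: VMs of different trust levels sharing a flat virtual network with no firewall between them, and one administrator holding roles that should be separated. The block below is an added example that is not from the talk and does not use any VMware API; it runs both checks over constructed placement and role data. The trust-zone names, port-group names and the list of conflicting role pairs are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed record: (VM name, port group on the virtual switch, trust zone of the VM)
Placement = Tuple[str, str, str]


def segmentation_findings(placements: List[Placement],
                          firewalled_port_groups: Set[str]) -> List[str]:
    """Flag port groups that carry VMs from more than one trust zone with no
    virtual firewall enforcing policy between them (a flat virtual network)."""
    zones_by_pg: Dict[str, Set[str]] = defaultdict(set)
    members_by_pg: Dict[str, List[str]] = defaultdict(list)
    for vm, pg, zone in placements:
        zones_by_pg[pg].add(zone)
        members_by_pg[pg].append(vm)
    findings = []
    for pg, zones in sorted(zones_by_pg.items()):
        if len(zones) > 1 and pg not in firewalled_port_groups:
            findings.append(
                f"port group {pg} mixes zones {sorted(zones)} with no firewall: "
                f"{sorted(members_by_pg[pg])}")
    return findings


# Assumed: roles that one person should not hold at the same time.
CONFLICTING_ROLES = [
    frozenset({"vm-admin", "network-admin"}),
    frozenset({"vm-admin", "security-admin"}),
    frozenset({"network-admin", "security-admin"}),
]


def separation_of_duties_findings(assignments: Dict[str, Set[str]]) -> List[str]:
    """Flag every user holding a pair of roles that the policy says must be separated."""
    findings = []
    for user, roles in sorted(assignments.items()):
        for pair in CONFLICTING_ROLES:
            if pair <= roles:
                findings.append(f"{user} holds conflicting roles {sorted(pair)}")
    return findings


# Constructed sample data.
SAMPLE_PLACEMENTS: List[Placement] = [
    ("web-01", "pg-frontend", "dmz"),
    ("db-01", "pg-frontend", "restricted"),   # database sharing a port group with the DMZ
    ("app-01", "pg-app", "internal"),
    ("app-02", "pg-app", "internal"),
]
SAMPLE_FIREWALLED: Set[str] = set()  # no zone firewall deployed yet
SAMPLE_ROLES: Dict[str, Set[str]] = {
    "alice": {"vm-admin", "network-admin", "security-admin"},  # everything rolled into one
    "bob": {"vm-admin"},
    "carol": {"security-admin"},
}

if __name__ == "__main__":
    for line in segmentation_findings(SAMPLE_PLACEMENTS, SAMPLE_FIREWALLED):
        print("SEGMENTATION:", line)
    for line in separation_of_duties_findings(SAMPLE_ROLES):
        print("SOD:", line)
```

Running the segmentation check again with `{"pg-frontend"}` as the firewalled set clears the finding, which is the model of what a zone firewall between trust levels buys you; the role check is independent of the network data and is the one to run against the virtual centre's permission export.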
Cloud Computing
Cloud Computing

- Cloud computing is a new way of delivering computing resources, not a new technology
- Virtualization + Web 2.0 + Distributed parallel computing (Hadoop & MapReduce)
- Infinite pool of additional capacity available on demand, payable by usage
- Capex to Opex
- Quicker provisioning

- 58% of organizations are examining cloud computing for adoption - Shavlik Technologies survey at VMworld, Sep 2009
- Worldwide forecast for cloud services in 2009 = $17.4bn; the estimate for 2013 = $44.2bn - IDC analysis
- Two thirds of firms are using cloud computing, despite risks - Computerweekly.com, Nov 2008
Cloud Computing Risks: Organization-Related

Lock-in
- Extremely difficult to migrate from one provider to another
  - SaaS: customer data in custom database schemas
  - PaaS: code developed using the custom API offered by the provider
  - IaaS: VM and software non-portability
- Sep 2008: Open Virtual Machine Format specification (OVF 1.0) by Microsoft, VMware, Citrix, HP, IBM & Dell

Provider & Supply Chain-Related
- Possibility of the provider going out of business, or restructuring its offer of services, etc.
- Provider may have outsourced their production chain to 3rd parties; non-extension of contractual obligations, or control, to the 3rd party

Governance & Compliance-Related
- The control is with the provider, but the accountability is with the customer
- Providers don't permit audits, and when permitted, auditing is complex due to the distributed nature of the cloud
- Compliance requirements such as segregation of duties, audit, separation of customer data etc. required by regulations/standards like PCI DSS cannot be met by cloud providers; Amazon EC2 has stated this upfront
Cloud Computing Risks: Legal-Related

Location & Jurisdictions
- Distribution of data over multiple jurisdictions; lack of transparency on where the data is located

Forensics & e-Discovery
- Little control over forensics, e-discovery, and provision of evidentiary data to law enforcement
- Inadequate proof of non-tampering of log data

Confiscation of Servers by Law Enforcement
- Confiscation of physical servers may mean loss of confidentiality/privacy of all tenants' data

Privacy-Related
- Privacy of customer data held in the provider's cloud cannot be guaranteed. Though the provider is the data processor, the customer is the data controller, and legally liable for privacy
- Secondary usage of data: contractual enforcement is needed to limit usage of customer data by the provider
- Response to privacy breach: the provider may not monitor for breaches, which may affect data breach notification compliance requirements, and make the customer legally liable
Cloud Computing Risks: Virtualization Technology-Related

Loss of Separation amongst Customers
- Failure of mechanisms to isolate compute capacity, storage or network between multiple customers
- Guest-hopping attacks and SQL injection attacks exposing multiple customers' data stored in the same file

Attacks on Hypervisor
- Exploit unpatched hypervisor vulnerabilities, or attack from within a VM (VM breakouts)
- Can lead to complete & anonymous control of data in all customer environments
- Can be used to reduce resources assigned to customers, leading to DoS

People-Related: Malicious Insiders
- Malicious activities or abuse of root privilege by cloud administrators can lead to loss of data confidentiality/privacy
- Just as call centre agents associated with the financial industry are targeted, cloud provider administrators will also be targeted by criminal gangs
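The SQL injection case on this slide is the application-layer form of lost separation: several customers' rows live in one table, and a query that fails to bind its inputs lets one tenant's request read another tenant's rows. The block below is an added example, not from the talk or from any provider's code; it builds a constructed shared table in an in-memory SQLite database and puts the defective lookup beside the hardened one, with a second guard that refuses to return rows from a tenant other than the caller's. Table and column names are assumptions.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str, str]  # (tenant_id, name, secret)


class TenantIsolationError(Exception):
    """Raised when a query result contains another tenant's row."""


def setup_shared_store() -> sqlite3.Connection:
    """One table holding several tenants' rows, as in a multi-tenant SaaS database.
    All rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (tenant_id TEXT NOT NULL, "
                 "name TEXT NOT NULL, secret TEXT NOT NULL)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", [
        ("tenant-a", "alice", "a-secret (constructed)"),
        ("tenant-a", "anne", "a-secret-2 (constructed)"),
        ("tenant-b", "bob", "b-secret (constructed)"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tenant_id: str, name: str) -> List[Row]:
    """Deliberately defective: the caller-controlled name is spliced into the SQL
    text, so a quote in it can rewrite the WHERE clause and escape the tenant filter."""
    sql = ("SELECT tenant_id, name, secret FROM records "
           f"WHERE tenant_id = '{tenant_id}' AND name = '{name}'")
    return conn.execute(sql).fetchall()


def assert_single_tenant(rows: List[Row], tenant_id: str) -> List[Row]:
    """Second line of defence: fail closed if any returned row belongs to another tenant."""
    for row in rows:
        if row[0] != tenant_id:
            raise TenantIsolationError(f"row for {row[0]} returned in a {tenant_id} query")
    return rows


def lookup_hardened(conn: sqlite3.Connection, tenant_id: str, name: str) -> List[Row]:
    """Parameterised query: values are bound by the driver and never parsed as SQL,
    and the result is checked against the tenant before it leaves the data layer."""
    sql = "SELECT tenant_id, name, secret FROM records WHERE tenant_id = ? AND name = ?"
    rows = conn.execute(sql, (tenant_id, name)).fetchall()
    return assert_single_tenant(rows, tenant_id)


if __name__ == "__main__":
    conn = setup_shared_store()
    probe = "x' OR '1'='1"   # a name value containing a quote
    print("vulnerable lookup returns", len(lookup_vulnerable(conn, "tenant-a", probe)), "rows")
    print("hardened lookup returns", len(lookup_hardened(conn, "tenant-a", probe)), "rows")
```

The tenant guard is there because parameterisation fixes only the query text; a logic error elsewhere (a missing `tenant_id` predicate, a join through a shared table) can still leak across tenants, and a check on the result set catches that class of failure regardless of how the rows were selected.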
Cloud Computing Risks: Data-Related

Interception
- Interception of data in transit can occur during:
  - Data synchronization amongst distributed images within the provider cloud, or
  - Data upload/download between customer and provider
- Sniffing, spoofing, man-in-the-middle attacks, and replay attacks are possible threats

Deletion
- Extremely difficult to ensure data deletion in the cloud
- Full deletion only possible by destruction of the disk, which contains others' data also
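Of the four in-transit threats listed, spoofing, tampering and replay are addressed at the message level by authenticating each message and rejecting stale or repeated ones. The block below is an added example (not from the talk, and not any provider's protocol) showing both sides of such an exchange for the synchronization case: the sender attaches a timestamp, a fresh nonce and an HMAC tag; the receiver verifies the tag, rejects messages outside a freshness window, and rejects a nonce it has already seen. The shared key, the 30-second window and the message layout are assumptions. Confidentiality against sniffing is not provided here; that still needs an encrypted channel such as TLS.

```python
import hashlib
import hmac
import json
import os


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(key: bytes, payload: dict, now: float) -> dict:
    """Sender side: wrap the payload with a timestamp and a random nonce, then tag it."""
    body = {"payload": payload, "ts": now, "nonce": os.urandom(16).hex()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: integrity, freshness and replay checks, in that order."""

    def __init__(self, key: bytes, window_seconds: float = 30.0):
        self.key = key
        self.window = window_seconds
        # In a real deployment this set is bounded and entries expire with the window.
        self.seen_nonces = set()

    def accept(self, msg: dict, now: float):
        """Return (accepted, reason). Nothing in the body is trusted until the tag checks."""
        body = msg.get("body")
        tag = msg.get("tag", "")
        if not isinstance(body, dict) or not isinstance(tag, str):
            return False, "malformed"
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag: tampered or spoofed"
        if abs(now - body["ts"]) > self.window:
            return False, "stale timestamp"
        if body["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(body["nonce"])
        return True, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-key"  # provisioned out of band in practice
    receiver = Receiver(key)
    msg = build_message(key, {"op": "sync", "rows": 3}, now=1000.0)
    print("first delivery:", receiver.accept(msg, now=1001.0))
    print("same message again:", receiver.accept(msg, now=1002.0))
    forged = {"body": dict(msg["body"], payload={"op": "sync", "rows": 999}), "tag": msg["tag"]}
    print("modified payload:", receiver.accept(forged, now=1002.0))
```

The order of checks matters: the tag is verified before the timestamp or nonce are read, so a forged body cannot drive the freshness logic, and the nonce is recorded only after a message has passed every other check.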
Thank You