Virtualization & Cloud Computing Risks NASSCOM-DSCI Information Security Summit 2009 November 24, 2009

Similar documents
Effective End-to-End Cloud Security

Virtualization System Security

Cloud Computing Governance & Security. Security Risks in the Cloud

Catbird vsecurity : Securing the virtual data center

How To Protect Your Cloud From Attack

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE

Mitigating Information Security Risks of Virtualization Technologies

Secure Administration of Virtualization - A Checklist ofVRATECH

Securing the Journey to the Private Cloud. Dominique Dessy RSA, the Security Division of EMC

Security Virtual Infrastructure - Cloud

managing the risks of virtualization

Virtualization Impact on Compliance and Audit

Catbird vsecurity : Security and Compliance For The Virtualized Data Center

SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING

End to End Security do Endpoint ao Datacenter

PICO Compliance Audit - A Quick Guide to Virtualization

Lecture 02a Cloud Computing I

Total Cloud Protection

Proactively Secure Your Cloud Computing Platform

Cloud Security Overview

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

Security of Cloud Computing

Public Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

Cloud Computing Trends

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

PCI Compliance in a Virtualized World

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS

Virtualization and Cloud Computing

Network Segmentation in Virtualized Environments B E S T P R A C T I C E S

Keith Luck, CISSP, CCSK Security & Compliance Specialist, VMware, Inc. kluck@vmware.com

Securing the Cloud with IBM Security Systems. IBM Security Systems IBM Corporation IBM IBM Corporation Corporation

Keyword: Cloud computing, service model, deployment model, network layer security.

Whitepaper. What You Need to Know About Infrastructure as a Service (IaaS) Encryption

Netzwerkvirtualisierung? Aber mit Sicherheit!

Virtualization Security and Best Practices. Rob Randell, CISSP Senior Security Specialist SE

Introduction to Cloud Computing

Cloud Computing Security Master Seminar, Summer 2011

Virtualization with VMware and IBM: Enjoy the Ride, but Don t Forget to Buckle Up!

What Cloud computing means in real life

Learn the essentials of virtualization security

Cloud Security Who do you trust?

Security Issues in Cloud Computing

How to Achieve Operational Assurance in Your Private Cloud

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Security and Privacy in Public Clouds. David Lie Department of Electrical and Computer Engineering University of Toronto

5 Best Practices to Protect Your Virtual Environment

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc.

Solutions as a Service N.Konstantinidis Technical Director - MNG

The Cloud, Virtualization, and Security

HP Virtual Controller and Virtual Firewall for VMware vsphere 1-proc SW LTU

Learn the Essentials of Virtualization Security

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet

Shavlik NetChk Protect 7.1

Top virtualization security risks and how to prevent them

How Data-Centric Protection Increases Security in Cloud Computing and Virtualization

Network Access Control in Virtual Environments. Technical Note

Top Virtualization Security Mistakes (and How to Avoid Them)

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

D. L. Corbet & Assoc., LLC

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

Securing Oracle E-Business Suite in the Cloud

WHITE PAPER. Addressing Monitoring, Access, and Control Challenges in a Virtualized Environment

IBM Software InfoSphere Guardium. Planning a data security and auditing deployment for Hadoop

Cloud Security:Threats & Mitgations

TECHNOLOGYBRIEF. The Impact of Virtualization on Network Security. Discover. Determine. Defend.

Cloud-Security: Show-Stopper or Enabling Technology?

Security Issues In Cloud Computing And Their Solutions

Assessing Risks in the Cloud

Windows Server 2003 End of Support. What does it mean? What are my options?

IBM PowerSC. Security and compliance solution designed to protect virtualised data centres. Highlights. IBM Systems and Technology Data Sheet

Securing Virtual Applications and Servers

Intro to NSX. Network Virtualization VMware Inc. All rights reserved.

Access Control In Virtual Environments

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0

An overwhelming majority of IaaS clouds leverage virtualization for their foundation.

Cloud IaaS: Security Considerations

Securely Architecting the Internal Cloud. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

2010 State of Virtualization Security Survey

Can PCI DSS Compliance Be Achieved in a Cloud Environment?

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

Cloud Computing Security

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

The Magazine for IT Security. May issue 3. sör alex / photocase.com

IBM EXAM QUESTIONS & ANSWERS

SECURING HEALTH INFORMATION IN THE CLOUD. Feisal Nanji, Executive Director, Techumen

A Trend Micro ebook / 2009

Computer Forensics and Incident Response in the Cloud. Stephen Coty AlertLogic, AlertLogic_ACID

Marco Mantegazza WebSphere Client Technical Professional Team IBM Software Group. Virtualization and Cloud

Control your corner of the cloud.

Cloud Courses Description

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

PCI DSS 3.0 Compliance

Stephen Coty Director, Threat Research

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Cloud Security: The Grand Challenge

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Transcription:

Virtualization & Cloud Computing Risks NASSCOM-DSCI Information Security Summit 2009 November 24, 2009 Felix Mohan CISO, Bharti Airtel Ltd

Virtualization & Cloud Computing Strategic Technologies with Significant Impact Top 10 Strategic Technologies, which will make significant impact on enterprises in next 3 years: 2008 5. Virtualization 2009 1. Virtualization 2. Cloud Computing 2010 1. Cloud Computing 2. Virtualization & Availability Gartner

Virtualization 78% of organizations will have implemented virtualization by end of 2010 Only 19% indicated that virtualization security was a priority It is alarming that though virtualization security should be a concern, majority of organizations & security leaders are ignoring its implication E&Y 12 th Annual Global Information Security Survey, November 2009 (Conducted across 60 countries, 1900 companies) The biggest security problem in Virtualization & Cloud Computing, analysts say, is not the security issue itself, rather the inability to recognize security concerns 1. Drive Awareness.

Virtualization Risks VM Change & Configuration Management-Related Exponential VM Sprawl Admins can create, clone, delete, move or roll-back the execution state of a VM Difficult to audit and apply security policies By 2010, VM Sprawl will reach the same level of concern as unmanaged endpoints in 2007 Gartner Patch Management Regular Patches for online & offline VMs required - VMware buys Blue Lane Technologies in 2008 VM Mobility VMs can be moved literally with the click of a button VMware vmotion Should pass through NAC before getting into production systems Virtual Appliances Download The downloaded virtual appliances may be malicious or misconfigured/unpatched VMware marketplace has over 1000 virtual appliances many free uploaded by partners With client hypervisors to be available from 2010, virtual appliance downloads will grow exponentially Number of virtualized PCs will grow from 5 million in 2008 to 660 million in 2012 - Gartner

Virtualization Risks Hypervisor-Related Lucrative target for Attack Hypervisor manages all VMs and virtual processes is a single point of failure Though hardened with extremely thin OS, it can have vulnerabilities VMware issued patches for its ESX hypervisor in Sep 2008 for Buffer Overflow vulnerability Hypervisor Attack Surface Direct console access to hypervisor UI requires physical access to hypervisor host Network access to hypervisor UI interface VM breakout through subversion of hypervisor through manipulation of shared memory Attack Demonstrated July 2009 - Black Hat meet, researcher Kostya Kortchinsky demonstrated how to attack the hypervisor from a VM through a memory leak exploit - (Cloudburst) Trusted Boot Tampered Hypervisor should be prevented from booting Root trust in hardware - Trusted Platform Module (TPM) with checksums/hash values

Virtualization Risks Virtual Networks-Related Composed of virtual routers, switches and I/O channels within the memory backplane of the hypervisor Non-virtualized tools are Blind Virtual networks run inside the physical host, handling traffic which is invisible to anything outside of that host Non-virtualized security tools (firewalls, IPS, Vulnerability scanners) cannot see or validate what is happening in a virtual network This opens up risks of malicious activities going unnoticed Lack of visibility is a major security issue - Vmware bought Determina in 2007 VMware VMSafe APIs (released in 2008) can be used by security vendors to gain visibility into VMs memory, network traffic etc Lack of Network Segmentation Virtual networks flattens the infrastructure there is no network segregation based on Trust Levels or security policies - Vmware vshield Zones released in 2009 Administrator activities Cannot be monitored permitting them to act with impunity

Virtualization Risks Virtual Administrator-Related Loss of Separation of Duties Virtual centre administrator does the role of procurement, system admin, network admin, and security administrator all rolled into one A single administrator has the keys to the kingdom Abuse of Privilege Collapse of roles can lead to escalation of privilege, & Abuse of Privilege Fraud Admin can make unauthorized changes to the hypervisor, decrypt network traffic, peek into physical memory, take snap shots of data all without any fear of detection 22% of data breaches are due to Admin Privilege Abuse Verizon Business Data Breach Investigation Report 2009

Cloud Computing

Cloud Computing Cloud computing is a new way of delivering computing resources, not a new technology Virtualization + Web 2.0 + Distributed parallel computing (Hadoop & MapReduce) Infinite pool of additional capacity available on demand payable by the usage Capex to Opex Quicker provisioning 58% organizations are examining cloud computing for adoption Shavlik Technologies Survey at VMWorld, Sep 2009 Worldwide forecast for cloud services in 2009 = $17.4bn; The estimation for 2013 = $44.2bn IDC Analysis Two Thirds of Firms Are Using Cloud Computing, Despite Risks Computerweekly.com, Nov 2008

Cloud Computing Risks Organization-Related Lock-in Extremely difficult to migrate from one provider to another SaaS - Customer data in custom database schemas PaaS Code developed using custom API offered by provider IaaS VM and software non-portability Sep 2008, Open Virtual Machine Format specification (OVF 1.0) by Microsoft, VMware, Citrix, HP, IBM & Dell Provider & Supply Chain-Related Possibility of provider going out of business, or restructuring offer of services etc Provider may have outsourced their production chain to 3 rd parties. Non-extension of contractual obligations, or control, on 3 rd party Governance & Compliance-Related The control is with the provider, however the accountability is with the Customer Providers don t permit audits & when permitted is complex due to distributed nature of cloud Compliance requirements such as segregation of duties, audit, separation of customer data etc required by regulations/standards like PCI DSS cannot be met by cloud providers Amazon E2C has stated this upfront

Cloud Computing Risks Legal-Related Location & Jurisdictions Distribution of data over multiple jurisdictions; lack of transparency on where the data is located Forensics & e-discovery Little control on forensics, e-discovery, and provision of evidentiary data to law enforcement Inadequate proof of non-tampering of log data Confiscation of servers by law enforcement Confiscation of physical servers may mean loss of confidentiality/privacy of all tenants data Privacy-Related Privacy of customer data held at provider s cloud cannot be guaranteed. Though provider is data processor, the customer is data controller, and legally liable for privacy Secondary usage of data Contractual enforcement to limit usage of customer data by provider Response to privacy breach Provider may not monitor for breach, which may affect data breach notification compliance requirements, and make Customer legally liable

Cloud Computing Risks Virtualization Technology -Related Loss of Separation amongst customers Failure of mechanisms to isolate compute capacity, storage or network between multiple customers Guest-hopping attacks and SQL injection attacks exposing multiple customers data stored in same file Attacks on Hypervisor Exploit un-patched hypervisor vulnerabilities or from within VM (VM outbreaks) Can lead to complete & anonymous control of data in all customer environments Can be used to reduce resources assigned to customers leading to DOS People-Related Malicious insiders Malicious activities or abuse of root privilege by cloud administrators can lead to loss of data confidentiality/privacy Like call centre agents associated with financial industry are targeted, cloud provider administrators will also be targeted by criminal gangs

Cloud Computing Risks Data-Related Interception Interception of data in transit can occur during: Data synchronization amongst distributed images within provider cloud, or Data upload/ download between customer and provider Sniffing, spoofing, man-in-middle attacks, and replay attacks are possible threats Deletion Extremely difficult to ensure data deletion in the cloud Full deletion only possible by destruction of disk which contains others data also

Thank You

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information