Virtualization and Cloud Computing

Similar documents
Flexible Identity Federation

Out-of-Band Multi-Factor Authentication Cloud Services Whitepaper

SAP Single Sign-On 2.0 Overview Presentation

ELM Manages Identities of 4 Million Government Program Users with. Identity Server

Easy as 1-2-3: The Steps to XE. Mark Hoye Services Portfolio Consultant

The PortalGuard All-In-One Authentication Solution-set: A Comparison Guide of Two-Factor Capabilities vs. the Competition

USING FEDERATED AUTHENTICATION WITH M-FILES

From the Intranet to Mobile. By Divya Mehra and Stian Thorgersen

Agenda. How to configure

Identity. Provide. ...to Office 365 & Beyond

OVERVIEW. DIGIPASS Authentication for Office 365

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

Implementing two-factor authentication: Google s experiences. Cem Paya (cemp@google.com) Information Security Team Google Inc.

VMware Identity Manager Administration

Copyright: WhosOnLocation Limited

Flexible Identity Federation

Leveraging SAML for Federated Single Sign-on:

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

User Identity and Authentication

Protect Everything: Networks, Applications and Cloud Services

SAML-Based SSO Solution

SECUREAUTH IDP AND OFFICE 365

SAML-Based SSO Solution

Key Enablers for the Cloud Service Broker: Identity, Privacy, and Security

Total Cost of Ownership Overview ADFS vs OneLogin WHITEPAPER

WHITEPAPER. 13 Questions You Must Ask When Integrating Office 365 With Active Directory

SEC100 Secure Authentication and Data Transfer with SAP Single Sign-On. Public

The Top 5 Federated Single Sign-On Scenarios

EXECUTIVE VIEW. EmpowerID KuppingerCole Report. By Peter Cummings October By Peter Cummings

Single Sign On. SSO & ID Management for Web and Mobile Applications

nexus Hybrid Access Gateway

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE

Using SAML for Single Sign-On in the SOA Software Platform

Casper Suite. Security Overview

2-FACTOR AUTHENTICATION WITH OPENLDAP, OATH-HOTP AND YUBIKEY. Axel Hoffmann

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

IDENTIKEY Product Family

Introduction to SAML

Security Whitepaper. NetTec NSI Philosophy. Best Practices

Perceptive Experience Single Sign-On Solutions

Security Overview Enterprise-Class Secure Mobile File Sharing

Cedric Rajendran VMware, Inc. Security Hardening vsphere 5.5

Enhancing Web Application Security

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

API-Security Gateway Dirk Krafzig

enstratus User Management Copyright 2012 enstratus Networks, Inc.

Security and Billing for Azure Pack. Presented by 5nine Software and Cloud Cruiser

A Standards-based Mobile Application IdM Architecture

Integrating Single Sign-on Across the Cloud By David Strom

A Guide to New Features in Propalms OneGate 4.0

STREAM FRBC

Application Security Made in Switzerland

Security & Cloud Services IAN KAYNE

FortiAuthenticator. User Authentication and Identity Management. Last Updated: 17 th April Copyright Fortinet Inc. All rights reserved.

SharePoint 2013 Logical Architecture

Implementing and Managing Windows Server 2008 Hyper-V

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

Swivel Multi-factor Authentication

GE Measurement & Control. Cyber Security for NEI 08-09

Copyright Pivotal Software Inc, of 10

Cloud Security Overview

An Overview of Samsung KNOX Active Directory-based Single Sign-On

Outline SSS Microsoft Windows Server 2008 Hyper-V Virtualization

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

SAML 2.0 SSO Deployment with Okta

Media Shuttle s Defense-in- Depth Security Strategy

How To Use Salesforce Identity Features

Blending Embedded Hardware OTP, SSO, and Out of Band Auth for Secure Cloud Access

managing SSO with shared credentials

Mirantis OpenStack Express: Security White Paper

NCSU SSO. Case Study

Netzwerkvirtualisierung? Aber mit Sicherheit!

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

PortWise Access Management Suite

A Survey on Cloud Security Issues and Techniques

Contextual Authentication: A Multi-factor Approach

Integrating WebPCM Applications into Single Sign On (SSO) Tom Schaefer Better Software Solutions, Inc. UN 4023 V

SINGLE & SAME SIGN-ON ASPECTS

FileCloud Security FAQ

SAML and OAUTH comparison

Entrust IdentityGuard Comprehensive

Security Best Practices for Microsoft Azure Applications

IBM Tivoli Federated Identity Manager

PICO Compliance Audit - A Quick Guide to Virtualization

WatchGuard SSL v3.2 Update 1 Release Notes. Introduction. Windows 8 and 64-bit Internet Explorer Support. Supported Devices SSL 100 and 560

Ondřej Výšek Sales Lead, Microsoft MVP.

Virtualization System Security

SaaS at Pfizer. Challenges, Solutions, Recommendations. Worldwide Business Technology

APS Connect Denver, CO

Identity and Access Management for the Cloud What You Need to Know About Managing Access to Your Clouds

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

The Cloud, Mobile and BYOD Security Opportunity with SurePassID

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

Product overview. CA SiteMinder lets you manage and deploy secure web applications to: Increase new business opportunities

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

SonicWALL PCI 1.1 Implementation Guide

Transcription:

Virtualization and Cloud Computing Virtualization, Cloud and Security Mgr. Michael Grafnetter

Agenda Virtualization Security Risks and Solutions Cloud Computing Security Identity Management

Virtualization and Cloud Computing Virtualization Security Risks and Solutions

Blue Pill Attack

Blue Pill Attack Presented in 2006 by Joanna Rutkowska at Black Hat conference Traps running OS by starting a hypervisor and virtualizing the underlaying machine (needs right to run privileged instructions to achieve this) Could intercept nearly anything and send fake responses (hardware interrupts, requests for data, system time etc.)

Red Pill Blue Pill is detectable by timing attack Trap-and-Emulate takes much longer than native instructions External time sources (NTP) need to be used, because system time could be spoofed

VMM Vulnerability By attacking a VMM, one could attack multiple servers at once

Datacenter Management SW Virtualization infrastructure management software (VMware vcenter, Microsoft SC VMM) is used to control multiple hosts at once

Web Access to DCs Multiple datacenters can be managed from a central console. Therefore, its security has to be hardened.

One Ring to rule them all Management commands available using PowerShell or Web APIs Get-VM Name * Stop-VM Get-VM Name * Remove-VM Copy-VMGuestFile Invoke-VMScript Type Bash

Disabling Host-VM Communication

Physical vs. Virtual Firewall With virtualization, servers from different Trust Zones usually share the same physical resources (memory, network card, etc.)

Traffic isolation

Traffic Monitoring

Other risks of virtualization Introduction of yet another OS Reliance on traditional barriers Accelerated provisioning Security left to non-traditional security staff Audit scope creep

Security Solutions Virtual Firewall Live migration Stretched clusters Agentless Antivirus Extensible Switches Mobile Virtualization Platform Virtual Desktop Infrastructure (VDI)

Agentless AV

Extensible Switch

Mobile Virtualization Platform

Mobile Virtualization Platform

Virtual Desktop Infrastructure

Virtualization and Cloud Computing Pass-the-Hash Attacks

LSASS NTLM Hashes

Passing the Hash

Win10 Virtual Secure Mode

Win10 Virtual Secure Mode

Virtualization and Cloud Computing Cloud Computing Security Risks

Who has access to our data?

Physical Security

Hard Disk Crushers

Storing Recovery Keys in Cloud

Azure Key Vault

Other Cloud Risks Unclear data location Regulatory compliance Data segregation Lack of investigative support Disaster recovery Long-term viability, vendor lock-in

Virtualization and Cloud Computing Identity Management

Identity Management Basic Concepts Two-factor authentication Role-Based Access Control (RBAC) External user DBs Identity Federation OAuth OpenID SAML RADIUS Proxy Identity Bridges

Multi-Factor Authentication

One-time Passwords HMAC-based One-time Password (HOTP) Time-based One-time Password (TOTP) Out-of-Band TANs Pre-generated (POTP) SMS Push Notifications

TOTP HMAC(K, C) := SHA1(K 0x5C5C... SHA1(K 0x3636... C)) HOTP(K, C) := Truncate(HMAC(K,C)) & 0x7FFFFFFF K Secret Key C Counter/Clock

Problem: Lost Device Recovery Questions What is the maiden name of your mother? E-Mail Verification POTP In-Person Verification (used in enterprise environments, but not usable with cloud services)

Application-Specific Passwords Some protocols (or their implementations) like SSH, SFTP or IMAP do not support 2FA

Role-Based Access Control

External User DBs Typically Active Directory or generic LDAP is used as central identity store for virtualization infrastructures

Cloud vs. On-Prem Accounts

Azure AD Password Sync

Azure AD Password Sync Hash

Azure AD Hash Plaintext: Pa$$w0rd NT Hash (Stored in on-prem Active Directory): 92937945B518814341DE3F726500D4FF OrgId Hash (Sent to Azure AD): v1;pph1_md4,317ee9d1dec6508fa510,100, f4a257ffec53809081a605ce8ddedfbc9df9777b80 256763bc0a6dd895ef404f;

Identity Federation

Identity Federation Protocols OAuth OpenID WS-Federation + SAML JWT RADIUS

OAuth Used to delegate user authorization to a 3 rd -party service provider

OAuth

Authorization Management

DoS Risk

DoS Risk

OpenID http://someopenid.provider.com/john.smith

OpenID

OpenID

Claims-based Identity First Name: John Last Name: Doe Login: John Mail: john@doe.com Role: User Role: Administrator

SAML Security Assertion Markup Language Similar to OpenID, but targeted to the enterprise XML-based Supports Single sign-on Requires mutual trust between IdP and SP Multiple bindings, not just HTTP Supports Identity provider initiated authentication

SAML

SAML (Google Apps)

SAML Response Example <saml:assertion ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac Version="2.0" IssueInstant="2004-12-05T09:22:05"> <saml:issuer>https://idp.example.org/saml2</saml:issuer> <ds:signature>...</ds:signature> <saml:conditions NotBefore="2004-12-05T09:17:05" </saml:conditions> <saml:attributestatement> NotOnOrAfter="2004-12-05T09:27:05"> <saml:attribute x500:encoding="ldap" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation"> <saml:attributevalue xsi:type="xs:string">member</saml:attributevalue> <saml:attributevalue xsi:type="xs:string">staff</saml:attributevalue> </saml:attribute> </saml:attributestatement> </saml:assertion>

Shibboleth SAML-based federation portal Open Source

Microsoft Active Directory Federation Services SAML-based Typically used to give access to intranet portals to business partners

JWT (JSON Web Token) Header: { typ: 'JWT', alg: 'HS256' } Payload/Claims: { user: john, admin: true, exp: 8.1.2015, 15:27 } Signature => BASE64

Identity Bridges

Identity Bridges: Azure Access Control Service

RADIUS Proxy (Eduroam)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information