whitepaper Cloud Servers: New Risk Considerations

Similar documents
Halo. for PCI Compliance. Who Needs PCI in the Cloud? What It Takes to be PCI Compliant

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Securing Industrial Control Systems on a Virtual Platform

WildFire. Preparing for Modern Network Attacks

Implementing Software- Defined Security with CloudPassage Halo

Enterprise Cloud Use Cases and Security Considerations

How To Protect Your Cloud From Attack

Virtualized Security: The Next Generation of Consolidation

Proactively Secure Your Cloud Computing Platform

Securing Cloud Infrastructures with Elastic Security

The Cloud, Virtualization, and Security

Securing Your Data In The Cloud: an insiders perspective

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Intel Cyber-Security Briefing: Trends, Solutions, and Opportunities

5 Best Practices to Protect Your Virtual Environment

I D C T E C H N O L O G Y S P O T L I G H T. S e r ve r S e c u rity: N o t W h a t It U s e d t o Be!

Chapter 11 Cloud Application Development

All the benefits of Public Cloud on Private, Dedicated Infrastructure. Benefits. Enterprise-Level Security. High Performance. Compliant and Audited

Agile Security at the Speed of Modern Business.

Top virtualization security risks and how to prevent them

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

vsrx Services Gateway: Protecting the Hybrid Data Center

10 Things Every Web Application Firewall Should Provide Share this ebook

IT Security at the Speed of Business: Security Provisioning with Symantec Data Center Security

Secure Virtualization in the Federal Government

Concierge SIEM Reporting Overview

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

White Paper. Protect Your Virtual. Realizing the Benefits of Virtualization Without Sacrificing Security. Copyright 2012, Juniper Networks, Inc.

SDN Unlocks New Opportunities for Cloud Service Providers

Public Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

STeP-IN SUMMIT June 18 21, 2013 at Bangalore, INDIA. Performance Testing of an IAAS Cloud Software (A CloudStack Use Case)

Safeguarding the cloud with IBM Dynamic Cloud Security

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH Agenda. Security Cases What is Cloud? Road Map Security Concerns

Five Steps For Securing The Data Center: Why Traditional Security May Not Work

Limiting the Spread of Threats: A Data Center for Every User

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

Protecting Applications on Microsoft Azure against an Evolving Threat Landscape

Top 10 Reasons Enterprises are Moving Security to the Cloud

A Layperson s Guide To DoS Attacks

Cloud Computing and Amazon Web Services

Man, Machine and DDoS Mitigation

IBM Security QRadar Vulnerability Manager

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Total Cloud Protection

Capturing the New Frontier:

FACING SECURITY CHALLENGES

White Paper. Architecting the security of the next-generation data center. why security needs to be a key component early in the design phase

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

Migration and Building of Data Centers in IBM SoftLayer with the RackWare Management Module

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Not for distribution or reproduction.

Introducing IBM s Advanced Threat Protection Platform

Database Security, Virtualization and Cloud Computing

Security of Payment Card Data on Cloud-Based Mobile Payment Platforms

An overwhelming majority of IaaS clouds leverage virtualization for their foundation.

SECURITY POLICY MANAGEMENT ACROSS THE NEXT GENERATION DATA CENTER

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Introduction to Cloud Computing

Top 20 Critical Security Controls

24/7 Visibility into Advanced Malware on Networks and Endpoints

Imperva Cloud WAF. How to Protect Your Website from Hackers. Hackers. *Bots. Legitimate. Your Websites. Scrapers. Comment Spammers

Cisco Advanced Services for Network Security

The High Availability and Resiliency of the Pertino Cloud Network Engine

Security Virtual Infrastructure - Cloud

IAAS REFERENCE ARCHITECTURES: FOR AWS

Who moved my cloud? Part I: Introduction to Private, Public and Hybrid clouds and smooth migration

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Trend Micro. Advanced Security Built for the Cloud

The Business Case for Security Information Management

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

The Threat of Coexisting With an Unknown Tenant in a Public Cloud

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Future of Cloud Computing. Irena Bojanova, Ph.D. UMUC, NIST

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

AUTOMATING SECURITY FOR GREATER SaaS SUCCESS

IBM Software Cloud service delivery and management

INTRODUCING isheriff CLOUD SECURITY

VALUE PROPOSITION FOR SERVICE PROVIDERS. Helping Service Providers accelerate adoption of the cloud

Cloud Computing for SCADA

ILLUMIO ADAPTIVE SECURITY PLATFORM TM

DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Cloud Computing WHAT IS CLOUD COMPUTING? 2

CHECKLIST: ONLINE SECURITY STRATEGY KEY CONSIDERATIONS MELBOURNE IT ENTERPRISE SERVICES

How To Protect Yourself From A Dos/Ddos Attack

The Role of the Operating System in Cloud Environments

RightScale mycloud with Eucalyptus

Expert Reference Series of White Papers. Introduction to Amazon Relational Database Service (Amazon RDS)

Host/Platform Security. Module 11

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Securing the Intelligent Network

The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention

What Do You Mean My Cloud Data Isn t Secure?

Virtual Patching: a Proven Cost Savings Strategy

How To Secure Cloud Infrastructure Security

Extreme Networks Security Analytics G2 Vulnerability Manager

Cloud and Data Center Security

Firewall and UTM Solutions Guide

7 Ways OpenStack Enables Automation & Agility for KVM Environments

SANS Top 20 Critical Controls for Effective Cyber Defense

Transcription:

whitepaper Cloud Servers: New Risk Considerations Overview...2 Cloud Servers Attract e-criminals...2 Servers Have More Exposure in the Cloud...3 Cloud Elasticity Multiplies Attackable Surface Area...3 The Boomerang Problem...4 Managing New Cloud Risks...4 About CloudPassage...5 Copyright 2011, CloudPassage Inc. 1

Overview The tremendous scalability, flexibility, and speed of Infrastructure-as-a-Service (IaaS) make it one of the fastest-growing sectors of the cloud computing markets. IaaS providers combine virtualization technologies with massive infrastructure to deliver bandwidth, storage, and CPU power on-demand and with granular control over scale and costs. The potential benefits of hosting applications and workloads on cloud servers are enormous, making cloud servers the de facto norm for a rapidly growing set of use cases. Security and compliance, however, remain major challenges to adoption of public cloud infrastructure services. Usage agreements and documentation squarely make the user of IaaS, not the provider, responsible for protecting servers, applications and data in the cloud essentially everything from the virtual machine OS upward in the stack. 1 It is critical for organizations to understand the issues around securing IaaS environments as they move toward the flexibility, scale, and power of cloud hosting. The first step to understanding the issues is awareness of new exposures, threats, and risks. This white paper from CloudPassage presents specific details on the most pertinent new risks associated with adoption of cloud IaaS. It is based on real world learning, shared by companies we have worked with, to achieve security and compliance in the cloud. Software companies moving to SaaS business models, growing social media startups and long-established industry bellwethers have contributed to this knowledge. Cloud Servers Attract e-criminals Online fraud has grown into a sophisticated underground economy that requires infrastructure on a massive scale. Phishing, password cracking, and denial of service attacks leverage botnets illicit networks built from huge numbers of compromised servers and personal computers. Botnets consist of thousands of zombies personal computers infected by malware which carry out commands on behalf of the botnet operator. These compromised computers can bombard web servers with denial-of-service attacks, fire thousands of password attempts per hour, and participate in dozens of other online cracking activities. Fraudsters and e-criminals use command-and-control software to coordinate zombie attack execution. Command-and-control most frequently operates from compromised servers, without the server owner s knowledge. Fraudsters demand a constant stream of freshly compromised servers to keep botnets running. An entire underground business known as bot herding 2 emerged to capitalize on this illicit need. Bot-herders make their living by building botnets to then sell or rent to other e-criminals. This practice has evolved to the point of Fraud-as-a-Service, the sale of prebuilt botnets ondemand, for a few hundred dollars a month. 3 It takes bot herders time and resources to seek out and compromise vulnerable servers. Economies of scale and cost-benefit apply to a bot herding business just as any other. 1 For example, Amazon Web Services refers to this as the shared responsibility model in the AWS Overview of Security Processes. 2 See http://en.wikipedia.org/wiki/bot_herder 3 The term Fraud-as-a-Service is attributed to RSA, the Security Division of EMC. See RSA Online Fraud Report (April 2008) Copyright 2011, CloudPassage Inc. 2

Compromising an elastic cloud infrastructure environment can return a windfall versus hacking into a traditional hardware server. If a bot-herder is able to place command-and-control software on a VM that later is duplicated through cloning or cloud bursting, the botnet capacity will automatically grow. For stakeholders in cloud hosting environments, the implication is a higher expectation of being targeted for server takeovers, root-kitting and botnet command-and-control insertions. Servers Have More Exposure in the Cloud Servers hosted in public IaaS environments have more exposure to compromise than servers do within the traditional data center, where layers of perimeter controls defend server weaknesses from exploit. Cloud IaaS environments rarely offer the control over network topology required to implement perimeter security strategies. As a result, vulnerabilities on each cloud server are more exposed to compromise than those in a traditional data center. In a typical private data center environment, security chokepoints and/or network demarcation zones (DMZs) exist; firewalls, intrusion detection systems (IDS) and UTM devices easily inspect external traffic from sources such as Internet connectivity. Typically, hardware acceleration within the data center boosts performance and compensate for the processing demands required to inspect and control all network traffic in and out of an organization. Because public IaaS environments rarely offer control over hardware or topology, these control mechanisms are unavailable to enterprises hosting servers there. Traditional perimeter security depends heavily on control over network factors like IP addressing, physical topology and routing. Customers of cloud IaaS do not have this control; the cloud provider usually dictates network addressing and routing. Server IP addresses are unpredictable, creating serious complications in configuring security mechanisms. Public IaaS environments also typically segment network traffic at the VM level, meaning the only traffic a server can see is its own. It is not possible to use network-level IDS, IPS or wire-level UTM mechanisms in this environment. The performance implications of each cloud server performing traffic inspection at the wire level are staggering, especially given the lack of hardware control. Even in a traditional data center with perimeter defenses in place, server-level security such as hardening, secure application configuration, and patch management are important. In the cloud, where front-line defenses are extremely limited, server-level security protection is critical. Cloud servers are largely on their own to protect themselves; strong and highly automated host-based controls are essential. Cloud Elasticity Multiplies Attack Surfaces Elasticity is a key differentiator distinguishing IaaS from other infrastructure hosting models. Servers are no longer boxes mounted to racks bolted to the floor. With virtualization and cloud technologies, servers are now files and metadata that can be instantly copied, migrated, and stored offline for later reactivation in other words, elastic. This elasticity provides companies with the ability to cloudburst, expanding the number of servers and available compute power within minutes. However, this significantly increases the risk of compromise. The problem is quite simply that as a virtual server duplicates so do its vulnerabilities and exposures. Given the speed with which servers can multiply, this issue increases the attackable surface area of a cloud server farm dramatically within minutes. Inactive machine images or snapshots are virtual machines that are saved for later reactivation or as a Copyright 2011, CloudPassage Inc. 3

template for new servers. While this capability is clearly useful, offline server images do not get updates regarding newly discovered vulnerability, policy changes, or modification to user accounts and access rights. When a hibernated server is reactivated, there will be access privileges, software vulnerabilities, and outdated configurations that expose it to immediate compromise. When adopting a cloud-hosting model, system administrators and other stakeholders should be aware of and account for these issues. One misconfigured server, either created recently or resurrected from storage, could multiply during cloning and cloud-bursting operations to become the Typhoid Mary of the cloud farm. The Boomerang Problem Organizations often turn to cloud hosting for application development Public cloud hosting reduces barriers to application development, increasing speed to market for technology-related products. Special infrastructure skills, network configuration and hardware setup time are minimal. This is an attractive proposition, especially for business and technology managers frustrated with the perceived delays and red tape associated with infrastructure setup. Sometimes central information technology organizations sanction cloud-based development efforts; in some instances, individually business units charge ahead independently. At some point, all successful development projects go into production. Sometimes the application continues to run in the public cloud environment. Often the application code comes back in-house with the cloud server in a ready-to-run virtual machine image. If cloud servers used for development are not secured properly, disastrous results often occur. These servers are highly exposed, and often the dynamic nature of application development masks signs of intrusion. Compromise impact could include code theft or insertion of malicious functionality into the new application. Any live data used for development purposes (a disturbingly frequent occurrence) could be at risk and compromised with the server. If rootkits or other malware are dropped onto the cloud server, that malware could come back to the enterprise data center. Managing New Cloud Risks Clearly there is new set of exposures and risks associated with hosting applications, data and workloads in public IaaS environments. Perimeter-oriented methods of protection that have worked for years are highly difficult or completely untenable in these environments. The dynamic nature of public and hybrid cloud server farms further complicates matters. The lack of options to protect servers in high-risk public clouds can be the deal-killer that stops companies from embracing public IaaS and realizing the obvious benefits. There is a need to bridge the gap between traditional perimeter-oriented data center security and security in dynamic cloud environments. Securing the server itself in an automated, portable, and elastic manner represents the most effective approach to practical survivability in public and hybrid clouds. By implementing best practices in a cloud-capable, elastic model, enterprises can create security for cloud-hosted applications and data that meets or exceeds what traditional perimeter-centric models can deliver. n Copyright 2011, CloudPassage Inc. 4

This paper is the first in a series of white papers from CloudPassage. This series will offer technical and operational security considerations found valuable in developing real-world strategies for securing IaaS hosting environments. In later white papers, CloudPassage will examine models, best practices, and technology alternatives for achieving portable cloud server security. Visit us at www.cloudpassage.com to learn more. About CloudPassage CloudPassage is a security SaaS company offering the industry s first and only server security and compliance solutions purpose-built for elastic cloud environments. The company addresses the technical challenges of securing highly dynamic cloud hosting environments where consistent physical location, network control and perimeter security are not guaranteed. The company s early product feature set includes high-accuracy server security configuration and vulnerability management and centralized management of host-based firewalls. The innovative capabilities of the Halo platform operate across infrastructure models and seamlessly handle cloud server bursting, cloning, and migration. Headquartered in Menlo Park, California, CloudPassage is backed by a number of well-known venture capital firms and angel investors. Copyright 2011, CloudPassage Inc. 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information