Cloud Security Challenges and Guidelines

Theo Dimitrakos
Chief Security Researcher, BT Research & Technology
Professor of Computer Science, University of Kent
Contact: theo.dimitrakos@bt.com

British Telecommunications plc. BT Assure. Security that matters.
Security Research & Innovation: Protect BT

Application areas: Cyber SOC; Global Threat Monitoring; Cable Theft; Physical Security; Future Home Security; Secure Cloud Storage; Intelligent Protection; Network Alarm Correlation.
Enabling technologies: Visual Analytics; AI; Malware Evolution; Virtualisation and application security.
Change factors in a networked world

- Cloud Computing: disappearing perimeters; business services distributed over the network; global operations; big data at rest on the network / exposed via the network
- Network Virtualisation: virtualisation of networks and network devices; new ways of operating network infrastructures
- Internet of Things: massive interconnection of cloud services and smart devices; global distribution (smart cities, smart health, smart energy, etc.); fusion of services with new areas that did not rely on IT networks
- Content Networks & New Media: new and more complex content; complex content and media delivery schemes
- Mobile Network Evolution: 4G evolution and deployment; BYOD proliferation; complex interleaving communication channels
- Social Networks: new socio-technical models
- Cyber Crime: fusion of traditional and internet crime; reputation damage and attacks
- Cyber Terrorism: the network increasingly a theatre of state, group and activist terrorism; complex supply chains; fusion of civil / defence networks
Example: commonly referenced cloud security incidents

Bad co-hosts:
- Amazon: "Hey Spammers, Get Off My Cloud!" (2008)
- Megaupload US prosecutor investigation (2012)
Service availability:
- Bitbucket's Amazon DDoS: what went wrong (2009)
- AWS EBS cloud storage services outage (2011): impact on Netflix vs. Foursquare
Risk communication and response:
- DigiNotar (June 2011)
- RSA SecurID (March 2011)
In-cloud federated identity management and entitlement management:
- Security issues with Google Docs
- Security issues with the Sony user network
Lack of standards
Hypervisor and virtual machine vulnerabilities:
- An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf
- Blue Pill http://en.wikipedia.org/wiki/blue_pill_(malware); see also http://invisiblethingslab.com/itl/about.html
- Cloudburst: arbitrary code execution vulnerability for VMware http://www.blackhat.com/presentations/bh-usa-09/kortchinsky/bhusa09-kortchinsky-cloudburst-slides.pdf
Crypto ops in VMs:
- Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine (a VM restored from a snapshot resumes with the same randomness state it had when the snapshot was taken, so the same "random" values can be used twice)
Data provenance: where did the data come from?
Data remanence: you can check out but you can't leave
Location and privacy: who looks at / after your data? And where? Which jurisdictions?
Cloud Security: the challenges (virtualised infrastructure)

Network virtualisation:
- Shared processor and memory among virtual appliances
- Overhead on packet processing and on forwarding rate; impact of security processing
- Virtualised network governance
- Packet processing on a virtualised infrastructure
- Improperly configured virtual firewalls or virtual networking
- Inspection of intra-VM traffic on virtual networks (traffic between VMs on the same host never reaches a physical tap)
Virtualisation / hypervisor security threats:
- Data leakage through offline images
- Improperly configured hypervisor
- Hypervisor vulnerabilities and malware
- Virtual machine images / virtual appliances containing malicious code (prebuilt)
Confidentiality: efficient data encryption process and encrypted processing function
Integrity: integrity monitoring of virtual images, network traffic and protocol processing; accountability
Resource isolation: bandwidth slicing; virtual-to-physical mapping; network processor scheduling
Cloud Security: the challenges (cloud and virtual infrastructure security)

What CSPs typically don't do:
- Allow clients to classify data
- Offer different levels of security based on data sensitivity
- Offer Data Leakage Prevention (DLP) services
- Co-ordinate security policies and provisioning for network and server virtualisation
- Location / resource optimisation that takes security into account
End-to-end virtualisation and active shielding:
- Near real-time virtual patching
- Intrusion prevention at hypervisor level, below the guest OS
- Malware prevention / detection at hypervisor level
- Isolation (inter-VM and hypervisor)
VM security:
- Robust at system level (modulo kernel bugs)
- Issues at the management plane
- Memory hijacking
- The guest OS still needs its own security protection
- Resilient VM lifecycle: dynamic, at massive scale
Crypto doesn't like virtual:
- Current algorithms are tuned to optimise resource pooling rather than cryptographic work
- Specialised hardware (crypto accelerators, HSMs) can't always be used from a VM
- Encryption key management
- Physical-to-virtual mapping
Hypervisor security:
- Hypervisor / trusted VM: the best place to secure, but with limited compute resources
- Security API standards
- Hypervisor vulnerabilities are difficult to exploit but high-impact
- Do you trust Microsoft? Do you trust VMware?
Cloud Security: the challenges (platform, data and services)

Cloud platform lock-in:
- Lack of standards; lack of interoperability
- Limited service portability
- Incompatible management processes
Multitenancy and security of shared resources:
- Process isolation; data segregation
- Data sharding (fragments spread across images)
- Entitlement and access management (who is the policy-issuing authority?)
Law and compliance:
- Provider, resource and data location; cross-border data movement
- PII and privacy obligations (HIPAA, GLBA)
- Auditing and compliance (PCI, ISO 27001); poor quality of evidence
Data location and mobility:
- EU vs. US vs. China (government access); differences in data protection
- Cost of keeping data hosted in the EU
- Audit data legally owned by the CSP: refusal to hand over audit logs?
- Difficult to involve law enforcement with CSP activities
Resilience and availability:
- Latency-sensitive applications
- Enforcement of SLA obligations
- Insufficient capabilities for managing critical data
Cloud data and services security:
- In-cloud segregation of data is difficult
- Accidental seizure of customer data during forensic investigations (data co-mingling)
Security in depth:
- VMs provided by the IaaS provider
- Platform stack provided by the PaaS provider
- IaaS and PaaS issues plus application security
Cloud Security: the challenges (identity, access and application integration)

Distributed access management:
- Credential mapping
- Authorisation with constrained delegation (policy integrity and recognition of authority)
- Trust and federation
- Security auditing
Identity lifecycle management:
- Provisioning; identity integration; user management
- Credential management; entitlement management
- Device credentials; PKI infrastructure
Cloud application security:
- Application service integration
- Virtual directory services
- Active Directory / LDAP: attributes, credentials and groups for edge servers
- Federation and edge server security
- Secure application integration fabric (secure ESB gateway)
Example: cloud computing technology innovation vs. cyber security challenges

Stage 1, commoditised virtualisation (cloud islands):
- Security API for the hypervisor; virtual data centre; service management layer
- Commoditised elasticity; commoditised data abstraction and data federation
- User-defined hosting; on-demand elasticity; flexible charging model; rapid provisioning / de-provisioning
- Customer-defined standalone cloud applications
- Cloud-island-specific security in depth; per-customer isolation and multitenancy
- Cloud vs. managed service delivery model
Stage 2, common capabilities (virtual private clouds, community clouds):
- Reusable and customisable enabling services offered via a cloud service delivery model: identity and access, data and system security, data federation, performance monitoring, intelligent reporting, auditing, usage control, licensing, optimisation
- Customer-defined security and QoS
- Customer-centric identity and access federation; customer-aware process and data isolation; customer-defined process and data federation
- Secure private network overlay offered as a service over the internet
- Customer-centric cloud application composition
- Community-specific virtual private clouds; in-cloud collaboration, community management and identity federation services
- Vertical integration of hosting and community-specific cloud applications
Stage 3, cloud-aware applications (cloud service assembly):
- Commoditisation of cloud application stores; commoditisation of SDKs for cloud applications
- Take advantage of cloud IaaS or PaaS to develop SaaS; ability to deploy your cloud SaaS over a targeted SaaS / PaaS
- SDK methods for on-demand elasticity, in-cloud hosting and dynamic resource provisioning
- Standardisation of cloud service management interfaces; commoditisation of cloud assembly processes and tools
- Vertical value-chain-specific federation
- Ability to mix and match cloud infrastructure and in-cloud common capabilities when producing cloud applications
- Ability to specify and rapidly provision mixed delivery models, e.g. SaaS on 3rd-party PaaS, PaaS on 3rd-party IaaS
Stage 4, open cloud federation (cloud aggregation ecosystem):
- Standardisation of cloud common capabilities: cloud service management interfaces, cloud access management and federated identity models, cloud service monitoring and reporting, cloud licence management services
- Virtual private local network over the internet; user-defined virtual private cloud
- Standardised cloud charging models, including auctions
- Standardisation of cloud service assembly processes
- Virtual data centres assembled over multiple IaaS clouds by different providers
- PaaS over federated IaaS with integrated common capabilities by multiple 3rd parties
- Commoditisation of a "make your own cloud" capability
Example: cloud security innovation roadmap at BT Research & Technology

Cloud security innovation strategy and strategic foresight:
- Market evolution analysis; market analysis revision
- Cloud information assurance metrics
- In-cloud security cost-benefit analysis
- Cloud ecosystem security value network; cloud security value network revision
Technical innovation challenges and solutions:
- Cloud security risk assessment (eGov)
- Recommendations for a high-level secure cloud architecture for government (IaaS)
- Recommendations for a high-level secure cloud architecture for government (SaaS)
Cloud federation:
- Secure Cloud Service Broker
- Virtual hosting on federated clouds
- Multi-Cloud Intelligent Protection; Multi-Cloud Secure Storage
- Cloud Federation Management; Cloud Federation Fabric; Cloud Aggregation Environment
- Cloud CERT
Cloud security services:
- SSO and Identity Management as a Cloud Service
- Accountable Entitlement Management (in-cloud)
- Secure cloud storage service
- Cloud SaaS security / confidentiality enhancements
- Cloud cyber-incident management
Cloud security infrastructure:
- Virtual patching; in-cloud malware scanning
- Cloud information assurance metrics; cloud security analytics
- Application-aware behavioural malware detection (in-cloud)
Secure virtualisation:
- Hypervisor-level malware detection, intrusion prevention and data leak prevention
- Use of trusted hardware in virtual data centres and cloud
Legend: BT core technology innovation activity; long-term research; research collaboration; strategy / guidelines.
Cloud Security Challenges and how we address them

Technology risks:
- Multi-tenancy (shared infrastructure): hypervisor vulnerabilities; lack of cloud-specific security solutions
- Protection in depth and security at multiple layers: defence in depth is complex to achieve in the cloud; resource sharing; poor process isolation / data segregation; data sharding, remanence (erasure) and co-mingling; virtual image provided by the IaaS provider, platform stack by the PaaS provider, SaaS application security
- Resilience and availability: latency controls for sensitive applications; inability to enforce high-assurance SLAs; CSP unable to provide QoS for sensitive applications
- Data location and mobility: EU vs. US vs. China regulations (government access); differences in data protection between EU regions; examples of CSPs refusing to hand over audit logs; cross-border data movement
- Information assurance and compliance: privacy obligations (DPA, HIPAA, GLBA); auditing and compliance (PCI, ISO 27001)
Corporate risks:
- Cloud vendor lock-in: lack of standards / interoperability; limited service portability; incompatible management processes
- Lack of transparency; limited auditability
- Global CSPs and regulatory compliance
How we address them:
- Direct innovation downstream to BT MFUs / platforms
- Influence EU / UK policy (via expert advisory groups / agencies)
- Influence industry via CSA and ISF
Examples of Collaborative Research Impact & Value Generation: overview

Influence strategy and policy at EU and national level; contributors to ENISA advisory reports on cloud security:
- Cloud Computing: Benefits, Risks and Recommendations
- Security and Resilience of Governmental Clouds
- Procure Secure: security levels in cloud contracts
- Governmental Clouds: Good Practice Guide
- Incident Reporting in the Cloud
2010-2013, EU collaboration, cloud technology development: Intelligent Protection; Secure Cloud Storage; multi-cloud VPN overlay; trust assessment; cloud compliance assessment.
2014-2017, cloud technology trials and validation: Governmental Cloud Store capabilities; Intelligent Protection for governmental applications; cloud data protection services; Federated Identity as a Service for PSN and G-Cloud.
Trials: central government (Greek Ministry of Finance); municipalities (London, UK; Genova, Italy; Belgrade, Serbia).
Examples of Collaborative Research Impact & Value Generation: illustrative case

Research, development and experimentation:
- FP6 TrustCoM IP (2004-7): security policy management automation
- FP6 BEinGRID IP (2006-9): common capabilities for cloud; cloud architecture security patterns
- FP7 OPTIMIS IP (2010-13): Secure Cloud Broker; common capabilities for cloud data and application protection
- FP7 FED4FIRE experiments (2014): multi-cloud data and application protection at large scale
Technology and business validation:
- CIP STRATEGIC: secure cloud service store
- EIT HII Trusted Cloud: secure cloud platform
BT customisation and productisation:
- BT Cloud Compute: platform, application and data security; identity federation
- BT Security: cloud security services; Identity as a Service
Cloud security: current areas of BT innovation and solutions

- Cloud security research
- In-cloud security services: application and virtual server protection; identity and federation; storage and data protection
- Secure community clouds: governance, standards, compliance, assurance
- Platform and infrastructure security: protecting BT's cloud platforms; protecting BT's use of cloud infrastructure, platform and application services
One capability, multiple cloud security service models

Multi-cloud protection:
- One security dashboard; security policy management interface; governance process
- Many control points: cloud platforms, applications and servers
- Horizontal / reusable capability, fully integrated with cloud application deployment
- Automated policy derivation (security intelligence); automated security patching per application
- Customisable self-management interface
Cloud store / marketplace:
- Multi-cloud; one click to buy; configurable security options
- Horizontal / reusable capability, fully integrated with cloud application deployment
- Automated policy derivation (security intelligence); automated security patching per application
Cloud platform enhancement:
- One click to buy; in-flight provisioning; inventory sync
- Multi-cloud deployment
Cross-cloud, application-defined security policy:
- Application-defined virtual network overlay
- Application-defined security policy group
Delivery options: fully managed, cloud-based, on-premise, self-managed.
BT Cloud Security Services Incubator: enabling open innovation

Idea generation (Research): ideas for new products and services; ideas for changing commercial models and value propositions; ideas to make things faster.
Strategic collaboration (Alpha): define the community, qualify and prioritise opportunities; research prototype to refine the concept in partnership with the community; validate candidate technologies / software.
Customer trials (Beta): work with customers to trial new innovations; obtain early market feedback and test commercial attractiveness and viability.
New products and propositions (Platform): once concepts have been proven with customers they are down-streamed to product platforms.
Alpha at Adastral Park, run by R&T; supports ISV integration, hot houses, etc. Beta at London GS2, run by GS; tactical ops from IPsoft. Targeting LatAm, US, Asia-Pac.
Thought-leadership: innovation demonstrators

Cloud broker and federation: Secure Cloud Service Broker; cloud community management; cloud identity and federation management.
Cloud application security: Intelligent Application Protection; Accountable Entitlement Management; confidentiality / compliance for cloud SaaS; GRC Assessor.
Cloud system security: secure data storage and sharing; Intelligent System Protection; virtual security patching.
Secure virtualisation: hypervisor-level malware detection; hypervisor-level intrusion prevention; hypervisor-level data leak prevention.
The BIG picture: towards a secure cloud blueprint (diagram slide)
BT thought-leadership: overview of external collaborations

- Co-authors of the ENISA expert advisory report on cloud security risk analysis
- Contributors to CSA security guidelines and lead of the virtualisation security work stream
- Co-authors of the BT Cloud Security standard
- Contributors to the ENISA expert group on government use of cloud computing
- Leading Governmental Cloud Services Store and cloud security activities on STRATEGIC, a 5 million innovation validation project
- Led the cloud brokerage and federation use case at OPTIMIS, a 10.5 million collaborative R&D project
- Led BEinGRID (chief scientist / technical director), the largest R&D investment (25 million) on next-generation SOA in Europe
- Invited speakers at events: InfoSec, CloudSecurity, RSA, e-crime, Intellect, ISF, CSO Summit, etc.
- 3 books and several technical papers in cloud and next-generation SOA
Protection in the Cloud: BT Intelligent Protection Theo Dimitrakos theo.dimitrakos@bt.com
Intelligent Protection Service: protection of systems and apps in the cloud
Security is secretly out of control.

What is it?
- A cloud security service designed and developed to address customer demand for protecting virtual servers and hosted applications on cloud infrastructures.
- Supports multiple cloud service providers, including BT Cloud Compute, Amazon EC2, vCloud, etc.
- Comprehensive security solution: virtual firewall, intrusion prevention / detection, security patch management, anti-malware.
- Deploys security patching and intrusion prevention with no downtime.
- Central security portal to manage protection across multiple cloud platforms.
- Automatically protects applications / systems deployed in a virtual environment.
- Flexible delivery of protection: at hypervisor / virtualisation management level, or by self-installing agents on 3rd-party environments.
- Automatically integrates with application deployment via the Service Store.
Current status
- About to go live in the next release of BT Cloud Compute.
- The marketplace and Intelligent Protection service can be used to auto-provision on the most popular cloud infrastructure / platform providers.
Benefits
- Reduction of complexity through integration with the cloud environment for automatic capability provisioning, lifecycle management and inventory synchronisation.
- Provides vulnerability protection.
- Eliminates the cost and risk of deploying, integrating and managing complex security software or appliances.
Next steps
- Inclusion in the BT Compute product roadmap
- BT Wholesale proposition
DEMO at https://researchplatform.zion.bt.co.uk/demos/ipandsc
Important elements of cyber security strategy & innovation

Protection lifecycle (a cycle): intelligence; prevention and protection; continuous assessment; adapt and respond; remediation planning and impact analysis.
Other important elements:
- Think global: understand the societal, business and technology evolution
- Share intelligence with care
- Carefully attribute responsibility: think of the whole supply chain
- Design for change and adaptation; understand the impact of change
- Learn from your own and others' mistakes
- Centralise visibility and control; distribute the ability to enforce and self-adapt within policy and context
BT Intelligent Protection: core strengths and innovative features

- In-flight intrusion prevention, no downtime
- Comprehensive security solution: virtual firewall, IPS, security patch management, anti-malware
- 360° protection of customer applications
- Built for cloud / VDC: hypervisor-level security is more effective and easier to integrate into the cloud
(Diagram: Intelligent Protection, security dashboard, cloud portal)
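The "virtual patching" and "in-flight intrusion prevention" claims on this and the previous slides, and the "near real-time virtual patching" item on the challenges slide, all rest on one mechanism: a rule layer sitting between the network and an application with a known but not yet patched weakness, where the rules are data that can be loaded and unloaded without restarting the application. The following is an added example written for this page; it is not BT Intelligent Protection code, whose internals the slides do not show. The `Request`, `Rule` and `VirtualPatch` names and the stand-in `vulnerable_app` are this example's own, and the two rules (a path-traversal signature applied after decoding, and quarantining an endpoint to an IP allow-list) are illustrative.

```python
"""Virtual patching: a hot-swappable rule layer in front of an unpatched app.

Added example, not BT product code. Rules are data held by VirtualPatch, so
a new rule can be loaded while the guarded application keeps serving.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    src_ip: str = "0.0.0.0"
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    rule_id: Optional[str] = None
    reason: str = ""


@dataclass
class Rule:
    """A rule is an identifier, a human-readable reason and a predicate over a
    normalised request. Keeping rules as data is what makes them swappable."""
    rule_id: str
    reason: str
    matches: Callable[[Request], bool]


def normalise(req: Request) -> Request:
    """Decode percent-encoding twice (defeats double encoding such as %252f)
    and fold backslashes so the rule sees the bytes the app would act on."""
    def clean(s: str) -> str:
        return unquote(unquote(s)).replace("\\", "/")
    return Request(req.method.upper(), clean(req.path), clean(req.query),
                   req.src_ip, req.headers)


# ".." as a whole path segment, at the start or after a separator / delimiter.
_TRAVERSAL = re.compile(r"(^|[/=&?])\.\.(/|$)")


def traversal_rule() -> Rule:
    return Rule("VP-001", "path traversal in path or query",
                lambda r: bool(_TRAVERSAL.search(r.path)) or bool(_TRAVERSAL.search(r.query)))


def quarantine_rule(prefix: str, allowed_nets: List[str]) -> Rule:
    """Fence off a vulnerable endpoint to an allow-list until the real fix ships."""
    nets = [ip_network(n) for n in allowed_nets]
    def matches(r: Request) -> bool:
        return r.path.startswith(prefix) and not any(ip_address(r.src_ip) in n for n in nets)
    return Rule("VP-002", f"endpoint {prefix} quarantined pending patch", matches)


class VirtualPatch:
    def __init__(self, rules=()):
        self._rules: Dict[str, Rule] = {}
        self.audit: List[Tuple[str, str, str, str]] = []   # (rule, src_ip, method, path)
        for r in rules:
            self.load(r)

    def load(self, rule: Rule) -> None:        # in-flight: no restart of the app
        self._rules[rule.rule_id] = rule

    def unload(self, rule_id: str) -> None:    # e.g. once the vendor patch is applied
        self._rules.pop(rule_id, None)

    def inspect(self, req: Request) -> Decision:
        n = normalise(req)
        for rule in self._rules.values():
            if rule.matches(n):
                self.audit.append((rule.rule_id, req.src_ip, req.method, req.path))
                return Decision(False, rule.rule_id, rule.reason)
        return Decision(True)

    def protect(self, app: Callable[[Request], Tuple[int, str]]):
        """Wrap an application callable; blocked requests never reach it."""
        def guarded(req: Request) -> Tuple[int, str]:
            d = self.inspect(req)
            if not d.allowed:
                return 403, f"blocked by {d.rule_id}: {d.reason}"
            return app(req)
        return guarded


def vulnerable_app(req: Request) -> Tuple[int, str]:
    """Stand-in for the unpatched application (constructed for this example)."""
    return 200, f"served {req.path}"
```

Rule VP-001 only fires after decoding, which is the point: an IPS that matches on the raw wire bytes is bypassed by `%2e%2e%2f` or by double encoding, whereas the application decodes before it touches the filesystem. VP-002 shows the other common shape of a virtual patch, narrowing who can reach a weak endpoint at all; when the vendor fix lands, `unload("VP-002")` removes it with the application still running.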
Automatic Application Protection: cloud service provisioning

During application provisioning, customers / tenants:
- Purchase an Intelligent Protection licence for the required security modules (firewall, anti-malware, intrusion detection, integrity monitoring, log inspection)
- Select an application from the application marketplace
- The deployed application is then automatically protected with the selected security options
Automatic Application Protection (three screenshot slides of the provisioning flow, not reproduced here)
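Integrity monitoring, sold above as one of the purchasable modules and listed on the challenges slide as "integrity monitoring: virtual image", is in practice a baseline manifest of file digests and attributes compared against the running image, with the baseline itself protected so that an attacker who changes a file cannot also quietly change the record of it. The following added example, written for this page rather than taken from BT's product, shows that core: it hashes a directory tree, seals the manifest with an HMAC under a key the monitored VM does not hold, and reports added, removed and modified files. The sample image in `run_demo` is constructed in a temporary directory; all names are this example's own.

```python
"""File integrity monitoring of a VM image: sealed baseline, then compare.

Added example, not BT product code. The HMAC key is assumed to live with the
monitoring service, never inside the monitored guest.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def _sha256_file(path: Path) -> str:
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, dict]:
    """Digest, permission bits and size of every regular file under root.
    Paths are relative and POSIX-style so a manifest taken from an offline
    image can be compared with one taken inside the running guest."""
    manifest: Dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": _sha256_file(p),
                "mode": st.st_mode & 0o7777,
                "size": st.st_size,
            }
    return manifest


def _canonical(manifest: Dict[str, dict]) -> bytes:
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal(manifest: Dict[str, dict], key: bytes) -> dict:
    """Authenticate the baseline so editing a file and its baseline entry
    together is still detected."""
    mac = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "mac": mac}


def unseal(sealed: dict, key: bytes) -> Dict[str, dict]:
    expected = hmac.new(key, _canonical(sealed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("baseline manifest failed integrity check")
    return sealed["manifest"]


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified (digest, mode or size)."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def run_demo() -> dict:
    """Constructed scenario: baseline a tiny image, simulate a compromise
    (trojaned binary, extra root account, dropped file, deleted cron job),
    then try to pass off a rewritten baseline under the old MAC."""
    key = b"monitoring-service-key (constructed)"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        image = {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
            "usr/bin/app": b"\x7fELF constructed application binary v1\n",
        }
        for rel, data in image.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        sealed = seal(build_manifest(root), key)

        # Simulated compromise of the running guest.
        (root / "usr/bin/app").write_bytes(b"\x7fELF constructed application binary v1 + backdoor\n")
        with (root / "etc/passwd").open("ab") as f:
            f.write(b"svc:x:0:0::/:/bin/sh\n")
        (root / "tmp").mkdir()
        (root / "tmp/.hidden").write_bytes(b"dropped payload\n")
        (root / "etc/cron.d/backup").unlink()

        report = compare(unseal(sealed, key), build_manifest(root))

        # Attacker rewrites the baseline to match but cannot recompute the MAC.
        forged = {"manifest": build_manifest(root), "mac": sealed["mac"]}
        try:
            unseal(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}
```

Two details matter operationally. Mode bits are part of the record, so a setuid bit appearing on an unchanged binary is reported as a modification, not missed. And the baseline is compared from outside the trust boundary of the guest; a baseline stored writable inside the VM is only as good as the VM's own integrity, which is exactly what the hypervisor-level placement on the earlier slides is meant to avoid.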
Cloud Security Services: protection of data in the cloud
Security is secretly out of control.

Secure cloud data protection service. What is it?
- Not just another cloud (i.e. network-accessible) storage service
- A cloud security service enabling customers to manage data protection across many cloud infrastructures
- Virtual hard-disk volume encryption offered as a service
- Decryption only possible in safe environments following policy-based approval
- Protected data mobility across servers and across clouds
- Customer in control of compliance with data-protection policies across many clouds and regions
- Faults and security breaches visible across clouds
- Seamless integration with cloud service stores and interoperability with most cloud platforms
Current status
- About to go live on BT Cloud Compute. The marketplace and Intelligent Protection service can be used to auto-provision on the most popular cloud IaaS / PaaS.
- BT intellectual property (2 core and 9 related patents)
- Estimated impact of protecting revenue > 30M p.a.
- Selected for trial with municipalities (UK, Italy, Serbia) and central government services (Lithuania, Greece)
How it works
- The customer is in control of connection, protection and access to secure virtual storage.
- Decryption is only possible when data is used in a specific safe environment following policy-based approval.
- Policy-driven key management: identity- and integrity-based enforcement ensures that only authorised virtual machines receive keys and access to secure storage; key release and virtual machine authorisation are automated for rapid operation; policies determine when and where keys may be used.
- Advanced encryption: FIPS 140-2 certification and FIPS-approved AES encryption; encrypts and decrypts in real time so that data is always protected; whole-volume encryption secures all data, metadata and associated structures.
- Robust auditing, reporting and alerting: actions are logged in the management console for audit purposes; detailed reporting and alerting with incident-based and interval-based notifications.
Caveat: whole-volume encryption protects data at rest and in transit between clouds. Once a volume is unlocked and mounted, the plaintext is available to everything running inside that VM, so the guest still needs the system and application protection described on the earlier slides.
DEMO at https://researchplatform.zion.bt.co.uk/demos/ipandsc
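The "policy-driven key management" bullets above describe attestation-gated key release: the volume key leaves the key service only for a VM whose identity is known, whose integrity measurement matches the approved image, and whose region the policy permits, with every decision logged. The following added example implements that decision logic for this page; it is not BT's secure storage service, and the slides do not describe its protocol. An HMAC under a per-VM enrolment secret stands in for the TPM- or hypervisor-backed attestation a real deployment would use; the AES volume encryption itself is out of scope, so the released key is simply the 32-byte value a volume would be encrypted under. All names (`KeyServer`, `VolumePolicy`, `attest`, the VM and volume identifiers) are this example's own, and the scenario in `run_demo` is constructed.

```python
"""Attestation-gated release of a volume encryption key.

Added example, not BT product code. A per-VM enrolment secret plus HMAC
stands in for hardware-backed attestation; AES volume encryption is assumed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VolumePolicy:
    """Who may receive this volume's key, and under which conditions."""
    allowed_vms: Set[str]
    required_measurement: str   # SHA-256 of the approved VM image
    allowed_regions: Set[str]


@dataclass
class Attestation:
    """What a VM presents when it asks for a key."""
    vm_id: str
    measurement: str
    region: str
    nonce: str
    mac: str


def _message(vm_id: str, measurement: str, region: str, nonce: str) -> bytes:
    return f"{vm_id}|{measurement}|{region}|{nonce}".encode()


def attest(vm_id: str, enrolment_secret: bytes, measurement: str, region: str, nonce: str) -> Attestation:
    """VM side. The nonce comes from the server so a captured attestation
    cannot be replayed later."""
    mac = hmac.new(enrolment_secret, _message(vm_id, measurement, region, nonce), hashlib.sha256).hexdigest()
    return Attestation(vm_id, measurement, region, nonce, mac)


class KeyServer:
    """Holds volume keys and releases one only when the policy is satisfied."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._policies: Dict[str, VolumePolicy] = {}
        self._vm_secrets: Dict[str, bytes] = {}
        self._live_nonces: Set[str] = set()
        self.audit: List[Tuple[str, str, str, str]] = []   # (outcome, volume, vm, reason)

    def enrol_vm(self, vm_id: str, secret: bytes) -> None:
        self._vm_secrets[vm_id] = secret

    def create_volume(self, volume_id: str, policy: VolumePolicy) -> None:
        self._keys[volume_id] = secrets.token_bytes(32)   # the AES-256 volume key
        self._policies[volume_id] = policy

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._live_nonces.add(nonce)
        return nonce

    def request_key(self, volume_id: str, att: Attestation) -> Optional[bytes]:
        def deny(reason: str) -> None:
            self.audit.append(("DENY", volume_id, att.vm_id, reason))
            return None

        policy = self._policies.get(volume_id)
        if policy is None:
            return deny("unknown volume")
        secret = self._vm_secrets.get(att.vm_id)
        if secret is None:
            return deny("unknown VM")
        # Authenticity first: an unauthenticated request must not consume a nonce.
        expected = hmac.new(secret, _message(att.vm_id, att.measurement, att.region, att.nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, att.mac):
            return deny("bad attestation MAC")
        if att.nonce not in self._live_nonces:
            return deny("stale or replayed nonce")
        self._live_nonces.discard(att.nonce)
        if att.vm_id not in policy.allowed_vms:
            return deny("VM not entitled to volume")
        if not hmac.compare_digest(att.measurement, policy.required_measurement):
            return deny("integrity measurement mismatch")
        if att.region not in policy.allowed_regions:
            return deny("region not permitted")
        self.audit.append(("RELEASE", volume_id, att.vm_id, "policy satisfied"))
        return self._keys[volume_id]


def run_demo() -> Tuple[dict, list]:
    """Constructed scenario: one approved release and five refusals."""
    server = KeyServer()
    approved_image = b"constructed approved boot image v1"
    good = hashlib.sha256(approved_image).hexdigest()
    s1, s2 = b"enrolment-secret-vm-01", b"enrolment-secret-vm-02"
    server.enrol_vm("vm-app-01", s1)
    server.enrol_vm("vm-app-02", s2)
    server.create_volume("vol-finance", VolumePolicy({"vm-app-01"}, good, {"eu-west"}))

    r = {}
    nonce = server.challenge()
    key = server.request_key("vol-finance", attest("vm-app-01", s1, good, "eu-west", nonce))
    r["approved"] = key is not None and len(key) == 32
    # Replaying the same attestation must not yield the key again.
    r["replay"] = server.request_key("vol-finance", attest("vm-app-01", s1, good, "eu-west", nonce)) is None
    # Same VM, modified image: integrity check fails.
    tampered = hashlib.sha256(approved_image + b" + rootkit").hexdigest()
    r["tampered"] = server.request_key("vol-finance", attest("vm-app-01", s1, tampered, "eu-west", server.challenge())) is None
    # Right VM and image, wrong region.
    r["region"] = server.request_key("vol-finance", attest("vm-app-01", s1, good, "us-east", server.challenge())) is None
    # Properly enrolled VM that the policy does not entitle.
    r["unentitled"] = server.request_key("vol-finance", attest("vm-app-02", s2, good, "eu-west", server.challenge())) is None
    # Claiming vm-app-01's identity without its enrolment secret.
    r["forged"] = server.request_key("vol-finance", attest("vm-app-01", b"guess", good, "eu-west", server.challenge())) is None
    return r, server.audit
```

The ordering of checks is deliberate: the MAC is verified before the nonce is consumed, so an unauthenticated caller cannot burn challenges, and the audit trail records the first failing condition for every refusal, which is what "logs actions for audit purposes" on the slide has to mean for a key service to be useful in an investigation.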
Cloud-based Identity Management Service. Future challenge: the traditional enterprise in a changing world

The enterprise now spans social media, cloud apps and web services, cloud platform and infrastructure, SaaS and the internal enterprise cloud, bringing:
- Silo expansion
- Identity shadowing
- Policy fragmentation
- Loss of control
Cloud-based Identity Management Service. Future challenge: the cloud-ready, always-connected enterprise

Cloud / hosted service providing, for both on-premise and in-cloud services and applications:
- Holistic identity lifecycle management
- Privileged identity
- Governance and audit
- Federation and SSO
- Fraud prevention
Gateway / bridge to enterprise resources for:
- Identity management
- Enterprise governance
- Access management
- Information protection
Spans social media, cloud apps and web services, cloud platform and infrastructure, SaaS and the internal enterprise cloud.
Future identity challenges case study: BT Cloud Compute Service Store.