Outline SECURE CLOUD COMPUTING Introduction (of many buzz words) References What is Cloud Computing Cloud Computing Infrastructure Security Cloud Storage and Data Security Identity Management in the Cloud Security Management in the Cloud Privacy Audit and Compliance Legal aspects Cloud Service Providers Security as a Service Impact of Cloud Computing Directions OpenStack- architecture Part of slides are from Dr. Bhavani Thuraisingham, 2011 References Cloud Security Alliance, https://cloudsecurityalliance.org/education/white-papers-andeducational-material/ NIST: Cloud Computing Security Reference Architecture (SP 500-299) All material from Security Guidance for Critical Areas of Focus in Cloud Computing v2.1, http://www.cloudsecurityalliance.org All figures in this talk taken from this paper NIST Cloud Model: www.csrc.nist.gov/groups/sns/cloudcomputing/index.html Various cloud working groups Open Cloud Computing Interface Working Group, Amazon EC2 API, Sun Open Cloud API, Rackspace API, GoGrid API, DMTF Open Virtualization Format (OVF) Cloud Security and Privacy: Mather, Kumaraswamy and Latif, O Reilly Publishers What is Cloud Computing? Overview Definition The SPI Framework Traditional Software Model Cloud Services Delivery Model Deployment Model Key Drivers Impact Governance Barriers Or simply: The Network is the Computer (Sun Microsystems, 1997)
Definition of Cloud Computing Somewhat hard. The following aspects should somehow be involved Multitenancy - shared resources Massive scalability Elasticity on demand, expand or shrink resources Self provisioning of resources Moveable resources Pay as you go (e.g. Amazon EC2) A Massive Concentration of Resources Also a massive concentration of risk expected loss from a single breach can be significantly larger concentration of users represents a concentration of threats Ultimately, you can outsource responsibility but you can t outsource accountability. What, When, How to Move to the Cloud Identify the asset(s) for cloud deployment Data Applications/Functions/Process Evaluate the asset Determine how important the data or function is to the org SPI Framework What the Cloud offers Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) Several Technologies work together to make this work Cloud access devices Browsers and thin clients High-speed broadband access Data centers and Server farms Storage devices Virtualization technologies APIs
Traditional Software Model Some characteristics Large upfront licensing costs Annual support costs Depends on number of users Not based on usage Organization is responsible for hardware Security is a consideration Customized applications Cloud Services Delivery Model SaaS Rent software on a subscription basis Service includes resources: software, hardware and support Users access the service through an authenticating interface Suitable for a company to outsource hosting of apps PaaS Vendor offers development environment to application developers Provide develops toolkits, building blocks, payment hooks IaaS Processing power and storage service Hypervisors used to turn HW into IaaS Deployment Models SaaS Paas IaaS Public Clouds Hosted, operated and managed by third party vendor Security and day to day management by the vendor Private Clouds Networks, infrastructures, data centers owned by the organization Hybrid Clouds Sensitive applications in a private cloud and non-sensitive applications in a public cloud Community Clouds Infrastructure shared by organizations to support a community Virtual Private Clouds Simulate Private cloud in other cloud
Sample Clouds Key Drivers of CC Smaller investment and low operating costs Economies of scale Open standards Sustainability From Security Guidance for Critical Areas of Focus in Cloud Computing v2.1, p.18 Impact Governance Apps Services How are the following communities impacted by the Cloud? Individual Customers Individual Businesses Start-ups Small and Medium sized businesses Large businesses Five layers of governance for IT Network, Storage, Server, Services and Apps For on premise(traditional) hosting, organization has control over Storage, Server, Services and Apps; Vendor and organization have share control over networks For SaaS model all layers are controlled by the vendor For the IaaS model, Apps are controlled by the organization, Services controlled by both while the network, storage and server controlled by the vendor For PaaS, Apps and Services are controlled by both while servers, storage and network controlled by the vendor Server Storage Network
Impact of cloud computing on the governance structure of IT organizations Barriers to CC Security Privacy Connectivity and Open access Reliability Interoperability Independence from CSP (cloud service provider) Economic value Incident Response governance Changes in IT organization Political issues From [6] Cloud Security and Privacy by Mather and Kumaraswamy Companies are still afraid to use clouds Cloud Computing Infrastructure Security Infrastructure Security at the Application Level Infrastructure Security at the Host Level Infrastructure Security at the Network Level Apps Services Server Storage Network We will examine IaaS, PaaS and SaaS Security issues at Network, Host and Application Levels [Chow09ccsw]
Security at the Network Level Security at the Host Level Ensuring data confidentiality and integrity of the organizations data in transit to and from the public cloud provider Ensuring proper access control (AAA) to resources in the public cloud Ensuring availability of the Internet facing resources of the public cloud used by the organization Replacing the established network zones and tiers with domains Available methods mitigate the risk factors? Host security at PaaS and SaaS Level Both the PaaS and SaaS hide the host operating system from end users Host security responsibilities in SaaS and PaaS are transferred to CSP Host security at IaaS Level Virtualization software security Hypervisor security Threats: Blue Pill attack on the hypervisor Customer guest OS or virtual server security Attacks to the guest OS: e.g., stealing keys used to access and manage the hosts Security at the Application Level Cloud Storage and Data Security Usually it s the responsibility of both the CSP and the customer Application security at the SaaS level SaaS Providers are responsible for providing application security Application security at the PaaS level Security of the PaaS Platform Security of the customer applications deployed on a PaaS platform Application security at the IaaS Level Customer applications treated a black box IaaS is not responsible for application level security Aspects of Data Security Data Security Mitigation Provider Data and its Security
Aspects of Data Security Data Security Mitigation Security for Data in transit Data at rest Processing of data including multitenancy Data Lineage Data Provenance Data remnance Solutions include encryption, identity management, sanitation Even through data in transit is encrypted, use of the data in the cloud will require decryption.that is, in most cases the cloud will operate on unencrypted data Mitigation Sensitive data cannot be stored in a public cloud Homomorphic encryption may be a solution in the future or in special cases today Provider Data and its Security What data does the provider collect e.g., metadata, and how can this data be secured? Data security issues Access control, Key management for encrypting Confidentiality, Integrity and Availability are objectives of data security in the cloud Identity and Access Management (IAM) in the Cloud Trust boundaries and IAM Why IAM? IAM challenges IAM definitions IAM architecture and practice Getting ready for the cloud Relevant IAM standards and protocols for cloud services IAM practices in the cloud Cloud authorization management Cloud Service provider IAM practice
Trust Boundaries and IAM Why IAM In a traditional environment, trust boundary is within the control of the organization This includes the governance of the networks, servers, services, and applications In a cloud environment, the trust boundary is dynamic and moves within the control of the service provider as well ass organizations Identity federation is an emerging industry best practice for dealing with dynamic and loosely coupled trust relationships in the collaboration model of an organization Core of the architecture is the directory service which is the repository for the identity, credentials and user attributes Improves operational efficiency and regulatory compliance management IAM enables organizations to achieve access cont6rol and operational security Cloud use cases that need IAM Organization employees accessing SaaS se4rvidce using identity federation IT admin access CSP management console to provision resources and access foe users using a corporate identity Developers creating accounts for partner users in PaaS End uses access storage service in a cloud Applications residing in a cloud serviced provider access storage from another cloud service IAM Challenges IAM Definitions Provisioning resources to users rapidly to accommodate their changing roles Handle turnover in an organization Disparate dictionaries, identities, access rights Need standards and protocols that address the IAM challenges Authentication Verifying the identity of a user, system or service Authorization Privileges that a user or system or service has after being authenticated (e.g., access control) Auditing Exam what the user, system or service has carried out Check for compliance
IAM Practice IAM process consists of the following: User management (for managing identity life cycles), Authentication management, Authorization management, Access management, Data management and provisioning, Monitoring and auditing Provisioning, Credential and attribute management, Entitlement management, Compliance management, Identity federation management, Centralization of authentication and authorization, Some relevant IAM Standards, Protocols for Cloud IAM Standards and Specifications for Organizations SAML (Security Assertion Markup Language) SPML (Service Provisioning Markup Language) XACML (extensible Access Control Markup Language) OAuth (Open Authentication) cloud service X accessing data in cloud service Y without disclosing credentials IAM Standards and Specifications for Consumers OpenID Information Cards Open Authenticate (OATH) Open Authentication API (OpenAuth) IAM Practices in the Cloud Cloud Authorization Management Cloud Identity Administration Life cycle management of user identities in the cloud Federated Identity (SSO) Enterprise an enterprise Identity provider within an Organization perimeter Cloud-based Identity provider XACML is the preferred model for authorization RBAC is being explored Dual roles: Administrator and User IAM support for compliance management
Security Management in the Cloud Security Management in the Cloud Security Management Standards Security Management in the Cloud Availability Management Access Control Security Vulnerability, Patch and Configuration Management Availability Management Access Control Vulnerability Management Patch Management Configuration Management Incident Response (ISO/IEC) System use and Access Monitoring Availability Management Access Control Management in the Cloud SaaS availability Customer responsibility: Customer must understand SLA and communication methods SaaS health monitoring PaaS availability Customer responsibility PaaS health monitoring IaaS availability Customer responsibility IaaS health monitoring Who should have access and why How is a resources accessed How is the access monitored Impact of access control of SaaS, PaaS and IaaS
Security Vulnerability, Patch and Configuration (VPC) Management Privacy How can security vulnerability, patch and configuration management for an organization be extended to a cloud environment What is the impact of VPS on SaaS, PaaS and IaaS Privacy and Data Life Cycle Key Privacy Concerns in the Cloud Who is Responsible for Privacy Privacy Risk Management and Compliance ion the Cloud Legal and Regulatory Requirements Privacy and Data Life Cycle Privacy Concerns in the Cloud Privacy: Accountability of organizations to data subjects as well as the transparency to an organization s practice around personal information Data Life Cycle Generation, Use, Transfer, Transformation, Storage, Archival, Destruction Need policies Access Compliance Data Storage Retention Destruction Audit and Monitoring Privacy Breaches
Who is Responsible for Privacy Privacy Risk Management and Compliance Organization that collected the information in the first place the owner organization What is the role of the CSP? Organizations can transfer liability but not accountability Risk assessment and mitigation throughout the data lifecycle Knowledge about legal obligations Collection Limitation Principle Use Limitation Principle Security Principle Retention and Destruction Principle Transfer Principle Accountabality Principle Regulatory/External Compliance Legal, e-discovery PCI DSS (Payment Card Industry Data Security Standard) Healthcare regulations EU Directives and countries regulations on privacy EU Directives on legal intercept? Sarbanes-Oxley Act (US) Both parties must understand each other s roles Litigation hold, Discovery searches Expert testimony Provider must save primary and secondary (logs) data Where is the data stored? laws for cross border data flows What is the impact of Cloud computing on the above regulations? Unclear relation between Telecom regulations and IT (in general)
Legal, e-discovery Legal, e-discovery Functional: which functions & services in the Cloud have legal implications for both parties Jurisdictional: which governments administer laws and regs impacting services, stakeholders, data assets Contractual: terms & conditions Plan for unexpected contract termination and orderly return or secure disposal of assets You should ensure you retain ownership of your data in its original form Audit and Compliance Audit and Compliance Internal Policy Compliance Governance, Risk and Compliance (GRC) Control Objectives Regulatory/External Compliance Cloud Security Alliance Auditing for Compliance Defines Strategy Define Requirements (provide services to clients) Defines Architecture (that is architect and structure services to meet requirements) Define Policies Defines process and procedures Ongoing operations Ongoing monitoring Continuous improvement
Control Objectives Cloud Security Alliance (CSA) Security Policy Organization of information security Asset management Human resources security Physical and environmental security Communications and operations management Access control Information systems acquisition, development and maintenance Information Security incident management Compliance Key Management Create and apply best practices to securing the cloud Objectives include Promote common level of understanding between consumers and providers Promote independent research into best practices Launch awareness and educational programs Create consensus White Paper produced by CSA consist of 15 domains Architecture, Risk management, Legal, Lifecycle management, applications security, storage, virtualization, - - - - Auditing for Compliance Some Cloud Service Providers Internal and External Audits Audit Framework SAS 70 SysTrust WebTrust ISO 27001 certification Relevance to Cloud Amazon Web Services (IaaS) Google (SaaS, PaaS) Microsoft Azure (SaaS, IaaS) Proofpoint (SaaS, IaaS) RightScale (SaaS) Slaeforce.com (SaaS, PaaS) Sun Open Cloud Platform Workday (SaaS)
Security as a Service Compliance & Audit Email Filtering Web Content Filtering Vulnerability Management Identity Management Hard to maintain with your sec/reg requirements, harder to demonstrate to auditors Right to Audit clause Analyze compliance scope Regulatory impact on data security Evidence requirements are met Do Provider have SAS 70 Type II, ISO 27001/2 audit statements? Minimize Lack of Trust: Policy Language MINIMIZE LACK OF TRUST Consumers have specific security needs but don t have a say-so in how they are handled What the heck is the provider doing for me? Currently consumers cannot dictate their requirements to the provider (SLAs are one-sided) Standard language to convey one s policies and expectations Agreed upon and upheld by both parties Standard language for representing SLAs Can be used in a intra-cloud environment to realize overarching security posture - POLICY LANGUAGE/SLA - CERTIFICATION
Minimize Lack of Trust: Policy Language (Cont.) Create policy language with the following characteristics: Machine-understandable (or at least processable), Easy to combine/merge and compare Examples of policy statements are, requires isolation between VMs, requires geographical isolation between VMs, requires physical separation between other communities/tenants that are in the same industry, etc. Need a validation tool to check that the policy created in the standard language correctly reflects the policy creator s intentions (i.e. that the policy language is semantically equivalent to the user s intentions). Minimize Lack of Trust: Certification Certification Some form of reputable, independent, comparable assessment and description of security features and assurance Sarbanes-Oxley, DIACAP, DISTCAP, etc (are they sufficient for a cloud environment?) Risk assessment Performed by certified third parties Provides consumers with additional assurance Commercial alternatives OPENSTACK OpenStack is a cloud computing project to provide an IaaS.
OpenStack Is available in several Linux repositories (Ubuntu, Suse, Redhat) Good Reading Ken Pepple's Folsom Architecture Post http://ken.pepple.info/openstack/2012/09/25/openstack-folsom-architecture/ Architecture http://ken.pepple.info/openstack/2012/09/25/openstack-folsom-architecture/
OpenStack supports many hypervisors. TPM + OpenStack = Trusted Pools Some supported hypervisors: KVM Xen / XCP HyperV VMWare Physical Provisioning ( in Grizzly ) etc, etc, etc. sky's the limit, bob's your uncle.