Security and Cloud Compunting - Security impacts, best practices and solutions -



Similar documents
Virtualization System Security

managing the risks of virtualization

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

Learn the essentials of virtualization security

CompTIA Cloud+ 9318; 5 Days, Instructor-led

Network Access Control in Virtual Environments. Technical Note

Learn the Essentials of Virtualization Security

IBM EXAM QUESTIONS & ANSWERS

IBM Security in the Cloud

Mitigating Information Security Risks of Virtualization Technologies

Virtualization Security and Best Practices. Rob Randell, CISSP Senior Security Specialist SE

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

CompTIA Cloud+ Course Content. Length: 5 Days. Who Should Attend:

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

Effective End-to-End Cloud Security

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

PICO Compliance Audit - A Quick Guide to Virtualization

External Supplier Control Requirements

VMWARE VSPHERE 5.0 WITH ESXI AND VCENTER

VMware vsphere 5.1 Advanced Administration

VMware vcloud Air Security TECHNICAL WHITE PAPER

5 Best Practices to Protect Your Virtual Environment

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

Cloud Security Who do you trust?

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

Building A Secure Microsoft Exchange Continuity Appliance

Windows Server 2012 Hyper-V Virtual Switch Extension Software UNIVERGE PF1000 Overview. IT Network Global Solutions Division UNIVERGE Support Center

The first agentless Security, Virtual Firewall, Anti- Malware and Compliance Solution built for Windows Server 2012 Hyper-V

Intro to NSX. Network Virtualization VMware Inc. All rights reserved.

Top virtualization security risks and how to prevent them

Virtualization and Cloud Computing

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

VMware vsphere 5.0 Boot Camp

Citrix XenServer 7 Feature Matrix

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013.

White Paper. Anywhere, Any Device File Access with IT in Control. Enterprise File Serving 2.0

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

ALTERNATIVES FOR SECURING VIRTUAL NETWORKS

VMWARE Introduction ESX Server Architecture and the design of Virtual Machines

Lecture 02b Cloud Computing II

How To Make A Virtual Machine Aware Of A Network On A Physical Server

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

Stephen Coty Director, Threat Research

Cisco Virtualization Experience Infrastructure: Secure the Virtual Desktop

Deployment Guide: Unidesk and Hyper- V

CLOUD SECURITY: THE GRAND CHALLENGE

IBM Advanced Threat Protection Solution

STREAM FRBC

Tenable Webcast Summary Managing Vulnerabilities in Virtualized and Cloud-based Deployments

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report.

New Security Perspective for Virtualized Platforms

Meeting the Challenges of Virtualization Security

GoodData Corporation Security White Paper

Securing sensitive data at Rest ProtectFile, ProtectDb and ProtectV. Nadav Elkabets Presale Consultant

Securing the Cloud with IBM Security Systems. IBM Security Systems IBM Corporation IBM IBM Corporation Corporation

Course Venue :- Lab 302, IT Dept., Govt. Polytechnic Mumbai, Bandra (E)

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

RED HAT ENTERPRISE VIRTUALIZATION FOR SERVERS: COMPETITIVE FEATURES

Chapter 1 The Principles of Auditing 1

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011

Network Virtualization Network Admission Control Deployment Guide

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Sygate Secure Enterprise and Alcatel

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family

Secure networks are crucial for IT systems and their

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

How Does Virtualization Change Your Approach to Enterprise Security and Compliance?

VMware: Advanced Security

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE

Before we can talk about virtualization security, we need to delineate the differences between the

Directory and File Transfer Services. Chapter 7

Securely Architecting the Internal Cloud. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

Cloud computing White paper November IBM Point of View: Security and Cloud Computing

VMware Software Defined Network. Dejan Grubić VMware Systems Engineer for Adriatic

Security in the Software Defined Data Center

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc.

Securing Virtual Applications and Servers

Secure Software Programming and Vulnerability Analysis

CompTIA Security+ (Exam SY0-410)

OUR MISSION IS TO PROTECT EVERYONE FROM CYBERCRIME

Cloud Courses Description

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet

Security. Environments. Dave Shackleford. John Wiley &. Sons, Inc. s j}! '**»* t i j. l:i. in: i««;

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

FileDrawer An Enterprise File Sharing and Synchronization (EFSS) solution.

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Transcription:

Security and Cloud Compunting - Security impacts, best practices and solutions - Andrea Carmignani Senior IT Architect

What is Cloud Security It s about business and data behind it The ability to maintain confidentiality, integrity, availability of business-critical IT assets Stored or processed on a cloud computing platform Some customer quotes I Like the Idea of a new generation data center based on cloud but I m concerned about security and network impacts How can you guarantee the same security level in a virtualized environment as well as a distributed one? What about identity propagation, audit & workflow segregation? What about impact on the existing infrastructure? 2

Some security measures could lose part of their effectiveness while moving toward a dynamic infrastructure Traditional Threats New threats to virtual environments Traditional threats can attack VMs just like real systems Management Vulnerabilities Virtual sprawl Dynamic VM state & relocation VM stealing Interbox communication can t be monitored by usual IPS and FW Stealth rootkits in hardware now possible Virtual NICs & Virtual Hardware are targets Resource sharing Single point of failure Reduced visibility & control Physical boundary moves inside Reduced visibility & control 3

New Elements bring new threats: the Hypervisor The Hypervisor, the Golden Gate to the Virtual Images and the Host Resources, it s the director granting resources sharing among Virtual Images As a new layer in the usual software stack it is the new target for emerging threats It s mandatory its ability to grant Virtual Image isolation avoiding resource sharing or data stealing Nowadays we re living with these assumptions: All Hypervisors have vulnerability (by design) There s no publicly know Hypervisor attack (except the one for Xbox) CVE-2008-0923 0923 Directory traversal vulnerability in the Shared Folders feature for VMWare ACE allows guest OS users to read and write arbitrary files on the host OS CVE-2007-0948 0948 Buffer overflow in Microsoft Virtual Server 2005, allows local guest OS administrators to execute arbitrary code on the host OS CVE-2007-5906 Xen 3.1.1 allows virtual guest system users to cause a denial of CVE-2005-3618 Cross-site request forgery (CSRF) vulnerability in the management interface for VMware ESX Server allows remote attackers to perform unauthorized actions 4

Hypervisor, the first real attacks could be a question of time Today vulnerabilities are detected before there are exploited from an attacker. Just because: till 2007 virtualization was a niche market, lack of adoption meant lack of interest from attackers poor initial knowledge about virtualization technology and its background We expect the more virtualization will take place the more interest it ll have from the hackers So the first real Hypervisor attack is a question of time We must extend out existing patch, configuration and vulnerability management process to this platform X86 Virtualization Age Vulnerabilities Report NVD Microsoft bulletin Analysis NVD: Nation Vulnerability database http://nvd.nist.gov/ Xen VMware ESX 5 Y, since 2003 8 Y, since 2001 Total: 2 High: 2 Moderate: 0 Total: 23 High 33 Moderate: 13 N/A N/A Based on Linux Opens Source project Based on RHEL No IBM PowerVM vulnerability reported so far Hyper-V 2 Y since 2008 Total: 37 High: 33 Moderate: 4 Total: 34 Critical: 12 Important: 13 Based on Windows 2008 Most vulnerabilities reported are about IE and SMB 5

Physical Boundary and IntraBox Communication Issues, an example Server & Network Convergence, physical perimeters move inside the machine: Network extends through the Virtual Switch or the Virtual I/O Server Network Administration boundary moves into the Box: Could have some impacts on the network and server Management Process Could have some impacts on Roles & Responsibilities Communications between IntraBox Virtual Images cannot be monitored by external FW,IPS, or IDS therefore, attacks among Virtual Images are hard to detect via traditional methods. 6 11

Interbox communication, Virtual Images Mobility, a good flight it s a question of route and landing Partition mobility makes it possible to move running partitions from one physical server to another. This provides: considerable systems management flexibility improved availability applications no longer have to be shut down to move them from one server to another but some security Issues are awaiting through the journey from one host to another. Data in memory is copied from one system to another to create a clone of a running partition Today data are transferred without being encrypted; This means possible threats like VI stealing, VI tampering, VI replacing as well as on the target physical host Is the VI security compliant with the target host security baseline? Does the destination fulfill origins security policy and regulation? can I move a back end VI to a system hosting front end VMs? What about Firewall rules protecting the new system? Are they exposing the VI to some threat? Are they too strict preventing the VI to work properly? Hypervisor Hypervisor 7

Storage Security Last but not least security concerns Storage ecosystem have emerged in isolation with a focus on data availability and resiliency Data traceability is a challenge and rarely done Auditors and security professionals frequently treat the storage infrastructure as nothing more than attached storage It s possible to act on several levels, balancing trade-off among deployed infrastructure, regulatory requirements, business expectation Storage System Security (SSS) external authentication services, centralized logging, and firewalls. Storage Resource Management (SRM) Secure provisioning, monitoring, tuning, reallocation of the storage resources. Data In-Flight (DIF) Confidentiality, integrity and/or availability of data as they are transferred across the storage network, the LAN, and the WAN. Data At-Rest (DAR) Confidentiality, integrity and/or availability of data residing on servers, storage arrays, NAS appliances (according to SNIA) SAN Level FCAP Virtual SAN Switch Level Server Level Policy & Procedures Persistent Binding Zoning Lun Masking Port Binding Managemement 8

we need an interdisciplinary approach based on the following steps Develop a strategy Based on Business Requirements Security Best practices think holistically Design and Implement Take a risk-based approach to security Virtual/Physical Network Security Design Virtual/Physical Host Security Design Provisioning of virtual resources enforcing security domains and location constraints Secure Communication Identity Access and Management Audit/Log Infrastructure Technology and s Select Cloud technology and services modularity and standards are key SOA Security (es: WS-Security, WS- Federation) Identity Federation (es: SAML, OpendID) IEEE 802.1q Vlan Hypervisor Certifications (es: Common Criteria) 9 26/04/2010

Trusted Virtual Data Center The IBM model The trusted virtual data center (TVDc) is a set of technologies and processes to address the need for strong isolation and integrity guarantees in virtualized, cloud computing environments. VMs and associated resources are grouped into trusted virtual domains (TVDs) The goal of TVDc is to isolate workloads from each other. In particular, the TVDc aims to: 1) prevent data from leaking from one customer workload to another, even when a VM running the workloads malfunctions; 2) ensure that viruses and other malicious code cannot spread from one customer workload to another and that break-ins in one workload do not threaten the workloads active within the same physical resource; 3) prevent or reduce the incidence of failed configuration management tasks (i.e., misconfiguration) 10

IBM Security Solutions for Cloud Computing are composed by three main pillars Cloud Security Consulting Cloud Security Products 1 2 3 Technologies in support of cloud computing Cloud-based Security s Smart business Security s Offer IBM ISS professional security services to clients engaging in cloud initiatives. Develop products and technologies to protect cloud infrastructures and their tenants. Leverage the cloud as a delivery mechanism for IBM security services. Examples: Security Design leveraging standards, best practices, IBM products (TIVOLI, ISS, Websphere) Information security assessment Protection policy and standards development Cloud assessment services Penetration testing for the Cloud Examples: Proventia Network IPS and Virtual IPS appliances Virtual Server Security for VMware Identity and access management Security event and information management Examples: Vuln management service Email scrubbing service Web content filtering service Security event log management Security for the Cloud - Securing Cloud Infrastructures Security from the IBM ISS Cloud 11

Security For the Cloud Existing Professional Security s matching Cloud security needs 12

Security from the Cloud - IBM Cloud Managed Security s 13

IBM Virtualization Security Solutions deliver products and services, optimized for virtualization This solution will enable customers to realize the benefits of virtualization while maintaining their security posture Existing solutions certified for protection of virtual workloads Threat protection delivered in a virtual form-factor Integrated virtual environmentaware threat protection IBM Proventia Server Intrusion Prevention System (IPS) IBM Proventia Network IPS IBM Proventia Network Mail Security Systems Data Loss Prevention IBM Managed Security s Proventia Virtualized Network Security Platform Proventia Network Mail IBM Virtual Server Security for VMware 14

Summarizing security countermeasures into a cloud infrastructure A possible taxonomy Domain What How Network Network Isolation Network Access DataFlows Vlan Firewall & IPS (virtual and physical) Specific Security solution for Virtual environment ACLs Intra-box Storage Workload Isolation Granted Resource (CPU/IO/Mem) Inter Communication segregation & confidentiality Denial of Data isolation Data integrity Data confidentiality at rest Data confidentiality in flight Hardening Vlan Specific Security solution for Virtual environment Third party security Certifications Native or external solution (depending on the Hypervisor) Encryption Fiber Channel security enabled Zoning LUN Masking Inter-Box Infrastructure Management Security posture Virtual Network Access Control Confidentiality Segregation of duties such as Assign, Create, Deploy, Activate Specific Security solution for Virtual environment Specific Solution for patch management Ad hoc network for Inter-Box Mobility Hardening Security Policy Specific Management solution with RBAC capabilities 15

In conclusion some opinions Users will be challenged and served by these technology trends. Most will find a mix of onpremises application infrastructure and cloud application infrastructure services to be the best answer. However, the proportion of the two approaches will differ among users,industries and geographies. It will also change over time. Gartner http://www.gartner.com/it/content/1128400/1128412/key_issues_for_cloudenabled_app_inf.pdf You will be tempted to take a different path. Beware of this new path as it may lead to misfortune or danger. Business success. Good luck with money. You will be forced to make a very difficult decision which will pull you in many directions. This is a very stressful period. A trip taken now may result in a new friend. On Line Fortuneteller www.greekboston.com/fortuneteller/ Cloud Security requires change the usual security mindset trying to achieve company security baseline leveraging a mixture of technologies, standards, processes, trust models and best practices 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information