(C) 2009 Booz Allen Hamilton, Inc. All Rights Reserved. DRAFT-NEVIN
Security Challenges in Moving to the Cloud
Ron Ritchey, PhD
June 2009
There are specific Security Challenges that organizations will face when moving to the Cloud
• Security of Data-in-Transit
• Data Availability and Recovery
• Maintaining Compliance (FISMA, HIPAA, Sarbanes-Oxley, GLBA)
• Data Protection and Privacy
• Incident Investigation
• Hacker / Nation-States
Basic perimeter security techniques need to be re-thought in a cloud environment
[Diagram labels: Users; Network; IDS; Cloud #1 and Cloud #2, each with UNIX OS and Windows OS Web Tier and Application Tier; Zones 1 to 4; Security Monitor; SAN Storage; Database Servers]
• IP based rules?
• Migration of rule sets to other Clouds?
• Maintaining state?
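The first two questions above can be made concrete with a small policy evaluator. This is an added example, not part of the original briefing; the addresses, roles, port and the role-based alternative are constructed assumptions. It shows an IP-based rule both blocking the legitimate flow and still admitting the vacated address once the web tier is re-addressed in a second cloud.

```python
import ipaddress

# Constructed inventory (all addresses, roles and ports are made up).
# BEFORE: web and app tiers both run in cloud #1.
# AFTER:  the web tier has moved to cloud #2 and been re-addressed there;
#         its old address 10.1.0.10 is vacated and could be handed to anyone.
BEFORE = {"10.1.0.10": "web", "10.1.1.20": "app"}
AFTER = {"172.16.5.10": "web", "10.1.1.20": "app"}

# Policy intent in both styles: only the web tier may reach the app tier on 8443.
IP_RULES = [("10.1.0.0/24", "10.1.1.0/24", 8443)]
ROLE_RULES = [("web", "app", 8443)]


def allow_by_ip(rules, src, dst, port):
    """Classic perimeter check: match source and destination against CIDR blocks."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(rs) and d in ipaddress.ip_network(rd) and port == rp
        for rs, rd, rp in rules
    )


def allow_by_role(rules, inventory, src, dst, port):
    """Resolve each endpoint to its role at decision time; unknown endpoints are denied."""
    s_role, d_role = inventory.get(src), inventory.get(dst)
    if s_role is None or d_role is None:
        return False
    return (s_role, d_role, port) in rules


def compare(inventory, src, dst, port=8443):
    """Return (ip_rule_verdict, role_rule_verdict) for one flow."""
    return (allow_by_ip(IP_RULES, src, dst, port),
            allow_by_role(ROLE_RULES, inventory, src, dst, port))


if __name__ == "__main__":
    print("before migration :", compare(BEFORE, "10.1.0.10", "10.1.1.20"))
    print("moved web tier   :", compare(AFTER, "172.16.5.10", "10.1.1.20"))
    print("vacated old addr :", compare(AFTER, "10.1.0.10", "10.1.1.20"))
```

The role-based check only holds if the inventory is kept current in every cloud, which is where the rule-set migration question lands in practice.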
Enterprises will want assurances from Cloud providers that their proprietary and personal data will be adequately protected
• The Security Challenge: Protection of Data
– Cloud providers are responsible for maintaining separation of data as they promote the sharing of Cloud applications such as databases. Data of different enterprises and protection levels stored in a shared environment brings with it unique challenges that must be addressed and demonstrated by providers
– Data must be controlled and protected from unauthorized access. The very act of storing data in the Cloud to improve availability and access from anywhere in the world substantially increases the number and types of threats to that data
– Encryption accidents, such as loss of encryption keys or unavailability of encryption infrastructure, can make user data that has been encrypted useless
– Controls must be put in place to protect from threats such as hackers, online crime, viruses, spyware
Enterprises will want assurances from Cloud providers that their proprietary and personal data will be adequately protected
• What are the solutions to this problem?
– Encryption of data-at-rest - Who is responsible? Some vendors leave the decision to encrypt and the method of encryption up to the user, while others maintain their own encryption key infrastructure
– Partitioning a specific area of a Public cloud for .mil or .gov use
– Authentication technologies such as digital certificates and biometrics will go a long way in protecting Cloud users’ data
– Cloud providers may “separate” customers’ data in individual instances of applications such as databases
Data must be adequately protected as it is transferred between the end user and the Cloud Data Center
• The Security Challenge: Protection of Data-in-Transit
– Unsecured data is susceptible to interception and compromise during transmission between end points. Hackers can use packet sniffers to monitor traffic passing through nodes between the sender and receiver or intercept improperly secured wireless communications to conduct session hijacking and Man-in-the-Middle attacks
– If Confidentiality and Integrity of data cannot be maintained during transmission, data loses its value to the end user
– Technology to protect data-in-transit is readily available and easy to implement. However, this technology must be properly implemented and monitored, and encryption keys and infrastructure must be protected
Data must be adequately protected as it is transferred between the end user and the Cloud Data Center
• What are the solutions to this problem?
– Encryption of the data stream utilizing HTTPS (SSL, TLS), Secure VPN, and IPv6
– Federal and DoD users connecting to a government-owned Private Cloud could utilize NSA encryption devices such as KG-235 and KIV-7
– Dedicated, private connections between Cloud provider and end user
Vendors will be responsible for ensuring users have 24x7 access to their data, and the data must be immediately recoverable in all cases
• The Security Challenge: Data Availability and Recovery
– The most critical and difficult of the Cloud Security Challenges
– Threats to data availability such as Denial of Service attacks, technical, and natural disasters
– Peaks in network usage from the end user, ISP, Internet, or Cloud provider may have a negative impact on bandwidth
– Ineffectiveness of MOAs and SLAs; agreements will only apply to vendor-controlled services, not Internet or ISP performance. Agreements may guarantee payment for substandard performance, but what is the impact to business if data is not accessible?
– Recovery of resources from provider loss or bankruptcy - Recent examples of Cloud storage vendors
Vendors will be responsible for ensuring users have 24x7 access to their data, and the data must be immediately recoverable in all cases
• What are the solutions to this problem?
– Dedicated MPLS/VPN network connections between Cloud vendor and end user; supports SLAs/MOAs
– Implement Best of Industry data backup and recovery solutions such as virtualization and replication of data and application infrastructure across multiple sites
– Cloud users could home Internet service with at least two of the same ISPs as the Cloud provider
– Use of Internet technologies such as Akamai to distribute web content near the user to improve availability
– Cloud users may have to maintain backups of their data
Cloud vendors must understand the part they play in assisting customers in meeting and maintaining compliance with Federal data protection, privacy laws, and regulations
• The Security Challenge: Regulatory Compliance
– Public and private enterprises and agencies have regulations and standards that they must adhere to with regard to data privacy and protection. These regulations require the data owner to take appropriate actions to ensure the security and integrity of the data, such as developing security policy, auditing, ensuring proper controls are in place, and performing risk assessments
– Data protection and privacy laws differ between commercial (HIPAA, GLBA) and Federal/Defense agencies (FIPS 140-2, FISMA, NIST), so priorities of Public Cloud providers will focus on needs of the commercial sector
– Where is your data located? Data privacy and security laws in foreign countries may differ. Administrators and law enforcement officials of foreign countries may have full access and control of end user data
– Providers must be willing and technically capable to support investigative and forensic efforts in case of incidents such as data spills (classified data on an unclassified system)
Certification of cloud systems requires certification of the application plus the cloud infrastructure
Use of Cloud Computing changes the risks organizations will face and certification must adapt to help manage these risks
Cloud Computing will impact how system security boundaries are defined
“Boundaries that are unnecessarily expansive (i.e., including too many hardware, software, and firmware components) make the security certification and accreditation process extremely unwieldy and complex.”
NIST SP 800-37, p16
Cloud Providers will be implementing a set of management, operational, and technical security controls. Need a clear understanding of security control responsibility (provider/consumer) and how provider controls are to be offered, provided, and measured/evaluated on a continuing basis
Inheritance of validated security controls that are shared by two or more systems could speed up the C&A process for organizations accessing Cloud Computing resources (leveraging a DIACAP approach)
Cloud vendors must understand the part they play in assisting customers in meeting and maintaining compliance with Federal data protection, privacy laws, and regulations
• What are the solutions to this problem?
– This is the primary catalyst for government-owned Private clouds
– Partitioning a specific area of a Public cloud for .mil or .gov use only
– Partner with Public cloud vendors to ensure the Cloud Industry has an understanding of relevant Government IA and Security issues
– Data encryption – protect data regardless of where it resides
Additional Cloud Computing security challenges include…
• Incident Investigation and Forensics
– The ability to investigate incidents such as data spills and unauthorized access is the cornerstone of the security process. However, outsourcing your IT needs to a third party such as a Cloud provider may make these efforts difficult.
– Cloud vendors must be willing to support investigations by providing the necessary security staff and computing resources, such as logs
Additional Cloud Computing security challenges include…
• Attraction to Hackers / Nation-States
– Networked environments with large amounts of data from hundreds or thousands of organizations may be very attractive targets for hackers, both recreational and professional.
– Hackers or nation-states that are able to compromise one or more Cloud providers may be able to harness the massive computing capabilities of the Cloud to stage attacks against:
  - The Internet
  - Governments
  - Corporations
  - Other Clouds
– Will the massive Cloud Computing facilities that house corporate and government data now be the new targets for enemy states (missiles) and terrorist attacks?
Additional Cloud Computing security challenges include…
• Data Dispersal and International Privacy Laws
– U.S. data privacy laws often differ from those of foreign countries. While direct access to your data might not be allowed in the U.S., such access may be the norm in other nations
– Make sure you understand where your data resides in the Cloud before committing to relocating proprietary or sensitive data
There are also many Security Features and Benefits that may drive organizations to the Cloud…
Best of Industry Security Solutions – As both Public and Private Cloud vendors have paying clients, they can afford to implement and maintain “best of industry” security solutions to protect users’ data. IT departments of individual enterprises and agencies typically must fight for budget, and critical security solutions are often left on the negotiating table due to budget cuts
Cloud users can avoid large investments in security hardware, software, and security staff by transferring some security responsibility to Cloud providers. Although Cloud users must still maintain security for their enterprises, a move to the Cloud can reduce overall security costs
24x7 Security Support – Cloud vendors will be able to provide 24x7 security services such as firewall monitoring, intrusion detection and prevention, and patch management. Cloud vendors may also provide in-house forensic support.
Major Cloud providers can develop the capacity, infrastructure, and expertise to fight off large-scale threats such as DDoS attacks far more cost effectively than individual agencies
…Cloud vendors may offer Managed Security Services to entice users to the cloud
Managed Security Services – Cloud vendors may offer turnkey security services, which will include firewall management, virus defense, e-mail filtering, and spam/spyware-fighting technologies
Economy of Scale – The inherent economy of scale in Cloud Computing will allow Cloud vendors to provide high-end security services to mobile users on demand and at costs far below what most enterprises could realize
On-Demand Security Controls – Pay-as-you-go security services for specific situations such as 1) deploying additional monitoring and filtering of communications during times of sensitive business negotiations, 2) employing specific analytic resources to search large quantities of log data for forensic analysis, 3) putting in place additional protective controls in anticipation of a temporary period of increased risk
Extend Security to Mobile Users – Anti-virus software, personal firewall applications, and whole-disk encryption technology can be distributed to mobile users on demand or as mandatory in specific situations, such as at initial connection to the Cloud environment. Cloud vendors can also evaluate devices each time they connect to ensure all security patches and fixes have been applied prior to accessing the Cloud infrastructure.
…and Cloud Computing could offer additional security benefits to users such as disaster recovery, reduced risk of data loss, and pre-accredited and tested environments
Disaster Recovery – The Cloud could be utilized as a low-cost alternative for disaster recovery. Most Cloud vendors charge significantly less for data storage and recovery than online backup services.
Reduced Risk of Data Loss – Storing corporate data in one central location that is accessible from anywhere in the world (with Internet access) minimizes the need to store local copies of data on fixed or mobile devices. There are numerous recent examples where laptops with thousands of records were lost
Access to Accredited Cloud Images and Environments – Cloud environment must meet current security policy and standards
Cloud users are more willing to accept risk of computing in the Cloud if such an environment is “proven” through prior Certification and Accreditation.
Pre-Accredited environments will enable Cloud users to rapidly access existing Cloud services or deploy new services without additional C&A.
Cloud users have access to a wide variety of virtual machine images in which security has already been built-in – pre-hardened, STIG’d, and accredited images
Cloud Computing will also have an impact on traditional enterprise security roles
The role of security management will shift to manage relationships with primary Cloud providers and all sub-vendors, whether Public or Private Cloud
IA professionals will need to become more familiar with technologies used by Cloud providers, such as virtualization and APIs, and the particular security strengths and weaknesses of these technologies
Security professionals will increase focus to areas of security such as protection of data-in-transit and the unique privacy and compliance issues raised by Cloud Computing versus in-house security concerns
Secure Systems Engineers will need to understand the unique architectures of Cloud computing and the impact of extending the enterprise infrastructure to a single or multiple Cloud environments
IA staff will spend less time on many routine tasks such as virus defense, patch management, and e-mail filtering and more time managing security solutions rather than providing technical expertise
Summary
Security must be designed into the fabric of a cloud infrastructure
Cloud Computing is basically an outsourcing model – the question is whether the Cloud provider will live up to their security obligations
It is unclear whether Cloud Computing infrastructures are better, worse or equivalent to current operations
Need clear understanding of where Cloud Computing provider responsibilities start and stop
To establish and maintain confidence in a Cloud Computing implementation, need to have sufficient visibility to see who was doing what and how across the infrastructure
Cloud computing creates risks and requires a rethink - but not reinvention - of security controls and architecture