(C) 2009 Booz Allen Hamilton, Inc. All Rights Reserved. DRAFT-NEVIN

Security Challenges in Moving to the Cloud

Ron Ritchey, PhD

June 2009

There are specific Security Challenges that organizations will face when moving to the Cloud

• Security of Data-in-Transit

• Data Availability and Recovery

• Maintaining Compliance (FISMA, HIPAA, Sarbanes-Oxley, GLBA)

• Data Protection and Privacy (hackers, viruses, spyware)

• Incident Investigation

• Hacker / Nation-States

Basic perimeter security techniques need to be re-thought in a cloud environment

[Figure: Users reach two clouds over the network. CLOUD #1 (Zone 1) and CLOUD #2 (Zone 2) each host UNIX and Windows Web Tier and Application Tier servers behind network IDS sensors. Zone 3 and Zone 4 contain a Security Monitor, SAN Storage and Database Servers.]

• IP based rules?

• Migration of rule sets to other Clouds?

• Maintaining state?
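The first two questions above, worked as an added example (not from the original slides): allow rules bound to IP addresses are audited after a move from CLOUD #1 to CLOUD #2, then re-rendered from a role-based policy. The inventories, role names, ports and policy format are constructed assumptions, and connection state is not modelled.

```python
import ipaddress

# Constructed inventories: the same workloads before and after a move from
# CLOUD #1 to CLOUD #2 (documentation address ranges, not real hosts).
CLOUD1 = {"web-unix": "192.0.2.10", "web-win": "192.0.2.11",
          "app-unix": "192.0.2.20", "db": "192.0.2.30"}
CLOUD2 = {"web-unix": "198.51.100.7", "web-win": "198.51.100.8",
          "app-unix": "198.51.100.21", "db": "198.51.100.40"}
ROLES = {"web-unix": "web", "web-win": "web", "app-unix": "app", "db": "db"}

# Hypothetical role-based policy: (source role, destination role, port).
POLICY = [("web", "app", 8443), ("app", "db", 5432)]


def render(policy, inventory, roles):
    """Expand role-based policy into concrete (src_ip, dst_ip, port) allow rules."""
    by_role = {}
    for host, ip in inventory.items():
        # ip_address() rejects malformed inventory entries early.
        by_role.setdefault(roles[host], []).append(str(ipaddress.ip_address(ip)))
    rules = set()
    for src_role, dst_role, port in policy:
        for src in by_role.get(src_role, []):
            for dst in by_role.get(dst_role, []):
                rules.add((src, dst, port))
    return rules


def audit(rules, inventory):
    """Split a rule set into rules matching live hosts and stale rules."""
    live = set(inventory.values())
    ok = {r for r in rules if r[0] in live and r[1] in live}
    return ok, rules - ok


def allowed(rules, src, dst, port):
    """Default-deny lookup against a rendered rule set."""
    return (src, dst, port) in rules


if __name__ == "__main__":
    ip_rules = render(POLICY, CLOUD1, ROLES)      # what CLOUD #1 enforces today
    ok, stale = audit(ip_rules, CLOUD2)           # same rules copied to CLOUD #2
    print(f"copied rules still valid: {len(ok)}, stale: {len(stale)}")
    # Stale rules block legitimate traffic and keep allowing the old addresses,
    # which may later belong to someone else.
    flow = (CLOUD2["web-unix"], CLOUD2["app-unix"], 8443)
    print("web->app with copied rules:", allowed(ip_rules, *flow))
    print("web->app after re-render:  ",
          allowed(render(POLICY, CLOUD2, ROLES), *flow))
```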

Enterprises will want assurances from Cloud providers that their proprietary and personal data will be adequately protected

• The Security Challenge: Protection of Data

– Cloud providers are responsible for maintaining separation of data as they promote the sharing of Cloud applications such as databases. Data of different enterprises and protection levels stored in a shared environment brings with it unique challenges that must be addressed and demonstrated by providers

– Data must be controlled and protected from unauthorized access. The very act of storing data in the Cloud to improve availability and access from anywhere in the world substantially increases the number and types of threats to that data

– Encryption accidents, such as loss of encryption keys or unavailability of encryption infrastructure, can make user data that has been encrypted useless

– Controls must be put in place to protect from threats such as hackers, online crime, viruses, spyware

Enterprises will want assurances from Cloud providers that their proprietary and personal data will be adequately protected

• What are the solutions to this problem?

– Encryption of data-at-rest - Who is responsible? Some vendors leave the decision to encrypt and the method of encryption up to the user, while others maintain their own encryption key infrastructure

– Partitioning a specific area of a Public cloud for .mil or .gov use

– Authentication technologies such as digital certificates and biometrics will go a long way in protecting Cloud users’ data

– Cloud providers may “separate” customers’ data in individual instances of applications such as databases

Data must be adequately protected as it is transferred between the end user and the Cloud Data Center

• The Security Challenge: Protection of Data-in-Transit

– Unsecured data is susceptible to interception and compromise during transmission between end points. Hackers can use packet sniffers to monitor traffic passing through nodes between the sender and receiver or intercept improperly secured wireless communications to conduct session hijacking and Man-in-the-Middle attacks

– If Confidentiality and Integrity of data cannot be maintained during transmission, data loses its value to the end user

– Technology to protect data-in-transit is readily available and easy to implement. However, this technology must be properly implemented and monitored, and encryption keys and infrastructure must be protected

Data must be adequately protected as it is transferred between the end user and the Cloud Data Center

• What are the solutions to this problem?

– Encryption of the data stream utilizing HTTPS (SSL, TLS), Secure VPN, and IPv6

– Federal and DoD users connecting to a government-owned Private Cloud could utilize NSA encryption devices such as KG-235 and KIV-7

– Dedicated, private connections between Cloud provider and end user

Vendors will be responsible for ensuring users have 24x7 access to their data, and the data must be immediately recoverable in all cases

• The Security Challenge: Data Availability and Recovery

– The most critical and difficult of the Cloud Security Challenges

– Threats to data availability such as Denial of Service attacks, technical, and natural disasters

– Peaks in network usage from the end user, ISP, Internet, or Cloud provider may have a negative impact on bandwidth

– Ineffectiveness of MOAs and SLAs; agreements will only apply to vendor-controlled services, not Internet or ISP performance. Agreements may guarantee payment for substandard performance but what is the impact to business if data is not accessible?

– Recovery of resources from provider loss or bankruptcy - Recent examples of Cloud storage vendors

Vendors will be responsible for ensuring users have 24x7 access to their data, and the data must be immediately recoverable in all cases

• What are the solutions to this problem?

– Dedicated MPLS/VPN network connections between Cloud vendor and end user; supports SLAs/MOAs

– Implement Best of Industry data backup and recovery solutions such as virtualization and replication of data and application infrastructure across multiple sites

– Cloud users could home Internet service with at least two of the same ISPs as the Cloud provider

– Use of Internet technologies such as Akamai to distribute web content near the user to improve availability

– Cloud users may have to maintain backups of their data

Cloud vendors must understand the part they play in assisting customers in meeting and maintaining compliance with Federal data protection, privacy laws, and regulations

• The Security Challenge: Regulatory Compliance

– Public and private enterprises and agencies have regulations and standards that they must adhere to in regards to data privacy and protection. These regulations require the data owner to take appropriate actions to ensure the security and integrity of the data, such as developing security policy, auditing, ensuring proper controls are in place, and performing risk assessments

– Data protection and privacy laws differ between commercial (HIPAA, GLBA) and Federal/Defense agencies (FIPS 140-2, FISMA, NIST), so priorities of Public Cloud providers will focus on needs of the commercial sector

– Where is your data located? Data privacy and security laws in foreign countries may differ. Administrators and law enforcement officials of foreign countries may have full access and control of end user data

– Providers must be willing and technically capable to support investigative and forensic efforts in case of incidents such as data spills (classified data on an unclassified system)

Certification of cloud systems requires certification of the application plus the cloud infrastructure

Use of Cloud Computing changes the risks organizations will face and certification must adapt to help manage these risks

Cloud Computing will impact how system security boundaries are defined

“Boundaries that are unnecessarily expansive (i.e., including too many hardware, software, and firmware components) make the security certification and accreditation process extremely unwieldy and complex.”

NIST SP 800-37, p16

Cloud Providers will be implementing a set of management, operational, and technical security controls. Need a clear understanding of security control responsibility (provider/consumer) and how provider controls are to be offered, provided, and measured/evaluated on a continuing basis

Inheritance of validated security controls that are shared by two or more systems could speed up the C&A process for organizations accessing Cloud Computing resources (leveraging a DIACAP approach)

Cloud vendors must understand the part they play in assisting customers in meeting and maintaining compliance with Federal data protection, privacy laws, and regulations

• What are the solutions to this problem?

– This is the primary catalyst for government-owned Private clouds

– Partitioning a specific area of a Public cloud for .mil or .gov use only

– Partner with Public cloud vendors to ensure the Cloud Industry has an understanding of relevant Government IA and Security issues

– Data encryption – protect data regardless of where it resides

Additional Cloud Computing security challenges include…

• Incident Investigation and Forensics

– The ability to investigate incidents such as data spills and unauthorized access is the cornerstone of the security process. However, outsourcing your IT needs to a third party such as a Cloud provider may make these efforts difficult.

– Cloud vendors must be willing to support investigations by providing the necessary security staff and computing resources, such as logs

Additional Cloud Computing security challenges include…

• Attraction to Hackers / Nation-States

– Networked environments with large amounts of data from hundreds or thousands of organizations may be very attractive targets for hackers, both recreational and professional.

– Hackers or nation-states that are able to compromise one or more Cloud providers may be able to harness the massive computing capabilities of the Cloud to stage attacks against: the Internet, Governments, Corporations, Other Clouds

– Will the massive Cloud Computing facilities that house corporate and government data now be the new targets for enemy states (missiles) and terrorist attacks?

Additional Cloud Computing security challenges include…

• Data Dispersal and International Privacy Laws

– U.S. data privacy laws often differ from those of foreign countries. While direct access to your data might not be allowed in the U.S., such access may be the norm in other nations

– Make sure you understand where your data resides in the Cloud before committing to relocating proprietary or sensitive data

There are also many Security Features and Benefits that may drive organizations to the Cloud…

Best of Industry Security Solutions – As both Public and Private Cloud vendors have paying clients, they can afford to implement and maintain “best of industry” security solutions to protect users’ data. IT departments of individual enterprises and agencies typically must fight for budget, and critical security solutions are often left on the negotiating table due to budget cuts

Cloud users can avoid large investments in security hardware, software, and security staff by transferring some security responsibility to Cloud providers. Although Cloud users must still maintain security for their enterprises, a move to the Cloud can reduce overall security costs

24x7 Security Support – Cloud vendors will be able to provide 24x7 security services such as firewall monitoring, intrusion detection and prevention, and patch management. Cloud vendors may also provide in-house forensic support.

Major Cloud providers can develop the capacity, infrastructure, and expertise to fight off large-scale threats such as DDoS attacks far more cost effectively than individual agencies

…Cloud vendors may offer Managed Security Services to entice users to the cloud

Managed Security Services – Cloud vendors may offer turnkey security services, which will include firewall management, virus defense, e-mail filtering, and spam/spyware-fighting technologies

Economy of Scale – The inherent economy of scale in Cloud Computing will allow Cloud vendors to provide high-end security services to mobile users on demand and at costs far below what most enterprises could realize

On-Demand Security Controls – Pay-as-you-go security services for specific situations such as 1) Deploying additional monitoring and filtering of communications during times of sensitive business negotiations 2) employing specific analytic resources to search large quantities of log data for forensic analysis 3) putting in place additional protective controls in anticipation of a temporary period of increased risk

Extend Security to Mobile Users – Anti-virus software, personal firewall applications, and whole-disk encryption technology can be distributed to mobile users on demand or as mandatory in specific situations, such as at initial connection to the Cloud environment. Cloud vendors can also evaluate devices each time they connect to ensure all security patches and fixes have been applied prior to accessing the Cloud infrastructure.

…and Cloud Computing could offer additional security benefits to users such as disaster recovery, reduced risk of data loss, and pre-accredited and tested environments

Disaster Recovery – The Cloud could be utilized as a low-cost alternative for disaster recovery. Most Cloud vendors charge significantly less for data storage and recovery than online backup services.

Reduced Risk of Data Loss – Storing corporate data in one central location that is accessible from anywhere in the world (with Internet access) minimizes the need to store local copies of data on fixed or mobile devices. There are numerous recent examples where laptops with thousands of records were lost

Access to Accredited Cloud Images and Environments – Cloud environment must meet current security policy and standards

Cloud users are more willing to accept risk of computing in the Cloud if such an environment is “proven” through prior Certification and Accreditation.

Pre-Accredited environments will enable Cloud users to rapidly access existing Cloud services or deploy new services without additional C&A.

Cloud users have access to a wide variety of virtual machine images in which security has already been built-in – pre-hardened, STIG’d, and accredited images

Cloud Computing will also have an impact on traditional enterprise security roles

The role of security management will shift to manage relationships with primary Cloud providers and all sub-vendors, whether Public or Private Cloud

IA professionals will need to become more familiar with technologies used by Cloud providers, such as virtualization and APIs, and the particular security strengths and weaknesses of these technologies

Security professionals will increase focus to areas of security such as protection of data-in-transit and the unique privacy and compliance issues raised by Cloud Computing versus in-house security concerns

Secure Systems Engineers will need to understand the unique architectures of Cloud computing and the impact of extending the enterprise infrastructure to a single or multiple Cloud environments

IA staff will spend less time on many routine tasks such as virus defense, patch management, and e-mail filtering and more time managing security solutions rather than providing technical expertise

Summary

Security must be designed into the fabric of a cloud infrastructure

Cloud Computing is basically an outsourcing model – the question is whether the Cloud provider will live up to their security obligations

It is unclear whether Cloud Computing infrastructures are better, worse or equivalent to current operations

Need clear understanding of where Cloud Computing provider responsibilities start and stop

To establish and maintain confidence in a Cloud Computing implementation, need to have sufficient visibility to see who was doing what and how across the infrastructure

Cloud computing creates risks and requires a rethink - but not reinvention - of security controls and architecture
