
Page 1: Cloud Computing Security - AIEA · BUILDING TRUST IN THE CLOUD Certification processes and standards for clouds Return on security investments (ROSI) the measures cloud computing

www.enisa.europa.eu

Cloud Computing Security

ENISA Daniele Catteddu, CISM, CISA

Convegno Associazione Italiana Information Systems Auditors

Page 2

Agenda

Introduction to ENISA

ENISA objectives in Cloud computing

Reaching the objectives

2009

Benefits, risks and recommendations for InfoSec

Cloud Information Assurance Framework

2010

Security and resilience in Gov clouds: achieving an informed decision

Conclusions

Page 3

ENISA: Who are we?


The European Network & Information Security Agency (ENISA) was formed in 2004.

The Agency is a Centre of Expertise that supports the Commission and the EU Member States in the area of information security.

We facilitate the exchange of information between EU institutions, the public sector and the private sector.

Page 4

Focus

ENISA assists Member States and the Commission in global issues that affect the European Community as a whole.

ENISA contributes to the harmonization of appropriate technical and organizational security measures by providing expert advice.

This is an advisory role and the focus is on prevention and preparedness.

ENISA does NOT have any operational responsibilities either within the EU institutional framework or with respect to Member States.

ENISA has no special role in the security process protecting EU institutions.

Page 5

What is cloud computing – ENISA’s understanding

Highly abstracted hardware and software resources

Near instant scalability and flexibility

Near instantaneous provisioning

Shared resources (hardware, database, memory, etc...)

‘Service On demand’, usually with a ‘pay as you go’ billing system

Programmatic management (e.g. through Web Services API)

Page 6

What is cloud computing – ENISA’s understanding

Cloud computing is not a new technology

Cloud computing is a new business model

It is a way of delivering computing resources

Page 7

ENISA Cloud Computing Objectives


Help business and governments to reap the cost and security benefits of cloud computing,

while maintaining service availability, data confidentiality, integrity and privacy.

Page 8

ENISA Cloud Computing Objectives

Creating trust and trustworthiness through promoting best practice and assurance standards

Page 9

ENISA Cloud Computing Objectives

Improving transparency

Page 10

ENISA Cloud Computing Objectives

Recommending smart investment in R&D

Page 11

Reaching the objectives


ENISA Deliverables and Ongoing Activities

Cloud Computing: Benefits, Risks and Recommendations for Information security 2009

Assurance framework 2009

Research Recommendations 2009

Gov-Cloud security and resilience analysis (2010)

Common Assurance Maturity Model (CAMM) consortium 2010

2011 (proposed): procurement and monitoring guidance for government cloud contracts.

Page 12

Cloud Computing: Benefits, Risks and Recommendations for Information security


Page 13

Highlights from the report


27 experts involved

Mainly based on SMEs’ requirements

8 security benefits

53 vulnerabilities considered

24 cloud specific risks identified

Information Assurance (framework), Legal and Research recommendations

Page 14

Security Benefits

Page 15

Economy of Scale

Page 16

Economies of scale and Security

All kinds of security measures are cheaper when implemented on a larger scale (e.g. filtering, patch management, hardening of virtual machine instances and hypervisors, etc.)

The same amount of investment in security buys better protection.

Page 17

Other benefits of scale

Multiple locations by default -> redundancy and failure independence

Edge networks: content delivered or processed closer to its destination

Staff specialization & experience: cloud providers are big enough to hire specialists in dealing with specific security threats.

Page 18

Improved management of updates and defaults

Updates can be rolled out much more rapidly across a homogeneous platform

Default VM images and software modules can be updated with the latest patches and security settings

Snapshots of virtual infrastructure (in IaaS) can be taken regularly and compared with a security baseline.
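The baseline comparison mentioned in the last point, as an added example that is not part of the ENISA slides: a small Python drift check that compares a captured VM snapshot (package versions, listening ports, sshd settings) against a security baseline and reports each deviation. The HostState structure, the check rules and the sample baseline and snapshot values are constructed assumptions for illustration; a real pipeline would populate them from image or instance inspection tooling.

```python
"""
Added example (not ENISA's code): compare a snapshot of an IaaS VM's
configuration against a security baseline and report drift.
The structures and sample values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class HostState:
    """Security-relevant facts captured from one VM (constructed shape)."""
    packages: Dict[str, str]                 # package -> installed version
    listening_ports: Set[int]                # TCP ports open to the network
    sshd: Dict[str, str] = field(default_factory=dict)  # sshd_config key -> value


def version_tuple(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def compare_to_baseline(baseline: HostState, snapshot: HostState) -> List[str]:
    """Return human-readable drift findings; an empty list means the snapshot conforms."""
    findings: List[str] = []

    # 1. Patch level: every baseline package must be present at >= baseline version.
    for pkg, min_version in baseline.packages.items():
        have = snapshot.packages.get(pkg)
        if have is None:
            findings.append(f"missing package {pkg} (baseline {min_version})")
        elif version_tuple(have) < version_tuple(min_version):
            findings.append(f"outdated {pkg} {have} < baseline {min_version}")

    # 2. Network exposure: listeners not in the baseline are unexpected.
    for port in sorted(snapshot.listening_ports - baseline.listening_ports):
        findings.append(f"unexpected listening port {port}")

    # 3. Hardening settings: every baseline sshd setting must match exactly.
    for key, expected in baseline.sshd.items():
        actual = snapshot.sshd.get(key)
        if actual != expected:
            findings.append(f"sshd {key}={actual!r}, baseline requires {expected!r}")

    return findings


# Constructed baseline: what a freshly hardened image is expected to look like.
BASELINE = HostState(
    packages={"openssl": "1.0.2", "openssh-server": "7.4"},
    listening_ports={22, 443},
    sshd={"PermitRootLogin": "no", "PasswordAuthentication": "no"},
)

# Constructed snapshot of a running instance that has drifted from the baseline.
DRIFTED = HostState(
    packages={"openssl": "1.0.1", "openssh-server": "7.4"},
    listening_ports={22, 443, 8080},
    sshd={"PermitRootLogin": "no", "PasswordAuthentication": "yes"},
)

if __name__ == "__main__":
    for line in compare_to_baseline(BASELINE, DRIFTED):
        print("DRIFT:", line)
```

Run periodically against every instance or image snapshot, the findings list is what feeds a ticket or an alert; a conforming snapshot produces an empty list, which makes the check easy to wire into an automated gate.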

Page 19

The Risks

Page 20

Very high value assets

Most risks are not new, but they are amplified by resource concentration

Trustworthiness of insiders.

Hypervisors - hypervisor layer attacks on virtual machines are very attractive.

More Data in transit (Without encryption?)

Management interfaces – big juicy targets

Page 21

Loss of Governance

The client cedes control to the Provider on a number of issues affecting security:

External pen testing not permitted.

Very limited logs available.

Usually no forensics service offered

No information on location/jurisdiction of data.

Outsourcing or sub-contracting of services to third parties (fourth parties?)

SLAs may not offer a commitment to provide the above services, thus leaving a gap in security defences.

Page 22

Lock in

Few tools, procedures or standard formats for data and service portability.

Difficult to migrate from one provider to another, or to migrate data and services to or from an in-house IT environment.

Potential dependency of service provision on a particular cloud provider (CP).

Page 23

Compliance Challenges

Cloud Provider cannot provide evidence of its own compliance with the relevant requirements

Cloud Provider does not permit audit by the Cloud Customer

In certain cases, using a cloud implies that certain kinds of compliance cannot be achieved

Page 24

Legal and contractual risks

Data in multiple jurisdictions, some of which may be risky.

Lack of compliance with EU Data Protection Directive

Potentially difficult for the customer (data controller) to check the data handling practices of the provider

Multiple transfers of data exacerbate the problem

Subpoena and e-discovery

Confidentiality and Non-disclosure

Intellectual Property

Risk Allocation and limitation of liability

Page 25

Isolation failure

Storage (e.g. side-channel attacks, see http://bit.ly/12h5Yh)

Memory

Virtual machines

Entropy pools (http://bit.ly/41sIiN)

Resource use (e.g. Bandwidth)

Page 26

RESOURCE EXHAUSTION

Caused by:

Denial of Service

Freak events

Resource allocation algorithms

Overbooking

Underbooking

Page 27

Key management

Key management is (currently) the responsibility of the cloud customer

Key provisioning and storage is usually off-cloud

One key-pair per machine – doesn’t scale to multiple account holders/RBAC

Credential recovery is sometimes available through the management interface (protected by username/password)

Copies of VM images may contain keys if not well-managed
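As an added example for the last point (not ENISA's code), the following Python script scans an extracted or mounted VM image tree for leftover key material before the image is cloned or published. The directory layout, file names and detection patterns below are constructed assumptions for illustration; a real check would cover further secret formats and locations.

```python
"""
Added example (not ENISA's code): scan a VM image's filesystem tree for
leftover key material before the image is cloned or published.
The sample tree is constructed in a temporary directory; the patterns are
illustrative, not a complete catalogue of secret formats.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple

# PEM armour used by PKCS#1, PKCS#8, OpenSSH and EC private keys.
PEM_PRIVATE_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# File names that conventionally hold private keys, whatever their content.
KEY_FILENAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "server.key"}

# Directories whose presence in a golden image is itself a finding: anything
# in them (including authorized_keys) is copied into every clone.
SENSITIVE_DIRS = (".ssh", ".gnupg", ".aws")


def classify(path: str, data: bytes) -> Optional[str]:
    """Return a reason string if this file looks like key material, else None."""
    name = os.path.basename(path)
    if PEM_PRIVATE_RE.search(data):
        return "PEM private key block"
    if name in KEY_FILENAMES:
        return f"conventional private key file name '{name}'"
    for d in SENSITIVE_DIRS:
        if d in path.split(os.sep):
            return f"file under sensitive directory '{d}'"
    return None


def scan_image(root: str) -> List[Tuple[str, str]]:
    """Walk an extracted image root and list (relative path, reason), sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                data = fh.read(64 * 1024)  # the header is enough for PEM detection
            rel = os.path.relpath(full, root)
            reason = classify(rel, data)
            if reason:
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_image(root: str) -> None:
    """Create a constructed image tree: three leaks and two clean files."""
    layout = {
        "etc/hostname": b"web-01\n",
        "home/app/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
        "home/app/.ssh/authorized_keys": b"ssh-ed25519 AAAA... app@web-01\n",
        "opt/svc/tls/server.key": b"-----BEGIN PRIVATE KEY-----\nMIIE...\n",
        "var/log/app.log": b"started\n",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo() -> List[Tuple[str, str]]:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_image(root)
        return scan_image(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Any finding should block the image from being promoted; the hostname and log file produce none, while the two PEM blocks and the baked-in .ssh directory are each reported once.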

Page 28

Recommendations 2009


Page 29

Cloud Information Assurance Framework

Increasing transparency through a minimum baseline for:

comparing cloud offers

assessing the risk to go Cloud

reducing audit burden for CP and security risks

Page 30

Cloud Information Assurance Framework

An example

• Network architecture controls

• Well-defined controls are in place to mitigate DDoS (distributed denial-of-service) attacks, e.g.

o Defence in depth (traffic throttling, packet black-holing, etc.)

o Defences are in place against ‘internal’ (originating from the cloud provider’s networks) attacks as well as external (originating from the Internet or customer networks) attacks.

• Measures are specified to isolate resource usage between accounts for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.

• The architecture supports continued operation from the cloud when the customer is separated from the service provider and vice versa (e.g., there is no critical dependency on the customer LDAP system).

Page 31

Research recommendations - 2009

BUILDING TRUST IN THE CLOUD

Certification processes and standards for clouds

Return on security investments (ROSI): the measures cloud computing can enable to improve the accuracy of ROI for security

Techniques for increasing transparency while maintaining appropriate levels of security

Tagging, e.g., location tagging, data type tagging, policy tagging

Privacy preserving data provenance systems, e.g., tracing data end-to-end through systems

End-to-end data confidentiality in the cloud and beyond:

Encrypted search (long term)

Encrypted processing schemes (long term)

Encryption and confidentiality tools for social applications in the cloud

Higher assurance clouds, virtual private clouds, etc.

Page 32

Research recommendations - 2009

DATA PROTECTION IN LARGE-SCALE CROSS-ORGANIZATIONAL SYSTEMS

The following areas require further research with respect to cloud computing:

Data destruction and lifecycle management

Integrity verification of backups and archives in the cloud, and their version management

Incident handling - monitoring and traceability

Dispute resolution and rules of evidence

International differences in relevant regulations, including data protection and privacy

Legal means to facilitate the smooth functioning of multi-national cloud infrastructures

Automated means to mitigate problems with different jurisdictions.

Page 33

Government recommendations 2009

Public clouds are (usually) not suitable for critical government applications.

Clearly define international differences in DP legislation.

Should there be breach notification requirements on cloud providers?

...

Page 34

2010 - Government towards the Cloud

Page 35

Governments and the Cloud


[Map: countries highlighted as adopters – UK, DK, USA, Singapore, Japan, Australia]

Gov Agencies and Public Organizations around the globe are moving non-critical applications towards a "cloud approach".

In Europe we have some fast adopters, such as Denmark and the UK, announcing or planning to move into the cloud.

In the short-medium term (1 to 3 years) an increasing number of Public Organizations, in EU Member States, will consider/adopt cloud computing.

...

Page 36

2010 – Security and resilience in Gov clouds: achieving an informed decision

Page 37

Objectives and scope

to support Member States (MSs) in elaborating their cloud strategy

to guide Public Bodies in defining their risk profile

to evaluate the S.W.O.T. of cloud computing

to provide good practices

The main focus is the impact on resilience and security of services.

Page 38

Security and resilience in Gov clouds: achieving an informed decision

3 scenarios considered:

a local healthcare authority implementing electronic healthcare records and other e-services,

a local public administration rolling out new services for the citizens and rationalizing internal IT services, and finally,

a Ministry planning the creation of a governmental cloud as a business incubator

Page 39

[Figure: decision process, reconstructed from the slide layout]

Inputs:

Business/Operational, Legal and Regulatory requirements

Security and Resilience requirements

IT services – architectural options and delivery models

COMPARATIVE RISK ASSESSMENT (SWOT or RISK ANALYSIS & ASSESSMENT)

Select IT solution -> Identify threats, weaknesses -> Select Partner-Provider -> Prepare Request for Proposal (RfP) -> Risk treatment

Page 40

Security and Resilience parameters

Preparedness

Risk Analysis and Assessment

Prevention and Detection

Patch Management

Access Control and Accountability

Supply Chain

Business continuity

Service Delivery

Availability and Reliability

Scalability and Elasticity

Cloud Access

Recovery and response

Legal and regulatory compliance

Page 41

Strengths

Community Cloud

Common requirements, constraints and risks

More bargaining power as a group (with the cloud provider)

Ability to be a walled garden

Membership vetting according to the trustworthiness of the candidate

If based on federation -> edge networks

Private Cloud

Full transparency and control over legal requirements (e.g. geography)

Ability to implement your own practices (e.g. risk analysis and assessment)

Possibility to fully monitor all security events

BCP testing

Auditability

Priority in service resumption

Public Cloud

Strong security and resilience capabilities (e.g. prevention and detection, patch management, availability and reliability, tolerance and elasticity, performance, response and recovery, business continuity and physical security)

CAVEAT: these strengths are directly related to the scale of the provider

Page 42

Weaknesses

Community Cloud

difficult to agree on security baselines, client-based common logging formats, etc.

compared to a private cloud, you are a bigger target

access control and authentication are weakened

Private Cloud

no advantage of economies of scale

potentially less tolerance to malicious attacks

less comprehensive redundancy regime

no geo-redundancy

less flexibility

Public Cloud

lack of control over the access control systems

lack of accountability (audits are not allowed)

you need negotiating power to be able to ask the provider for the right information

external forensics very difficult

geo-location constraints as a weakness: data cannot leave the country

Page 43

Opportunities

Community Cloud

common ToR and security policies, standards, etc.

Potential flexibility of security policies

closedness – e.g. stricter security

Public Cloud

Risk Analysis and Assessment, Penetration testing, Real-time security monitoring

In order for a public cloud to take advantage of these opportunities, the following measures should be in place: 1) full control of the asset inventory, 2) detailed classification of physical assets, information and services, 3) integration between risk analysis/assessment and real-time security monitoring processes, 4) effective screening of employees

Private Cloud

In a private cloud, user- and application-oriented monitoring mechanisms can be implemented, making it possible to adjust resources quickly to meet peaks in demand. Furthermore, security events of interest can be fully monitored.

Page 44

Threats

Community Cloud

Lack of exit criteria

Community might grow too quickly

Harder to predict resource usage (than in a private cloud)

Failure of isolation mechanisms (not compared to public)

Difficulty of identifying the legal entity

Public Cloud

Lack of legal and regulatory compliance (data retention, forensics, reporting)

Attractive target for criminals and insiders

Isolation failure, information leakage, illegal monitoring

Lack of linkability and accountability in case of illegal activities

Poor requirements definition and asset classification

You might incur supplementary obligations from multiple jurisdictions

Change of control (risk of provider acquisition)

Private Cloud

Politically motivated attacks

Damage to reputation

Big brother effect

Poor requirements definition and asset classification may result in loss of security and integrity when scaling from a private cloud to a hybrid one.

Inadequate definition of the contracts with business partner(s) and lack of monitoring of contract execution may be critical in relation to the size of the provider.

Page 45

Key messages

Private and community clouds appear to be the solution that best fits the needs of public bodies: they offer the highest level of governance, control and visibility.

Bear in mind that if a private/community cloud does not reach the necessary infrastructural critical mass, most of the resilience and security benefits of the cloud model will not be realised.

Public cloud is the option that offers potentially the highest level of service availability at the lowest cost,

but currently its adoption should be limited to non-sensitive applications and in the context of a defined strategy for cloud adoption, which should include a clear exit strategy.

Page 46

Conclusions

Cloud computing can represent an improvement in security and resilience

Transparency is crucial: users must be given a means to assess and compare provider security practices

In the current state of the art, migrating critical and sensitive applications and data to the cloud is still very risky

Much more effort is required to achieve security levels required for higher assurance applications in the cloud

For once we can build security in by design, let’s not miss the chance

Page 47

The Penultimate Slide

Watch out for the results of ENISA’s cloud security study – out end of November (http://www.enisa.europa.eu)

Page 48

The Final Slide

Contact: Daniele Catteddu [email protected]

Page 49

Contact

Daniele Catteddu [email protected]

European Network and Information Security Agency
Science and Technology Park of Crete (ITE)
P.O. Box 1309
71001 Heraklion - Crete – Greece

www.enisa.europa.eu