Security Cloud

Tewfiq El Maliki, HES-SO

With the collaboration of Martin Gwerder, FHNW

Document : CC BY-SA 3.0

Cloud Security

• Une science ou un Art !

2

Table of Content

• Recap

–Data Protection Laws

–Comparison Traditional vs Virtual DC

• Securing a Cloud list from X.1601 Chap 9

–Identity and Access Management (IAM),

Authentication, Authorization and Transaction

Audit

–Virtualization Environment

• Physical Security

• Interface Security

• Computing Virtualization Security

• Network Security

–Data Isolation, Protection and Confidentiality

Protection

• Processes

–Security Coordination, Operational Security;

Incident Management

–Disaster Recovery

–Service Security Assessment and Audit

• Standard compliance

–Interoperability, portability and reversibility

Context

• Cloud is not just the virtualization (NIST definition)

• May be based on Type 1-3 hypervisor or a container

• A cloud platform is typically shared among multiple Tenants. These parties are many to many relationship

but at least one CSP and multiple CSC.

• Sharing resources and the synergy measurements (such as memory/storage deduplication or cache

sharing) augment attack surface – the majority of flaws and threats come from this side.

• A cloud is not weaker in terms of security. Think about simplicity against complexity. It is just more complex

and adds thus more points we have to think of. Generally the implementation of a cloud is underestimated

security wise and thus weaker and consequences are catastrophic – Attack on OVH has generated 1 Pbit/s

traffic-

4 CSP : Cloud service Provider CSC : Cloud Service Consumer

Recap Data Protection Act

Art. 4 Principles

1 Personal data may only be processed lawfully.

2 Its processing must be carried out in good faith and must be proportionate.

3 Personal data may only be processed for the purpose indicated at the time of

collection, that is evident from the circumstances, or that is provided for by law.

4 The collection of personal data and in particular the purpose of its processing

must be evident to the data subject.

5 If the consent of the data subject is required for the processing of personal

data, such consent is valid only if given voluntarily on the provision of adequate

information. Additionally, consent must be given expressly in the case of

processing of sensitive personal data or personality profiles.

Art. 6 Cross-border disclosure

1 Personal data may not be disclosed abroad if the privacy of the data subjects would be

seriously endangered thereby, in particular due to the absence of legislation that guarantees

adequate protection.

2 In the absence of legislation that guarantees adequate protection, personal data may be

disclosed abroad only if:

a. sufficient safeguards, in particular contractual clauses, ensure an adequate level of

protection abroad

b. the data subject has consented in the specific case

c. the processing is directly connected with the conclusion or the performance of a

contract and the personal data is that of a contractual party

d. disclosure is essential in the specific case in order either to safeguard an overriding

public interest or for the establishment, exercise or enforcement of legal claims before

the courts

e. disclosure is required in the specific case in order to protect the life or the physical

integrity of the data subject

f. the data subject has made the data generally accessible and has not expressly

prohibited its processing

g. disclosure is made within the same legal person or company or between legal persons

or companies that are under the same management, provided those involved are

subject to data protection rules that ensure an adequate level of protection.

3 The Federal Data Protection and Information Commissioner (the Commissioner, Art. 26)

must be informed of the safeguards under paragraph 2 letter a and the data protection rules

under paragraph 2 letter g. The Federal Council regulates the details of this duty to provide

information.

5

Articles : Data protection Art. 4 Principes

1 Tout traitement de données doit être licite.1

2 Leur traitement doit être effectué conformément aux principes de la

bonne foi et de la proportionnalité.

3 Les données personnelles ne doivent être traitées que dans le but

qui est indiqué lors de leur collecte, qui est prévu par une loi ou

qui ressort des circonstances.

4 La collecte de données personnelles, et en particulier les finalités

du traitement, doivent être reconnaissables pour la personne

concernée.2

5 Lorsque son consentement est requis pour justifier le traitement de

données personnelles la concernant, la personne concernée ne

consent valablement que si elle exprime sa volonté librement et

après avoir été dûment informée. Lorsqu'il s'agit de données

sensibles et de profils de la personnalité, son consentement doit

être au surplus explicite.3

Art. 61Communication transfrontière de données

1 Aucune donnée personnelle ne peut être communiquée à

l'étranger si la personnalité des personnes concernées devait s'en

trouver gravement menacée, notamment du fait de l'absence d'une

législation assurant un niveau de protection adéquat.

6

2 En dépit de l'absence d'une législation assurant un niveau de

protection adéquat à l'étranger, des données personnelles peuvent être

communiquées à l'étranger, à l'une des conditions suivantes

uniquement:

a. des garanties suffisantes, notamment contractuelles, permettent

d'assurer un niveau de protection adéquat à l'étranger;

b. la personne concernée a, en l'espèce, donné son consentement;

c. le traitement est en relation directe avec la conclusion ou l'exécution

d'un contrat et les données traitées concernent le cocontractant;

d. la communication est, en l'espèce, indispensable soit à la

sauvegarde d'un intérêt public prépondérant, soit à la constatation,

l'exercice ou la défense d'un droit en justice;

e. la communication est, en l'espèce, nécessaire pour protéger la vie ou

l'intégrité corporelle de la personne concernée;

f. la personne concernée a rendu les données accessibles à tout un

chacun et elle ne s'est pas opposée formellement au traitement;

g. la communication a lieu au sein d'une même personne morale ou

société ou entre des personnes morales ou sociétés réunies sous une

direction unique, dans la mesure où les parties sont soumises à des

règles de protection des données qui garantissent un niveau de

protection adéquat

Recap Comparison of Physical vs Virtual Datacenters

Physical

• Physical presence in the location may be required to

destroy, remove, copy or damage assets.

• Privileged access to root consoles or similar is only

available on premises.

• Image copies of machines are hard to reuse as only

seldom the same HW is available upon failure.

• Access control is easy as there are physical access

controls installed on premise.

• Location of physical machine is always known

• Network boundaries are physical and may not be bridged

by accident.

• A normal “full breach” of a physical machine only discloses

the data of the respective system.

• Hardware failure of a host affects just one system. The

failed system may require hours to days to recover.

• Redundancy must be explicitly built.

Virtual

• Assets are destroyed, removed, copied over networks.

• Privileged access is available over the network.

• Image copies allow to recover or copy any machine on

any infrastructure within minutes.

• Access control is hard as Network access is broadly

available and thus needs to be splitted in admin and

“regular” traffic.

• Location of a virtual is volatile and may change during

operation.

• Network boundaries are logical and may be bridged or

even breached without visible impact.

• A normal “full breach” of a cloud host discloses the data of

many systems (either full host or full cluster)..

• Hardware failure of a host affects many systems. The

failed systems may recover within minutes

• Redundancy (on HW level) is implicitly available.

7

Cloud Service Model

• Cloud brings us an entire new set of value

• Application scalability

• Flexibility

• Economies of scale

• Cost reduction

• Resources efficiencies

• OWASP Top 10

• Application Security Risks - 2017

• The (NIST), whose cloud definition is widely accepted in the industry,

omits virtualization as a criterion for cloud. 8

www.bsi.bund.de

VM vs BM

• Two types of clouds

• VM vs Bare metal

• You should consider VM cloud for highly dynamic workloads

• Application that spins up and down rapidly

• Application is sensitive to performance, bare metal can be unbeatable

• Resources dedicated to a single customer

• Greater processing power and input/output operations per second (IOPS)

• More consistent disk and network I/O performance

• Quality of Service (QoS) that guarantees elimination of the noisy neighbor

problem in a multitenant environment.

9

Docker hardware deployment

10

• Type 2 Hypervisor, VMware Workstation for example.

• Type 2 with VM Guest Docker.

• Native host Docker.

• Type 1 Hypervisor, native IBM Z, VMware ESX and others.

• Type 1 with VM Guest Docker.

How does Asynchronous Mirroring differ

from Synchronous Mirroring?

• Asynchronous Mirroring captures the state of the source volume at a

particular point in time and copies just the data that has changed since

the last image capture, whereas Synchronous Mirroring

reflects all changes made on the source volume to the target volume.

• Asynchronous

• Communication Supports iSCSI and Fibre Channel interfaces between storage arrays.

• Distance Unlimited Support for virtually unlimited distances between the local and remote

storage arrays, with the distance typically limited only by the capabilities of the network and

the channel extension technology.

• Synchronous

• Communication via Fibre Channel Supports only Fibre Channel interfaces between arrays.

• Distance Restricted Typically must be within about 10 km (6.2 miles), of the local storage

array to meet the latency and application performance requirements.

•

11

Trust model IAM

• Identity and Access Management (IAM) is the security discipline that

enables the right individuals to access the right resources at the right

times for the right reasons.

• Multiple administrators and users are involved in cloud computing

services, and these cloud computing services are accessed and used

internally (CSPs) and externally (CSCs).

• IAM contributes to the confidentiality, integrity and availability of

services and resources, and thus becomes essential in cloud

computing. Single sign-on and sign-off.

• Transaction audit protects against repudiation, enables forensic

analysis after a security incident, and acts as a deterrent to attacks

(both intrusion and insider). 12

Physical Access

• Access to premises containing CSP equipment is restricted to

authorized persons and only to those areas directly necessary for their

job functions; this is part of the IAM process.

• Multiple sites are needed to guarantee resilience.

• The likelihood of a breach is the same as traditional data centers

13

Interface security

• This capability secures interfaces open to CSCs and/or other contracted

CSPs through which various kinds of cloud computing services are

delivered, and secures communications based on these interfaces.

Mechanisms available to ensure interface security include but are not

limited to:

• unilateral/mutual authentication, integrity checksum, end-to-end encryption,

digital signature, etc.

14

Computing virtualization security

• Refers to the security of the whole computing virtualization env.

• Protects the hypervisor from attacks, protects the host platform from

threats originating in the computing virtualization environment.

• Enables VM isolation, and protects the VM images and suspended VM

instances in storage and during migration.

• The hypervisor configured with the minimum set of services.

• Unnecessary interfaces and application programing interfaces (APIs) is closed,

• Irrelevant service components will be disabled.

• VMs covered those created by CSC in IaaS, and any VMs created by

SaaS and PaaS. Virtual machines is isolated when sharing memory, a

central processing unit (CPU) and storage capacities. 15

Network security

• Both physical and virtual network isolation,

• Secures communications among all participants.

• Enables network security domain partition,

• Network border access controls (e.g., firewall), intrusion detection and

prevention,

• Network traffic segregation based on security policies, and

• Protects the network from attacks in both the physical and virtual

network environments.

16

Data isolation, protection and confidentiality

protection

• They have legal implications.

• Data isolation : a tenant is prevented from accessing data belonging to

another tenant (A given CSC may have multiple tenants Bussines-IT)

• Data protection : Data protection ensures that CSC data and derived

data held in a cloud computing environment is appropriately protected

• Confidentiality protection : The collection, use, transfer, handling,

storage and destruction of private information can be subject to

confidentiality regulations or laws.

• A risk assessment of private information can assist a CSP in identifying

the specific risks of confidentiality breaches involved in an envisaged

operation 17

Securing a Cloud Virtualization environment: Physical environment -- example

Datacenter 1 Datacenter 2

• VM storage is typically coupled asynchronously or even

periodically mirrored. Synchronous replication is very

hard and expensive to achieve.

• Host clusters typically do not span multiple physical

datacenters or they are likely to break redundancy on

VM level.

• An outage of a physical host is typically recovered within

minutes automatically without significant data loss.

• An outage of a datacenter is typically recovered within

hours with typical loss of up to 24 hours of data (due to

mirroring) and failover and fall back are typically

manual.

Securing a Cloud Virtualization environment: Computing Virtualization Security

• Sharing resources in overcommitted systems may result in security relevant data exposures. Some of the

exposures (e.g. RAM or Disk) may be addressed by zeroing or disk sanitization.

• However, in some cases such as a cache this does not work. Most of the known, general attacks on

virtualization systems do address this vector.

Typically used vectors are:

• Timing information from other virtual machines and their core adherence

• Timing information when accessing Cache

• Timing information when writing to deduped memory or storage

• Hardware security features are typically not available in todays cloud environment (or badly supported).

19

Securing a Cloud Virtualization environment: Network security

• Traditionally multiple networks have to be physically separated on a host.

– Guest networks

– Admin network

– Heartbeat network

– Migration networks

– Storage network (includes regular and backup networks)

20

Admin Network

Migration Network

Guest Networks

Storage Network

Processes Security coordination, operational security, and incident management

• Security coordination depends on the interoperability and harmonization

of diverse security mechanisms.

• Monitoring the CSP's security measures and their effectiveness, and

giving appropriate reports to affected CSCs and applicable third-party

auditors (acting as a CSN), which can enable the CSC to measure

whether a CSP is delivering on SLA security commitments.

• Incident management provides incident monitoring, prediction, alerting

and response. In order to know whether the cloud computing service is

operating as expected through the whole infrastructure, continuous

monitoring is necessary.

21

Disaster recovery

• Fast and possibly automated disaster recovery is a key strength of a cloud system.

• Disaster recovery represents the capability to respond to catastrophic disasters, to recover to

a safe state and to resume normal operations as quickly as possible. This capability provides

continuity of provided service with minimum interruption.

22

Service security assessment and audit

• This capability enables the security evaluation of cloud computing

services. It enables an authorized party to verify that a cloud service

complies with the applicable security requirements. Security

assessment or security audit could be performed by the CSC, CSP or a

third party (CSN), and security certification could be performed by an

authorized third party (CSN).

• Auditing and certification are good means to manage risk and to

ameliorate security

23

Standard Compliance Interoperability, portability and reversibility

• Cloud services are only limmited interoperable. While VM migration

within a cluster is «daily business», a migration between two clouds (of

same or different type) require usually a set of common factors.

• Please differentiate:

• Online interoperability

Capability to move a running virtual machine between clouds

• Offline interoperability

Capability to move a stopped virtual machine between clouds

• P2V (Physical to Virtual), V2P (Virtual to Physical)

Capability to convert a physical machine into virtual or the inverse

24

Standard Compliance Common Disk File formats

• VDIVirtualBox uses the VDI (Virtual Disk Image) format for image files. None of the OpenStack Compute

hypervisors support VDI directly,

• VHD Microsoft Hyper-V uses the VHD (Virtual Hard Disk) format for images.

• VHDX format, which has some additional features over VHD such as

• support for larger disk sizes and protection against data corruption during power failures.

• VMDK VMware ESXi hypervisor uses the VMDK (Virtual Machine Disk)

• format for images. Supports thin and thick provisioning.

• QCOW2

Main disk file format for QEMU. Supports thin provisioning,

AES encryption, copy on write and transparent decompression.

• RAW : The raw image format is the simplest one, and is

• Natively supported by both KVM and Xen hypervisors

• This format does not support thin provisioning, deduplication

25

NIST Definitions

• Vulnerability : Any weakness of the security system that could be unintentionally

triggered or intentionally exploited and result in a violation of the system’s security

policy.

• Threat source : a situation and method that may accidentally trigger a vulnerability.

• Threat : The potential for a “threat source” to exploit (intentional) or trigger

(accidental) a specific vulnerability.

26

RISK

THREAT

IMPACT PROBABILIT

Y

Actor

-Person

-Organization

Government

THREAT

Threat

Source

Vulnerability

-Flaw

-Weakness

Motivatio

n

-Financial

-Political

Security model (NIST)

27

System

Confidentiality

Integrity

Availability Accountability Non-repudiation

Assurance

Intrusion

detection

Cryptographic key management

Protected communications

Authentication Authorization

System protections

Transaction privacy

Security administration

Access

Control

Tolerance

Security Effort

28

0.00%

20.00%

40.00%

60.00%

80.00%

100.00%

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

Security

Effort (free scale)

Security (effort)

Effort*

Security*

Effort*

Security*

DEffort

DSecurity

Risk Management

29

Risk

Threats

Vulnerabilities

likel ihood

Safeguards

Assets Consequences

Risk

>Threshold

Detect

analyze

Act

Sensing Context

internal and

external elements

No

Yes

Decide

Control Loop description of autonomic system

30

AnalyzeAct

Collect

Decide

Control Loop

Decision Theory

Risk Management

Trust & Reputation

Autonomic Control loop

Environmental

Sensors

User

Context

Deming Wheel – ISO certification

• Iso 27k

31

Cloud and ISO 27k

• 2008 : foundation of Cloud Security Alliance (Cloud Security Matrix)

• 2010 : Group comity 38 in ISO

• 2011 : Publication de la NIST 800-145 (Definition of Cloud Computing)

• 2014 : Publication de ISO 27018 1st edition

• 2015 : Publication de ISO 27017 1st edition

32

ISO 27k

33

Goal of ISO 27017

• Fournir un guide de bonnes pratiques spécifiques aux services de cloud

computing

• L’ISO/IEC 27017 (Code de pratique pour les contrôles de sécurité de

l'information fondés sur l'ISO/IEC 27002 pour les services en nuage) est un

catalogue de bonnes pratiques pour les contrôles de sécurité adapté aux

services en nuage

• Ces bonnes pratiques sont additionnelles à celles de l’ISO/IEC 27002 sur

la sécurité de l’information, dans le cas où on s’inscrit dans le cadre de

l’ISO/IEC 27001

• Elle intègre des bonnes pratiques et techniques et organisationnelles • Le

recours à la norme ISO/IEC 27017 peut être utile dans une procédure de

mise en conformité dans le contexte spécifique du cloud 34

Sommaire de la norme ISO 27017

Foreword •

0 Introduction •

1 Scope •

2 Normative references ▫

2.1 Identical recommendations International Standards ▫

2.2 Addi tional references •

3 Terms and definitions ▫

3.1 Terms defined elsewhere ▫

3.2 Abbreviations •

4 Overview ▫

4.1 Overview ▫

4.2 Supplier relationshipin cloud services ▫

4.3 Relationships between cloud service customers and

cloud service provider ▫

4.4 Managing information security risks in cloud ser vices ▫

4.5 Structure of this standard •

5 Information security policies ▫

5.1 Management direction for information security •

6 Organization of information security ▫

6.1 Internal organization ▫

6.2 Mobile devices and teleworking •

35

7 Human resource security ▫

7 .1 Prior to employment ▫

7 .2 During employment ▫

7 .3 Termination and change of employment •

8 Asset management ▫

8.1 Responsibility for assets ▫

8.2 Information classification ▫

8.3 Media handling •

9 Access control ▫

9.1 Business requirements of access control ▫

9.2 User access management ▫

9.3 User responsibilities

9.4 System and application access control •

10 Cryptography ▫

10.1 Cryptographic controls •

11 Physical and environmental security ▫

11 .1 Secure areas ▫

11 .2 Equipment •

12 Operations security ▫

12.1 Operational procedures and responsibilities ▫

12.2 Protection from malware ▫

12.3 Backup ▫

12.4 Logging and monitoring ▫

12.5 Control of operational software ▫

12.6 Technical vulnerability management ▫

12.7 Information systems audit considerations •

13 Communications security ▫

13.1 N etwork security management ▫

13.2 Information transfer •

14 System acquisition, development and mai ntenance ▫

14.1 Security requirements of information systems ▫

14.2 Security in development and support processes ▫

14.3 Test data •

15 Supplier relationships ▫

15.1 Information security in supplier relationships ▫

15.2 Supplier services delivery management •

16 Information security incident management ▫

16.1 Management of information security incidents and

improvements •

17 Information security aspects of business conti nuity

management ▫

17 .1 Information security continuity ▫

17 .2 Redundance •

18 Compliance ▫

18.1 Compliance with legal and contractual r equirements ▫

18.2 Information security reviews •

Annex A (normative) Cloud service extended control set •

Annex B References on information security risk related to

cloud computing •

Bibliography

ISO 27k organization

36

Risk management

37

Steps for risks and threat

management

38

39

Most important Questions

40

1. Security architecture/model and framework

2.Security management and audit technology

3. BCP/disaster recovery and storage security

4.Data and privacy protection

5.Account/identity management

6.Network monitoring and incidence response

7.Network security

8.Interoperability security

9.Service portability

Management CyberSecurity （Main）cloud IdM/Bio

X.1601 Security framework for cloud computing

7. Security threats for cloud computing

8. Security challenges for cloud computing

9. Cloud computing security capabilities

10. Framework methodology

X.1601——7. Security threats for cloud computing

7.1 Security threats for cloud service customers

(CSCs)

• 7.1.1 Data loss and leakage

• 7.1.2 Insecure service access

• 7.1.3 Insider threats

7.2 Security threats for cloud service providers (CSPs)

• 7.2.1 Unauthorized administration access

• 7.2.2 Insider threats

X.1601—8. Security challenges for cloud computing

43

8.1 Security challenges for cloud service

customers (CSCs)

• 8.1.1 Ambiguity in responsibility

• 8.1.2 Loss of trust

• 8.1.3 Loss of governance

• 8.1.4 Loss of privacy

• 8.1.5 Service unavailability

• 8.1.6 Cloud service provider lock-in

• 8.1.7 Misappropriation of intellectual property

• 8.1.8 Loss of software integrity

8.2 Security challenges for cloud service providers (CSPs)

• 8.2.1 Ambiguity in responsibility

• 8.2.2 Shared environment

• 8.2.3 Inconsistency and conflict of protection mechanisms

• 8.2.4 Jurisdictional conflict

• 8.2.5 Evolutionary risks

• 8.2.6 Bad migration and integration

• 8.2.7 Business discontinuity

• 8.2.8 Cloud service partner lock-in

• 8.2.9 Supply chain vulnerability

• 8.2.10 Software dependencies

8.3 Security challenges for cloud

service partners (CSNs)

• 8.3.1 Ambiguity in responsibility

• 8.3.2 Misappropriation of intellectual property

• 8.3.3 Loss of software integrity

X.1601

9.Cloud computing security capabilities

9.1 Trust model

9.2 Identity and access management (IAM), authentication, authorization, and transaction audit

9.3 Physical security

9.4 Interface security

9.5 Computing virtualization security

9.6 Network security

9.7 Data isolation, protection and privacy protection

9.8 Security coordination

9.9 Operational security

9.10 Incident management

9.11 Disaster recovery

9.12 Service security assessment and audit

9.13 Interoperability, portability, and reversibility

9.14 Supply chain security 44

ITU cloud security Recommendation

structure

45

X.1601 ——10. Framework methodology

Step 1: Use clauses 7 and 8 to identify security threats and security implications of the challenges in the cloud computing service under study.

Step 2: Use clause 9 to identify the needed high level security capabilities based on identified threats and challenges which could mitigate security threats and address security challenges.

Step 3: Derive security controls, policies and procedures which could provide needed security abilities based on identified security capabilities.

The European Network and Information

Security Agency (ENISA) Model

47

Risks

48

CCM

• Version 1.x Releases – 1.0 (April 2010), 1.01 (Oct 2010), 1.1 (Dec 2010), v1.2 (Aug 2011), v1.3 Aprill, 2013,

• v1.4 (TBD)

• CCM 1.4 • Baseline Control Assurance Framework for Cloud Security mapped to:

• **COBIT 4.1

• **HIPAA / HITECH Act

• ISO/IEC 27001:2005

• **NIST Special Publication (SP) 800-53 Rev 3

• FedRAMP 3.0

• PCI DSS v2.0

• BITS Shared Assessments

• AICPA Trust Services Principles & Criteria (TSP)

49

CSA Security Guidance v3.0

50

CLOUD CONTROLS MATRIX

• Application & Interface Security

• Audit Assurance & Compliance

• Business Continuity Management & Operational Resilience

• Change Control & Configuration Management

• Data Security & Information Lifecycle Management Classification

• Datacenter Security Asset Management

• Encryption & Key Management Entitlement

• Governance and Risk Management: Baseline Requirements

• Human ResourcesAsset Returns

51

CLOUD CONTROLS MATRIX

• Identity & Access Management Audit Tools Access

• Infrastructure & Virtualization Security

• Audit Logging / Intrusion Detection

• Interoperability & PortabilityAPIs

• Mobile Security : Anti-Malware

• Security Incident Management, E-Discovery, & Cloud Forensics

• Contact / Authority Maintenance

• Supply Chain Management, Transparency, and Accountability

• Threat and Vulnerability Management

• Anti-Virus / Malicious Software

52

The security Key strength according to NIST

• https://www.keylength.com/en/

53