Virtual techdays INDIA │ 9-11 February 2011 SECURING THE CLOUD Manu Zacharia │ Information Security Evangelist MVP (Enterprise Security), C|EH, ISLA-2010

virtual techdaysINDIA │ 9-11 February 2011

SECURING THE CLOUD

Manu Zacharia │ Information Security EvangelistMVP (Enterprise Security), C|EH, ISLA-2010 (ISC)², C|HFI, CCNA, MCPCertified ISO 27001:2005 Lead Auditor

Cloud Architecture NIST Working Definition of Cloud Computing Some Myths

C-RISK (Cloud Based Security RISKs) Security Issues Cloud Transparency

Ensuring Security & Privacy Risk Based Approach Risk Assessment for Cloud


S E S S I O N A G E N D A

The opinion here represented are my personal ones and do not necessary reflect my employers views.

Registered brands belong to their legitimate owners. The information contained in this presentation does not break any

intellectual property, nor does it provide detailed information that may be in conflict with any laws (hopefully...) :)

Information and resources from Internet (including publications from Cloud Security Alliance, NIST, etc) were used as references for the creation of this presentation.


DISCLAIMER & REFERENCES

cloud is loud Headline stealer Everybody is concerned about Cloud Security Privacy concerns Why handle cloud differently?

Simple – power of cloud With any new technology comes new risks New vectors - that we need to be aware of


WHY THIS TALK?

Barack Obama's Technology Innovation and Government Reform Team (TIGR) describe the use of cloud computing as "one of the most important transformations the federal government will go through in the next decade."

102 billion objects as of March 2010 in Amazon Cloud The New York Times stores PDF's of 15M scanned news articles. NASDAQ uses cloud to deliver historical stock information. A 64 node server cluster can be online in just five minutes

Forget about those sleepless nights in your data centers


POWER OF CLOUD

Providing a collection of services, applications, information, and infrastructure

comprised of pools of compute, network, information, and storage

resources.


CLOUD

In Simple Terms

From an architectural perspective; there is much confusion How cloud is both similar to and different from existing models of

computing? Same old, Same old - Marcus Ranum Same Client / Server paradigm from Mainframe days – Bruce Schneier

If we don’t understand these similarities and differences, it will impact the organizational, operational, and technological approaches

to information security practices.


CLOUD CONFUSION

In Simple Terms

Current Working Draft 15 / Current Working Defenition 15 “Cloud computing is a model for enabling convenient, on-demand network

access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of : five essential characteristics, three service models, and four deployment models.”

Ref: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc


CLOUD ARCHITECTURE

NIST Working Definition of Cloud Computing

Five essential characteristics On-demand self-service Broad network access Resource pooling Rapid elasticity Measured service


CLOUD ARCHITECTURE


Divided into three archetypal models. The three fundamental classifications are known as the SPI Model. Various other derivative combinations are also available. Three Cloud Service Models

Cloud Software as a Service (SaaS). Cloud Platform as a Service (PaaS). Cloud Infrastructure as a Service (IaaS).


CLOUD ARCHITECTURE


Regardless of the service model, there are four cloud deployment models: Public Cloud Private Cloud Community Cloud Hybrid Cloud

Derivative cloud deployment models are emerging due to the maturation of market offerings and customer demand. Example - Virtual Private Clouds - Public cloud infrastructure in a

private or semi-private manner using VPN.


CLOUD ARCHITECTURE


Myth 1 - Virtualization is mandatory Answer is No

Cloud services are often but not always utilized in conjunction with, and enabled by, virtualization technologies

There is no requirement that ties the abstraction of resources to virtualization technologies

In many offerings virtualization by hypervisor or operating system container is not utilized.


CLOUD - MYTHS

Myths about Cloud Computing Essential Characteristics

Myth 2 - Multi-tenancy as an essential cloud characteristic Multi-tenancy is not called out as an essential cloud characteristic by NIST

but is often discussed as such.


CLOUD - MYTHS

Myths about Cloud Computing Essential Characteristics

New twist on an old concept :) Bursting into the cloud when necessary, or using the cloud when additional compute resources are required

temporarily


CLOUD JARGONS

Cloud Bursting

How it is different from the traditional bursting? Traditionally been applied to resource allocation and automated

provisioning / de-provisioning of resources, mainly focused on bandwidth. In the cloud, it is being applied to resources such as:

servers, application servers, application delivery systems, and other infrastructure…

required to provide on-demand computing environments that expand and contract as necessary, without manual intervention.


CLOUD JARGONS

Cloud Bursting

Without manual intervention means? We generally call it - automation But is automation sufficient for cloud? or Is it the right thing for cloud?


CLOUD JARGONS

Cloud Bursting

Orchestration describes the automated arrangement, coordination, and management of

complex computer systems, middleware, and services.


CLOUD JARGONS

Cloud Orchestration

Open and proprietary APIs are evolving which seek to enable things such as management, security and inter-operatibility

for cloud. Examples include: Windows Azure Storage Services REST API Open Cloud Computing Interface Working Group, Amazon EC2 API, VMware’s DMTF-submitted vCloud API, Sun’s Open Cloud API, Rackspace API, and GoGrid’s API.


CLOUD API

OPEN & PROPRIETARY

Understanding the relationships and dependencies between Cloud Computing models is critical to understanding Cloud Computing security risks.

IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS

As the capabilities are inherited, so are information security issues and risk.


CLOUD REFERENCE MODEL

RELATIONSHIPS & DEPENDENCIES


CLOUD REFERENCE MODEL

RELATIONSHIPS & DEPENDENCIES

From an attackers point of view: The boxes, Storage, Applications

Cloud based security issues Also commonly know as Cloud Based Risk or C-RISK


CLOUD SECURITY

WHAT COULD BE TARGETTED?

Cloud user decides to migrate (due to various reasons including poor SLA) to another cloud service provider or to in-house IT

Different cloud service providers use different API – not compatible with each other for migrating the data

Lack of: Tools, Procedures, Standard data formats, and Interfaces,

can considerably delay or prevent a successful migration.


CLOUD SECURITY

LOCK-IN

Any kind of intentional and un-intentional malicious activity carried out or executed on a shared platform

May affect the other tenants and associated stake holders. Examples - Shared Service Consequences:

Blocking of IP ranges Confiscation of resources as part of an investigation - the availability is in question. The diversity of application running on the cloud platform and a sudden increase in the

resource usage by one application can drastically affect the performance and availability of other applications shared in the same cloud infrastructure.


CLOUD SECURITY

Shared Service Consequences

Cloud is upcoming and promising domain for organizations to venture and expand.

Sudden take over can result in a deviation from the agreed Terms of Use & SLA which may also lead to a Lock-In situation.


CLOUD SECURITY

Sudden Acquisitions and Take-overs

Similar to the conventional run on the bank concept. Bankruptcy and catastrophes does not come with an early warning. What happens if the majority clients withdraw the associated services from

a cloud infrastructure? The cloud service providers may try to prevent that move through direct

and indirect methods – which may include a lock-in also.


CLOUD SECURITY

Run-on-the-cloud

Organizations need to ensure that they can maintain the same when moving to cloud.

Generally - ToU prohibits VA/PT This may introduce security vulnerabilities and gaps Result – Loose your certification. Example - Maintaining Certifications:

In general scenario, the PCI DSS compliance cannot be achieved with most of the cloud service.

Major downfall in performance and quality metrics may affect your certifications.


CLOUD SECURITY

Maintaining Certifications & Compliance

Vulnerabilities applicable to the conventional systems & networks are also applicable to cloud infrastructure.

Lack of could based security standards and non-adherence to procedures may affect the CIA of customer data.


CLOUD SECURITY

Technical and Procedural Vulnerability

The information deleted by the customer may be available to the cloud solution provider as part of their regular backups.

Insecure and inefficient deletion of data where true data wiping is not happening, exposing the sensitive information to other cloud users.


CLOUD SECURITY

Confidentiality is @ Risk

The service provider may be following good security procedures, but it is not visible to the customers and end users.

May be due to security reasons. But end user is finally in the dark. End user questions remains un-answered:

how the data is backed up, who back up the data, whether the cloud service provider does it or has they outsourced to

some third party,


CLOUD SECURITY

Lack of transparency in cloud

how the backup is transferred to a remote site as part of the backup policy,

is it encrypted and send, is the backup properly destroyed after the specified retention period or is it lying somewhere in the disk, what kind of data wiping technologies are used.

The lists of questions are big and the cloud users are in dark


CLOUD SECURITY

Lack of transparency in cloud

Problems testing the cloud? Permission How do you get permission to test your application running on a cloud

when the results of your testing probably could show you data from another client completely?

Getting black hole or getting kicked-off "In networking, black holes refer to places in the network where incoming traffic is silently

discarded (or "dropped"), without informing the source that the data did not reach its intended recipient." - From Wikipedia


CLOUD SECURITY

(Security) Testing in Cloud

How do you track version? How do you do regression testing? How do you know what version of the application is currently running on

the cloud? If you test an application today and find it vulnerable or not vulnerable,

how do you know that the app you testing tomorrow is the same one that you tested yesterday? – Chances are very less


CLOUD SECURITY

(Security) Testing in Cloud

Adopt a risk based approach Evaluate your tolerance for moving an asset to cloud Have a framework to evaluate cloud risks.


CLOUD SECURITY

Addressing Security Issues in Cloud

Identify the asset for cloud. Evaluate the asset Map the asset to cloud deployment models Evaluate cloud service models & providers Sketch the potential data flow


CLOUD SECURITY

Risk Assessment Framework for Cloud

Step 1 - Determine exactly what data or function is being considered for the cloud.

Include potential use of the asset once it moves to the cloud This will help you account for scope creep Note: Data and transaction volumes are often higher than expected.


CLOUD SECURITY

Identify the asset for cloud.

Determine how important the data or function is to the organization. An assessment of the following is recommended:

how sensitive an asset is? and how important an application / function / process is?

How do we do it?


CLOUD SECURITY

Evaluate the asset

For each asset, ask the following questions: How would we be harmed if the asset became widely public and widely distributed? How would we be harmed if an employee of our cloud provider accessed the asset? How would we be harmed if the process or function were manipulated by an outsider? How would we be harmed if the process or function failed to provide expected results? How would we be harmed if the information/data were unexpectedly changed? How would we be harmed if the asset were unavailable for a period of time?

By doing the above we are Assessing confidentiality, integrity, and availability requirements for the asset; and how those are affected if all or part of the asset is handled in the cloud?


CLOUD SECURITY

Evaluate the asset

Map the asset to potential cloud deployment models Determine which deployment model is good for the organizational

requirement. For the asset, determine if you are willing to accept the following options:

Public. Private, internal/on-premises. Private, external (including dedicated or shared infrastructure). Community Hybrid


CLOUD SECURITY

Map the asset to cloud deployment models

Focus on the degree of control you’ll have at each SPI tier to implement any required risk management.


CLOUD SECURITY

Evaluate cloud service models & providers

Map out the data flow between: your organization, the cloud service, and any customers/other nodes.


CLOUD SECURITY

Sketch the potential data flow

You should have a clear understanding of the following: the importance of what you are considering moving to the cloud, risk tolerance, which combinations of deployment and service models are acceptable,

and potential exposure points for sensitive information and operations.


CLOUD SECURITY

Conclusion

virtual techdaysTHANKS│9-11 February 2011

[email protected] │ http://manuzacharia.blogspot.com

Documents

Virtual techdays INDIA │ 9-11 February 2011 SECURING THE CLOUD Manu Zacharia │ Information Security Evangelist MVP (Enterprise Security), C|EH, ISLA-2010