virtual techdays india │ 9-11 february 2011 securing the cloud manu zacharia │ information...
Post on 21-Dec-2015
214 Views
Preview:
TRANSCRIPT
virtual techdaysINDIA │ 9-11 February 2011
SECURING THE CLOUD
Manu Zacharia │ Information Security EvangelistMVP (Enterprise Security), C|EH, ISLA-2010 (ISC)², C|HFI, CCNA, MCPCertified ISO 27001:2005 Lead Auditor
Cloud Architecture NIST Working Definition of Cloud Computing Some Myths
C-RISK (Cloud Based Security RISKs) Security Issues Cloud Transparency
Ensuring Security & Privacy Risk Based Approach Risk Assessment for Cloud
virtual techdaysINDIA │ 9-11 February 2011
S E S S I O N A G E N D A
The opinion here represented are my personal ones and do not necessary reflect my employers views.
Registered brands belong to their legitimate owners. The information contained in this presentation does not break any
intellectual property, nor does it provide detailed information that may be in conflict with any laws (hopefully...) :)
Information and resources from Internet (including publications from Cloud Security Alliance, NIST, etc) were used as references for the creation of this presentation.
virtual techdaysINDIA │ 9-11 February 2011
DISCLAIMER & REFERENCES
cloud is loud Headline stealer Everybody is concerned about Cloud Security Privacy concerns Why handle cloud differently?
Simple – power of cloud With any new technology comes new risks New vectors - that we need to be aware of
virtual techdaysINDIA │ 9-11 February 2011
WHY THIS TALK?
Barack Obama's Technology Innovation and Government Reform Team (TIGR) describe the use of cloud computing as "one of the most important transformations the federal government will go through in the next decade."
102 billion objects as of March 2010 in Amazon Cloud The New York Times stores PDF's of 15M scanned news articles. NASDAQ uses cloud to deliver historical stock information. A 64 node server cluster can be online in just five minutes
Forget about those sleepless nights in your data centers
virtual techdaysINDIA │ 9-11 February 2011
POWER OF CLOUD
Providing a collection of services, applications, information, and infrastructure
comprised of pools of compute, network, information, and storage
resources.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD
In Simple Terms
From an architectural perspective; there is much confusion How cloud is both similar to and different from existing models of
computing? Same old, Same old - Marcus Ranum Same Client / Server paradigm from Mainframe days – Bruce Schneier
If we don’t understand these similarities and differences, it will impact the organizational, operational, and technological approaches
to information security practices.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD CONFUSION
In Simple Terms
Current Working Draft 15 / Current Working Defenition 15 “Cloud computing is a model for enabling convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of : five essential characteristics, three service models, and four deployment models.”
Ref: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
virtual techdaysINDIA │ 9-11 February 2011
CLOUD ARCHITECTURE
NIST Working Definition of Cloud Computing
Five essential characteristics On-demand self-service Broad network access Resource pooling Rapid elasticity Measured service
virtual techdaysINDIA │ 9-11 February 2011
CLOUD ARCHITECTURE
NIST Working Definition of Cloud Computing
Divided into three archetypal models. The three fundamental classifications are known as the SPI Model. Various other derivative combinations are also available. Three Cloud Service Models
Cloud Software as a Service (SaaS). Cloud Platform as a Service (PaaS). Cloud Infrastructure as a Service (IaaS).
virtual techdaysINDIA │ 9-11 February 2011
CLOUD ARCHITECTURE
NIST Working Definition of Cloud Computing
Regardless of the service model, there are four cloud deployment models: Public Cloud Private Cloud Community Cloud Hybrid Cloud
Derivative cloud deployment models are emerging due to the maturation of market offerings and customer demand. Example - Virtual Private Clouds - Public cloud infrastructure in a
private or semi-private manner using VPN.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD ARCHITECTURE
NIST Working Definition of Cloud Computing
Myth 1 - Virtualization is mandatory Answer is No
Cloud services are often but not always utilized in conjunction with, and enabled by, virtualization technologies
There is no requirement that ties the abstraction of resources to virtualization technologies
In many offerings virtualization by hypervisor or operating system container is not utilized.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD - MYTHS
Myths about Cloud Computing Essential Characteristics
Myth 2 - Multi-tenancy as an essential cloud characteristic Multi-tenancy is not called out as an essential cloud characteristic by NIST
but is often discussed as such.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD - MYTHS
Myths about Cloud Computing Essential Characteristics
New twist on an old concept :) Bursting into the cloud when necessary, or using the cloud when additional compute resources are required
temporarily
virtual techdaysINDIA │ 9-11 February 2011
CLOUD JARGONS
Cloud Bursting
How it is different from the traditional bursting? Traditionally been applied to resource allocation and automated
provisioning / de-provisioning of resources, mainly focused on bandwidth. In the cloud, it is being applied to resources such as:
servers, application servers, application delivery systems, and other infrastructure…
required to provide on-demand computing environments that expand and contract as necessary, without manual intervention.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD JARGONS
Cloud Bursting
Without manual intervention means? We generally call it - automation But is automation sufficient for cloud? or Is it the right thing for cloud?
virtual techdaysINDIA │ 9-11 February 2011
CLOUD JARGONS
Cloud Bursting
Orchestration describes the automated arrangement, coordination, and management of
complex computer systems, middleware, and services.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD JARGONS
Cloud Orchestration
Open and proprietary APIs are evolving which seek to enable things such as management, security and inter-operatibility
for cloud. Examples include: Windows Azure Storage Services REST API Open Cloud Computing Interface Working Group, Amazon EC2 API, VMware’s DMTF-submitted vCloud API, Sun’s Open Cloud API, Rackspace API, and GoGrid’s API.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD API
OPEN & PROPRIETARY
Understanding the relationships and dependencies between Cloud Computing models is critical to understanding Cloud Computing security risks.
IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS
As the capabilities are inherited, so are information security issues and risk.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD REFERENCE MODEL
RELATIONSHIPS & DEPENDENCIES
virtual techdaysINDIA │ 9-11 February 2011
CLOUD REFERENCE MODEL
RELATIONSHIPS & DEPENDENCIES
From an attackers point of view: The boxes, Storage, Applications
Cloud based security issues Also commonly know as Cloud Based Risk or C-RISK
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
WHAT COULD BE TARGETTED?
Cloud user decides to migrate (due to various reasons including poor SLA) to another cloud service provider or to in-house IT
Different cloud service providers use different API – not compatible with each other for migrating the data
Lack of: Tools, Procedures, Standard data formats, and Interfaces,
can considerably delay or prevent a successful migration.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
LOCK-IN
Any kind of intentional and un-intentional malicious activity carried out or executed on a shared platform
May affect the other tenants and associated stake holders. Examples - Shared Service Consequences:
Blocking of IP ranges Confiscation of resources as part of an investigation - the availability is in question. The diversity of application running on the cloud platform and a sudden increase in the
resource usage by one application can drastically affect the performance and availability of other applications shared in the same cloud infrastructure.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Shared Service Consequences
Cloud is upcoming and promising domain for organizations to venture and expand.
Sudden take over can result in a deviation from the agreed Terms of Use & SLA which may also lead to a Lock-In situation.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Sudden Acquisitions and Take-overs
Similar to the conventional run on the bank concept. Bankruptcy and catastrophes does not come with an early warning. What happens if the majority clients withdraw the associated services from
a cloud infrastructure? The cloud service providers may try to prevent that move through direct
and indirect methods – which may include a lock-in also.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Run-on-the-cloud
Organizations need to ensure that they can maintain the same when moving to cloud.
Generally - ToU prohibits VA/PT This may introduce security vulnerabilities and gaps Result – Loose your certification. Example - Maintaining Certifications:
In general scenario, the PCI DSS compliance cannot be achieved with most of the cloud service.
Major downfall in performance and quality metrics may affect your certifications.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Maintaining Certifications & Compliance
Vulnerabilities applicable to the conventional systems & networks are also applicable to cloud infrastructure.
Lack of could based security standards and non-adherence to procedures may affect the CIA of customer data.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Technical and Procedural Vulnerability
The information deleted by the customer may be available to the cloud solution provider as part of their regular backups.
Insecure and inefficient deletion of data where true data wiping is not happening, exposing the sensitive information to other cloud users.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Confidentiality is @ Risk
The service provider may be following good security procedures, but it is not visible to the customers and end users.
May be due to security reasons. But end user is finally in the dark. End user questions remains un-answered:
how the data is backed up, who back up the data, whether the cloud service provider does it or has they outsourced to
some third party,
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Lack of transparency in cloud
how the backup is transferred to a remote site as part of the backup policy,
is it encrypted and send, is the backup properly destroyed after the specified retention period or is it lying somewhere in the disk, what kind of data wiping technologies are used.
The lists of questions are big and the cloud users are in dark
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Lack of transparency in cloud
Problems testing the cloud? Permission How do you get permission to test your application running on a cloud
when the results of your testing probably could show you data from another client completely?
Getting black hole or getting kicked-off "In networking, black holes refer to places in the network where incoming traffic is silently
discarded (or "dropped"), without informing the source that the data did not reach its intended recipient." - From Wikipedia
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
(Security) Testing in Cloud
How do you track version? How do you do regression testing? How do you know what version of the application is currently running on
the cloud? If you test an application today and find it vulnerable or not vulnerable,
how do you know that the app you testing tomorrow is the same one that you tested yesterday? – Chances are very less
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
(Security) Testing in Cloud
Adopt a risk based approach Evaluate your tolerance for moving an asset to cloud Have a framework to evaluate cloud risks.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Addressing Security Issues in Cloud
Identify the asset for cloud. Evaluate the asset Map the asset to cloud deployment models Evaluate cloud service models & providers Sketch the potential data flow
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Risk Assessment Framework for Cloud
Step 1 - Determine exactly what data or function is being considered for the cloud.
Include potential use of the asset once it moves to the cloud This will help you account for scope creep Note: Data and transaction volumes are often higher than expected.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Identify the asset for cloud.
Determine how important the data or function is to the organization. An assessment of the following is recommended:
how sensitive an asset is? and how important an application / function / process is?
How do we do it?
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Evaluate the asset
For each asset, ask the following questions: How would we be harmed if the asset became widely public and widely distributed? How would we be harmed if an employee of our cloud provider accessed the asset? How would we be harmed if the process or function were manipulated by an outsider? How would we be harmed if the process or function failed to provide expected results? How would we be harmed if the information/data were unexpectedly changed? How would we be harmed if the asset were unavailable for a period of time?
By doing the above we are Assessing confidentiality, integrity, and availability requirements for the asset; and how those are affected if all or part of the asset is handled in the cloud?
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Evaluate the asset
Map the asset to potential cloud deployment models Determine which deployment model is good for the organizational
requirement. For the asset, determine if you are willing to accept the following options:
Public. Private, internal/on-premises. Private, external (including dedicated or shared infrastructure). Community Hybrid
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Map the asset to cloud deployment models
Focus on the degree of control you’ll have at each SPI tier to implement any required risk management.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Evaluate cloud service models & providers
Map out the data flow between: your organization, the cloud service, and any customers/other nodes.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Sketch the potential data flow
You should have a clear understanding of the following: the importance of what you are considering moving to the cloud, risk tolerance, which combinations of deployment and service models are acceptable,
and potential exposure points for sensitive information and operations.
virtual techdaysINDIA │ 9-11 February 2011
CLOUD SECURITY
Conclusion
virtual techdaysTHANKS│9-11 February 2011
m@hackit.co │ http://manuzacharia.blogspot.com
top related