cloud security: beyond the buzz
Embed Size (px)
- 1.Cloud Security: Beyond the BuzzReal-world case studies show how time-testedsecurity concepts are applied to the Cloud
2. Todays Chat Introduction Me, my company, and why we care about Cloud. Whats Cloud? SaaS, IaaS, PaaS Whats Cloud Security? Different for SaaS, IaaS, PaaS The Nitty Gritty Considerations and case studies 3. Introduction: Terremark Worldwide World-class Data Centers NAP of the Americas, NAP of the Capital Region Network-agnostic (e.g, ~100 ISPs in NAPOTA) World-class Managed Hosting Built on InfiniStructure a virtualized platform Large sensitive clients: H&R Block, Broadlane, ... Enterprise Cloud Built on InfiniCenter, evolved from InfiniStructure 4. Terremark and the Cloud Gartner Magic Quadrant VMWare Service Provider of the Year VMWare recently bought 5% of TMRK Deep Cisco partnership Large Federal Cloud deployments Large Banking Cloud deployments Security is a key differentiator for us! 5. Introduction: Mario D. Santana Director, Secure Information Services Security/risk consulting, forensics, etc. Security of Terremarks hosting environments Expert witness, lectures, etc. CISSP, CISA, GIAC, ECTF, Infragard, etc Systems developer/designer in the 80s Systems administrator/architect in the 90s Security guy in the 00s 6. Depends who you ask. Its some level of IT abstraction.WHATS THE CLOUD? 7. Whats Cloud? Depends who you ask! Much agreement on NISTs1 5 characteristics: On-demand self-service Ubiquitous network access Location-independent resource pooling Rapid elasticity Measured service You know this: youre at CloudWorld! 8. Cloud is Abstraction NaaS: Network as a Service The original cloud, as in network diagrams We dont care how it works, its a black box Service Utility On-Demand etc Not to be confused with managed services These are more of a partnership with a vendor Bottom line: Cloud is someone elses problem. It just works. 9. Different Kinds of Cloud Computing Infrastructure as a Service (IaaS) Abstract away the data center Amazon EC2, Terremark e-Cloud Platform as a Service (PaaS) Abstract away the middleware Google AppEngine, Microsoft Azure Software as a Service (SaaS) Salesforce.com, countless others 10. The Cloud Stack Higher layers are built on lower layers Higher abstractions include lower ones Clouds used to be all (SaaS) or nothing (NaaS) Todays marketplace has more fine-grained distinctions 11. Moving Target In analyst-speak: its a dynamic marketplace Semantics matter New solutions break young, unrefined definitions They yield insight about why Cloud is useful As the marketplace matures, definitions solidify Players are making moves SaaS players offering PaaS and IaaS, for example Amazons multitude of offerings are coalescing 12. Its technology + process + due diligence. The core issue is trust.WHATS CLOUD SECURITY? 13. Technology, Process, Shoe Leather Theres no magic technology in the Cloud The stack is made up mostly of the same old stuff There are a very few special considerations The Cloud is more than the technology Its also the business, cost, and operating models Cloud security can look like security of outsourcing Bottom line: understand and secure the layers The secret ingredient is due diligence 14. Technology: Defense in Depth Defend each layer independently A few special considerations: shared resources All models: shared networking IaaS: shared virtualization and storage PaaS: shared middleware, database, etc. SaaS: shared everything Mostly, non-Cloud security measures translate fairly easily to Cloud environments 15. The Real Issue: Trust Obviously, reputation matters How long has the vendor been doing Cloud? How solid is their past security record? What are their plans? Will they be around long? Fundamental approach: Trust but Verify Without verification, its more faith than trust Partnerships with trustworthy third parties can help Weaknesses dont have to be fatal If you know about them, you can work with them 16. The Nitty Gritty: Considerations and Case StudiesIAAS 17. IaaS: security challenges Virtualization issues VM break-out attack: scary but rare Miscellanea (e.g., hypervisor log-file flooding) Shared infrastructure issues Shared storage: clean it before de-allocating it Shared CPU/RAM: dont over-allocate resources Depend on outsourced datacenter practices These will cover pretty much everything else! 18. IaaS: security benefits Virtualization benefits Machine-level instrumentation (e.g., VMSafe) Simplified incident response, forensics, recovery Shared infrastructure benefits Shared, industrial-strength instrumentation Correlate security information across customers Relatively simple to understand IaaS is much like any other outsourced data center 19. IaaS case study: Enterprise Cloud Terremarks offering Im very familiar with it Right now its a pure IaaS play Meeting the IaaS security challenges: Mature architecture evolved over five years Zero-on-read for shared storage No over-allocation of CPU or RAM Leveraging IaaS security benefits: Robust, integrated managed security offerings 20. The Nitty Gritty: Considerations and Case StudiesPAAS 21. PaaS: security challenges Complex, powerful APIs are hard to protect The platform itself must be safe from attack Applications must be isolated from each other Security mechanisms are secret sauce Details are scarce and vendors arent talking Awkward to do due diligence or compliance Applications might still be insecure Even a perfectly secure platform cant fix that 22. PaaS: security benefits Centrally-managed platform Fixes and countermeasures help all users Correlation of security information across users More and better expertise about the platform The best and brightest people More attention to (security-related) detail Many non-Cloud measures translate directly Application firewalls, strong authentication, etc. 23. PaaS case study: Google Apps Awkward case study, since Google isnt talking Severely limited API (reduce complexity) Big promises, backed by a strong reputation1 There is fuel for speculation: Guido is on board (Google bets on smart people) Java was designed with sandboxing from early on Recent issues2 have scared sensitive clients3 Continued evolution of real and perceived security 24. The Nitty Gritty: Considerations and Case StudiesSAAS 25. SaaS: security challenges Even more than with PaaS, trust is the key The vendor runs everything, soup to nuts The due diligence takes more effort As with PaaS, vendors are tight-lipped Again, theres secret sauce involved More limited use cases expose fewer details No opportunity to work around weaknesses The vendor controls every layer of the technology 26. SaaS: security benefits Centrally-managed application Security is stressed by many users Attack information correlated from many users Attention to the application Unlike for users, running this app is the business Shared costs brings more expertise and resources Little or no technical skill needed to assess Lean on processes, certifications, and reputation 27. SaaS case study: Salesforce.com Very mature platform, yet still evolving Started as a focused SaaS pure play Solidly placed in the PaaS market today Security history typical of outsource partner In 2007, over 900K customer identities stolen In 2009, an extended outage during peak hours Original concept is simple Keep watching as force.com gains momentum 28. Additional thoughts.BONUS ROUND 29. Bonus Round Typical recommendations The what is the same for Cloud or no Cloud. How-to considerations The plumbing is different in virtual environments In theory, everything is easy; in practice, it depends Testing for security in the Cloud Shared environments are always tricky to test Bottom line: coordinate with your vendor 30. Typical Recommendations Full packet capture with session reassembly NetFlow analysis (especially for DDoS) Detailed incident response plan Full forensics capability predefined Code-level security review of applications Application-level firewall End-user metrics and analytics These are the same for Cloud or no Cloud. 31. How-To Considerations Plumbing is different in a virtualized datacenter Software switches and things like VMSafe Be careful not to expose more attack surface In theory, everything is easier The flexible plumbing opens a new world of options In practice, it depends The vendor controls the virtualization layer Do they have the wherewithal to cater to your custom needs? 32. Testing for Security in the Cloud Shared environments are tricky to test Read and understand the acceptable use policy By design, security tests look like hacking activity Illegal access vs. pen-testing: whats the difference Bottom line: coordinate with your vendor Clearly define the rules of engagement Any findings will improve the service you receive You can still incorporate the element of surprise E.g., perform authorized tests at random intervals 33. Questions and discussion.THANK YOU!