
Page 1

© British Telecommunications plc

BT Assure. Security that matters

Theo Dimitrakos

Chief Security Researcher, BT Research & Technology
Professor of Computer Science, University of Kent
Contact: [email protected]

Cloud Security Challenges and Guidelines

Page 2

Security Research & Innovation

Application areas and enabling technologies:
• Physical Security
• Protect BT
• Cyber SOC
• Cable Theft
• Global Threat Monitoring
• Visual Analytics
• Virtualisation and application security
• Malware Evolution
• AI
• Future Home Security
• Intelligent Protection
• Network Alarm Correlation
• Secure Cloud Storage
• …

Page 3

Change factors in a networked world

Cloud Computing
• Disappearing perimeters
• Business services distributed over the network
• Global operations
• Big data at rest on the network / exposed via the network

Network Virtualisation
• Virtualisation of networks and network devices
• New ways of operating network infrastructures

Internet of Things
• Massive interconnection of cloud services and smart devices
• Global distribution (Smart Cities, Smart Health, Smart Energy, etc.)
• Fusion of services with new areas that did not rely on IT networks

Content Networks & New Media
• New and more complex content
• Complex content and media delivery schemes

Mobile Network Evolution
• 4G evolution and deployment
• BYOD proliferation

Social Networks
• Complex interleaving communication channels
• New socio-technical models

Cyber Crime
• Fusion of traditional and internet crime
• Reputation damage and attacks

Cyber Terrorism
• Network increasingly a theatre of state, group and activist terrorism
• Complex supply chains
• Fusion of civil/defence networks

Page 4

Example: Commonly referenced cloud security incidents

Bad co-hosts
• Amazon: Hey Spammers, Get Off My Cloud! (2008)
• Megaupload US prosecutor investigation (2012)

Service Availability
• Bitbucket's Amazon DDoS - what went wrong (2009)
• AWS EBS cloud storage services outage (2011) – impact on Netflix vs. Foursquare

Risk communication & Response
• Diginotar (June 2011)
• RSA SecurID (March 2011)

Entitlement Management
• Security issues with Google Docs
• Security issues with Sony User Network

Hypervisor & Virtual Machine Vulnerabilities
• An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf
• Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware) see also http://invisiblethingslab.com/itl/About.html
• Cloudburst: Arbitrary code execution vulnerability for VMWare http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf

Crypto Ops in VM
• Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine

In-cloud federated Identity Management

Lack of Standards

Data Provenance: where did the data come from?

Data Remanence: you can check out but can’t leave

Location & Privacy: who looks at/after your data? And where? Jurisdictions?

Page 5

Cloud Security: the challenges

Network Virtualisation
• Virtualized network governance
• Virtualisation / Hypervisor security threats
• Packet processing on a virtualized infrastructure
• Security processing impact

Virtualisation / Hypervisor security threats:
• Improperly configured virtual firewalls or networking
• Inspection of intra-VM traffic on virtual networks
• Data leakage through offline images
• Improperly configured hypervisor
• Hypervisor vulnerabilities & malware
• Virtual machine images / virtual appliances containing malicious code (pre-built)

Packet processing on a virtualized infrastructure:
• Confidentiality: efficient data encryption process & encrypted processing function
• Integrity: integrity monitoring of virtual image, network traffic & protocol processing; accountability
• Resource isolation: bandwidth slicing; virtual to physical mapping; network processor scheduling

Security processing impact:
• Shared processor and memory among virtual appliances
• Overhead on packet processing
• Overhead on forwarding rate

Page 6

Cloud Security: the challenges

Cloud & Virtual Infrastructure Security
• Active Shielding
• Isolation (Inter-VM & Hypervisor)
• VM Security
• Hypervisor Security
• Physical-to-Virtual Mapping
• End-to-end Virtualisation
• Data Leakage Prevention

Notes:
• Robust at system level (modulo kernel bugs); issues at management plane; memory hijacking
• Near real-time virtual patching; Intrusion Prevention at Hypervisor level – below Guest OS; malware prevention / detection at Hypervisor level
• Hypervisor / trusted VM: the best place to secure; limited compute resources; security API standards; difficult to exploit but high-impact. Do you trust Microsoft? Do you trust VMWare?
• Guest OS needs security protection; resilient VM lifecycle: dynamic, at massive scale
• Crypto doesn’t like virtual: current algorithms set to optimise resource pooling; can’t always use specialised HW; encryption key management
• Co-ordinate security policies & provisioning for network & server virtualisation; location/resource optimisation
• CSPs don’t: allow clients to classify data; offer different levels of security based upon data sensitivity; offer DLP services

Page 7

Cloud Security: the challenges

Cloud Data & Services Security
• Law & Compliance
• Data Location & Mobility
• Resilience & Availability
• Security in Depth
• Data Comingling
• Multi-tenancy
• Cloud Platform Lock-in

Security in Depth: VMs provided by IaaS provider; platform stack by PaaS provider; IaaS, PaaS issues + application security

Cloud Platform Lock-in: lack of standards; lack of interoperability; limited service portability; incompatible management processes

Law & Compliance: provider & resource / data location; cross-border data movement; PII and privacy obligations (HIPAA, GLBA); auditing and compliance (PCI, ISO 27001); poor quality of evidence

Data Location & Mobility: EU vs. US vs. China (Gov. access); differences in data protection; cost of keeping data hosting in EU; audit data legally owned by CSP – refusal to ‘hand over audit logs’?; difficult to involve law enforcement with CSP activities

Resilience & Availability: latency sensitive applications; enforcement of SLA obligations; insufficient capabilities to cater for managing critical data

Data Comingling: in-cloud segregation of data is difficult; accidental seizure of customer data during forensic investigations

Multi-tenancy: security of shared resources; process isolation; data segregation; “data sharding” (fragment across images); Entitlement & Access Mgmt (policy issuing authority)

Page 8

Cloud Security: the challenges

Cloud Application Security
• Distributed Access Management
• Virtual Directory Services
• Application Service Integration
• Identity Lifecycle Management

Notes:
• Provisioning; Identity Integration; User Management
• Credential Management; Entitlement Management
• Device Credentials, PKI Infrastructure
• Active Directory/LDAP - Attributes, Credentials and Groups for Edge servers
• Credential Mapping; Authorization with Constrained Delegation (Policy Integrity & Recognition of Authority); Trust & Federation; Security Auditing
• Federation and Edge Server Security – Secure Application Integration Fabric (Secure ESB Gateway)

Page 9

Example: Cloud Computing Technology Innovation –vs– Cyber Security Challenges

Commoditised virtualisation
• Security API for hypervisor
• Virtual Data Centre Service Management Layer
• Commoditised elasticity
• Commoditised data abstraction & data federation

Cloud islands
• User-defined hosting
• On-demand Elasticity
• Flexible charging model
• Rapid provisioning / de-provisioning
• Customer defined standalone cloud applications
• Cloud island-specific security in-depth
• Per-customer isolation & multi-tenancy

Common capabilities
• Cloud –vs.– managed service delivery model
• Reusable and customisable enabling services offered via a cloud service delivery model:
  • Identity & access
  • Data & system security
  • Data federation
  • Performance monitoring
  • Intelligent reporting
  • Auditing
  • Usage control
  • Licensing
  • Optimisation

Virtual Private Clouds
• Customer defined security and QoS
• Customer-centric identity & access federation
• Customer-aware process & data isolation
• Customer-defined process and data federation
• Secure private network overlay offered as a service over the internet
• Customer-centric cloud application composition

Community Clouds
• Community-specific virtual private clouds
• In-cloud collaboration, community management & identity federation services
• Vertical integration of hosting and community-specific cloud applications
• Shared

Cloud aware applications
• Commoditisation of cloud application stores
• Commoditisation of SDK for cloud applications
• Take advantage of cloud IaaS or PaaS to develop SaaS
• Ability to deploy your cloud SaaS over a targeted SaaS / PaaS
• SDK methods for on-demand elasticity, in-cloud hosting and dynamic resource provisioning

Cloud service assembly
• Standardisation of cloud service management interfaces
• Commoditisation of cloud assembly processes & tools
• Vertical value chain specific federation
• Ability to mix-and-match cloud infrastructure & in-cloud common capabilities when producing cloud applications
• Ability to specify and rapidly provision mixed delivery models: e.g. SaaS on 3rd party PaaS; PaaS on 3rd party IaaS

Open cloud federation
• Standardisation of:
  • cloud common capabilities
  • cloud service management interfaces
  • cloud access management & federated identity models
  • cloud service monitoring & reporting
  • cloud license management services
• Virtual Private “Local” Network over the Internet
• User defined Virtual Private Cloud

Cloud Aggregation Ecosystem
• Standardised cloud charging models including auctions
• Standardisation of cloud service assembly processes
• Virtual Data Centres assembled over multiple IaaS clouds by different providers
• PaaS over federated IaaS with integrated common capabilities by multiple 3rd parties
• Commoditisation of “Make your own Cloud” capability

Page 10

Example: Cloud security innovation roadmap at BT Research & Technology

Technical innovation challenges & solutions:
• Secure Cloud Service Broker
• Virtual hosting on federated clouds
• Accountable Entitlement Management (in-cloud)
• Virtual Patching
• Cloud SaaS security / confidentiality enhancements
• Application aware Behavioural Malware detection (in-cloud)
• In-cloud malware scanning
• Secure cloud storage service
• Cloud information assurance metrics
• Cloud security analytics
• Hypervisor level Malware Detection
• Hypervisor level Intrusion Prevention
• Hypervisor level Data Leak Prevention
• Use of trusted hardware in Virtual Data Centres & Cloud

Cloud Security Innovation Strategy:
• Market evolution analysis
• Recommendations for High-level Secure Cloud Architecture for Government (IaaS)
• In-cloud security cost-benefit analysis
• Cloud information assurance metrics
• Cloud security risk assessment (eGov)
• Recommendations for High-level Secure Cloud Architecture for Government (SaaS)
• Cloud ecosystem security value network
• Market analysis revision
• Cloud security value network revision
• Strategic Foresight

Themes and activities:
• Cloud federation
• Cloud Security services
• Cloud Security infrastructure
• Secure Virtualisation
• SSO & Identity Management as a Cloud Service
• Multi-Cloud Intelligent Protection
• Multi-Cloud Secure Storage
• Cloud Federation Fabric; Cloud Aggregation Environment; Cloud Federation Management; Cloud CERT; Cloud Cyber-Incident Management

Legend: BT core technology innovation activity; Research Collaboration; Long term research; Strategy / Guidelines

Page 11

Cloud Security Challenges and how we address them

Technology Risks
• Hypervisor vulnerabilities
• Lack of cloud specific security solutions
• Defence in depth is complex to achieve in the Cloud

Multi-tenancy (shared infrastructure)
• Resource sharing
• Poor process isolation / data segregation
• Data sharding, remanence (erasure), co-mingling

Protection in depth & Security at multiple layers
• Virtual image provided by IaaS provider
• Platform stack provided by PaaS
• SaaS application security

Resilience & Availability
• Latency controls for sensitive applications
• Inability to enforce high-assurance SLAs
• CSP unable to provide QoS for sensitive applications

Data Location & Mobility
• EU vs. US vs. China regulations (Government access)
• Differences in data protection between EU regions
• Examples of CSP refusing to ‘hand over audit logs’

Information Assurance & Compliance
• Cross-border data movement
• Privacy obligations (DPA, HIPAA, GLBA)
• Auditing and compliance (PCI, ISO 27001)

Cloud vendor lock in
• Lack of standards / interoperability
• Limited service portability
• Incompatible management processes

Corporate Risks
• Lack of transparency
• Limited audit ability
• Global CSP - regulatory compliance

How we address them
• Direct Innovation downstream to BT MFUs / Platforms
• Influence EU / UK policy (via expert advisory groups / agencies)
• Influence industry via CSA and ISF

Page 12

Examples of Collaborative Research Impact & Value Generation: overview

Influence Strategy & Policy at EU and National Level: Contributors to ENISA advisory reports on Cloud Security
• Cloud Computing: Benefits, Risks, Recommendations
• Security and Resilience of Governmental Clouds
• Procure Secure: security levels in cloud contracts
• Governmental Clouds: Good Practice Guide
• Incident Reporting in the Cloud

Capabilities
• Intelligent Protection
• Secure Cloud Storage
• Multi-cloud VPN overlay
• Trust Assessment
• Cloud Compliance Assessment
• Governmental Cloud Store Capabilities
• Intelligent Protection for Governmental Applications
• Cloud Data Protection Services
• Federated Identity as a Service for PSN and G-Cloud

Trials
• Central Government: Greek Ministry of Finance
• Municipalities: London, UK; Genova, Italy; Belgrade, Serbia

Timeline
• 2010-2013: EU collaboration – Cloud Technology Development
• 2014-2017: Cloud Technology Trials & Validation

Page 13

Examples of Collaborative Research Impact & Value Generation: illustrative case

Research, Development & Experimentation
• FP6 TrustCoM – IP 2004-7: Security policy management automation
• FP6 BEinGRID – IP 2006-9: Common Capabilities for Cloud, Cloud Architecture Security Patterns
• FP6 OPTIMIS – IP 2010-13: Secure Cloud Broker, Common capabilities for Cloud Data & Application Protection
• FP7 FED4FIRE experiments 2014: Multi-cloud Data & Application Protection at large scale

Technology & Business Validation
• CIP STRATEGIC: Secure cloud service store
• EIT HII Trusted Cloud: Secure cloud platform

BT customisation & productisation
• BT Cloud Compute: Platform, Application, Data Security; Identity Federation
• BT Security: Cloud Security Services; Identity as a Service

Page 14

Cloud security: current areas of BT innovation and solutions

Cloud security research
• In-Cloud Security Services
• Secure Community Clouds
• Protecting BT’s Cloud Platforms
• Protect BT’s use of cloud infrastructure, platform and application services

Areas
• Identity & Federation
• Application & Virtual Server Protection
• Storage & Data Protection
• Platform & Infrastructure Security
• Governance, Standards, Compliance, Assurance

Page 15

One capability, multiple cloud security service models

Multi-cloud protection
• One: security dashboard; security policy management interface; governance process
• Many: control points; cloud platforms; applications & servers

Cloud store / Marketplace
• Horizontal / reusable capability
• Fully integrated with cloud application deployment
• Automated policy derivation (security intelligence)
• Automated security patching per application
• Customisable self-management interface
• Multi-cloud
• One click to buy

Cloud platform enhancement
• Horizontal / reusable capability
• Configurable security options
• Fully integrated with cloud application deployment
• Automated policy derivation (security intelligence)
• Automated security patching per application
• One click to buy
• Inflight-provisioning
• Inventory sync

Cross-cloud application defined security policy
• Multi-cloud deployment
• Application defined virtual network overlay
• Application defined security policy group

Delivery models: Cloud-based / On-premise; Fully managed / Self-managed

Page 16

BT Cloud Security Services Incubator - Enabling Open Innovation

Idea generation
• Ideas for new products and services
• Ideas for changing commercial models and value propositions
• Ideas to make things faster

Strategic collaboration
• Define community, qualify and prioritise opportunities
• Research prototype to refine concept in partnership with community
• Validate candidate technologies/software

Customer trials
• Working with customers to trial new innovations
• Obtain early market feedback and test commercial attractiveness and commercial viability

New products & propositions
• When concepts have been proven with customers then they will be down-streamed to product platforms

Pipeline: Research, Alpha, Beta, Platform
• Alpha at Adastral Park run by R&T
• Supports ISV integration, hot houses, etc.
• Beta at London GS2 run by GS, tactical ops from IP Soft
• Targeting LatAm, US, Asia-Pac

Page 17

Thought-leadership: Innovation Demonstrators

Cloud Broker & Federation
• Secure Cloud Service Broker
• Cloud community management
• Cloud Identity and Federation management

Cloud Application Security
• Intelligent Application Protection
• Accountable Entitlement Management
• Confidentiality/Compliance for Cloud SaaS

Cloud System Security
• GRC Assessor
• Secure data storage & sharing
• Intelligent System Protection
• Virtual Security Patching

Secure Virtualisation
• Hypervisor level Malware Detection
• Hypervisor level Intrusion Prevention
• Hypervisor level Data Leak Prevention

Page 18

The BIG picture: Towards a Secure Cloud blueprint

Page 19

BT thought-leadership: Overview of external collaborations
• Co-authors of ENISA expert advisory report on Cloud Security Risk Analysis
• Contributors to CSA security guidelines and lead of Virtualisation Security work stream
• Co-authors of the BT Cloud Security standard
• Contributors to ENISA expert group on Government use of Cloud computing
• Leading Governmental Cloud Services Store & Cloud Security activities on STRATEGIC, a €5 million innovation validation project
• Led Cloud Brokerage & Federation use case at OPTIMIS, a €10.5 million collaborative R&D project
• Led BEinGRID (Chief scientist / technical director), the largest R&D investment (€25 million) on next generation SOA in Europe
• Invited speakers at events: InfoSec, Cloud Security, RSA, e-Crime, Intellect, ISF, CSO Summit, etc.
• 3 books and several technical papers in Cloud & Next Generation SOA

Page 20

Protection in the Cloud: BT Intelligent Protection
Theo Dimitrakos, [email protected]

Page 21

Protection of Systems & Apps in the Cloud

What is it?
• A cloud security service that has been designed and developed to address customer demand for protecting virtual servers and hosted applications on cloud infrastructures.
• Supports multiple cloud service providers, including BT Cloud Compute, Amazon EC2, vCloud etc.
• Comprehensive security solution: Virtual firewall, Intrusion Prevention/Detection, Security Patch management, Anti-malware.
• Deploy security patching & intrusion prevention with no down time.
• Central Security Portal to manage protection in Multiple Cloud Platforms.
• Automatically protect deployed applications / systems in Virtual Environment.
• Flexible delivery of protection:
  • At Hypervisor / virtualisation management level.
  • By self-installing agents on 3rd party environments.
  • Automatically integrate with Application Deployment via Service Store.

Current status
About to go live in the next release of BT Cloud Compute. Market place and intelligent protection service can be used to auto-provision on most popular cloud infrastructure / platform providers.

Benefits
• Reduction of complexity through integration with the cloud environment for automatic capability provisioning, life-cycle management and inventory synchronisation.
• Provides vulnerability protection.
• Eliminates the cost and risk of deployment, integration and management of complex security software or appliances.

Next steps
• Inclusion in BT Compute product roadmap
• BT Wholesale Proposition

Intelligent Protection Service – Security is secretly out of control

DEMO at https://researchplatform.zion.bt.co.uk/demos/ipandsc

Page 22

Important elements of cyber security strategy & innovation

Protection life-cycle
• Intelligence
• Prevention & Protection
• Continuous Assessment
• Remediation planning & Impact Analysis
• Adapt & Respond

Other important elements
• Think global
• Understand the societal, business & technology evolution
• Share intelligence with care
• Carefully attribute responsibility: think of the whole supply-chain
• Design for change & adaptation
• Understand the impact of change
• Learn from own and others’ mistakes
• Centralise visibility & control
• Distribute ability to enforce & self-adapt within policy & context

Page 23

Cloud portal: Intelligent Protection Security Dashboard

Core strengths & innovative features
• In flight intrusion prevention, no down time
• Comprehensive security solution: Virtual firewall, IPS, Security Patch management, Anti-malware
• 360° protection of customer applications
• Built for Cloud/VDC: hypervisor level security, more effective, easier to integrate into the cloud

BT Intelligent Protection

Page 24

Automatic Application Protection

• During Application Provisioning, Customers / Tenants:
  • Purchase intelligent protection License for the required Security Modules (Firewall, Anti-Malware, Intrusion Detection, Integrity Monitoring, Log Inspection)
  • Select an Application from the Application Market Place.
  • Automatically protect the deployed Application with the selected Security Options.

Cloud Service Provisioning

Page 25

Automatic Application Protection

Page 26

Automatic Application Protection

Page 27

Automatic Application Protection

Page 28

Cloud Security Services – protection of data in the cloud
Security is secretly out of control

Secure cloud data protection service

What is it?
• Not just another cloud (i.e. network accessible) storage service
• A cloud security service enabling customers to manage data protection across many cloud infrastructures
• Virtual “hard-disk” volume encryption offered ‘as a service’
• Decryption only possible in “safe” environments following policy-based approval
• Protected data mobility across servers and across clouds
• Customer in control of compliance with data-protection policies across many clouds and regions
• Faults & security breaches visible across clouds
• Seamless integration with Cloud Service stores and interoperability with most cloud platforms

Current status
About to go live on BT Cloud Compute. Market place and intelligent protection service can be used to auto-provision on most popular cloud IaaS/PaaS. BT Intellectual Property (2 core and 9 related patents). Estimated impact of protecting revenue > £30M p.a. Selected for trial with Municipalities (UK, Italy, Serbia) and Central Government services (Lithuania, Greece).

How it works
• Customer is in control of connection, protection, access to secure virtual storage.
• Decryption only possible when data is used in a specific ‘safe’ environment following policy-based approval.

Policy-driven key management
• Uses identity and integrity based enforcement to ensure only authorised virtual machines receive keys and access to secure storage.
• Automates key release and virtual machine authorisation for rapid operation.
• Enables the use of policies to determine when and where keys are used.

Advanced Encryption techniques
• Features FIPS 140-2 certification and FIPS approved AES encryption.
• Encrypts and decrypts information in real time, so that data is always protected.
• Applies whole volume encryption to secure all data, metadata, and associated structures.

Robust auditing, reporting, and alerting
• Logs actions in the management console for audit purposes.
• Provides detailed reporting and alerting features with incident-based and interval-based notifications.
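As an added illustration (not BT’s code or the product’s logic), the policy-driven key release described above can be modelled as a gate that authenticates an integrity report, checks the requesting VM’s identity, approved image measurement, region and cloud platform against the volume’s policy, and records every decision for audit. The agent secret, VM ids, regions, image digests and volume key are constructed values.

```python
"""Policy-driven key release gate for encrypted volumes (illustrative, constructed data)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample values. The shared secret stands in for whatever trust root
# (hypervisor agent, trusted hardware) authenticates integrity reports in practice.
AGENT_SECRET = b"constructed-integrity-agent-secret"
APPROVED_IMAGE = hashlib.sha256(b"constructed approved guest image v1").hexdigest()
TAMPERED_IMAGE = hashlib.sha256(b"constructed tampered guest image").hexdigest()


@dataclass
class VolumePolicy:
    """Conditions under which the key for one encrypted volume may be released."""
    allowed_vm_ids: frozenset
    allowed_measurements: frozenset   # approved boot/image digests (integrity)
    allowed_regions: frozenset        # data-location constraint
    allowed_clouds: frozenset         # which IaaS platforms may mount the volume


def sign_report(report: dict) -> str:
    """Integrity-agent side: authenticate the report so the gate can trust its contents."""
    canonical = json.dumps(report, sort_keys=True).encode()
    return hmac.new(AGENT_SECRET, canonical, hashlib.sha256).hexdigest()


@dataclass
class KeyReleaseService:
    volume_keys: dict                          # volume_id -> data-encryption key (bytes)
    policies: dict                             # volume_id -> VolumePolicy
    audit_log: list = field(default_factory=list)

    def _record(self, decision: str, volume_id: str, report: dict, reason: str) -> None:
        """Every decision, granted or denied, becomes an audit entry."""
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "decision": decision,
            "volume_id": volume_id,
            "vm_id": report.get("vm_id"),
            "region": report.get("region"),
            "cloud": report.get("cloud"),
            "reason": reason,
        })

    def request_key(self, volume_id: str, report: dict, mac: str):
        """Return the volume key only if the authenticated report satisfies the policy."""
        if not hmac.compare_digest(sign_report(report), mac):
            self._record("deny", volume_id, report, "report authentication failed")
            return None
        policy = self.policies.get(volume_id)
        if policy is None:
            self._record("deny", volume_id, report, "unknown volume")
            return None
        checks = [
            (report.get("vm_id") in policy.allowed_vm_ids, "vm not authorised"),
            (report.get("measurement") in policy.allowed_measurements,
             "integrity measurement not approved"),
            (report.get("region") in policy.allowed_regions, "region not permitted"),
            (report.get("cloud") in policy.allowed_clouds, "cloud platform not permitted"),
        ]
        for ok, reason in checks:
            if not ok:
                self._record("deny", volume_id, report, reason)
                return None
        self._record("release", volume_id, report, "policy satisfied")
        return self.volume_keys[volume_id]


def build_demo_service() -> KeyReleaseService:
    """Constructed volume, key and policy used by the walkthrough."""
    policy = VolumePolicy(
        allowed_vm_ids=frozenset({"vm-app-01"}),
        allowed_measurements=frozenset({APPROVED_IMAGE}),
        allowed_regions=frozenset({"eu-west"}),
        allowed_clouds=frozenset({"bt-cloud-compute", "ec2"}),
    )
    return KeyReleaseService(
        volume_keys={"vol-finance-db": bytes(32)},   # constructed 256-bit DEK
        policies={"vol-finance-db": policy},
    )


def walkthrough():
    """Three requests: a compliant VM, a tampered image, and a VM moved out of region."""
    svc = build_demo_service()
    good = {"vm_id": "vm-app-01", "measurement": APPROVED_IMAGE,
            "region": "eu-west", "cloud": "ec2"}
    tampered = dict(good, measurement=TAMPERED_IMAGE)
    moved = dict(good, region="us-east")
    released = [svc.request_key("vol-finance-db", r, sign_report(r)) is not None
                for r in (good, tampered, moved)]
    return released, [entry["reason"] for entry in svc.audit_log]


if __name__ == "__main__":
    for ok, why in zip(*walkthrough()):
        print("release" if ok else "deny", "-", why)
```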

DEMO at https://researchplatform.zion.bt.co.uk/demos/ipandsc

Page 29

Cloud-based Identity Management Service
Future Challenge: Traditional enterprise in a changing world

Internal Enterprise vs. Cloud (Cloud Platform & Infrastructure; Cloud Apps & Web Services; Social Media; SaaS)

• Silo expansion
• Identity shadowing
• Policy fragmentation
• Loss of control

Page 30

Cloud-based Identity Management Service
Future Challenge: Cloud-ready always connected enterprise

Internal Enterprise vs. Cloud (Cloud Platform & Infrastructure; Cloud Apps & Web Services; Social Media; SaaS)

Cloud/hosted service:
• Holistic identity life-cycle management
• Privileged identity
• Governance, audit
• Federation and SSO
• Fraud prevention
for both on-premise and in-cloud services & applications

Gateway/bridge to:
• Identity management
• Enterprise governance
• Access management
• Information protection
for enterprise resources

Future identity challenges case study: BT Cloud Compute Service Store