Virtual Security in Cloud Networks
Description: Understanding the difference between Cloud and Virtualization
Transcript
Virtualization Security is NOT Cloud Security!
Privacy, Security and Trust Issues arising from Cloud Computing
Flash Talk
General Idea and Agenda
• Understanding the difference between Cloud and Virtualization
• Definition of Cloud computing
• The problem of the cloud
• The common risks
• The real risks
• Possible solutions
• Deeper concerns
Not Focusing on any vendor
Intended Audience
This presentation is more theoretical than technical, so its main audience is:
- All Sysadmins
- Security Auditors
- Infrastructure designers
- Virtualization professionals
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
NIST definition of Cloud Computing
NIST does not include virtualization as part of its cloud description, so:
CLOUD COMPUTING IS NOT VIRTUALIZATION
Cloud Computing is a new paradigm that offers a number of new features.
Any new paradigm has weaknesses characteristic to its very design.
What is NOT cloud computing
The Power Grid Analogy
What they want us to believe
-Totally secure
-Management Free
-Pay-as-you-go
-No Downtime
The Problem
Organizational Ownership?
Who owns the Virtual network?
[Diagram: on the left, physical NICs and the Physical Network; on the right, the Virtual Network: several VMs, each running services and processes, behind a Management layer.]
Traditional Security (physical network): Network Admin, Server Admin, Application Owners, Data Custodians
Who’s Watching the virtual network? (?)
Data becomes part of an abstraction model
People only care about data
So what are the common threats?
As in any model, you just have to find the gaps
More Virtual = More Gaps
Downtimes
Phishing: “hey! check out this funny blog about you...”
Password Cracking
Botnets and Malware
But what are the real threats?
• Ring 3 – User mode rootkits
• Ring 0 – Kernel mode rootkits
• Ring -1 – Hypervisor rootkits
• Ring -2 – SMM rootkits
• Ring -3 – AMT rootkits
Lord of the Rings
• Threat #1: Abuse and Nefarious Use of Cloud
• Threat #2: Insecure Interfaces and APIs
• Threat #3: Malicious Insiders
• Threat #4: Shared Technology Issues
• Threat #5: Data Loss or Leakage
• Threat #6: Account or Service Hijacking
• Threat #7: Unknown Risk Profile
The usual suspects
What should we do about this?
• Don’t let one person manage all the devices
• Enforce Separation of Duties (SOD)
SOD makes sure that one individual cannot complete a critical task by himself.
Avoid letting the same person manage both the hosts and the Virtual Machines
Use Role Based Access Control
• RBAC is the model used in Virtual Center
FOCUS ON DATA
Network Access Control: access to enterprise network resources is granted based upon authentication of the user and the device, and only if they are compliant with policy
Authentication
Authorization
Follow best practices
Security Principle | Implementation in VI
Least Privileges | Roles with only required privileges
Separation of Duties | Roles applied only to required objects
[Diagram: the roles Administrator, Operator and User assigned to the users Anne, Harry and Joe]
Enforce Strong Access Controls
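As an added illustration of the two rows above (least privilege and separation of duties), and not code from the talk or from any vendor's product: a small Python model in which a role carries only the privileges its job needs and applies only to the object it is assigned on, plus a check that flags any one person who ends up managing both hosts and VMs. The role and user names come from the slide; the privilege names, the object kinds and the host/VM conflict rule are assumptions.

```python
from dataclasses import dataclass

# Privileges each role carries; a role holds only what its job needs (least privilege).
# Privilege names are namespaced by the kind of object they act on (assumption).
ROLE_PRIVILEGES = {
    "Administrator": {"host.configure", "host.patch", "vm.create", "vm.delete", "vm.poweron"},
    "Operator": {"vm.poweron", "vm.poweroff", "vm.console"},
    "User": {"vm.console"},
}

# Separation-of-duties rule (assumption): configuring hosts and creating/deleting VMs
# are conflicting duties that one person must not hold at the same time.
CONFLICTING_DUTIES = ({"host.configure", "host.patch"}, {"vm.create", "vm.delete"})


@dataclass(frozen=True)
class Obj:
    name: str
    kind: str  # "host" or "vm"


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    target: Obj  # the role applies only to this object


def effective_privileges(assignments, user):
    """Return {object name: privileges} that `user` holds.

    A role applied to an object grants only the privileges matching that object's
    kind, so "Administrator on esx01" gives host.* rights and no vm.* rights.
    """
    held = {}
    for a in assignments:
        if a.user != user:
            continue
        privs = {p for p in ROLE_PRIVILEGES[a.role] if p.split(".", 1)[0] == a.target.kind}
        held.setdefault(a.target.name, set()).update(privs)
    return held


def is_authorized(assignments, user, privilege, target):
    """True if the user's scoped roles grant `privilege` on `target`."""
    return privilege in effective_privileges(assignments, user).get(target.name, set())


def sod_violations(assignments):
    """Users holding privileges from both sides of CONFLICTING_DUTIES, on any objects."""
    left, right = CONFLICTING_DUTIES
    violators = []
    for user in sorted({a.user for a in assignments}):
        held = set().union(*effective_privileges(assignments, user).values())
        if held & left and held & right:
            violators.append(user)
    return violators


# Constructed inventory: one host, one VM, and the three people from the slide.
ESX01 = Obj("esx01", "host")
WEB_VM = Obj("web-vm", "vm")
GOOD = [
    Assignment("Anne", "Administrator", ESX01),  # Anne manages the host only
    Assignment("Harry", "Operator", WEB_VM),  # Harry operates the VM
    Assignment("Joe", "User", WEB_VM),  # Joe may only open a console
]
# Same setup, but Anne is also made Administrator of the VM: her duties now overlap.
BAD = GOOD + [Assignment("Anne", "Administrator", WEB_VM)]

if __name__ == "__main__":
    print("Anne may patch esx01:", is_authorized(GOOD, "Anne", "host.patch", ESX01))
    print("Anne may delete web-vm:", is_authorized(GOOD, "Anne", "vm.delete", WEB_VM))
    print("SoD violations (good):", sod_violations(GOOD))
    print("SoD violations (bad):", sod_violations(BAD))
```

The scoping rule is what makes the second slide row work: Anne holds the Administrator role, yet because it is applied only to the host object she gets no vm.* privileges, and the SoD check stays clean until someone also assigns her the role on a VM.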
• Security Best Practices (Firewalls, IPS, Patching, Patching, Patching, Patching)
• Secure your VMs as you would physical machines
• Secure the Network
  • Use a separate private backup and SAN network
  • Use a separate private Management Console network
• Favor Type 1 Hypervisors for Production and Testing Servers
  • VMware ESX Server, Citrix XenServer, MS Hyper-V, etc.
• Favor Type 2 use in Security applications
  • Disable Hardware Acceleration
  • Use QEMU (full emulation mode without kqemu)
  • Disable all sharing features
• Favor Type 2 for Development environments
• Run VMs from different security zones on separate physical hosts
• Use separate physical switches or VLANs in physical switches
• Run different Management stations
• Disable/remove unnecessary virtual hardware
Keep following best practices
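An added configuration audit, not part of the talk, that checks a constructed inventory against four of the practices above: VMs from different security zones on separate physical hosts, a separate VLAN per zone, private management and backup/SAN networks that carry no VM traffic, and no unnecessary virtual hardware. The host and VM names, VLAN numbers and the list of devices treated as unnecessary are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Virtual devices a production VM normally does not need (assumption).
UNNECESSARY_HARDWARE = {"floppy", "cdrom", "serial", "usb"}


@dataclass
class VM:
    name: str
    zone: str  # security zone, e.g. "dmz" or "internal"
    host: str  # physical host the VM runs on
    vlan: int  # VLAN carrying the VM's traffic
    hardware: set = field(default_factory=set)  # extra virtual devices attached


@dataclass
class Host:
    name: str
    mgmt_vlan: int  # management console network
    storage_vlan: int  # backup / SAN network


def audit(vms, hosts):
    """Return a list of findings, one string per violated practice."""
    findings = []
    zones_on_host = defaultdict(set)
    zones_on_vlan = defaultdict(set)
    for vm in vms:
        zones_on_host[vm.host].add(vm.zone)
        zones_on_vlan[vm.vlan].add(vm.zone)

    # Different security zones must sit on separate physical hosts.
    for host, zones in sorted(zones_on_host.items()):
        if len(zones) > 1:
            findings.append(f"host {host} mixes zones {sorted(zones)}")

    # Each zone gets its own VLAN (or physical switch).
    for vlan, zones in sorted(zones_on_vlan.items()):
        if len(zones) > 1:
            findings.append(f"vlan {vlan} shared by zones {sorted(zones)}")

    # Management and backup/SAN networks stay private: no VM traffic on them.
    infra = {}
    for h in hosts:
        if h.mgmt_vlan == h.storage_vlan:
            findings.append(f"host {h.name} puts management and storage on the same vlan {h.mgmt_vlan}")
        infra[h.mgmt_vlan] = "management"
        infra[h.storage_vlan] = "backup/SAN"
    for vm in vms:
        if vm.vlan in infra:
            findings.append(f"vm {vm.name} sends traffic on the {infra[vm.vlan]} vlan {vm.vlan}")
        extra = vm.hardware & UNNECESSARY_HARDWARE
        if extra:
            findings.append(f"vm {vm.name} has unnecessary virtual hardware {sorted(extra)}")
    return findings


# Constructed inventory with a few deliberate mistakes.
HOSTS = [Host("esx01", mgmt_vlan=10, storage_vlan=20), Host("esx02", mgmt_vlan=10, storage_vlan=20)]
VMS = [
    VM("dmz-web", "dmz", "esx01", vlan=100),
    VM("dmz-proxy", "dmz", "esx01", vlan=100, hardware={"floppy"}),  # leftover floppy device
    VM("int-db", "internal", "esx01", vlan=200),  # internal VM co-located with DMZ VMs
    VM("int-app", "internal", "esx02", vlan=100),  # internal VM on the DMZ VLAN
    VM("backup-agent", "internal", "esx02", vlan=20),  # VM attached to the SAN VLAN
]

if __name__ == "__main__":
    for finding in audit(VMS, HOSTS):
        print(finding)
```

Run against the constructed inventory this reports four findings: esx01 mixing the dmz and internal zones, VLAN 100 shared by both zones, backup-agent sitting on the backup/SAN VLAN, and dmz-proxy carrying a floppy device. The same checks can be fed from an exported inventory instead of the inline sample.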
So that’s it?
Software-as-a-service Problems
Platform-as-a-service Problems
Infrastructure-as-a-service Problems
What about forensics?
• Most CSPs do not provide incident analysis
• Customers’ access to logs is restricted
• Forensics becomes almost impossible
• CSPs force you to trust their security
Incident Analysis
God please save me!
• Possible solutions are:
  • HIDS
  • Virtual Firewalls
  • Catbird Security
  • vShield
• Of course the old ones:
  • Data encryption
  • Data integrity checks (during VM transfers)
It’s not that bad!