Virtualization and Cloud Computing
Virtualization, Cloud and Security
Michael Grafnetter
Agenda
Virtualization Security Risks and Solutions
Cloud Computing Security
Identity Management
Virtualization and Cloud Computing
Virtualization Security Risks and Solutions
Blue Pill Attack
Presented in 2006 by Joanna Rutkowska at the Black Hat conference
Traps the running OS by starting a hypervisor and virtualizing the underlying machine (needs the right to run privileged instructions to achieve this)
Could intercept nearly anything and send fake responses (hardware interrupts, requests for data, system time, etc.)
Red Pill
Blue Pill is detectable by a timing attack: trap-and-emulate takes much longer than native instructions
External time sources (NTP) need to be used, because the system time could be spoofed
VMM Vulnerability
By attacking a VMM, one could attack multiple servers at once
Datacenter Management SW
Virtualization infrastructure management software (VMware vCenter, Microsoft SC VMM) is used to control multiple hosts at once
Web Access to DCs
Multiple datacenters can be managed from a central console. Therefore, its security has to be hardened.
One Ring to rule them all…
Management commands available using PowerShell or Web APIs:

```powershell
Get-VM -Name * | Stop-VM
Get-VM -Name * | Remove-VM
Copy-VMGuestFile
Invoke-VMScript -Type Bash
…
```
Demo
DoS attack on virtualization infrastructure
Disabling Host-VM Communication
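The commands above show how much a single management identity can do; the two defensive counterparts are to find out who holds that power and to hand out only the privileges a job needs, and, per this slide, to switch off guest/host data channels a VM does not need. The following PowerCLI script is an added example, not part of the slides or of any VMware product documentation. It assumes an existing Connect-VIServer session; the role name, folder name, account name, VM name and the listed privilege IDs are assumptions chosen for illustration.

```powershell
# Added example (not from the slides). Requires VMware PowerCLI and a session
# opened with Connect-VIServer. Names below are placeholders.

# 1. Audit: who holds the built-in Admin role on the vCenter root object?
#    Every principal listed here can run "Get-VM | Stop-VM" against all VMs.
$root = Get-Folder -NoRecursion
Get-VIPermission -Entity $root |
    Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, Propagate |
    Format-Table -AutoSize

# 2. Least privilege: a role that may only power VMs on and off, granted on
#    one folder rather than on the root. The privilege IDs are assumed to be
#    the standard vSphere ones; verify them with Get-VIPrivilege on your host.
$privilegeIds = @(
    'System.Anonymous', 'System.View', 'System.Read',   # baseline every role needs
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff'
)
$role = New-VIRole -Name 'VM-PowerOperator' -Privilege (Get-VIPrivilege -Id $privilegeIds)
New-VIPermission -Entity (Get-Folder -Name 'Tier2-Apps') `
                 -Principal 'CORP\vmops' -Role $role -Propagate $true

# 3. Disable host/guest data channels on a VM that does not need them.
#    Settings ending in ".disable" are set to TRUE, ".enable" ones to FALSE.
$vm = Get-VM -Name 'web01'
$isolation = @(
    'isolation.tools.copy.disable',
    'isolation.tools.paste.disable',
    'isolation.tools.dnd.disable',
    'isolation.tools.setGUIOptions.enable'
)
foreach ($name in $isolation) {
    $value = if ($name.EndsWith('.enable')) { 'FALSE' } else { 'TRUE' }
    New-AdvancedSetting -Entity $vm -Name $name -Value $value -Confirm:$false -Force | Out-Null
}
Get-AdvancedSetting -Entity $vm -Name 'isolation.tools.*' | Select-Object Name, Value
```

The isolation settings only cover clipboard and drag-and-drop style channels; guest operations such as Copy-VMGuestFile and Invoke-VMScript are governed by the VirtualMachine.GuestOperations.* privileges (assumed IDs) plus guest credentials, which is why the operator role above deliberately omits them.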
Physical vs. Virtual Firewall
With virtualization, servers from different Trust Zones usually share the same physical resources (memory, network card, etc.)
Traffic isolation
Demo
Configuring traffic isolation on VMware ESXi
Other risks of virtualization
Introduction of yet another OS
Reliance on traditional barriers
Accelerated provisioning
Security left to non-traditional security staff
Audit scope creep
Security Solutions
Virtual Firewall
Live migration
Stretched clusters
Agentless Antivirus
Extensible Switches
Mobile Virtualization Platform
Virtual Desktop Infrastructure (VDI)
Agentless AV
Extensible Switch
Mobile Virtualization Platform
Supported devices
Virtual Desktop Infrastructure
Virtualization and Cloud Computing
Cloud Computing Security Risks
Who has access to our data?
Physical Security
Hard Disk Crushers
Other Cloud Risks
Unclear data location
Regulatory compliance
Data segregation
Lack of investigative support
Disaster recovery
Long-term viability, vendor lock-in
Virtualization and Cloud Computing
Identity Management
Identity Management
Basic Concepts
  External user DBs
  Two-factor authentication
  Role-Based Access Control (RBAC)
Identity Federation
  OAuth
  OpenID
  SAML
  RADIUS Proxy
  Identity Bridges
External User DBs
Typically Active Directory or a generic LDAP directory is used as the central identity store for virtualization infrastructures
Azure Active Directory
Two-Factor Authentication
Role-Based Access Control
Identity Federation
OAuth
Used to delegate user authorization to a 3rd-party service provider
Demo
Creating a web application with Facebook/Twitter/Microsoft Account authentication
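The demo wires a web application to an external OAuth provider; the part of that flow the application itself is responsible for is building the authorization request and validating the redirect that comes back. The code below is an added example, not from the slides or the demo, written for a generic OAuth 2.0 authorization-code flow (the pattern Facebook, Twitter and Microsoft Account logins all follow today). The authorization endpoint, client id and redirect URI are placeholders, and the functions show the client side plus the PKCE check the server performs at the token endpoint.

```python
"""OAuth 2.0 authorization-code flow: the relying-party (web application) side.

Added example, not from the slides. Builds the authorization request the user
is redirected to and validates the callback, using a per-session state value
(login-CSRF protection) and PKCE (RFC 7636) to bind the code to this client.
Endpoint URL, client id and redirect URI are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected.encode(), challenge.encode())


def build_authorization_request(authorize_url, client_id, redirect_uri, scope):
    """Return (redirect_url, session_values).

    session_values must be stored server-side (never in the URL) until the
    provider redirects the user back."""
    state = secrets.token_urlsafe(24)          # ties the callback to this session
    verifier, challenge = new_pkce_pair()      # ties the token exchange to this client
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_url}?{urlencode(params)}", {"state": state, "code_verifier": verifier}


def handle_callback(callback_url: str, session: dict):
    """Validate the provider's redirect; return the authorization code or None.

    A missing or mismatching state means this session never started the login
    (a login-CSRF attempt or a stale link), so the code is discarded. The state
    is consumed on success so a replayed callback is rejected."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        return None
    state = query.get("state", [""])[0]
    expected = session.get("state", "")
    if not state or not expected:
        return None
    if not secrets.compare_digest(state.encode(), expected.encode()):
        return None
    session.pop("state", None)                 # single use
    code = query.get("code", [""])[0]
    return code or None                        # exchange with session["code_verifier"]


if __name__ == "__main__":
    url, sess = build_authorization_request(
        "https://login.example.net/oauth2/authorize", "demo-app",
        "https://app.example.com/callback", "openid email")
    print("redirect user to:", url)
    print("code:", handle_callback(
        f"https://app.example.com/callback?code=abc123&state={sess['state']}", sess))
```

The returned code is then posted to the provider's token endpoint together with the stored code_verifier; that request (and the identity lookup that follows) is provider-specific and not shown here.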
OpenID
http://someopenid.provider.com/john.smith
SAML
Similar to OpenID, but targeted at the enterprise
Security Assertion Markup Language
XML-based
Supports Single sign-on
Requires mutual trust between IdP and SP
Multiple bindings, not just HTTP
Supports Identity-provider-initiated authentication
SAML (Google Apps)
SAML Example

```xml
<saml:Assertion
    ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0"
    IssueInstant="2004-12-05T09:22:05">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  …
  <saml:Conditions
      NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05">
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute x500:Encoding="LDAP" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
```
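The "mutual trust between IdP and SP" mentioned on the SAML slide is enforced by what the service provider checks before it believes an assertion like the one above: the issuer, the validity window in Conditions, and the audience the assertion was issued for. The code below is an added example, not from the slides; it parses a constructed assertion modelled on the slide's example (namespace declarations and an AudienceRestriction were added so it is self-contained, and the ds:Signature element is omitted). It assumes the XML signature has already been verified by an XML-DSig library; that step is not shown and must never be skipped, and a hardened parser such as defusedxml should be used on untrusted input.

```python
"""Service-provider checks on a SAML 2.0 assertion.

Added example, not from the slides. Validates Issuer, the Conditions window
and Audience of an assertion shaped like the slide's, then extracts the
attribute statement. XML signature verification is assumed to happen first.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample based on the slide (AudienceRestriction and namespace
# declarations added; ds:Signature omitted).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
    ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0"
    IssueInstant="2004-12-05T09:22:05">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <saml:Conditions NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute x500:Encoding="LDAP" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                    FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


@dataclass
class Verdict:
    ok: bool
    reason: str
    attributes: dict = field(default_factory=dict)


def _parse_ts(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC; the slide's values carry no
    'Z' suffix, so naive values are interpreted as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now,
                       clock_skew_seconds=0):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion" or root.get("Version") != "2.0":
        return Verdict(False, "not a SAML 2.0 Assertion")

    # 1. Only the IdP we federated with may issue assertions for us.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        return Verdict(False, f"unexpected issuer {issuer!r}")

    # 2. Validity window; NotOnOrAfter is exclusive. Allow bounded clock skew.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return Verdict(False, "missing Conditions")
    skew = timedelta(seconds=clock_skew_seconds)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_ts(not_before):
        return Verdict(False, "assertion not yet valid")
    if not_on_or_after and now - skew >= _parse_ts(not_on_or_after):
        return Verdict(False, "assertion expired")

    # 3. An assertion issued for another SP must not be accepted here.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audiences and expected_audience not in audiences:
        return Verdict(False, "audience mismatch")

    # 4. Collect attribute values keyed by FriendlyName (fallback: Name).
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attrs[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return Verdict(True, "ok", attrs)


if __name__ == "__main__":
    at_issue = datetime(2004, 12, 5, 9, 22, 5, tzinfo=timezone.utc)
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.org/SAML2",
                             "https://sp.example.com/SAML2", at_issue))
```

Run at the assertion's IssueInstant the checks pass and yield eduPersonAffiliation = member, staff; at 09:27:05 the same assertion is already expired unless a small clock-skew allowance is configured.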
Microsoft Active Directory Federation Services
SAML-based
Typically used to give business partners access to intranet portals
Shibboleth
SAML-based federation portal
Open Source
Demo
Signing in to a federated web application
RADIUS Proxy (Eduroam)
Identity Bridges
Identity Bridges: Azure Access Control Service