Are Clouds Secure? Security and Privacy Implications of Cloud Computing
Subra Kumaraswamy, Sun
Tim Mather, RSA
04/21/09 | Session ID: HOT-105 | Session Classification: Intermediate
What We're Not Going to Discuss
• Existing aspects of information security that are not affected by 'cloud computing'
• There are plenty of existing sources of useful information about information security; we will not attempt to recreate those sources or rehash unchanged practices
What We Are Going to Discuss: Where Risk Has Changed
• Information Security – Data
• Information Security – Infrastructure (network-, host-, application-level)
• Security Management Services (security management, security monitoring, identity services)
• Other Important Considerations (audit & compliance, privacy)
• Security-as-a-[Cloud]-Service (SaaS)
The Cloud: Pyramid of Flexibility (figure: the three service layers, SaaS, PaaS and IaaS, drawn as a pyramid)
Components of Information Security (figure)
• Security Management Services
   – Identity services: provisioning, AAA, federation, delegation
   – Security monitoring: network, host, application
   – Management: patching, hygiene, vulnerability assessment (VA), ACL management
• Information Security – Infrastructure: application-level, host-level, network-level
• Information Security – Data: encryption, data masking, content protection
Infrastructure – Network-level
• Shared infrastructure
   – VLAN: private and public (tagged)
   – DHCP server, firewall, load balancer
• Limitations
   – No zones; domains instead
   – Traditional port/protocol filtering irrelevant
   – Point-to-point encryption (in transit) is doable
   – Extranet security jeopardized, unless 'you' control cloud (IP) addressing (questionable)
   – Security monitoring: no transparency
Infrastructure – Network-level
• Threats
   – Lack of widespread adoption of secure BGP: Secure BGP (S-BGP), Secure Origin BGP (soBGP), Pretty Good BGP (pgBGP)
   – Traffic redirection for eavesdropping
   – DNS: domain hijacking
   – Lack of widespread adoption of Secure DNS (DNSSEC); only country-wide adoption so far: Sweden
   – DoS / DDoS
• Mitigations
   – Virtual private cloud: VPN-based solution with strong authentication
   – SSL with client-side certificates
Infrastructure – Host-level
• Shared infrastructure
   – Hardware: CPU, memory, disks, network
   – Software: virtualization layer (e.g., Xen)
   – Web console: provisioning, image management
• Limitations
   – Ephemeral IP address assignment
   – Patch and configuration management of a large number of dynamic nodes
   – SLAs are mostly standard: click-through user agreement
   – Host-based IDS is the customer's responsibility
   – Access management: OS- and vendor-specific
Infrastructure – Host-level
• Threats
   – Image configuration drift and vulnerabilities
   – Targeted DoS attack
   – Potential breakout of VMs; examples: SubVirt, Blue Pill, HyperVM
   – Attacks on standard OS services
• Mitigations
   – Reduce the attack surface: secure-by-default, harden the image, turn off OS services, use a software firewall, enable logging
   – Institute process: access provisioning, patch and configuration management
   – Extend existing IT security standards, practices and processes
   – Host-based IDS: Tripwire, OSSEC
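The "image configuration drift" threat and the "host-based IDS" mitigation above, as an added example that is not part of the original talk: a Go program (standard library only) that takes a SHA-256 baseline of every file under a directory, the way Tripwire or OSSEC baseline a freshly hardened image, and later diffs a new snapshot against it to list added, removed and modified files. The sample files (`etc/ssh/sshd_config`, `etc/passwd`, `usr/bin/ls`, `etc/cron.d/update`) are constructed in a temporary directory, and the names `Snapshot`, `Compare` and `demo` are ours.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a path relative to the monitored root to the SHA-256 of its contents.
type Baseline map[string]string

// Snapshot hashes every regular file under root: the "golden" state recorded when a hardened image is rolled out.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // skip directories, symlinks and devices
		}
		data, err := os.ReadFile(path) // a production agent would stream large files
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		rel, _ := filepath.Rel(root, path)
		b[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return b, err
}

// Drift is what changed between two baselines; each list is sorted for stable reports.
type Drift struct{ Added, Removed, Modified []string }

// Compare is the periodic integrity check: every entry is an approved change or evidence of drift.
func Compare(golden, current Baseline) Drift {
	var d Drift
	for p, sum := range current {
		if prev, ok := golden[p]; !ok {
			d.Added = append(d.Added, p)
		} else if prev != sum {
			d.Modified = append(d.Modified, p)
		}
	}
	for p := range golden {
		if _, ok := current[p]; !ok {
			d.Removed = append(d.Removed, p)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Removed)
	sort.Strings(d.Modified)
	return d
}

// demo lays out a constructed miniature "image" in a temp directory, baselines it, then applies
// the kind of changes a weakened or compromised node shows and reports the drift.
func demo() (Drift, error) {
	root, err := os.MkdirTemp("", "image-")
	if err != nil {
		return Drift{}, err
	}
	defer os.RemoveAll(root)
	write := func(rel, content string) error {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		return os.WriteFile(p, []byte(content), 0o644)
	}
	// Constructed sample files standing in for the hardened image.
	for rel, c := range map[string]string{
		"etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
		"etc/passwd":          "root:x:0:0:root:/root:/bin/bash\n",
		"usr/bin/ls":          "ELF placeholder\n",
	} {
		if err := write(rel, c); err != nil {
			return Drift{}, err
		}
	}
	golden, err := Snapshot(root)
	if err != nil {
		return Drift{}, err
	}
	// Simulated drift (demo-only writes into our own temp dir, so errors are not checked):
	// sshd weakened, a second uid-0 account, a new cron job, a binary removed.
	write("etc/ssh/sshd_config", "PermitRootLogin yes\n")
	write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n")
	write("etc/cron.d/update", "* * * * * root /tmp/.x\n")
	os.Remove(filepath.Join(root, "usr", "bin", "ls"))
	current, err := Snapshot(root)
	return Compare(golden, current), err
}

func main() {
	fmt.Println(demo())
}
```

The golden baseline must be kept off the node, or at least outside the monitored tree and signed: an attacker who can rewrite `etc/passwd` can also rewrite a baseline stored next to it. Sending each node's reports to a collector that lives outside the provider's environment also partly answers the "security monitoring: no transparency" limitation on the network-level slide.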
Infrastructure – Application-level
• Shared infrastructure
   – Virtualized host, network, firewall (if hosted on IaaS or PaaS)
   – Virtualized stack (e.g., LAMP)
   – Database vs. dataspace (e.g., SimpleDB, BigTable)
• Limitations
   – SaaS: application security is a black box
   – SaaS/PaaS: no CVE participation
   – IaaS/PaaS: customer responsibility to secure applications
   – IaaS/PaaS: limited capabilities for encryption, identity management
   – No option to install an application firewall
Infrastructure – Application-level
• Threats
   – OWASP Top 10
   – Mashup security
   – Denial of service by corporate IPS/firewalls
   – Developers sidestepping controls
• Mitigations
   – Traditional application security testing and monitoring
   – Review the provider's SDLC and security assurance process
   – If possible, encrypt data stored in the DB
   – Manage and protect application 'secret keys'
   – User awareness: phishing attacks on users
Data Security
• Confidentiality, availability
• Multi-tenancy
• Data-at-rest possibly not encrypted
• Data being processed definitely not encrypted
• Data lineage (mapping data flows)
• Data provenance
• Data remanence
Security Monitoring – Customer view (figure)
Identity Services
• Generally, strong authentication is available only through delegation
• Federated identity generally not available
   – Support for SAML v2, WS-* and XACML is sporadic
   – OpenID is not enterprise-ready
   – OpenID, OATH, OAuth, OpenAuth, OpenSSO: all five are 'open' and deal with authentication, but….
• Delegated authorization generally not available
• Generally weak credential management, of weak credentials
Audit & Compliance
• No audit standards specific to the 'cloud'
   – Not operational, procurement (e.g., FAR), or security
   – SAS 70 Type II is an audit format, not a specific set of audit criteria
   – Most cloud providers don't even have a SAS 70
• Compliance: the so-called Patriot Act problem
   – Location, location, location
   – The issue is assurance of compliance (e.g., data lineage, let alone data provenance)
Privacy
• Loss of Fourth Amendment protection
   – Legal order served on the provider, not 'you'
   – Some data can be accessed merely by NSLs (National Security Letters)
   – Magistrate judge court orders under §215
• Probably no encryption of data-at-rest
   – No indexing or sorting of encrypted data
   – Definitely no encryption while data is processed
   – Promise of 2-DNF (homomorphic encryption), predicate encryption (asymmetric encryption)
• Data remanence: limited attempt to address
   – NIST Special Publication 800-88, Guidelines for Media Sanitization
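One way to act on "if possible encrypt data stored in DB" and "manage and protect application secret keys" from the application-level slide while addressing the "no indexing or sorting of encrypted data" point above, as an added example that is not part of the original talk: a Go program (standard library only) that encrypts a field with AES-256-GCM under an application-held key and stores beside it a keyed-hash "blind index" that supports exact-match lookup without revealing the value. The in-memory `Table`, the `Vault` and `Row` names, the key-derivation labels and the constructed master key are all ours; in practice the master key comes from a KMS or HSM the provider cannot read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Vault holds two keys derived from one master key that stays with the application, never in the datastore.
type Vault struct{ aead cipher.AEAD; idxKey []byte }

// derive gives each purpose its own key, so the index key cannot decrypt data.
func derive(master []byte, label string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(label))
	return m.Sum(nil) // 32 bytes: AES-256 key or HMAC key
}

func NewVault(master []byte) (*Vault, error) {
	block, err := aes.NewCipher(derive(master, "field-encryption"))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, idxKey: derive(master, "blind-index")}, nil
}

// Seal returns nonce||ciphertext||tag; a fresh nonce makes equal plaintexts encrypt differently.
func (v *Vault) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts and authenticates; any modification of the stored bytes is rejected.
func (v *Vault) Open(sealed []byte) ([]byte, error) {
	n := v.aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return v.aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// BlindIndex is a keyed hash of the normalized value: matchable for equality, not invertible without idxKey.
func (v *Vault) BlindIndex(value string) string {
	m := hmac.New(sha256.New, v.idxKey)
	m.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(m.Sum(nil))
}

// Row is what actually reaches the provider's datastore: EmailIdx is queryable, EmailCT is opaque.
type Row struct {
	Name, EmailIdx string
	EmailCT        []byte
}

// Table is an in-memory stand-in for a SimpleDB/BigTable-style datastore.
type Table struct{ v *Vault; Rows []Row }

func (t *Table) Insert(name, email string) error {
	ct, err := t.v.Seal([]byte(email))
	if err != nil {
		return err
	}
	t.Rows = append(t.Rows, Row{Name: name, EmailIdx: t.v.BlindIndex(email), EmailCT: ct})
	return nil
}

// FindByEmail is the equality query: match on the blind index, then decrypt only the hits to confirm them.
func (t *Table) FindByEmail(email string) ([]string, error) {
	idx := t.v.BlindIndex(email)
	var names []string
	for _, r := range t.Rows {
		if r.EmailIdx != idx {
			continue
		}
		if _, err := t.v.Open(r.EmailCT); err != nil {
			return nil, fmt.Errorf("row %q: %w", r.Name, err)
		}
		names = append(names, r.Name)
	}
	return names, nil
}

func main() {
	v, _ := NewVault([]byte("constructed-master-key-from-a-KMS")) // assumption: KMS-supplied in practice
	t := &Table{v: v}
	t.Insert("Alice", "alice@example.com")
	t.Insert("Bob", "bob@example.com")
	t.Insert("Alice (mobile)", "alice@example.com")
	fmt.Println(t.FindByEmail(" Alice@Example.com ")) // [Alice Alice (mobile)] <nil>
}
```

This recovers equality search only: ordering, prefix and range queries still need plaintext or one of the schemes the slide mentions, and the index still reveals which rows share a value (and how many), so it should be reserved for fields where that leakage is acceptable. Decrypting each hit after the index match stops a tampered or swapped ciphertext from being returned as a valid record, and because the ciphertext column carries a fresh nonce per row, two rows with the same e-mail look unrelated to anyone who holds only the database.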
Security Through the Cloud
• Proliferation of endpoints
   – Different OSs, form factors, but all with access to organizational data
   – Scalability and manageability of existing solutions stretched too far
• USENIX Security paper, July 2008, San Jose: "CloudAV: N-Version Antivirus in the Network Cloud"
• Network-centric: e-mail, vulnerability assessment
• Formerly host-resident: anti-malware, content filtering
Conclusions
• Part of 'your' infrastructure security moves beyond your control. Get ready!
• The provider's infrastructure security may (for an enterprise) or may not (for an SMB) be less robust than 'your' expectations
• Data security becomes significantly more important
• Weak access control and credential management, unless delegated back to 'you'
Conclusions
• No established standards for redaction, obfuscation, or truncation
• No cloud-specific audit requirements or guidance
   – "Extending" SAS 70 Type II to cloud providers
• No cloud-specific regulatory requirements, yet
• Some foreign prohibitions on using U.S. cloud providers
Questions?
Speakers
• Subra Kumaraswamy, Senior Security Manager, Sun Microsystems, subrak@sun.com
• Tim Mather, Chief Security Strategist, RSA, The Security Division of EMC, tim.mather@rsa.com