Zimory White Paper: SECURITY IN THE CLOUD – PART 1
Copyright© 2013, Zimory GmbH
TABLE OF CONTENTS
Introduction and Problem Description
Security vs. Decision of Moving to the Cloud
    Market Perspectives for Virtualization
    Cloud Security Best Practices
Benefits of Cloud Security
Security Implications in the Zimory Cloud Suite
    Security Standards and Testing Procedures: The Zimory Cloud Suite case
Conclusion
Contact Information
INTRODUCTION AND PROBLEM DESCRIPTION
The Cloud has stopped being a trend; it is now a reality. However, some aspects of the Cloud
cause hesitation for both customers considering moving to the Cloud and Cloud
Service Providers.
The Cloud has intrinsic and dynamic characteristics of proactivity and interaction. From
the customer's point of view, they might seem difficult to control with conventional IT
security standards. Cloud computing security is, in reality, not isolated from the standard
IT security and data protection policies and regulations.
Main security concerns are:
- Data protection
- Sharing of resources
- Differences in country legislations
On the one hand, this document analyzes security in virtualized environments from
the Cloud customer’s point of view, justifying the importance of customer awareness
about security issues in the Cloud.
The second part of this white paper presents Zimory as an example of Cloud management
services meeting high quality and security standards. This section includes the
description of penetration tests performed by one of Zimory’s customers in order to
observe how the Zimory Cloud Suite responds to simulated attacks.
SECURITY VS. DECISION OF MOVING TO THE CLOUD
When deciding to move to the Cloud, customers must demand to openly discuss
with Cloud Service Providers and vendors any security doubt or question they may have.
Clarity and efficiency are a must when dealing with these issues in any IT environment.
This is even more so in Cloud Computing environments, where elements that are by definition
intrinsic to them (abstracted resources, scalability and flexibility, shared resources,
programmatic management, etc.) can create some uncertainties for all parties involved.
As stated by the European Network and Information Security Agency (ENISA), “Cloud’s
economies of scale and flexibility are both a friend and a foe from a security point of view.
The massive concentrations of resources and data present a more attractive target to
attackers, but cloud-based defenses can be more robust, scalable and cost-effective” [1].
Security issues can be a major question mark for businesses hesitating to move to the
Cloud. The Cloud with its innovative technology has also found effective means to face
and resolve these issues in order to provide guarantees.
MARKET PERSPECTIVES FOR VIRTUALIZATION
Regarding virtualization projections in the IT market, the following chart presents
Gartner's predictions regarding the progression of virtualization by 2015:
Figure 1. Progress towards Virtualization
Source: Gartner (May 2012)
Based on the previous chart, it is important to mention basic principles regarding the
transition from the “physical” security environment to a virtualized security environment [2],
such as:
- Management consoles: often the target of an attack.
- Multi-tenancy and shared resources.
- Compromising the hypervisor.
[1] Catteddu, Daniele and Hogben, Giles: “Cloud Computing Security Risk Assessment”. European Network and
Information Security Agency (ENISA): 2009.
[2] For more details regarding this transition, see “Security in the Cloud – Part II:
Threats and Solutions”. Zimory, 2012.
Providers should be able to offer high-quality security standards in order to limit liability,
“minimizing vulnerabilities and using effective security controls” [3]. This is clearly one of the
main challenges of the Cloud Computing market due to its novelty and rapid evolution.
CLOUD SECURITY BEST PRACTICES
Ideally, in order to keep Cloud Computing Services balanced and in continuous evolution,
there are certain aspects to be considered even as a best practices check-list [1]:
1. Customers must be aware of risks when adopting Cloud services.
2. Customers should compare different Cloud provider offerings in order to
make an informed decision.
3. Cloud providers should provide customers with as much assurance as possible.
4. Not all the assurance burden should fall on Cloud providers.
5. Awareness of regulations of the country where data is stored, where the
company is located and where the cloud service provider is located.
6. Awareness of who controls and regulates data. Customers using services of a
US company are exposed to the Patriot Act, for example.
7. Transparency as a working principle and basis for cloud computing
companies and customers.
8. Whenever possible, allow customers to test Cloud services. Testing procedures
will become a guarantee for Cloud Services.
All parties involved in cloud computing contracts must be aware of the
regulations applicable to their businesses. It is of high importance for Cloud Service Vendors to
explain security issues to their customers before moving to the Cloud.
[3] Gartner Inc. Securing and Managing Enterprise Cloud. John Pescatore. May 2012.
BENEFITS OF CLOUD SECURITY
As stated in ENISA’s Cloud Computing Security Assessment [1], security in the Cloud can
also imply multiple benefits for all parties involved:
1. Security as a differentiator: Cloud services meeting high security standards can
be a stand-out point in a very competitive market.
2. The larger the scale, the cheaper the implemented security measures.
3. Efficient and effective scaling of resources: An intrinsic quality of Cloud services
is the ability to dynamically reallocate resources for multiple purposes, which has
many advantages for resilience.
4. Audits and gathering consumption information: Zimory Cloud Suite offers a pay-
per-use policy and the possibility of exporting resource consumption reports. All
of which leads to more effective resource and cost management.
5. Advantages of Resource concentration: This is generally seen as a risk for Cloud
Computing. It can also facilitate, however, the application of many security-
related measures.
SECURITY IMPLICATIONS IN THE ZIMORY CLOUD SUITE
The Zimory Cloud suite can be taken as an example of testing the performance of Cloud
management services.
To be more concrete, Zimory manages, for one of its customers, public cloud services for
large companies. High security standards are especially required in these
environments, where virtual private clouds work inside public clouds. This is a clear
security challenge for software that manages public cloud services offered
inside the high-security networks of telecommunication companies. When providing these
solutions, the Zimory Cloud Suite successfully proves to be capable of meeting all
security requirements of a carrier grade IaaS management software.
Furthermore, Zimory's multi-layered security approach provides clear and concrete
answers regarding security issues. This approach is based on a compensation method,
which implies that if one security layer is compromised, other layers will back up the
integrity of the security system. This back-up procedure keeps the system stable and
secure, avoiding a complete shutdown.
SECURITY STANDARDS AND TESTING PROCEDURES: THE ZIMORY CLOUD SUITE CASE
Testing procedures are thus of key importance to support and provide security standards
to the performance of Cloud services. Therefore, Zimory welcomed one of their
customers to perform penetration tests on the Zimory Cloud Suite, based on well-defined
security standards.
Penetration tests or pentests are defined by Search Software Quality as “the practice of
testing a computer system, network or Web application to find vulnerabilities that an
attacker could exploit” [4]. These tests simulate both internal and external attacks, including
four main steps:
Step 1: Preparing the Test. During this step, an access methodology to the tested
system is created. Some of the tasks performed during this step are:
- Defining the system to be tested: In this case, zimory®manage was the tested
  component, since it allows direct interaction with an end and external user.
- Determining visibility of the system and the company: Identifying existing limits of
  the information availability.
- Setting test depth and aggressiveness.
- Determining methodology to approach problems, such as software damages,
  information leaks, etc.
Step 2: Gathering Information. This step identifies, for example, elements that need to
be “less visible”. Other tasks of this step include:
- Providing documentation.
- Surveying the development process.
- Examining the I-modules, which constitute the “test steps that serve for pure
  provision of information”.
Step 3: Evaluation of Gathered Information. Analysis of the information gathered
during the previous step, including:
- Identifying critical areas.
- Identifying achievable goals.
- Selecting and examining e-modules, or the “active penetration attempts” [4].
- Describing test cases.
Step 4: Execution Phase or Active Intrusion.
Applying the testing procedures described above, penetration tests were performed on
the Zimory Cloud Suite in April 2011 and included both on-site and remote tests.
[4] Gershater, Jonathan and Mehta, Puneet. Pen Test (Penetration Testing). Search Software Quality, 2011.
Retrieved from: http://searchsoftwarequality.techtarget.com/definition/penetration-testing
After pentest implementation, Zimory software presented no abnormalities regarding
essential test parameters such as:
- Verification of Security laws.
- Failure causes.
- Command, XPath and SQL injections: Techniques used to attack software.
- XML poisoning.
- XDoS attacks: XML denial of service.
Most of the problems detected during the penetration testing procedure, which were
minor issues concerning, for example, cross-site scripting, have since been solved.
Cloud vendors allowing customers and Service Providers to perform test procedures with
high standards could almost be considered a breakthrough in the Cloud Computing
world. Lack of standard testing procedures, especially with regard to security issues, has
been identified as one of the main customer concerns when moving to the Cloud and one
of the reasons for the slow take-off of the Cloud Computing market [5].
Moreover, testing software with such high standard procedures and without having any
major issues detected is a clear indicator of carrier grade software meeting high quality
standards.
CONCLUSION
It is of key importance for customers to be aware and well informed with regards to
security implications from the moment they decide to move to the Cloud. Providers, on
the other hand, should be able to offer high-quality security standards in order to limit
liability, “minimizing vulnerabilities and using effective security controls” [3]. Security in the
Cloud is a matter concerning all actors involved, who must actively contribute to build
confidence in the Cloud.
Cloud security measures are not at all isolated from conventional IT security
measures. Customers and Cloud service users need to analyze and be aware of security
conditions before actually deciding to move to the Cloud.
Finally, the Zimory Cloud Suite can be considered an example of carrier grade IaaS
management software, meeting high quality and security standards. As described in this
paper, Zimory is open and secure enough to submit its product to rigorous tests regarding
security parameters of the product. All of this confirms product guarantees regarding data
protection, scalability, flexibility, hardening of virtual machines and hypervisors, etc.
Our Cloud Suite is, without a doubt, a secure option for managing Cloud services.
[5] For more information, see “Cloud Computing Market: Understanding its Slow Take-Off in Europe”. Zimory,
2012.
CONTACT INFORMATION
Zimory GmbH
Alexanderstrasse 3,
10178 Berlin
Germany
Email: info@zimory.com
Tel: +49 (0)30 609 85 07-0
For the latest information, please visit www.zimory.com
The information contained in this document represents the current view of Zimory GmbH
on the issues discussed as of the date of publication. Because Zimory must respond to
changing market conditions, this document should not be interpreted to be a commitment
on the part of Zimory, and Zimory cannot guarantee the accuracy of any information
presented after the date of publication. The information represents the product at the time
this document was published and should be used for planning purposes only. Information
is subject to change at any time without prior notice.
This document is for informational purposes only.
ZIMORY MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2009 Zimory GmbH. All rights reserved. Zimory is a registered trademark of Zimory
GmbH in Germany. All other trademarks are the property of their respective owners.