What is the future of Cloud Security?
March 16, 2012
Author: Jonathan J. Spindel, Ph.D.
White Paper – Cloud Security
Summary

An open-ended question in every IT industry leader's mind is, “how do I operate in an open environment, allow for the maximum use of resources, and still keep a lid on security-related issues?” Within Cloud Computing this question is even more prevalent, as we attempt to operate in an open environment and still worry about security concerns. This new quandary holds validity if the correct actions are taken to target attacks, which almost seem to be programmatically created for such a technology. In order to control and remediate emerging threats, we must adopt intuitive security policies and procedures, along with proactive defenses, while incorporating intelligent management to formalize these processes. This paper will delve into those avenues and address pinpointed benchmarks within the subjects of distributed computing security, capitalizing on the Private/Hybrid/Public Cloud topics and the management/remediation of such issues.

Understanding the underlying complexities as they relate to information and data security will help the reader expose their own concerns regarding internal and external security-related issues, as well as propose solutions that will assist in the remediation of those issues. It will address anxieties revolving around the adoption of outdated information security concepts, and solutions merging innovative ideas surrounding “intelligent” protocol and application behavioral analysis and pattern “DNA” matching techniques, utilizing more advanced computational tools.

In tandem with protocol and application behavioral analysis, these techniques will assist the reader in understanding the value proposition of using more advanced intelligent technology, and how that will add to, and level out, their apprehensions. By the end of this paper, the reader should be able to understand emerging threats, as they are rapidly changing, in succession adopting new attack patterns, targeting application-based computing, and assuming more lucrative attack scenarios.
Overview

Cloud Computing, as they say, is an old idea realized through new technology. The inclusions added over the years give distributed computing new depth, growing from an infantile rationality to what we view as a distributed cloud model, or fabric, today.

As history shows us, we have progressed from the typical roaming profile to VDI (Virtual Desktop Infrastructure), from smartphones to mobile computing platforms, from virtualization to full elastic computing. As we grow and feel the pains of adjusting to such development, our security infrastructure must follow closely to account for changes. With this in mind, take a look at the technological hurdles we have leaped through the mastery of innovation, and then visualize how security must follow.
Threats have become more brazen and have targeted objectives, ones which, if overlooked, will have drastic consequences. We have moved beyond the typical DoS (Denial of Service) attacks to cyber-criminals targeting servers at the application layer; these emerging and advanced persistent threats are distributed with the sole purpose being monetary gain. Information or data theft has become one of the number one issues surrounding monetary loss from a corporate and end-user standpoint.[1]
With the increase in distributed architectures such as cloud computing, we alter the direction of not only how we achieve business IT objectives, but the way in which we enable our internal IT establishments. The industry is seeing a gradual, yet definitive, shift towards these models as a whole, through not only the typical server venues but also the change in mobile computing. The “distributed model” has multiple issues such as scalability, application elasticity, orchestration, automation, etc.; these are not as difficult or complex as cloud security itself. Unlike legacy or local area computing, which communicates primarily through layers 1-4, Cloud is labeled as being much more application based and communicates primarily through layers 4-7 of the OSI model. There are also concerns regarding users and usability, such as remote user authentication, to a much higher degree. This is taking data, or information, security to a new parallel: understanding application communication, how these processes and protocols effectively communicate, and how to manage overall security for such fabrics. The underlying fact is that, because of this shift, attacks have transitioned from traditional signatures to more advanced attack scenarios, such as advanced persistent threats (APT).[2]

In recent years, the security industry has been inundated with news of information theft or dissemination of internal proprietary data, and penetrations resulting in catastrophic loss, through attacks programmatically engineered and targeting application-based computing. These subjects are far outweighed by security vendors themselves having issues with theft or loss of data, and the distribution of classified material from multiple government agencies. Such concerns are mostly internal, and do not translate to hybrid or public cloud computing, not because it hasn't happened or couldn't happen, but because of the under-utilization of public resources. These anomalies can generally point toward fear of losing control over resources, and/or general mistrust of the public/hybrid cloud, due to an overall lack of security or concerns regarding security capabilities as a whole.[3] As it stands today, cloud overall is an annual $37B enterprise, growing exponentially to an estimated $121B by 2015,[4] and only a portion is related to Public Cloud.[5]

[1] http://www.riskandinsurancechalkboard.com/uploads/file/Ponemon Study(1).pdf
[2] http://www.cio.com.au/article/406586/assessing_apt_threat/?fp=4&fpid=18
Elastic computing models could save organizations billions in overall hardware costs and head count, and increase revenue. The “on-demand” ability to scale up or down seamlessly offers a dynamic value-add to DR (Disaster Recovery) and HA (High Availability), and the “pay for what you use” model offers a great value-add to small, medium, and enterprise customers across the board. Hybrid Cloud usage combines public and private fabrics, allowing the ability to gain functionality from public cloud resources and, in tandem, utilize private cloud resources internally. Although these models are best of breed, they exhibit some of the same characteristics regarding security, and even add more legitimacy as the solutions breed more complexity.

Proportionally, the public cloud is utilized under the auspices of an unsecured fabric, although security itself, if you want to route requests through a physical portal, is rather robust. There are several organizations offering solution stacks surrounding the usage of public cloud without the necessity of rerouting data, mostly packages which rely on agent-based architectures, or virtual appliances utilizing agents within the virtual instance itself. These solutions, although robust in nature, are somewhat diluted by the inability to manage multiple rule sets and/or to communicate with other virtual appliances within the fabric, and functionally forget about the hypervisor structure itself. The idea of managing a singular blade server through one virtual appliance has been brought up in many different fashions, from usability to the assumption of managing each blade server in a separate virtual container.[6]

Some issues surrounding these architecture genres stem from the idea of resource pools, and the presence of multiple virtual appliances within pools. From this we can discern that collisions between these appliances are a definite possibility, as well as manageability concerns of the pools themselves, i.e. “what handles what and where?”
[3] “Hype Cycle for Cloud Application Infrastructure Services (PaaS), 2011” – Gartner Review, Cloud Application Infrastructure Services: Cloud application infrastructure services (also known as platform as a service, or PaaS) form the foundation of a cloud computing platform by enabling development, execution, management and life cycle control for cloud-based application solutions (see “Hype Cycle for Cloud Application Infrastructure Services (PaaS), 2011”). It is a less developed and less understood layer in the cloud computing architecture when compared with system infrastructure services (IaaS) and application services (SaaS), but is the fastest growing with innovation and new vendor investments.
[4] http://www.marketsandmarkets.com/Market-Reports/cloud-computing-234.html – The global cloud computing market is expected to grow from $37.8 billion in 2010 to $121.1 billion in 2015 at a CAGR of 26.2% from 2010 to 2015. SaaS is the largest segment of the cloud computing services market, accounting for 73% of the market’s revenues in 2010. The major SaaS providers include Adobe Web Connect, Google Mail, Cisco WebEx, and Yahoo Mail. Content, communications, and collaboration (CCC) accounts for about 30% of the SaaS market revenues.
[5] Cloud computing's fear factor: Acknowledge, reduce, move on, http://radar.oreilly.com/2010/12/cloud-computing-the-fear-facto.html – You also need to be aware of and mitigate your security concerns. It's possible the security risk is over-stated. Most of us do personal online banking, don't we? And aren't huge components of our infrastructure such as energy, financial markets, and the military already large consumers of the cloud? (Little consolation, I agree, when there is a breach -- but a fact on the ground you can't deny). I argue that in the short-term these issues are about deliberate and diligent organizational planning and in the long-term it's simply about normal business continuity design. When something innovative becomes widely adopted, it just becomes business as normal.
[6] Hype Cycle for Privacy, 2011, http://www.gartner.com/DisplayDocument?doc_cd=214943&ref=g_fromdoc – Privacy. The first “Hype Cycle for Privacy, 2011” is a tool for privacy officers and other IT professionals who have a responsibility for privacy in the organization. As attention to privacy as a whole reaches a peak, it justifies a closer look at which regulations are emerging and which have matured, and which technologies are deployed to deal with legal requirements and cultural expectations.
In any Cloud scenario, the presence of a “Single Pane of Glass” management methodology should be commonplace, functioning as a “Manager of Managers” and offering the capability of “Cross Platform Management” and a central point of configuration. Within the typical data security model this becomes a little more difficult, as communication between devices is considered to be bad practice. However, there are various ways in which management of solutions could be learned without direct connection and/or communication. Offering such management structures allows administrators to streamline operations across multiple machines and resource pools, and to manage heterogeneous, multitenant environments, which are becoming more prevalent in the cloud industry.
Programmatically modifying these methodologies as our technological capabilities increase is a must, as we are faced with novel attack scenarios that hamper our security policies and procedures. Intelligent systems with the capability of learning patterns within these transmissions, “protocol and application behavior analysis” and “packet assembly and de-assembly”, are becoming more established as these threat matrices mature, some utilizing the same signatures but altering behavior. As our tool-sets develop, utilizing new technology to assess, interrogate, track, and assemble, transmissions are becoming more difficult to decode, as threats are focusing on applications rather than the typical hardware-based communications.
These new genres of attacks have surfaced, bringing a new mantra on how we protect our assets. We hear more about theft of proprietary information, infiltration of financial institutions, and intrusions within the defense industry. Advanced threats take on a new intonation, one of singularity: the focus is to either obtain information through illegal means, funnel monetary value from an institution, or disseminate information over the wire to discredit an organization or cause harm to individuals.[7]

[7] http://superconductor.voltage.com/2011/07/breaches-vs-european-countries.html
All these developments focus on one subject, causing disruption for monetary gain, and on the ability to use stealth-like technologies to mask intrusion over multiple sessions, resembling internal activity to avoid detection. Although there have always been those who have desired to gain from these acts, the ever-growing presence of ones who have harmful intent has drastically increased. With that increase, so have their technologies, as attack methods become more sophisticated.[8]
We need the ability to forensically approach these issues and “dig deeper” into the behavior of either the protocol or the application being assessed, the way in which the packets are being transmitted, or the destination of the request itself. All these points must be met in order to secure a fabric such as the “cloud”. How “we” manage these issues will be key in stopping the intrusion and/or the unlawful dissemination of proprietary data. Delving into the behavior of such transmissions, and the protocol or application itself, is where technology is headed. The ability to assess the transmission, and the way in which the protocol or application is behaving, is the essence by which we can discern its true nature, or the proper use of the transmission destination. Focusing on the behavior is key; whether that is a protocol- or application-based transmission, being able to interrogate that data assists in the ability to alert on or stop the intrusion or the transmission of proprietary information. By way of cohesively applying target-based processors assigned to a varied number of protocols or applications, it is possible to determine if there is a malicious nature to a transmission, in which case, again, it is possible to alert on or drop associated packets or sessions, depending on the destination or the preference for dropping vs. alerting. This is accomplished by encapsulating the virtual instance, or instances, which affords the capability of interrogating packets and transmissions through protocol/application analysis and/or behavior.
[8] Common Monitoring and Management Solutions, http://www.infosecurity-magazine.com/blog/2011/5/3/who-moved-my-cloud/334.aspx – A single pane of glass is often required to provide a unified look of the entire infrastructure. This will provide an auditor the ability to verify the provider is delivering the level of service guaranteed by the solution. Auditors often look for event handling and common management across all systems. By automating the deployment of such monitoring solutions, and relying on a common platform for the management (including patch management, software revision control, and system lockdown procedures) a level of assurance can be provided to the auditor that all systems are uniform and follow the controls of the monitoring and management criteria.
In reality, the logical way of determining attack protocols is to measure what is normal vs. what isn't. In kind, that measurement should incorporate the “normal” behavior of a system, thereby being able to determine, or decipher, what isn't. This realization elevates the need for determining the behavior of like application or system attacks. By attaching or capturing the “DNA” or “foot print” of normal activity within the actions or behavior of such protocols, applications, or servers, one will be able to determine the actions of any malicious activity, including emerging threats, and be able to remediate such activity in an in-line or on-tap scenario.
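As an added example (not from this paper or its author), the following Python sketches the “normal vs. abnormal” baselining described above, together with the earlier point about per-protocol processors that either alert or drop: a per-application frequency profile (the “DNA”) is built from constructed normal sessions, new sessions are scored by how surprising they are under that profile, and the in-line vs. on-tap deployment decides whether the result is a drop or an alert. The session fields, the smoothing constant and the threshold are illustrative assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed "normal" sessions (not real traffic): each record is
# (application, method, path_prefix, size_bucket), where size_bucket is the
# order of magnitude of bytes the client sent.
NORMAL_SESSIONS = (
    [("web", "GET", "/catalog", 2)] * 40
    + [("web", "GET", "/static", 3)] * 30
    + [("web", "POST", "/cart", 2)] * 20
    + [("web", "POST", "/login", 2)] * 10
    + [("dns", "QUERY", "A", 1)] * 90
    + [("dns", "QUERY", "AAAA", 1)] * 10
)

def size_bucket(nbytes):
    """Bucket a byte count by order of magnitude so sizes compare coarsely."""
    return 0 if nbytes <= 0 else int(math.log10(nbytes))

def build_baseline(sessions):
    """Per-application frequency profile of (method, path_prefix, size_bucket)."""
    profile = defaultdict(Counter)
    for app, method, prefix, bucket in sessions:
        profile[app][(method, prefix, bucket)] += 1
    return profile

def surprise(baseline, session, alpha=0.5):
    """Bits of surprise (-log2 p) of a session under its application's baseline.
    Laplace smoothing (alpha, an assumed constant) keeps unseen feature
    combinations finite but expensive; an unseen application is infinitely surprising."""
    app, method, prefix, bucket = session
    counts = baseline.get(app)
    if counts is None:
        return float("inf")
    total = sum(counts.values())
    n_kinds = len(counts) + 1  # +1 reserves probability mass for the unseen combination
    p = (counts[(method, prefix, bucket)] + alpha) / (total + alpha * n_kinds)
    return -math.log2(p)

def decide(baseline, session, mode, threshold=6.0):
    """On-tap deployments can only alert; in-line deployments may drop the session."""
    s = surprise(baseline, session)
    if s <= threshold:
        return "allow"
    return "drop" if mode == "inline" else "alert"

if __name__ == "__main__":
    base = build_baseline(NORMAL_SESSIONS)
    # Constructed new sessions: a routine catalog fetch, then an oversized POST
    # to a path the baseline has never seen (an application-layer anomaly).
    for sess in [("web", "GET", "/catalog", size_bucket(300)),
                 ("web", "POST", "/admin", size_bucket(5_000_000))]:
        print(sess, round(surprise(base, sess), 2), decide(base, sess, "inline"))
```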
The same concept holds true in reference to the cloud, public, hybrid or private, again being far underutilized, mainly because of worries about the inability to remain compliant and the underlying factor, lack of a cohesive security solution. The same does not hold true in other locations, as use is increasing, especially in Europe as the market expands. Some of the reasoning for the anomaly is the compliance restrictions referred to above, as well as the loss of control, security concerns, and the ability to operate autonomously throughout the fabric. These anxieties arise from the inability to control our own infrastructure, someone else having access to that technology, and/or the ability to access information remotely.[9]

[9] http://wallstreetandtech.com/2012-outlook/the-cloud – The move to the public cloud also will be dictated by the size of the institution. Small to mid-size firms that do not have their own proprietary data centers will be among the first to move to the low-cost capacity the public cloud offers, while larger banks will initially continue to utilize their large, private clouds.
Encapsulating Cloud environments, whether physical, virtual, or Hybrid/Public Cloud based, allows for “dual vector” protection from the “outside in” and the “inside out”, and affords organizations a value-add, gaining back some of that control. It increases the ability to see what is emerging, not only within the IaaS (Infrastructure-as-a-Service) layer, but also in the SaaS (Software-as-a-Service) or application layer. This allows the user to gain control by protecting resources as if they were internal. This is accomplished via location parameters and the use of proprietary models that encompass the resources in a secured mesh, thereby allowing for protection of the resources through a holistic model. This enables the deployment of high-value, high-risk Cloud applications while mitigating the risks associated with such applications. Intrusion detection and prevention must include attack recognition beyond simple signature matching, and the ability to drop malicious sessions as opposed to simply resetting connections.[10]
We must become more knowledgeable in the way we conduct security operations, and in how we design systems to manage and remediate breaches. Intelligent systems capable of managing such traffic, network discovery, and analyzing traffic patterns and protocols formalize these processes, as they do not rely on application changes or structure. These tool-sets attend to traffic, patterns, and protocol behavior, adopting a set of rules capable of matching like patterns to suspicious activity. There must be an ability to incorporate intelligence and machine learning technology to combat these changes, capitalizing on protocol and application behavior and the DNA patterns of the transmissions. These actions must be met with a robust, like-minded response to a malicious action, with the capability of forensic-level capture, affording the capability to stay compliant in a time where compliance is so integral to vital business initiatives.
[10] Public sector cloud use on the rise, http://www.thecloudcircle.com/article/public-sector-cloud-use-rise – The number of public sector organizations using the cloud is rising steadily, if not spectacularly, according to the Cloud Industry Forum, with 11 per cent increased cloud usage over the last nine months. The independent study of the latest cloud adoption rates showed that of the 300 UK-based organizations surveyed, 53 per cent are utilizing cloud services in some form. The private sector continues to lead the public sector with 56 per cent and 49 per cent respectively.