The next session will look at security and privacy in the cloud. We'll examine the new risks, and what tools can mitigate them. We'll discuss governance, compliance, and what systems we need to use to access cloud resources securely. We'll deal with identity, single-sign-on, and so on.
2. WHO’S THIS GUY?
Ward Spangenberg, Director of Security Operations, Zynga Game Network
No - I won’t whack the Petville boss who just broke into your cafe and made away with all your “grave dirt” riding a “luv-ewe”.
Founding Member of the Cloud Security Alliance
3. WHAT’S HE GOING TO TALK ABOUT?
Definitions: Same starting point for everyone.
Security: What does that even mean?
Compliance: Did he just say compliance and cloud in the same sentence?
Privacy: All your cloud belong to us.
Stuff: quips, stories, advice, and hopefully some laughter.
4. DEFINITION OF CLOUD COMPUTING
Cloud computing describes a system where users can connect to a vast network of computing resources, data and servers that reside somewhere “cloudy,” usually on the Internet, rather than locally or in the data center. Cloud computing can give on-demand access to supercomputer-level power, even from a thin client or mobile device such as a smart phone or laptop (or iPad).
(@tomme Agreed. Quit arguing about definition. Common denominator: other people's ppl, other ppl's gear - let's focus on benefits #ccevent)
6. DEFINITIONS OF ARCHITECTURE
IaaS: “based on pure virtualization. Vendor owns all the hardware and controls the network infrastructure, and you own everything from the guest operating system up. You request virtual instances on-demand and let them go when you are done.”
PaaS: “infrastructure as well as complete operational and development environments for the deployment of your applications.”
SaaS: “a web-based software deployment model that makes the software available entirely through a web browser.”
8. DEPLOYMENT MODELS
Public
Private ("I'm just going to call a private cloud a data center." --Kash Rangan, Managing Director, Merrill Lynch)
Managed
Hybrid Mongrel/Mutt
9. WHY CONSIDER THE CLOUD?
Increased productivity
Decreased capital investments
Reduced Costs for IT
Scalable systems with low overhead
Increased Storage
Flexibility
13. SECURITY + CLOUD = ?
As my friend Hoff likes to say: “...it is difficult to frame meaningful discussion around what security and Cloud Computing means...”
Yes, no, maybe.
Actually security is not a cloud specific issue. The real struggle is “operational, organizational and compliance issues that come with this new unchartered (or poorly chartered) territory.”
15. TOP THREATS TO CLOUD COMPUTING
Abuse and Nefarious Use of Cloud Computing
Insecure Application Programming Interfaces
Malicious Insiders
Shared Technology Vulnerabilities
Data Loss/Leakage
Account, Service & Traffic Hijacking
Unknown Risk Profile
16. OWASP TOP 10
A1 – Injection
A2 – Cross Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Failure to Restrict URL Access
A8 – Unvalidated Redirects and Forwards (NEW)
A9 – Insecure Cryptographic Storage
A10 - Insufficient Transport Layer Protection
18. LESSONS?
Some things are no different in the cloud than they are in the enterprise.
The bad guys still want to abuse the resources.
It still comes down to data loss.
19. CLOUD SECURITY COMPLEXITY
Many different actors are involved
Complex policy requirements
Simplified procedural operations
Many moving parts
Learning curve for operations & security staff
Traditional security boundaries
20. WHO’S YOUR NEIGHBOR?
The “Process Next Door” may be behaving badly or be under attack.
Unbalanced resource consumption can affect operational availability.
Shared IP space may have a “bad reputation”.
Possible hypervisor level attacks on IaaS platforms.
Re-using IP addresses leads to unintentional DoS.
21. IS IT THE SAME BUILDING?
Very different attack surface compared to traditional infrastructure.
Large attack surface + high profile = high value targets.
Who has access to your data?
Clouds bypass the "physical, logical and personnel controls" IT shops exert over in-house programs*
Lack of visibility into data access by privileged users.
22. GOT A HANDYMAN?
Management tools & development frameworks may not provide all the security features they should or could.
Tool vendors need to keep up to date with cloud providers’ feature enhancements.
Limited security toolsets are available in cloud environments.
Cloud forensics can be challenging.
23. COMPLIANCE POSSIBLE?
Ability to leverage compliance and certifications the cloud provider already has.
Difficult to get feature/policy/procedure changes from the cloud vendor to meet other regulatory requirements or certifications.
Distributed nature of cloud services can add jurisdictional issues to regulatory compliance.
Investigative support & forensics may be difficult to obtain from your cloud provider.
24. WHERE FOR ART THOU?
Increased regulatory complexities of having data stored in multiple legal jurisdictions.
Foreign governments, agencies or corporations may gain access to your data without your knowledge.
Increased data availability & resiliency of having data automatically replicated to multiple sites.
Intra-application communications may unintentionally span multiple locations.
Cloud providers blocking or having their traffic blocked based on geographic location can have a major business impact.
25. ANY CHANCE THAT COMES WITH A WARRANTY?
Long term viability of cloud partners is a critical consideration with PaaS vendors.
Lock-in with IaaS & SaaS vendors may be less of an issue.
Data transfer costs can be the toughest part of vendor lock-in.
As open cloud platforms emerge and the hybrid deployment model gains popularity, standards will ease some of the current lock-in concerns.
26. DOES IT MATTER?
All types of cloud systems can be leveraged for malicious purposes.
IaaS clouds can be used for large scale spam, DoS, or Command & Control functions.
PaaS platforms have already been used as Command & Control for botnets.
Hijacked accounts can be used to stage internal DoS attacks within the cloud provider’s infrastructure.
Defending against cloud based attacks can be extremely difficult.
27. PUBLIC DEPLOYMENT SECURITY ISSUES
Advantages: Anonymizing effect; Large security investments; Pre-certification; Multi-site system & data redundancy; Fault tolerance & excess capacity.
Disadvantages: Collateral damage effect; Data & AAA security requirements; Regulatory Compliance & Certifications; Multi-jurisdiction data store; Known vulnerabilities are global.
28. MONGREL DEPLOYMENT SECURITY ISSUES
Advantages: Externalization of attack surface; Overcomes private cloud scaling limits; Multi-site system & data redundancy; Isolation & segregation of secure data.
Disadvantages: Data transfer/access considerations; Increased architecture complexity; Credential management; Regulatory Compliance & Certifications.
29. COMMUNITY DEPLOYMENT ISSUES
Advantages: Increased redundancy & availability; Shared risk & security costs; Compliance & certification requirements.
Disadvantages: Extremely high level of complexity; Federation requirements; Increased privileged user attacks; Easy targeting of high value systems.
30. IAAS SECURITY ISSUES
Advantages: Increased control of encryption; Minimized privileged user attacks; Ability to use familiar AAA mechanisms; More standardized deployments; Rapid cross vendor redeployment; Full operational control at the VM level.
Disadvantages: Account hijacking; Credential management; API security risks; Lack of role based authorization; Dependence on security of the virtualization platform; Full responsibility for operations.
31. PAAS SECURITY ISSUES
Advantages: Less operational responsibility; Instant multi-site business continuity; Massive scale & resiliency; Simplification of compliance analysis; Built-in framework security features.
Disadvantages: Less operational control than IaaS; Vendor lock-in; Lack of security tools, reporting, etc.; Increased privileged user attack likelihood; Cloud provider’s long term viability.
32. SAAS SECURITY ISSUES
Advantages: Clearly defined access controls; Vendor is responsible for data-center & application security; Predictable scope of account compromise; Integration with internal directory services; Simplified user ACD.
Disadvantages: Inflexible reporting & features; Lack of version control; Inability to layer security controls; Increased vulnerability to privileged user attacks; No control over legal discovery.
33. QUESTIONS?
Yes, I play Farmville, Petville, Fishville, Texas Hold’em, Mafia Wars, Vampire Wars and occasionally Yoville.
34. CONTACT INFO
Ward Spangenberg
wardspan@zynga.com
twitter: @wardspan
Editor's Notes
IaaS includes the entire infrastructure resource stack from the facilities to the hardware platforms that reside in them. Further, IaaS incorporates the capability to abstract resources (or not) as well as deliver physical and logical connectivity to those resources. Ultimately, IaaS provides a set of API’s which allows for management and other forms of interaction with the infrastructure by the consumer of the service.
PaaS sits atop IaaS and adds an additional layer of integration with application development frameworks, middleware capabilities and functions such as database, messaging, and queuing that allows developers to build applications which are coupled to the platform and whose programming languages and tools are supported by the stack.
SaaS in turn is built upon the underlying IaaS and PaaS stacks and provides a self-contained operating environment used to deliver the entire user experience including the content, how it is presented,
Private Clouds are provided by an organization or their designated service provider and offer a single-tenant (dedicated) operating environment with all the benefits and functionality of elasticity and the accountability/utility model of Cloud. The physical infrastructure may be owned by and/or physically located in the organization’s datacenters (on-premise) or that of a designated service provider (off-premise) with an extension of management and security control planes controlled by the organization or designated service provider respectively.
Public Clouds are provided by a designated service provider and may offer either a single-tenant (dedicated) or multi-tenant (shared) operating environment with all the benefits and functionality of elasticity and the accountability/utility model of Cloud. The physical infrastructure is generally owned by and managed by the designated service provider and located within the provider’s datacenters (off-premise.)
Managed Clouds are provided by a designated service provider and may offer either a single-tenant (dedicated) or multi-tenant (shared) operating environment with all the benefits and functionality of elasticity and the accountability/utility model of Cloud. The physical infrastructure is owned by and/or physically located in the organization’s datacenters with an extension of management and security control planes controlled by the designated service provider.
Hybrid Clouds are a combination of public and private cloud offerings that allow for transitive information exchange and possibly application compatibility and portability across disparate Cloud service offerings and providers utilizing standard or proprietary methodologies regardless of ownership or location. This model provides for an extension of management and security control planes
Security concerns have been the top factor cited as delaying cloud adoption for the past several years.
In part this is due to a lack of standards around testing, reporting, SLAs and other standard business agreements that have already been worked out in more mature markets (like hosting).
Another major factor is that the terms used with cloud-computing can have very different meanings based on context and so discussing cloud security can be tricky without laying down some ground work as far as definitions and context.
Public deployments have the advantage of leveraging the service provider’s experience, security budget, process & procedure at a minimal cost to the consumer, however, if a provider doesn’t offer a security feature that is critical to your deployment you’re pretty much out of luck.
Anonymizing effect: Being a small fish in a large ocean makes targeted attacks against your infrastructure very difficult to orchestrate. This is amplified by the transitory nature of IP addressing in most IaaS provider offerings. PaaS & SaaS offerings take this further by providing such massively scaled systems that the cost of producing a successful attack can outweigh the potential benefits.
Collateral Damage: Attacks against the overall cloud provider or against specific systems sharing the same physical infrastructure as yours can lead to collateral damage from attacks not directly targeted at your organization. The “VM Next Door” (same processor, same network segment, etc…) may be a bad actor or the target of one. Cloud providers are high value targets that present a large attack surface on public networks. This, coupled with other items in this list such as the global scope of vulnerabilities, can have a huge impact when doing a risk assessment for public cloud deployments.
Large Security Investments: Public cloud providers have dedicated security teams, battle tested policies and procedures and more advanced security tools than most organizations can afford. This plays into the major economic motivators for public cloud adoption which is leveraging the expertise and budget of the cloud provider.
Data & AAA security: Keeping secure data on a multi-tenant, non-isolated system requires more planning and resources than keeping it in a private data store. You need to work out how & when to encrypt data as well as how to manage access to that data. Managing AAA (Authentication, authorization & accounting) functions can be more challenging in a public cloud deployment. The lack of multi-user role based access controls in most IaaS & PaaS offerings makes managing access to underlying system controls challenging. However, the SOA oriented nature of public cloud services generally means you get a standardized method of accessing, collecting and acting upon AAA data.
Pre-certification: Public cloud providers continue to amass different security certifications as well as guidelines, policies and procedures that can help their clients reach particular certification levels (i.e. Amazon’s SAS-70 datacenter certifications). Public cloud providers will probably also become major players in helping shape new certification requirements going forward (i.e. the development of new cloud based PCI compliance requirements has been announced).
Regulatory Compliance & Certifications: While “pre-certification” is in the advantages column, it is a double edged sword with public cloud providers. If a cloud provider does not have a particular certification you require, or does not provide a report or feature you require to attain a certification or compliance, the likelihood of being able to influence their feature set is minimal.
Multi-site system & data redundancy: The automated sharding and distribution of data and workloads to multiple sites is major benefit of public cloud deployments. The cost and ease with which this is accomplished within public clouds is a major factor favoring their adoption.
Multi-jurisdiction data store: The flip side to automated data replication to multiple geographic sites is that your data will most likely end up in multiple legal jurisdictions, either in whole or in part. You may not even know which jurisdictions your data is in at any time. This can pose serious problems achieving certain regulatory requirements (i.e. EU Data Protection Directive, US Safe Harbour program). Additionally, you may not know when legal actions (i.e. foreign data subpoenas) have been issued against your data. Having data in multiple jurisdictions also has implications for legal data ownership & recovery issues.
Fault tolerance & excess capacity: The automated systems and APIs used by IaaS, PaaS & SaaS providers have allowed for the creation of incredibly fault tolerant systems, from autoscaling instances in EC2 to the total cloaking of the hardware & network layers in AppEngine and SalesForce.com. In terms of excess capacity, public cloud providers allow you to scale to continue providing service in the face of DoS attacks; they also provide amazing resiliency and RESTORATION OF SERVICES following an attack or other security incident.
Known vulnerabilities are global: This relates back to the “Collateral Damage” item in that once a vulnerability in your public cloud provider’s infrastructure is discovered, it will generally affect all accounts. We have already seen this with several SaaS providers such as Google Apps.
Externalization of attack surface: By placing the public side of your application in a public cloud, you can deflect attacks from your corporate environment to the cloud provider, who may be better suited to dealing with them or mitigating them.
Data Transfer & Access Considerations: Thought has to be given to how data is transferred into and out of the public cloud. What are the security requirements? If you have access controls in place internally, how do you extend those AAA functions to the public cloud?
Private cloud scaling limits: Hybrid scenarios offer the promise of allowing private clouds to “spill-over” excess compute requirements into a public cloud as required. In reality these types of hybrid systems are very difficult to implement today, however temporarily moving certain workloads between private clouds and public clouds for special events can provide enormous ROI.
Increased architectural complexity: Marshalling and managing separate AAA systems, data transfers and application communications between private infrastructure and public clouds can be tricky and requires lots of planning.
Multi-site system & data redundancy: Hybrid solutions also promise to allow corporations to quickly implement disaster recovery and business continuity plans. The costs associated with having a hot or warm standby secondary site are more complicated than in a pure public cloud deployment, yet considerably more cost effective than with a private cloud deployment.
Credential Management: Managing access to the public cloud APIs as well as managing inbound traffic from application components hosted in a public cloud can be daunting. Can you validate that inbound messages to your private cloud actually originate from your own systems in the public cloud?
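One concrete answer to the question above (validating that a message arriving at the private cloud really came from your own public-cloud component) is to have the sender tag each message with an HMAC under a shared secret, and have the receiver check the tag, the freshness of the timestamp, and whether it has seen the tag before. The following is an added example written for this page, not code from the slides or from Zynga; the secret value, the envelope layout (`ts`, `body`, `mac`), the 300-second freshness window and the `sign_message`/`verify_message` names are all constructed assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Set, Tuple

# Constructed example secret. In a real deployment it is provisioned to both the
# public-cloud component and the private-cloud receiver out of band (a secrets
# store, not the VM image) and rotated independently of the cloud account credentials.
SHARED_SECRET = b"example-shared-secret-for-illustration-only"

# Messages older than this are rejected even when the tag is valid.
MAX_SKEW_SECONDS = 300


def _canonical(ts: int, body: str) -> bytes:
    # The timestamp is bound into the signed string so it cannot be altered in transit.
    return f"{ts}.{body}".encode("utf-8")


def sign_message(payload: dict, secret: bytes, now: Optional[float] = None) -> dict:
    """Public-cloud side: serialise the payload deterministically, stamp it,
    and tag it with HMAC-SHA256."""
    ts = int(now if now is not None else time.time())
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(secret, _canonical(ts, body), hashlib.sha256).hexdigest()
    return {"ts": ts, "body": body, "mac": tag}


def verify_message(envelope: dict, secret: bytes, seen_tags: Set[str],
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Private-cloud side: returns (accepted, reason).

    Order of checks: authenticate first (constant-time compare), then freshness,
    then replay. `seen_tags` is the receiver's memory of tags accepted inside the
    freshness window; entries older than MAX_SKEW_SECONDS can be pruned.
    """
    current = now if now is not None else time.time()
    try:
        ts = int(envelope["ts"])
        body = str(envelope["body"])
        tag = str(envelope["mac"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed envelope"

    expected = hmac.new(secret, _canonical(ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad mac"
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    if tag in seen_tags:
        return False, "replay"
    seen_tags.add(tag)
    return True, "ok"


if __name__ == "__main__":
    accepted: Set[str] = set()
    env = sign_message({"op": "inventory-sync", "rows": 3}, SHARED_SECRET)
    print(verify_message(env, SHARED_SECRET, accepted))   # (True, 'ok')
    print(verify_message(env, SHARED_SECRET, accepted))   # (False, 'replay')
```

The tag is checked before the timestamp so that an unauthenticated sender learns nothing about the receiver's clock window, and `hmac.compare_digest` avoids leaking the position of the first mismatching byte. The shared secret is separate from the cloud account's API credentials on purpose: a hijacked console account should not automatically let an attacker forge traffic into the private side.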
Isolation & segregation: Hybrid cloud deployments allow corporations to maintain control over the isolation and segregation of their most sensitive data while still providing many of the benefits inherent in a public cloud.
Regulatory compliance: This can be trickiest in the hybrid model as requirements may span both your corporate systems and those of your cloud provider partners. More on regulatory compliance below.
Redundancy & Availability: By partnering with organizations that share similar requirements, goals & data, organizations can build clouds that provide many of the redundancy aspects offered by public clouds yet make sure that the overall security posture and feature set meets their needs.
Complexity: More organizations = more complexity. Negotiations on requirements can be a major stumbling block.
Shared risk & security costs: By pooling security resources among several organizations, community clouds are able to offer security features and services that a single organization might not be able to afford.
Federation requirements: Mapping role based access controls to users and interconnecting disparate corporate directory service and AAA systems can be extremely time consuming, but can add a level of flexibility for security arrangements between partners that is unavailable in other cloud models.
Compliance requirements: Members of a community cloud deployment can ensure that “their cloud” meets their particular regulatory and certification requirements, i.e. HIPAA, SOX, PCI-DSS, etc.
Increased privileged user attacks: Depending on the cloud and application architecture, many more people may have direct access to your organization’s data in a community cloud model. This leads to the increased possibility of privileged user attacks.
Easy targeting: Community clouds can be a treasure trove for malicious actors looking for specific information. You cannot hide behind the anonymity of public clouds to avoid targeted attacks against your organization or data “types”.
Increased control of encryption: IaaS is the only cloud model that allows you to fully dictate when and how data gets encrypted before being committed to persistent storage.
Account hijacking: Hijacking of cloud account credentials can place the “keys to the kingdom” in an attacker’s hands. Given the low levels of security generally required for exercising cloud account privileges, this can be a major issue. Also, changing cloud account credentials in an IaaS model can be more difficult than with other models.
Minimized privileged user attacks: Due to the increased low level controls compared to other cloud service models, IaaS provides the least vulnerability to privileged user attacks.
Ability to use familiar AAA mechanisms: Since IaaS clouds are providing familiar VMs, you can leverage your existing knowledge of how to secure and manage them.
API security risks: Think about a private enterprise datacenter and all the layers of security you would need to traverse to shut down a system from a remote location (2 factor VPN authentication, bastion host login, corporate directory credential authorization, ssh authentication, sudo restrictions, etc…). NOW, think about what it takes to remotely shut down a system on EC2 or in Azure. A simple API call from any internet enabled device.
More standardized deployments: IaaS provider best practices and methodologies force, guide and cajole system engineers to rely on automated deployment systems. This leads to a much more standardized deployment and change management process.
Lack of role based authorization: Many IaaS providers still do not provide mechanisms for restricting which systems different operations staff can access or control via API in a granular manner.
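The two notes above (a single API call suffices for a destructive operation, and operations staff often cannot be restricted to particular systems) describe the same gap the AAA note raised earlier: granular, role based authorization in front of the cloud API. The following added example, written for this page and not taken from the slides or from any provider's policy language, shows the shape of the control a consumer would put in front of such calls: deny by default, explicit deny overriding allow, a second factor required for destructive actions, and an audit record for every decision. The policy format, role names, action names (`instance:*`), resource paths and the `authorize` function are all constructed assumptions.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed, hypothetical policy format for illustration only. Each role maps to
# ordered statements over glob patterns for actions and resources.
POLICIES: Dict[str, List[dict]] = {
    "web-ops": [
        {"effect": "allow",
         "actions": ["instance:describe", "instance:reboot"],
         "resources": ["instance/web-*"]},
    ],
    "db-ops": [
        {"effect": "allow", "actions": ["instance:*"], "resources": ["instance/db-*"]},
        # An explicit deny narrows the allow above: nobody in db-ops terminates
        # production databases through the API, whatever else they may do.
        {"effect": "deny", "actions": ["instance:terminate"],
         "resources": ["instance/db-prod-*"]},
    ],
}

# Actions that halt or destroy a system require a second factor, mirroring the
# layered checks the note describes for an on-premise shutdown.
DESTRUCTIVE_ACTIONS = {"instance:stop", "instance:terminate"}

# Accounting: every decision is recorded so privileged-user activity is reviewable.
AUDIT_LOG: List[dict] = []


def _matches(patterns: List[str], value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def authorize(role: str, action: str, resource: str, mfa_present: bool = False,
              policies: Dict[str, List[dict]] = POLICIES) -> Tuple[bool, str]:
    """Decide whether `role` may perform `action` on `resource`.

    Deny by default; an explicit deny overrides any allow; destructive actions
    additionally require MFA. Returns (allowed, reason) and appends an audit record.
    """
    allowed, reason = False, "no matching allow"
    if action in DESTRUCTIVE_ACTIONS and not mfa_present:
        reason = "mfa required"
    else:
        for stmt in policies.get(role, []):
            if _matches(stmt["actions"], action) and _matches(stmt["resources"], resource):
                if stmt["effect"] == "deny":
                    allowed, reason = False, "explicit deny"
                    break
                allowed, reason = True, "allowed"
    AUDIT_LOG.append({"role": role, "action": action, "resource": resource,
                      "mfa": mfa_present, "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    # Constructed sample requests: the kind of calls an operations engineer makes.
    for req in [("web-ops", "instance:reboot", "instance/web-01", False),
                ("web-ops", "instance:reboot", "instance/db-01", False),
                ("db-ops", "instance:terminate", "instance/db-prod-1", True),
                ("db-ops", "instance:terminate", "instance/db-staging-1", False)]:
        print(req, "->", authorize(*req))
    print(len(AUDIT_LOG), "decisions logged")
```

The denied entries in `AUDIT_LOG` are the interesting ones for detection: a burst of "no matching allow" or "mfa required" outcomes from one role is the signal that an account is being driven by someone other than its owner, which is exactly the hijacking case the notes warn about.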
Rapid cross vendor redeployment: Again, due to the fact that IaaS clouds are providing well-known OS VMs, moving functionality between cloud providers is relatively easy (barring data transfer costs).
Dependence on security of the virtualization platform: IaaS vendors rely on the security features of the hypervisor or virtualization software to provide security controls. Vulnerabilities in these cloud building blocks can impact all cloud provider customers.
Full operational control at the VM level: Your organization maintains full control over your systems from the VM level upwards.
Full responsibility for operations: Even though you have no control over the physical infrastructure or the network, your IT team is still responsible for the security and operations of your production systems. If a PaaS or SaaS provider has an outage you can’t be held responsible; if an IaaS provider has an outage, it was up to you to plan for that eventuality.