Cloudy, With A Chance of Rain… or, A Walk In The Clouds or, Hey (hey), You (you), Get Off Of My Cloud

Arthur Lessard, Chief of Information Security, Mattel, Inc.

31 pages

Post on 23-Sep-2020

7 views

Category:

Documents


0 download

TRANSCRIPT

Page 1:

Cloudy, With A Chance of Rain…
or, A Walk In The Clouds
or, Hey (hey), You (you), Get Off Of My Cloud

Arthur Lessard
Chief of Information Security
Mattel, Inc.

Page 2:

Agenda
• What is “cloud computing”?
• Legal issues
• Technical issues

Page 3:

Disclaimers
#1 - IANAL!
#2 - I do not currently use cloud computing resources, but have no bias for or against.

Page 4:

Disclosure
Much of my legal information comes from The Electronic Frontier Foundation (www.eff.org), with special thanks to Jennifer Granick, Dir. of Civil Liberties, and to attorneys who shall remain nameless…

Technical information comes from iSEC Partners’ Black Hat presentation on SaaS/PaaS/IaaS concerns.

Page 5:

So… what is “cloud computing”?

“…am I the only one who has an urge to punch myself in the neck whenever I hear about ‘the cloud’?”

Arshan Dabirsiaghi, commenter at “Jeremiah’s Blog”

No.

Page 6:

F5 Computing ran a survey in summer ’09, involving 250 companies of 2.5K employees or more, presenting them with different definitions of “cloud computing”, and discovered…

…two-thirds or more didn’t believe any of the definitions were accurate and could not define what cloud computing is…

…and 99% of respondents are currently using or plan to use cloud computing in the near future.

“I’ll know it when I see it…”

Page 7:

The definition that most resonated with survey takers?

“Cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the cloud.” (35%)

Problem: I have no idea how to secure that…

Page 8:

What isn’t cloud computing
• Virtualization/VMWare
• Remote backups or DR
• Pure hosting
• Most things called “cloud computing”…

Page 9:

Cloud computing implies…
• Lots of general-use hosts
• Centralized management
• Distributed storage
• Distributed applications moving from system to system
• Easy provisioning
• Redundancy

Axiom: “Leveraging true cloud computing” == “Rewriting your application”…

Page 10:

So what does “Cloud Computing Security” mean?
Assumption: Cloud Computing == SaaS

• Everything must go…
  Data is on remote disks
  Applications run on remote servers
  Your interface is whatever the vendor gives you

• Vendors include:
  Google Apps (GA)
  Office Live (OL)
  Salesforce (SF)

Page 11:

What controls shift to the vendor?

• Perimeter defenses (physical and logical)
• Authentication
• Fine-grained authorization
• Visibility into real-time incidents
• User provisioning?
• Auditing and logging?

Page 12:

Visibility concerns
Current SaaS vendors don’t provide a deep level of logging/auditing:
• User logins (GA/OL: no; SF: yes)
• Administrative actions (GA/OL: no; SF: yes)
• Data writes (GA/OL/SF: yes)
• Data reads (GA/OL/SF: no)

Without read logging you cannot reconstruct what a compromised account actually looked at or exfiltrated, only what it changed.

Page 13:

Authentication concerns
Customers are limited to what the vendor offers:
• Account “quality” suffers…
• Self-registration can have holes…
• Most are based strictly on username/password…
• Most offer no realtime login anomaly detection

Some vendors offer customer authentication; e.g. Google offers SAML integration, which lets the customer bring its own:
• Alternative authentication (e.g. 2-factor)
• Local password policies
• Anomaly detection

Page 14:

Technical concerns: Infrastructure

Cloud computing implies loss of control of the platform
• What are they running? VMWare? Home-grown?
• What flaws have been introduced by the new infrastructure/platform?
• What flaws have been introduced by their tools/administration/network segmentation?

Page 15:

Technical concerns: OS

Operating systems like Windows aren’t built to be easily “cloned”
• Are private keys, GUIDs, salts unique in your instance?
• OSes often rely on hardware for non-deterministic functions
  e.g. pseudo-random number generation becomes more predictable if I know the approximate OS boot time
  OSes gain “randomness” from keyboard, mouse, IRQs, etc… all of which can become static in the cloud

Page 16:

Possible PRNG attack vector

Presented by iSEC at Black Hat ’09
1. Fingerprint remote cloud victim to determine likely image
2. Pull down image
3. Grab image’s random seed
4. Run image multiple times to get IRQ/disk timings
5. Use PRNG simulator with
   Estimated initial RTC
   Likely IRQ/disk deltas
6. Simulate ssh-keygen. Test against fingerprint.
7. If fail, repeat from step 6
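The OS concern on the previous slide and the seven-step attack above can be put together in a small simulation. This is an added example, not iSEC’s tooling and not code from the presentation: the boot-time seeding model, the stand-in for ssh-keygen and the fingerprint, and every timing number are assumptions constructed for illustration. What it shows is why steps 5–7 are feasible at all: when a cloned image seeds its PRNG only from the real-time clock and a handful of interrupt/disk deltas, the attacker’s search space is a few thousand seeds, and the same search fails once real hardware entropy is mixed in.

```python
# Toy reconstruction of the cloned-image PRNG attack (added example; not
# iSEC's code or the presentation's).  The OS seeding model, the
# "ssh-keygen" stand-in and all timing numbers are assumptions.
import hashlib
import os
import random
from itertools import product


def boot_prng_seed(rtc_boot_time: int, irq_deltas, hw_entropy: bytes = b"") -> int:
    """Model of an OS seeding its PRNG at boot from the real-time clock plus a
    few interrupt/disk timing deltas.  In a cloned image with no keyboard,
    mouse or disk jitter these are the only inputs, so the seed space is small.
    hw_entropy models a hardware/hypervisor entropy source mixed in (the fix)."""
    h = hashlib.sha256()
    h.update(rtc_boot_time.to_bytes(8, "big"))
    for d in irq_deltas:
        h.update(int(d).to_bytes(4, "big"))
    h.update(hw_entropy)
    return int.from_bytes(h.digest()[:8], "big")


def keygen(seed: int) -> bytes:
    """Stand-in for ssh-keygen: a 256-bit 'private key' drawn from the PRNG."""
    rng = random.Random(seed)
    return rng.getrandbits(256).to_bytes(32, "big")


def fingerprint(priv: bytes) -> str:
    """Stand-in for the public-key fingerprint the attacker observes remotely
    (step 1); it is derived from the key and reveals nothing by itself."""
    return hashlib.sha256(b"pub:" + priv).hexdigest()[:16]


def victim_boot(rtc_boot_time: int, irq_deltas, hw_entropy: bytes = b""):
    """The cloud instance booting from the shared image and generating its
    host key.  Returns (private key, fingerprint)."""
    priv = keygen(boot_prng_seed(rtc_boot_time, irq_deltas, hw_entropy))
    return priv, fingerprint(priv)


def recover_key(target_fp: str, rtc_estimate: int, rtc_window: int,
                delta_candidates, n_deltas: int):
    """Steps 5-7: drive the PRNG simulator with every candidate boot time in
    [estimate - window, estimate + window] and every combination of the
    IRQ/disk deltas seen while re-running the image (step 4), re-run 'keygen'
    and compare with the victim's fingerprint.  Returns
    (private key, boot time, deltas) on a match, None otherwise."""
    for rtc in range(rtc_estimate - rtc_window, rtc_estimate + rtc_window + 1):
        for deltas in product(delta_candidates, repeat=n_deltas):
            priv = keygen(boot_prng_seed(rtc, deltas))
            if fingerprint(priv) == target_fp:
                return priv, rtc, deltas
    return None


# Constructed scenario (assumed numbers, not measurements): the victim booted
# at VICTIM_RTC and saw three timing deltas; the attacker's clock estimate is
# off by a couple of minutes, and repeated runs of the pulled-down image show
# each delta clustering around a few values.
VICTIM_RTC = 1254000000
VICTIM_DELTAS = (12, 7, 12)
ATTACKER_RTC_ESTIMATE = VICTIM_RTC + 137
RTC_WINDOW = 300                  # +/- 5 minutes of boot-time uncertainty
OBSERVED_DELTAS = (7, 12, 15)     # per-event delta candidates from step 4


def demo_cloned_image():
    """Static entropy: (2*300+1) * 3**3 = 16,227 candidate seeds; the key falls out.
    Returns (recovery result, the victim's real private key)."""
    priv, fp = victim_boot(VICTIM_RTC, VICTIM_DELTAS)
    found = recover_key(fp, ATTACKER_RTC_ESTIMATE, RTC_WINDOW,
                        OBSERVED_DELTAS, len(VICTIM_DELTAS))
    return found, priv


def demo_hardware_entropy():
    """Same search against an instance that mixed 32 bytes of real entropy
    into its seed at first boot: the enumeration finds nothing."""
    _, fp = victim_boot(VICTIM_RTC, VICTIM_DELTAS, hw_entropy=os.urandom(32))
    return recover_key(fp, ATTACKER_RTC_ESTIMATE, RTC_WINDOW,
                       OBSERVED_DELTAS, len(VICTIM_DELTAS))


if __name__ == "__main__":
    found, priv = demo_cloned_image()
    print("cloned image, static entropy: key recovered =",
          found is not None and found[0] == priv)
    print("with hardware entropy mixed in: key recovered =",
          demo_hardware_entropy() is not None)
```

The practical takeaway for an image you publish or consume: anything generated at first boot from a clone (host keys, salts, GUIDs) must be regenerated after the instance has collected fresh entropy that the image does not share, which is exactly the `hw_entropy` input the second demo adds.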

Page 17:

Legal concerns…

…and once again, IANAL…

Page 18:

Legal issues: Search and Seizure
“The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized…”

…but the Founding Fathers didn’t specify hard drives, remote data centers or Cloud Computing…

Page 19:

Where is your data?
The biggest issue seems to be the fact that, with hosting or cloud computing, your data no longer is on “your person”

“Storing data yourself, on your own computers – without relying on the cloud – is the most legally secure way to handle your private information, generally requiring a warrant and prior notice. The Government asserts it can subpoena your data from cloud computing providers, with no prior notice to you.”

- Granick and Opsahl, EFF

Page 20:

So what is the issue?

In a “regular” hosting arrangement, your data sits on individual computers/storage systems
• …still have concerns regarding seizure, but the situation is much clearer and you have control over how to answer requests

In a “Cloud Computing” environment, the entire point of the arrangement is that you don’t have control of where your data is stored…
• Data can be mixed on a drive with others’

Page 21:

Legal issues: Criminal cases
The closest thing that comes to protecting you is the Electronic Communication Statute
• Designed to define rules regarding S&S for telecommunication/ISP companies
• May or may not apply to private hosting providers…hasn’t been tested (much) in court
• If a vendor is deemed not to be covered by the statute, NO RULES covering S&S

Page 22:

Electronic Communication Statute
Separates data kept by vendors into levels of protection
• Least protected: client information, including name, physical address, etc.
• Next: Transaction data (e.g. e-mail), including to/from/dates/times/IP address
• Most protected: Actual content, including files

Caveat: If data is “opened”, or older than 180 days, the protection level drops…

Page 23:

Protections provided
Protection levels define what the government needs to gain access…

• Least protected: Simple subpoena…which may not get to you (e.g. handled by ISP)
• Most protected: Requires a warrant, specific and articulated facts, probable cause, etc.

Page 24:

So what do we lose?
Government serves subpoenas and warrants on the site at which the data exists
• So the hosting/cloud facility is getting the request
• How will they respond? Depends a lot on their understanding of legalities and niceties of the law…and appetite for a fight with the government…

Page 25:

Legal S&S recap
• In-house storage of data requires government to get a search warrant; remote storage of data reduces your ability to respond to subpoenas
• Government asserts right to go directly to vendors, bypassing you
• Government asserts right to subpoena vendors without prior notice to you
• You (possibly) lose the ability to fight seizure a priori, quash subpoena, ask for judicial review of warrants, etc…

Page 26:

Civil Litigation

Only content is protected by the statute…
• For data kept in-house, access is usually obtained by plaintiffs through discovery process
• For remote storage, litigants can request anything up to the content without going through discovery
• Provides an “end-run” of the discovery process

Page 27:

Civil Litigation cont’d
As an example, civil litigant can request data from a cloud vendor to “validate discovery”
• Can request information from the vendor to “supplement” discovery process
• Can quickly turn into a fishing expedition, requesting transaction records, customer information, etc.
• Hasn’t been seen against bigger companies yet, but has been used in smaller cases; e.g. lawsuit against housing development – litigant was able to examine ISP’s records to look for “comments critical against the housing development project.”

Page 28:

Google response
“Google complies with valid legal process. Google requests that all third-party legal process be directed at the customer, not at Google, and we provide our customers with the tools and/or data required to respond to process directly. If Google directly receives legal process concerning customer or end-user data, it is Google policy to inform the customer of said process, unless legally prevented from doing so. We are committed to protecting user privacy when faced with law enforcement requests. We have a track record of advocating on behalf of user privacy in the face of such requests (including U.S. Dept. of Justice subpoenas). We scrutinize requests carefully to ensure that they adhere to both the letter and the spirit of the law before complying.”

Page 29:

Legal: Other concerns

Liability
Standard EULAs are minimal; very little regarding
• Breach notification
• Loss (or seizure) of data
• Business interruption

Self scanning
• Ability to scan your own site is usually specifically not allowed (may breach EULA), but is negotiable (e.g. GA, SF allow app-level pentesting)

Page 30:

Summary
• Lots of people love the idea of Cloud Computing, even though they may not know what it is
• CC (and even hosting) provides dramatic challenges to security
• CC provides real barriers for security folks around authentication, auditing and OS issues
• CC should give your Legal department the “heebie jeebies”

Page 31:

Questions?

Arthur Lessard
Chief of Information Security
Mattel, Inc.