hp labs g-cloud a secure cloud infrastructure - tt · hp labs g-cloud a secure cloud infrastructure...
TRANSCRIPT
CLOUD COMPUTING SECURITY
HP Labs G-CloudA Secure Cloud Infrastructure
Frederic Gittler
Cloud and Security Laboratory, HP Labs
©2009 HP Confidential22© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Covering…– A few words about HP Labs– An outline of Cloud Computing
• Business drivers, Goals, etc.
– Cloud Security- Stakeholders and their issues- Routes of attack- Properties required
– Secure services- Control over security properties
– Infrastructure design- Virtual machines, networks and storage- Sensors and monitoring
©2009 HP Confidential33© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
HP LABS AROUND THE WORLD– Global talent, local innovation
EMEA• 10 university collaborations in EMEA• 4 EU FP7 consortia, UK Tech Strategy
Board awards• UK CASE PhD support
APJ• 7 university collaborations in
the Asia-Pacific Region• A*STAR and EDB support,
Singapore
PALO ALTO
HAIFA
BRISTOL
BEIJING
BANGALORE
SINGAPORE
ST. PETERSBURG
AMERICAS• 46 university collaborations in the Americas• Guadalajara Advanced Prototyping Center $1M• 29 projects with HP Brazil R&D• DARPA, DOE, US Army, MPO external funding• NSF Post-Docs support $1M• UC Discovery awards
©2009 HP Confidential44© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
HP LABS RESEARCH AREAS– Innovation at every touchpoint of information
InformationAnalytics
Mobile &ImmersiveExperience
Printing& Content
DeliveryService & Solutions
Networking & Communications
IntelligentInfrastructure
Cloud &Security
Sustainability
©2009 HP Confidential55© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
A long history1998
2001
20032004
2005
2009
2010
2011
2012
OpenCall2000 Cells
Proposal
The Painter
SE3D
1999 2000
2002
2006
2007
2008
Service Sensors
G-Cloud Demo
Williams F1Sanger
DreamWorks
Cells v1
SmartFrog
19971996
Data Sharing
©2009 HP Confidential66© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Cloud Services
IT delivered as a logical service, available on demand, charged by usage
Logical Service: details of delivery hidden
On Demand: scales up and down immediately and seamlessly
Charged by Usage: metering and billing of services, pay for what you use
Cloud computing is computation offered as a service
©2009 HP Confidential77© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Cloud computing Concepts
– Multi-tenancy• Shared service infrastructure, running simultaneous collocated workloads, for multiple customers
• Dynamic sharing for flexibility and utilisation efficiency
– Cloud-scale infrastructure• Commodity scale-out hardware• Targeting extreme economies of scale
– Ubiquitous access• Using portable client devices• Any where, any time
©2009 HP Confidential88© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Cloud Computing benefits– Cost management
• Benefit from economies of scale• Avoids cost of over-provisioning• Reduction in up-front capital investment, switch to expense more in line with business needs
– Risk reduction• Someone else worries about running the data-centre, protecting your data, and providing disaster recovery
• Reduces risk of under-provisioning
– Flexibility• Add/remove services on demand• Scale up and down as needed – rapidly
– Ubiquity• Access from any place, any device, any time
©2009 HP Confidential99© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Barriers to adoption
– Security, Regulatory, Data locality concerns
– Concerns about lock-in, lack of multi-vendor options
– Challenge of migrating from in-house (or outsourced) apps
– Trust in the service vendors• Service levels• Stability• Geographic presence
– Vested Interests
©2009 HP Confidential1010© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
The Cloud
Roles in the Cloud
©2009 HP Confidential1111© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
community
public
private
private
©2009 HP Confidential1212© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
InfrastructureProvider
Roles in the Cloud
install andadminister
community
private
publicprivate
©2009 HP Confidential1313© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
InfrastructureProvider
App StoreServiceDeveloper
community
private
publicprivate
©2009 HP Confidential1414© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the CloudServiceProvider
InfrastructureProvider
App StoreServiceDeveloper
community
private
publicprivate
©2009 HP Confidential1515© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the CloudServiceProvider
InfrastructureProvider
App Store
procure
ServiceDeveloper
community
private
publicprivate
©2009 HP Confidential1616© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the CloudServiceProvider
InfrastructureProvider
App Store
procure
ServiceDeveloper
community
private
publicprivate
©2009 HP Confidential1717© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the CloudServiceProvider
InfrastructureProvider
App Store administer
ServiceDeveloper
community
private
publicprivate
©2009 HP Confidential1818© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
service
ServiceProvider
InfrastructureProvider
App StoreServiceDeveloper
community
private
publicprivatecomposed
©2009 HP Confidential1919© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
community
private
publicprivate
Roles in the CloudServiceProvider
InfrastructureProvider
App StoreServiceDeveloper
multi-tenanted
©2009 HP Confidential2020© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
service
ServiceProvider
ServiceUsers
InfrastructureProvider
App StoreServiceDeveloper
community
private
publicprivate
©2009 HP Confidential2121© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Roles in the Cloud
service
ServiceProvider
ServiceUsers
InfrastructureProvider
App StoreServiceDeveloper
community
private
publicprivate
Cyber-Criminal
Social Attack
Engineered Attack
©2009 HP Confidential2222© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
©2009 HP Confidential2323© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
a Cell is a container for a service - including all its virtualized infrastructure
©2009 HP Confidential2424© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
©2009 HP Confidential2525© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
spec
©2009 HP Confidential2626© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
©2009 HP Confidential2727© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
©2009 HP Confidential2828© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
routing and firewall rules
external internet
©2009 HP Confidential2929© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
spec
©2009 HP Confidential3030© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
©2009 HP Confidential3131© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
©2009 HP Confidential3232© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
bipartite agreement
©2009 HP Confidential3333© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Model-Based
– Describe “desired” end-point• Can freely update the description of the end-point
– Allow the system to create it• Asynchronous convergence for scale and performance
– Errors and status reported relative to model• Provides uniformity of mechanism
©2009 HP Confidential3434© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Model-Based: Why
– Declarative• Enables analysis and tool support
• Cross-model properties and policies
• Basis for compliance and transparent management
• Enables different principals to sign different parts of the model, independent of right of model submission, and mapping into enterprise IT roles
• Enables IT best practice
– Inherently idempotent• Hugely simplifies interaction model, improves security
– Enables back-end asynchrony and parallelism for scale and performance
– Template descriptions of services • Simplifies service packaging
• Ease of integration with a Cloud Marketplace
– Easy to map transactional interfaces to model-based; hard to do the other way around and maintain the advantages
©2009 HP Confidential3535© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Infrastructure Models
vnet
VM
VVolVVol
vnet
VM
VM
VVolVVol
VVol
cell
Topology managed by grantsCommunication managed by rules
HTTP Only
©2009 HP Confidential3636© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Future Modelling
– Currently we provide explicit description of topology and some security properties
– However, this is but the start….• Support for loose models and constraints− Models that are configured according to user or business-level concepts
• Order-dependencies − Declarative description of state transitions and dependencies on the state
• Specification of QoS policies− linked through sensor framework, constraints and dependencies, to create auto-flexing models
• Specification of service high-availability policies− Automatically mapped into placement and recovery decisions
− Federation properties
• Specification of additional security policies− Guiding placement and other aspects such as providing “security probes”
− Semantic controls over data sharing
©2009 HP Confidential3737© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Infrastructure Virtualization
– To build the isolation, we need virtualized environments
– Virtualization introduces security issues• But there are ways around it, for example placement algorithms can keep sensitive workloads apart from each other
– Virtualization enables new security and isolation techniques• sitting “below” the virtual machine allows a range of control points, sensors and mitigations that are impossible in a physical world
– Indeed virtualization can be seen as the KEY to producing secure multi-tenanted systems
©2009 HP Confidential3838© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Infrastructure Integrity
– We must protect the cloud at all costs
– Threats come from• Services run upon it
• Direct attacks from outside
• Internal administrators
– We must understand these threats, and the paths that they may use to undermine the cloud
– We must provide a number of engineering solutions to deal with the threats• Minimize attack surface, defence in depth
• Provide a framework for countermeasures• Sensors to detect attacks, both attempts and successes• Mitigations to remove attempted and successful attacks• Diagnosing attacks by turning sensor data into diagnoses
©2009 HP Confidential3939© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Threats
identification
detection
preventionmitigation
©2009 HP Confidential4040© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Service
Core
©2009 HP Confidential4141© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Service
server and storage nodes
supporting services
utility controllers
©2009 HP Confidential4242© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Service
server and storage nodes
supporting services
utility controllersVMs(trusted
virtualization)
VNets(diverter,
rules)VVols(CoWs, caching)
©2009 HP Confidential4343© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Service
server and storage nodes
supporting services
utility controllersVMs(KVM)
VNets(diverter,
rules)VVols(CoWs, caching)
system orchestration
©2009 HP Confidential4444© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Virtual Networking
– Goals• Support full layer-3 unicast, multicast and broadcast packets• Create the illusion of subnets and routing• Provide all the inter-VM and subnet routing policies• Strong and secure separation
VM
VM
Single shared physical network
©2009 HP Confidential4545© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Virtual Storage
Origin image
COW volume BCOW volume A
CopyA CopyB
Storage area networkLVM+
CopyA
LVM+
CopyB
RO
RW RW
VMVM
©2009 HP Confidential4646© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Virtualization Security: Threat
– The main requirement is that the core virtualization technology is secure
– What happens if a VM successfully breaks out of its container and takes over the host?
Hypervisor
Dom 0
Physical host
Dom U
©2009 HP Confidential4747© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Virtualization Security: Prevention
– Use trusted virtualization technologies to minimize risk of attack and reduce impact
– Subdivide the Hypervisor and DOM0 into smaller, simpler, more secure parts and limiting the impact of success
Hypervisor
Physical host
Dom U
©2009 HP Confidential4848© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Virtualization Security: Host Compromise
– Provide host peer-peer detection of dom0 “misbehaviour”
Hypervisor
Dom 0
Physical host
Dom U
??
©2009 HP Confidential4949© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Sensors
Aim to detect:
– Illegal Actions• System components detecting or initiating abnormal activity with other system components: this is either a bug or a
successful attack and needs immediate attention
• Attempts of user VMs to communicate with disallowed targets
– Abnormal behaviour• Sudden changes in profiles of IO or CPU usage
• Requests for VMs or other resources beyond reasonable or specified limits
• Excessive churn in topology
• Sudden widening of network rules
Sensors are implemented everywhere
©2009 HP Confidential5050© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Sensors: System
Dom 0 Dom 0 Dom 0 Dom 0 Dom 0 Dom 0 Dom 0 Dom 0 Dom 0
System
VM
System components can verify requests for
“reasonableness”
System components inter-communicate in
limited waysSystem
VMSystem
VMSystem VMs
©2009 HP Confidential5151© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Enforcing and Sensing: IO
Hypervisor
Dom U
Storage IO
Network IO
Enforcement Points and I/O Sensors, e.g.•dropped or illegal packets •writes to protected areas
Includes checks on System VMs
©2009 HP Confidential5252© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Service Integrity
– A virused or malicious service is not strictly a threat to the integrity of the whole cloud, however...
– We must prevent (where possible) attacks on another services by providing robust isolation and detection of attack attempts
– We must detect when an attack succeeds by• monitoring from outside of the service
• spotting abnormalities in behaviour
• forensic examination of service VMs
– We must be able to mitigate when an attack is detected• Shutting down, restarting or freezing VMs or services
©2009 HP Confidential5353© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Service Sensors
– We want to allow service writers to be able to create sensors that monitor their own services• run outside of the service, looking in, and undetectable to it• service owners have a better view of the service semantics• can be offered by 3rd party monitoring specialists (NSA for USG)• that do not have any privileged access to core system capability
– Virtualization gives control over what one compartment can do or see with another compartment.
– We can use the fact that one virtual machine can (given permission) • look into the memory space of another.• Interpose itself into an IO path of another.
©2009 HP Confidential5454© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Sensor VMs
Hypervisor
Dom 0 ServiceSensor
inspection ofVM memory
• Invisible to the service VM
• Viruses and root-kits cannot hide by altering OS or disabling virus checkers
• Enabled by an API in the hypervisor
• Needs care to ensure that it doesn’t become another vector for attack!
©2009 HP Confidential5555© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Sensor VMs
– Deployable by the service provider, infrastructure provider or trusted 3rd party
Hypervisor
Dom 0 ServiceSensor
inspection ofVM IO
©2009 HP Confidential5656© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Sensor VM properties
– We can look for evidence of the use of different “virus components”
– We do not look only for specific attacks
– We gain evidence to suggest the existence of malware.
– It’s hard to detect the presence of the sensors.
– It’s impossible to hide the code or IO from the sensors
– We can see if the OS tables have been manipulated
– We can see into disc and network buffers
– We can sit in the IO path and carry out specific deep inspection
©2009 HP Confidential5757© Copyright 2010-2012 Hewlett-Packard Development Company, L.P.
Our Demonstrator