It ain’t all fluffy and blue sky out there!
assets.en.oreilly.com/1/event/48/cloud security_ it...
TRANSCRIPT
Who’s this guy?
Ward Spangenberg, Director of Security Operations, Zynga Game Network
No - I won’t whack the Petville boss who just broke into your cafe and made away with all your “grave dirt” riding a “luv-ewe”.
Founding Member of the Cloud Security Alliance
What’s he going to talk about?
Definitions: Same starting point for everyone.
Security: What does that even mean?
Compliance: Did he just say compliance and cloud in the same sentence?
Privacy: All your cloud belong to us.
Stuff: quips, stories, advice, and hopefully some laughter.
Definition of Cloud Computing
Cloud computing describes a system where users can connect to a vast network of computing resources, data and servers that reside somewhere “cloudy,” usually on the Internet, rather than locally or in the data center. Cloud computing can give on-demand access to supercomputer-level power, even from a thin client or mobile device such as a smart phone or laptop. (or iPad)
(@tomme Agreed. Quit arguing about definition. Common denominator: other people's ppl, other ppl's gear - let's focus on benefits #ccevent)
The NIST Cloud Definition
Definitions of Architecture
IaaS: “based on pure virtualization. Vendor owns all the hardware and controls the network infrastructure, and you own everything from the guest operating system up. You request virtual instances on-demand and let them go when you are done.”
PaaS: “infrastructure as well as complete operational and development environments for the deployment of your applications.”
SaaS: “a web-based software deployment model that makes the software available entirely through a web browser.”
Architecture Model Examples
Deployment Models
Public
Private ("I'm just going to call a private cloud a data center." --Kash Rangan, Managing Director, Merrill Lynch)
Hybrid Mongrel/Mutt
Why consider the cloud?
Increased productivity
Decreased capital investments
Reduced Costs for IT
Scalable systems with low overhead
Increased Storage
Flexibility
Shift company focus
What works?
Stateless
Computer Intensive
Non-sensitive data
Changing workload pattern
Increased workload with greater subscription rate
What doesn’t work?
Special hardware
Huge data set
Sensitive data
Low latency requirements
99.999% Availability
Cloud Computing a “security nightmare” - John Chambers, CEO, Cisco
Security + Cloud = ?
As my friend Hoff likes to say: “...it is difficult to frame meaningful discussion around what security and Cloud Computing means...”
Yes, no, maybe.
Actually security is not a cloud specific issue. The real struggle is “operational, organizational and compliance issues that come with this new unchartered (or poorly chartered) territory.”
What are you worried about?
Top Threats to Cloud Computing
Abuse and Nefarious Use of Cloud Computing
Insecure Application Programming Interfaces
Malicious Insiders
Shared Technology Vulnerabilities
Data Loss/Leakage
Account, Service & Traffic Hijacking
Unknown Risk Profile
OWASP Top 10
A1 – Injection
A2 – Cross Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Failure to Restrict URL Access
A8 – Unvalidated Redirects and Forwards (NEW)
A9 – Insecure Cryptographic Storage
A10 - Insufficient Transport Layer Protection
Web Application Security Consortium
Lessons?
Some things are no different in the cloud than they are in the enterprise.
The bad guys still want to abuse the resources.
It still comes down to data loss.
Many different actors are involved
Complex policy requirements
Simplified procedural operations
Many moving parts
Learning curve for operations & security staff
Traditional security boundaries shift with cloud deployments
Who’s your neighbor?
The “Process Next Door” may be behaving badly or be under attack.
Unbalanced resource consumption can affect operational availability.
Shared IP space may have a “bad reputation”
Possible hypervisor level attacks on IaaS platforms
Re-using IP addresses leads to unintentional DoS
Is it the same building?
Very different attack surface compared to traditional infrastructure
Large attack surface + high profile = high value targets
Who has access to your data?
Clouds bypass the "physical, logical and personnel controls" IT shops exert over in-house programs*
Lack of visibility into data access by privileged users
Got a handyman?
Management tools & development frameworks may not provide all the security features they should or could.
Tool vendors need to keep up to date with cloud providers' feature enhancements.
Limited security toolsets are available in cloud environments.
Cloud forensics can be challenging.
Compliance possible?
Ability to leverage compliance and certifications the cloud provider already has.
Difficult to get feature/policy/procedure changes from cloud vendor to meet other regulatory requirements or certifications.
Distributed nature of cloud services can add jurisdictional issues to regulatory compliance.
Investigative support & forensics may be difficult to obtain from your cloud provider.
Where for art thou?
Increased regulatory complexities of having data stored in multiple legal jurisdictions.
Foreign governments, agencies or corporations may gain access to your data without your knowledge.
Increased data availability & resiliency of having data automatically replicated to multiple sites.
Intra-application communications may unintentionally span multiple locations
Cloud providers blocking or having their traffic blocked based on geographic location can have a major business impact.
Any chance that comes with a warranty?
Long term viability of cloud partners is a critical consideration with PaaS vendors.
Lock-in with IaaS & SaaS vendors may be less of an issue.
Data transfer costs can be the toughest part of vendor lock-in.
As open cloud platforms emerge and the hybrid deployment model gains popularity, standards will ease some of the current lock-in concerns.
Does it matter?
All types of cloud systems can be leveraged for malicious purposes.
IaaS clouds can be used for large scale spam, DoS, or Command & Control functions.
PaaS platforms have already been used as Command & Control for botnets.
Hijacked accounts can be used to stage internal DoS attacks within the cloud provider’s infrastructure.
Defending against cloud based attacks can be extremely difficult.
Public deployment security issues
Advantages | Disadvantages
Anonymizing effect | Collateral damage effect
Large security investments | Data & AAA security requirements
Pre-certification | Regulatory Compliance & Certifications
Multi-site system & data redundancy | Multi-jurisdiction data store
Fault tolerance & excess capacity | Known vulnerabilities are global
Mongrel deployment security issues
Advantages | Disadvantages
Externalization of attack surface | Data transfer/access considerations
Overcomes private cloud scaling limits | Increased architecture complexity
Multi-site system & data redundancy | Credential management
Isolation & segregation of secure data | Regulatory Compliance & Certifications
Community Deployment Issues
Advantages Disadvantages
Increased redundancy & availability
Extremely high level of complexity
Shared risk & security costs Federation requirements
Compliance & certification requirements
Increased Privileged User attacks
Easy targeting of high value systems
IaaS Security Issues
Advantages | Disadvantages
Increased control of encryption | Account hijacking
Minimized privileged user attacks | Credential management
Ability to use familiar AAA mechanisms | API security risks
More standardized deployments | Lack of role based authorization
Rapid cross vendor redeployment | Dependence on security of the virtualization platform
Full operational control at the VM level | Full responsibility for operations
PaaS Security Issues
Advantages | Disadvantages
Less operational responsibility | Less operational control than IaaS
Instant multi-site business continuity | Vendor lock-in
Massive scale & resiliency | Lack of security tools, reporting, etc.
Simplification of compliance analysis | Increased privileged user attack likelihood
Built-in framework security features | Cloud provider’s long term viability
SaaS Security Issues
Advantages | Disadvantages
Clearly defined access controls | Inflexible reporting & features
Vendor is responsible for data-center & application security | Lack of version control
Predictable scope of account compromise | Inability to layer security controls
Integration with internal directory services | Increased vulnerability to privileged user attacks
Simplified User ACD | No control over legal discovery
Stuff you should know…
Cloud Security Alliance http://cloudsecurityalliance.org/
Sun’s Cloud Security Tools http://www.sun.com/solutions/cloudcomputing/security.jsp
AWS http://aws.amazon.com/security/
Azure http://msdn.microsoft.com/en-us/magazine/ee291586.aspx
Opscode http://www.opscode.com/
Yes, I play Farmville, Petville, Fishville, Texas Hold’em, Mafia Wars, Vampire Wars and occasionally Yoville.