It ain’t all fluffy and blue sky out there!

Upload: duongque

Post on 02-Apr-2018

Page 1: It ain’t all fluffy and blue sky out there!assets.en.oreilly.com/1/event/48/Cloud Security_ It Ain’t All... · Why consider the cloud? ... Large attack surface + high profile

It ain’t all fluffy and blue sky out there!

Page 2

Who’s this guy?

Ward Spangenberg, Director of Security Operations, Zynga Game Network

No - I won’t whack the Petville boss who just broke into your cafe and made away with all your “grave dirt” riding a “luv-ewe”.

Founding Member of the Cloud Security Alliance

Page 3

What’s he going to talk about?

Definitions: Same starting point for everyone.

Security: What does that even mean?

Compliance: Did he just say compliance and cloud in the same sentence?

Privacy: All your cloud belong to us.

Stuff: quips, stories, advice, and hopefully some laughter.

Page 4

Definition of Cloud Computing

Cloud computing describes a system where users can connect to a vast network of computing resources, data and servers that reside somewhere “cloudy,” usually on the Internet, rather than locally or in the data center. Cloud computing can give on-demand access to supercomputer-level power, even from a thin client or mobile device such as a smart phone or laptop. (or iPad)

(@tomme Agreed. Quit arguing about definition. Common denominator: other people's ppl, other ppl's gear - let's focus on benefits #ccevent)

Page 5

The NIST Cloud Definition

Page 6

Definitions of Architecture

IaaS: “based on pure virtualization. Vendor owns all the hardware and controls the network infrastructure, and you own everything from the guest operating system up. You request virtual instances on-demand and let them go when you are done.”

PaaS: “infrastructure as well as complete operational and development environments for the deployment of your applications.”

SaaS: “a web-based software deployment model that makes the software available entirely through a web browser.”

Page 7

Architecture Model Examples

Page 8

Deployment Models

Public

Private ("I'm just going to call a private cloud a data center." --Kash Rangan, Managing Director, Merrill Lynch)

Hybrid (Mongrel/Mutt)

Page 9

Why consider the cloud?

Increased productivity

Decreased capital investments

Reduced Costs for IT

Scalable systems with low overhead

Increased Storage

Flexibility

Shift company focus

Page 10

What works?

Stateless

Compute Intensive

Non-sensitive data

Changing workload pattern

Increased workload with greater subscription rate

Page 11

What doesn’t work?

Special hardware

Huge data set

Sensitive data

Low latency requirements

99.999% Availability

Page 12

Cloud Computing a “security nightmare” - John Chambers, CEO, Cisco

Page 13

Security + Cloud = ?

As my friend Hoff likes to say: “...it is difficult to frame meaningful discussion around what security and Cloud Computing means...”

Yes, no, maybe.

Actually security is not a cloud-specific issue. The real struggle is “operational, organizational and compliance issues that come with this new unchartered (or poorly chartered) territory.”

Page 14

What are you worried about?

Page 15

Top Threats to Cloud Computing

Abuse and Nefarious Use of Cloud Computing

Insecure Application Programming Interfaces

Malicious Insiders

Shared Technology Vulnerabilities

Data Loss/Leakage

Account, Service & Traffic Hijacking

Unknown Risk Profile

Page 16

OWASP Top 10

A1 – Injection

A2 – Cross Site Scripting (XSS)

A3 – Broken Authentication and Session Management

A4 – Insecure Direct Object Reference

A5 – Cross Site Request Forgery (CSRF)

A6 – Security Misconfiguration (NEW)

A7 – Failure to Restrict URL Access

A8 – Unvalidated Redirects and Forwards (NEW)

A9 – Insecure Cryptographic Storage

A10 – Insufficient Transport Layer Protection

Page 17

Web Application Security Consortium

Page 18

Lessons?

Some things are no different in the cloud than they are in the enterprise.

The bad guys still want to abuse the resources.

It still comes down to data loss.

Page 19

Many different actors are involved

Complex policy requirements

Simplified procedural operations

Many moving parts

Learning curve for operations & security staff

Traditional security boundaries shift with cloud deployments

Page 20

Who’s your neighbor?

The “Process Next Door” may be behaving badly or be under attack.

Unbalanced resource consumption can affect operational availability.

Shared IP space may have a “bad reputation”

Possible hypervisor level attacks on IaaS platforms

Re-using IP addresses leads to unintentional DoS
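The last point on this slide is worth a concrete check. When an instance is released, its public address goes back into the provider's pool and can be handed to another tenant; any DNS record or firewall allow-list entry that still names the old address then sends your users to a stranger, or gives a stranger the access you granted to yourself. The script below is an added example, not from the slides or from Zynga: it reconciles a zone export against the addresses a cloud account currently holds and flags the stale entries. The zone, the inventory and the allow-list are constructed sample data (example.test names and the 203.0.113.0/24 and 2001:db8::/32 documentation ranges); in practice they would come from a zone transfer or DNS export and from the provider's address listing.

```python
"""Reconcile DNS records and firewall allow-list entries against a cloud IP
inventory to find entries left behind after an instance (and its public IP)
was released.

Added example, not from the slides. All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    name: str
    rtype: str   # only A and AAAA are address records
    value: str


# Constructed sample zone: what DNS still says.
ZONE = [
    DnsRecord("www.example.test", "A", "203.0.113.10"),
    DnsRecord("api.example.test", "A", "203.0.113.11"),
    DnsRecord("old-build.example.test", "A", "203.0.113.50"),    # instance long gone
    DnsRecord("mail.example.test", "MX", "10 mx.example.test."),  # not an address record
    DnsRecord("v6.example.test", "AAAA", "2001:db8::1"),
]

# Constructed sample inventory: public addresses the cloud account holds right now.
OWNED_ADDRESSES = {"203.0.113.10", "203.0.113.11", "2001:db8::1"}

# Constructed sample allow-list (security-group style CIDR entries).
ALLOW_LIST = ["203.0.113.10/32", "203.0.113.50/32", "198.51.100.0/24"]


def parse_address(value):
    """Return an ip_address object, or None if the value is not a literal address."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def find_dangling(zone, owned):
    """Address records (A/AAAA) whose target is no longer held by this account.

    Such a record now points at whoever the provider hands that address to next:
    your traffic goes to them, and the name is effectively down for you.
    """
    owned_set = {ipaddress.ip_address(a) for a in owned}
    dangling = []
    for rec in zone:
        if rec.rtype not in ("A", "AAAA"):
            continue                      # CNAME/MX/TXT carry no address to check here
        addr = parse_address(rec.value)
        if addr is None:
            continue                      # malformed record; handle out of band
        if addr not in owned_set:
            dangling.append(rec)
    return dangling


def find_stale_allow_entries(allow_list, owned):
    """Single-host allow-list entries that name an address this account no longer holds.

    The reverse of the DNS problem: the next tenant of that address inherits
    whatever access the entry grants. Only /32 and /128 entries are tied to a
    specific former instance; wider ranges are policy and are left alone.
    """
    owned_set = {ipaddress.ip_address(a) for a in owned}
    stale = []
    for entry in allow_list:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses != 1:
            continue
        if net.network_address not in owned_set:
            stale.append(entry)
    return stale


if __name__ == "__main__":
    for rec in find_dangling(ZONE, OWNED_ADDRESSES):
        print(f"dangling DNS: {rec.name} {rec.rtype} -> {rec.value} (address not in inventory)")
    for entry in find_stale_allow_entries(ALLOW_LIST, OWNED_ADDRESSES):
        print(f"stale allow-list entry: {entry} (address not in inventory)")
```

Run this from a scheduled job against a fresh inventory pull; the two lists it returns are the records to delete (or re-point) before the released address is reassigned, which on large providers can happen within minutes.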

Page 21

Is it the same building?

Very different attack surface compared to traditional infrastructure

Large attack surface + high profile = high value targets

Who has access to your data?

Clouds bypass the "physical, logical and personnel controls" IT shops exert over in-house programs*

Lack of visibility into data access by privileged users

Page 22

Got a handyman?

Management tools & development frameworks may not provide all the security features they should or could.

Tool vendors need to keep up to date with cloud providers’ feature enhancements.

Limited security toolsets are available in cloud environments.

Cloud forensics can be challenging.

Page 23

Compliance possible?

Ability to leverage compliance and certifications the cloud provider already has.

Difficult to get feature/policy/procedure changes from the cloud vendor to meet other regulatory requirements or certifications.

Distributed nature of cloud services can add jurisdictional issues to regulatory compliance.

Investigative support & forensics may be difficult to obtain from your cloud provider.

Page 24

Where for art thou?

Increased regulatory complexities of having data stored in multiple legal jurisdictions.

Foreign governments, agencies or corporations may gain access to your data without your knowledge.

Increased data availability & resiliency of having data automatically replicated to multiple sites.

Intra-application communications may unintentionally span multiple locations

Cloud providers blocking or having their traffic blocked based on geographic location can have a major business impact.

Page 25

Any chance that comes with a warranty?

Long term viability of cloud partners is a critical consideration in PaaS vendors.

Lock-in with IaaS & SaaS vendors may be less of an issue.

Data transfer costs can be the toughest part of vendor lock-in.

As open cloud platforms emerge and the hybrid deployment model gains popularity, standards will ease some of the current lock-in concerns.

Page 26

Does it matter?

All types of cloud systems can be leveraged for malicious purposes.

IaaS clouds can be used for large scale spam, DoS, or Command & Control functions.

PaaS platforms have already been used as Command & Control for botnets.

Hijacked accounts can be used to stage internal DoS attacks within the cloud provider’s infrastructure.

Defending against cloud based attacks can be extremely difficult.

Page 27

Public deployment security issues

Advantages                                  Disadvantages
Anonymizing effect                          Collateral damage effect
Large security investments                  Data & AAA security requirements
Pre-certification                           Regulatory Compliance & Certifications
Multi-site system & data redundancy         Multi-jurisdiction data store
Fault tolerance & excess capacity           Known vulnerabilities are global

Page 28

Mongrel deployment security issues

Advantages                                  Disadvantages
Externalization of attack surface           Data transfer/access considerations
Overcomes private cloud scaling limits      Increased architecture complexity
Multi-site system & data redundancy         Credential management
Isolation & segregation of secure data      Regulatory Compliance & Certifications

Page 29

Community Deployment Issues

Advantages                                  Disadvantages
Increased redundancy & availability         Extremely high level of complexity
Shared risk & security costs                Federation requirements
                                            Compliance & certification requirements
                                            Increased Privileged User attacks
                                            Easy targeting of high value systems

Page 30

IaaS Security Issues

Advantages                                  Disadvantages
Increased control of encryption             Account hijacking
Minimized privileged user attacks           Credential management
Ability to use familiar AAA mechanisms      API security risks
More standardized deployments               Lack of role based authorization
Rapid cross vendor redeployment             Dependence on security of the virtualization platform
Full operational control at the VM level    Full responsibility for operations

Page 31

PaaS Security Issues

Advantages                                  Disadvantages
Less operational responsibility             Less operational control than IaaS
Instant multi-site business continuity      Vendor lock-in
Massive scale & resiliency                  Lack of security tools, reporting, etc.
Simplification of compliance analysis       Increased privileged user attack likelihood
Built-in framework security features        Cloud provider’s long term viability

Page 32

SaaS Security Issues

Advantages                                                      Disadvantages
Clearly defined access controls                                 Inflexible reporting & features
Vendor is responsible for data-center & application security    Lack of version control
Predictable scope of account compromise                         Inability to layer security controls
Integration with internal directory services                    Increased vulnerability to privileged user attacks
Simplified User ACD                                             No control over legal discovery

Page 33

Stuff you should know…

Cloud Security Alliance http://cloudsecurityalliance.org/

Sun’s Cloud Security Tools http://www.sun.com/solutions/cloudcomputing/security.jsp

AWS http://aws.amazon.com/security/

Azure http://msdn.microsoft.com/en-us/magazine/ee291586.aspx

Opscode http://www.opscode.com/

Page 34

Yes, I play Farmville, Petville, Fishville, Texas Hold’em, Mafia Wars, Vampire Wars and occasionally Yoville.

Page 35

Ward Spangenberg

[email protected]

twitter: @wardspan