UC Cloud Computing Security
DESCRIPTION
Dean Jones has a track record of more than 24 years in understanding the technology-business interface, identifying and aligning clients' technology needs with products and services, and solving complex problems. His successful and diverse background, spanning technical, operational management, project delivery, and strategy development disciplines, underscores expertise in engaging decision makers and devising winning strategies and solutions.
TRANSCRIPT
•Infrastructure As A Service (IAAS)
BDPA DALLAS
•Dean Jones, Engagement Manager
UC Cloud Computing Security
May 31st Program Meeting
Discussion Topics
• Potential Security Breaches & Associated Cost
• Cloud Computing and Topology
• SIP – UC Cloud / IAAS Topology
• Case Studies
Potential Security Breaches
The Cost of Unsecured Hosted and Private UC Environments.
One Successful Toll Fraud Attack $40,000
Cloud Computing 5
Steady CAPEX spend
Global Annual Server Spending (IDC)
Source: IBM Corporate Strategy analysis of IDC data
Uncontrolled management and energy costs
To make progress, delivery organizations must address the server, storage and network operating cost problem, not just CAPEX
[Chart: Global Annual Server Spending (IDC), 1996 to 2010, $0B to $300B; series: new system spend, management and admin costs, power and cooling costs]
A crisis of complexity. The need for progress is clear.
Majority of IT and security execs say insider vulnerabilities worry them most.
Mar 09, 2009 | 08:08 AM, by Tim Wilson, DarkReading
It's official: Today's security managers are more worried about insiders leaking sensitive corporate data than they are about outsiders breaking in to steal it.
http://www.darkreading.com/insiderthreat/security/vulnerabilities/showArticle.jhtml?articleID=215801195
Reports: Security Pros Shift Attention From External Hacks To Internal Threats
Perimeter defense is essential – But it doesn’t guard data against the human factor
• Lost or stolen devices
– Intellectual property exposed to competitors
– Sensitive customer data compromised
– Competitive information leaked to the media
• Exposed business processes
– Extracts pulled for processing and reporting
– Circulating data across organizations
– Workarounds during system outages
• Malicious insiders
– Malware deployed within the network
– Intentional misuse of company information
– Identity theft and industrial espionage
• Careless use of the corporate network
– Viruses unwittingly downloaded at home
– Unsecured archives or copies of data
– Uncontrolled circulation of classified documents or personal e-mail messages
[Diagram labels: Business Partners, Supply Chain, Coffee Shop, Hotels, Home]
Inadequate, disjointed technology management
Foes, Gremlins, and Banana Peels
Increased collaboration brings increased complexity and increased risk.
Many companies expend resources on the network without achieving the expected results.
• A piecemeal approach to network security and updates leads to an overly complex infrastructure
– Time-consuming to pinpoint causes of performance problems, especially for newly added voice and video applications that impact traditional mission-critical applications
– Difficult to determine the best way to optimize costs and performance
– Hard to estimate future expenditures and justify current costs
– Almost impossible to predict capacity requirements accurately
• Through 2011, enterprises will waste $100 billion buying the wrong networking technologies and services (3)
– Unnecessary technologies
– Excess bandwidth
– Unwarranted upgrades
(3) Gartner, Gartner’s Top Predictions for IT Organizations and Users, 2007 and Beyond, Daryl C. Plummer and others, December 2006.
Ponemon Institute’s Security Breach Studies
• Two separate reports, the Ponemon Institute’s “The First Annual Cost of Cyber Crime Study” (PDF), which was sponsored by ArcSight, and “The Leaking Vault” (PDF), released today by the Digital Forensics Association, both show troubling findings for companies’ finances:
• a median cost of $3.8 million for an attack per year, including all costs, from detection, investigation, containment, and recovery to any post-response operations.
• out of 2,807 publicly disclosed data breaches worldwide during the past five years, the cost to the victim firms as well as those whose information was exposed reached $139 billion.
• nearly half of all of the reported breaches came from a laptop, which in 95 percent of the cases is stolen
• hacks led to the most stolen records during 2005 to 2009, with 327 million of the 721.9 million covered in the report, although hacks represent only about 16 percent of the data breaches
• Web-borne attacks, malicious code, and malicious insiders are the most costly types of attacks, making up more than 90 percent of all cybercrime costs per organization per year
• A Web-based attack costs 143,209 USD; malicious code, 124,083 USD; and malicious insiders, 100,300 USD.
Cloud Security Breach Examples
• Google Doc allowed shared permission without user knowledge
– http://www.google.com/support/forum/p/Google+Docs/thread?tid=2ef115be2ce4fd0e&hl=en
• Salesforce.com phishing attack led to leak of a customer list; subsequent attacks
– http://voices.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html
• Vaserv.com Webhost hack wipes out data for 100,000 sites
– http://www.theregister.co.uk/2009/06/08/webhost_attack/
• Twitter company files leaked in Cloud Computing security failure
– http://www.infosecurity-us.com/view/2554/twitter-company-files-leaked-in-cloud-computing-security-failure/
• DDoS attack that downed Twitter also hit Facebook
– http://www.computerworld.com/s/article/9136340/DDoS_attack_that_downed_Twitter_also_hit_Facebook?source=CTWNLE_nlt_security_2009-08-07
UC Cloud Computing Security and Topology
Cloud: Consumption & Delivery Models Optimized by Workload
• “Cloud” is: A new consumption and delivery model inspired by consumer Internet services.
• Cloud enables: Self-service, Sourcing options, Economies-of-scale
• “Cloud” represents: The Industrialization of Delivery for IT supported Services
• Multiple Types of Clouds will co-exist: Private, Public and Hybrid; Workload and/or Programming Model Specific
[Diagram labels: Cloud Services, Cloud Computing Model]
Cloud Computing
Is cloud computing really new? Yes, and No.
Cloud computing is a new consumption and delivery model inspired by consumer Internet services. Cloud computing exhibits the following 5 key characteristics:
• On-demand self-service
• Ubiquitous network access
• Location independent resource pooling
• Rapid elasticity
• Pay per use
While the technology is not new, the end user focus of self-service, self-management leveraging these technologies is new.
Virtualization, Service Automation & SOA, Usage Tracking, Web 2.0
End User Focused
Cloud Computing
Enterprise
Today there are three primary delivery models that companies are implementing for cloud
Public Cloud
IT activities/functions are provided “as a service,” over the Internet
Key features:
– Scalability
– Automatic/rapid provisioning
– Standardized offerings
– Consumption-based pricing
– Multi-tenancy
Traditional Enterprise IT
Private Cloud
IT activities/functions are provided “as a service,” over an intranet, within the enterprise and behind the firewall
Key features include:
– Scalability
– Automatic/rapid provisioning
– Chargeback ability
– Widespread virtualization
Hybrid Cloud
Internal and external service delivery methods are integrated, with activities/functions allocated based on security requirements, criticality, architecture and other established policies.
Private Cloud
Public Clouds
Hybrid Cloud
Source: IBM Market Insights, Cloud Computing Research, July 2009.
Security Implications of the Delivery Models
UC Cloud Computing
Cost savings and faster time to value are the leading reasons why companies consider cloud
To what degree would each of these factors induce you to acquire public cloud services? (Respondents could rate multiple driver items.)
• Reduce costs: 77%
– Pay only for what we use
– Hardware savings
– Software licenses savings
– Lower labor and IT support costs
– Lower outside maintenance costs
• Faster time to value: 72%
– Take advantage of latest functionality
– Simplify updating/upgrading
– Speed deployment
– Scale IT resources to meet needs
• Improve reliability: 50%
– Improve system availability
– Improve system reliability
Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
Managing Cloud Adoption
• Cloud economics can be compelling
– Small companies will adopt as reliable, easy-to-use services are available
– Scale economics are within reach of many enterprises
• Client migration will be work load driven
– Trade-off is value vs. risk of migration
– Workload characteristics are critical
– New workloads will emerge as cloud makes them affordable (e.g. pervasive analytics, Smart Healthcare)
Elements that Drive Cloud Efficiency and Economics
• Self Service: Clients who can “serve themselves” require less support and get services
• Automation of Management: Take repeatable tasks and automate
• Standardization of Workloads: More complexity = less automation possible = people needed
• Virtualization of Hardware: Drives lower capital requirements
• Utilization of Infrastructure: Virtualized environments only get benefits of scale if they are highly utilized
[Diagram axis labels: Labor Leverage, Infrastructure Leverage]
Cloud Computing
Enterprise Benefits from Cloud Computing
Cloud accelerates business value across a wide variety of domains.
Capability | From (legacy environments) | To (cloud enabled enterprise)
Server/Storage Utilization | 10-20% | 70-90%
Self service | None | Unlimited
Test Provisioning | Weeks | Minutes
Change Management | Months | Days/Hours
Release Management | Weeks | Minutes
Metering/Billing | Fixed cost model | Granular
Standardization | Complex | Self-Service
Payback period for new services | Years | Months
Clients told us their implementation strategies — public or private Cloud, present or future — for 25 specific workloads
• Analytics
– Data mining, text mining, or other analytics
– Data warehouses or data marts
– Transactional databases
• Business Services
– CRM or Sales Force Automation
– e-mail
– ERP applications
– Industry-specific applications
• Collaboration
– Audio/video/web conferencing
– Unified communications
– VoIP infrastructure
• Desktop and devices
– Desktop
– Service/help desk
• Development and testing
– Development environment
– Test environment
• Infrastructure
– Application servers
– Application streaming
– Business continuity/disaster recovery
– Data archiving
– Data backup
– Data center network capacity
– Security
– Servers
– Storage
– Training infrastructure
– WAN capacity
Source: IBM Market Insights, Cloud Computing Research, July 2009.
Clients cite "push factors" for and "barriers" against cloud adoption for each workload type
• Push factors (higher propensity for cloud)
– Fluctuating demand
– Highly standardized applications
– Modular, independent applications
– Unacceptably high costs
• Barriers (lower propensity for cloud)
– Data privacy or regulatory and compliance issues
– High level of internal control required
– Accessibility and reliability are a concern
– Cost is not a concern
Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
IT needs to become smarter about…
• … delivering “services” and service management
– Standardized processes
– Service management systems provide visibility, control and automation
– Lower operational costs and higher productivity
• … optimizing workloads
– Rate and degree of standardization of IT and business services
– Complex transaction and information management processes
– Rapid return-on-investment and productivity gains
• … deployment choices
– New models are emerging for the enterprise
– Self-service, economies-of-scale, and flexible sourcing options
– New choices of deployment – define these new models
Modular, Self-contained, Scalable Workload Delivery Platform
WORKLOAD A
Modular, Self-contained, Scalable Workload Delivery Platform
WORKLOAD B
Legacy Environment: NON – IBM Solutions Requiring workload connectivity
WORKLOAD C
Service Management
Service Management
Service Management
Architectural and process level integration that delivers business aligned Visibility, Control and Automation of all Data Center Elements
End to End Service Management
Focus on Managing Services
Facilities Infrastructure
Production Infrastructure
Mobility Infrastructure
Technology Infrastructure
Communications Infrastructure
+ + + +
3 options to deploy workloads – providing you the choice to meet your business needs!
Smart Business Services – cloud services delivered.
1. Standardized services on the cloud – Public Cloud.
2. Private cloud services, built and/or run by Private Cloud.
Smart Business Systems – purpose-built infrastructure.
3. Integrated Service Delivery Platform
SIP – UC Cloud / IAAS Topology
What do we mean by Unified Communications and Collaboration?
[Diagram labels: Voice, Mobile, Communities, Web Conferencing, Call Management, Instant Messaging, E-Mail, Calendaring, Messaging, Video Conferencing]
Unified Communications + Collaboration = UC²with the added power of mobility
Renovate & Innovate
• How do we address the immediate pressure to cut costs, reduce risk and complexity?
• How do we Innovate to take advantage of new opportunities?
How can we do both at the same time?
• We focus on delivering services in new ways - lowering cost while increasing speed and flexibility!
Benefits of Unified Communications
• UC benefits come from extending the UC network
• New modes of collaboration
– Extended workforce
– Suppliers
– Partners
– Clients
• Corporate policies
– Business continuity
– Privacy compliance, auditing
– Green initiatives
• Cost reduction
– Converged infrastructure
– SIP trunks
[Diagram labels: Clients; Suppliers, Partners; Enterprise; Extended Workforce; IP-PBX; UC Assets; Employees, Departments; Remote Phones; SIP Trunks; Internal Phones]
Challenges of Extending UC
• IP PBX & phone protection
• Policy and compliance enforcement
• Device and user authentication
• Signaling and media privacy
• Deployment
– Phone configuration and management
– Corporate firewall configuration
– Remote firewall traversal
[Diagram labels: Clients; Suppliers, Partners; Extended Workforce; IP-PBX; UC Assets; Employees, Departments; Remote Phones; Internal Phones; SIP Trunks; Rogue Employee; Spammer; Internet Hacker; Infected PC]
Additional Security Concerns
• The significant security concerns for this type of deployment are mainly SIP/SCCP/H.323 call control and application level attacks along with:
– Attacks originating from a peering network
– End user Spam attacks
– Border control and traversal issues
– Handling of domain policies
High-level Cloud Security concerns
• Compliance: Complying with SOX, HIPAA, PCI DSS, FERPA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.
• Less Control: Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.
• Reliability: High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.
• Security Management: Providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud.
• Data Security: Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.
Industry, Government, Risk & Corporate Compliance
Numerous mandates for privacy apply to UC deployments as well as data protection
• FDIC VoIP Guidelines
• FERPA: Family Educational Rights and Privacy Act
• GLBA: Gramm-Leach-Bliley Act – consumer data protection
• FTC Safeguards for consumer protection, enforcing GLBA
• HIPAA: The Health Insurance Portability and Accountability Act
• PCI DSS: The Payment Card Industry Data Security Standard
Inherent Technology Threats
Cloud Security 101: Simple Example
TODAY: We Have Control
• It’s located at X.
• It’s stored in servers Y, Z.
• We have backups in place.
• Our admins control access.
• Our uptime is sufficient.
• The auditors are happy.
• Our security team is engaged.
TOMORROW: Who Has Control?
• Where is it located?
• Where is it stored?
• Who backs it up?
• Who has access?
• How resilient is it?
• How do auditors observe?
• How does our security team engage?
Lesson Learned: We have responded to these questions before… clouds demand fast, responsive, agile answers.
What is a SIP Trunk?
[Diagram labels: LAN, PSTN, Internet, ISP, ITSP, SIP Trunk, PBX, MGW, IPCS, Enterprise]
Definition:
• SIP Trunk is a service offered by an ITSP (Internet Telephony Service Provider) that connects a company's IP-PBX to the telephone system (PSTN) via Internet using the SIP VoIP standard. (Source: wikipedia.org)
Extending VoIP:
• With IP-PBX, enterprises have converged data and voice over LAN; a SIP trunk allows enterprises to do the same over WAN/Internet
SIP Trunk Requirements
[Diagram labels: LAN, PSTN, Internet, ITSP, SIP Trunk, PBX, IPCS, Enterprise]
• Threat protection
– What about toll fraud, Spam, DoS
– Who has access to my PBX
– Monitoring of security incidents
• Policy enforcement
– Need to change firewall policy?
– Control services and features
• Access control
– Who, from where, when
• Privacy
– Who has access to my private communication
• Deployment issues
– Will it work
– Change, upgrades
– Voice Quality
– Visibility QoS/SLA
SIP Trunk Requirements Cont’d
Key Benefits of UC Cloud Computing Security
The UC Cloud Computing Security Competitive Advantage
• Threat Protection
– Block reconnaissance
– Block DoS floods
– Block DDoS floods
– Block stealth DoS
– Block fuzzing/malformed messages
– Block spoofing, masquerading, toll fraud
– Rogue media blocking
– Block and verify anomalous behavior
• Access Control
– SSL/TLS X.509 certificate-based mutual authentication
– Clientless two-factor (RSA SecurID) authentication
– Local firewall/NAT traversal
– Secure channel NAT traversal
– SIP digest authentication
– RADIUS AAA integration
– Call admission control
• Policy Enforcement
– Domain and user level blacklist
– Network, user, device, ToD-based policy control
– Application control
– Signaling control
– Media control
– Security rules and profiles
– Soft key control
– Device security profiles
– Web application control
• Privacy
– Encryption (TLS to TCP) signaling proxy
– Encryption (SRTP or ERTP to RTP) media proxy
– Topology hiding (network privacy)
– User and caller ID privacy (user privacy)
• Security Services
– Asset Discovery
– Security Posture Assessment
– Business Risk Assessment
– Security Recommendations
• Security Research
– Vulnerability Discovery
– Threat Advisory
– Exploit Tools (Sipera LAVA)
– Security Signature Development
Case Studies
The Cost Benefits of a SIP Deployment
Return on Security Investment
• Return on Security Investment factors
– Single Loss Expectancy (SLE)
  • Dollar amount assigned to event
– Annualized Rate of Occurrence (ARO)
  • Estimated frequency of event
– Annualized Loss Expectancy (ALE)
  • SLE x ARO = ALE
Theft of Service Assumptions
• Large Enterprise with 500 SIP trunks
– 50% average utilization
• Without SIP trunk security
– Billing rate 2¢ / min
– Event forces theft of 20% of average utilized trunks
– SLE = 20% x 250 x 2¢ = $1/min
– ARO = 365 days x 24 hours x 60 min = events/year
– ALE = 365 x 24 hours x 60 min x $1 = $525,600
• With UC Security-protected SIP Trunk
– VOIP Vulnerability Assessment
– Best practices
– Comprehensive UC security
Theft of Service Business Case

Unprotected SIP Trunk
Item | Qty | Unit Cost | Total Cost
Capital Cost (list price)
Total Capital Cost | | | $0
Monthly Service Theft Cost
Theft | 30*24*60 = 43,200 | $1 | $43,200
Total Monthly Theft Cost | | | $43,200

Protected SIP Trunk
Item | Qty | Unit Cost | Total Cost
Capital Cost (list price)
VOIP Sec Asses | 2 weeks | $10,000 | $20,000
UC-Sec 2000 HA | 1 pair | $65,950 | $65,950
UC-SEC EMS | 1 | $7,495 | $7,495
Installation | 1 | $3,000 | $3,000
Total Capital Cost | | | $96,445
Monthly Maintenance Cost
UC-Sec Maint. | 1 yr / 12 | $13,190 | $1,099
EMS Maint. | 1 yr / 12 | $1,499 | $125
Total Monthly Maintenance Cost | | | $1,224

Pay Back Period: 3 months and IRR > 75%
With No VoIP/UC Security In place Annualized Loss Expectancy = $525,600
Loss of Service Assumptions
• Large enterprise
– 25,000 users
– 20% using softphones
• Assets
– 5 Avaya SES SIP servers
– 25,000 IP Phones
– 5,000 Softphones
– Softphone laptops carry company confidential data
Threat Level Assumptions
• Threat level or probability of exploit
– 37 Vulnerabilities discovered
– 7 high threats with exploit probability >70% per month
– 5 medium threats with exploit probability >50% per month
– 26 low threats with exploit probability <50% per month
• SIP Servers
– Integrity
  • 1 medium: Spoof Call Server
– Availability
  • 2 high: Denial of Service
  • 1 medium: Service degradation
• IP Phones, Softphones
– Confidentiality
  • 1 medium: Unencrypted snoop
– Integrity
  • 2 medium: Spoofing / hijacking
– Availability
  • 2 high: Denial of Service, fuzzing
  • 1 medium: QoS degradation
• Softphones only
– Confidentiality and availability
  • 2 high: Fuzzing with execute shell code
– Integrity (no high/medium)
Loss of Service ALE Calculation
Number | Vulnerability Type | Probability of Exploit | Assets Affected | $Loss on single occurrence | Annualized rate of occurrence | Annualized Loss Expectancy
1 | DoS | High | Server | 15 mins, $50,000 | 7 | 350,000
2 | DoS | High | Server | 15 mins, $50,000 | 7 | 350,000
3 | Degradation | Medium | Server | 15 mins, $25,000 | 5 | 125,000
4 | Spoofing | Medium | Server | 15 mins, $35,000 | 5 | 175,000
5 | DoS | High | IP Phone, Softphone | 1 hr, $50 | 35 | 1,750
6 | DoS | High | IP Phone, Softphone | 1 hr, $50 | 35 | 1,750
7 | Degradation | Medium | IP Phone, Softphone | 1 hr, $25 | 25 | 625
8 | Spoofing | Medium | IP Phone, Softphone | 1 hr, $500 | 25 | 6,250
9 | Hijack | Medium | IP Phone, Softphone | 1 hr, $500 | 25 | 6,250
10 | Sniffing | Medium | IP Phone, Softphone | 1 hr, $500 | 25 | 6,250
11 | Buffer overflow, Shell-code | High | Softphone | Company, $3000 | 35 | 105,000
12 | Buffer overflow, Shell-code | High | Softphone | Company, $3000 | 35 | 105,000
Total | 12 | 7 High, 5 medium | | | | ~ $1.2 million
Loss of Service Business Case

Unprotected IP-PBX
Item | Qty | Unit Cost | Total Cost
Capital Cost (list price)
Total Capital Cost | | | $0
Monthly Service Loss Cost
Loss | 1 | $100,000 | $100,000
Total Monthly Loss Cost | | | $100,000

Sipera-protected IP-PBX
Item | Qty | Unit Cost | Total Cost
Capital Cost (list price)
VIPER Asses | 2 weeks | $10,000 | $20,000
UC-Sec 50k HA | 1 pair | $229,850 | $229,850
UC-SEC EMS | 1 | $7,495 | $7,495
Installation | 1 | $3,000 | $3,000
Total Capital Cost | | | $260,345
Monthly Maintenance Cost
UC-Sec Maint. | 1 yr / 12 | $30,000 | $2,500
EMS Maint. | 1 yr / 12 | $1,499 | $125
Total Monthly Maintenance Cost | | | $2,625

Pay Back Period: 3 months and IRR > 60%
With No VoIP/UC Security In place Annualized Loss Expectancy = $1,200,000
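The SLE x ARO = ALE arithmetic behind both business cases, as an added example that is not part of the original deck: it recomputes the toll-fraud ALE, audits every row of the loss-of-service table against its printed ALE, and derives the payback periods. The payback formula (capital cost divided by net monthly saving, rounded up, with the control removing the whole loss) is an assumption; the audit shows that rows 8 to 10 as printed list $500 x 25 but an ALE of 6,250.

```python
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Row:
    number: int
    vuln: str
    asset: str
    sle: int         # $ loss on a single occurrence, as printed
    aro: int         # annualized rate of occurrence, as printed
    stated_ale: int  # annualized loss expectancy, as printed

    @property
    def ale(self) -> int:
        return self.sle * self.aro  # SLE x ARO = ALE


# Values transcribed from the "Loss of Service ALE Calculation" table.
PHONES = "IP Phone, Softphone"
LOSS_OF_SERVICE = [
    Row(1, "DoS", "Server", 50_000, 7, 350_000),
    Row(2, "DoS", "Server", 50_000, 7, 350_000),
    Row(3, "Degradation", "Server", 25_000, 5, 125_000),
    Row(4, "Spoofing", "Server", 35_000, 5, 175_000),
    Row(5, "DoS", PHONES, 50, 35, 1_750),
    Row(6, "DoS", PHONES, 50, 35, 1_750),
    Row(7, "Degradation", PHONES, 25, 25, 625),
    Row(8, "Spoofing", PHONES, 500, 25, 6_250),
    Row(9, "Hijack", PHONES, 500, 25, 6_250),
    Row(10, "Sniffing", PHONES, 500, 25, 6_250),
    Row(11, "Buffer overflow, shell code", "Softphone", 3_000, 35, 105_000),
    Row(12, "Buffer overflow, shell code", "Softphone", 3_000, 35, 105_000),
]


def toll_fraud_ale(trunks=500, utilization_pct=50, stolen_pct=20, cents_per_min=2):
    """Theft-of-service slide: each minute of the year counts as one event."""
    stolen_trunks = trunks * utilization_pct // 100 * stolen_pct // 100
    sle_cents = stolen_trunks * cents_per_min  # cents lost per minute (SLE)
    aro = 365 * 24 * 60                        # minutes, i.e. events, per year
    return sle_cents * aro // 100              # ALE in dollars per year


def audit(rows):
    """Return (recomputed total, printed total, row numbers where they differ)."""
    mismatched = [r.number for r in rows if r.ale != r.stated_ale]
    return sum(r.ale for r in rows), sum(r.stated_ale for r in rows), mismatched


def payback_months(capital, monthly_loss_avoided, monthly_maintenance):
    """Assumed model: capital / (loss avoided - maintenance), in whole months."""
    net = monthly_loss_avoided - monthly_maintenance
    if net <= 0:
        raise ValueError("control costs more per month than the loss it avoids")
    return ceil(capital / net)


if __name__ == "__main__":
    print("Toll fraud ALE: $%d" % toll_fraud_ale())
    recomputed, printed, bad = audit(LOSS_OF_SERVICE)
    print("Loss of service ALE: recomputed $%d, printed $%d" % (recomputed, printed))
    print("Rows where printed ALE != SLE x ARO:", bad)
    print("Payback, SIP trunk case:", payback_months(96_445, 43_200, 1_224), "months")
    print("Payback, IP-PBX case:", payback_months(260_345, 100_000, 2_625), "months")
```

Either total rounds to the deck's "~ $1.2 million", so the mismatch in rows 8 to 10 does not change the business case.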
Other Downtime Effects
• Impact on stock price
• Cost of fixing / replacing equipment
• Cost of fixing / replacing software
• Salaries paid to staff unable to undertake productive work
• Salaries paid to staff to recover work backlog and maintain deadlines
• Cost of re-creation and recovery of lost data
• Loss of customers (lifetime value of each) and market share
• Loss of product
• Product recall costs
• Loss of cash flow from debtors
• Interest value on deferred billings
• Penalty clauses invoked for late delivery and failure to meet Service Levels
• Loss of profits
• Additional cost of credit through reduced credit rating
• Fines and penalties for non-compliance
• Liability claims
• Additional cost of advertising, PR and marketing to reassure customers and prospects to retain market share
• Additional cost of working; administrative costs; travel and subsistence etc.
Hacking Tools - YouTube Movies
• http://youtu.be/89fXxmaca4E
• http://youtu.be/x56j2BRkUME
• http://youtu.be/DU8hg4FTm0g