A Cloud Security Ghost Story Craig Balding

Upload: craigbalding

Post on 17-Nov-2014


DESCRIPTION

Presented at Black Hat Europe 2009 by Craig Balding, founder of http://cloudsecurity.org

TRANSCRIPT

1. A Cloud Security Ghost Story / Craig Balding
2. Disclaimer: The views and opinions expressed here are those of Craig Balding only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
3. Happy to take questions as we go / Will limit in-flight answers to 2 minutes... / ...to allow time for Q&A at end / If you want SAP Pwnage, other track ;-)
4. Tweeting/Blogging? Please add the tag: cloudsec
5. Clown Computing? / Cloud == Internet / It's Outsourcing! / It's Virtualization! / Overhyped Fad / Nothing New / Don't Believe in Clouds?
6. A Service Model / *aaS: ...as a Service / On-Demand / Pay As You Go (CC) / Elastic / Abstracted Resource / What Is Cloud?
7. Cloud Security vs. Security in the Cloud / Avoid the Facepalm
8. This is not ASP / Shared Hardware / Shared Fabric / Host / Scalability / Cost / Multi Tenancy
9. DB Security Model
10. DB == Tenant
11. DB == Tenant 1..n
12. Engineering Feat / Scalability / Availability / New techniques / 1000:1 / Green / It's Only Day 1
13. Cloud Magic: Just Say No
14. Evil State / Replication Woes / Patching Devils / Insidious Integrity / Funding / Cloud FAIL
15. Risk Management / You're Liable / Compensating Controls / Plan for Failure / Trust but Verify / Web Services Security / Browsers Are Brittle / Security Givens
16. Ghost Central
17. *aaS: ...as a Service / Pay As You Go (CC) / Elastic / Outages Very Public / Support Forums / Public Clouds
18. Classic SPI Model / Software as a Service / Platform as a Service / Infrastructure as a Service
19. Examples / Software as a Service / Platform as a Service / Infrastructure as a Service
20. SaaS / CRM / force.com == PaaS / AppExchange Code Reviews / Service Cloud / Salesforce
21. Examples / Software as a Service / Platform as a Service / Infrastructure as a Service
22. PaaS / Python VM / Justin Ferguson / Java VM / Data Import/Export / SDC / Google App Engine
23. Google Secure Data Connector
24. Software & Services / Technology Preview / Identity (Cameron) / Microsoft Azure
25. Software + Services
26. Examples / Software as a Service / Platform as a Service / Infrastructure as a Service
27. Public IaaS Pioneer / EC2, S3, SQS etc / You secure / Security Whitepaper / Evangelism / Data Cleansing / Amazon Web Services
28. One Key / Management Plane / New Policy Language / Report a Scan / If a HD is Stolen... / AWS Ecosystem / Amazon Web Services
29. Dynamo Paper / Consistency / Availability / Integrity / Out of order / No Time Promises / Eventually Consistent
30. AWS Dev friendly / Dev Testimonials / AMZN PMTS 866-216-1072 / AWS API endpoints / POST/PUT/DELETE / Developers with Credit Cards
31. Visibility / Mutants / Cloud Stacks / Integration / Privacy / Regulations / SLAs / Haunted House of the Cloud
32. The Visibility Ghost Ship
33. When Controls Fail / Lingua Franca: API / Manage SSL / EC2 vs NSM / Immature logging / DLP / The Visibility Ghost Ship
34. IaaS vs PaaS vs SaaS / Scan & Get Canned / Idea: AllowScan API / Pen-testing Scope / Assurance
35. Virtual Data Center / Version Control / View as Timeline / Pre/post Commit Sanity Checks / Proactive Polling / Data Center Tripwire
36. Call Premium Support / Cloud Clamour / No Business Context / Incident Response
37. IaaS vs PaaS vs SaaS / Ghosting a Ghost / Logs & Integration / Offline Forensic VMs / AWS EBS Cloning / Forensics as a Service / Cloud IR Teams? / Forensics
38. IaaS vs PaaS vs SaaS / Mash-ups 1...n / Theft of Hard Drive... / First, find the DC / Jurisdictional Hell / Investigations
39. The March of the Mutated Hypervisor
40. AWS EC2 / Xen with mods / No Dom0 Access / Xen DomU / Expose via XML API / The March of the Mutated Hypervisor
41. BIOS Functionality++ / Research++ / Cache Snooping / Hypervisor Attack / Persistent Rootkits / The Vampire BIOS
42. Ghost in the Stacks
43. Dependent Services / Consume & Provide / Trust by Inheritance / Mind the Gap / Pass the Buck / Cloud Stacks/Layers
44. Appirio / Salesforce App / Hook API / Divert Attachments / Client > EC2 > S3 / Stored in Plaintext! / Example
45. Net vs Storage Crypto
46. Enterprise Integration / Road to Hell
47. Identity is > People / Federated Auth / Visibility / DLP / Metrics / Billing / Enterprise Integration
48. IaaS vs PaaS vs SaaS / VM Portability / Frameworks / AWS as de facto API / Unified Cloud? / Interoperability
49. Cloud Lock-in
50. The Green Lantern of Privacy
51. EPIC Compliant / Misstating Security / Snafus & Vulns / Lack of Crypto / Bar of chocolate? / $SOCIALNETWORKS / The Green Lantern of Privacy
52. The Screaming Regulator
53. PCI: The Mosso Pitch / HIPAA: AWS / Apps / Screaming or silent? / VirtSec / PCI DSS / Groundhog Day / The Screaming Regulator
54. Jurisdiction / IP rights / Content ownership / Contract Law Wins / Licensing / Raid 8 / Legal Concerns
55. The Curse of the Bloodstained SLA
56. Blah Blah Blah / No CHANGELOG / Blah Blah Blah / Internet == No promises / Blah Blah Blah / CC_OK || rm -rf /cloud / Blah Blah Blah / Service Credits FTW! / Blah Blah Blah / Blood Stained SLA
57. AWS Security Pledge: 7.2 "We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications."
58. AWS Security Advice: 7.2 "...We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates."
59. Not even Service Credits? ;-) 7.2 "...We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications."
60. Cloud Nirvana: The Rise of the Enterprise Private Cloud
61. Maximum Control / Interoperability / Cloudbursting / Extend Off-site / VMware / CISCO / Eucalyptus (OSS) / Private Clouds
62. Source: Chris Hoff
63. Infrastructure 1.0 / Firewall Mentality / Controls vs Data / Investments vs Risk / DL Time Bombs / Visibility & IR / Enterprise Skeletons
64. 346 Legacy Apps / Audit Reports / 3rd Party Monsters / Aging Policies / Controls / Assets / Inner Control Freak / Good Old Days / Call from the Grave
65. Eucalyptus (OSS) / API == AWS EC2 / Xen + KVM / Ship w/Ubuntu 9.04 / Open Source Private Cloud
66. Centralised Controls / Password Cracking / Forensic Readiness / Never Ending Logs / Security Builds / Security Testing / Embrace the Cloud
67. Cloud Aggregator / Internet Trading Platform / "Public/Private" / Handle Billing / Cloud Brokers
68. Example: Zimory
69. Pick Your Poison / Gold: A gold SLA cloud delivers the strongest quality standards. This includes availability and security standards. The providers offering these resources are compliant with all relevant security certifications. / Silver: A silver SLA offers high availability and security standards. The providers are known brands. / Bronze: A bronze SLA delivers the usual quality and availability standards of hosting providers. It does not contain certifications and additional security offerings.
70. Cloud Spirits / General: John Willis: IT ESM and Cloud (Droplets); Kevin L. Jackson: Cloud Musing (Federal); James Urquhart (CISCO): Wisdom of Clouds; Werner Vogels (AWS CTO): All Things Distributed; Google Groups: Cloud Computing / Security: Christofer Hoff: rationalsurvivability.com; Craig Balding (aka Me): cloudsecurity.org
71. Cloud Security Alliance / ENISA Cloud Security Working Group / Cloud Security Initiatives
72. Cloud Security Alliance / Non-profit organization / Promote practices to provide security assurance / Comprised of many subject matter experts from a wide variety of disciplines / Official launch next week @ RSA / Join? LinkedIn Group "Cloud Security Alliance" open to all
73. ENISA Cloud Computing Risk Assessment / European Policymakers responsible for funding Cloud risk mitigation research, policy, economic incentives, legislative measures, awareness-raising initiatives / Business leaders to evaluate Cloud risks and possible mitigation strategies / Individuals/citizens to evaluate cost/benefit of consumer Cloud services
74. Hosting => Cloud / Cloud Platform Wars / Cloud Pwnage / Trust Indicators / Vertical Clouds / Data Centric Security? / Social Engineering++ / Futures
75. Ghost Alley / Amsterdam
76. Thanks
77. Q&A / Craig Balding
78. CSA: Domains / Governance and Enterprise Risk Management / Information lifecycle management / Portability & Interoperability / Data Center Operations / Incident Response, Notification, Remediation / Compliance & Audit / General: Legal; eDiscovery impact; "Traditional" Security (business continuity, disaster recovery, physical security); Encryption and Key Mgt; Identity and Access Mgt; Storage; Virtualization; Architectural Framework; Application Security