cloud security: beyond the buzz

33
Cloud Security: Beyond the Buzz Real-world case studies show how time-tested security concepts are applied to the Cloud

Upload: rinky25

Post on 11-May-2015

1.653 views

Category:

Documents


2 download

TRANSCRIPT

Page 1: Cloud Security: Beyond the Buzz

Cloud Security: Beyond the Buzz

Real-world case studies show how time-tested security concepts are applied to the Cloud

Page 2: Cloud Security: Beyond the Buzz

Today’s Chat

• Introduction• Me, my company, and why we care about Cloud.

• What’s Cloud?• SaaS, IaaS, PaaS

• What’s Cloud Security?• Different for SaaS, IaaS, PaaS

• The Nitty Gritty• Considerations and case studies

Page 3: Cloud Security: Beyond the Buzz

Introduction: Terremark Worldwide

• World-class Data Centers• NAP of the Americas, NAP of the Capital Region• Network-agnostic (e.g, ~100 ISPs in NAPOTA)

• World-class Managed Hosting• Built on InfiniStructure – a virtualized platform• Large sensitive clients: H&R Block, Broadlane, ...

• Enterprise Cloud• Built on InfiniCenter, evolved from InfiniStructure

Page 4: Cloud Security: Beyond the Buzz

Terremark and the Cloud

• Gartner Magic Quadrant• VMWare Service Provider of the Year

• VMWare recently bought 5% of TMRK• Deep Cisco partnership• Large Federal Cloud deployments• Large Banking Cloud deployments• Security is a key differentiator for us!

Page 5: Cloud Security: Beyond the Buzz

Introduction: Mario D. Santana

• Director, Secure Information Services• Security/risk consulting, forensics, etc.• Security of Terremark’s hosting environments• Expert witness, lectures, etc.

• CISSP, CISA, GIAC, ECTF, Infragard, etc…• Systems developer/designer in the 80’s• Systems administrator/architect in the 90’s• Security guy in the 00’s

Page 6: Cloud Security: Beyond the Buzz

WHAT’S “THE CLOUD?”Depends who you ask. It’s some level of IT abstraction.

Page 7: Cloud Security: Beyond the Buzz

What’s Cloud?

• Depends who you ask!• Much agreement on NIST’s1 5 characteristics:

• On-demand self-service• Ubiquitous network access• Location-independent resource pooling• Rapid elasticity• Measured service

• You know this: you’re at CloudWorld!

Page 8: Cloud Security: Beyond the Buzz

Cloud is Abstraction

• NaaS: Network as a Service• The original cloud, as in network diagrams

• We don’t care how it works, it’s a black box• “Service” “Utility” “On-Demand” etc…

• Not to be confused with “managed” services• These are more of a partnership with a vendor

• Bottom line: Cloud is someone else’s problem. “It just works.”

Page 9: Cloud Security: Beyond the Buzz

Different Kinds of Cloud Computing

• Infrastructure as a Service (IaaS)• “Abstract away the data center”• Amazon EC2, Terremark e-Cloud

• Platform as a Service (PaaS)• “Abstract away the middleware”• Google AppEngine, Microsoft Azure

• Software as a Service (SaaS)• Salesforce.com, countless others…

Page 10: Cloud Security: Beyond the Buzz

The Cloud Stack

• Higher layers are built on lower layers

• Higher abstractions “include” lower ones

• Clouds used to be all (SaaS) or nothing (NaaS)

• Today’s marketplace has more fine-grained distinctions

Page 11: Cloud Security: Beyond the Buzz

Moving Target

• In analyst-speak: it’s a “dynamic marketplace”• Semantics matter

• New solutions break young, unrefined definitions• They yield insight about why Cloud is useful• As the marketplace matures, definitions solidify

• Players are making moves• SaaS players offering PaaS and IaaS, for example• Amazon’s multitude of offerings are coalescing

Page 12: Cloud Security: Beyond the Buzz

WHAT’S CLOUD SECURITY?It’s technology + process + due diligence. The core issue is trust.

Page 13: Cloud Security: Beyond the Buzz

Technology, Process, Shoe Leather

• There’s no magic technology in the Cloud• The stack is made up mostly of the same old stuff• There are a very few special considerations

• The Cloud is more than the technology• It’s also the business, cost, and operating models• Cloud security can look like security of outsourcing

• Bottom line: understand and secure the layers• The secret ingredient is due diligence

Page 14: Cloud Security: Beyond the Buzz

Technology: Defense in Depth

• Defend each layer independently• A few special considerations: shared

resources• All models: shared networking• IaaS: shared virtualization and storage• PaaS: shared middleware, database, etc.• SaaS: shared everything

• Mostly, non-Cloud security measures translate fairly easily to Cloud environments

Page 15: Cloud Security: Beyond the Buzz

The Real Issue: Trust

• Obviously, reputation matters• How long has the vendor been doing Cloud?• How solid is their past security record?• What are their plans? Will they be around long?

• Fundamental approach: Trust but Verify• Without verification, it’s more faith than trust• Partnerships with trustworthy third parties can help

• Weaknesses don’t have to be fatal• If you know about them, you can work with them

Page 16: Cloud Security: Beyond the Buzz

IAASThe Nitty Gritty: Considerations and Case Studies

Page 17: Cloud Security: Beyond the Buzz

IaaS: security challenges

• Virtualization issues• VM “break-out” attack: scary but rare• Miscellanea (e.g., hypervisor log-file flooding)

• Shared infrastructure issues• Shared storage: clean it before de-allocating it• Shared CPU/RAM: don’t over-allocate resources

• Depend on outsourced datacenter practices• These will cover pretty much everything else!

Page 18: Cloud Security: Beyond the Buzz

IaaS: security benefits

• Virtualization benefits• Machine-level instrumentation (e.g., VMSafe)• Simplified incident response, forensics, recovery

• Shared infrastructure benefits• Shared, industrial-strength instrumentation• Correlate security information across customers

• Relatively simple to understand• IaaS is much like any other outsourced data center

Page 19: Cloud Security: Beyond the Buzz

IaaS case study: Enterprise Cloud

• Terremark’s offering – I’m very familiar with it• Right now it’s a pure IaaS play

• Meeting the IaaS security challenges:• Mature architecture evolved over five years• Zero-on-read for shared storage• No over-allocation of CPU or RAM

• Leveraging IaaS security benefits:• Robust, integrated managed security offerings

Page 20: Cloud Security: Beyond the Buzz

PAASThe Nitty Gritty: Considerations and Case Studies

Page 21: Cloud Security: Beyond the Buzz

PaaS: security challenges

• Complex, powerful APIs are hard to protect• The platform itself must be safe from attack• Applications must be isolated from each other

• Security mechanisms are “secret sauce”• Details are scarce and vendors aren’t talking• Awkward to do due diligence or compliance

• Applications might still be insecure• Even a perfectly secure platform can’t fix that

Page 22: Cloud Security: Beyond the Buzz

PaaS: security benefits

• Centrally-managed platform• Fixes and countermeasures help all users• Correlation of security information across users

• More and better expertise about the platform• The best and brightest people• More attention to (security-related) detail

• Many non-Cloud measures translate directly• Application firewalls, strong authentication, etc.

Page 23: Cloud Security: Beyond the Buzz

PaaS case study: Google Apps

• Awkward case study, since Google isn’t talking• Severely limited API (reduce complexity)• Big promises, backed by a strong reputation1

• There is fuel for speculation:• Guido is on board (Google bets on smart people)• Java was designed with sandboxing from early on

• Recent issues2 have scared sensitive clients3

• Continued evolution of real and perceived security

Page 24: Cloud Security: Beyond the Buzz

SAASThe Nitty Gritty: Considerations and Case Studies

Page 25: Cloud Security: Beyond the Buzz

SaaS: security challenges

• Even more than with PaaS, trust is the key• The vendor runs everything, soup to nuts• The due diligence takes more effort

• As with PaaS, vendors are tight-lipped• Again, there’s “secret sauce” involved• More limited use cases expose fewer details

• No opportunity to work around weaknesses• The vendor controls every layer of the technology

Page 26: Cloud Security: Beyond the Buzz

SaaS: security benefits

• Centrally-managed application• Security is stressed by many users• Attack information correlated from many users

• Attention to the application• Unlike for users, running this app is the business• Shared costs brings more expertise and resources

• Little or no technical skill needed to assess• Lean on processes, certifications, and reputation

Page 27: Cloud Security: Beyond the Buzz

SaaS case study: Salesforce.com

• Very mature platform, yet still evolving• Started as a focused SaaS pure play• Solidly placed in the PaaS market today

• Security history typical of outsource partner• In 2007, over 900K customer identities stolen• In 2009, an extended outage during peak hours

• Original concept is simple• Keep watching as force.com gains momentum

Page 28: Cloud Security: Beyond the Buzz

BONUS ROUNDAdditional thoughts.

Page 29: Cloud Security: Beyond the Buzz

Bonus Round

• Typical recommendations• The “what” is the same for Cloud or no Cloud.

• How-to considerations• The plumbing is different in virtual environments• In theory, everything is easy; in practice, it depends

• Testing for security in the Cloud• Shared environments are always tricky to test• Bottom line: coordinate with your vendor

Page 30: Cloud Security: Beyond the Buzz

Typical Recommendations

• Full packet capture with session reassembly• NetFlow analysis (especially for DDoS)• Detailed incident response plan• Full forensics capability predefined• Code-level security review of applications• Application-level firewall• End-user metrics and analytics

These are the same for Cloud or no Cloud.

Page 31: Cloud Security: Beyond the Buzz

How-To Considerations

• Plumbing is different in a virtualized datacenter• Software switches and things like VMSafe• Be careful not to expose more attack surface

• In theory, everything is easier• The flexible plumbing opens a new world of options

• In practice, it depends• The vendor controls the virtualization layer• Do they have the wherewithal to cater to your

custom needs?

Page 32: Cloud Security: Beyond the Buzz

Testing for Security in the Cloud

• Shared environments are tricky to test• Read and understand the acceptable use policy• By design, security tests look like hacking activity• Illegal access vs. pen-testing: what’s the difference

• Bottom line: coordinate with your vendor• Clearly define the rules of engagement• Any findings will improve the service you receive• You can still incorporate the element of surprise

• E.g., perform authorized tests at random intervals

Page 33: Cloud Security: Beyond the Buzz

THANK YOU!Questions and discussion.