
Cloudy Computing

Assessing the risks and applying controls


Pete Lindstrom, Spire Security
petelind@spiresecurity.com
I'm a Twit! @SpireSec

2011 Spire Security. All rights reserved.

About Me
Pete Lindstrom, CISSP
Research Director
COO, ISSA

Over 20 years in Finance, IT, Security
Independent analyst performing reading, writing, 'rithmetic on security matters
Former Marine (veteran), Big Six IT Auditor, Internal Auditor, Security Architect & Manager
BBA Finance, University of Notre Dame

Cloud Security Agenda


Cloud and Risk Overview
Cloud Architecture
Cloud Impact on Threats
Cloud Impact on Vulnerabilities
Applying Controls
Recommendations

Oh, Yes!
THE CLOUD IS MORE SECURE!
WEB 2.0 IS MORE SECURE!
VIRTUALIZATION IS MORE SECURE!
RISKS ARE INSIGNIFICANT!

Oh, Yes! NO!


THE CLOUD IS MORE SECURE!
WEB 2.0 IS MORE SECURE!
VIRTUALIZATION IS MORE SECURE!
RISKS ARE INSIGNIFICANT!

EVERYWHERE!

The Truth is... it Depends

The cloud is more secure!
Web 2.0 is more secure!
Virtualization is more secure!

Image credit: http://blogs.msdn.com/b/willy-peter_schaub/archive/2009/09/19/tfs-migration-tools-should-we-opt-for-migration-or-synchronization-part-1.aspx


Assessing the Risk


Risk is a derivative of Expected Value
ALE = (Probability of Loss) x (Amount of Loss)

Risk {threats, vulns, consequences}
VaR = Risk * Consequences

Thinking about Risk


It is very difficult to quantify risk absolutely, but not hard to estimate things relatively

                 Current State    Cloud Scenario(s)
                                  Option 1    Option 2
Threat
Vulnerability
Consequences

Risk increases when


Vulnerability piece:
o you add users
o you open ports
o you add administrators
o you add apps/services or systems

Threat piece:
o you lower the cost to attack
Increased popularity of software platform

o you increase the access to the system

Consequences piece:
o you increase the value of the resources

Risk decreases when


Vulnerability piece:
o you remove users
o you close ports
o you remove administrators
o you stop apps/services or systems

Threat piece:
o you increase the cost to attack
o you restrict the access to the system

Consequences piece:
o you reduce the value of the resources
But we don't want to do this, right?

Measuring the impact on risk


Always a relative measure
o Compared to what?
Existing architecture
Another alternative

Involves reviewing administrative procedures and technical architecture
Take basic principles and apply to cloud computing
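The relative comparison described on the preceding slides, as an added example that is not part of the original deck: it compares two cloud options against the current state and reports the direction of change per risk component. The factor names follow the "Risk increases/decreases when" slides; the inventories, the 1-5 ordinal scales and the "mixed" verdict are assumptions made for this example.

```python
# Added example. Factor names come from the "Risk increases/decreases when" slides;
# every number below is a constructed, relative estimate, not data from the deck.

# Direction in which a larger value moves risk: +1 raises it, -1 lowers it.
FACTORS = {
    "vulnerability": {"users": +1, "open_ports": +1,
                      "administrators": +1, "apps_services": +1},
    "threat": {"cost_to_attack": -1, "access_to_system": +1},
    "consequences": {"resource_value": +1},
}


def compare(baseline, option):
    """Say how each risk component moves in `option` relative to `baseline`."""
    verdicts = {}
    for component, factors in FACTORS.items():
        signs = set()
        for name, direction in factors.items():
            delta = (option[name] - baseline[name]) * direction
            if delta:
                signs.add(1 if delta > 0 else -1)
        if not signs:
            verdicts[component] = "unchanged"
        elif signs == {1}:
            verdicts[component] = "increases"
        elif signs == {-1}:
            verdicts[component] = "decreases"
        else:
            # Factors pull in opposite directions; a count cannot settle it.
            verdicts[component] = "mixed"
    return verdicts


# Constructed inventories. cost_to_attack, access_to_system and resource_value
# are ordinal 1-5 estimates; consequences are held constant, as the deck does.
CURRENT = {"users": 400, "open_ports": 6, "administrators": 5, "apps_services": 12,
           "cost_to_attack": 3, "access_to_system": 2, "resource_value": 3}
OPTION_1 = dict(CURRENT, administrators=8, access_to_system=4)
OPTION_2 = dict(CURRENT, open_ports=2, administrators=8,
                cost_to_attack=4, access_to_system=4)

if __name__ == "__main__":
    for label, option in (("Option 1", OPTION_1), ("Option 2", OPTION_2)):
        print(label, compare(CURRENT, option))
```

A "mixed" verdict marks the cases where a control change (fewer open ports) and an architecture change (more administrators) offset each other and the estimate needs a person's judgement.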

Control Objectives

[Chart: control objectives Confidentiality, Integrity, Availability, Productivity, Propriety, with rows labelled Data/Information and Resources]

Applied to Technology
[Chart: the same control objectives (rows labelled Data/Information and Resources) against the columns Inbound (In-Transit), Stored (At-Rest), Outbound (In-Transit)]

Attacks and Compromises


                  Attacks                  Compromises
                  Inbound (In-Transit)     Stored (At-Rest)    Outbound (In-Transit)
Confidentiality   Sniff                    Copy (steal)        Leak
Integrity         Spoof, Replay, Insert    Modify              Redirect
Availability      Overload                 Delete              Overload
Productivity      Overload                 Distract            Consume
Propriety         Relay/Bounce             Abuse (illegal)     Propagate

(Rows are labelled Data/Information and Resources on the slide.)

Fundamental Risk Questions


What are the changes to the technical architecture (vulnerability)?
How do the user/source populations change with the new technologies (threat)?
How does the value to the attacker change with the new technologies (threat)?
How does the value to the owner change with the new technologies (impact)?
How does the control environment change with the new technologies?

Change in Consequences
A Control Objective Approach
o Information-centric Compromise
Modified data (Integrity)
Deleted data (Availability - Data)
Copied data (Confidentiality)

o System/App-centric Compromise
Resource Availability (Use Control)
Resource Misuse (Accountability)

This exercise is highly variable and left up to the responsible parties (we'll hold consequences constant)

Cloud Architecture


NIST Cloud Model


Traditional Network
[Diagram: DATA CENTER with DB/App servers behind switches and routers, split into Servers and Users zones; user segments PUBLIC ACCESS, BRANCH OFFICE and INTERNAL NETWORK (routers, switches, client apps, users)]

Server Cloud
[Diagram: the same network, with a group of DB/App servers labelled SOMEBODY ELSE alongside the DATA CENTER servers; user segments PUBLIC ACCESS, BRANCH OFFICE and INTERNAL NETWORK]

Client-Side Cloud

[Diagram: the same network, with DB/App servers and App/Client components labelled SOMEBODY ELSE alongside the DATA CENTER servers; user segments PUBLIC ACCESS, BRANCH OFFICE and INTERNAL NETWORK]

The CLOUD
may incorporate or leverage Web 2.0, SaaS, virtualization, grid, etc.
will provide platforms but (typically) not people
can eliminate the need for redundant services in multiple data centers
can host data and/or applications
can be client- or server-oriented

Cloud computing
aggregates resources of multiple parties (multi-tenancy)
requires a new level of administrator
o super-superuser

changes connection/integration points
makes every user external
minimizes the notion of network-based security

Cloud Risk Cheat Sheet


Threat often increases with accessibility of services.
Resources are aggregated/shared and often of higher value to attackers.
Risk associated with neighbors is transitive to the negative.
o Collateral damage

Cloud Impact on Threats


Change in Threat
Value to attacker increases
o Potential gain from shared resources

New attacks
o Side-channel attacks direct from bad guys or via more risk-tolerant, compromised neighbors

Indirect activity may make you collateral damage

Attacker's Benefits

The question you have to ask yourself is "Do I feel lucky?"
Scenario: if an attacker compromises your cloud environment, will she gain more or less than if she compromises your existing environment?
Compare the value of your ancillary systems to that of your cloud neighbors' systems, from the attacker's perspective.

Basic Questions to be Answered


Can one determine where in the cloud infrastructure an instance is located?
Can one easily determine if two instances are co-resident on the same physical machine?
Can an adversary launch instances that will be co-resident with other user's instances?
Can an adversary exploit cross-VM information leakage once co-resident?
Source: Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds

From random to targeted


We find that in some natural attack scenarios, just a few dollars invested in launching VMs can produce a 40% chance of placing a malicious VM on the same physical server as a target customer. Using the same platform we also demonstrate the existence of simple, low-overhead, coresidence checks to determine when such an advantageous placement has taken place.
Source: Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds


Cloud Impact on Vulnerabilities


Change in Vulnerability
Change in technical architecture
o These are attack points
o E.g. virtualizing non-virtualized assets
o Can't ignore your neighbors' resources

Change in security control environment
o What happens when everyone is outside the firewall?

In Other Words

If this is you... do you trust this?

What about virtualization?


Five Immutable Laws of Virtualization Security
1. All existing attacks still work.
2. Hypervisor risk is additive.
3. Separating applications / processes / content decreases risk.
4. Aggregating applications / processes / content increases risk.
5. The lower (in the stack) the better.

Food for Thought


Phrases and/or concepts with (security) meaning:
o Loosely coupled
o Multi-tenancy
o Shared resources
o Multiple hops

More attack points with more opportunities to connect, all other things equal

Applying Controls to the Cloud


Distinction: Security as a Service

Security functionality that leverages cloud benefits for reputation and location independence.
Can be inline and/or passive (like a span port tap)
Excellent opportunities for higher effectiveness / lower cost antimalware, content monitoring, authentication, etc.
However, this is NOT securing the cloud from an architectural perspective

The Four Disciplines


Identity Mgt: Managing users and other sources
Trust Mgt: Designing security policy and process
Threat Mgt: Monitoring activities and events
Vuln. Mgt: Hardening the systems

First order of business...

Who will perform your security functions?

Identity Management
o Creating user accounts
o Modifying user accounts
o Disabling/deleting user accounts
o Resetting passwords
o Authenticating users to resources
o Granting access to specific resources
o Restricting access to specific resources

Vulnerability Management
o Reviewing technology platforms for weaknesses (operating systems, COTS applications, custom applications)
o Remediating weaknesses (applying patches, rewriting code)
o Shielding weaknesses (limiting access to resources)

Threat Management
o Identifying attacks and compromises
o Blocking attacks and fixing compromises
o Responding to incidents
o Conducting forensic analyses

Trust Management
o Training users
o Testing users
o Defining policies and technical baselines
o Applying policies and technical baselines
o Audits and assessments

Identity Management Issues


User account management almost always remains with organization
Remote access models: VPN in the cloud, federated model, single-service model
Strong authentication depends on architecture and offerings

Vulnerability Management Issues


Who will patch?
o SaaS: usually service provider
o IaaS: usually enterprise

Responsibilities vary significantly
Application/Host layer focus (bye, bye network security)

Threat Management Issues


Monitoring moves to host-based
Requires forethought on how to integrate activity
o Where is your log consolidation tool?

Forensics responsibilities must be clearly defined

Trust Management Issues


Confidentiality and integrity of data is crucial
IaaS/PaaS: expect to encrypt
SaaS: depends on service provider

Recommendations


First, a Generic Summary


Cloud Scenario(s)

Threat: Typically increases due to attacker attractiveness and availability of resources
Vulnerability: Typically increases due to complexity of architecture; but may decrease based on application of stronger controls
Consequences: Up to you to decide

Small to midsize companies, business units, and departments that are performing non-core functions are prime candidates for cloud computing.

Recommendations
Move special-purpose (and non-core) functions with mobile users in the cloud first
o It's probably already there ;-)
o Customize everything!
o CPU cycles
o Network bandwidth
o You should assume you are on your own

Get ironclad guarantees on availability issues

Make no assumptions about compliance
Factor in performance/cost impact of security solutions

Recommendations
Think positive (as in default deny)
o Increased need for authentication
o Increased need for defined data/program paths with verified integrity
o Increased need for encryption

Rethink perimeters / zones
Fortify the integration points
Encryption is your friend
o There isn't really an encrypt/monitor tension here

The Big Three


Three Important Cloud Security Documents
o ENISA
Cloud Computing Security Risk Assessment

o Cloud Security Alliance
Security Guidance for Critical Areas of Focus In Cloud Computing

o NIST
Guidelines on Security and Privacy in Public Cloud Computing

Your feedback is essential!
Pete Lindstrom
petelind@spiresecurity.com
www.spiresecurity.com
I'm a Twit! @SpireSec
