Felix Mohan
CISO, Bharti Airtel Ltd
NASSCOM-DSCI Information Security Summit 2009
November 24, 2009
Virtualization & Cloud Computing –
Strategic Technologies with Significant Impact
Top 10 Strategic Technologies that will make a significant impact on
enterprises in the next 3 years:
2008
5. Virtualization
2009
1. Virtualization
2. Cloud Computing
2010
1. Cloud Computing
2. Virtualization & Availability
Virtualization
78% of organizations will have implemented virtualization by end of 2010
Only 19% indicated that virtualization security was a priority
“It is alarming that though virtualization security should be a concern, majority
of organizations & security leaders are ignoring its implication…”
E&Y 12th Annual Global Information Security Survey, November 2009
(Conducted across 60 countries, 1900 companies)
The biggest security problem in Virtualization & Cloud Computing, analysts say, is not
the security issue itself, but rather the inability to recognize security concerns…
Virtualization – Risks
VM Change & Configuration Management-Related
Exponential VM Sprawl
• Admins can create, clone, delete, move or roll-back the execution state of a VM
• Difficult to audit and apply security policies
• By 2010, VM Sprawl will reach the same level of concern as unmanaged endpoints in 2007 – Gartner
Patch Management
• Regular Patches for online & offline VMs required – VMware buys Blue Lane Technologies in 2008
VM Mobility
• VMs can be moved literally with the click of a button – VMware vMotion
• Should pass through NAC before getting into production systems
Virtual Appliances Download
• The downloaded virtual appliances may be malicious or misconfigured/unpatched – VMware marketplace has over 1000 virtual appliances, many free, uploaded by partners
• With ‘client hypervisors’ to be available from 2010, virtual appliance downloads will grow exponentially
Hypervisor-Related
Lucrative target for Attack
• Hypervisor manages all VMs and virtual processes – is a single point of failure
• Though hardened with extremely thin OS, it can have vulnerabilities
• VMware issued patches for its ESX hypervisor in Sep 2008 for Buffer Overflow vulnerability
Hypervisor Attack Surface
• Direct console access to hypervisor UI – requires physical access to hypervisor host
• Network access to hypervisor UI interface
• VM ‘breakout’ through subversion of hypervisor through manipulation of shared memory
Attack Demonstrated
• July 2009 – at the Black Hat meet, researcher Kostya Kortchinsky demonstrated how to attack the hypervisor from a VM through a memory leak exploit (Cloudburst)
Trusted Boot
• Tampered Hypervisor should be prevented from booting
• Root trust in hardware - Trusted Platform Module (TPM) with checksums/hash values
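How a hardware root of trust detects a tampered hypervisor, as an added example that is not part of the original slides: a Python simulation of the TPM extend operation, not a call into a real TPM. SHA-256, the stage names and the reference-value workflow are assumptions made for illustration.

```python
import hashlib
import hmac

PCR_RESET = bytes(32)  # a PCR is all zeros at platform reset (SHA-256 bank)


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(component))."""
    measurement = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + measurement).digest()


def measure_chain(components) -> bytes:
    """Fold every boot stage, in order, into one PCR value."""
    pcr = PCR_RESET
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


def boot_allowed(components, expected_pcr: bytes) -> bool:
    """Policy check: proceed only if the measured chain matches the reference."""
    return hmac.compare_digest(measure_chain(components), expected_pcr)


# Constructed stand-ins for the real firmware, bootloader and hypervisor images.
GOOD_CHAIN = [b"firmware-1.0", b"bootloader-1.0", b"hypervisor-1.0"]
TAMPERED_CHAIN = [b"firmware-1.0", b"bootloader-1.0", b"hypervisor-1.0+patch"]
REORDERED_CHAIN = [b"bootloader-1.0", b"firmware-1.0", b"hypervisor-1.0"]

# Reference value recorded once from a known-good host (hypothetical workflow).
EXPECTED_PCR = measure_chain(GOOD_CHAIN)

if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("tampered", TAMPERED_CHAIN),
                        ("reordered", REORDERED_CHAIN)]:
        verdict = "boot" if boot_allowed(chain, EXPECTED_PCR) else "halt"
        print(f"{name:9s} {measure_chain(chain).hex()[:16]}  -> {verdict}")
```

Because each extend hashes the previous PCR value, a change to any stage, or to the order of stages, changes the final value, and software running later cannot roll it back.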
Virtualization – Risks
Virtual Networks-Related
Composed of virtual routers, switches and I/O channels within the memory backplane of the hypervisor
Non-virtualized tools are Blind
• Virtual networks run inside the physical host, handling traffic which is invisible to anything outside of that host
• Non-virtualized security tools (firewalls, IPS, Vulnerability scanners) cannot see or validate what is happening in a virtual network
• This opens up risks of malicious activities going unnoticed
• Lack of visibility is a major security issue – VMware bought Determina in 2007
• VMware VMSafe APIs (released in 2008) can be used by security vendors to gain visibility into VMs’ memory, network traffic etc.
Lack of Network Segmentation
• Virtual networks flatten the infrastructure – there is no network segregation based on ‘Trust Levels’ or security policies – VMware vShield Zones released in 2009
Administrator activities
Virtualization – Risks
Virtual Administrator-Related
Loss of Separation of Duties
• Virtual centre administrator does the role of procurement, system admin, network admin, and security administrator all rolled into one
• A single administrator has the ‘keys to the kingdom’
Abuse of Privilege
• Collapse of roles can lead to escalation of privilege, & Abuse of Privilege
Fraud
• Admin can make unauthorized changes to the hypervisor, decrypt network traffic, peek into physical memory, take snap shots of data – all without any fear of detection
• 22% of data breaches are due to Admin Privilege Abuse – Verizon Business Data Breach
“Two Thirds of Firms Are Using Cloud Computing, Despite Risks”
Computerweekly.com, Nov 2008
• Cloud computing is a new way of delivering computing resources, not a new technology
• Virtualization + Web 2.0 + Distributed parallel computing (Hadoop & MapReduce)
• Infinite pool of additional capacity available on demand – payable by the usage
• Capex to Opex
• Quicker provisioning
“58% organizations are examining cloud computing for adoption”
Shavlik Technologies Survey at VMWorld, Sep 2009
Worldwide forecast for cloud services in 2009 = $17.4bn; the estimation for 2013 = $44.2bn
IDC Analysis
Cloud Computing – Risks
Organization-Related
Lock-in
• Extremely difficult to migrate from one provider to another
• SaaS – Customer data in custom database schemas
• PaaS – Code developed using custom API offered by provider
• IaaS – VM and software non-portability
• Sep 2008, Open Virtual Machine Format specification (OVF 1.0) – by Microsoft, VMware, Citrix, HP, IBM & Dell
Provider & Supply Chain-Related
• Possibility of provider going out of business, or restructuring offer of services etc.
• Provider may have outsourced their ‘production’ chain to 3rd parties.
• Non-extension of contractual obligations, or control, on 3rd party
Governance & Compliance-Related
• The control is with the provider, however the accountability is with the Customer
• Providers don’t permit audits – & when permitted, an audit is complex due to the distributed nature of the cloud
• Compliance requirements such as segregation of duties, audit, separation of customer data etc. required by regulations/standards like PCI DSS cannot be met by cloud providers
Cloud Computing – Risks
Legal-Related
Location & Jurisdictions
• Distribution of data over multiple jurisdictions; lack of transparency on where the data is located
Forensics & e-discovery
• Little control on forensics, e-discovery, and provision of evidentiary data to law enforcement
• Inadequate proof of non-tampering of log data
Confiscation of servers by law enforcement
• Confiscation of physical servers may mean loss of confidentiality/privacy of all tenants’ data
Privacy-Related
• Privacy of customer data held at provider’s cloud cannot be guaranteed.
• Though provider is data processor, the customer is data controller, and legally liable for privacy
Secondary usage of data
• Contractual enforcement to limit usage of customer data by provider
Response to privacy breach
• Provider may not monitor for breach, which may affect ‘data breach notification’ compliance requirements, and make Customer legally liable
Cloud Computing – Risks
Virtualization Technology-Related
Loss of Separation amongst customers
• Failure of mechanisms to isolate compute capacity, storage or network between multiple customers
• Guest-hopping attacks and SQL injection attacks exposing multiple customers’ data stored in same file
Attacks on Hypervisor
• Exploit un-patched hypervisor vulnerabilities or from within VM (VM outbreaks)
• Can lead to complete & anonymous control of data in all customer environments
• Can be used to reduce resources assigned to customers leading to DoS
People-Related
Malicious insiders
• Malicious activities or abuse of root privilege by cloud administrators can lead to loss of data confidentiality/privacy
• Just as call centre agents associated with the financial industry are targeted, cloud provider administrators will also be targeted by criminal gangs
Cloud Computing – Risks
Data-Related
Interception
• Interception of data in transit can occur during:
  • Data synchronization amongst distributed images within provider cloud, or
  • Data upload/download between customer and provider
• Sniffing, spoofing, man-in-middle attacks, and replay attacks are possible threats
Deletion
• Extremely difficult to ensure data deletion in the cloud