The Day After Yesterday
or: How I Learned to Stop Worrying About Securing the Cloud
Start at the Beginning
• Virtualization Security is easy once you understand how hard it is
• Cloud Security is a topic almost as controversial as the Healthcare Bill, but much more widely debated
• With all this topic encompasses, I’m going to focus only on the practical, and leave theorizing and pontificating about “the future of cloud” to other pundits
The Next 54 Minutes
• My focus is on the enterprise
• My focus is largely on virtualization
• I’m only going to talk specifics with regards to the most “popular” solutions
• My focus is on what you can do today

Topics
• Practical VirtSec
  • Resources
  • Hypervisor
  • Management Interface
  • Virtual Machines
  • Virtual Networks
• Practical CloudSec
  • Risks
  • Mitigation
  • EC2 Basics
  • VPC
  • Third-party

Virtualization is...
• Broad term, many uses
• Abstraction of characteristics of physical compute resources from systems, users, applications
• Typically:
  • Resource (virtual memory, RAID, SAN)
  • Platform (virtual machines)

Cloud is...
• A nebulous term ;)
• A collection of _____, comprised of _____, that can be rapidly _____
• Resources hosted _____
• Not a new technology!

Cloud is...
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
(NIST’s definition of cloud computing)

VirtSec is...
• Security of virtual infrastructure and the virtual machines running within it
• Many considerations are the same in virtual and physical infrastructure, however
• Virtualization does introduce a unique architecture and a few unique challenges

CloudSec is...
• Defined by individual interpretation and implementation of “cloud”
• More process than technology
• Subject to the same advantages and disadvantages inherent in cloud

VirtSec in Practice

Simpler is Better
• Keep It Simple, Stupid (KISS)
• Make Your Architecture Simpler to Secure! (MYASS)
• More moving pieces means more time, effort and money required to implement security completely and effectively
• Don’t let the capabilities of your platform fool you into believing you need all of them

Where the Wild Things Are
• Five primary [sub]systems:
  • Compute, network and storage resources
  • Hypervisor / VMM / vmkernel
  • Virtual machines (guest OS)
  • Service console (COS, dom0)
  • Networking [layer]

Secure Your Resources
• Your virtual infrastructure is only as secure as the resources that comprise it!
• Securing your compute, network and storage infrastructure is as important as securing the hypervisor and guests
Storage and Network
• Fabric zoning and LUN masking on the SAN
• Isolated [dedicated] IP storage networks
• Mutual CHAP for iSCSI, restrict NFS exports by client IP
• Firewalls throughout, forward and reverse proxies where possible
• Consider physical log and monitoring servers, IDS/IPS, load balancers
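Two of the items above are easy to check mechanically: whether every NFS export names a specific client, and whether the iSCSI initiator is configured for two-way rather than one-way CHAP. The script below is an added example, not part of the original deck. It assumes Linux file syntax (/etc/exports on the NFS server, /etc/iscsi/iscsid.conf on an open-iscsi initiator; ESX sets CHAP through its own tools, but the same two-credential rule applies), and all sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original deck): check "restrict NFS by IP" and
# "mutual CHAP for iSCSI" against config files. Paths are parameters so the
# checks run against the constructed samples below or against a live host.

# 0 if every export names an explicit client (host, netgroup or CIDR); 1 if any
# export is open to everyone ("*" or an empty client list). Offenders are printed.
nfs_exports_restricted() {
    offenders=$(sed -e 's/#.*$//' "$1" | awk '
        NF == 0 { next }
        NF == 1 { print "OPEN: " $1 " has no client list (exported to everyone)"; next }
        {
            for (i = 2; i <= NF; i++) {
                host = $i; sub(/\(.*$/, "", host)      # drop "(options)"
                if (host == "" || host == "*")
                    print "OPEN: " $1 " exported to " $i
            }
        }')
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# Value of an uncommented "key = value" line in an iscsid.conf-style file.
conf_value() {
    sed -n -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# 0 only if CHAP is on and BOTH credential pairs are set: the initiator's
# (username/password) and the target's (username_in/password_in). One-way CHAP
# lets a rogue target impersonate your SAN, so it is reported as a failure.
iscsi_mutual_chap() {
    conf="$1"
    method=$(conf_value "$conf" node.session.auth.authmethod)
    if [ "$method" != "CHAP" ]; then
        echo "NO CHAP: node.session.auth.authmethod is '${method:-unset}'"; return 1
    fi
    for key in username password username_in password_in; do
        if [ -z "$(conf_value "$conf" node.session.auth.$key)" ]; then
            echo "ONE-WAY CHAP: node.session.auth.$key is unset"; return 1
        fi
    done
    return 0
}

# Constructed samples so the script runs offline; not taken from any real host.
write_samples() {
    cat > "$1/exports.good" <<'EOF'
# VM datastore, reachable only from the dedicated storage VLAN
/srv/vmstore   10.0.20.0/24(rw,no_root_squash,sync)
/srv/iso       10.0.20.0/24(ro) backup.example.internal(ro)
EOF
    cat > "$1/exports.bad" <<'EOF'
/srv/vmstore   10.0.20.0/24(rw,no_root_squash)
/srv/iso       *(ro)
/srv/scratch   (rw)
EOF
    cat > "$1/iscsid.good" <<'EOF'
node.session.auth.authmethod = CHAP
node.session.auth.username = esx01-initiator
node.session.auth.password = CONSTRUCTED-initiator-secret
node.session.auth.username_in = san01-target
node.session.auth.password_in = CONSTRUCTED-target-secret
EOF
    cat > "$1/iscsid.bad" <<'EOF'
node.session.auth.authmethod = CHAP
node.session.auth.username = esx01-initiator
node.session.auth.password = CONSTRUCTED-initiator-secret
#node.session.auth.username_in = san01-target
#node.session.auth.password_in = CONSTRUCTED-target-secret
EOF
}

samples=$(mktemp -d)
write_samples "$samples"
for f in exports.good exports.bad; do
    if nfs_exports_restricted "$samples/$f"; then echo "$f: restricted"; else echo "$f: FAIL"; fi
done
for f in iscsid.good iscsid.bad; do
    if iscsi_mutual_chap "$samples/$f"; then echo "$f: mutual CHAP"; else echo "$f: FAIL"; fi
done
rm -rf "$samples"
```

Run it against the real files (`nfs_exports_restricted /etc/exports`, `iscsi_mutual_chap /etc/iscsi/iscsid.conf`) from a cron job and you have a cheap drift detector for the storage network. The exports check accepts hostnames and netgroups as well as CIDRs; only `*` and a missing client list are flagged.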
Secure Your Hypervisor
• Not generally user-serviceable
• Small(ish) attack surface
• Area of least control (and concern)
• See hyperjacking
• See redpill / bluepill
• The future? Hardware Root of Trust

Service Console
• In ESX, the COS is based on RHEL/CentOS
• Moderately secure out of the box (only authenticated and encrypted management services on by default)
• Still, needs additional hardening to be considered secure
• ESXi has BusyBox, no real COS
• XenServer dom0 is also CentOS

ESX Minimum Required Hardening
• Limit use of su to members of the wheel group
• Enforce use of sudo and use command aliases
• Configure TCP wrappers (hosts.deny)
• Authenticate via AD or LDAP
• Replace the default self-signed SSL certs with certs issued by your own CA
• Configure NTP and remote logging

Further COS Hardening
• VMware’s Hardening Guides (VI3, vSphere)
• CIS ESX server benchmark
• Tripwire’s ConfigCheck, OpsCheck
• XenSource wiki

Configure NTP & remote logging
• Configure host to sync time via NTP
• Configure remote logging (consider Syslog-NG, Splunk, Mitre’s CEE)
• Configure alarms and alerts via SNMP
• Archive logs to RO medium daily
• Keep your COS/dom0 patched!
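The "ESX Minimum Required Hardening" and "Configure NTP & remote logging" slides describe one procedure, so here is one worked version of it. This is an added example, not from the original deck or from VMware's guides. It assumes a RHEL/CentOS-style COS (PAM su stack, a single /etc/sudoers, TCP wrappers, ntp.conf, sysklogd-style syslog.conf) and writes everything under a staging root rather than into /etc, so the result can be diffed and reviewed first. The management network, NTP hosts, log collector and ESX command paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original deck): stage the COS hardening settings
# and audit them. Everything goes under a staging root, never straight to /etc.
# Hostnames, networks and command paths are placeholders.

render_hardening() {
    root="$1"
    mkdir -p "$root/etc/pam.d"

    # su only for root itself and members of wheel (pam_wheel)
    cat > "$root/etc/pam.d/su" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF

    # sudo through a named command alias, never a bare ALL; log every invocation
    cat > "$root/etc/sudoers" <<'EOF'
Cmnd_Alias  VMOPS = /usr/bin/vmware-cmd, /usr/sbin/esxcfg-vswitch, /usr/sbin/vmkfstools
User_Alias  VMADMINS = %vmadmins
VMADMINS    ALL = (root) VMOPS
Defaults    logfile=/var/log/sudo.log, log_year
EOF

    # TCP wrappers: deny everything, then admit sshd from the management net only
    printf 'ALL: ALL\n' > "$root/etc/hosts.deny"
    printf 'sshd: 10.0.10.0/255.255.255.0\n' > "$root/etc/hosts.allow"

    # NTP: internal servers only. 'restrict default ignore' also drops replies
    # from the servers unless each one gets its own restrict line.
    cat > "$root/etc/ntp.conf" <<'EOF'
restrict default ignore
restrict 127.0.0.1
restrict ntp1.example.internal nomodify notrap noquery
restrict ntp2.example.internal nomodify notrap noquery
server ntp1.example.internal iburst
server ntp2.example.internal iburst
driftfile /var/lib/ntp/drift
EOF

    # syslog: keep local copies and forward everything to the remote collector
    cat > "$root/etc/syslog.conf" <<'EOF'
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
*.*                                         @loghost.example.internal
EOF
}

# Audits: each returns 0 when the file (staged or live) meets the requirement.
su_restricted_to_wheel() {   # pam_wheel must be required/requisite in the auth stack
    grep -Eq '^auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}
sudo_uses_aliases() {        # at least one Cmnd_Alias, and nobody granted a bare ALL
    grep -Eq '^Cmnd_Alias' "$1" && \
        ! grep -Eq '=[[:space:]]*(\([^)]*\)[[:space:]]*)?ALL[[:space:]]*$' "$1"
}
tcp_wrappers_default_deny() { # hosts.deny must carry ALL: ALL
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}
ntp_configured() {            # a server line, and the default restrict closed
    grep -Eq '^server[[:space:]]+' "$1" && \
        grep -Eq '^restrict[[:space:]]+default[[:space:]].*(ignore|noquery)' "$1"
}
remote_logging_configured() { # some selector forwards to @host or @@host
    grep -Eq '^[^#]+[[:space:]]@@?[A-Za-z0-9.:_-]+' "$1"
}

# Run every audit under ROOT ("" for the live host); return 1 if any fails.
audit_cos() {
    root="$1"; rc=0
    check() { if "$1" "$root$2"; then echo "PASS $3"; else echo "FAIL $3"; rc=1; fi; }
    check su_restricted_to_wheel     /etc/pam.d/su     "su limited to wheel"
    check sudo_uses_aliases          /etc/sudoers      "sudo uses command aliases, no bare ALL"
    check tcp_wrappers_default_deny  /etc/hosts.deny   "TCP wrappers default deny"
    check ntp_configured             /etc/ntp.conf     "NTP servers set, default restrict closed"
    check remote_logging_configured  /etc/syslog.conf  "syslog forwarded to a remote host"
    return $rc
}

stage=$(mktemp -d)
render_hardening "$stage"
audit_cos "$stage"
# On a real COS, point the same audit at the live tree:  audit_cos ""
rm -rf "$stage"
```

The audit half is the part worth keeping around: run `audit_cos ""` from the remote-logging host over SSH after every patch cycle, since a COS update can reset ntp.conf or syslog.conf. The sudoers rule deliberately names commands rather than granting `ALL`, because a bare `ALL` on the console host is a hypervisor-wide root shell.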
Virtual Machines
• VMs are highly mobile and often short-lived
• “VM sprawl” results from creation of new VMs to suit every whim
• Most organizations have poor change control and/or patch management systems for virtual infrastructure
• Introspection mechanisms not widely available, deployed

The Malignant OS
• Needs to be hardened / secured just like on physical machines
• Principles of minimization will lead to smaller, faster, more secure VMs

Power. Respect. JEOS.
How far will you go to get it?
• Just Enough Operating System
• Most effective way to ensure security of virtual infrastructure
• Difficult to achieve today, not impossible
• nLite, vLite, LitePC
• Ubuntu VM Builder, SuSE Studio, rPath
• See the service guides at http://blackviper.com
• http://nliteos.com

Guest OS Hardening
• Consider automated assessment tools, checklists and/or hardening scripts
• nmap, Nessus, Metasploit, CANVAS
• “15 Steps to Hardening WS2003”
• Microsoft Baseline Security Analyzer
• Bastille Linux

VM Introspection
• Examine and understand internal state of a running VM
• VMsafe
• XenAccess
• Virtual Introspection for Xen

Virtual Networking
• Built-in vSwitches provide some protection
  • Limit promiscuous mode
  • Prevent MAC address changes / forged transmits
  • Basic VLAN tagging, trunking
• No native ACLs or firewalling

Enhanced Virtual Networking
• New vSwitches provide greatly enhanced functionality and security (Open vSwitch, Cisco Nexus 1000v)
• You can also do a fairly effective job with:
  • Vyatta, LRP, FreeSCO
  • m0n0wall, pfSense, OpenBSD
  • Astaro, IPCop, Untangle

Important Considerations
• Isolated, OOB management network
• Isolated, OOB IP storage networks
• Redundant NICs in NIC teams across redundant switches
• Physical separation between prod and dev
• Physical interfaces always preferred over VLANs for segmentation

UTM-in-a-VM?
• In addition to firewalls, consider that you may need to provide VM-based IDS / IPS, authentication, NAC, and/or malware protection and content filtering within your virtual networks
• Astaro and Untangle provide much of this functionality already

Configuration Management
• Configuration management and change control are two of the most critical elements in an effective security policy
• Also the two most frequently overlooked, and/or shoddily implemented processes
• There are tools available to help, you just have to use them!
• http://veeam.com
• http://racktables.org
• http://opennetadmin.com/
CloudSec in Practice
"Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties."
From the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing

Fundamentals
• K.I.S.S. (M.Y.A.S.S.)
• Define assets, understand trust models
• Understanding cloud is key to securing cloud
  • 5 cloud characteristics
  • 3 service models
  • 4 deployment models

4 8 15 16 23 42
• Five characteristics
  • On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service
• Three service models
  • SaaS, PaaS, IaaS
• Four deployment models
  • Public, Community, Private, Hybrid
Cloud Security Alliance

What Do We Mean By Cloud Security?
• Infrastructure security?
• Virtualization security?
• Application security?
• Compliance?
• It’s all about the assets

What Do You Mean What Do I Mean?
• Infrastructure, virtualization, application security no less important than before, but managed differently
• Compliance is important, but useless taken out of context (SAS 70 Type II, but with which controls?)
• Compliance doesn’t fully address governance, residency, access

“The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a possible attack at several different points;”
Sun Tzu

Predominant Risks
• Loss of governance
• [Lack of transparency]
• Lock-in
• Isolation failure
• Management interface compromise
• Data protection
• Incomplete or insecure data deletion
• Malicious insider
From ENISA’s Benefits, Risks and Recommendations for Information Security

Barriers
• Largely questions of governance, residency and compliance
• Where is your data?
• Who has access?
• Who controls and manages it?
• How is the data accessed?

Mitigation
• Encrypt locally before storing in the cloud
• Ensure external key storage and management
• Keep private data out of the cloud
• Build protection mechanisms directly into your resources in the cloud
• Host a private cloud
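The first two mitigations, encrypt locally and keep the key outside the provider, are one workflow. The script below is an added example, not from the original deck: it generates a key on local media, encrypts a file with OpenSSL before it ever touches the cloud store, and refuses to declare the file "ready to upload" until the ciphertext round-trips with the local key and contains no trace of the plaintext. It assumes OpenSSL 1.1.1 or later for `-pbkdf2`; the sample record and the upload command are placeholders, since the upload depends on the provider's tooling.

```shell
#!/bin/sh
# Added example (not from the original deck): client-side encryption with a key
# that never leaves your own storage. Assumes OpenSSL >= 1.1.1 for -pbkdf2.
set -u

# 32 random bytes, hex-encoded, owner-only permissions. This is the "external
# key storage" item: the key is never copied next to the ciphertext.
make_local_key() {
    ( umask 077; openssl rand -hex 32 > "$1" )
}

# AES-256-CBC with a random salt; the key is derived from KEYFILE via PBKDF2.
encrypt_for_cloud() {
    keyfile="$1"; plaintext="$2"; out="$3"
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass "file:$keyfile" -in "$plaintext" -out "$out"
}

decrypt_from_cloud() {
    keyfile="$1"; ciphertext="$2"; out="$3"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$keyfile" -in "$ciphertext" -out "$out"
}

# Pre-upload gate: 0 only if the ciphertext decrypts back to the original with
# the local key and the first 16 bytes of plaintext do not appear in it.
verify_roundtrip() {
    keyfile="$1"; plaintext="$2"; ciphertext="$3"
    tmp=$(mktemp)
    if grep -q -F "$(head -c 16 "$plaintext")" "$ciphertext"; then
        echo "plaintext leaked into ciphertext"; rm -f "$tmp"; return 1
    fi
    decrypt_from_cloud "$keyfile" "$ciphertext" "$tmp" || { rm -f "$tmp"; return 1; }
    cmp -s "$plaintext" "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone demo on a constructed record (not real data).
work=$(mktemp -d)
printf 'customer 0042, constructed sample record, not real data\n' > "$work/records.txt"
make_local_key "$work/records.key"          # keep this file OFF the cloud store
encrypt_for_cloud "$work/records.key" "$work/records.txt" "$work/records.txt.enc"
if verify_roundtrip "$work/records.key" "$work/records.txt" "$work/records.txt.enc"; then
    echo "ready to upload: records.txt.enc (key stays local)"
    # upload step depends on the provider, e.g.  s3cmd put records.txt.enc s3://bucket/
fi
rm -rf "$work"
```

Two caveats a practitioner should keep in mind. `openssl enc` gives confidentiality only; before trusting a file you pull back down, check an HMAC or signature you computed before upload (`openssl dgst -sha256 -hmac` with a second local secret), since CBC ciphertext can be tampered with undetected. And the key file is now the asset: back it up as carefully as the data, but to somewhere the provider cannot read.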
Encourage Adoption of Open Standards
• Will help with transparency
• Will help avoid lock-in
• Will help in understanding governance
• Will help in achieving compliance

Required Reading
• CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing
• ENISA’s Benefits, Risks and Recommendations for Information Security
• CloudSecurity.org
• RationalSurvivability.com/blog

EC2 Security Basics
• Automate, orchestrate, standardize using RightScale, Puppet, Chef, etc.
• Firewall rules / security groups (inbound is deny-by-default; open admin ports only to known source ranges)
• SSH keys, AWS multi-factor auth
• Use modern, trusted AMIs, patch regularly
• Know what you’re doing? Roll your own AMI
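Security groups are where most EC2 exposure happens in practice, usually because someone opens SSH or a database port to 0.0.0.0/0 to "just get it working". The gate below is an added example, not from the original deck: it reads a proposed rule set, rejects rules that violate a small least-privilege policy, and emits the CLI command only for rules that pass, so the check can sit in front of the change. The deck predates the unified `aws` CLI, so the command syntax shown is today's `aws ec2 authorize-security-group-ingress`; the group id, the admin-port list and all addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original deck): pre-flight gate for EC2 security
# group rules. Input is one "proto port cidr" per line; every rule is validated
# before its authorize command is printed. Group id and policy are placeholders.

# Ports that must never be reachable from the whole internet (constructed list)
ADMIN_PORTS="22 3389 3306 5432 1433 27017"
# Prefixes shorter than this are treated as "the whole internet"
WORLD_MAX_PREFIX=8

# 0 if CIDR is a well-formed IPv4 prefix (a.b.c.d/n, each octet <= 255, n <= 32)
valid_cidr() {
    echo "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
          exit 0 }'
}

# 0 if the rule is acceptable, 1 (with a REJECT line) otherwise.
validate_rule() {
    proto="$1"; port="$2"; cidr="$3"
    case "$proto" in
        tcp|udp) ;;
        *) echo "REJECT $proto/$port $cidr: protocol must be tcp or udp"; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "REJECT $proto/$port $cidr: port must be numeric"; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "REJECT $proto/$port $cidr: port out of range"; return 1; }
    valid_cidr "$cidr" || { echo "REJECT $proto/$port $cidr: malformed CIDR"; return 1; }
    prefix=${cidr#*/}
    if [ "$prefix" -lt "$WORLD_MAX_PREFIX" ]; then
        for p in $ADMIN_PORTS; do
            [ "$p" = "$port" ] && {
                echo "REJECT $proto/$port $cidr: admin port open to the world"; return 1; }
        done
    fi
    return 0
}

# Validate every rule in RULES_FILE; print the CLI command for those that pass.
# Returns 1 if anything was rejected, so a CI job can fail the change request.
emit_sg_commands() {
    rules="$1"; group="$2"; rc=0
    while read -r proto port cidr; do
        case "$proto" in ''|'#'*) continue ;; esac      # skip blanks and comments
        if validate_rule "$proto" "$port" "$cidr" >&2; then
            echo "aws ec2 authorize-security-group-ingress --group-id $group" \
                 "--protocol $proto --port $port --cidr $cidr"
        else
            rc=1
        fi
    done < "$rules"
    return $rc
}

# Stand-alone demo on a constructed change request.
rules=$(mktemp)
cat > "$rules" <<'EOF'
# proto port cidr
tcp 443  0.0.0.0/0
tcp 22   203.0.113.0/24
tcp 22   0.0.0.0/0
udp 123  10.0.0.0/8
tcp 3306 0.0.0.0/0
EOF
emit_sg_commands "$rules" sg-0123456789abcdef0 \
    || echo "change request rejected; fix the rules above" >&2
rm -f "$rules"
```

In the demo, HTTPS to the world and SSH from a single /24 pass; SSH and MySQL to 0.0.0.0/0 are rejected and the job exits non-zero. The same shape works for the older `ec2-authorize` tooling of the deck's era: only the printed command changes, the policy does not.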
Virtual Private Clouds
• Connect existing datacenter infrastructure to isolated cloud resources
• Private, overlay network
• Extend existing datacenter security and monitoring controls into the cloud
• Amazon VPC
• CohesiveFT VPN-Cubed
• CloudSwitch

More CloudSec
• enStratus
  • Extra-cloud key and credential storage and management
• PerspecSys
  • Apps in the cloud, data at home
• More solutions coming every day, and I’m interested in hearing about those I neglected to include or mention!

In Conclusion
• VirtSec and CloudSec follow the same rules that the rest of our infrastructure follows, though they do introduce new surfaces, forms of exposure, and questions about governance and responsibility
• Secure your resources first, then focus on hardening your guests and instances -- the most likely sources of compromise and/or data loss / theft / manipulation