Cloud Security Challenges and Guidelines

Academic year: 2021

(1)

© British Telecommunications plc

BT Assure. Security that matters

Theo Dimitrakos

Chief Security Researcher, BT Research & Technology
Professor of Computer Science, University of Kent
Contact: [email protected]

(2)

Diagram: BT security research portfolio, arranged by enabling technologies and application areas. Labels: Physical Security; Protect BT; Cyber SOC; Global Threat Monitoring; Cable Theft; Visual Analytics; Virtualisation and application security; Malware Evolution; AI; Future Home Security; Protection; Intelligent Network Alarm Correlation; ...; Secure Cloud Storage.

(3)

Change factors in a networked world

Cloud Computing
• Disappearing perimeters
• Business services distributed over the network
• Global operations
• Big data at rest on the network / exposed via the network

Network Virtualisation
• Virtualisation of networks and network devices
• New ways of operating network infrastructures

Internet of Things
• Massive interconnection of cloud services and smart devices
• Global distribution (Smart Cities, Smart Health, Smart Energy, etc.)
• Fusion of services with network areas that did not rely on IT networks

Content Networks & New Media
• New and more complex content
• Complex content and media delivery schemes

Mobile Network Evolution
• 4G evolution and deployment
• BYOD proliferation

Social Networks
• Complex interleaving communication channels
• New socio-technical models

Cyber Crime
• Fusion of traditional and internet crime
• Reputation damage and attacks

Cyber Terrorism
• Network increasingly a theatre of state, group and activist terrorism
• Complex supply chains

(4)

Example: commonly referenced cloud security incidents

Bad co-hosts
• Amazon: Hey Spammers, Get Off My Cloud! (2008)
• Megaupload US prosecutor investigation (2012)

Service Availability
• Bitbucket's Amazon DDoS: what went wrong (2009)
• AWS EBS cloud storage services outage (2011): impact on Netflix vs. Foursquare

Risk communication & Response
• DigiNotar (June 2011)
• RSA SecurID (March 2011)

Entitlement Management
• Security issues with Google Docs
• Security issues with Sony User Network

Hypervisor & Virtual Machine Vulnerabilities
• An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf
• Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware) (see also http://invisiblethingslab.com/itl/About.html)
• Cloudburst: arbitrary code execution vulnerability for VMware http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf

Crypto Ops in VM
• Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine

Lack of Standards
• In-cloud federated Identity Management

Data Provenance: where did the data come from?

Data Remanence: you can check out but can't leave

Location & Privacy: who looks at/after your data? And where? Jurisdictions?

(5)

Cloud Security: the challenges

Network Virtualisation

Topics:
• Virtualised network governance
• Virtualisation / hypervisor security threats
• Packet processing on a virtualised infrastructure
• Security processing impact

Threats and weaknesses:
• Improperly configured virtual firewalls or networking
• Inspection of intra-VM traffic on virtual networks
• Data leakage through offline images
• Improperly configured hypervisor
• Hypervisor vulnerabilities & malware
• Virtual machine images / virtual appliances containing malicious code (pre-built)

Requirements and costs:
• Confidentiality: efficient data encryption process & encrypted processing function
• Integrity: integrity monitoring of virtual image, network traffic & protocol processing; accountability
• Resource isolation: bandwidth slicing; virtual-to-physical mapping; network processor scheduling
• Shared processor and memory among virtual appliances
• Overhead on packet processing
• Overhead on forwarding rate

(6)

Cloud Security: the challenges

Cloud & Virtual Infrastructure Security

Topics:
• Isolation (inter-VM & hypervisor)
• VM security
• Hypervisor security
• Physical-to-virtual mapping
• End-to-end virtualisation
• Data leakage prevention
• Active shielding

Notes:
• Robust at system level (modulo kernel bugs); issues at management plane; memory hijacking
• Near real-time virtual patching
• Intrusion prevention at hypervisor level, below the guest OS; malware prevention / detection at hypervisor level
• Hypervisor / trusted VM: the best place to secure; limited compute resources; security API standards
• Difficult to exploit but high-impact. Do you trust Microsoft? Do you trust VMware?
• Guest OS needs security protection
• Resilient VM lifecycle: dynamic, at massive scale
• Crypto doesn't like virtual: current algorithms are set to optimise resource pooling; can't always use specialised HW; encryption key management
• Co-ordinate security policies & provisioning for network & server virtualisation; location/resource optimisation
• CSPs don't: allow clients to classify data; offer different levels of security based upon data sensitivity; offer DLP services

(7)

Cloud Security: the challenges

Cloud Data & Services Security

Topics:
• Law & compliance
• Data location & mobility
• Resilience & availability
• Security in depth
• Data commingling
• Multi-tenancy
• Cloud platform lock-in

Notes:
• VMs provided by the IaaS provider; platform stack by the PaaS provider; IaaS and PaaS issues plus application security
• Lack of standards; lack of interoperability; limited service portability; incompatible management processes
• Provider & resource / data location; cross-border data movement
• PII and privacy obligations (HIPAA, GLBA); auditing and compliance (PCI, ISO 27001); poor quality of evidence
• EU vs. US vs. China (government access); differences in data protection; cost of keeping data hosting in the EU
• Audit data legally owned by the CSP: refusal to 'hand over audit logs'? Difficult to involve law enforcement with CSP activities
• Latency-sensitive applications; enforcement of SLA obligations; insufficient capabilities to cater for managing critical data
• In-cloud segregation of data: difficult; accidental seizure of customer data during forensic investigations
• Security of shared resources; process isolation; data segregation; "data sharding" (fragment across images)
• Entitlement & access management (policy issuing authority)

(8)

Cloud Security: the challenges

Cloud Application Security

Topics:
• Distributed access management
• Virtual directory services
• Application service integration
• Identity lifecycle management

Notes:
• Provisioning; identity integration; user management; credential management; entitlement management; device credentials; PKI infrastructure
• Active Directory / LDAP: attributes, credentials and groups for edge servers
• Credential mapping
• Authorization with constrained delegation (policy integrity & recognition of authority)
• Trust & federation
• Security auditing
• Federation and edge server security
• Secure application integration fabric (secure ESB gateway)

(9)

Example: Cloud Computing Technology Innovation vs. Cyber Security Challenges

Commoditised virtualisation
• Security API for hypervisor
• Virtual Data Centre

Service Management Layer
• Commoditised elasticity
• Commoditised data abstraction & data federation

Cloud islands
• User-defined hosting
• On-demand elasticity
• Flexible charging model
• Rapid provisioning / de-provisioning
• Customer-defined standalone cloud applications
• Cloud island-specific security in depth
• Per-customer isolation & multi-tenancy

Common capabilities
• Cloud vs. managed service delivery model
• Reusable and customisable enabling services offered via a cloud service delivery model: identity & access; data & system security; data federation; performance monitoring; intelligent reporting; auditing; usage control; licensing; optimisation

Virtual Private Clouds
• Customer-defined security and QoS
• Customer-centric identity & access federation
• Customer-aware process & data isolation
• Customer-defined process and data federation
• Secure private network overlay offered as a service over the internet
• Customer-centric cloud application composition

Community Clouds
• Community-specific virtual private clouds
• In-cloud collaboration, community management & identity federation services
• Vertical integration of hosting and community-specific cloud applications
• Shared cloud-aware applications

Cloud-aware applications
• Commoditisation of cloud application stores
• Commoditisation of SDK for cloud applications
• Take advantage of cloud IaaS or PaaS to develop SaaS
• Ability to deploy your cloud SaaS over a targeted SaaS / PaaS
• SDK methods for on-demand elasticity, in-cloud hosting and dynamic resource provisioning

Cloud service assembly
• Standardisation of cloud service management interfaces
• Commoditisation of cloud assembly processes & tools
• Vertical value chain specific federation
• Ability to mix-and-match cloud infrastructure & in-cloud common capabilities when producing cloud applications
• Ability to specify and rapidly provision mixed delivery models, e.g. SaaS on 3rd party PaaS; PaaS on 3rd party IaaS

Open cloud federation
• Standardisation of: cloud common capabilities; cloud service management interfaces; cloud access management & federated identity models; cloud service monitoring & reporting; cloud license management services
• Virtual Private "Local" Network over the Internet
• User-defined Virtual Private Cloud

Cloud Aggregation Ecosystem
• Standardised cloud charging models including auctions
• Standardisation of cloud service assembly processes
• Virtual Data Centres assembled over multiple IaaS clouds by different providers
• PaaS over federated IaaS with integrated common capabilities by multiple 3rd parties
• Commoditisation of "Make your own Cloud" capability

(10)


Example: Cloud security innovation roadmap at BT Research & Technology

Roadmap diagram items:

Technical innovation challenges & solutions:
• Secure Cloud Service Broker
• Virtual hosting on federated clouds
• Accountable Entitlement Management (in-cloud)
• Virtual Patching
• Cloud SaaS security / confidentiality enhancements
• Application-aware Behavioural Malware detection (in-cloud)
• In-cloud malware scanning
• Secure cloud storage service
• Cloud information assurance metrics
• Cloud security analytics
• Hypervisor-level Malware Detection
• Hypervisor-level Intrusion Prevention
• Hypervisor-level Data Leak Prevention
• Use of trusted hardware in Virtual Data Centres & Cloud

Cloud Security Innovation Strategy:
• Market evolution analysis
• Recommendations for High-level Secure Cloud Architecture for Government (IaaS)
• In-cloud security cost-benefit analysis
• Cloud information assurance metrics
• Cloud security risk assessment (eGov)
• Recommendations for High-level Secure Cloud Architecture for Government (SaaS)
• Cloud ecosystem security value network
• Market analysis revision
• Cloud security value network revision
• Strategic Foresight

Themes: Cloud federation; Cloud Security services; Cloud Security infrastructure; Secure Virtualisation

Further items:
• SSO & Identity Management as a Cloud Service
• Multi-Cloud Intelligent Protection
• Secure Storage
• Multi-Cloud Cloud Federation Fabric
• Cloud Aggregation Environment
• Cloud Federation Management
• Cloud CERT
• Cloud Cyber-Incident Management

Legend: BT core technology innovation activity; Research Collaboration; Long term research; Strategy / Guidelines

(11)


Technology Risks
• Hypervisor vulnerabilities
• Lack of cloud-specific security solutions
• Defence in depth is complex to achieve in the Cloud

Multi-tenancy (shared infrastructure)
• Resource sharing
• Poor process isolation / data segregation
• Data sharding, remanence (erasure), co-mingling

Protection in depth & security at multiple layers
• Virtual image provided by IaaS provider
• Platform stack provided by PaaS
• SaaS application security

Resilience & Availability
• Latency controls for sensitive applications
• Inability to enforce high-assurance SLAs
• CSP unable to provide QoS for sensitive applications

Data Location & Mobility
• EU vs. US vs. China regulations (Government access)
• Differences in data protection between EU regions
• Examples of CSP refusing to 'hand over audit logs'

Information Assurance & Compliance
• Cross-border data movement
• Privacy obligations (DPA, HIPAA, GLBA)
• Auditing and compliance (PCI, ISO 27001)

Cloud vendor lock-in
• Lack of standards / interoperability
• Limited service portability
• Incompatible management processes

Corporate Risks
• Lack of transparency
• Limited auditability
• Global CSP: regulatory compliance

Routes to impact:
• Direct innovation downstream to BT MFUs / platforms
• Influence EU / UK policy (via expert advisory groups / agencies)
• Influence industry via CSA and ISF

(12)


Examples of Collaborative Research Impact & Value Generation: overview

Influence strategy & policy at EU and national level: contributors to ENISA advisory reports on cloud security:
• Cloud Computing: Benefits, Risks and Recommendations
• Security and Resilience of Governmental Clouds
• Procure Secure: security levels in cloud contracts
• Governmental Clouds: Good Practice Guide
• Incident Reporting in the Cloud

Technologies and trials:
• Intelligent Protection
• Secure Cloud Storage
• Multi-cloud VPN overlay
• Trust Assessment
• Cloud Compliance Assessment
• Governmental Cloud Store Capabilities
• Intelligent Protection for Governmental Applications
• Cloud Data Protection Services
• Federated Identity as a Service for PSN and G-Cloud
• Trials: Central Government; Greek Ministry of Finance; Municipalities (London, UK; Genova, Italy; Belgrade, Serbia)

Timeline: 2010-2013 EU collaboration, cloud technology development; 2014-2017 cloud technology trials & validation

(13)


Examples of Collaborative Research Impact & Value Generation: illustrative case

• CIP STRATEGIC: Secure cloud service store
• EIT HII Trusted Cloud: Secure cloud platform
• FP6 TrustCoM (IP, 2004-7): Security policy management automation
• FP6 BEinGRID (IP, 2006-9): Common Capabilities for Cloud, Cloud Architecture Security Patterns
• FP6 OPTIMIS (IP, 2010-13): Secure Cloud Broker, Common capabilities for Cloud Data & Application Protection
• FP7 FED4FIRE experiments (2014): Multi-cloud Data & Application Protection at large scale

BT Cloud Compute: Platform, Application, Data Security; Identity Federation

BT Security: Cloud Security Services; Identity as a Service

Pipeline: Research, Development & Experimentation; Technology & Business Validation; BT customisation & productisation

(14)


Cloud security research

• In-Cloud Security Services
• Secure Community Clouds
• Protecting BT's Cloud Platforms
• Protect BT's use of cloud infrastructure, platform and application services

Research themes:
• Identity & Federation
• Application & Virtual Server Protection
• Storage & Data Protection
• Platform & Infrastructure Security
• Governance, Standards, Compliance, Assurance

(15)

One capability, multiple cloud security service models

Multi-cloud protection
• One: security dashboard; security policy management interface; governance process
• Many: control points; cloud platforms; applications & servers

Cloud store / Marketplace
• Horizontal / reusable capability
• Fully integrated with cloud application deployment
• Automated policy derivation (security intelligence)
• Automated security patching per application
• Customisable self-management interface
• Multi-cloud
• One click to buy

Cloud platform enhancement
• Horizontal / reusable capability
• Configurable security options
• Fully integrated with cloud application deployment
• Automated policy derivation (security intelligence)
• Automated security patching per application
• One click to buy
• In-flight provisioning
• Inventory sync

Cross-cloud application-defined security policy
• Multi-cloud deployment
• Application-defined virtual network overlay
• Application-defined security policy group

Delivery options: Cloud-based; On-premise; Fully managed

(16)


BT Cloud Security Services Incubator: Enabling Open Innovation

• Working with customers to trial new innovations
• Obtain early market feedback and test commercial attractiveness and commercial viability
• Define community, qualify and prioritise opportunities
• Research prototype to refine concept in partnership with community
• Validate candidate technologies/software
• Ideas for new products and services
• Ideas for changing commercial models and value propositions
• Ideas to make things faster
• When concepts have been proven with customers then they will be down-streamed to product platforms

Stages: Idea generation; Strategic collaboration; Customer trials; New products & propositions (Research, Alpha, Beta, Platform)

• Alpha at Adastral Park run by R&T; supports ISV integration, hot houses, etc.
• Beta at London GS2 run by GS, tactical ops from IP Soft; targeting LatAm, US,

(17)


Thought-leadership: Innovation Demonstrators

Cloud Broker & Federation
• Secure Cloud Service Broker
• Cloud community management
• Cloud Identity and Federation management

Cloud Application Security
• Intelligent Application Protection
• Accountable Entitlement Management
• Confidentiality/Compliance for Cloud SaaS

Cloud System Security
• GRC Assessor
• Secure data storage & sharing
• Intelligent System Protection
• Virtual Security Patching

Secure Virtualisation
• Hypervisor level Malware Detection
• Hypervisor level Intrusion Prevention
• Hypervisor level Data

(18)

(19)

BT thought-leadership: overview of external collaborations

• Co-authors of ENISA expert advisory report on Cloud Security Risk Analysis
• Contributors to CSA security guidelines and lead of the Virtualisation Security work stream
• Co-authors of the BT Cloud Security standard
• Contributors to ENISA expert group on Government use of Cloud computing
• Leading Governmental Cloud Services Store & Cloud Security activities on STRATEGIC, a €5 million innovation validation project
• Led Cloud Brokerage & Federation use case at OPTIMIS, a €10.5 million collaborative R&D project
• Led BEinGRID (Chief scientist / technical director), the largest R&D investment (€25 million) on next generation SOA in Europe

Invited speakers at events: InfoSec, CloudSecurity, RSA, e-Crime, Intellect, ISF, CSO Summit, etc.

(20)

Protection in the Cloud: BT Intelligent Protection

Theo Dimitrakos

(21)

Protection of Systems & Apps in the Cloud

What is it?
• A cloud security service that has been designed and developed to address customer demand for protecting virtual servers and hosted applications on cloud infrastructures.
• Supports multiple cloud service providers, including BT Cloud Compute, Amazon EC2, vCloud etc.
• Comprehensive security solution: virtual firewall, intrusion prevention/detection, security patch management, anti-malware.
• Deploy security patching & intrusion prevention with no downtime.
• Central security portal to manage protection in multiple cloud platforms.
• Automatically protect deployed applications / systems in the virtual environment.

Flexible delivery of protection:
• At hypervisor / virtualisation management level.
• By self-installing agents on 3rd party environments.
• Automatically integrate with application deployment via the Service Store.

Current status
• About to go live in the next release of BT Cloud Compute.
• Marketplace and intelligent protection service can be used to auto-provision on most popular cloud infrastructure / platform providers.

Benefits
• Reduction of complexity through integration with the cloud environment for automatic capability provisioning, life-cycle management and inventory synchronisation.
• Provides vulnerability protection.
• Eliminates the cost and risk of deployment, integration and management of complex security software or appliances.

Next steps
• Inclusion in BT Compute product roadmap
• BT Wholesale proposition

Intelligent Protection Service

Security is secretly out of control

(22)

Important elements of cyber security strategy & innovation

Protection life-cycle: Intelligence; Prevention & Protection; Continuous Assessment; Remediation planning & Impact Analysis; Adapt & Respond

Other important elements:
• Think global
• Understand the societal, business & technology evolution
• Share intelligence with care
• Carefully attribute responsibility: think of the whole supply chain
• Design for change & adaptation
• Understand the impact of change
• Learn from your own and others' mistakes
• Centralise visibility & control
• Distribute the ability to enforce & self-adapt within policy & context

(23)


Cloud portal: Intelligent Protection Security Dashboard

Core strengths & innovative features
• In-flight intrusion prevention, no downtime
• Comprehensive security solution: virtual firewall, IPS, security patch management, anti-malware
• 360° protection of customer applications
• Built for Cloud/VDC: hypervisor-level security, more effective, easier to integrate into the cloud

(24)

Automatic Application Protection


During application provisioning, customers / tenants:
• Purchase an Intelligent Protection licence for the required security modules (Firewall, Anti-Malware, Intrusion Detection, Integrity Monitoring, Log Inspection)
• Select an application from the Application Marketplace
• The deployed application is automatically protected with the selected security options

(25) to (27)

Automatic Application Protection (continued)

Cloud Security Services – protection of data in the cloud

Security is secretly out of control

Secure cloud data protection service

What is it?
Not just another cloud (i.e. network accessible) storage service.
• A cloud security service enabling customers to manage data protection across many cloud infrastructures
• Virtual "hard-disk" volume encryption offered 'as a service'
• Decryption only possible in "safe" environments following policy-based approval
• Protected data mobility across servers and across clouds
• Customer in control of compliance with data-protection policies across many clouds and regions
• Faults & security breaches visible across clouds
• Seamless integration with cloud service stores and interoperability with most cloud platforms

Current status
• About to go live on BT Cloud Compute.
• Marketplace and intelligent protection service can be used to auto-provision on most popular cloud IaaS/PaaS
• BT intellectual property (2 core and 9 related patents)
• Estimated impact of protecting revenue > £30M p.a.
• Selected for trial with municipalities (UK, Italy, Serbia) and central government services (Lithuania, Greece)

How it works
Customer is in control of connection, protection and access to secure virtual storage.
• Decryption only possible when data is used in a specific 'safe' environment following policy-based approval.

Policy-driven key management
• Uses identity- and integrity-based enforcement to ensure only authorised virtual machines receive keys and access to secure storage.
• Automates key release and virtual machine authorisation for rapid operation.
• Enables the use of policies to determine when and where keys are used.

Advanced encryption techniques
• Features FIPS 140-2 certification and FIPS-approved AES encryption.
• Encrypts and decrypts information in real time, so that data is always protected.
• Applies whole-volume encryption to secure all data, metadata, and associated structures.

Robust auditing, reporting, and alerting
• Logs actions in the management console for audit purposes.
• Provides detailed reporting and alerting features with incident-based and interval-based notifications.
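The policy-driven key release described under "How it works", written up as an added example rather than BT's product code: a key server releases a volume key only to a virtual machine whose identity, image integrity measurement and region satisfy the customer's policy, and records every decision for audit. The attestation format (an HMAC over the VM's claims under a secret shared with an attester), the policy fields and all names are assumptions made for this example; the AES whole-volume encryption that the released key would feed is not shown.

```python
"""Policy-driven release of a volume-encryption key to an attested VM.

Added example: models the control the slide describes, not BT's product API.
Assumption: the VM's claims (id, image hash, region) arrive with an HMAC tag
from an attester that shares `attest_secret` with the key server; a real
deployment would use hardware-backed attestation for the measurement.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class VolumePolicy:
    """Customer-defined conditions under which the volume key may be released."""
    allowed_vm_ids: set            # identities permitted to mount the volume
    expected_image_hash: str       # integrity measurement of the approved image
    allowed_regions: set           # jurisdictions where decryption is allowed


def make_attestation(attest_secret: bytes, vm_id: str, image_hash: str, region: str) -> str:
    """Attester side: tag the VM's claims so the key server can verify them."""
    msg = f"{vm_id}|{image_hash}|{region}".encode()
    return hmac.new(attest_secret, msg, hashlib.sha256).hexdigest()


@dataclass
class KeyServer:
    """Holds volume keys, evaluates policy per request and records every decision."""
    attest_secret: bytes
    policies: dict = field(default_factory=dict)
    keys: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def register_volume(self, volume_id: str, policy: VolumePolicy) -> None:
        self.policies[volume_id] = policy
        self.keys[volume_id] = secrets.token_bytes(32)   # 256-bit AES volume key

    def request_key(self, volume_id, vm_id, image_hash, region, tag):
        """Return the volume key if policy passes, else None; always audited."""
        reasons = []
        policy = self.policies.get(volume_id)
        if policy is None:
            reasons.append("unknown volume")
        elif not hmac.compare_digest(
                make_attestation(self.attest_secret, vm_id, image_hash, region), tag):
            reasons.append("attestation tag invalid")   # claims were altered or forged
        else:
            if vm_id not in policy.allowed_vm_ids:
                reasons.append("vm identity not authorised")
            if image_hash != policy.expected_image_hash:
                reasons.append("integrity measurement mismatch")
            if region not in policy.allowed_regions:
                reasons.append("region not permitted by policy")
        self.audit_log.append({
            "volume": volume_id, "vm": vm_id, "region": region,
            "decision": "RELEASE" if not reasons else "DENY", "reasons": reasons,
        })
        return self.keys[volume_id] if not reasons else None


def demo():
    """Constructed scenario: one approved VM, one tampered image, one wrong region, one forged tag."""
    secret = b"constructed-attester-secret"
    good_hash = hashlib.sha256(b"approved-vm-image").hexdigest()
    server = KeyServer(attest_secret=secret)
    server.register_volume("vol-finance", VolumePolicy(
        allowed_vm_ids={"vm-app-01"}, expected_image_hash=good_hash,
        allowed_regions={"eu-west"}))
    bad_hash = hashlib.sha256(b"modified-vm-image").hexdigest()
    attempts = [
        ("vm-app-01", good_hash, "eu-west"),   # matches policy: key released
        ("vm-app-01", bad_hash, "eu-west"),    # image tampered: integrity check fails
        ("vm-app-01", good_hash, "us-east"),   # data would be decrypted outside permitted region
    ]
    results = [server.request_key("vol-finance", vm, h, r, make_attestation(secret, vm, h, r))
               for vm, h, r in attempts]
    # Claims look valid but the tag was produced without the attester secret.
    forged = server.request_key("vol-finance", "vm-app-01", good_hash, "eu-west",
                                make_attestation(b"wrong-secret", "vm-app-01", good_hash, "eu-west"))
    return results, forged, server.audit_log


if __name__ == "__main__":
    _, _, log = demo()
    for entry in log:
        print(entry["decision"], entry["reasons"])
```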

(29)


Cloud-based Identity Management Service

Future challenge: traditional enterprise in a changing world

Diagram: the internal enterprise alongside the cloud (cloud platform & infrastructure, cloud apps & web services, social media, SaaS), leading to: silo expansion; identity shadowing; policy fragmentation; loss of control.

(30)


Cloud-based Identity Management Service

Future challenge: cloud-ready, always-connected enterprise

Diagram: the internal enterprise alongside the cloud (cloud platform & infrastructure, cloud apps & web services, social media, SaaS).

Cloud/hosted service providing, for both on-premise and in-cloud services & applications:
- Holistic identity life-cycle management
- Privileged identity
- Governance, audit
- Federation and SSO
- Fraud prevention

Gateway/bridge, for enterprise resources, to:
- Identity management
- Enterprise governance
- Access management
- Information protection

(31)

References