
Securing Cloud Infrastructures with Elastic Security


Academic year: 2021


White Paper

September 2012

Core Business Objective in Cloud Security

New Security Challenges in Cloud Infrastructures

Characteristics of the Elastic Security Strategy

Elastic Security Technology

Elastic Vulnerability Assessment - EVA

Multi-Layer

Multi-Cloud

Auto-checks

Building Elastic Security on IaaS

Benefits of Elastic Security

Conclusion

Core Business Objective in Cloud Security

Cloud computing adoption is rising fast. Flexibility, pay-per-use pricing and on-demand resources, with the promise of lower ownership costs, make a very attractive value proposition. As Michael Heim, CIO of Eli Lilly, a big pharmaceutical company, put it in an interview with Information Week in November 2010:

“We’ve had cases where it’s taken six to eight weeks to get a service up that was really needed when it was requested, and simply by having these capabilities and use cases in place now we’ve been able to go much more rapidly. Rather than six or eight weeks, we’re talking days. Guys can spin these things up in minutes, and the cost is trivial in many cases, for the work that they’re doing. For us, it’s pipeline, pipeline, pipeline. Anything we can do to further our knowledge, get products into the pipeline, and develop those more quickly, is crucial to us. It’s hard to underestimate the value of letting scientists work at their own pace.”

On the other hand, Infrastructure as a Service (IaaS) providers, such as Amazon Web Services (AWS), Rackspace, HP Cloud and traditional hosting companies, are being asked for flexible cloud offerings while also having to meet their customers’ security demands.

CIOs and CSOs need to manage the security of their own infrastructure. They must secure their services and their users’ data against configuration errors, as well as external and internal attacks. They must also be able to continuously monitor their environment in order to detect attacks and configuration issues as soon as possible, so they can take corrective actions. All this should be achieved without increasing IT administration costs.

Existing security solutions are not only time consuming for IT administrators and demanding of advanced technical skills, but were also designed to implement static security perimeters for static infrastructures. Furthermore, security was handled by hardware appliances requiring time-consuming deployment, configuration and maintenance of security software agents. In the era of elastic and programmable cloud IT infrastructure, a completely new approach to security is needed.

New Security Challenges in Cloud Infrastructures

Cloud Computing is transforming IT infrastructures. These transformations apply as well to the way we handle infrastructure security. Within the scope of the Cloud Security Alliance, security experts have done a comprehensive analysis of the challenges ahead of us. There is a set of underlying problems that need to be addressed in order to meet the core business objective and meet the needs of CIOs and CSOs:

• Lack of visibility. IaaS is more dynamic than classical infrastructures, since servers, network and storage are launched for temporary usage and even launched automatically. This makes it difficult to keep track of the availability of each server, network and storage as well as their security status. Servers that are no longer in use but that nobody remembered to stop, and even stopped (dormant) servers, are exposed to potential security threats.

• Security degradation over time. Modifications to an IaaS environment, such as temporary access, starting new services, tests and starting new machines, generally reduce the level of protection of a system over time, which increases the risk of external and internal attacks. On the other hand, even if some resources are temporary, they need to be protected even for short periods of time. Today, the time window between the discovery of a vulnerability and the widespread exploitation of it is getting narrower.

• Manual configuration errors. Today, IT administrators are under growing pressure to deploy new applications faster and to provision user and partner connections more rapidly, all within a more complex technological environment. IT administrators make mistakes, such as opening the wrong firewall ports or giving access to unauthorized users. Due to the complexity and dynamic nature of cloud computing infrastructures, security in such environments can no longer be handled manually.

• New attack vectors and threats. The capabilities and the flexibility of IaaS also bring new threats, such as the nefarious use of resources by malicious insiders, or threats related to virtualization and API technologies. Attackers can take advantage of the cloud as well, for example, for cracking passwords.

Characteristics of the Elastic Security Strategy

The goals of CSOs and CIOs are to reduce potential security threats to a minimum and keep operating costs under control. Benefiting from the advantages of IaaS while reducing security related risks is possible with Elastic Security. The characteristics of the Elastic Security strategy are:

• Full Automation. Keeping operating costs under control means being able to automate the whole or parts of their cloud computing security management by eliminating the majority of manual set up, security monitoring, and corrective actions.

• Agentless. IT administrators can no longer spend time deploying and maintaining agents in every machine on a dynamic infrastructure. Even if the deployment may be automated through automation tools, the performance footprint of agents on servers and potential conflicts with applications are sources of problems. Moreover, agents are OS dependent and have vulnerabilities as well. Through the virtualization layer, and using APIs such as VMware vShield or Amazon EC2 security groups, security solutions can analyze resource information and enforce security with no agents.

• Comprehensive Security Assessment. The traditional layered approach, where each security component takes care of a specific layer such as the network, is not enough. IT administrators need comprehensive solutions but today no company or technology solves the entire cloud security challenge. It is vital to protect the computing infrastructure as part of a data protection goal. In order to establish trust with enterprise and business leaders, IT administrators need to deploy and show they are using tools that tackle the new security challenges brought by IaaS.

• No Lock-in. The ability to use different IaaS offerings for reliability, flexibility and being able to have full visibility through the same dashboards and metrics is important for CIOs and CSOs.


Elastic Security Technology

SecludIT’s Elastic Security technology is unique thanks to the following features:

• Elastic Vulnerability Assessment - EVA

• Multi-Layer: network, cloud software stack, servers and data

• Multi-Cloud Support

• Auto-Checks patented technology

Elastic Vulnerability Assessment - EVA

Traditionally you had to choose between agent-based and agentless solutions. SecludIT has developed a new approach to vulnerability assessment by using the elasticity of IaaS: Elastic Vulnerability Assessment - EVA. By performing regular and intrusive tests on cloned servers, EVA brings the best of both worlds: none of the hurdles of agents and none of the false positives of agentless scanning.

Cloning has almost no impact on your servers and applications, and the cost of an additional machine for a limited time is low within IaaS infrastructures. EVA then performs deep and intrusive vulnerability testing on the clone, so that you can really be sure of the strength of your security while eliminating false positives. Moreover, it avoids the performance impact and the risks of breaking applications and losing data.

Furthermore, new elastic and pay per use infrastructures bring higher percentages of stopped servers. These “dormant” servers constitute potential threats to the infrastructure as acknowledged by the Cloud Security Alliance. While stopped, the servers are not surveilled by agents or agentless solutions and they are not patched. They become weak links of your infrastructure when started. That’s why EVA tests and raises alerts in case of vulnerabilities in your dormant servers.

Multi-Layer

A comprehensive vulnerability assessment solution for cloud infrastructures needs to take into account not only the cloud servers (host and OS services configuration), but also the network, the cloud software stack (the layer of software that makes the cloud and the cloud APIs, sometimes also called the cloud OS), the applications and the data.

SecludIT’s products, such as Elastic Detector, analyse network configuration, such as firewall rules, open ports and VLANs, and perform intrusive tests on servers and applications. Finally, they look for cloud-critical data such as SSH keys and cloud API keys left unprotected on your IT infrastructure.

Multi-Cloud

Using multiple cloud IaaS providers or using hybrid deployments is a way to reduce risk, to optimize costs and to avoid lock-in. The complexity of managing the security of multiple clouds is reduced by using products that support several IaaS providers, such as Elastic Detector.

SecludIT uses the cloud APIs on a regular basis in order to detect infrastructure changes and to detect vulnerabilities. The APIs and features of the different cloud stacks differ, which raises the complexity of the analysis.

SecludIT has developed algorithms in order to evaluate the security of different cloud implementations so that you have a consistent set of metrics, a comprehensive view and clear indicators while spanning your infrastructure across several cloud providers.

Auto-checks

SecludIT has developed auto-checks that are automatically set in order to monitor your IT cloud infrastructure. This is mandatory on a continuously changing infrastructure. Therefore, while your IT infrastructure evolves to answer your business needs, the right security checks are automatically set. Unlike other security and monitoring tools, where you have to set up checks and alerts for each server, SecludIT auto-discovers your servers, networks, applications and data. The next step is to automatically set the checks and alerts for you. Additionally, you can fine-tune the checks and alerts in order to respond to very specific needs, but as long as your infrastructure keeps evolving, Elastic Detector keeps up with the security through the auto-checks.

Therefore, Elastic Detector lets you keep full visibility on your cloud infrastructure with nearly zero administration. The right checks are automatically deployed and run in a continuous mode, adapting the security perimeter to your infrastructure without further administration.
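The auto-check idea described above, sketched as an added example (not SecludIT's code or algorithm): checks are derived from whatever a discovery pass returns, so a newly launched or stopped (dormant) server is covered without manual setup. The inventory layout, field names, thresholds and server IDs are constructed assumptions.

```python
from datetime import date

# Constructed inventory snapshot, standing in for the result of a cloud API
# discovery pass. Every field name and value here is an illustrative assumption.
INVENTORY = {
    "servers": [
        {"id": "srv-web-1", "state": "running", "last_patched": date(2012, 9, 1), "groups": ["sg-web"]},
        {"id": "srv-batch-7", "state": "stopped", "last_patched": date(2012, 3, 14), "groups": ["sg-admin"]},
        {"id": "srv-test-3", "state": "running", "last_patched": date(2012, 8, 20), "groups": ["sg-admin"]},
    ],
    "firewall_groups": {
        "sg-web": [{"port": 443, "source": "0.0.0.0/0"}],
        "sg-admin": [{"port": 22, "source": "0.0.0.0/0"}, {"port": 5432, "source": "10.0.0.0/8"}],
    },
}

PUBLIC_OK_PORTS = {80, 443}  # assumption: only web ports may face the internet
MAX_PATCH_AGE_DAYS = 30      # assumption: patch-age threshold


def derive_checks(inventory):
    """Derive checks from discovered resources instead of configuring them per server."""
    checks = []
    for server in inventory["servers"]:  # stopped servers are included on purpose
        checks.append(("patch_age", server["id"], None))
        for group in server["groups"]:
            checks.append(("world_open_ports", server["id"], group))
    return checks


def run_checks(inventory, today):
    """Run every derived check; return (server_id, finding, is_dormant) tuples."""
    servers = {s["id"]: s for s in inventory["servers"]}
    findings = []
    for kind, server_id, group in derive_checks(inventory):
        server = servers[server_id]
        dormant = server["state"] == "stopped"
        if kind == "patch_age":
            if (today - server["last_patched"]).days > MAX_PATCH_AGE_DAYS:
                findings.append((server_id, "stale_patches", dormant))
        else:
            for rule in inventory["firewall_groups"][group]:
                if rule["source"] == "0.0.0.0/0" and rule["port"] not in PUBLIC_OK_PORTS:
                    findings.append((server_id, f"port_{rule['port']}_open_to_world", dormant))
    return findings
```

Re-running `derive_checks` after each discovery pass is what keeps the check set aligned with a changing infrastructure.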

Building Elastic Security on IaaS

SecludIT’s software helps CIOs and CSOs automate the security of virtual machines and virtual firewalls and provides full visibility of cloud infrastructures through detailed records. Furthermore, SecludIT detects malicious behaviour from external and internal users. Finally, SecludIT’s software also automatically implements corrective actions based on the results of the auto-checks and the Elastic Vulnerability Assessment (EVA). All this is done taking into account the infrastructure (cloud software stack, server VMs, network connections, applications and data) and not only VMs like traditional tools. The advantages of Elastic Security are:

Comprehensive visibility of cloud infrastructures by

• Providing a clear and complete view of machine usage through up-to-date detailed record logs in order to assure accountability

• Keeping system administrators and others who manage cloud environments always in control of security-related decisions

Increased overall security of cloud infrastructures by

• Enabling system administrators to detect configuration issues and attacks as soon as possible

• Reducing configuration errors to a minimum and taking into account the dormant resources

• Triggering corrective actions automatically, based on the results of detection

• Reducing the time between the emergence of an IaaS threat and its full protection (vulnerability window)

Reduced time and cost for cloud administration by

• Significantly reducing or eliminating manual security set up of new machines

• Automating detection, protection and compliance

Benefits of Elastic Security

The key benefits provided by SecludIT’s software are:

• Be resilient to attacks immediately, thereby raising the service level of the IT infrastructure

• Protection of intellectual property and brands

• Achieve compliance, re-assure corporate leaders and keep the security budget lean

Conclusion

Existing security standards do not take IaaS into account, but standards will emerge, and compliance with these standards will be a vital need for CIOs and CSOs. For example, the PCI-DSS standard included virtualization guidelines in June 2011. The Cloud Security Alliance has published a set of guidelines since 2009 and now has a partnership with ISO to work towards cloud security standards. SecludIT is developing solutions that will help CIOs and CSOs comply with the forthcoming standards.

SecludIT’s vision is that only a fully automated approach to security can cope with the elastic nature of new cloud infrastructures and their new threats. Therefore, in order to protect elastic infrastructures, security administrators need elastic security, which makes it possible to dynamically adapt the security perimeter to changing cloud infrastructures with no software agents and no false positives.

About SecludIT

SecludIT is a security startup founded by security experts, fully focused on cloud infrastructures (IaaS). With its strategic partner Institut Eurecom, SecludIT has performed security audits on public cloud infrastructures such as AWS EC2, found vulnerabilities highlighted by Forbes (http://www.forbes.com/sites/andygreenberg/2011/11/08/researchers-find-amazon-cloud-servers-teeming-with-backdoors-and-other-peoples-data/) and published the results at the ACM SAC 2012 international conference. SecludIT is one of the authors of the Security Guidance for Critical Areas of Focus on Cloud Computing V2.1 (https://cloudsecurityalliance.org/research/security-guidance/) from the Cloud Security Alliance (CSA) and a founding member of the CSA.
