Cloud Security
Introduction
• Sam Quigley Principal at Emerose Advisory Services, a consultancy focused on helping both startups and enterprise customers think through web and cloud security issues.
http://emerose.com/ • Jake Kaldenbaugh
Principal & Founder of CloudStrategies – a consultancy helping both enterprise customers & vendors strategize on Cloud adoption:
Change Management, Vendor Selection, Market Mapping, Positioning & Business Development.
http://www.cloudstrategies.com/ • Mike Masnick, Moderator
CEO, Floor64, builder of insight platforms, editor of the Techdirt blog
Today’s Webinar
•
Introduction
•
No, not another definition
•
Real-World Approaches
•
Trends/Predictions
•
Three Topics: Control, the Perimeter, and APIs
•
Managing Risk in the Cloud
•
More Information
Yes, another Cloud Computing Definition!
•
Cloud is not a “what”, it’s a “how”:
…an architectural reformation of how
computing is acquired, provisioned,
consumed and owned (or not)…
…an abstraction of application load from
the physical infrastructure and the
utilization of the output…
The Cloud Spectrum
•
The flavors of Cloud define the “what”:
IaaS
PaaS
SaaS
• Amazon • GoGrid • Linode • Rackspace • Others… • AppEngine • Azure • EngineYard • Force.com • Heroku • Google Apps • Salesforce • Taleo, Workday,
many, many more…
Compute Compute Compute App Framework App Framework
Cloud Today = Two Markets
•
Cloud workloads are more about “what”:
Cloud
Forward
Vs.
Cloud
Backward
• “Sexy” stuff
• “New” web biz models • Enterprise: Mostly
Marketing
• Platforms: Ruby on Rails, RESTful, Python, PHP, AJAX, etc… • “Legacy” stuff • Incremental • Enterprise: IT Driven • Platforms: Microsoft, VMWare, Oracle, Citrix, etc…
Trends/Predictions
•
Pure cloud will dominate in the long term
Simple economies of scale “Utility” model for computing (commoditization) Full Enterprise adoption: Still a long way off
•
New companies and startups will adopt quickly
More agile, less constrained by legacy systems Can architect applications from scratch Smaller budgets, fewer non-cloud options Appirio stated mission: Serverless company
Real-World Approaches
•
“Private Clouds”
Deployment of virtualization, APIs internally
Respects investments recently made by enterprises in refreshed DCs (won’t be abandoned anytime soon) Security advantage in that leverages in-place security
paradigms
•
“Hybrid Clouds”
Some things stored/processed in (public/private) cloud Other things stored/processed internally
Three Problems in Cloud Security
•
Loss of Control
•
No More Boundaries
Loss of Control
•
Outsourced Management, not Responsibility
Cloud providers guarantee at most availability Confidentiality and integrity of data not covered Businesses still liable for breaches•
Complete Reliance on Providers
(Usually) Few technical details on provider security (Usually) No right to audit/test provider defenses Hard to leverage existing security infrastructure
Loss of Control
•
Scary, Not Necessarily Bad
Cloud providers’ scale can deliver better security more cheaply
•
Requires (Re-)Alignment of Risks with Business
As much an opportunity as a challenge•
“If your security practices suck in the physical realm,
you’ll be delighted by the surprising lack of change
when you move to Cloud.” – Christopher Hoff
De-Perimeterization
•
Traditional IT security: “Firewall It and Forget It”
No more separation between attackers & defenders•
Client-Side Security
Traditionally, endpoints were “inside” the firewall Now, employees want to use iPhones, iPads, home
computers …
•
Shift to Application/Web Security
Still a new field, not well understood Standards changing fastDe-Perimeterization
•
The Perimeter Was an Illusion Anyway
Laptops, WiFi, USB keys, etc.… Firewalls (almost) always allow HTTP Does nothing to stop insider threats
•
New Focus on What Matters
The Data The Application
•
New Areas of Research
“Self-defending data”API Security
•
APIs Used for Communication Service Providers
Integration with internal apps, other service providers Mashups, content syndication, etc•
New Surface Area for Attackers
What information does your API leak? New forms of attack
•
High-Profile Weaknesses
2008 MySpace / Paris Hilton photo hack Flickr and AWS v1 signatures
API Security
•
Emerging Standards
SAML, WS-* OAuth (and its variants)
•
No Silver Bullets
Fundamentally a question of business logic and application requirements
Compliance
•
Audit standards
Mismatch between auditor expectations and cloud realities
Audits are the pain of security when things aren't going wrong
The Law
•
Law might not seem like a security issue
But legal issues are a big deal for security these days “Legally” defensible, rather than just strategically
defensible
•
Legal issues:
4th Amendment questions – still unsettled
“Third party doctrine”
Standard for review
International regulations:
EU Privacy rules, US safe harbor
More Information
• Cloud Security Alliance Comprehensive guidance for deploying to the cloud
cloudsecurityalliance.org
• Cloud Audit
Standardized API for reporting audit results cloudaudit.org
• Additional resources
Whitepapers, this presentation
www.techdirt.com/iti/resources.php
Amazon’s Security Whitepaper:
http://awsmedia.s3.amazonaws.com/pdf/AWS_Security_Whitepaper.pdf
Oracle Solaris Operating System — Optimized for the Intel® Xeon® Processor 5600 and 7500 series:
Discussion
Emerging Vendors
• VMWare Yes! Emerging! Have yet to launch vClouds
• Amazon
• PaaS Platform Providers • Point Technology Vendors
Unisys: Stealth
Barracuda: Purewire
HP: Cloud Assure
Qualys
Enstratus
• Note: Security delivered by SaaS is not in our discussion (i.e. AppRiver – secure email)
Amazon’s Security Profile
•
Completed SAS70 Type II – “audit of controls”
•
Customers have built HIPAA compliant applications
•
Security is designed in throughout: design > launch
Threat modeling, Risk assessments, Static code analysis,Recurring Penetration analysis
•
Physical Security:
Non-descript buildings, perimeter, ingress points Intrusion detection systems – not virtual!
2x2 authentication for Data Center floors Security escort at all times
Amazon’s Security Profile
•
Network Security
DDoS Attack Prevention: proprietary methods, multi-homing
Man in the Middle Attack Prevention: APIs available via SSL-protected endpoints
AMIs autogenerate new SSH host certifications on first boot
Port Scans prohibited, Packet Sniffing not possible
All inbound ports closed by default
Amazon’s Security Profile
• Virtual Private Cloud Enterprise can connect to a set of isolated AWS compute resources by VPN
Allows extension of existing management resources such as security
services, firewalls and intrusion detection services to include AWS
E2E network isolation thru IP address range & routing all traffic through industry-standard encrypted IPsec VPN.
• EC2 Security
Multiple levels: OS of host, virtual instance, firewall and signed API calls (X.509 cert or secret key, can SSL encrypt)
Highly customized Xen hypervisor: guest OS has no access to CPU