Post on 31-Mar-2015
transcript
Cloud Security: Infrastructure, Data Security, and Access Control
Adapted from slides by Keke Chen
Suggested Readings• Reference book: “Cloud Security and Privacy: An
Enterprise Perspective on Risks and Compliance (Theory in Practice)”, Tim Mather et al. http://www.amazon.com/Cloud-Security-Privacy-Enterprise-Perspective/dp/0596802765
• Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf– Cloud Security Alliance
Outline
• Overview• Infrastructure Security• Data Security• Identity and access management• Audit, compliance and federation of clouds• Security and privacy concerns• Security as a service• Network security, policies (research)
• What makes Cloud Security different from Normal Cyber Security Systems?
How Does Cloud Security Differ?
Cloud Security Standards• Cloud Security Alliance
– Security Guidance for Critical Areas of Focus in Cloud Computing– Top Threats to Cloud Computing – Cloud Audit (A6Automated Audit,Assertion,Assessment,and
Assurance API)• NIST Cloud Security Initiative
– Guidelines on Security and Privacy in Public Cloud Computing • Military IASE standards from DISA-CSD • Federal Government
– FedRAMP(2011)– Evolved from NIST 800-053, from 2009– Assessment procedures
• OASIS Identity in the cloud– Open standards for identity deployment, provisioning and
management
Different Kinds of Clouds (NIST)
Private versus Public Cloud Security
Security and Who Owns a Cloud?
Dimensions of Security
Tradeoffs and Security Provisions
Cloud Alliance 7 ConcernsDomain GUIDANCE DEALING WITH SECURITY
Governance and Enterprise Risk Management
Govern and measure enterprise risk
Legal Issues: Contracts and Electronic Discovery
Protection requirements, security breach disclosure laws, regulatory requirements, privacy requirements, international laws
Compliance and Audit Proving compliance during audit
Information Management and Data Security
Identification and control of data in cloud. CAI
Portability and Interoperability Move data services from one provider to another, interoperability
Traditional Security, Business Continuity and Disaster Recovery
Security of operational processes and procedures (security, business continuity and disaster recovery
Data Center Operations Evaluation of Stability, On-going services
Domain GUIDANCE DEALING WITH SECURITY
Incident Response, Notification and Remediation
Provider and user levels to enable proper incident handling and forensics
Application Security +Application migration
Encryption and Key Management Appropriate encryption and scalable key management
Identity and Access Management Organization’s identity, access controls
Virtualization Multi-tenancy, VM isolation, VM co-residence, hypervisor vulnerabilities
Security as a Service Third part facilitated security assurance, incident management, compliance attestation, identity and access oversight
NIST
• Guidelines on Security and Privacy in Public Cloud Computing, Wayne Jansen and Timothy Grance, NIST, January 2011 http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
Security: Pros v Cons of Cloud
• Staff Specialization. • Platform Strength. • Resource Availability. • Backup and Recovery.• Mobile Endpoints.• Data Concentration.• Data Center Oriented.• Cloud Oriented.
• System Complexity. • Shared Multi-tenant
Environment. • Internet-facing Services• Loss of Control.• Botnets.• Mechanism Cracking
Overview
• Infrastructure – IaaS, PaaS, and SaaS
• Focus on public clouds – No special security problems with private
clouds – traditional security problems only
• Different levels– Network level– Host level– Application level
Infrastructure Security
• Confidentiality and integrity of data-in-transit– Amazon had security bugs with digital signature on
SimpleDB, EC2, and SQS accesses (in 2008)• Less or no system logging /monitoring
– Only cloud provider has this capability– Thus, difficult to trace attacks
• Reassigned IP address– Expose services unexpectedly – Spammers using EC2 are difficult to identify
• Availability of cloud resources – Some factors, such as DNS, controlled by the cloud
provider. • Physically separated tiers become logically
separated – E.g., 3 tier web applications
Network level
Private Cloud Network Security
• Hypervisor security– “zero-day vulnerability” in VM, if the
attacker controls hypervisor
• Virtual machine security– SSH private keys (if mode is not
appropriately set)– VM images (especially private VMs)– Vulnerable Services
Host level (IaaS)
• SaaS application security– Example: In an accident, Google Docs
access control failed. All users can access all documents
Application level
• Data-in-transit• Data-at-rest• Processing of data, including
multitenancy• Data lineage• Data provenance• Data remanence
Data Security
• Data-in-transit– Confidentiality and integrity
• Data-at-rest & processing data– Possibly encrypted for static storage– Cannot be encrypted for most PaaS and
SaaS (such as Google Apps) prevents indexing or searching
• Research on indexing/searching encrypted data
• Fully homomorphic encryption?
Data Security
• Definition: tracking and managing data• For audit or compliance purpose• Data flow or data path visualization
– E.g. data transferred to AWS on date x1 at time y1 and stored in a bucket on S3 example.s3.amazonaws.com, then processed on date x2 at time y2 on EC2 in ec2-67-202-51-223.compute-1.amazonaws.com, then stored in another bucket, example2.s3.amazonaws.com, then brought back locally on date x3 at time y3, …
• Time-consuming process even for inhouse data center– Not possible for a public cloud
Data lineage
• Origin/ownership of data– Verify the authority of data– Trace the responsibility – e.g., financial and medical data
• Difficult to prove data provenance in a cloud computing scenario
Data provenance
• Data left intact by a nominal delete operation– In many DBMSs and file systems, data is
deleted by flagging it.
• Lead to possible disclosure of sensitive information
• Department of Defense: National Industrial security program operating manual– Defines data clearing and sanitization
Data remanence
• The provider collects a huge amount of security-related data– Data possibly related to service users– If not managed well, it is a big threat to
users’ security
Provider’s data and its security
• What kinds of protocols and techniques are needed/used?
What Do You know about Identity and Access Management?
• Traditional trust boundary reinforced by network control – VPN, Intrusion detection, intrusion
prevention
• Loss of network control in cloud computing
• Have to rely on higher-level software controls– Application security– User access controls - IAM
Identity and Access Management
• IAM components– Authentication– Authorization– Auditing
• IAM processes– User management– Authentication management– Authorization management– Access management – access control– Propagation of identity to resources– Monitoring and auditing
Identity and Access Management
IAM functional architecture
Avoid duplication of identity, attributes, and credentials and provide a single sign-on user experience SAML(Security Assertion Markup Lang).
http://shibboleth.internet2.edu/docs/internet2-mace-shibboleth-arch-protocols-200509.pdf
Automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning SPML (service provisioning markup lang).
http://www.oasis-open.org/standards#spmlv2.0
Provision user accounts with appropriate privileges and manage entitlements XACML (extensible access control markup lang).
Authorize cloud service X to access my data in cloud service Y without disclosing credentials Oauth (open authentication).
IAM standards and specifications
SAML Example
ACS: Assertion Consumer Service SSO : single sign-on
SPML example
XACML Example
PEP: policy enforcement point(app interface)PDP: policy decision point
OAuth example
• OpenID• Information Cards• Open Authentication (OATH)
• Issues for OpenID– Phishing – malicious relying party
forwards end-user to bogus identity provider authentication page
– Allows sniffing of certificate and replay
IAM standards/protocols
Difference Open ID versus Oauth (Thanks to Wikipedia)
• Dealing with heterogeneous, dynamic, loosely coupled trust relationships
• Enabling “Login once, access different systems within the trust boundary”– Single sign-on (SSO)– Centralized access control services– Yahoo! OpenID
IAM practice- Identity federation
Audit, compliance and federation of clouds
NIST: Interactions between Actors in Cloud Computing
40
Cloud Consumer
Cloud ProviderCloud Broker
Cloud Auditor
The communication path between a cloud provider & a cloud consumerThe communication paths for a cloud auditor to collect auditing informationThe communication paths for a cloud broker to provide service to a cloud consumer
Cloud Carri
er
41
The Combined Conceptual Reference Diagram
Cloud Carrier
Cloud Consumer
CloudAuditor
Cloud Broker
SecurityAudit
PrivacyImpact Audit
Performance Audit
Cloud Service
Management
Service Layer
Business Support
Pri
vacy
ServiceArbitrage
Service Aggregation
Service Intermediation
Sec
uri
ty
Provisioning/Configuration
Portability/Interoperability
Physical Resource Layer
IaaS
SaaS
PaaS
Resource Abstraction and Control Layer
Hardware
Facility
42
Cloud Provider: Service Orchestration
Service Layer
Physical Resource Layer
IaaS
SaaS
PaaS
Resource Abstraction and Control Layer
Hardware
Facility
Cloud Provider
Biz Process/Operations
App/SvcUsage
Scenarios
Software as a Service
Application Development
Develop, Test, Deploy and
Manage Usage
Scenarios
Platform as a Service
Infrastructure as a Service
IT Infrastructure& Operation
Develop, Test, Deploy and
Manage Usage
Scenarios
Federation of Clouds/Hybrid Clouds 1. • Using multiple clouds for different applications to
match needs (local cloud and cloud bursting) • Allocating components of an application to
different environments (e.g., compute vs database tiers), whether internal or external (“application stretching”)
• Moving an application to meet requirements at specific stages in its lifecycle, from early development through unit test, scale testing, pre-production and ultimately full production scenarios
Federation of Clouds/Hybrid Clouds 2. • Moving workloads closer to end users across geographic
locations, including user groups within the enterprise, partners and external customers
• Meeting peak demands efficiently in the cloud while the low steady-state is handled internally
• Keeping large data within country, geography or organization while allowing global distributed computation
• Maintaining confidential data on better protected clouds while allowing distributed computation on more computationally efficient ones.
Key Security and Privacy Issues
• Governance -- control and oversight over policies, procedures, and standards for application development, as well as the design, implementation, testing, and monitoring of deployed services.
Key Security and Privacy Issues
• Compliance -- conformance with an established specification, standard, regulation, or law. – Data location --- trans-border data flows include whether the
laws in the jurisdiction where the data was collected permit the flow, whether those laws continue to apply to the data post transfer, and whether the laws at the destination present additional risks or benefits
– Laws and Regulations --- OMB, Clinger-Cohen Act, FISMA, NARA (archives), HIPPA, PCI DSS (cards)
– Electronic Discovery --- FOIA, litigation
Key Security and Privacy Issues
• Trust– Insider Access --- (esp. DOS)– Data Ownership --- Privacy versus data ownership.– Composite Services --- Nesting and layering of
services, trust is not transitive, liability and performance guarantees
– Visibility --- detailed network and system level monitoring, oversight
– Risk Management
Security as a Service
• Origins: Email Spam• Today
– Email Filtering– Web Content Filtering– Vulnerability Management– Identity Management as a service– Etc.
• Naming: SaaS – NOT to be confused with Software as a Service!SecaaS: Security as a Service (Cloud Security Alliance)
https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
SaaS Categorization by CSA
CSA: Cloud Security Alliance1. Identity and Access Management 2. Data Loss Prevention3. Web Security4. Email Security5. Security Assessments6. Intrusion Management7. Security Information and Event Management (SIEM)8. Encryption9. Business Continuity and Disaster Recovery10. Network Security
Identity and Access Management (IAM)
• SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active Directory Federated Services (ADFS2), WS- Federation
• Commercial Cloud Examples– CA Arcot Webfort – CyberArk Software Privileged Identity Manager– Novell Cloud Security Services– ObjectSecurity OpenPMF (authorization policy automation, for private
cloud only)– Symplified
• Threats addressed– Identity theft, Unauthorized access, Privilege escalation, Insider threat,
Non-repudiation, Excess privileges / Excessive access, Delegation of authorizations / Entitlements, Fraud
Data Loss Prevention• Monitoring, protecting, and verifying the security of data• by running as a client on desktops / servers and running rules
– “No FTP” or “No uploads” to web sites– “No documents with numbers that look like credit cards can be emailed” – “Anything saved to USB storage is automatically encrypted and can only
be unencrypted on another office owned machine with a correctly installed DLP client”
– “Only clients with functioning DLP software can open files from the fileserver”
• Related to IAM • Threats Addressed
– Data loss/leakage, Unauthorized access, Malicious compromises of data integrity, Data sovereignty issues, Regulatory sanctions and fines
Web Security
• Real-time protection – On-premise through software/appliance installation– Proxying or redirecting web traffic to the cloud provider
• Prevent malware from entering the enterprise via activities such as web browsing
• Mail Server, Anti-virus, Anti-spam, Web Filtering, Web Monitoring, Vulnerability Management, Anti-phishing
• Threats addressed– Keyloggers, Domain Content, Malware, Spyware, Bot Network,
Phishing, Virus, Bandwidth consumption, Data Loss Prevention, Spam
Email Security
• Control over inbound and outbound email• Enforce corporate polices such as acceptable use and spam• Policy-based encryption of emails• Digital signatures enabling identification and non-
repudiation • Services
– Content security, Anti- virus/Anti-malware, Spam filtering, Email encryption, DLP for outbound email, Web mail, Anti-phishing
• Threats addressed– Phishing, Intrusion, Malware, Spam, Address spoofing
Security Assessments• Third-party audits of cloud services or assessments of local systems via
cloud-provided solutions• Well defined and supported by multiple standards such as NIST, ISO, and CIS• Additional Cloud Challenges
– Virtualization awareness of the tool– Support for common web frameworks in PaaS applications– Compliance Controls for IaaS, PaaS, and SaaS platforms
• Services– Internal and / or external penetration test, Application penetration test, Host and
guest assessments, Firewall / IPS (security components of the infrastructure) assessments, Virtual infrastructure assessment
• Threats addressed– Inaccurate inventory, Lack of continuous monitoring, Lack of correlation
information, Lack of complete auditing, Failure to meet/prove adherence to Regulatory/Standards Compliance, Insecure / vulnerable configurations, Insecure architectures, Insecure processes / processes not being followed
Intrusion Management
• Using pattern recognition to detect and react to statistically unusual events
• IM tools are mature, however – virtualization and massive multi-tenancy is creating new
targets for intrusion– raises many questions about the implementation of the same
protection in cloud environments• Services
– Packet Inspection, Detection, Prevention• Threats addressed
– Intrusion, Malware
Security Information and Event Management (SIEM)
• Accept log and event information• Correlate and analyze to provide real-time reporting and
alerting on incidents / events• Services
– Log management, Event correlation, Security/Incident response, Scalability, Log and Event Storage, Interactive searching and parsing of log data, Logs immutable (for legal investigations)
• Threats addressed– Abuse, Insecure Interfaces and APIs, Malicious Insiders, Shared
Technology Issues, Data Loss and Leakage, Account or Service Hijacking, Unknown Risk Profile, Fraud
Encryption
• The process of obfuscating/encoding data using cryptographic algorithms – Algorithm(s) that are computationally difficult to break
• Services– VPN services, Encryption Key Management, Virtual Storage
Encryption, Communications Encryption, Application Encryption, Database Encryption, digital signatures, Integrity validation
• Threats addressed– Failure to meet Regulatory Compliance requirements, Mitigating
insider and external threats to data, Intercepted clear text network traffic, Clear text data on stolen / disposed of hardware, Reducing the risk or and potentially enabling cross-border business opportunities, Reducing perceived risks and thus enabling Cloud's Adoption by government
Business Continuity and Disaster Recovery
• Ensure operational resiliency in the event of any service interruptions
• Flexible and reliable failover • Utilize cloud’s flexibility to minimize cost and maximize
benefits• Services
– File recovery provider, File backup provider, Cold site, Warm site, Hot site, Insurance, Business partner agreements, Replication (e.g. Databases)Threats addressed
– Natural disaster, Fire, Power outage, Terrorism/sabotage, Data corruption, Data deletion, Pandemic/biohazard
Network Security• Services that allocate access, distribute, monitor, and protect the
underlying resource services– Address security controls at the network in aggregate, Or – Specifically address at the individual network of each underlying resource
• In Clouds, likely to be provided by virtual devices alongside traditional physical devices– Tight integration with the hypervisor to ensure full visibility of all traffic
on the virtual network layer is key• Services
– Firewall (perimeter and server tier), Web application firewall, DDOS protection/mitigation, DLP, IR management, IDS / IPS
• Threats addressed– Data Threats, Access Control Threats, Application Vulnerabilities, Cloud
Platform Threats, Regulatory, Compliance & Law Enforcement
60
Network Security (Research)• Policies about the configurations of the infrastructure are used for specifying security and
availability requirements
• A critical device should be placed within a security perimeter• Unprotected devices should not communicate with machines running critical services• Computation on confidential data must performed on hosts under the control of DoD
• Policy-driven approach has been taken by FISMA, PCI-DSS, NERC
Scalability Real-time detection of violations
Monitoring itself needs to be secure
Information needs to be shared across cloud providers
Requirements
61
Policy Distribution
Reaction Agent
Reaction Agent
Odessa Agent
Odessa Agent
NetOdessa Agent
DORA Subsystem
Trustworthiness of W
orkflows
Trust Calculation Module
External Event
Aggregator
External Event
Aggregator
Formal Design and analysis of Assured
Mission Critical Computations
Evaluation on a distributed networked
test-bed
Middleware for Assured Clouds
Risk Assessment Modules
Distance from Compliance Calculation
62
Reaction Agents are part of the Middleware
When a policy violation is detected• Security, availability, or timeliness requirements might not be
satisfied • We need to reconfigure the system
We implemented a cloud-based OpenFlow reaction agent
OpenFlow controller Flow information
reconfigurationsReactionAgent
violation
To Read Further• Roy H. Campbell, Mirko Montanari, Reza Farivar, Middleware for
Assured Clouds, Journal of Internet Services and Applications, 2011 [pdf]• Kroske, E. ; Farivar, R. ; Montanari, M. ; Larson, K. ; Campbell, R.H.,
NetODESSA: Dynamic Policy Enforcement in Cloud Networks, 30th IEEE Symposium on Reliable Distributed Systems - Workshops (SRDSW), 2011
• Mirko Montanari, Roy H. Campbell, Attack-resilient Compliance Monitoring for Large Distributed Infrastructure Systems, IEEE International Conference on Network and System Security (NSS), Sept 2011. [pdf]
• Mirko Montanari, Ellick Chan, Kevin Larson, Wucherl Yoo, Roy H. Campbell, "Distributed Security Policy Conformance," IFIP SEC 2011, Lucerne, Switzerland, June 2011. [pdf]