
Cloud and Virtualization Security

Date post: 02-Jan-2016
Upload: abdul-bolton
Description:
Cloud and Virtualization Security. Lecture 6 – Building a Cloud. Piotr T. Zbiegiel. Introduction. Recall that a private cloud deployment means that a company has built a cloud system contained entirely within the company and is not utilizing a third-party CSP.
Transcript
Page 1: Cloud and Virtualization Security

Lecture 6 – Building a Cloud

Piotr T. Zbiegiel

Cloud and Virtualization Security

Page 2: Cloud and Virtualization Security

Introduction

Page 3: Cloud and Virtualization Security

•Recall that a private cloud deployment means that a company has built a cloud system contained entirely within the company and is not utilizing a third-party CSP.

•These types of systems can range in size from massive datacenter-sized systems to a tiny cluster used for virtualizing a few servers within the company.

•Since definitions of cloud are fluid we will accept a range of possibilities here.

What is a Private Cloud?

Page 4: Cloud and Virtualization Security

•Most of the time these types of systems are built using server virtualization to gain efficiency.

•But a company can still choose to deliver all three types of service models (IaaS, PaaS, or SaaS).

•The systems within the cloud may be used for internal customers only, external customers only, or a combination of systems.

What is a Private Cloud? cont’d

Page 5: Cloud and Virtualization Security

•When comparing the cost of a private cloud infrastructure with a similar infrastructure utilizing a public CSP, the public CSP will win out in almost all cases.

•There may be other advantages too.
▫The public CSP may provide greater elasticity for absorbing traffic or other workload spikes.

•But as with all things in life there is more to this decision.

Why a Private Cloud?

Page 6: Cloud and Virtualization Security

•Many concerns center around data security issues.

•A company may want to retain control of their data, keep it within their borders.

•There may be legal or regulatory requirements that prevent you from moving information assets to a third-party CSP even if you can adequately secure them.

Why a Private Cloud? cont’d

Page 7: Cloud and Virtualization Security

•A private cloud system is a marriage of flexibility and control of information assets.

•But companies should tread carefully because the benefits of private cloud will be realized based on the scale of the system and how it is utilized within the company.

Why a Private Cloud? cont’d

Page 8: Cloud and Virtualization Security

•Some CSPs offer the ability to create a “private cloud” within their service offering. (e.g. Amazon Virtual Private Cloud (VPC))

•Carefully consider whether there is still adequate cost-benefit with this option.

• In the end, even if this type of service is more cost effective, other factors may still make building a private cloud within the company the preferred option.

What about CSPs with “Private Cloud” offerings?

Page 9: Cloud and Virtualization Security

•As mentioned before, the cost savings are likely not as great as going public.

•But a private cloud will still save money over traditional IT architecture.
▫Less equipment
▫Less staff
▫Lower DC costs (power, cooling, etc.)
▫Lower lifecycle costs (realized through repeated patterns in infrastructure.)

Cost Savings of Private Cloud

Page 10: Cloud and Virtualization Security

Shared resources vs more traditional dedicated resources lead to more than cost savings.

•Consolidation of servers into a private cloud system can simplify and streamline management of the systems.

•It can also allow for more effective application of security controls including identity management, centralized logging, network monitoring, etc.

Private Clouds Can Benefit Security

Page 11: Cloud and Virtualization Security

•A private cloud can be flexible in delivering customized cloud services to different parts of the organization.

•The pull to provide customized solutions will be especially strong when consolidating existing IT resources to a private cloud.

•When virtualizing existing servers there will be a natural temptation to replicate the existing infrastructure in its entirety.

Customization in Private Cloud

Page 12: Cloud and Virtualization Security

•Remember that one of the effects of customizing an environment is reduced operational efficiency.

•Customization can lead to variations in cloud components.

•Too much customization can negate cost savings.

•The larger the system scale, the more careful an organization must be about customization.

Customization in Private Cloud cont’d

Page 13: Cloud and Virtualization Security

•Much of the cost savings of cloud systems comes from managing identical systems.

•Supporting specialized server hardware or storage can spoil those cost savings.

•Not to mention muddling security effectiveness.
▫Configuration management
▫Patching
▫Monitoring
▫Etc.

Customization – Hardware Variation

Page 14: Cloud and Virtualization Security

•Cost savings and operational efficiency are affected by network variation as well.

•There may be significant reason to segregate some users or departments due to data classification or sensitivity of data processing that will be occurring.

• If that is the case it is better to attempt segregation on natural physical boundaries such as between individual racks or groups of racks within a cloud infrastructure.

Customization – Network Variation

Page 15: Cloud and Virtualization Security

•Virtualization makes it much easier to handle multiple OSes and customized systems.

•Supporting such systems may be a necessity when moving existing physical infrastructure to a virtualized system.

•But in most cases users should be steered toward a subset of operating systems which the cloud operations team maintains.

Customization – Software Platform Variation

Page 16: Cloud and Virtualization Security

•These systems can be built from “golden” images that have been reviewed for configuration security.

•Having limited variation in VM operating systems and configurations simplifies management, security testing, auditing, etc.

Customization – Software Platform Variation cont’d

Page 17: Cloud and Virtualization Security

•A group of users or a department may need to have their VMs isolated from others.

•The cloud system may be configured to only allow their VMs to run on a specified set of hardware.

•This type of variation does not result in the same kind of isolation as separating networks but may make sense in some cases.

Customization – Allocation Boundaries

Page 18: Cloud and Virtualization Security

Customization and Variation on Magellan

Page 19: Cloud and Virtualization Security

•More variation in allocated resources increases the chance of mistakes.
▫Having different storage pools could result in data being stored in a storage area with improper controls.
▫A misconfiguration could cause network traffic to flow over the wrong segments.

Risks of Customizing

Page 20: Cloud and Virtualization Security

•Elasticity and resilience of a cloud system rely on the system having unutilized capacity that can be used when necessary.

•Creating numerous pools of resources means more need for unutilized capacity unique to each pool.
▫This can mean less elasticity for each individual pool (or higher costs for buying and maintaining additional hardware).

•And, of course, too much customization can also cause security controls to be less effective.

Risks of Customizing cont’d

Page 21: Cloud and Virtualization Security

•The cloud’s use of architectural and operational patterns can enable security.
▫Cookie-cutter infrastructure can make audit, vulnerability scans, anomaly detection, and other security controls easier to manage.

•Centralizing resources in a cloud lets you justify buying bigger security tools.
▫Centralized logging and SIEM
▫Centralized auth
▫Bigger vulnerability scanners and IDS systems

Cost Advantages for Security in Private Cloud

Page 22: Cloud and Virtualization Security

•There are several areas of security criteria to consider when designing a private cloud.
▫Network
▫Datacenter
▫Operational

Security Criteria for Private Cloud

Page 23: Cloud and Virtualization Security

•First and foremost you must decide whether the private cloud will talk to the Internet, internal networks, or both.

•This should be documented in the security policy for the system.

•After that you can consider various issues of isolation:
▫Ingress and Egress Filtering
▫Network Isolation
▫Physical Isolation
▫Logical Isolation

Network Considerations

Page 24: Cloud and Virtualization Security

•Ingress and egress filtering should be defined at the cloud border.

•Whitelist or blacklist? (Whitelist preferred, of course).

•If security needs are more serious the system could require authenticated ingress. (Using VPN, for instance.)

•Don’t forget about filtering egress traffic.
▫Servers usually don’t need access to the whole Internet.
▫Egress filtering could thwart a back-channel or reverse shell connection should one of the VMs get compromised.
▫Blocked outbound connections could be an indication of trouble.

Ingress and Egress Filtering
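
An added example (not part of the original lecture) of the egress points above: a default-deny allowlist evaluated over flow records, with blocked outbound attempts grouped by source VM as a signal worth investigating. The allowlist entries, addresses and log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical egress allowlist at the cloud border: (network, protocol, port).
# Anything not listed is denied (whitelist / default deny).
EGRESS_ALLOW = [
    (ipaddress.ip_network("192.0.2.10/32"), "UDP", 53),    # DNS resolver
    (ipaddress.ip_network("192.0.2.20/32"), "TCP", 3128),  # update proxy
    (ipaddress.ip_network("192.0.2.30/32"), "TCP", 6514),  # central syslog
]

# Constructed sample flow records (key=value), not real log data.
SAMPLE_LOG = """\
SRC=10.20.0.11 DST=192.0.2.10 PROTO=UDP DPT=53
SRC=10.20.0.11 DST=192.0.2.20 PROTO=TCP DPT=3128
SRC=10.20.0.42 DST=203.0.113.7 PROTO=TCP DPT=4444
SRC=10.20.0.42 DST=203.0.113.7 PROTO=TCP DPT=4444
SRC=10.20.0.42 DST=198.51.100.9 PROTO=TCP DPT=443
SRC=10.20.0.13 DST=192.0.2.30 PROTO=TCP DPT=6514
SRC=10.20.0.13 DST=198.51.100.25 PROTO=TCP DPT=25
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def is_allowed(dst, proto, port):
    """True only if the flow matches an allowlist entry exactly."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and proto == p and port == prt
               for net, p, prt in EGRESS_ALLOW)


def blocked_by_vm(log_text):
    """Map each source VM to the sorted distinct flows the policy denies."""
    blocked = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
            continue  # skip malformed records rather than guessing
        flow = (f["DST"], f["PROTO"], int(f["DPT"]))
        if not is_allowed(*flow):
            blocked[f["SRC"]].add(flow)
    return {vm: sorted(flows) for vm, flows in blocked.items()}


def vms_to_investigate(log_text, min_distinct=2):
    """VMs with at least min_distinct different blocked destinations."""
    return sorted(vm for vm, flows in blocked_by_vm(log_text).items()
                  if len(flows) >= min_distinct)
```
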

Page 25: Cloud and Virtualization Security

• It can be very dangerous to use the same network to move internal and external traffic in a private cloud.

•Effort should be made to keep the two communication channels separate to prevent any potential exposure of enterprise data to a public user.

•This should include data storage and data processing instances that may handle enterprise data vs user data.

A Few Words about Network Isolation and Routing

Page 26: Cloud and Virtualization Security

•When considering network isolation for private cloud we need to go beyond internal vs external.

•The sensitivity of functional areas may drive segmentation and isolation decisions.

•There are numerous ways to achieve segmentation.
▫Physical network segregation
▫VLANs

Network Isolation

Page 27: Cloud and Virtualization Security

•Will traffic be routed between network segments?

•Ingress point for a network segment can have access controls.
▫Firewall
▫VPN

•Remember to test network isolation regularly to make sure it is configured as expected.
▫Configuration changes over time can potentially introduce mistakes or simply lead away from the original intended plan for isolating networks within the cloud system.

Network Isolation cont’d
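
An added example (not from the original lecture) of the regular isolation test recommended above: a check run from a test VM in one segment that compares actual TCP reachability against the intended policy. Segment names, addresses and the policy table are hypothetical; the simulated probe stands in for the real one so the example runs offline.

```python
import socket

# Hypothetical intended-isolation policy (constructed):
# (source segment, target host, port, connection expected to succeed?)
POLICY = [
    ("external-web", "10.30.0.5", 5432, False),  # public tier must not reach internal DB
    ("external-web", "10.10.0.8", 443, True),    # public tier may reach its own API
    ("internal-app", "10.30.0.5", 5432, True),
    ("internal-app", "10.99.0.2", 22, False),    # management network is off-limits
]


def tcp_probe(host, port, timeout=2.0):
    """Real probe: True if a TCP connection to host:port succeeds from here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def make_simulated_probe(reachable):
    """Offline stand-in for tcp_probe; `reachable` is a set of (host, port)."""
    return lambda host, port: (host, port) in reachable


def check_isolation(segment, policy, probe=tcp_probe):
    """Run from a test VM inside `segment`; return deviations from the policy."""
    findings = []
    for src, host, port, expected in policy:
        if src != segment:
            continue
        actual = probe(host, port)
        if actual and not expected:
            findings.append(("ISOLATION-BREACH", host, port))
        elif expected and not actual:
            findings.append(("UNEXPECTED-BLOCK", host, port))
    return findings


# Constructed drifted state: a rule change has exposed the DB to the external tier.
DRIFTED = {("10.30.0.5", 5432), ("10.10.0.8", 443)}

if __name__ == "__main__":
    for seg in ("external-web", "internal-app"):
        print(seg, check_isolation(seg, POLICY, make_simulated_probe(DRIFTED)))
```

Scheduling the check from one test VM per segment, with the default `tcp_probe`, turns the policy table into a recurring regression test for firewall and VLAN changes.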

Page 28: Cloud and Virtualization Security

•Parts of a system may need to be physically isolated from one another.

•There may be many reasons that this may be needed.

•For example, if data processing for internal users cannot (due to the Security Policy) occur on the same storage and VMs as external user data then it makes sense to physically isolate portions of the cloud system.

•Physical isolation may be easiest to accomplish by dividing the system at the rack level.

Physical Isolation

Page 29: Cloud and Virtualization Security

•It may make sense to logically divide portions of the cloud.
▫Dev -> Test -> Prod
▫Departmental

•This allows the application of differing security policies and controls depending on the requirements.

•This allows establishing an SOA (Service-oriented Architecture)

Logical Isolation

Page 30: Cloud and Virtualization Security

Service-oriented Architecture

Page 31: Cloud and Virtualization Security

•A service-oriented architecture allows us to define how cross-boundary sharing of data will be accomplished between differing logically isolated segments of a cloud.

•Rules and policies are defined to govern the transfer of data between departments.

•Data transfer rules use the concept of least-privilege to strictly define the data that will be released to other departments.

Logical Isolation and SOA

Page 32: Cloud and Virtualization Security

•A physically separate management network is a key design element.

•A separate network allows whitelisting of administrator traffic to physical cloud systems.

•Physical isolation guarantees management traffic does not travel over the same networks as regular user or customer traffic.

•It also allows additional security controls to be applied specifically to the management network (such as two-factor authentication).

Management Network

Page 33: Cloud and Virtualization Security

•There are numerous considerations to keep in mind when preparing the physical space for a private cloud system.

•Many of these are the same ones you may consider for more traditional IT infrastructure.

•But given the server consolidation within a cloud system there is even more riding on a well-designed space for the system.

Datacenter Considerations

Page 34: Cloud and Virtualization Security

Geographic Disparity

Page 35: Cloud and Virtualization Security

•Server consolidation in the cloud increases the risk that hardware failure could impact multiple services instead of being confined to a single server.

•Virtualization and the flexibility of the cloud can actually play a crucial role in business continuity planning

•However, that is only the case if plans were made ahead of time on how to recover effectively.

Business Continuity and Disaster Recovery

Page 36: Cloud and Virtualization Security

Business Impact Analysis

Page 37: Cloud and Virtualization Security

Physical Security

Page 38: Cloud and Virtualization Security

Video Surveillance

Page 39: Cloud and Virtualization Security

Datacenter should contain numerous sensor networks to monitor conditions within the space.

•Fire and smoke sensors.

•Humidity and temperature sensors.

•Sensors should be monitored by a NOC for deviation from the norm.

•In some cases it may make sense to have the systems monitor environmental readings and take action to lower the thermal load if conditions in the datacenter become critical.

Environmental Sensors

Page 40: Cloud and Virtualization Security

•Smaller cloud installs may simply be tied to existing fire suppression systems in an office building.

•Larger systems would benefit from a dedicated gaseous fire suppression system.

Fire Suppression

Page 41: Cloud and Virtualization Security

•Redundant power feeds to the datacenter
▫Less chance of disruption due to weather, construction, etc.
▫Can allow power work with less disruption of operations.

•UPS Power

•Standby generators and adequate fuel

•Cooling capacity

Power and Cooling

Page 42: Cloud and Virtualization Security

Operational Security Considerations

Page 43: Cloud and Virtualization Security

Conclusion

