  • Mundi Web Services, Atos, Atos Consulting, Atos Worldline, Atos Sphere, Atos Cloud and Atos WorldGrid are registered trademarks of Atos SA. July 2011. © Copyright 2019 Mundi Web Services All rights reserved. Reproduction in whole or in parts is prohibited without the written consent of the copyright owner.

    AUTHOR(S): Mundi Team
    REFERENCE: CWS-PAAS-MUT-064-EN
    VERSION: 1.1
    STATUS: Final
    DOCUMENT DATE: 28/11/2018
    NUMBER OF PAGES: 42

    Cloud Security

    Mundi Copernicus DIAS (Data and Information Access Services)

    https://mundiwebservices.com/

  • Cloud Security

    Version:1.1 Reference:CWS-PAAS-MUT-064-EN

    © Copyright 2019 Mundi Web Services 28/11/2018 2 of 42

    Identification

    Contract number: ITT ESA AO/1-8854/17/I-LG
    Programme: Copernicus Data and Information Access Services Operations
    N° OT:

    Name, Function | Date | Signature
    Written by: Mundi Team | 28/11/2018 |
    Reviewed by: | |
    Approval: | |

    Resume:
    Keywords:


    Document Change Log

    Revision | Date | Description of the release | Author
    1.0 | 21/09/2018 | Initial version of the document. | Mundi Team
    1.1 | 28/11/2018 | A few feature description enhancements | Mundi Team


    Contents

    1 Introduction .... 6
    1.1 Scope of the document .... 6
    1.2 Reference Documents .... 6
    1.3 Acronyms and Abbreviations .... 6
    2 Document organisation .... 7
    3 Data protection and data security for the cloud .... 9
    4 User Management .... 10
    4.1 User hierarchy .... 10
    4.2 Identity and Access Management (IAM) .... 11
    4.3 Password management .... 12
    4.4 Security keys management .... 12
    4.4.1 Key Pair .... 12
    4.4.2 Access Keys .... 13
    4.4.3 Key Management Service (KMS) .... 13
    4.4.4 Openstack API access .... 14
    4.5 OBS User Permissions .... 14
    4.6 Access review .... 15
    5 Network Management .... 16
    5.1 Perimeter security .... 16
    5.1.1 Virtual Private Cloud .... 16
    5.1.2 Front-end and Back-end VPC .... 17
    5.2 Environments segregation .... 19
    5.3 ECS network management .... 19
    5.4 OBS security .... 19
    5.5 Firewalls .... 20
    5.6 Anti-DDoS .... 20
    6 IS development & maintenance .... 22
    6.1 Secure coding .... 22
    6.2 VM image update .... 23
    6.3 EVS encryption .... 24
    6.4 OBS Encryption .... 25
    6.5 Cloud Trace Service (CTS) .... 25
    6.6 Secure Data Deletion .... 26
    7 Availability Management .... 27
    7.1 Elastic Load Balancer .... 27
    7.2 Availability Zone .... 28
    7.3 Backup and recovery .... 28
    7.3.1 Volume Backup Service (VBS) .... 28
    7.3.2 Cloud Server Backup Service (CSBS) .... 29
    7.3.3 Storage Disaster Recovery Service (SDRS) .... 29
    7.3.4 EVS Snapshot .... 30
    8 Addendum - Create a technical User .... 31
    8.1 Prerequisites .... 31
    8.2 Procedure .... 31
    9 Addendum - Create a Key Pair .... 36
    9.1 Prerequisites .... 36
    9.2 Procedure .... 36
    9.3 Creating ssh keys on a Linux ECS .... 38
    10 Addendum - Configure a Virtual Private Cloud .... 39
    10.1 Prerequisites .... 39
    10.2 Procedure .... 39
    11 Addendum - Cloud Security recommendations .... 42


    1 Introduction

    1.1 Scope of the document

    This document provides users with cloud security configuration and setup guidelines. The target audience is 3PU users only, with enhanced network and system knowledge.

    1.2 Reference Documents

    Abbreviation | Document
    [SOW] | Copernicus Data and Information Access Services Operations - Statement of Work. Reference: ESA-EOPG-CSCOP-SOW-0015-V1.0 – 17/01/2016
    [CB] | Mundi Copernicus DIAS (Data and Information Access Services) – Cloud Basics. Reference: CWS-PAAS-MUT-063-EN

    1.3 Acronyms and Abbreviations

    Acronym or Abbreviation | Meaning
    3PU | Third-Party Users
    ECS | Elastic Cloud Server: the generic virtual machine product of OTC
    EVS | Elastic Volume Service: the generic virtual block and file storage product of OTC
    KMS | Key Management Service
    OBS | Object Storage Service: the object storage product of OTC, compatible with Amazon S3
    OTC | Open Telekom Cloud: the cloud solution Mundi is based on
    SSO | Single Sign-On
    VM | Virtual Machine: called ECS in the OTC environment
    VPC | Virtual Private Cloud


    2 Document organisation

    This document gives an overview of, and some advice about, cloud configuration so that a 3PU can build a secured environment. Even if ISO 27001:2005 is obsolete now, the domains of this standard are a good starting point to classify the security items to be applied. Those domains are:
    • A.5 Security Policy
    • A.6 Organisation of information Security
    • A.7 Asset Management
    • A.8 Human Resources
    • A.9 Physical and environmental security
    • A.10 Communications and operations management
    • A.11 Access Control
    • A.12 Information systems acquisition, development and maintenance
    • A.13 Information security incident management
    • A.14 Business continuity management
    Some of those domains are addressed in this document; others are left to the 3PU's own policies and organisation. Each chapter in this document points out the corresponding ISO 27001:2005 domains that it addresses.

    ISO 27001 chapter | Status | Chapter in this document
    Security Policy | Not addressed, shall be targeted by the 3PU company's own security policy | N/A
    Organisation of information Security | Not addressed, shall be targeted by the 3PU company's own organisation | N/A
    Asset Management | |
    Human Resources | Yes, partially | User Management
    Physical and environmental security | Yes, partially | Network Management
    Communications and operations management | Image updates, Backup/Recovery | IS development & maintenance
    Access Control | Yes, partially | User Management
    Information systems acquisition, development and maintenance | Secure coding / OWASP | IS development & maintenance
    Information security incident management | Not addressed, shall be targeted by the 3PU company's own incident management | N/A
    Business continuity management | Yes, partially | Availability Management, IS development & maintenance


    3 Data protection and data security for the cloud

    Mundi's infrastructure is based on Open Telekom Cloud, the public cloud solution of T-Systems. Data protection and data security have top priority. The Open Telekom Cloud infrastructure is operated in Deutsche Telekom's highly secure twin-core data centres in Germany, where the data backups are also held. Data processing is strictly regulated by the federal data protection act. In addition, the Open Telekom Cloud is certified in accordance with the Trusted Cloud Data Protection Profile (TCDP) 1.0. This certificate attests that the Open Telekom Cloud is currently one of the few cloud offerings on the market that provides companies with the technical prerequisites necessary to meet the upcoming European data protection requirements (DSGVO, the German name of the GDPR). All services are strictly regulated and are regularly checked and certified by independent institutions, in order to meet the latest security and data protection requirements. The following certificates have been delivered to OTC:
    • Open Telekom Cloud ISO 27017 Certificate (Certified data protection management)
    • Open Telekom Cloud ISO 27018 Certificate (Certified data protection management)
    • Open Telekom Cloud CSA Star Level 2 Certificate (Security management system according to CSA STAR)
    • Open Telekom Cloud TÜV Trusted Cloud
    • Open Telekom Cloud TCDP version 1.0 Certificate (Data privacy requirements for commissioned data processing)
    • T-Systems ISO 27001 Certificate (Certified data protection management)
    • T-Systems ISO 20000 Certificate (Certified service management system)
    • T-Systems ISO 9001 Certificate (Certified quality management system)
    • T-Systems ISO 22301 Certificate (Certified business continuity management system)
    • T-Systems ISO 14001 Certificate (Globally recognized requirements placed on an eco-management system)
    Further information can be found on the OTC website: https://cloud.telekom.de/en/infrastructure/open-telekom-cloud/more/compliance


    4 User Management

    This chapter addresses parts of the domain A.8 Human Resources of ISO 27001:2005.

    4.1 User hierarchy

    In Mundi's environment, several user levels are defined, corresponding to administrative and technical roles. They are cascaded through SSO or dedicated login features, and they correspond to different levels of access and management rights to Mundi's resources. In this chapter, we explain the different levels and the corresponding access possibilities, and we give some advice about a secure way to use them.

    As soon as a user is registered on Mundi, they have a Mundi website user account. When this user becomes a 3PU with its own processing environment, a dedicated Tenant is assigned to this user. You just have to log in to Mundi's website and, in the My Account section, click on the My Resources tab. If you click on the "Manage" button, you will be redirected and automatically logged in to the Open Telekom Cloud console. The SSO access transforms the Mundi website user into a MUNDI sso user on the OTC console. The console is the place where you manage your Tenant. The MUNDI sso user is an administrative user. It has access to the Identity & Access Management (IAM) of the Tenant, and it is used to create and manage dedicated technical users. This user should not be used to create OTC resources.

    [Figure: user hierarchy. Mundi's website user --(sso)--> MUNDI sso user --(create)--> IAM OTC user in the « admin » group --(create)--> OTC user in the « power-user » group --(create)--> ECS « linux » VM user --> dedicated VM user]


    You can define several user groups in the console. By default, two groups exist: the admin group, which can access all the features of the console, including user management, and the power-user group, which can access all features of the console except user management. We advise you to create just one user in the admin group, the technical manager of the Tenant; this user will then create several users in the power-user group, one for each technical administrator of the console. The console users then don't have to access Mundi's website and can log in directly to the Tenant's console. For all the console users, we advise you to pay attention to the email address and mobile phone number. Even if optional in some cases, that information shall be filled in with care in order to ease access recovery and to avoid any security breach. At this level, depending on your access management needs, other groups can be created. For example:
    • a Guest group, with read-only rights, for example for the Cloud Eye monitoring feature;
    • an OBS group, with management rights limited to OBS, if the storage management is done by a dedicated user group.
    Further information in Open Telekom Cloud documentation: https://docs.otc.t-systems.com/en-us/usermanual/iam/en-us_topic_0079496984.html

    The technical administrators will then create ECS, the virtual machines of the Tenant. By default, each Linux-based ECS has a first root user named "linux". This special user can create dedicated users, with or without root access rights, through the dedicated user management feature of the operating system. If the ECS contains sensitive data and processing, we advise you to remove the "linux" account or its access rights, in order to manage the VM's access only through its specific access rights. The VM users then don't have to access OTC's console and can log in directly on the VM.

    4.2 Identity and Access Management (IAM)

    Identity and Access Management (IAM) is an enterprise-level self-service cloud resource management system that provides user identity management and access control functions. With IAM, users can manage user accounts and control the operation rights of these accounts over the resources and modules in OTC. IAM also ensures account security and reduces security risks for enterprise information by allowing users to set login verification policies, password policies and access control lists (ACL). In addition to the standard login procedure with user and password, two-factor authentication is available. This works like online banking: after submitting the user and password, a TAN is sent to the mobile phone registered for the user. This function must be activated in Identity and Access Management.


    Refer to the OTC documentation for more details about IAM: https://docs.otc.t-systems.com/en-us/iam/index.html

    4.3 Password management

    For Mundi's website access, a password must meet the following requirements:
    • It must be 6 to 20 characters long.
    • It must contain at least one uppercase character, one lowercase character, one digit, and one special character.

    For the OTC console access, a password must meet the following requirements:
    • It must be 6 to 32 characters long.
    • It must contain at least 2 of the following character types: uppercase letters, lowercase letters, digits, and special characters (!"#$%&'()*+,-./:;?@[]^`{_|}~ and spaces).
    • It cannot be the username or the username spelled backwards. For example, if the username is A12345, the password cannot be A12345, a12345, 54321A or 54321a.

    Further information in Open Telekom Cloud documentation: https://docs.otc.t-systems.com/en-us/usermanual/iam/en-us_topic_0075357584.html

    For the ECS access, the requirements are defined by the OS, and depending on this OS they can be adapted to your specific security needs.
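The two rule sets above can be checked mechanically before a password is ever submitted. The Go program below is an added example, not part of the original Mundi document or of OTC's software: it encodes the website and console rules of this section as data and reports every rule a candidate password violates. Two assumptions are made where the document is silent: the website rule is taken to accept the same special-character set the console rule lists, and the username comparison is taken to be case-insensitive, as the A12345 example implies.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Special characters accepted by the OTC console rule in section 4.3 (spaces
// included). The Mundi website rule does not list its own set, so this example
// assumes the same set applies there.
const specialChars = "!\"#$%&'()*+,-./:;?@[]^`{_|}~ "

// PasswordPolicy captures one of the two rule sets of section 4.3.
type PasswordPolicy struct {
	Name          string
	MinLen        int
	MaxLen        int
	MinClasses    int  // how many of the four character classes must appear
	CheckUsername bool // reject the username and the username spelled backwards
}

var (
	MundiWebsitePolicy = PasswordPolicy{"Mundi website", 6, 20, 4, false}
	OTCConsolePolicy   = PasswordPolicy{"OTC console", 6, 32, 2, true}
)

// countClasses returns how many of {upper, lower, digit, special} occur in pw.
func countClasses(pw string) int {
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case strings.ContainsRune(specialChars, r):
			special = true
		}
	}
	n := 0
	for _, present := range []bool{upper, lower, digit, special} {
		if present {
			n++
		}
	}
	return n
}

func reverseString(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// Check returns every rule the candidate password violates; an empty result
// means the password is acceptable under this policy.
func (p PasswordPolicy) Check(username, pw string) []string {
	var violations []string
	if n := len([]rune(pw)); n < p.MinLen || n > p.MaxLen {
		violations = append(violations, fmt.Sprintf("length %d is outside %d..%d", n, p.MinLen, p.MaxLen))
	}
	if c := countClasses(pw); c < p.MinClasses {
		violations = append(violations, fmt.Sprintf("only %d of 4 character classes present, %d required", c, p.MinClasses))
	}
	if p.CheckUsername {
		// The page's own example (A12345 rejected as a12345 and 54321a)
		// shows that the comparison ignores case.
		lp, lu := strings.ToLower(pw), strings.ToLower(username)
		if lp == lu || lp == reverseString(lu) {
			violations = append(violations, "password is the username or the username spelled backwards")
		}
	}
	return violations
}

func main() {
	// Constructed candidates checked against the console rule for user A12345.
	for _, pw := range []string{"A12345", "54321a", "abcdef", "Tr0ub4dor&3"} {
		fmt.Printf("%-12s %s: %v\n", pw, OTCConsolePolicy.Name, OTCConsolePolicy.Check("A12345", pw))
	}
}
```

Run it with go run; it prints the violated rules for a few constructed candidates. A check like this belongs in whatever script provisions technical users (the addendum on creating a technical user), so that a password the console will refuse fails before the account is half-created.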

    4.4 Security keys management

    OTC provides several levels of security keys, each dedicated to a group of features.

    4.4.1 Key Pair

    Key Pairs are SSH keys used in the creation of ECS, in order to allow the initial access to the VM for the "linux" user. The feature can also be used to generate SSH keys for other subsequent users, or you can use the dedicated SSH key generation feature of the VM's operating system. The Key Pair management can be found in the console, Computing section, Elastic Cloud Server tool, Key Pair menu. Please see the "Create a Key Pair" addendum for detailed information.


    4.4.2 Access Keys

    Each console user can create two Access Keys. Those keys are dedicated to OBS secured access. They are managed separately, as OBS access can be done fully independently from any other access. The Access Key management can be found in the console, username on the homepage, My Credentials menu, Access Keys tab. Further information in Open Telekom Cloud documentation:
    https://docs.otc.t-systems.com/usermanual/ac/en-us_topic_0046783936.html
    https://docs.otc.t-systems.com/en-us/usermanual/iam/en-us_topic_0079496987.html

    4.4.3 Key Management Service (KMS)

    Key Management Service (KMS) is a secure, reliable, and easy-to-use service that helps users centrally manage and safeguard their Customer Master Keys (CMKs). KMS uses a hardware security module (HSM) to protect keys; the HSM helps you create and control keys, and all keys are protected by the root key in the HSM. KMS controls and monitors all activities on keys in logs, which in turn enables the supervision of any regulatory compliance requirements.

    It can be used for encryption (and decryption) of the different storage services offered by OTC: Elastic Volume Service and Object Storage Service, but also Image Management, Scalable File Service and Relational Database. KMS handles all encryption requests. Depending on the mode of encryption, the HSM is used to store customer keys, or the customer delivers the key for every transaction so that it does not need to be stored within the HSM.

    Key Management Service is a basic service in cloud data centres. It meets the service requirements for encryption and also the tenants' requirement to encrypt their sensitive data. It uses encryption of data at rest to eliminate users' concerns about data leaks, which complies with laws and regulations in some countries and regions. Key Management Service integrates with the tenants' at-rest storage services on the cloud platform and uses the international standard encryption algorithm AES to protect tenants' data. KMS prevents illegal access and ensures tenants' data security.

    EVS (Elastic Volume Service) encryption supports disk encryption and allows users to select proper encryption keys. EVS encryption uses the KMS Key ID and the tenant's token to get a data encryption key (DEK) from KMS, and uses the DEK to encrypt and decrypt data in the EVS. EVS's encryption feature relies on the KMS system, which generates and manages the encryption certificates. AES-XTS-256 is used for EVS data encryption, AES-CBC-256 is used for key wrapping. Only newly created EVS volumes can be encrypted, and the CMK (Customer Master Key) assigned to the EVS cannot be changed to another one. If the CMK is changed, the consistency between the CMK and the EVS is destroyed. KMS also supports Bring Your Own License and Bring Your Own Key.

    The Key Management Service can be found in the console, Security section, Key Management Service tool. Further information in Open Telekom Cloud documentation: https://docs.otc.t-systems.com/usermanual/kms/en-us_topic_0035848362.html
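The relationship between the CMK, the data encryption key and the volume described above is the envelope-encryption pattern. The Go program below is an added example and is neither OTC's nor Mundi's code: it models the CMK as a 32-byte key held in memory (in the real service the key material stays inside the KMS HSM), wraps a per-volume DEK with AES-CBC-256 as this section states, and then shows why the CMK assigned to a volume cannot be changed afterwards. The data itself is encrypted with AES-256-GCM as a stand-in for AES-XTS-256, which Go's standard library does not provide; the key IDs are constructed placeholders, not OTC key IDs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// must unwraps (value, error) pairs that cannot fail for well-formed inputs here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// CMK stands in for a Customer Master Key. In OTC the key never leaves the KMS
// HSM; keeping it in memory is an assumption of this example, to show the flow.
type CMK struct {
	ID  string
	key []byte
}

func NewCMK(id string) *CMK { return &CMK{ID: id, key: randomBytes(32)} }

// WrapDEK protects a 32-byte data encryption key with AES-CBC-256 (the key
// wrapping mode of section 4.4.3). 32 bytes is two AES blocks, so no padding.
func (c *CMK) WrapDEK(dek []byte) ([]byte, error) {
	if len(dek) != 32 {
		return nil, errors.New("DEK must be 32 bytes")
	}
	iv := randomBytes(aes.BlockSize)
	out := make([]byte, len(dek))
	cipher.NewCBCEncrypter(must(aes.NewCipher(c.key)), iv).CryptBlocks(out, dek)
	return append(iv, out...), nil
}

// UnwrapDEK reverses WrapDEK. Plain CBC has no integrity check, so a wrong CMK
// silently yields a different key; the failure surfaces only when it is used.
func (c *CMK) UnwrapDEK(wrapped []byte) ([]byte, error) {
	if len(wrapped) != aes.BlockSize+32 {
		return nil, errors.New("wrapped DEK has unexpected length")
	}
	dek := make([]byte, 32)
	cipher.NewCBCDecrypter(must(aes.NewCipher(c.key)), wrapped[:aes.BlockSize]).CryptBlocks(dek, wrapped[aes.BlockSize:])
	return dek, nil
}

// EncryptedVolume mirrors what an encrypted EVS disk carries: the ID of the CMK
// it was created with, the DEK wrapped under that CMK, and the encrypted data.
type EncryptedVolume struct {
	CMKID      string
	WrappedDEK []byte
	Data       []byte
}

// dataAEAD is the data-level cipher. EVS uses AES-XTS-256; Go's standard
// library has no XTS mode, so AES-256-GCM stands in (this example's choice).
func dataAEAD(dek []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(dek)))) }

// CreateEncryptedVolume draws a fresh DEK per volume and wraps it once under the CMK.
func CreateEncryptedVolume(cmk *CMK, plaintext []byte) (*EncryptedVolume, error) {
	dek := randomBytes(32)
	wrapped, err := cmk.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	aead := dataAEAD(dek)
	nonce := randomBytes(aead.NonceSize())
	return &EncryptedVolume{cmk.ID, wrapped, aead.Seal(nonce, nonce, plaintext, nil)}, nil
}

// ReadEncryptedVolume recovers the plaintext. Only the CMK the volume was created
// with unwraps the right DEK; with any other CMK the GCM tag check fails.
func ReadEncryptedVolume(cmk *CMK, v *EncryptedVolume) ([]byte, error) {
	dek, err := cmk.UnwrapDEK(v.WrappedDEK)
	if err != nil {
		return nil, err
	}
	aead := dataAEAD(dek)
	ns := aead.NonceSize()
	if len(v.Data) < ns {
		return nil, errors.New("volume data too short")
	}
	return aead.Open(nil, v.Data[:ns], v.Data[ns:], nil)
}

func main() {
	cmk := NewCMK("cmk-example-1") // constructed ID, not a real OTC key ID
	vol, _ := CreateEncryptedVolume(cmk, []byte("constructed volume contents"))
	_, errSame := ReadEncryptedVolume(cmk, vol)
	_, errOther := ReadEncryptedVolume(NewCMK("cmk-example-2"), vol)
	fmt.Println("same CMK error:", errSame, "| other CMK error:", errOther)
}
```

Reading the volume with any CMK other than the one it was created with unwraps a wrong DEK, and the data layer then rejects everything: that is the "consistency of CMK and EVS will be destroyed" situation of the text, and the reason the CMK ID is recorded on the volume rather than being a parameter you can swap later.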

    4.4.4 Openstack API access

    The Openstack API access doesn't require any security key. It can be done using the user's console credentials. Further information in Open Telekom Cloud documentation: https://docs.otc.t-systems.com/en-us/api/wp/en-us_topic_0052070405.html

    The Identity and Access Management (IAM) function of Open Telekom Cloud provides access control lists (ACL) to restrict which IP addresses can access the console. In order to enhance the account's security, these ACLs also apply to external users using cloud services via the API. API users must be included in the ACL. ACL configuration is done in the IAM module: Open Telekom Cloud homepage > Identity and Access Management > Account Settings > ACL. See https://docs.otc.t-systems.com/usermanual/iam/en-us_topic_0046611308.html for detailed operations.

    4.5 OBS User Permissions

    OBS user permissions are defined as a combination of user groups and access control. User groups are defined in IAM; there are 2 predefined user groups: admin (can manage OBS resources and create users / user groups) and power_user (cannot create users / user groups). Access control grants user groups resource permissions. For OBS there are 3 permission levels: Tenant Administrator (can perform any operation on OBS resources), Tenant Guest (can only read OBS resources), and OBS Bucket Viewer (can obtain the list, metadata, and location information of buckets).


    Further information is available in the OTC documentation: https://docs.otc.t-systems.com/en-us/usermanual/obs/obs_03_0045.html.

    4.6 Access review

    Accessing the cloud resources is easy, as it can be done over the Internet from any connected workstation. In this way, there are no physical security constraints preventing access to the resources, so the main security control is user management. We advise you to organise a monthly access review. It will review the following points:
    • The administrative manager has a Mundi website account with 3PU privileges and can access the OTC console through SSO.
    • The technical manager, and only him, has an OTC console account in the admin group.
    • The technical administrators, and only them, have OTC console accounts in the power_user group. The former technical administrators' accounts have been deleted or revoked.
    • There is a clear list of ECS holding sensitive data and/or processing.
    • For all ECS, the dedicated users with administrator or root access are identified. The former root access accounts have been deleted or revoked.
    • For all ECS with sensitive data or processing, the dedicated users are identified. The former user accounts have been deleted or revoked.
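    The console account points of the review can be checked mechanically against an export of the tenant's IAM user list. The script below is an added example, not part of this document or of OTC's tooling; the user records, usernames and expected assignments are constructed sample data.

```python
"""Monthly access review of the OTC console accounts, as listed in section 4.6.

Added example, not part of the original document. The user records are a
constructed IAM user list with hypothetical usernames; in practice you would
export the tenant's user list from the IAM console. Group names follow the
document: the technical manager alone in 'admin', the technical administrators
in 'power_user'.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class IamUser:
    name: str
    groups: FrozenSet[str]
    enabled: bool = True


# Expected state, kept by the administrative manager (constructed).
TECHNICAL_MANAGER = "tech.manager"
TECHNICAL_ADMINS = frozenset({"admin.alice", "admin.bob"})
FORMER_ACCOUNTS = frozenset({"admin.carol"})        # left the team last month
MUNDI_SUPPORT = frozenset({"mundi-support"})        # Mundi's own support users, not reviewed

# Constructed snapshot of the tenant's IAM users.
SAMPLE_USERS = [
    IamUser("tech.manager", frozenset({"admin"})),
    IamUser("admin.alice", frozenset({"power_user"})),
    IamUser("admin.bob", frozenset({"power_user"})),
    IamUser("admin.carol", frozenset({"power_user"})),           # former admin, still active
    IamUser("admin.dave", frozenset({"admin", "power_user"})),   # nobody approved this admin
    IamUser("mundi-support", frozenset({"admin"})),
]


def review_console_accounts(users: Iterable[IamUser],
                            technical_manager: str = TECHNICAL_MANAGER,
                            technical_admins: FrozenSet[str] = TECHNICAL_ADMINS,
                            former_accounts: FrozenSet[str] = FORMER_ACCOUNTS,
                            ignore: FrozenSet[str] = MUNDI_SUPPORT) -> List[str]:
    """Return the review findings; an empty list means every checked point holds.

    Covers the points of section 4.6 that the IAM user list can answer: only the
    technical manager in the admin group, exactly the technical administrators
    in power_user, former accounts gone, and no account that nobody approved.
    """
    findings = []
    active = {u.name: u for u in users if u.enabled and u.name not in ignore}

    admins = {n for n, u in active.items() if "admin" in u.groups}
    if admins != {technical_manager}:
        findings.append(f"admin group must contain only {technical_manager}, "
                        f"found {sorted(admins)}")

    power_users = {n for n, u in active.items() if "power_user" in u.groups}
    if power_users != set(technical_admins):
        findings.append(f"power_user group must be exactly {sorted(technical_admins)}, "
                        f"found {sorted(power_users)}")

    for name in sorted(set(active) & former_accounts):
        findings.append(f"former account {name} is still active: delete or revoke it")

    approved = set(technical_admins) | {technical_manager}
    for name in sorted(set(active) - approved - former_accounts):
        findings.append(f"account {name} is active but not on the approved list")
    return findings


if __name__ == "__main__":
    for finding in review_console_accounts(SAMPLE_USERS) or ["review passed"]:
        print(finding)
```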


    5 Network Management

    This chapter addresses parts of the domain A.9 Physical and environmental security of ISO 27001:2005.

    5.1 Perimeter security

    The first network security layer that protects your platform assets is the perimeter security. It is built on dedicated OTC features and components, such as Virtual Private Cloud, Subnet and Security Group.

    5.1.1 Virtual Private Cloud

    The Virtual Private Cloud (VPC) service enables you to provision logically isolated, configurable and manageable virtual networks for Elastic Cloud Servers (ECS), improving the security of resources in the cloud system and simplifying network deployment. You can create security groups and Virtual Private Networks (VPN), configure IP address segments and specify bandwidth sizes in your VPC. With a VPC, you can manage and configure internal networks and change network configurations, simplifying network management. You can also enhance ECS security by customizing access rules within a single security group or across multiple security groups. Specifically, a VPC enables you to:
    • Have full control over your virtual networks, for example by creating your own network.
    • Create security groups to improve your network security.
    • Assign elastic IP addresses (EIP) for use in a VPC and bind them to ECS in your VPC to connect the ECS to the Internet.
    • Connect a VPC to your data centre using a VPN for smooth application migration to the cloud.
    • Communicate with other VPCs using VPC peering connections.


    System Architecture – VPC and VPC Peering

    A VPC peering connection is a network connection between two VPCs that enables you to route traffic between them using private IP addresses. A VPC peering connection can be set up between two VPCs inside a tenant, or between a local VPC in your own tenant and a VPC in another tenant within the same region. VPC peering connections allow a subnet to be peered only once with another subnet. Specific documentation for VPC peering can be found at https://docs.otc.t-systems.com/en-us/usermanual/vpc/en-us_topic_0046655035.html Further information on VPC can be found in the Open Telekom Cloud documentation: https://docs.otc.t-systems.com/en-us/usermanual/vpc/en-us_topic_0013748729.html Further information on VPN can be found in the OTC documentation: https://docs.otc.t-systems.com/en-us/vpn/index.html

    5.1.2 Front-end and Back-end VPC

    In many processing configurations, there is a front-end / back-end split:
    • The front-end manages remote access from the Internet, the public data storage and the website.
    • The back-end manages the processing, the private data storage and everything else that does not need to be exposed publicly.

    We advise you to build two different VPCs, one for the front-end and one for the back-end. You assign EIPs and give direct access from the Internet only to the front-end, and use it as a gateway before accessing the back-end. The two VPCs are connected through a VPC peering with subnet routing. In the front-end VPC, the Security Group policy allows INBOUND traffic:
    • to an Elastic Load Balancer on TCP ports 80 and 443 only, for HTTP/HTTPS access,
    • to a gateway ECS on TCP port 22 only, for remote SSH access.
    In the back-end VPC, the Security Group policy allows INBOUND traffic only from the front-end Security Group, on the required TCP ports. For OUTBOUND traffic, all ECS except the gateway ECS use a NAT Gateway linked to the front-end VPC.

    System Architecture – NAT Gateway

    Virtual Private Cloud, Security Group, VPC Peering and NAT Gateway can be found on the console, Network section. Further information in Open Telekom Cloud documentation for VPC peering. https://docs.otc.t-systems.com/usermanual/vpc/en-us_topic_0046655035.html


    Further information in Open Telekom Cloud documentation for Security Group. https://docs.otc.t-systems.com/usermanual/vpc/en-us_topic_0013748715.html Further information in Open Telekom Cloud documentation for NAT Gateway. https://docs.otc.t-systems.com/en-us/usermanual/nat/en-us_topic_0086739762.html

    5.2 Environments segregation

    An IT platform is usually built on several environments with different roles during the IS lifecycle. You can have:
    • a development environment, holding the latest version of the IS, which is still being built or continuously integrated,
    • a validation or test environment, sometimes a complete copy of the production environment, holding a finalised version of the IS that is being tested but is not yet deployed in production,
    • and finally a production environment, which holds the live version of the IS.
    As a matter of security, those different environments have to be segregated, in order to avoid any mismatch in access, deployment, operations or changes. We advise you to segregate those environments by building a dedicated VPC for each environment. The network flows between those VPCs are then easily managed by VPC peering and Security Group rules.

    5.3 ECS network management

    Depending on the Operating System installed on the ECS, virtual machine-based firewall features can be activated. On top of the perimeter security provided by the VPC and the Security Group, you can also activate port access control in the ECS. This access control shall be done in coherence with the port access control provided by the Security Group to which the ECS is attached.
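    The front-end / back-end Security Group design of 5.1.2 and the host-firewall coherence rule of 5.3 can both be checked from an export of the rules. The script below is an added example, not part of this document or of OTC's tooling; the group names, CIDRs and ports are constructed sample data.

```python
"""Consistency checks for the front-end / back-end security group design (5.1.2)
and for ECS host firewalls that must stay coherent with their security group (5.3).

Added example, not part of the original document and not an OTC tool. Rules are
modelled as plain records; group names, CIDRs and ports below are constructed
sample data. In practice the rules would be exported from the VPC console.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Port = Tuple[str, Optional[int]]   # (protocol, port); port None means all ports


@dataclass(frozen=True)
class Rule:
    direction: str        # "inbound" or "outbound"
    protocol: str         # "tcp", "udp", "icmp" or "any"
    port: Optional[int]   # None means all ports
    source: str           # CIDR, or "sg:<group>" when the source is a security group


def inbound(rules: List[Rule]) -> List[Rule]:
    return [r for r in rules if r.direction == "inbound"]


def check_frontend(elb_rules: List[Rule], gateway_rules: List[Rule]) -> List[str]:
    """Front-end VPC: only HTTP/HTTPS may reach the ELB and only SSH the gateway ECS."""
    findings = []
    for r in inbound(elb_rules):
        if r.protocol != "tcp" or r.port not in (80, 443):
            findings.append(f"ELB group: inbound {r.protocol}/{r.port} from {r.source} is not HTTP/HTTPS")
    for r in inbound(gateway_rules):
        if r.protocol != "tcp" or r.port != 22:
            findings.append(f"gateway group: inbound {r.protocol}/{r.port} from {r.source} is not SSH")
    return findings


def check_backend(backend_rules: List[Rule], frontend_groups: Set[str]) -> List[str]:
    """Back-end VPC: inbound only from front-end security groups, on explicit TCP ports."""
    allowed_sources = {f"sg:{g}" for g in frontend_groups}
    findings = []
    for r in inbound(backend_rules):
        if r.source not in allowed_sources:
            findings.append(f"back-end group: inbound {r.protocol}/{r.port} from {r.source} bypasses the front-end")
        elif r.protocol != "tcp" or r.port is None:
            findings.append(f"back-end group: rule from {r.source} is not restricted to a single TCP port")
    return findings


def _port_order(p: Port):
    return (p[0], -1 if p[1] is None else p[1])


def check_host_firewall(sg_rules: List[Rule], host_open: Set[Port]) -> Tuple[List[Port], List[Port]]:
    """Compare the ports the ECS firewall opens with what its security group admits.

    Returns (sg_only, host_only): ports admitted by the group but closed on the
    host (needless perimeter exposure) and ports opened on the host that the
    group blocks anyway (a sign the two layers were not configured together).
    """
    sg_open = {(r.protocol, r.port) for r in inbound(sg_rules)}
    return (sorted(sg_open - host_open, key=_port_order),
            sorted(host_open - sg_open, key=_port_order))


# Constructed sample rules (hypothetical group names; 203.0.113.0/24 is a documentation range).
FRONTEND_GROUPS = {"frontend-elb", "frontend-gateway"}
ADMIN_NET = "203.0.113.0/24"
ELB_RULES = [
    Rule("inbound", "tcp", 80, "0.0.0.0/0"),
    Rule("inbound", "tcp", 443, "0.0.0.0/0"),
    Rule("inbound", "tcp", 8080, "0.0.0.0/0"),    # left over from a test: flagged
]
GATEWAY_RULES = [Rule("inbound", "tcp", 22, ADMIN_NET)]
BACKEND_RULES = [
    Rule("inbound", "tcp", 5432, "sg:frontend-gateway"),
    Rule("inbound", "tcp", 8000, "sg:frontend-elb"),
    Rule("inbound", "tcp", 22, "0.0.0.0/0"),       # direct SSH from the Internet: flagged
]
# Ports the back-end ECS host firewall opens (constructed).
BACKEND_HOST_PORTS: Set[Port] = {("tcp", 5432), ("tcp", 8000), ("tcp", 9100)}


if __name__ == "__main__":
    for f in check_frontend(ELB_RULES, GATEWAY_RULES) + check_backend(BACKEND_RULES, FRONTEND_GROUPS):
        print(f)
    print(check_host_firewall(BACKEND_RULES, BACKEND_HOST_PORTS))
```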

    5.4 OBS security

    Object Storage Service can be used either for public storage or for private storage. In the case of private storage, a few permissions and lifecycle rules have to be configured in the corresponding bucket. By default, the universal bucket policy shall be set to Private: with the bucket selected, open Permissions in the left menu, Bucket Policy tab, and select “Private” in the Universal Policy section. Then some dedicated rights can be granted to selected users.


    Global permissions can be managed in the Bucket ACL tab, either for Anonymous User (anyone), Registered User (OTC users with their dedicated Access Keys) or a list of specific users. Advanced settings can be managed in the Bucket Policy tab, in the Advanced Settings section. Advanced settings give you fine-grained permission control. If a conflict occurs between a universal bucket policy and a policy with advanced settings, the bucket policy with advanced settings prevails. You can allow or deny detailed actions (S3 commands, for example GetObject or DeleteObject) on detailed objects of the bucket (for example a folder of the bucket) for a specific user or list of users. Object Storage Service can be found on the console, Storage section, Object Storage Service tool. Further information in Open Telekom Cloud documentation. https://docs.otc.t-systems.com/en-us/usermanual/obs/en-us_topic_0045853681.html
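    To see how a Private universal policy and a few advanced statements combine for a given user, action and object, the evaluator below is an added example, not part of this document and not OTC's policy engine. Users, key prefixes and statements are constructed; the rule that an explicit Deny wins over an Allow is an assumption borrowed from S3-style policies.

```python
"""Evaluates what a given user may do on a private OBS bucket whose universal
policy is Private and whose advanced settings grant or deny specific actions.

Added example, not part of the original document and not OTC's policy engine.
The statements use an S3-style shape with constructed user names and key
prefixes. One rule is an assumption: when several advanced statements match,
an explicit Deny wins over an Allow, as in S3-style policies; the document
itself only states that advanced settings prevail over the universal policy.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List

ANYONE = "*"


@dataclass(frozen=True)
class Statement:
    effect: str                  # "Allow" or "Deny"
    principals: FrozenSet[str]   # user names, or {"*"} for anyone
    actions: FrozenSet[str]      # S3-style actions: "GetObject", "PutObject", ...
    resource_prefix: str         # object key prefix; "" covers the whole bucket


@dataclass
class BucketPolicy:
    universal: str               # "Private", as the document recommends
    advanced: List[Statement] = field(default_factory=list)


def _matches(stmt: Statement, user: str, action: str, key: str) -> bool:
    principal_ok = ANYONE in stmt.principals or user in stmt.principals
    return principal_ok and action in stmt.actions and key.startswith(stmt.resource_prefix)


def is_allowed(policy: BucketPolicy, user: str, action: str, key: str) -> bool:
    """Decide a request: advanced settings first, then the universal policy."""
    matched = [s for s in policy.advanced if _matches(s, user, action, key)]
    if any(s.effect == "Deny" for s in matched):
        return False             # assumption: an explicit Deny prevails over any Allow
    if any(s.effect == "Allow" for s in matched):
        return True
    # No advanced statement applies, so the universal policy decides.
    if policy.universal == "Private":
        return False             # nothing is granted without an advanced Allow
    raise ValueError("only the Private universal policy is modelled here")


def statements_open_to_anyone(policy: BucketPolicy) -> List[Statement]:
    """Audit helper: Allow statements for anyone would re-open a Private bucket."""
    return [s for s in policy.advanced if s.effect == "Allow" and ANYONE in s.principals]


# Constructed policy for a private bucket (hypothetical users and folders).
SAMPLE_POLICY = BucketPolicy(
    universal="Private",
    advanced=[
        # the processing service account reads and writes its own input folder
        Statement("Allow", frozenset({"proc-svc"}), frozenset({"GetObject", "PutObject"}), "incoming/"),
        # analysts may read anything in the bucket
        Statement("Allow", frozenset({"analyst"}), frozenset({"GetObject"}), ""),
        # nobody deletes from the archive folder, whatever else they were granted
        Statement("Deny", frozenset({ANYONE}), frozenset({"DeleteObject"}), "archive/"),
    ],
)


if __name__ == "__main__":
    for user, action, key in [("analyst", "GetObject", "archive/2018.tif"),
                              ("analyst", "DeleteObject", "archive/2018.tif"),
                              ("proc-svc", "PutObject", "incoming/scene.zip"),
                              ("proc-svc", "PutObject", "archive/scene.zip"),
                              ("anonymous", "GetObject", "incoming/scene.zip")]:
        print(user, action, key, "->", is_allowed(SAMPLE_POLICY, user, action, key))
    print("open to anyone:", statements_open_to_anyone(SAMPLE_POLICY))
```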

    5.5 Firewalls

    A firewall consists of one or more ACLs and provides stateful access control services. It monitors and controls inbound and outbound network traffic based on preconfigured ACL rules. Based on inbound and outbound rules, the firewall determines whether data packets are allowed in or out of any associated subnet. You can create a custom firewall. By default, a newly created firewall is disabled. It does not have subnets associated with it, nor does it have any inbound or outbound rules. Firewalls can be found in the console, Network section, Firewall tool. Further information in Open Telekom Cloud documentation. https://docs.otc.t-systems.com/usermanual/vpc/en-us_topic_0051746698.html

    5.6 Anti-DDoS

    The Anti-DDoS traffic cleaning service accurately defends against distributed denial-of-service (DDoS) attacks initiated at Layers 4 to 7 of the OSI network model. This service protects instances from many types of DDoS attacks, such as CC (challenge collapsar), SYN flood and UDP flood, and helps ensure service stability and reliability. It defends resources like Elastic Cloud Servers and Elastic Load Balance instances against network- and application-layer distributed denial of service (DDoS) attacks and sends alarms immediately when detecting an attack. In addition, it improves the utilization of bandwidth and ensures the stable running of users' services. Anti-DDoS can be found in the console, Security section, Anti-DDoS tool. Further information in Open Telekom Cloud documentation. https://docs.otc.t-systems.com/usermanual/antiddos/en-us_topic_0023977462.html


    6 IS development & maintenance

    This chapter addresses parts of the domains A.10 Communications and operations management, A.12 Information systems acquisition, development and maintenance, and A.14 Business continuity management of ISO 27001:2005.

    6.1 Secure coding

    In order to ensure end-to-end security of the applications, we also have to take into account the way the applications are developed. A first step in secure coding is to implement the Open Web Application Security Project (OWASP) recommendations. OWASP is an online community that produces freely available articles, methodologies, documentation, tools and technologies in the field of web application security. Please see https://www.owasp.org. OWASP publishes and regularly updates a list of some of the most critical risks, called the Top 10 application security risks. OWASP also publishes a Software Assurance Maturity Model, a Development Guide, a Code Review Guide and a few other useful IS security publications. The 2017 OWASP Top 10 application security risks are:
    • A1:2017-Injection
      • Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
    • A2:2017-Broken Authentication
      • Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
    • A3:2017-Sensitive Data Exposure
      • Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
    • A4:2017-XML External Entities (XXE)
      • Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
    • A5:2017-Broken Access Control
      • Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
    • A6:2017-Security Misconfiguration
      • Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
    • A7:2017-Cross-Site Scripting (XSS)
      • XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
    • A8:2017-Insecure Deserialization
      • Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
    • A9:2017-Using Components with Known Vulnerabilities
      • Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts.
    • A10:2017-Insufficient Logging & Monitoring
      • Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

    6.2 VM image update

    OTC provides users with a large choice of public VM images, including the most used Linux distributions (CentOS, SUSE, RedHat, …) and also Microsoft Windows. Among those public images, several image types are available:
    • Community: these are freeware images that come from the community as is. They have not undergone any modification (e.g. hardening) by T-Systems.
    • Standard: these are free self-managed Linux images, which have been built within the T-Systems OTC Image Factory. They have received some basic hardening and UVP tools injection.
    • Enterprise: these are paid self-managed Linux or Windows images, which have been built within the T-Systems OTC Image Factory. They have received some basic hardening and UVP tools injection. Subscriptions, KMS and Patch Management infrastructure are available for these images.
    Those images are regularly updated:
    • New images for Linux and Windows Enterprise and Linux Standard images every month (on the 14th), including the latest patches.
    • The new image name contains the build date; the previous image will not be deleted but made invisible, and old images will be deleted after 2 years.
    • For Linux, there will always be an image with the name _latest; this image is updated as often as necessary (e.g. weekly), includes the latest or emergency bug/security fixes, and is replaced as soon as a new image is available.
    • For Microsoft Windows, the security updates are provided via a local WSUS server and are installed automatically during the night.
    Further information in Open Telekom Cloud documentation. https://docs.otc.t-systems.com/en-us/ims/index.html

    6.3 EVS encryption

    In case your services require encryption for the data stored on EVS disks, EVS provides you with the encryption function. You can encrypt newly created EVS disks. Keys used by encrypted EVS disks are provided by the Key Management Service (KMS), which is secure and convenient (see the Security keys management chapter in this document). Therefore, you do not need to establish and maintain the key management infrastructure. Further information in Open Telekom Cloud documentation. https://docs.otc.t-systems.com/en-us/usermanual/evs/evs_01_0001.html


    6.4 OBS Encryption

    OBS allows users to encrypt objects using server-side encryption so that the objects can be securely stored on OBS. After server-side encryption is enabled, objects to be uploaded will be encrypted and stored on the server. When downloading the encrypted objects, the encrypted data will be decrypted on the server and displayed in plaintext to users. OBS Console supports server-side encryption with KMS-managed keys (SSE-KMS). In SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption. See 4.4.3 for more details on KMS. The objects to be uploaded can be encrypted using SSE-KMS. You need to create a key using KMS or use the default key provided by KMS. Then you can use the KMS key to perform server-side encryption when uploading objects on OBS. OBS supports both SSE-KMS and server-side encryption with customer-provided keys (SSE-C) by invoking APIs. In SSE-C mode, OBS uses the keys and MD5 values provided by customers for server-side encryption. For more details refer to https://docs.otc.t-systems.com/en-us/usermanual/obs/en-us_topic_0066036553.html

    6.5 Cloud Trace Service (CTS)

    As a best practice, Cloud Trace Service (CTS) should be activated. CTS provides operation records for cloud service resources. The operation records include resource operation requests initiated from the public cloud management console or open APIs, and the responses to those requests. You can query, audit and backtrack the operation records. In addition, you can use the Object Storage Service (OBS) to synchronize operation records to OBS buckets. Cloud Trace Service (CTS) is a log audit service that is available for cloud security. It allows you to collect, store and query resource operation records. You can use these records to perform security analyses, track resource changes, audit compliance and locate faults. CTS provides the following functions:
    - Trace recording: CTS records operations performed on the management console or by calling APIs, as well as operations triggered by each interconnected service.
    - Trace query: operation records of the last seven days can be queried on the management console from multiple dimensions, such as the trace source, trace name, operation type, resource name, resource ID and time.
    - Trace dumping: traces are delivered to Object Storage Service (OBS) buckets on a regular basis for long-term storage. In this process, traces are compressed into trace files by service.
    - Key event notification: CTS works with Simple Message Notification (SMN) to send emails or SMS messages to notify you of some key operations.
    Further information can be found in the OTC documentation: https://docs.otc.t-systems.com/en-us/cts/index.html
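    The trace files dumped to OBS are what a security analysis works on. The script below, an added example and not part of this document, picks the key operations out of a batch of records and counts them per user; the records, their field names and the watch list are constructed for the example and do not claim to match the real CTS trace file schema.

```python
"""Extracts the key operations from a batch of CTS trace records, the kind that
CTS dumps to an OBS bucket and that SMN can notify on.

Added example, not part of the original document. The records, their field
names and the watch list are constructed for this example and do not claim to
match the real CTS trace file schema; adapt the field names to the dump format.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set, Tuple

# Constructed dump of five trace records (hypothetical users, resources and
# addresses from documentation ranges).
SAMPLE_TRACE_FILE = json.dumps([
    {"time": "2018-11-27T09:15:00+00:00", "user": "tech.manager", "service_type": "IAM",
     "trace_name": "createUser", "resource_name": "admin.erin", "source_ip": "203.0.113.10"},
    {"time": "2018-11-27T10:02:00+00:00", "user": "admin.alice", "service_type": "VPC",
     "trace_name": "createSecurityGroupRule", "resource_name": "backend-sg", "source_ip": "203.0.113.11"},
    {"time": "2018-11-27T10:05:00+00:00", "user": "admin.alice", "service_type": "ECS",
     "trace_name": "listServers", "resource_name": "-", "source_ip": "203.0.113.11"},
    {"time": "2018-11-15T22:40:00+00:00", "user": "admin.bob", "service_type": "EVS",
     "trace_name": "deleteVolume", "resource_name": "data-disk-03", "source_ip": "203.0.113.12"},
    {"time": "2018-11-26T18:30:00+00:00", "user": "admin.bob", "service_type": "OBS",
     "trace_name": "setBucketPolicy", "resource_name": "mundi-private-bucket", "source_ip": "198.51.100.7"},
])

# Operations worth an immediate notification (hypothetical choice of names).
WATCHLIST: Set[Tuple[str, str]] = {
    ("IAM", "createUser"), ("IAM", "addUserToGroup"),
    ("VPC", "createSecurityGroupRule"),
    ("OBS", "setBucketPolicy"),
    ("EVS", "deleteVolume"),
}

# Fixed reference time (the document's date) so the sample is reproducible.
DEFAULT_NOW = datetime(2018, 11, 28, tzinfo=timezone.utc)


def load_traces(text: str) -> List[Dict]:
    return json.loads(text)


def key_events(traces: Iterable[Dict], now: datetime = DEFAULT_NOW,
               watchlist: Set[Tuple[str, str]] = WATCHLIST, days: int = 7) -> List[Dict]:
    """Traces within the last `days` whose (service, operation) is on the watch list.

    The seven-day default mirrors the console query window; older records exist
    only in the OBS dump, which is why the dump is worth keeping (pass days=30
    to look further back in a dump).
    """
    cutoff = now - timedelta(days=days)
    hits = []
    for t in traces:
        when = datetime.fromisoformat(t["time"])
        if when >= cutoff and (t["service_type"], t["trace_name"]) in watchlist:
            hits.append(t)
    return hits


def by_user(hits: Iterable[Dict]) -> Dict[str, int]:
    """Count key operations per user, a quick input for the monthly access review."""
    return dict(Counter(t["user"] for t in hits))


def format_alert(t: Dict) -> str:
    """One line per key operation, the shape an SMN notification could carry."""
    return (f"{t['time']} {t['user']}@{t['source_ip']} "
            f"{t['service_type']}:{t['trace_name']} on {t['resource_name']}")


if __name__ == "__main__":
    hits = key_events(load_traces(SAMPLE_TRACE_FILE))
    for h in hits:
        print(format_alert(h))
    print(by_user(hits))
```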

    6.6 Secure Data Deletion

    For object storage (OBS), an object's metadata is deleted when the tenant deletes the object. Without metadata, it is impossible to retrieve deleted objects or recover deleted data. For EVS, metadata is deleted when the tenant discards the VM disk. Additionally, a specific mechanism prevents remaining data from being accessed by another tenant. When a piece of disk space that had been discarded by tenant A is reassigned to tenant B, before tenant B writes data to this disk space, the storage management layer retrieves the disk metadata and finds that this disk space is marked as ‘deleted’. The storage management layer returns ‘0’ to the ECS for this disk space. If the tenant writes data to this disk space, the whole disk space is overwritten with the new data, padded with ‘0’, and marked as ‘used’.


    7 Availability Management

    This chapter addresses parts of the domain A.14 Business continuity management of ISO 27001:2005. We propose to address Availability Management at three different levels:
    • At the network access level, using OTC’s Elastic Load Balancer tool,
    • At the level of the ECS, using OTC’s availability zones,
    • And at the software level, using the different backup and recovery tools proposed by OTC.

    7.1 Elastic Load Balancer

    Elastic Load Balance (ELB) automatically distributes incoming traffic across multiple backend Elastic Cloud Servers (ECS) based on configured forwarding policies. This improves the fault tolerance and increases the availability of your applications. You can create a load balancer, configure a listening protocol and port, and add backend ECS to a load balancer. You can also check the running state of backend ECS to ensure that requests are sent only to healthy ECS. ELB provides two types of load balancers: classic load balancer and enhanced load balancer. You can select an appropriate type to better fit your scenarios and requirements. Both types of load balancers can work in a public or private network:
    • Classic Load Balancer: classic load balancers are applicable to web services with low access traffic and simple application models.
    • Enhanced Load Balancer: enhanced load balancers are applicable to web services with high access traffic. They forward the requests based on domain names or URLs, making request routing more flexible. Enhanced load balancers provide comprehensive Layer 7 load balancing capabilities and more powerful forwarding performance.

    The Elastic Load Balancer tool can be found in the console, Network section, Elastic Load Balancer tool, Elastic Load Balancer menu. Further information in Open Telekom Cloud documentation. https://docs.otc.t-systems.com/usermanual/elb/en-us_topic_0015479966.html


    7.2 Availability Zone

    ECS can be deployed in multiple availability zones (AZ). The AZs are connected with each other through an internal network. If an AZ becomes faulty, the ECS in another AZ will not be affected. The AZ paradigm also applies to some other OTC tools, including EVS (disks). Disks can only be attached to servers in the same AZ as the disks. You cannot change the AZ of a disk that has already been created. The AZ related to the ECS can be seen in the console, Computing section, Elastic Cloud Server tool, column AZ of the ECS list. The AZ can be chosen during the ECS creation but cannot be changed during the life of the ECS. Further information in Open Telekom Cloud documentation. https://docs.otc.t-systems.com/usermanual/ecs/en-us_topic_0013771112.html

    7.3 Backup and recovery

    OTC proposes several backup tools, depending on the needs and the level of the backup operation.

    7.3.1 Volume Backup Service (VBS)

    Volume Backup Service (VBS) performs backup and restoration of disks to safeguard your data. You can use a VBS backup to create a disk or restore an existing disk. To ensure data security, new backup data of encrypted disks will be encrypted for storage. Volume Backup Service (VBS) provides snapshot-based data protection for Elastic Volume Service (EVS) disks. VBS secures your data, even if an EVS disk is faulty or encounters a logical error (for example, mis-deletion, hacker attacks and virus infection). It allows you to effortlessly create backups of your data, and these data backups can be used to restore data quickly. VBS supports both full and incremental backup modes. By default, the system performs a full backup initially, and then performs incremental backups. You can use a data backup generated in either backup mode to restore the source EVS disk to the state the EVS disk was in when the backup was created. Volume Backup Service can be found in the console, Storage section, Volume Backup Service tool, Volume Backup Service menu. Use Case for VBS: backup and restore EVS disks independently from each other. Further information in Open Telekom Cloud documentation. https://docs.otc.t-systems.com/usermanual/vbs/en-us_topic_0015667828.html

    7.3.2 Cloud Server Backup Service (CSBS)

    Cloud Server Backup Service (CSBS) offers the backup protection service for Elastic Cloud Servers (ECSs). It works based on the consistent snapshot technology for Elastic Volume Service (EVS) disks, meaning you can seamlessly use backup data to restore ECS data. CSBS enhances data integrity and service continuity. For example, if an ECS is faulty or a misoperation causes data loss, you can use data backups to restore data quickly. By default, CSBS executes a full backup for an ECS that has not been backed up using CSBS and performs incremental backups subsequently. Both full backup and incremental backup can restore an ECS to the state at the backup point in time. CSBS combines ECS and Object Storage Service (OBS) to back up ECS data to object storage, enhancing backup data security. Use Case for CSBS: backup and restore an entire ECS including system and data disks at once. For more details refer to OTC documentation: https://docs.otc.t-systems.com/en-us/csbs/index.html

    7.3.3 Storage Disaster Recovery Service (SDRS)

    Storage Disaster Recovery Service (SDRS) provides disaster recovery (DR) services for many public cloud services, such as Elastic Cloud Server (ECS) and Elastic Volume Service (EVS). SDRS uses multiple technologies, such as storage replication, data redundancy and cache acceleration, to provide high data reliability and service continuity for users. SDRS protects service applications by replicating server data and specifications in a target AZ. It allows service applications to start in the target AZ in the event that servers in the source AZ stop. This improves service availability and continuity. For more details refer to OTC documentation: https://docs.otc.t-systems.com/en-us/sdrs/index.html

    7.3.4 EVS Snapshot

    A snapshot is a copy of the data on a disk at a particular point in time. You can quickly back up critical service data on your disks by taking snapshots. EVS allows you to create snapshots for disks on the management console or by making API calls. An EVS snapshot is a complete copy or image of the disk data at a specific time point. As a major disaster recovery approach, you can use a snapshot to completely restore the data to the time point when the snapshot was created. You can create a snapshot so as to rapidly save the disk data at a specified time point. In addition, you can use snapshots to create new disks so that the created disks contain the snapshot data from the beginning. Snapshots can be found in the console, Storage section, Elastic Volume Service tool, Snapshot menu. Further information in Open Telekom Cloud documentation. https://docs.otc.t-systems.com/en-us/usermanual/evs/en-us_topic_0066809008.html


    8 Addendum - Create a technical User

    Once you've become a 3PU and Mundi's service desk has provided you with your Tenant, you can access the Cloud console. You just have to log in to Mundi’s website and, in the My Account section, click on the My Resources tab. If you click on the "Manage" button, you will be redirected and automatically logged in to the Open Telekom Cloud console. The console is the place where you manage your Tenant: set up new processing capabilities through Elastic Cloud Servers, define storage volumes through Elastic Volume Service or Object Storage Service, and enhance security and networking through Virtual Private Cloud. At this stage, the user you are logged in with is a special user. Consider it as an administrative user that will be used to create technical users with the console. We advise you to use dedicated technical users to create and manage cloud items, as the administrative user could face some technical limitations.

    8.1 Prerequisites None.

    8.2 Procedure

    Once connected to the console’s homepage, in the Management & Deployment section, use the Identity & Access Management tool.


    You access the IAM. In the left panel, select User. Here is the list of the users of your Tenant. You will find also a few specific users that you can't manage. They are Mundi's administrative users for support.

    Use the "+ Create User" button to create a new user. Define Username, set Credential Type to Password, add admin as User Groups (to get maximum access rights), then click the "Next" button.


    In the next screen, set Password Type to "Set at first login", and type your Email address. We advise you to add a Mobile Number, as it can ease some security processes using SMS validation codes.


You will then get an email from Open Telekom Cloud with a link. Click on the link, define your password (following the proposed policy), and finally connect to the console with this new user.


More info in OTC's documentation for IAM: https://docs.otc.t-systems.com/usermanual/iam/en-us_topic_0046611303.html

For technical users, accessing the Cloud console can be done directly through the Multitenant connection screen: https://console.otc.t-systems.com/


    9 Addendum - Create a Key Pair

Before using your first Elastic Cloud Server on the Open Telekom Cloud, you need to set up a few security settings. First, get an SSH key to connect to your VM. You will reference this Key Pair later, at the creation of the ECS.

9.1 Prerequisites

A technical user has been created and logged in.

9.2 Procedure

Log into the management console. On the console homepage, under the section Computing, use the Elastic Cloud Server tool.

    Scroll down the list in the left panel, and click Key Pair.


    Click the “+ Create Key Pair” button.

Enter a Name for the key, then click the "OK" button. The generated key is downloaded to your PC, and a warning notice is displayed. If necessary, copy the key to a more appropriate directory on your PC so that you can easily retrieve it later: you will need it to connect to your ECS. Click the "OK" button.


More info in OTC's documentation for ECS: https://docs.otc.t-systems.com/usermanual/ecs/en-us_topic_0014250631.html

9.3 Creating ssh keys on a Linux ECS

Apart from the initial ssh key used during the creation of an ECS, you can also manage your own keys directly in your Linux ECS. For each user, the ssh keys granted are stored in the file authorized_keys in the $HOME/.ssh directory of that user. You can add to this file either ssh keys created with the Key Pair management tool, or keys generated with the dedicated Linux command ssh-keygen. It creates a public key file and a private key file: the private key stays on the machine you connect from and is used for the ssh connection, while the public key is the one to be stored in the authorized_keys file on the ECS.
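The steps above, as an added shell example that is not part of the Mundi guide: generate a key pair with ssh-keygen (when available) and install a public key into a user's authorized_keys with the permissions sshd requires. The directory, the comment string and the sample key line are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Mundi guide): create an ssh key pair on a
# Linux ECS and install the public half into authorized_keys. The .ssh
# directory is a parameter so the functions can run against a scratch dir.

# Generate an ed25519 key pair at $1 (private) and $1.pub (public).
# Needs ssh-keygen; returns 1 when it is not installed.
generate_key_pair() {
    command -v ssh-keygen >/dev/null 2>&1 || return 1
    ssh-keygen -q -t ed25519 -N '' -C "technical-user@ecs" -f "$1"
}

# Install one public-key line ($1) into authorized_keys under the .ssh
# directory $2, creating both with the modes sshd insists on (700 on
# .ssh, 600 on authorized_keys). Rejects lines that do not look like an
# OpenSSH public key and skips keys that are already present.
install_authorized_key() {
    key=$1
    ssh_dir=$2
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *) ;;
        *) echo "refusing line that is not an OpenSSH public key" >&2; return 2 ;;
    esac
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    auth="$ssh_dir/authorized_keys"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    # Compare on key type and base64 blob only, so a different trailing
    # comment does not produce a duplicate entry.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$auth" | grep -qxF "$blob"; then
        return 0    # already authorised, nothing to do
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Number of keys currently authorised in the .ssh directory $1.
count_authorized_keys() {
    if [ -f "$1/authorized_keys" ]; then
        grep -c . "$1/authorized_keys" || true
    else
        echo 0
    fi
}
```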


    10 Addendum - Configure a Virtual Private Cloud

After creating your first Elastic Cloud Server on the Open Telekom Cloud, you need to set up a few security settings and tweak network rules to reach your VM from the Internet. You will reference the corresponding Security Group at the creation of each new ECS.

10.1 Prerequisites

A technical user has been created and logged in. A new VPC has been automatically created when the first ECS was created. A default Security Group has been automatically created when the first ECS was created.

10.2 Procedure

Log into the management console. On the console homepage, under the section Computing, use the Virtual Private Cloud tool.


    You access the Network Console. In the left panel, select Security Group.

Here is the list of the security groups. There is a default one that was created when the first ECS was created.

    For this default security group, click on "Fast-Add Rule", and then for Inbound traffic, allow SSH, RDP, HTTP and HTTPS, with default Source set to IP address 0.0.0.0/0 (all sources).


SSH is mandatory for Linux VMs. RDP is needed only for Microsoft Windows VMs. HTTP and HTTPS are useful if you intend to run a website on your VM. Click the "OK" button. You will then be able to reach all the ECS connected to the default security group through those 4 protocols. When the configuration is finished, your default Security Group shall look like this:

The Inbound Any/Any/default rule grants full access between the ECS of this default Security Group. The Outbound Any/Any/Any rule grants full access to the Internet from this Security Group. If one of those rules is missing in your configuration, add it with the "Add Rule" button.

More info in OTC's documentation for VPC: https://docs.otc.t-systems.com/usermanual/vpc/en-us_topic_0013748715.html


    11 Addendum - Cloud Security recommendations

    • Implement logging via CTS for each tenant and also on application logging. The actual CTS data are available on the platform and cannot be deleted for 7 days. The older CTS data is stored in OBS and can be downloaded.

    • https://docs.otc.t-systems.com/en-us/usermanual/cts/cts_faq_003.html

    • https://docs.otc.t-systems.com/en-us/usermanual/cts/cts_faq_006.html

    • Activate Load Balancer logs.

    • Move CTS privileges to Security Administrator Policy and remove it from Tenant Administrator Policy, so that a Power User with Tenant Administrator Policy has no permission to influence IAM and CTS.

    • Activate CTS Key Event Notification, so that you get a message when someone disables CTS or the CTS Key Event Notification.

    • Turn on 2-factor authentication (2FA) for your account on OTC Console.

    • Work with minimal permissions on console and API.

    • Backup data and configurations.

    • Separate services / applications in different projects.

    • Implement monitoring and alerting for critical services.

    • Change initial ECS passwords immediately after creation.

    • Limit access from the internet to the systems. Use security groups and console ACLs to restrict access to T-Systems outgoing proxies.
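The recommendation to limit Internet access with security groups, applied to the rule set configured in section 10, as an added shell example that is not part of the Mundi guide: it reads rules in the columns the console shows (Direction, Protocol, Port range, Source) and reports inbound rules that expose the administrative ports (SSH 22, RDP 3389) to every address. The line format and the sample rules are constructed for the example, not an OTC export format.

```shell
#!/bin/sh
# Added example (not from the Mundi guide): review security-group rules and
# flag inbound rules that expose administrative ports to the whole Internet.
# Constructed input format, one rule per line:
#   direction protocol port_min port_max source
# where "0 0" means all ports and source is a CIDR or a security-group name.

# Ports whose world-wide exposure is worth a finding. HTTP/HTTPS are left
# alone because the guide opens them on purpose for web sites.
ADMIN_PORTS="22 3389"

# True when the range $1-$2 contains port $3 (a 0-0 range means all ports).
range_covers() {
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && return 0
    [ "$1" -le "$3" ] && [ "$3" -le "$2" ]
}

# Read rules from stdin and print one line per finding.
audit_rules() {
    while read -r direction protocol pmin pmax source; do
        [ -z "$direction" ] && continue
        [ "$direction" = "inbound" ] || continue
        case "$source" in
            0.0.0.0/0|::/0) ;;          # open to every address
            *) continue ;;              # a CIDR or group; not a finding here
        esac
        if [ "$protocol" = "any" ]; then
            echo "FINDING: inbound any from $source exposes every port"
            continue
        fi
        for port in $ADMIN_PORTS; do
            if range_covers "$pmin" "$pmax" "$port"; then
                echo "FINDING: inbound $protocol port $port open to $source; restrict Source to your admin network"
            fi
        done
    done
}

# Number of findings for the rule set given on stdin.
count_findings() {
    audit_rules | grep -c FINDING || true
}

# Constructed sample: the default group after the section 10 procedure.
SAMPLE_RULES='inbound tcp 22 22 0.0.0.0/0
inbound tcp 3389 3389 0.0.0.0/0
inbound tcp 80 80 0.0.0.0/0
inbound tcp 443 443 0.0.0.0/0
inbound any 0 0 default
outbound any 0 0 0.0.0.0/0'
```

Running `printf '%s\n' "$SAMPLE_RULES" | audit_rules` reports the SSH and RDP rules; narrowing their Source to your administration network makes the findings disappear while the web ports stay open.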
