Cloud Security Challenges and Solutions
- Balraj S Boparai, CISSP
Worldwide Tivoli Security SWAT Team
Outline
• Introduction to Cloud computing
• Security Challenges in the Cloud
• Cloud security concerns
• IBM’s Point of View on Cloud Security
• IBM solutions for securing cloud
• Assessing the Security Risks of Cloud Computing
• Security as a Service
Introduction to Cloud Computing
What is Cloud Computing?
“Cloud” is a new consumption and delivery model for many IT-based services, in which the user sees only the service and has no need to know anything about the technology or implementation.
Attributes
Standardized, consumable web-delivered services
Flexible pricing
Elastic scaling
Service Catalog Ordering
Metering & Billing
Rapid provisioning
Advanced virtualization
VISIBILITY
CONTROL
AUTOMATION
....service oriented and service managed
Features of Cloud
The Layers of IT-as-a-Service
Collaboration Business Processes Industry Applications CRM/ERP/HR
Public …
• Service provider owned and managed
• Access by subscription
• Delivers select set of standardized business process, application and/or infrastructure services on a flexible price per use basis
Cloud Services Cloud Computing Model
Private …
• Privately owned and managed
• Access limited to client and its partner network
• Drives efficiency, standardization and best practices while retaining greater customization and control
Hybrid …
• Access to client, partner network, and third party resources
.…Standardization, capital preservation, flexibility and time to deploy
ORGANIZATION
.… Customization, efficiency, availability, resiliency, security and privacy
CULTURE
GOVERNANCE
...service sourcing and service value
Security and Cloud Computing
Cloud-onomics…
CLOUD COMPUTING
VIRTUALIZATION + ENERGY EFFICIENCY + STANDARDIZATION + AUTOMATION = Reduced Cost
….leverages virtualization, standardization and service management to free up operational budget for new investment
AGILITY + BUSINESS & IT ALIGNMENT + SERVICE FLEXIBILITY + INDUSTRY STANDARDS = OPTIMIZED BUSINESS
…allowing you to optimize new investments for direct business benefits
Security Challenges in the Cloud
What is Cloud Security?
Confidentiality, integrity, availability of business-critical IT assets stored or processed on a cloud computing platform
Software as a Service, Utility Computing, Grid Computing, Cloud Computing
“There is nothing new under the sun but there are lots of old things we don't know.”
Ambrose Bierce, The Devil's Dictionary
Security and the building blocks of Cloud Computing
• Strategic Outsourcing
• Global Outsourcing
• Grid Computing
• Service Oriented Architecture
• Web 2.0 Collaboration
• Virtualization
Cloud Computing is a natural evolution of the evolving IT paradigms listed above.
A variety of security technologies, processes, procedures, laws, and trust models are required to secure the cloud. There is no silver bullet!
Cloud Security: Simple Example
Today’s Data Center: We Have Control
• It’s located at X.
• It’s stored in servers Y, Z.
• We have backups in place.
• Our admins control access.
• Our uptime is sufficient.
• The auditors are happy.
• Our security team is engaged.
Tomorrow’s Public Cloud: Who Has Control?
• Where is it located?
• Where is it stored?
• Who backs it up?
• Who has access?
• How resilient is it?
• How do auditors observe?
• How does our security team engage?
Everybody is Concerned about the Security in (Public) Clouds
New technologies always introduce new threat vectors and new risks. “External” aspects of public clouds exacerbate concerns:
• “Black box” sharing in clouds reduces visibility and control, increases risk of unauthorized access and disclosures.
• Limited compatibility with existing enterprise security infrastructure limits adoption for mission-critical apps.
• Limited experience and low assurance raise doubts over cloud reliability (operational availability, long-term perspective).
• Privacy and accountability regulations may prevent cloud adoption for certain data and in certain geographies.
Different Clouds, Different Responsibilities
Software as a Service: Collaboration, Business Processes, Industry Applications, CRM/ERP/HR
The Cloud Curtain
Platform as a Service: Web 2.0 Application Runtime, Middleware, Database, Java Runtime, Development Tooling
The Cloud Curtain
Infrastructure as a Service: Servers, Data Center Fabric, Storage, Networking
Recent Analyst Reports Confirm General Concerns – But also Highlight Security as a Potential Market Differentiator
• “Securing your applications or data when they live in a cloud provider’s infrastructure is a complicated issue because you lack visibility and control over how things are being done inside someone else’s network.” Forrester, 5/09
• Gartner’s 7/09 “Hype Curve for Cloud Computing” positions Cloud Security Concerns into the early phase (technology trigger, will rise), and gives it a time horizon of 5-10 years
• “Large enterprises should generally avoid placing sensitive information in public clouds, but concentrate on building internal cloud and hybrid cloud capabilities in the near term.” Burton, 7/09
• “Cloud approaches offer a unique opportunity to shift a substantial burden for keeping up with threats to a provider for whom security may well be part of the value proposition.” EMA, 2/09
• “Highly regulated or sensitive proprietary information should not be stored or processed in an external public cloud-based service without appropriate visibility into the provider's technology and processes and/or the use of encryption and other security mechanisms to ensure the appropriate level of information protection.” Gartner 7/09
Security as a Potential Market Differentiator: Different Workloads have Different Risk Profiles
[Chart: Need for Security Assurance (Low to High) plotted against Business Risk (Low-risk, Mid-risk, High-risk)]
• Private: mission-critical workloads, personal information
• Hybrid: analysis & simulation with public data
• Public: training, testing with non-sensitive data
High value / high risk workloads need:
• Quality of protection adapted to risk
• Direct visibility and control
• Significant level of assurance
Today’s clouds are primarily here:
• Lower risk workloads
• One-size-fits-all approach to data protection
• No significant assurance
• Price is key
Cloud Security Concerns
Data exposure and Compromise
• Organizations uncomfortable with idea of data located on external systems
• Hosted providers cannot ensure absolute security
• Authentication and access technology becomes increasingly important
• Data segregation also becomes key in cloud
Reliability of service
• Reliability is a core advantage in cloud. It is very scalable and capable of meeting wide variations in processing power and users
• High availability is still a concern. Many cloud-based offerings do not offer SLAs
• Any (cloud) offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure
• Even if the provider refuses to tell you where it will store your data, it should tell you what would happen to your data and service if one of its sites succumbs to a disaster
Reduced ability to demonstrate compliance with regulations, standards and SLAs
• Public clouds are mostly by definition “a black box”
• Complying with SOX, HIPAA etc. regulations may prohibit clouds for some applications
• Geographical requirements
• A ‘Private’ and ‘Hybrid’ cloud can be configured to meet these requirements
Ability to manage the security environment
• CSPs must supply easy visual controls to manage and monitor firewall and other security settings for applications and runtime environments in the cloud
• No granularity of access (SaaS): usually the only roles available are ‘Admin’ and ‘Normal User’
IBM’s Point of View on Cloud Security
Layers of a typical Cloud Service
Cloud Delivered Services
• Application as a service: application software licensed for use as a service provided to customers on demand
• Platform as a service: optimized middleware – application servers, database servers, portal servers
• Infrastructure as a service: virtualized servers, storage, networking
Cloud Platform
• Business Support Services: Offering Mgmt, Customer Mgmt, Ordering Mgmt, Billing
IBM’s Architectural Model for Cloud Computing
Service Request & Operations End Users, Operators Service Provider Service Creation Service Planning
Cloud Services
Application/Software as a Service
Standards Based Interfaces
Platform as a Service
Role-based Access
Service Definition Tools
Infrastructure as a Service
Cloud Management Platform
Business Support Systems (BSS)
Service Publishing Tools
Service Catalog
Operational Console
Service Delivery Platform “Operational Support Systems (OSS)”
Service Reporting & Analytics
Cloud Security = SOA Security + Secure “New” Runtime
[Diagram: IBM’s architectural model for cloud computing, annotated with the security functions listed below; lower layers shown are Virtualized Resources, System Resources, and Physical System / Environment]
Service Oriented Architecture (Identity & Security as a Service):
• Secure integration with existing enterprise security infrastructure
• Federated identity / identity as a service
• Authorization, entitlements
• Log, audit and compliance reporting
• Intrusion prevention
Secure Runtime for Virtual Images and Virtual Storage:
• Process isolation, data segregation
• Control of privileged user access
• Provisioning w/ security and location constraints
• Image provenance, image & VM integrity
• Multi-tenant security services (identity, compliance reporting, etc.)
• Multi-tenant intrusion prevention
• Consistency top-to-bottom
9/15/2009
IBM Security Framework
• It’s clear to IBM that a variety of security technologies, processes, procedures, laws, and trust models are required to secure the cloud. There is no silver bullet for securing the cloud.
• World class solutions – software, hardware and services
• 3rd-party audit (SAS 70(2), ISO27001, PCI)
IBM solutions for securing cloud
People and Identity
Businesses need to make sure people across their organization and supply chain have access to the data and tools that they need, when they need it, while blocking those who do not need or should not have access
• Tivoli Identity Manager
• Tivoli Federated Identity Manager
– Offers a single access method for users into cloud and traditional applications
– Cloud computing infrastructures involve enormous pools of external users constantly logging in to leverage shared IT services, and this product’s authentication management features can help deliver significant business value
• Tivoli Access Manager for Operating Systems
– It can help protect individual application, network, data, and operating system resources
– Single security model
Information and Data
– Earlier, data could be protected with a perimeter. Now data needs to be secured wherever it resides and when it is in motion.
– Capabilities for monitoring, access management and encryption
– IBM’s Systems, Storage, and Network Segmentation Solutions
» Offer application isolation, OS containers, encrypted storage, VLANs and other isolation technologies for a secure multitenant infrastructure
– Tivoli Key Lifecycle Manager
– IBM Data Encryption for IMS and DB2 Databases
– IBM Database Encryption Expert
» Transparently protect any file on the file system
» Transparently encrypt DB2 backup files
» Protects information in online and offline environments
• Backup and recovery of data stored remotely in the cloud
– IBM Information Protection Services
Process and Application
– Enterprises need to preemptively and proactively protect their business-critical applications
– Focus is more on Web applications
• Rational AppScan
– Provides automated Web application scanning and testing for all common Web application vulnerabilities, including WASC threat classification (such as SQL Injection, Cross-Site Scripting, and Buffer Overflow), and intelligent fix recommendations to ease remediation
• Rational Policy Tester
– Ensures site privacy by scanning web content and producing actionable reports to identify issues that may impact compliance
• ISS Professional Security Services
• IBM Optim Data Privacy Solutions
– De-identify confidential information to protect privacy and support compliance initiatives by applying a range of masking and fictionalized substitution techniques
• IBM Tivoli Security Information and Event Manager
Optim’s data masking techniques
Network, Server and Endpoint
• Proactive threat and vulnerability monitoring
• Security of Virtualization stack
– ISS Virtualization Security
» Proventia Virtualized Network Security Platform (VNSP)
» IBM Proventia® Server Intrusion Prevention System (IPS)
» IBM RealSecure® Server Sensor
Physical Infrastructure
– Effective physical security requires a centralized management system that allows the monitoring of property, employees, customers and the general public
Physical Infrastructure
BCRS Resilient Cloud Validation Program
Summary: IBM Business Continuity and Resiliency Services (BCRS) plans to offer a validation program for cloud service providers to ensure the resiliency of their business.
Cloud Use Case: By using proven BCRS resiliency consulting methodology, combined with traditional shared and dedicated asset business and resiliency managed services, IBM is positioning BCRS as the premier resiliency provider to Cloud service providers.
Disaster Recovery
Restoration and availability of cloud computing resources
Public or Private Cloud
Resilient Cloud
High Performance On Demand Solutions (HiPODS) + IBM ISS Security Operations Centers
Summary: HiPODS is a group of specialists within IBM's Software Strategy group, with seven cloud computing locations around the world. IBM also has eight Security Operations Centers (SOCs) with a global reach to serve clients with international capabilities and a local presence.
Cloud Use Case: The HiPODS team can create a project team anywhere in the world in minutes and assign servers / storage for a project in less than an hour. IBM SOCs monitor more than 17,000 security devices on behalf of 3,700 customers.
Data Location
Ability to process data in specific jurisdictions according to local requirements
IBM Security has all the Capabilities and Credentials to Provide Enterprise-grade Security for Cloud Computing
Smart Planet Dynamic Infrastructure
GTS
ITS
GBS
IBM Research
Cloud computing also provides the opportunity to simplify security controls and defenses
People and Identity
Cloud Enabled Control(s):
• Defined set of cloud interfaces
• Centralized repository of Identity and Access Control policies
Benefit:
• Reduced risk of user access to unrelated resources

Information and Data
Cloud Enabled Control(s):
• Computing services running in isolated domains as defined in service catalogs
• Default encryption of data in motion & at rest
• Virtualized storage providing better inventory, control, tracking of master data
Benefit:
• Improved accountability, reduced risk of data leakage / loss
• Reduced attack surface and threat window
• Less likelihood that an attack would propagate

Process & Application
Cloud Enabled Control(s):
• Autonomous security policies and procedures
• Personnel and tools with specialized knowledge of the cloud ecosystem
• SLA-backed availability and confidentiality
Benefit:
• Improved protection of assets and increased accountability of business and IT users

Network, Server and Endpoint
Cloud Enabled Control(s):
• Automated provisioning and reclamation of hardened runtime images
• Dynamic allocation of pooled resources to mission-oriented ensembles
Benefit:
• Reduced attack surface
• Improved forensics with ensemble snapshots

Physical infrastructure
Cloud Enabled Control(s):
• Closer coupling of systems to manage physical and logical identity / access
Benefit:
• Improved ability to enforce access policy and manage compliance
Assessing the Security Risks of Cloud Computing
Key Findings
• The most practical way to evaluate the risks associated with using a service in the cloud is to get a third party to do it.
• Cloud-computing IT risks in areas such as data segregation, data privacy, privileged user access, service provider viability, availability and recovery should be assessed like any other externally provided service.
• Location independence and the possibility of service provider "subcontracting" result in IT risks, legal issues and compliance issues that are unique to cloud computing.
• If your business managers are making unauthorized use of external computing services, then they are circumventing corporate security policies and creating unrecognized and unmanaged information-related risks.
Recommendations
• Organizations that have IT risk assessment capabilities and controls for externally sourced services should apply them to the appropriate aspects of cloud computing.
• Legal, regulatory and audit issues associated with location independence and service subcontracting should be assessed before cloud-based services are used.
• Demand transparency from CSP. Don't contract for IT services with a vendor that refuses to provide detailed information on its security and continuity management programs.
• Develop a strategy for the controlled and secure use of alternative delivery mechanisms, so that business managers know when they are appropriate to use and have a recognized approval process to follow.
What to Evaluate
• Privileged User Access
– Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access
• Compliance
– Cloud computing provider should be willing to submit to external audits and security certifications
• Data Location
– Need to meet national privacy regulations
– Is the provider willing to give a contractual commitment to obey the law on your behalf?
• Data Segregation
– Ask for evidence that the encryption implementation was designed and tested by experienced specialists
– Encryption accidents can make data totally unusable, and even normal encryption can complicate availability
– Who has access to the decryption keys?
What to Evaluate (Cont.)
• Availability
– Does the cloud-based offering provide service level commitments?
• Recovery
– How will the cloud offering recover from a total disaster?
– The provider may not tell you where data is stored, but does it have the ability to do a complete restoration, and how long will it take?
• Investigative Support
– Cloud services are especially difficult to investigate
– Contractual commitment to support specific forms of investigation, electronic discovery
• Viability
– Long-term viability of any external service provider
• Support in Reducing Risk
– CSPs should inform customers how to use their product safely and reliably
How to Assess
• Evaluate the service provider in person.
• Use a neutral third party to perform a security assessment
• Accept whatever assurances the service provider offers
Ultimately, your ability to assess the risk of using a particular service provider comes down to its degree of transparency