Swan(sea) Song – personal research during my six years at Swansea ... and bey...
AWS Security Challenges
AWS Cloud Security
From the Point of View of Compliance
Clouds are finding increased use in core enterprise systems, which makes auditing a cornerstone expectation. Cloud vendors announce new cloud services, offer new security solutions and refer to the global security standards, and among those standards the requirements look quite similar. This is a series of articles about AWS cloud security from the point of view of compliance. It highlights the technical requirements of the top worldwide and Russian security standards for key AWS services, and describes how to prepare technically for an audit and how to configure the AWS services.
Cloud computing has been one of the top security topics for the last several years, for enterprise IT departments as well as other businesses. Cloud computing offers practically unlimited storage and other resources, with flexibility. The basic idea of the cloud is centralized IT services with on-demand self-service, broad network access, rapid elasticity, scalability and resource pooling. There are three known service models: SaaS, PaaS and IaaS. Each of them can be deployed as a Private Cloud, Community Cloud, Public Cloud or Hybrid Cloud.
Some security questions about clouds are: how is it implemented, how are data and communication channels secured, how secure are the cloud and application environments, and so on. The cloud simply uses well-known protocols like SMTP, HTTP, SSL and TCP/IP to communicate, send email, handle files and perform other activity. Where these methods are implemented in compliance with the relevant RFCs, that compliance should indicate that they are OK. Standards like the ISO 27001 series still provide a measure of information security, but only as a minimum baseline. Third-party organizations like the Cloud Security Alliance (CSA) promote their best practices for cloud security and keep a registry of cloud vendors' security controls to help users make the right choice.
Cloud security vendors claim that end-user companies sometimes prefer cost reduction over
10/2012(10)
increased security in order to reduce the operational complexity of their cloud. This eventually ends with a lower level of cloud security that the end user will accept. For example, since VM instances are often visible from the network, you have to configure the server or firewall "somehow" to protect that traffic. Another example is the claim that the term "physical security" has not existed since the cloud arrived. Nevertheless, it was the same when hosting services arrived. Even the new technology is only another way to perform well-known actions; the customer must improve on the default configuration to face cyber-attacks, and will eventually succeed. Phishing or SQL injection are not cloud-specific concerns: they have existed for a long time and the mitigations are well known. If the virtual OS is a Windows Server or an Ubuntu server, then the OS has the same security and patch management state as a desktop or server OS. The virtual server can easily be updated, patched or even reconfigured. This is acceptable, except in the situation where the cloud vendor notifies you that a patch or update cannot be applied. In addition, it is no more a matter of trust than software you download or buy on disk.
Eventually they offer a solution, e.g. buy a suitable third-party security product (as if a third-party solution were more trustworthy than the cloud vendor itself),
Page 50
http://pentestmag.com
note that logs should be analysed from time to time, that you should use an IDS, and that you should find popular software to protect network ports, even though such software often cannot be applied in this case. Some believe that a classic network object like a server is more secure if it is physically near the company than if it is virtual, but that is not true. A telling example is thinking about the cloud in the same way as about a home or work PC connected to the Internet directly or via a router. When you need to protect that PC you do not ask why the DNS gateways are public, whether they are trusted, and so on. You can keep your hosts file as a DNS; several clouds provide the end user with the same feature, not through the host but through their own DNS routing service.
General Cloud and Security Points
Security in the cloud is just like traditional security: network security, authentication, authorization, auditing and identity management. This is not anything new or revolutionary. There are several points about security that are often discussed:
• Perimeter network role and location:
  • In which location (city/country) is the data located and stored in the cloud?
  • What is the compliance with standards and country regulations?
  • What type of firewall (guest, mandatory, VPN, other) is used?
• Identity and Access Management:
  • What authentication, authorization and role-based access control is there?
  • Do privileged users exist, and what user access is there to the cloud services?
  • Are there different access types per user, application and role?
• Data Privacy:
  • How is data separated from other cloud users?
  • What type of encryption is used?
• Logging and Auditing
• Endpoint protection and client security
• Misuse of cloud resources, as demonstrated at the Black Hat conference, such as breaking into Wi-Fi networks or brute-forcing passwords
Virtualization refers primarily to the hypervisor, while a virtual machine works with a configured snapshot of an OS image and usually includes virtual disk storage. As all virtual machines require memory, storage and network, a hypervisor supports these virtual machines and presents the hardware pool that it can work with. Hypervisors isolate memory and computing resources and allow actions to be performed without affecting other instances. There are security issues when you use virtualization in the cloud, no doubt. Each OS running in a virtual environment should be patched and monitored like any non-virtual OS. You may use a gateway device that provides the applicable security configuration to the devices connected to it. You still have to use host-based firewalls and IDS to capture, stop and filter non-allowed activity from applications and network attacks, to disable or enable communication between virtual machines, or to extend the logging system.
As in a classic datacentre, where you have to maintain stability and security by constant monitoring, alerting and reporting on what the customers are doing with the resources, what geographic locations they are coming from and how many users connect at certain times of the day, the cloud infrastructure should also report misuse or other out-of-policy activity. Auditing needs to log and report on all activities taking place in the cloud (elastic computing, storage, VPN, etc.); this really simplifies the growing complexity of clouds. Sometimes a security design failure, a single poorly secured service that can easily be compromised, leads to the risk of valuable data being stolen or of services being made unavailable by DDoS or other interruptions.
The access solution known as IAM is an important method to authenticate connections and authorize access to cloud resources. Your IT policy should take into account the broad range of access rights, because access is often divided into access for everyone, access for the owner only, and something in between. Not all clients should have the right to access all data, but staff rights need to be set up so that everyone who is responsible is approved, similar to role-based access in traditional offices, where end users have access to the services and sometimes to the controls, while administrators have access to the controls and manage the functionality and performance of the workloads.
In the cloud you will need to think about how you handle inbound connections to the resources required by any services, hosting and client devices, and how they will connect. A DMZ and firewalls are a good solution, but they should belong to different security zones, to prevent an attacker who compromises the gateway from reaching the whole cloud service. The common network IDS does not necessarily work as well here; it might not even work as it does on a classic network. But it may work to monitor suspicious traffic between virtual machines if the IDS allows a network gateway, or traffic to be moved through a VPN to and from your corporate network where the IDS exists. Another point is performance, which may lead to resource allocation problems and open the service to DoS/DDoS attacks. Another filtering method for limiting traffic is firewalling by physical location, which isolates different security zones. Network traffic between virtual machines should be encrypted to protect data in transit.
Of course, the hypervisor has access to all guest OSs, and if it is compromised itself this will have a broad impact on network isolation, but the probability of that is low since hypervisors are highly customized. The cloud infrastructure administrator will need to depend on new tools that are cloud-aware, and these may not yet be defined by the current IT department.
Another security issue deals with the (de-)allocation of resources. If data was written to storage and not wiped before reallocation, or the instance crashed before reallocation, then there is a data leakage problem on the disk. This means the IT department needs to rely on its own reallocation procedure and perform clean-up operations instead of relying on the cloud service. It may need special DoD-style wiping tools to be run manually, or processes that keep running until the OS terminates them. This may increase operational expenses. In other words, no sensitive information should be stored in plain text. Using whole-volume encryption will protect the physical storage, prevent access from outside the virtual environment, and finally reduce the risk of exposure. Also, applications may encrypt data in storage, data in RAM and data during processing to make it more difficult for someone to gain access to it.
Security Overview: Windows Azure vs. Amazon Web Services
These two platforms differ in the decision each vendor made on how end users should access their cloud services. Windows Azure puts data distribution at the centre, whether through storage or through the web server, while AWS makes many services more accessible, which matters when migrating to the cloud. These different goals have a huge influence not only on the IT policy but also on the API. Both the AWS and Azure services were built in accordance with security best practices, and the security features are well documented to make it clear how to use them to design strong protection. Below I examine the security features offered by each vendor:
Compliance
Azure
Microsoft complies with data protection and privacy laws, but customers alone are responsible for determining whether Windows Azure complies with their country's laws and regulations. For example, the ISO certification for Azure covers cloud services (web and VM roles), storage and networking.
AWS
AWS offers compliance with FISMA, which allows government and federal agencies to implement AWS solutions and security configurations within their security systems. In addition, VPC (Virtual Private Cloud), GovCloud and the SSL endpoints support FIPS 140-2. AWS has been validated as a Level 1 service provider under PCI DSS for its physical infrastructure and for services such as EC2, S3, EBS, VPC, RDS and IAM, which allows end customers to store, process and transmit credit card information with proper security. EC2, S3 and VPC, as well as the AWS datacentres, are also covered by the global security standard ISO 27001.
Physical Security
Azure
Azure is designed to be available 24 x 7; its datacentres are managed, monitored and administered by Microsoft and, of course, compliant with applicable industry standards for physical security. Azure staff are limited in the operations they may perform, and must regularly change access passwords (where operations are performed by administrators). All administrative actions are audited to determine the history of changes. Finally, you can find out which services are affected through the Health Dashboard (https://www.windowsazure.com/ru-ru/support/service-dashboard/).
AWS
AWS datacentres are located throughout the world (US, EU and Asia) and are available 24 x 7 x 365. The actual location is known only to those who have a legitimate business need. Amazon datacentres are secured to prevent unauthorized access; access tickets are immediately destroyed when someone leaves the company, or when they remain an Amazon employee but are promoted to another position.
A standard employee, or a third-party contractor, has a minimum set of privileges, and their access can be disabled by the hiring manager. All types of access to any resource are logged, as well as changes to them, and access must be explicitly approved in Amazon's proprietary permission management system. Because each approval is tied to a specific type of access to a resource, any change leads to revocation of the previously granted access. Every access grant is also revoked automatically 90 days after it was approved. Access to services, resources and devices relies on user IDs, passwords and Kerberos. In addition, Amazon mentions expiration intervals for passwords.
"Physical access is logged and audited and is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means." Staff use two-factor authentication, while third-party contractors are escorted by authorized staff and have to present signed IDs.
Also, Amazon describes important things like fire detection, power and climate control, mentioning UPS to keep services functional 24 hours per day, while Microsoft just states that this is so. Finally, you can find out which services are affected through the AWS Service Health Dashboard (http://status.aws.amazon.com/).
Data Privacy
Azure
Azure runs in multiple datacentres around the world and offers the customer deployment redundancy and backup features.
AWS
AWS offers data encryption, backup and redundancy features. For example, services that store data in S3 and EBS use redundancy in different physical locations, but EBS keeps it inside one Availability Zone unless you set up backup services to duplicate the data, while S3 provides durability across multiple Availability Zones. To extend EBS redundancy, users can back up EBS volumes (and AMI images stored on EBS) as snapshots to S3. Object deletion executes an un-mapping process to prevent remote access to the data. When a storage device has reached the end of its useful life, AWS initiates destruction procedures following DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization"). AWS allows you to encrypt sensitive data before uploading it to S3; additionally, there is no restriction on using your own or commercial encryption tools.
Network Security
Azure
Microsoft uses a variety of technologies to keep unauthorized traffic away from customers: firewalls, NAT boxes (load balancers) and filtering routers. Azure relies on 128-bit TLS protection for communications inside datacentres and between end users and customer VMs. Filtering routers reject all non-allowed attempts, i.e. addresses and ports, which prevents attacks that use "drones" or "zombies" searching for vulnerable servers, the most popular way to break into a network.
Filtering routers also support configuring back-end services to be accessible only from their corresponding front ends. Firewalls restrict incoming and outgoing communication to known IP addresses, ports and protocols. Microsoft offers authorized penetration testing of customers' applications hosted in Windows Azure if the request for it is submitted at least 7 days beforehand.

Table 1. Cloud security features

Type | Feature | AWS | Azure
Compliance | CSA | + | N/A
Compliance | NIST | + | N/A
Compliance | FISMA | + | N/A
Compliance | FIPS 140-2 | + | N/A
Compliance | HIPAA | + | +
Compliance | PCI DSS | + | N/A
Compliance | ISO 27001 | + | +
Physical Security | Actions & events logging | + | +
Physical Security | Logs audit | + | +
Physical Security | Minimum access rights | + | +
Physical Security | Auto revocation of access after N days | + | N/A
Physical Security | Auto revocation of access after role change | + | N/A
Physical Security | Two-factor authentication | + | N/A
Physical Security | Escort | + | N/A
Data Privacy | Backup | + | +
Data Privacy | Redundancy inside one GeoLocation | + | N/A
Data Privacy | Redundancy across several GeoLocations | + | +
Data Privacy | Encryption | + | N/A
Data Privacy | DoD/NIST destruction | + | N/A
Network Security | MITM protection | + | +
Network Security | DDoS protection | + | N/A
Network Security | Host-based firewall (IP, port, MAC) | + | +
Network Security | Mandatory firewall | + | +
Network Security | Extended firewall (geo, date and time) | + | N/A
Network Security | Hypervisor protection from promiscuous mode | + | +
Network Security | Pentesting offer | + | +
Credentials | Login and passwords | + | +
Credentials | SSL | + | +
Credentials | Cross-account IAM | + | N/A
Credentials | MFA hardware | + | N/A
Credentials | MFA software | + | N/A
Credentials | Key rotation | + | N/A
AWS
AWS enforces MITM protection through SSL-protected endpoints; for example, EC2 generates new SSH host keys on first boot and logs them to the instance's console. EC2 instances are designed to be unspoofable by a host-based firewall that restricts traffic with a source IP or MAC address other than the instance's own, and that blocks non-allowed traffic (by IP, port, geolocation, date and time, and more). Even if an instance runs in promiscuous mode, the hypervisor will not deliver it any traffic that is not addressed to it; this explicit restriction protects against traffic capture on the same physical host, in both EC2 and VPC. Unauthorized port scans are a violation of the AWS Acceptable Use Policy; however, customers are permitted to pentest their own AWS services, provided they arrange it with AWS support beforehand, specifying the IPs, ports, date and time, login and contact details. Violations may lead to revocation of the AWS account after an investigation by Amazon. Moreover, if illegal activity occurs, AWS customers should inform AWS about it. In addition, AWS has a proprietary DDoS mitigation technique but does not describe any of its key features.
Credentials
Azure
Azure provides virtual machines to customers, giving them access to most of the same security options available in Windows Server. Customers use SSL client certificates to control updates to their software and configuration. Basic credentials like username and password are common across Azure resources.
AWS
IAM makes it possible to manage multiple users, their permissions, passwords and password policy under one AWS account, or among several AWS accounts, as unique security credentials. New IAM users, as well as IAM and EC2 as a whole, have no access to any resource by default ("deny" access type) and deal with explicitly granted permissions only. AWS Multi-Factor Authentication adds security to the basic credentials by requiring a six-digit single-use code. This code is usually generated by an authentication device or by a similar application like Google Authenticator. It works equally well for the AWS account or for user accounts within IAM. AWS offers key and certificate rotation on a regular basis to mitigate the risk from lost or compromised access keys or certificates. It is available for the AWS account or for user accounts within IAM too (Table 1).
How Are AWS Services Secured
Access and Credentials
Access to applications and services within the AWS cloud is protected in multiple ways, and it requires special credentials:
• Access Credentials:
  • Access Keys, to sign REST or Query protocol requests to any AWS service API, including S3. The possible states:
    • Active: can be used.
    • Inactive: cannot be used, but can be moved back to the Active state.
    • Deleted: can never be used again.
  • X.509 Certificates, to sign SOAP protocol requests to AWS service APIs, except S3.
  • Key Pairs, to manage CloudFront.
• Sign-In Credentials:
  • E-mail address and password, to sign in to AWS web sites, the AWS Management Console, the AWS Discussion Forums and the AWS Premium Support site.
  • AWS Multi-Factor Authentication device, an optional credential that increases the security level when managing the AWS web site and the AWS Management Console.
• Account Identifiers:
  • AWS Account ID, to manage all AWS service resources except Amazon S3; it looks like 8xxx-xxxx-xxx8.
  • Canonical User ID, to manage Amazon S3 resources such as buckets or files only; it is a 64-character string that looks like "7xbxxxxxxcdxcxbbxcxxxxxe08xxxxx44xxxaaxdx0xxbxxxxxeaxed8xxxbxd4x".

Figure 1. AWS Access Credentials I
Figure 2. AWS Access Credentials II
The purpose of the access keys is to sign requests to the AWS REST and Query APIs, or to a third-party product, using the Access Key ID; the Access Key ID itself is not a secret. EC2 additionally uses SSH key pairs and/or X.509 certificates to interact with instances and services. The private key of the EC2 key pair is used to retrieve the Windows administrator password, the Secret Access Key signs REST and Query API requests, while the X.509 certificate is used with the command line tools and the SOAP APIs, except for S3, which is managed with access keys. When AWS receives a request, it looks up the Secret Access Key belonging to the presented Access Key ID, recomputes the signature and confirms that the request sender is legitimate. Key rotation is manual at the moment and looks like this:
• Create a second, active credential.
• Update applications and services with the new credential.
• Move the first credential to Inactive.
• Check that everything works with the new credential.
• Delete the first credential.
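The request-signing and key-lifecycle behaviour described above, as an added example that is not code from the original article or from AWS: a Signature Version 2 client, a server-side credential store that accepts only Active keys, and the manual rotation sequence. The key IDs and secrets are the placeholder values from the AWS documentation, the timestamp is fixed to keep the output deterministic (a real endpoint would also reject stale timestamps), and the store, the request builder and the `rotate()` helper are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed example credentials: the placeholder access key pairs from the
# AWS documentation, not live credentials.
OLD_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
OLD_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
NEW_KEY_ID = "AKIAI44QH8DHBEXAMPLE"
NEW_SECRET = "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY"


def canonical_query(params):
    """Sort by parameter name and RFC 3986-encode, as Signature Version 2 requires."""
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def string_to_sign(method, host, path, params):
    return "\n".join([method, host.lower(), path, canonical_query(params)])


def sign(secret, text):
    """Signature = Base64(HMAC-SHA256(secret access key, StringToSign))."""
    mac = hmac.new(secret.encode(), text.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_request(key_id, secret, action, host="ec2.amazonaws.com", path="/"):
    """Client side: the Access Key ID travels in the clear, the secret only
    contributes the signature. Fixed timestamp keeps the example deterministic."""
    params = {
        "Action": action,
        "AWSAccessKeyId": key_id,
        "SignatureMethod": "HmacSHA256",
        "SignatureVersion": "2",
        "Timestamp": "2012-10-01T12:00:00Z",
        "Version": "2012-08-15",
    }
    params["Signature"] = sign(secret, string_to_sign("GET", host, path, params))
    return "GET", host, path, params


class CredentialStore:
    """Server side (assumed model): Access Key ID -> [secret, state], with the
    three states the article lists. Deleted entries stay in the map so the id
    can never be reused."""

    def __init__(self):
        self.keys = {}

    def create(self, key_id, secret):
        self.keys[key_id] = [secret, "Active"]

    def set_state(self, key_id, state):
        """Active <-> Inactive are reversible; Deleted is final. Returns False
        when the requested transition is not allowed."""
        if self.keys[key_id][1] == "Deleted":
            return False
        self.keys[key_id][1] = state
        return True

    def state(self, key_id):
        return self.keys[key_id][1]

    def verify(self, method, host, path, params):
        """Look up the secret for the presented Access Key ID, recompute the
        signature over everything except the Signature itself, and compare in
        constant time. Only Active keys pass."""
        entry = self.keys.get(params.get("AWSAccessKeyId"))
        if entry is None or entry[1] != "Active":
            return False
        unsigned = {k: v for k, v in params.items() if k != "Signature"}
        expected = sign(entry[0], string_to_sign(method, host, path, unsigned))
        return hmac.compare_digest(expected, params.get("Signature", ""))


def rotate(store, old_id, new_id, new_secret):
    """The manual rotation sequence: second active credential, switch the
    application, deactivate the first, confirm, then delete it. Returns the
    credential the application ends up with."""
    store.create(new_id, new_secret)                         # 1. second active credential
    app_creds = (new_id, new_secret)                         # 2. update the application
    store.set_state(old_id, "Inactive")                      # 3. first credential -> Inactive
    if not store.verify(*build_request(*app_creds, "DescribeInstances")):
        store.set_state(old_id, "Active")                    # 4. check failed: roll back
        raise RuntimeError("new credential rejected; rotation aborted")
    store.set_state(old_id, "Deleted")                       # 5. delete the first credential
    return app_creds
```

Step 3 before step 4 is what makes the check meaningful: while the old key is merely Inactive the application can still be switched back, whereas after step 5 a compromised old key is useless to anyone.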
To add an extra layer of security, use the AWS MFA feature, which provides a six-digit single-use code in addition to the email and password. All details, the activation of hardware or software MFA and more are at http://aws.amazon.com/mfa (Figure 1 and Figure 2, Table 2).
Additionally, AWS offers the so-called Identity and Access Management, which integrates easily with almost all AWS services, e.g. EC2, S3 and more. IAM provides the following:
• Create users and groups under your organization's AWS account
• Easily share your AWS account resources between the users in the account
• Assign unique security credentials to each user
• Granular control of each user's access to services and resources
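The "granular control" that IAM gives, and the geo and date-and-time filtering of resources mentioned in Table 3 and Table 4, come from policy Conditions. The following is an added example, not code from the article or from AWS: a small evaluator for the IAM decision logic (explicit Deny beats Allow, no match is an implicit deny) over the IpAddress, DateGreaterThan, DateLessThan, Bool and StringEquals operators, applied to a constructed policy whose bucket name and office CIDR are placeholders. It also shows the caveat that matters for MFA-gated deletes: calls signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, so a Deny on Bool false never fires and BoolIfExists is needed.

```python
import fnmatch
import ipaddress
from datetime import datetime


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iso(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def condition_holds(operator, expected, actual):
    """One condition test. Several expected values mean 'any of them'.
    A missing context key fails a plain operator but satisfies the
    ...IfExists form, which is the IAM rule that matters for MFA checks."""
    base = operator[:-len("IfExists")] if operator.endswith("IfExists") else operator
    if actual is None:
        return base != operator
    if base == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(cidr) for cidr in expected)
    if base == "DateGreaterThan":
        return any(_iso(actual) > _iso(e) for e in expected)
    if base == "DateLessThan":
        return any(_iso(actual) < _iso(e) for e in expected)
    if base == "Bool":
        return any(str(actual).lower() == str(e).lower() for e in expected)
    if base == "StringEquals":
        return actual in expected
    raise ValueError("unsupported condition operator: " + operator)


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource, context):
    """IAM-style decision: an explicit Deny wins over any Allow, and a request
    that matches no statement is implicitly denied, the default-deny the
    article describes for new IAM users."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        satisfied = all(
            condition_holds(op, _as_list(expected), context.get(key))
            for op, keys in stmt.get("Condition", {}).items()
            for key, expected in keys.items()
        )
        if not satisfied:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def make_policy(mfa_operator="BoolIfExists"):
    """Constructed policy (bucket name and office CIDR are placeholders):
    reads and writes only from the office network during Q4 2012, and deletes
    only with MFA. mfa_operator exposes the Bool vs BoolIfExists difference."""
    bucket = "arn:aws:s3:::example-bucket/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": bucket,
                "Condition": {
                    "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                    "DateGreaterThan": {"aws:CurrentTime": "2012-10-01T00:00:00Z"},
                    "DateLessThan": {"aws:CurrentTime": "2013-01-01T00:00:00Z"},
                },
            },
            {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": bucket},
            {
                "Effect": "Deny",
                "Action": "s3:DeleteObject",
                "Resource": bucket,
                "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }
```

The context dictionary stands in for the request context AWS builds per call; when auditing a real policy, test it against a context with the MFA key absent, not just one where it is "false".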
Table 2. Resource credentials

Resource | Access type
REST or Query API request to an AWS service, or to S3 | Access Keys
SOAP API request to an AWS service (except Amazon S3) | X.509 Certificates
Access to secure pages or the AWS Management Console | Amazon e-mail address and password, with optional AWS Multi-Factor Authentication
Manage EC2 with the command line tools | Your X.509 Certificates
Launch or connect to an EC2 instance | Your Amazon EC2 Key Pairs
Bundle an Amazon EC2 AMI | For Linux/UNIX AMIs: your X.509 Certificates and AWS Account ID to bundle the AMI, and your Access Keys to upload it to Amazon S3. For Windows AMIs: your Access Keys for both bundling and uploading the AMI.
Share an EC2 AMI or EBS snapshot | The AWS Account ID of the account you want to share with (without the hyphens)
Send email by using the Amazon SES SMTP endpoint | Your Amazon SES SMTP user name and password
Access to the AWS Discussion Forums or AWS Premium Support site | Your Amazon e-mail address and password
Virtual Instances (Amazon Elastic Compute Cloud)
EC2 is a web service that provides resizable compute capacity in the cloud, lets you pay only for the capacity you use, and supports OSs like Windows Server, Red Hat, openSUSE Linux and more. EC2 allows you to set up everything according to the OS. Moreover, you can import preconfigured OS images from VMware through the AWS console commands, the AWS API or a special VMware connector, which helps to leverage your existing configuration management or compliance requirements. VM Import/Export is available in all Amazon EC2 regions, and with VPC too.
The final goal is protection from interception and unauthorized actions, and EC2 security is designed to protect against several attack vectors.
• Host OS protection usually includes event logging, multi-factor authentication and regular access revocation (in this case AWS manages the set of host OSs).
• Guest OS protection usually includes the native firewall (Windows Firewall, iptables, etc.), basic credentials such as login/email and password, extended by multi-factor authentication, SSH version 2 access and EC2 key pairs, which should be unique per virtual instance.
• Firewall protection includes a mandatory inbound firewall, pre-configured in a default deny-all mode, that allows restrictions
  by protocol
  by service port
  by source IP address
• This firewall is not controlled from the guest OS; an X.509 certificate and key are required to authorize changes. Additionally, customers may use the guest OS firewall to filter inbound and outbound traffic.
Table 3. Requirements of the Russian Federal Law on Personal Data

Requirement | AWS Solution
Access management: users must use an alphanumeric password of at least six characters, plus a special code in addition | Native AWS solution implemented in IAM, with MFA in addition
All devices (including external ones), instances and network nodes must be identified by a logical name | Canonical names are developed for users and resources and enabled mainly through IAM; EC2 identifies instances by tags
Access event logging: login and logout events; date and time of login and logout events; credentials used to log in | Not yet released for IAM; covered by the EC2 guest OS solution (Windows, *nix)
File access events: date and time of access to the file; user ID (or equivalent) used to access the file | Not yet released for IAM; covered by the EC2 guest OS solution (Windows, *nix); native solution implemented in S3, which logs the canonical user ID and IP address that accessed the file, the date and time, and more
Wiping of allocated drives | Native AWS solution based on un-mapping, termination, etc.
Additional: physical security, access control management, restrictions on employees or third-party contractors | AWS solution described above under physical security, and compliance on physical security
Backup and restore of the protection solution; integrity | Depends on the design; generally the AMI image is stored on EBS and backed up into S3
Network packet filtering by IP address; by date and time; by protocol | Native solution implemented in the EC2 mandatory firewall (IP, port, protocol); additional solutions in the EC2 OS (Windows and *nix); additional IAM policy conditions on resources enable geo filtering and date-and-time filtering
• API calls signed by X.509 certificates are a kind of protection that helps Xen keep the different instances isolated from each other.
Moreover, EC2 is designed to prevent mass spam distribution by limiting the sending of email. Any request for a higher email sending limit goes through the form at https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request.
The main concept of cloud security here is visibility: the guest OS firewall, the mandatory firewall and geographic availability (Regions and Availability Zones), because each zone is managed with physically independent infrastructure. Different areas of the world, i.e. the USA or the EU, are known as regions, inside each of which there are several physically independent zones. Each zone is isolated from failures in the others; some AWS services are allowed to move data between zones to keep away from failure, some are not, but moving data across regions is manual only.
Virtual Storage (Amazon Simple Storage Service and Elastic Block Store volume)
S3 is simple storage for the Internet with several interfaces (for example, a web service and API calls) to store and retrieve data from anywhere. EBS provides so-called block-level storage; in other words, it is the equivalent of physical and logical hard disks. Multiple volumes can be attached to an instance, while the same volume cannot be attached to a different instance at the same time.

Table 4. Requirements of the CSA CAI Questionnaire

Requirement | AWS Solution
Data Governance |
Do you provide a capability to identify virtual machines via policy tags/metadata (e.g. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)? | AWS provides the ability to tag EC2 resources. A form of metadata, EC2 tags can be used to create user-friendly names
Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g. TXT/TPM, VN-Tag, etc.)? |
Do you have a capability to use system geographic location as an authentication factor? | Native solution implemented in the EC2 mandatory firewall (IP, port, protocol); additional solutions in the EC2 OS (Windows and *nix); additional IAM policy conditions on resources enable geo filtering and date-and-time filtering
Can you provide the physical location/geography of storage of a tenant's data upon request? Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation? | AWS currently offers the following regions, in which customer data and servers are located as designated by the customer: US East (Northern Virginia), US West (Northern California and Oregon), GovCloud (US) (Oregon), South America (Sao Paulo), EU (Ireland), Asia Pacific (Singapore) and Asia Pacific (Tokyo)
Do you support secure deletion (e.g. degaussing / cryptographic wiping) of archived data as determined by the tenant? | Native AWS solution based on un-mapping, termination, etc., as well as DoD 5220.22-M / NIST 800-88 destruction, discussed above
Facility Security |
Are physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) implemented? | Physical security controls include but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means; compliance with AWS SOC 1 Type 2 and the ISO 27001 standard, Annex A, domain 9.1
Information Security |
Do you encrypt tenant data at rest (on disk/storage) within your environment? Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? | Encryption mechanisms for almost all of the services, including S3, EBS, SimpleDB and EC2, and for VPC sessions, as well as Amazon S3 Server Side Encryption

EBS provides a backup feature through S3. S3 is "unlimited" storage, while customers size EBS volumes themselves. The S3 APIs provide both bucket- and object-level access controls, with defaults that only permit authenticated access by the bucket and/or object creator. As opposed to EC2, where all activity is restricted by default, S3 starts out open to all access, but within the current AWS account only; this means that all buckets, folders and files should be controlled through IAM and the canonical user ID, and each request is finally authenticated with an HMAC-SHA1 signature computed with the user's secret access key. S3 provides Read, List and Write permissions in its own ACL at the bucket level, or an IAM permission list; the two are independent and supplement each other. S3 provides file versioning as a kind of protection that restores any version of every object in the bucket. Additionally, the "MFA Delete" feature of S3 versioning requires typing the six-digit code and the serial number from the MFA device. Also, a valuable feature for audit and forensics is logging of S3 events, which can be configured per bucket on initialization. These logs contain information about each access request, including
• the request type,
• the requested resource,
• the requester's IP,
• the time and date of the request.
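To show what those log entries support in practice, the following is an added example, not code from the original article or from AWS: a parser for the S3 server access log format and a small forensic triage over four constructed records, flagging successful anonymous access, successful deletes, denied attempts and the IPs involved. The bucket name, canonical user IDs, request IDs and addresses are made up for the demonstration.

```python
import re
from collections import Counter

# Constructed S3 server access log records (example data, not from the
# original page): four requests against one bucket in the classic 18-field
# layout. Owner ID, requester IDs, request IDs and addresses are placeholders.
OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eaa"
SAMPLE_LOG = [
    f'{OWNER} awsexamplebucket [01/Oct/2012:12:00:01 +0000] 192.0.2.3 {OWNER} 3E57427F3EXAMPLE REST.GET.OBJECT reports/q3.pdf "GET /awsexamplebucket/reports/q3.pdf HTTP/1.1" 200 - 5234 5234 7 5 "-" "S3Console/0.4" -',
    f'{OWNER} awsexamplebucket [01/Oct/2012:12:03:17 +0000] 198.51.100.23 - 7C4B6F0AEXAMPLE REST.GET.OBJECT reports/q3.pdf "GET /awsexamplebucket/reports/q3.pdf HTTP/1.1" 200 - 5234 5234 12 9 "-" "Mozilla/5.0" -',
    f'{OWNER} awsexamplebucket [01/Oct/2012:12:05:42 +0000] 203.0.113.9 65a011a29cdf8ec533ec3d1ccaae921cEXAMPLE 9D1EC4A2EXAMPLE REST.DELETE.OBJECT reports/q3.pdf "DELETE /awsexamplebucket/reports/q3.pdf HTTP/1.1" 204 - - 5234 4 3 "-" "aws-sdk-java/1.3" -',
    f'{OWNER} awsexamplebucket [01/Oct/2012:12:07:05 +0000] 198.51.100.23 - A1F2D9C3EXAMPLE REST.PUT.OBJECT malware.exe "PUT /awsexamplebucket/malware.exe HTTP/1.1" 403 AccessDenied 243 - 2 - "-" "curl/7.26.0" -',
]

# One token per field: a bracketed timestamp, a quoted string, or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time",
    "referrer", "user_agent", "version_id",
]


def parse_line(line):
    """Split one record, keeping the timestamp and the quoted URI, referrer
    and user agent intact, and name the fields. Extra trailing fields that
    newer log versions add are ignored."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError("truncated S3 access log record: " + line)
    record = dict(zip(FIELDS, tokens))
    record["time"] = record["time"].strip("[]")
    for quoted in ("request_uri", "referrer", "user_agent"):
        record[quoted] = record[quoted].strip('"')
    return record


def audit(lines):
    """Triage a bucket's access log: successful anonymous requests (requester
    is '-', i.e. the bucket or object is world-accessible), successful
    deletes, requests S3 refused, and a per-IP request count."""
    report = {"anonymous_success": [], "deletes": [], "denied": [], "by_ip": Counter()}
    for record in map(parse_line, lines):
        succeeded = record["http_status"].startswith("2")
        report["by_ip"][record["remote_ip"]] += 1
        if record["requester"] == "-" and succeeded:
            report["anonymous_success"].append(record)
        if record["operation"].startswith("REST.DELETE") and succeeded:
            report["deletes"].append(record)
        if record["http_status"] == "403":
            report["denied"].append(record)
    return report
```

The requester field is the canonical user ID the article mentions, which is what ties a delete back to a specific IAM user; an anonymous success is the finding to act on first, because it means an ACL or bucket policy grants access to everyone.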
EBS access restrictions look similar to those of S3: resources are accessible under the current AWS account only, and to the users granted access through AWS IAM (this can also cross AWS accounts if explicitly allowed). Snapshots backed up to S3 and shared give indirect access (read permission only, not alteration, deletion or other modification) to the EBS data. There is an interesting point suitable for forensics: a snapshot stored on S3 will keep all data deleted from the EBS volume, as long as the blocks were not overwritten or DoD-wiped. Talking about secure wiping, AWS provides a data "destruction" feature via a specific method, such as those detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization"); AWS performs these actions for S3 and EBS. If it is impossible to wipe the data at the end of the storage disk's lifetime, the disk is physically destroyed.
On the Net
• http://www.windowsecurity.com/articles/Cloud-computing-can-we-trust-how-can-be-used-whilst-being-secure.html – Cloud computing, can we trust it and how can it be used whilst being secure, Ricky M. Magalhaes
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part1.html – Security Considerations for Cloud Computing (Part 1) – Virtualization Platform, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part2.html – Security Considerations for Cloud Computing (Part 2), Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part3.html – Security Considerations for Cloud Computing (Part 3) – Broad Network Access, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part4.html – Security Considerations for Cloud Computing (Part 4) – Resource Pooling, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part5.html – Security Considerations for Cloud Computing (Part 5) – Rapid Elasticity, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part6.html – Security Considerations for Cloud Computing (Part 6) – Metered Services, Deb Shinder
• https://www.windowsazure.com/en-us/support/legal/security-overview/ – Technical Overview of the Security Features in the Windows Azure Platform, April 2011
• http://www.baselinemag.com/c/a/Security/Securing-Data-in-the-Cloud/ – Securing Data in the Cloud, Eric Friedberg
• http://d36cz9buwru1tt.cloudfront.net/Whitepaper_Security_Best_Practices_2010.pdf – AWS Security Best Practices, January 2011
• http://d36cz9buwru1tt.cloudfront.net/pdf/AWS_Security_Whitepaper.pdf – Amazon Web Services: Overview of Security Processes, May 2011
• https://www.windowsazure.com/en-us/support/trust-center/compliance/ – Trust Center Home, Compliance
• http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm – Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

Gross Inspection on AWS Compliance from the Customer Side
As this is the first part of a series of articles, I briefly examine several standards and regulatory orders that refer to security compliance; some of them are worldwide and some are Russian. In further articles, I will provide a detailed examination of AWS services against the best-known documents, to explain and show whether cloud services (mainly AWS and Azure) are really so insecure, whether configuring them for compliance is so complex, and whether compliance makes sense for end customers' security. Some of the requirements and entire documents to be discussed will deliberately be used in their outdated versions to highlight the comparison. One of them, the Russian Federal Law on Personal Data, refers to the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data", which was confirmed in 2006. This reference allows storing data outside Russia, and 1C Company has already offered a cloud solution in accordance with Chapter III on "Transborder data flows" and Article 12 on "Transborder flows of personal data and domestic law":
• The following provisions shall apply to the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed.
• A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorization transborder flows of personal data going to the territory of another Party.
• Nevertheless, each Party shall be entitled to derogate from the provisions of paragraph 2:
  • insofar as its legislation includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection;
  • when the transfer is made from its territory to the territory of a non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph.
The Russian law refers to other documents that provide several protection requirements, some of which I examine now. These requirements are divided into three categories based on which data is processed (medical, religion, nationality, etc.) (Table 3).
Some non-profit organizations try to unify best practices for clouds, help vendors improve their security features and provide customers with the best choice of the solution they need. One of them is the CSA, in which a range of industry security practitioners, corporations and associations participate to achieve its mission. They created the so-called "CSA Consensus Assessments Initiative Questionnaire", which provides a set of questions the CSA anticipates a cloud consumer and/or a cloud auditor would ask of a cloud provider. AWS has announced that it has completed the CSA CAIQ (Table 4).
Conclusion
Some companies have to deal with regulations because of legal requirements on how data should be handled, where it should be stored and how consumer data is protected. On the other hand, a security audit may uncover vulnerabilities. Whether an audit makes sense or not, there are cases when you or someone else has to validate against a standard. In this article, I briefly analyze the security features of AWS against several requirements. In further articles, I will provide a detailed examination of AWS services against the best-known documents, to explain and show whether cloud services (mainly AWS and Azure) are really so insecure, whether configuring them for compliance is so complex, and whether compliance makes sense for end customers' security.
Yury Chemerkin
Yury Chemerkin graduated from RSUH in 2010 (http://rggu.com/) with a diploma thesis on BlackBerry. Currently in the postgraduate program at RSUH on a Cloud Security thesis. Experience in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation, and as a contributing Security Writer. Also researching Cloud Security and Social Privacy. For the last several years, I have worked on mobile social security, cloud security and compliance, mobile security and forensics; additionally, I develop solutions based on exploiting not only OS vulnerabilities but also third-party products and solutions.
Regular blog: http://security-through-obscurity.blogspot.com
Regular Email: yury.chemerkin@gmail.com
Skype: yury.chemerkin