1. TA3901 – Security and the Cloud
Ahmed Sallam, Senior Technologist,
Software Architecture & Strategy,
Chief Software Architect, McAfee
Ken Owens, Vice President Security
and Virtualization Technology, Savvis
2. Security and Virtualization
What The Risks and Opportunities Are
Ahmed Sallam
Senior Technologist, Software Architecture & Strategy
Chief Software Architect
3. What The Session Is About
• This session examines two things:
– Virtualization as a new system architecture layer:
• Is it secured?
• Is there malware targeting virtual environments?
• Is it bad for security?
• Can it be good for system security and how?
• Quick look into VMsafe: More focus on VMsafe CPU/Memory
– Securing the virtual infrastructure
• Security consideration for cloud environment
• Reference Architecture
• How to define a SLA for Cloud Security?
• How to evaluate the security offerings by cloud providers?
Confidential McAfee Internal Use Only
4. Part 1:
V12N SECURITY FROM A SYSTEM
ARCHITECTURE PERSPECTIVE
5. What Is Systems & Applications Virtualization?
• Decoupling of operating systems from the hardware via a VMM
• The hardware being:
– CPU, memory, I/O (network, storage, graphics, audio, etc.)
• Operating systems run concurrently on top of the same hardware
• Core virtualization support in the processor
– CPUs support I/O and memory virtualization
– Reducing the functionality and size of the hypervisor (VMM)
– Control access to CPU, memory and I/O resources from underneath the OS
• Virtual images:
– Entire computing environment in a file: memory, OS, applications, etc.
• Hypervisor provisioning: (a) on the fly (b) persisted (c) TXT & TPM
• Applications virtualization:
– Decoupling of OS from applications via virtual application images
– OS and applications in separate virtual image files
– Virtual application and OS delivered on the fly
• Virtual machines management, single unit of operations:
– Snapshot, cloning, migration, powering on/off
• Does any of the above impose newer security risks and/or challenges?
6. Risk of New Security Attacks (1)
• Malicious hypervisors (hyperjackers) attacks
– TXT not present (older systems) and/or disabled
– Malicious hypervisor injected on the fly (web surfing, exploitation, local)
– Worse if the hyperjacker boots first and supports nesting of hypervisors
• Malware attacking virtual environment from within
– Malware can detect the virtual environment:
• Vendor’s in-guest modules (processes, services, device drivers)
• Changes to processor tables and behavior when virtualization is on
– Attacking in-guest virtualization code
– Infecting VM memory, registry and files to survive VM operations
– Malicious hyper calls
• Attacking the hypervisor (Virtual Machine Monitor):
– Remote exploitations
– Attacking the hypervisor host operating system
7. Risk of New Security Attacks (2)
• Attacking the management console application
– Exploiting the management console
– Tampering with management commands, reporting data (VM Rootkit),
user interface, VM configuration, etc.
• Malicious use of VM management and configuration APIs
• Infecting VM file and memory images on disk
– Virtual disk format is documented and public
– Virtual disks files may not be protected:
• Data is not encrypted
• No access control policy
• The host is infected with malware
• Insider attacks:
– Data theft and leakage of virtual memory and disk image files
– Tampering with VM configuration and operations
• Attacking the VM memory from the host: DMA attacks
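The unprotected-image risk above ("No access control policy", data theft, tampering) can be checked on a host that stores VM files under POSIX permissions. This is an added example, not part of the original slides; the function name `audit_vm_images` and the extension list are assumptions chosen for illustration.

```python
import os
import stat
import sys

# VMware disk, memory, snapshot, suspend-state and configuration files
# (assumed list; extend it for other hypervisors).
VM_IMAGE_EXTS = {".vmdk", ".vmem", ".vmsn", ".vmss", ".vmx"}

def audit_vm_images(root):
    """Walk `root` and return sorted (relative path, issue) pairs for VM
    image files whose mode grants access beyond the owning account."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in VM_IMAGE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode  # lstat: do not follow links
            if stat.S_ISLNK(mode):
                # The link's own mode says nothing; its target needs review.
                findings.append((rel, "symlink"))
            elif mode & (stat.S_IWGRP | stat.S_IWOTH):
                # Tampering risk: image can be modified by other accounts.
                findings.append((rel, "writable by group/other"))
            elif mode & (stat.S_IRGRP | stat.S_IROTH):
                # Leakage risk: unencrypted image can be copied by others.
                findings.append((rel, "readable by group/other"))
    return sorted(findings)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, issue in audit_vm_images(target):
        print(f"{issue:26} {rel}")
```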
8. Virtualization Challenges Traditional Security
• Security solutions not ready for a hierarchy of mobile and dynamic VMs
belonging to the same parent:
– VM OS security software machine identifier no longer unique
– Multiple identical reports and requests to the security cloud
– Enterprise management console losing track of VMs
– Misclassification of VM security state:
• History of infections (when, what, how, etc.)
• History of patches deployment
• Deployment of local AV signatures
– Worse with proactive behavioral protection systems
• Mobility of VMs allows malware to cross network boundaries
• Isolation from physical network:
– Cross VM network traffic not leaving the virtual switch
– Network identity of the VM is not present
– IPS & Firewall missing routed VMs network traffic
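A management console can detect the two identity problems listed above, agent identifiers shared by cloned VMs and security state that moves backwards after a snapshot revert, from its own check-in data. This is an added example, not part of the original slides; the record fields (`agent_id`, `vm_uuid`, `ts`, `dat_version`) and the sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed check-in records. `vm_uuid` stands for a per-instance ID
# assigned by the hypervisor; `dat_version` for the local AV signature level.
CHECKINS = [
    {"agent_id": "A1", "vm_uuid": "u-100", "ts": 1, "dat_version": 5700},
    {"agent_id": "A1", "vm_uuid": "u-100", "ts": 2, "dat_version": 5710},
    {"agent_id": "A1", "vm_uuid": "u-200", "ts": 3, "dat_version": 5700},  # clone
    {"agent_id": "B7", "vm_uuid": "u-300", "ts": 1, "dat_version": 5710},
    {"agent_id": "B7", "vm_uuid": "u-300", "ts": 4, "dat_version": 5690},  # revert
    {"agent_id": "C3", "vm_uuid": "u-400", "ts": 2, "dat_version": 5710},
]

def find_cloned_agents(checkins):
    """Return {agent_id: [vm_uuid, ...]} for agent IDs reported by more
    than one VM instance, i.e. identifiers that are no longer unique."""
    instances = defaultdict(set)
    for c in checkins:
        instances[c["agent_id"]].add(c["vm_uuid"])
    return {a: sorted(u) for a, u in instances.items() if len(u) > 1}

def find_rollbacks(checkins):
    """Return (agent_id, vm_uuid, previous, current) tuples where the
    signature version of one VM instance went backwards over time."""
    last_seen = {}
    hits = []
    for c in sorted(checkins, key=lambda c: c["ts"]):
        # Key on the composite identity: keyed on agent_id alone, the
        # clone u-200 would be misread as a rollback of u-100.
        key = (c["agent_id"], c["vm_uuid"])
        prev = last_seen.get(key)
        if prev is not None and c["dat_version"] < prev:
            hits.append((key[0], key[1], prev, c["dat_version"]))
        last_seen[key] = c["dat_version"]
    return hits

if __name__ == "__main__":
    print("cloned agent ids:", find_cloned_agents(CHECKINS))
    print("state rollbacks: ", find_rollbacks(CHECKINS))
```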
9. Virtualization Opens New Avenues to Security
• Hypervisor controls physical resources underneath the OS
• Extending hypervisor to allow security software to control & secure:
– Memory: read, write and execute
– CPU: context switching, memory mapping, debugging
– I/O devices: Network, Graphics, Disk, Removable Devices
• Security software living outside the OS away from its enemy
• Securing VM image files:
– Encryption, access control, offline AV scanning, patches
• Security as an extension to virtualization infrastructure:
– Leveraging virtual storage to support black and white listing
– Leveraging virtual network switch to add IPS / Firewall capabilities
• Case example: VMSafe
– Presenter privileged to be co-designer of VMSafe CPU / Memory
– Two flavors: (Covered in next slides)
• Memory & CPU security
• Network security
10. VMsafe CPU/Memory Dedicated Security VM
• Protection of memory and processor operations
11. VMSafe Network Filtering
Enterprise Virtual Firewall / NIPS
[Figure: two “Virtual World” diagrams of VMware ESX hosts running web servers (LAN 1) and database servers (LAN 2) behind vSwitches, connected through physical NICs on a physical server to other networks. Labels: Secure Firewall Virtual Appliance; Network Firewall (Virtualized or Not Virtualized).]
• All traffic entering/leaving the virtual environment goes through the firewall, as well as inter-LAN traffic
• Firewall inspects inter-LAN traffic as well as inbound/outbound traffic
12. Expected Growth of VMSafe
• Protection over all virtualized devices
13. VMsafe CPU/Memory Has Its Own Challenges
• Performance due to VM context switching
• Stability of guest OS due to trigger-processing latency
• Loss of guest OS context
• Potential solution: using in-guest kernel mode security agent
– VMsafe can protect the agent code
– Agent relies on OS for event tracking & control
– Malware may attack OS components used by the agent
• Only Linux is supported as the OS inside the protecting VM
14. Short Note on Virtual Applications Security
• Known challenges:
– Application Virtualization Layer hiding applications’ operations entirely
– AV/HIPS does not see virtual application file activities
– Proactive behavioral analysis misses application operations
– Mobility of applications virtual images allows malware to extend its reach
• New opportunities for security:
– Security deeply integrated into apps virtualization layer
– Enforcing security policy aside from the OS
15. Part 1 Conclusions
• Virtualization imposes new security risks and challenges
– New avenues for malware to infect corporate networks and infrastructure
– Mobility of virtual images is a major security issue
– Configuration and auditing of VMs is problematic
– Challenges to legacy security systems
• Virtualization provides new opportunities to security
– Security underneath and on top of the OS
– Security away from the enemy
– Security controlling CPU and Memory
– Security controlling I/O resources: storage, network, audio and graphics
• Virtualization and security: each needs the other
17. Security and the Cloud
Ken Owens
Vice President Security and Virtualization Technology
September 2009
18. Part 2
SECURING THE VIRTUAL
INFRASTRUCTURE
Savvis Proprietary & Confidential – INTERNAL USE ONLY 18
19. “Be Careful Up There!”
• Concerns about cloud computing security abound:
– “The cloud is fraught with security risks…” – InfoWorld
– “Analysts warn that the cloud is becoming particularly attractive
to cyber crooks.” – ComputerWeekly
– “Corporate use of cloud services slowed by concerns about data
security, reliability” – Computerworld
– “Privacy, security issues darken cloud computing plans” – IDG
– "Cloud computing sounds so sweet and wonderful and safe...
we should just be aware of the terminology, if we go around
for a week calling it swamp computing I think you might
have the right mindset." – Ron Rivest, co-founder, RSA
– “It is a security nightmare and it can't be handled in traditional
ways." – John Chambers, CEO, Cisco
20. Security Tops Cloud Concerns
Source: IDC, 2009
21. Not All Clouds are the Same
• Multiple models. Multiple vendors. Multiple policies
– Each cloud provider takes a different approach to security
– No official security industry-standard has been ratified
– Most cloud providers (including Amazon EC2) do not allow
vulnerability scanning
– Many cloud providers are not forthcoming about their security
architectures and policies
– Compliance auditors are wary of the cloud, and are awaiting
guidelines on audit testing procedures
22. What the Industry Is Doing
• Several initiatives are underway
– DMTF
◦ The Distributed Management Task Force (DMTF), the organization bringing the IT industry
together to collaborate on systems management standards development, validation,
promotion and adoption, today announced that it has formed a group dedicated to
addressing the need for open management standards for cloud computing.
The "Open Cloud Standards Incubator" will work to develop a set of informational
specifications for cloud resource management
– Cloud Security Alliance
◦ A non-profit organization formed to promote the use of standardized practices for providing
security assurance within cloud computing
– Center for Internet Security
◦ A non-profit enterprise whose mission is to help organizations reduce risk resulting from
inadequate technical security controls
– PCI Security Standards Council
◦ Has created a special interest group (SIG) to help shape requirements for virtual-
and cloud-based cardholder-data environments
– NIST
◦ The National Institute of Standards and Technology has created a new team to determine
the best way to provide security for agencies that want to adopt the emerging technology
called cloud computing. Publication to be issued in 2009.
– VMware
◦ Has issued guidelines for security VM configurations
23. Security Design Considerations
• Integrated Cloud Security
– Cloud environments provide limited visibility to inter-VM traffic flows
– Specific architecture and configuration decisions
◦ Physical Segmentation
◦ Integrated (vmSafe) Security
• Cloud Burst Security
– Security Policies
– Baseline information
• Compliance Concerns
– Auditing events
– VM Mobility
• Defense in Depth
– Continue to leverage proven security strategies
25. Reference Architecture
1. Security profile per compute profile
– Corporate security policy and server tier firewall rules that are defined
within a vApp need to be communicated to the service provider
– This should include corporate server security patch levels, anti-virus
status, and file level access restrictions
2. Security DMZ for vApp
– The service provider needs to validate the patch level and security level
prior to bringing a vApp into their production environment
3. OS Management
– It is important to understand the security hardening the service provider
performs around their library of OSes and their patching policies
– VMs that are not at the correct patch level need to be updated to the
correct patch level, through a DMZ for example.
4. Resource Management
– The service provider needs to separate and isolate the resources
each customer VM uses from other customers' VM resources to prevent
DDoS attacks
26. Reference Architecture
5. Security Authentication, Authorization, and Auditing
– Cloud service provider environments should provide tight integration
with enterprise policies around individual and group access,
authentication, and auditing (AAA) policies
– This involves integration of corporate directories and group policies with
the service providers to ensure adequate access policies are enforced.
Service providers should offer stronger authentication methods, 2-factor
hard or soft tokens or certificates to enterprises that are leveraging a
cloud provider
6. Identity Management (SSO, Entitlements)
– Cloud environments should require control over user access
– Cloud providers must define a VM identity that ties each VM to an asset
identity within the service provider infrastructure
– Based upon this identity, service providers are able to assign user, role,
and privilege access within the extended infrastructure to provide role-
based access controls
– Enterprises also want to prevent unauthorized cloning or copying of the
data on a VM to a USB device or CD. Service providers can prevent the
VM from being cloned or copied by utilizing a combination of the VM
identity and server configuration management policies
27. Reference Architecture
7. Security profile per network
– In addition to the vApp having a compute security profile, there should
also be a network security profile to ensure perimeter and web access
security functionality
– Enterprises need to ensure that service providers implement separate
management networks and data networks per customer
– Service providers should have a separate network for vMotion and
vmSafe. Enterprises should request service providers to encrypt all
management traffic, including vMotion events
– Enterprises should require encryption of their data packets via SSL/IPSec
or management connectivity via SSL or SSH
8. Data Security
– Enterprises should request service providers to provide access paths to
only the physical servers that must have access to maintain the desired
functionality
– Service providers should accomplish this through the use of zoning via
SAN N-Port ID virtualization (NPIV), LUN masking, access lists, and
permission configurations
28. How to Define SLA for Security?
• Security Policy SLAs
– Firewall Rule Auditing
– Firewall Change Request implementation SLA
– Firewall log availability SLA
• Patch Level SLAs
– Time to patch SLAs
– Remediation SLAs
• Threat Management SLAs
– Vulnerabilities against VM Asset Auditing
– Threats detected and prevented SLAs
• Availability SLAs
29. How to Evaluate the Security Offering
by a Cloud Partner?
• The evaluation should be performed based on the
following criteria:
– Security profile per compute profile
– Security DMZ per vApp
– OS Management
– Resource Management
– Security profile per network
– Data Security
– Security Authentication, Authorization, and Auditing
– Identity Management
30. Part 2 Conclusions
1. Security tops the list of cloud concerns
2. Not all cloud providers' security capabilities are the same
3. Define an acceptable level of risk
4. Define measurable parameters that enable monitoring and
assessment of the level of risk
5. Evaluate cloud providers' security offerings and controls
– Security Capabilities
– Measurable parameters (SLAs)
– Reference Architecture