5. Intended Audience
This presentation is more theoretical than
technical, so its main audience is:
- All Sysadmins
- Security Auditors
- Infrastructure designers
- Virtualization professionals
6. NIST definition of Cloud Computing
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
7. What is NOT cloud computing
NIST does not include virtualization as part of
their cloud definition, so:
CLOUD COMPUTING IS NOT VIRTUALIZATION
Cloud Computing is a new paradigm that offers a
number of new features.
Any new paradigm has weaknesses characteristic
of its very design.
9. What they want us to believe
- Totally secure
- Management Free
- Pay-as-you-go
- No Downtime
11. Traditional Security: Who’s Watching?
[Diagram: on the physical network, the Network Admin, Server Admin, Application Owners (?) and Data Custodians each watch their own piece; on the virtual network, many VM processes and services run behind a few physical NICs alongside a Management VM, and it is unclear who is watching them]
12. Virtualization & Cloud Security
What is so scary about “the cloud”?
Today’s Data Center                Tomorrow’s Public Cloud
We have control.                   Who has control?
It’s located at X.                 Where is it located?
It’s stored in servers Y, Z.       Where is it stored?
We have backups in place.          Who backs it up?
Our admins control access.         Who has access?
Our uptime is sufficient.          How resilient is it?
The auditors are happy.            How do auditors observe?
Our security team is engaged.      How does our security team engage?
16. Market Analysis
[Diagram: offerings arranged by increasing virtualization (vertical axis) and flexibility of offering (horizontal axis)]
SaaS – Software as a Service (Platform, Scaling and Hardware transparent): Gmail, Google Apps, Live Workspace (Microsoft), Salesforce.com
PaaS – Platform as a Service (Hardware Provisioning Hidden – Automatic Scaling): Force.com, Sun Caroline, Google App Engine, Microsoft Azure, Amazon SimpleDB
HaaS – Hardware as a Service (Programmatic Interface for Hardware Provisioning): Amazon EC2/S3
In-house hosted bare metal servers (people/process based hardware provisioning): EDS (Infrastructure Outsourcing)
25. FOCUS ON DATA
Don’t let one person manage all the devices
• Enforce Separation of Duties (SOD)
SOD makes sure that one individual cannot
complete a critical task by himself.
Avoid having the same person manage both the hosts and the
Virtual Machines
Use Role Based Access Control
• RBAC is the model used in Virtual Center
26. Authentication
Network Access Control grants access to enterprise network
resources based upon authentication of the user and the
device, and only if both are compliant with policy
27. Authorization
Complexity in the Cloud
[Diagram: a workload stack (Web Service, App, OS, Hypervisor, BLADE, SAN; examples EC2 and App Virt) set against Governance/Risk and Workload Risk on one side and Policy, Guidance and Best Practices on the other, linked by “Coherence”]
Security Posture and Behavior Coupling
29. Enforce Strong Access Controls
Security Principle              Implementation in VI
Least Privileges                Roles with only required privileges
Separation of Duties            Roles applied only to required objects
[Diagram: users Joe, Harry and Anne mapped to the Administrator, Operator and User roles]
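The two rules on slides 25 and 29, least privilege and separation of duties, as a small RBAC model. This is an added example, not code from the presentation or from Virtual Center; the role names, privilege sets, conflict pairs and object ids are constructed for illustration.

```python
"""Added example: RBAC with least-privilege roles and separation-of-duties checks.
Roles, privileges, conflict pairs and object ids are constructed, not real."""

# Least privilege: each role carries only the (object type, action) pairs its job needs.
ROLE_PRIVILEGES = {
    "host_admin":  {("host", "configure"), ("host", "patch")},
    "vm_admin":    {("vm", "create"), ("vm", "delete"), ("vm", "power")},
    "vm_operator": {("vm", "power"), ("vm", "snapshot")},
    "auditor":     {("host", "read_logs"), ("vm", "read_logs")},
}

# Separation of duties: role pairs no single person may hold at the same time.
# Slide 25 names the host/VM split; an auditor must not also administer what they audit.
SOD_CONFLICTS = {
    frozenset({"host_admin", "vm_admin"}),
    frozenset({"host_admin", "vm_operator"}),
    frozenset({"auditor", "host_admin"}),
    frozenset({"auditor", "vm_admin"}),
}


class SodViolation(Exception):
    """Raised when an assignment would give one user two conflicting roles."""


class RoleDirectory:
    def __init__(self):
        # user -> role -> set of object ids the role is scoped to
        self._grants = {}

    def assign(self, user, role, objects):
        """Grant `role` to `user`, but only over the listed objects (slide 29:
        roles applied only to required objects). Refuses SoD conflicts."""
        if role not in ROLE_PRIVILEGES:
            raise KeyError(f"unknown role {role!r}")
        held = self._grants.setdefault(user, {})
        for existing in held:
            if frozenset({existing, role}) in SOD_CONFLICTS:
                raise SodViolation(f"{user}: {role} conflicts with {existing}")
        held.setdefault(role, set()).update(objects)

    def is_allowed(self, user, obj_type, obj_id, action):
        """Access check: a held role must grant the action AND be scoped to the object."""
        for role, scope in self._grants.get(user, {}).items():
            if (obj_type, action) in ROLE_PRIVILEGES[role] and obj_id in scope:
                return True
        return False
```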
32. Virtualization & Cloud Security
Layers of a typical Cloud Service
Cloud Delivered Services
  Application as a service (SaaS): application software licensed for use as a service provided to customers on demand
  Platform as a service (PaaS): optimized middleware – application servers, database servers, portal servers
  Infrastructure as a service (IaaS): virtualized servers, storage, networking
Cloud Platform
  Business Support Services: Offering Mgmt, Customer Mgmt, Ordering Mgmt, Billing
  Operational Support Services: Infrastructure Provisioning; Instance, Image, Resource / Asset Mgmt
  Virtualized Resources: Virtual Network, Server, Storage
  System Resources: Network, Server, Storage
  Physical System and Environment
33. Virtualization & Cloud Security
Cloud Security
[Diagram: the layer stack of slide 32 (Cloud Delivered Services: application, platform and infrastructure as a service; Cloud Platform: business support services, operational support services, virtualized resources, system resources, physical system and environment) annotated with the security controls each layer needs]
Security controls across the layers:
  Secure integration with existing enterprise security infrastructure
  Federated identity / identity as a service
  Authorization, entitlements
  Log, audit and compliance reporting
  Intrusion prevention
  Process isolation, data segregation
  Control of privileged user access
  Provisioning w/ security and location constraints
  Image provenance, image & VM integrity
  Multi-tenant security services (identity, compliance reporting, etc.)
  Multi-tenant intrusion prevention
Consistency top-to-bottom
34. Virtualization & Cloud Security
Cloud Security = SOA Security + Virtualization Security
[Diagram: the layer stack of slide 32; Service Oriented Architecture (SOA) Security spans the Cloud Delivered Services (application, platform and infrastructure as a service), while Virtualization Security spans the Cloud Platform (business and operational support services, virtualized resources, system resources, physical system and environment)]
36. Incident Analysis
• Most CSPs do not provide incident analysis
• Customers’ access to logs is restricted
• Forensics becomes almost impossible
• CSPs force you to trust in their security
38. It’s not that bad!
• Possible solutions are:
  • HIDS
  • Virtual Firewalls
  • Catbird Security
  • vShield
• Of course the old ones:
  • Data encryption
  • Data integrity check (during VM transfer)
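The last item, an integrity check on a VM image while it is moved between hosts, worked through in code. This is an added example, not from the presentation or any vendor product; the image bytes, the shared key and the `transfer` stand-in for the network copy are constructed here.

```python
"""Added example: keyed integrity check for a VM image copied between hosts.
The image, key and transfer function are constructed for illustration."""
import hashlib
import hmac
from typing import Optional

CHUNK = 1 << 16  # hash in 64 KiB pieces so a multi-GB image need not fit in memory


def seal(image: bytes, key: bytes) -> bytes:
    """Source host: keyed digest of the image, computed before the copy starts.
    A keyed MAC is used rather than a bare hash so that whoever can alter the
    image in transit cannot simply recompute the checksum to match."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for offset in range(0, len(image), CHUNK):
        mac.update(image[offset:offset + CHUNK])
    return mac.digest()


def verify(image: bytes, key: bytes, tag: bytes) -> bool:
    """Destination host: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(seal(image, key), tag)


def transfer(image: bytes, flip_byte_at: Optional[int] = None) -> bytes:
    """Constructed stand-in for the network copy; optionally corrupts one byte
    on the way, which is the failure the check must catch."""
    if flip_byte_at is None:
        return image
    data = bytearray(image)
    data[flip_byte_at] ^= 0x01
    return bytes(data)


def migrate(image: bytes, key: bytes, flip_byte_at: Optional[int] = None) -> bool:
    """Full round trip: seal on the source, copy, verify on the destination.
    Returns True only if the received image is byte-for-byte what was sent."""
    tag = seal(image, key)                    # tag and key travel out of band
    received = transfer(image, flip_byte_at)  # the image takes the data path
    return verify(received, key, tag)


# Constructed sample: a 1 MiB "disk image" and a key shared by the two hosts.
SAMPLE_IMAGE = bytes(range(256)) * 4096
SAMPLE_KEY = b"constructed-shared-key-for-the-example"
```

A single flipped byte anywhere in the image makes `migrate` return False, while an unmodified copy verifies.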