Cloud Security Delivery Models: Security Risks & Recommendations
Ben Feinstein, Director of CTU Operations & Analysis, Counter Threat Unit (CTU), Dell SecureWorks
2011 ISACA Webinar Program. 2011 ISACA. All rights reserved.
NIST Working Definition of Cloud Computing: Visual Model
Let's attack here!
Security is the Major Issue
Statistics on Adoption of Virtualization & Cloud
96% of respondents had virtualized at some portion of their infrastructure. 52% had moved data and applications into a Cloud environment, and of those that had not, 46% planned to within 12 months. 58% believed their Cloud environment was not adequately secured.
* Results based on customer survey at SecureWorks Enterprise Security Summit 2010
Results of CA / Ponemon Study
Security of Cloud Computing Providers Study released April 2011
Surveyed 103 cloud service providers in US and 24 in six EU countries
[Chart: Cloud Deployment Models] Public 64%, Private 18%, Hybrid 18%
[Chart: Type of Cloud Adoption] SaaS, IaaS and PaaS; chart values 55%, 34% and 11% (the value-to-label pairing is not recoverable from the extracted page)
Results of CA / Ponemon Study
Majority of cloud providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage.
Majority of cloud providers believe it is their customers' responsibility to secure the cloud and not their responsibility.
Adoption of cloud services is being largely driven by lower cost and faster deployment of applications, not by improved security or compliance with regulations.
Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization's ability to meet security objectives than providers of public and hybrid cloud solutions.
Virtualization Security (VirtSec)
Some risks similar to those of multi-tenancy / SaaS solutions
Hyper-escalation vulnerabilities
Guest VM breaks out
Guest VM escalates privileges with regard to other Guests
Guest VM escalates privileges with regard to Host
Could go so far as to fully compromise Host
Virtualization Security (VirtSec)
Blue Pill / Red Pill attacks
Attacker inserts their own hypervisor beneath the legitimate one
How to detect if your hypervisor is virtualized?
Virtualized Desktops / Workstations have some promise of security ROI
Real World Attacks on Hypervisors
Poll Question: In which year was the first publicly disclosed hypervisor exploit?
Real World Attacks on Hypervisors
Correct Answer: November of 2006!
Real World Attacks on Hypervisors: Microsoft Xbox 360
Microsoft Xbox 360 has embedded hypervisor
Games and Apps must be signed by MS
Games and Apps run in non-privileged, virtualized mode
Oct 31, 2006: Buffer overflow vulnerability introduced in 4532 kernel
Nov 16, 2006: Anonymous hacker completes Proof of Concept
Jan 3, 2007: Vulnerability disclosed to Microsoft
Jan 9, 2007: MS releases patch
Feb 28, 2007: Responsible public disclosure
Hyper Escalation in Microsoft Xbox 360
Buffer overflow exploit allowed privilege escalation into hypervisor
Combined w/ method to inject data into non-privileged memory
Attacker can run arbitrary code with full privileges and full access to HW
e.g., run an alternate operating system
Requires physical access to Xbox 360 device
Real World Attacks on Hypervisors: VMware Device Driver
CLOUDBURST attack on VMware Workstation
April 2009, Immunity (makers of CANVAS)
Exploits vuln in VMware Display functions
3D display driver (frame buffer)
Allows code to be executed in Host from within Guest VM
Exploit tunnels MOSDEF connection over Frame Buffer of the Guest VM to communicate with VMware Host
Defeats DEP/ASLR on Vista and reliable on Linux
US DoD Performing VMware Vulnerability Discovery Work?
Old news (2008), but shows the threat is real.
Critical memory corruption in virtual device hardware (CVE-2008-4917)
Reported by Andrew Honig of US DoD
Non-Secure Internet Protocol Router Network (NIPRNet)
Secure Internet Protocol Router Network (SIPRNet)
NSA's High Assurance Platform (HAP) Program
Guest OS sends request to virtual hardware
Can cause virtual HW to write to uncontrolled physical memory
Affected Products: ESX and ESXi; Workstation, Player, Server, and Fusion; ACE
Risks in Virtualized & Cloud Environments
Based on Threat Intelligence data and IDS data collected over the last year, vulnerabilities reported in virtualized technologies nearly doubled.
IDS events detecting these attacks increased by more than 500%
Risk due to vulnerabilities in virtualization-related tech is amplified within the Cloud
[Chart: Alerts and Vulns over the period]
Threats From/To Cloud Computing
Malicious Insiders
Data Loss or Leakage
Account or Service Hijacking
Abuse and Nefarious Use of Cloud Computing
Insecure Interfaces and APIs
Shared Technology Issues
Unknown Risk Profile
Cloud Security Alliance Top Threats to Cloud Computing
Shared Technology Issues
Consolidated databases
Shared network infrastructure
Shared compute, memory, disk resources
Hypervisor vulnerabilities
Blue Pill / Red Pill
Drives Aggregate Risk
Abuse and Nefarious use of Cloud Computing
Zeus uses Amazon EC2 for command and control
Spammers use Amazon's Web Services platform
Prediction: Malware Targets the Cloud
Target and steal credentials related to Cloud providers
AWS
Amazon username/password
Certificate and private key
SSH key pairs
Access Secret Key
Automate exploitation of Cloud provider APIs
New, advanced malware capabilities
Attack multi-tenancy
Bypass processor-level isolation and/or hyper escalation
Exploit vulnerabilities in Virtual OS controls
Other Predictions
Phishing targets Cloud provider credentials
Incident Response is slowed by involvement of 3rd parties
Post-compromise forensic analysis made more difficult in Cloud
Time to Remediate vulnerabilities may increase
Lower priority for Cloud provider?
Use of canned VM Images: impact to vulnerability management
Insider Threat
e.g., provider has their own Pfc. Bradley Manning employed as sysadmin
Physical breach / loss of device may be more damaging
Multi-Tenancy
In the Cloud, Anyone Can Move in Next Door
Neighbors Drawing Attention
Virtualization / Cloud: The End of the Security Perimeter?
No, not really. Actually, cloud deployment models bring about a proliferation of perimeters. Each virtual instance essentially represents its own perimeter. Put another way, each VM must be defended in isolation. Why? Because traditional perimeter defenses are not easily mapped to Virtualization / Cloud.
Loss of Governance: Malicious Insiders
Insecure Interfaces and APIs
There are thousands of web-based APIs with 10-15 new APIs being created per week (source: ProgrammableWeb)
Man-in-the-middle (MitM) attacks
Message alteration
Message replay attacks
Identity spoofing
Denial of Service attacks
Confidentiality issues
Monitoring, monitoring, monitoring
Monitoring of virtualized infrastructure
Host
Hypervisor
Guests
Operating system / applications
Other security services
Unified view is important
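The point of the "unified view" is that some signals only exist across layers: a hypervisor-side event on a VM, a login inside that guest, and a provider-API call from the same address are three separate logs until they are normalised into one timeline. The following added example (not code from the webinar or from any vendor) does that for three constructed log formats; none of the formats or sample lines is the real format of any hypervisor or cloud provider, the API action names are illustrative, and the year for the syslog lines is an assumption because syslog omits it.

```python
"""Unified view across hypervisor, guest and cloud-API logs.

Added example, not from the webinar. The three log formats and every line
below are constructed for the demo; they are not the formats of any real
hypervisor or cloud provider.
"""
import json
import re
from datetime import datetime, timedelta

ASSUMED_YEAR = 2011  # syslog lines carry no year; the constructed data is from April 2011

# Constructed sample input. Host "hv01" runs guests "web-07" and "db-02".
HYPERVISOR_LOG = [
    "2011-04-12T10:03:21Z hv01 vm=web-07 event=device_fault dev=svga",
    "2011-04-12T10:03:40Z hv01 vm=db-02 event=migrate dest=hv03",
]
GUEST_SYSLOG = [
    "Apr 12 10:03:25 web-07 sshd[1234]: Accepted publickey for root from 203.0.113.9 port 5311",
    "Apr 12 10:05:02 db-02 sshd[2201]: Accepted password for admin from 198.51.100.4 port 40022",
]
CLOUD_API_AUDIT = [  # one JSON record per line; action names are illustrative
    '{"time": "2011-04-12T10:04:02Z", "user": "deploy", "action": "CreateAccessKey", "src": "203.0.113.9"}',
    '{"time": "2011-04-12T10:09:00Z", "user": "ops", "action": "DescribeInstances", "src": "192.0.2.10"}',
]

PRIVILEGED_API_ACTIONS = {"CreateAccessKey", "CreateUser", "AuthorizeSecurityGroupIngress"}

_HV_RE = re.compile(r"^(\S+) (\S+) vm=(\S+) event=(\S+)")
_SSH_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"Accepted \w+ for (\S+) from (\S+)")


def parse_hypervisor(line):
    m = _HV_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "layer": "hypervisor", "vm": m.group(3), "src": None,
            "user": None, "action": m.group(4)}


def parse_guest(line):
    m = _SSH_RE.match(line)
    if not m:
        return None
    stamp = f"{ASSUMED_YEAR} {m.group(1)} {m.group(2)} {m.group(3)}"
    ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
    return {"ts": ts, "layer": "guest", "vm": m.group(4), "src": m.group(6),
            "user": m.group(5), "action": "ssh_login"}


def parse_cloud_api(line):
    rec = json.loads(line)
    ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "layer": "cloud_api", "vm": None, "src": rec["src"],
            "user": rec["user"], "action": rec["action"]}


def unify(hv_lines, guest_lines, api_lines):
    """Normalise every source into one schema and order by time."""
    parsed = [parse_hypervisor(l) for l in hv_lines]
    parsed += [parse_guest(l) for l in guest_lines]
    parsed += [parse_cloud_api(l) for l in api_lines]
    return sorted((e for e in parsed if e), key=lambda e: e["ts"])


def layer_counts(events):
    counts = {}
    for e in events:
        counts[e["layer"]] = counts.get(e["layer"], 0) + 1
    return counts


def correlate(events, window=timedelta(minutes=15)):
    """Cross-layer rules that no single log could fire on its own."""
    alerts = []
    for ev in events:
        if ev["layer"] == "guest" and ev["user"] == "root":
            # Rule 1: virtual-device fault on a VM shortly before a root login on it.
            for hv in events:
                if (hv["layer"] == "hypervisor" and hv["vm"] == ev["vm"]
                        and hv["action"] == "device_fault"
                        and timedelta(0) <= ev["ts"] - hv["ts"] <= window):
                    alerts.append({"rule": "device_fault_then_root_login",
                                   "vm": ev["vm"], "ts": ev["ts"].isoformat()})
        if ev["layer"] == "cloud_api" and ev["action"] in PRIVILEGED_API_ACTIONS:
            # Rule 2: privileged provider-API call from an IP that just logged in to a guest.
            for g in events:
                if (g["layer"] == "guest" and g["src"] == ev["src"]
                        and timedelta(0) <= ev["ts"] - g["ts"] <= window):
                    alerts.append({"rule": "guest_login_ip_then_privileged_api",
                                   "src": ev["src"], "vm": g["vm"], "action": ev["action"]})
    return alerts


def run_demo():
    events = unify(HYPERVISOR_LOG, GUEST_SYSLOG, CLOUD_API_AUDIT)
    return layer_counts(events), correlate(events)


if __name__ == "__main__":
    counts, alerts = run_demo()
    print("events per layer:", counts)
    for a in alerts:
        print("ALERT", a)
```

Both rules are deliberately simple; what matters is that each needs fields from two layers (VM name from the hypervisor and the guest, source IP from the guest and the provider API), which is only possible once the three sources share a schema and a clock.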
Don't Build Your House On A Poor Foundation!
Simple Model of IT Stack
[Stack diagram, top to bottom] Users / Applications / Platform / Infrastructure
Simple Model of Cloud Stack
[Diagram: SaaS, PaaS and IaaS placed on two axes, Control and Exposure, with PaaS between the other two]
SaaS: Customer Has Less Direct Operational Control, Customer Has More Shared Exposure
IaaS: Customer Has More Direct Operational Control, Customer Has Less Shared Exposure
Your Neighbors and You: SaaS
In addition to shared virtualized infrastructure, shared Guest OS, and shared Platform Stack, the Software Application Stack and Software Application are shared with Neighbor
Potential for exploitation of vulnerabilities in Software Application Stack and Software Application exposes Organizations using SaaS to some risk from Neighbor
[Diagram: What You Share w/ Your Neighbor. Your Organization (Your Org's Userbase) and Your Neighbor (Neighbor's Userbase) both sit on the SaaS Provider Platform: Software Application, Software Application Stack, Platform Stack, Guest OS, Hypervisor, Hardware, Network, Storage, all shared]
Your Neighbors and You: PaaS
In addition to shared virtualized infrastructure, Guest OS and Platform Stack are shared with Neighbor
Potential for exploitation of vulnerabilities in Platform and Guest OS exposes Organizations using PaaS to some risk from Neighbor
[Diagram: What You Share w/ Your Neighbor. Your Organization (Your Org's Userbase, Your Org's App 1 and App 2, Your Org's App Stack) and Your Neighbor (Neighbor's Userbase, Neighbor's App 1 and App 2, Neighbor's App Stack) both sit on the PaaS Provider Platform: Platform Stack, Guest OS, Hypervisor, Hardware, Network, Storage, all shared]
Your Neighbors and You: IaaS
Virtualized infrastructure shared with Neighbor, from concrete to Hypervisor
Potential for exploitation of vulnerabilities in the shared virtual infrastructure exposes Organizations using IaaS to some level of risk from Neighbor
Exploitation of shared physical infrastructure also a consideration
[Diagram: What You Share w/ Your Neighbor. Your Organization (Your Org's Userbase, Your Org's App 1 and App 2, Your Org's App Stack, Your Org's Platform Stack, Your Org's Guest OS) and Your Neighbor (the same layers, Neighbor's own) both sit on the IaaS Provider Platform: Hypervisor, Hardware, Network, Storage, all shared]
PCI Goes to the (IaaS) Cloud
Challenge of migrating data and applications to Cloud while maintaining significant investments in regulatory compliance
Can Cloud provider provide evidence of compliance with relevant requirements?
Does Cloud provider permit audits by relevant certifying bodies?
Dec 5, Amazon Web Services (AWS) announces Level 1 PCI DSS certification
AWS certified from concrete to hypervisor
AWS customer must certify their in-scope elements on top of IaaS: Guest OS, Application Stack, Apps, Controls, Operational Processes
Merchants and other service providers can now run their applications on AWS PCI- compliant technology infrastructure to store, process and transmit credit card information in the cloud.
Your Neighbors and You: IaaS, PaaS and SaaS
What You Share w/ Your Neighbor
[Diagram, built up over three slides, showing the three delivery models side by side:]
IaaS Provider Platform: each tenant keeps its own Userbase, Apps, App Stack, Platform Stack and Guest OS; Hypervisor, Hardware, Network and Storage are shared
PaaS Provider Platform: each tenant keeps its own Userbase, Apps and App Stack; Platform Stack, Guest OS, Hypervisor, Hardware, Network and Storage are shared
SaaS Provider Platform: each tenant keeps only its own Userbase; Software Application, Software Application Stack, Platform Stack, Guest OS, Hypervisor, Hardware, Network and Storage are shared
Simple Model of Cloud Stack
[Diagram repeated: SaaS, PaaS and IaaS on the Control and Exposure axes]
SaaS: Customer Has Less Direct Operational Control, Customer Has More Shared Exposure
IaaS: Customer Has More Direct Operational Control, Customer Has Less Shared Exposure
Cloud and Virtualization Realities
Cloud
Old problems in a new context
Collapsing perimeter means they take on a new edge
Vendor management problem
Ask the right questions in RFPs
Virtualization
Is with us
Traditional security techniques have limited effect
Guest to Host hacks have existed and will exist
Security solutions maturing
Leverage virtual security devices & services
OS minimization and host based security will bring benefit
Some Recommendations
Assess the security of your cloud services providers
Consider the impact that a violation of isolation would have at various layers / in various components
Evaluate security trade-offs between Public, Private and Hybrid cloud service delivery models
Tightly manage cloud providers' network access controls
Assess security of any 3rd party virtual appliance images (e.g., AMIs) to be used
Investigate new cloud-based security solutions from both established and upstart vendors
Monitor logs from cloud deployments
Trade- off of direct operational control vs. need to increase visibility and transparency
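The credential material listed earlier under "Malware Targets the Cloud" (Amazon credentials, certificates and private keys, SSH key pairs, access secret keys) is exactly what a third-party appliance image may leave behind, so the recommendation above to assess any 3rd party AMI before use can start with a search for it, together with baked-in authorized_keys entries and world-writable files. The following is an added example, not code from the webinar or from any vendor. It assumes the image has been mounted or extracted read-only under a directory; to run offline it builds a constructed sample tree in a temp dir. AKIAIOSFODNN7EXAMPLE and its secret are AWS's published documentation placeholders, and the sample file paths and modes are constructed.

```python
"""Audit a third-party VM image root for leftover credential material and weak files.

Added example, not part of the webinar. Assumes the image is mounted or
extracted read-only under a directory; here a constructed sample tree is built
in a temp dir. AKIAIOSFODNN7EXAMPLE and the matching secret are the placeholder
credentials from AWS documentation.
"""
import os
import re
import stat
import tempfile

ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"aws_secret_access_key\s*=\s*([A-Za-z0-9/+]{40})", re.I)
PRIVATE_KEY_MARKERS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----",
                       "-----BEGIN OPENSSH PRIVATE KEY-----", "-----BEGIN EC PRIVATE KEY-----")
MAX_TEXT_BYTES = 1_000_000  # skip large binaries; key material lives in small text files


def scan_file(path, rel):
    """Return (kind, relative path, detail) findings for one file."""
    findings = []
    try:
        st = os.lstat(path)
    except OSError:
        return findings
    if not stat.S_ISREG(st.st_mode):        # skip symlinks, devices, sockets
        return findings
    if st.st_mode & stat.S_IWOTH:
        findings.append(("world_writable", rel, ""))
    if st.st_size > MAX_TEXT_BYTES:
        return findings
    try:
        with open(path, "r", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return findings
    for m in ACCESS_KEY_ID_RE.finditer(text):
        findings.append(("aws_access_key_id", rel, m.group(0)))
    if SECRET_KEY_RE.search(text):
        findings.append(("aws_secret_access_key", rel, "<redacted>"))  # never echo the secret
    if any(marker in text for marker in PRIVATE_KEY_MARKERS):
        findings.append(("private_key", rel, ""))
    if os.path.basename(path) == "authorized_keys":
        keys = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
        if keys:
            findings.append(("baked_in_authorized_keys", rel, f"{len(keys)} key(s)"))
    return findings


def audit_image(root):
    """Walk the image tree and collect findings, sorted for stable reporting."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings.extend(scan_file(path, os.path.relpath(path, root)))
    return sorted(findings)


def build_sample_image(root):
    """Construct a small fake image tree with the kinds of leftovers the audit looks for."""
    def write(rel, content, mode=0o600):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)

    write("root/.aws/credentials",
          "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
          "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    write("home/builder/.ssh/id_rsa",
          "-----BEGIN RSA PRIVATE KEY-----\nMIIEow(constructed)\n-----END RSA PRIVATE KEY-----\n")
    write("root/.ssh/authorized_keys", "ssh-rsa AAAAB3NzaC1yc2E(constructed) builder@vendor\n")
    write("etc/cloud.cfg", "datasource_list: [ Ec2 ]\n", mode=0o666)   # world-writable
    write("etc/hostname", "appliance\n", mode=0o644)                   # clean file


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_image(root)
        return audit_image(root)


if __name__ == "__main__":
    for kind, rel, detail in run_demo():
        print(f"{kind:26} {rel} {detail}")
```

Any hit in the first three categories means the image ships a credential that every tenant who launches it also holds, so the finding is "rotate or rebuild", not "delete the file". Point `audit_image` at a real mount point (for example the root of a loop-mounted image) to use it outside the demo.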
Q&A
Any Questions?