Gaps in the Clouds by Robert Fritz

Transcript

1. Cloud Computing Security Robert Fritz(VP), Cloud Security Practice Lead

2. 2 Welcome  Morgan Stanley Welcome and Acknowledgements  Morgan

   Stanley Canada Services Lead: Alan Vesprini(ED)  Out of Town Guests:  Reuben Wells(MD), John Panzica(ED), William Ma  Material Contributors:  Rares Pateneau(ED), David Mirza-Ahmad, Guillaume Ross, Mickael Emirkanian–Bouchard, Oscar Isasmendi-Gallo(VP), Mia Kilborn, John Otterson(VP)  Event Contributors  Andrew Graham, Guillaume Ross, Siddharth Kashyap, Levon Petros, Mathias Sofer, Rob Ierfino, Vanessa Houle, Mehdi Bennani  OWASP Welcome and Acknowledgements :  Jonathan Marcil, Chapter President Represented by Michael Robillard, and Marius Popescu

3. 3 About Me  Local Security Architecture Lead  Global

   Lead for Strategic Consulting , driving control agenda for:  Cloud, Social Media, Mobile Computing, and Pioneer  Security work for 15+ years,  US Air Force, Hewlett-Packard, now Morgan Stanley  Patents Pending:  Including part of HP’s Threat Analysis Methodology  Lead Editor of Two Center for Internet Security Hardening Benchmarks  HP-UX and Android  Contributor to NIST IR7502:  Metrics For Software Security Configuration Vulnerabilities

4. 4 What is “Cloud?”

5. How Much Cloud?: a Delivery Model

6. Where is the Cloud?: An Access Model HOW? WHAT? WHO?

7. • Ability to assign a cost to a unit of

   resource and charge by amount of resources used Metered • Ability to provision resources in real time in response to workload runtime events Automated Provisioning • Ability to add and remove resources for a workload without the workload being aware of it Dynamic Provisioning • Ability to add and remove resources to the pool without Interruption of service to active workloads Elastic Internet Technology Foundation

8. Cloud Vendor Landscape • Who will own the new infrastructure

   and the new customers – Operationally: Keys and Management – Technology: Abstraction and Hardware – Data: e.g. Uploading to Amazon is free, getting it back costs $$ – Expertise: Who will be the new “experts” 8

9. Cloud Vendor Landscape: Examples 9 Azure IaaS Azure PaaS Office

   365 Google Compute Google App Engine Google Enterprise / Apps Traditional (But Future Speculation) PaaS: Force.com Salesforce / AppExchange Amazon AWS Heroku Elastic Beanstalk Private IaaS: OpenStack, CloudStack, Citrix Cloud Platform Private PaaS: OpenShift, Cloud Foundry SaaS PaaS IaaS Private Cloud: Mix n Match |Dedicated Public Cloud Offerings---------------------------------------|

10. Security Layers Assuming Commercial IaaS / Custom PaaS 10 Traditional

    Application Security Cloud Provisioning Broker Host Access Broker Multi-Tenancy Container OS or Platform Layer •“No IT Work” / Patch •Snapshot Proliferation •Pre-Pwned Marketplace Images Application Administrator End User Provisioning Administrator (Owns Firewall / Deployment) OS/Platform Troubleshooting Internet Mid-Talk Quiz: Any Guesses on the Most Common Firewall Rules/ SGs?

11. Security Challenges: Hidden Costs • Hidden Costs – Adding missing

    security infrastructure and services – Managing conflicting assumptions of security responsibility – Managing external change – Lock-In • Cloud Offerings often don’t include: – Consistent authentication standards to and amongst cloud service vendors – Access and entitlements management – Data security – Application and infrastructure audit and reporting – Attack detection/monitoring • Cloud security still maturing; existing solutions may not address all gaps 11

12. Stop the Bleeding: PaaS/SaaS Data Exposure • Data Exfiltration from

    Infrastructure we Don’t Control – Encryption Brokers (eg: CipherCloud) • Encrypt Data, and you don’t “Care” • BUT: You can’t process cipher text • Easy: Cold Storage (Panzura/ RiverBed) • Tricky: PaaS/SaaS Applications – Identify and Baseline Secret Data: What really is secret? – Identify which operations *must* cloud executed » Preserve Search and Sort in Some cases » Search / Sort Locally for others • Data Exfiltration from Infrastructure we Do control: – Adapt DLP-classic to HTTP(s) or consume compliance-mail Feeds – Monitor Perimeter (look for undercover cloud adoption: eg: SkyHigh) 12

13. 13 Case Study in AWS IaaS: Who’s Job is Security?

    Their Job • Have NIDS for their Network • Scan their apps • Separate their tenants / users NOT Their Job • OS and Up • Manage Entitlements and Identity • Entitlements are inconsistent and overbroad • Amazon Says “Buy a Broker”

14. 14 Case Study in AWS IaaS: What you get with

    Amazon IAM • Recent Enterprise Offering Authentication • In-GUI :“Global root” permissions per service • Granular Entitlement Requires Dozens of pages of hand-crafted JSON • “All or Nothing” Permissions Model the Norm • AMI, Network, IP, and resource permissions new Entitlements: • Cloud Trail: Raw Dump to S3 Bucket Audit

15. 15 Case Study in Force.com/SalesForce: What you get with SFDC

    • Username / Password Default • SAML Optional Authentication • API and UI- based Entitlements Provisioning • Very Little Entitlement Hierarchy but very Inter- Dependent • Easy to Overprovision Entitlements: • Inconsistent Coverage • Only some via API • Some require screen scraping • Missing Authorization Failures Entirely • direct path access Audit

16. 16 Case Study in SaaS:  SaaS Vendors Want to

    Share Data  Box: Fishing-Friendly Invites from Outside Firm-Created User  Box Doesn’t Limit or Audit Sharing of Materials from Non-Firm Folders  Google Apps: allows In-Document Code that Can Create External-Facing Data Flow  Doing Business on Social Vendors’ Sites:  Poor validation of participants’ identity or business affiliation  Attacks from and propagated by multiple sources; insecure laptops or network (e.g. open Wi-Fi) via social networking platforms  Sites want to grow content volume; firms like us want to know who they are talking to  Security barriers that increase confidence but decrease volume often removed by sites (OAUTH 2.0)

17. 17 Questions?