Virtualization, Cloud and Data Security (and the occasional intersection of the three) as presented at the Cloud Security Alliance Q2-2012 Atlanta Meeting on Friday, April 6, 2012.

I do #security. I advocate for #privacy.
‣ I build virtual datacenters and cloud infrastructure.
‣ I keep my data in the cloud.

is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties."
From the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing
Wednesday, March 10, 2010

‣ Virtualization: Unique architectures present unique challenges
‣ Data in the Cloud: Public or private, understanding your data is the key to securing it

detriment of effective categorization.
Categorization vs. Sensitivity
Classification (Categorization)
Classification (Sensitivity)
The purpose of classification is to protect information from being used to damage or endanger organizational security.
Simply possessing a clearance should not automatically authorize an individual to view all data classified at or below that level.

in Motion
Data at Rest
Data in Motion
“On the Internet, communications security is much less important than the security of the endpoints.” - Bruce Schneier
However, anyone can read what’s going across the wire when it is sent unencrypted.

information (EPHI).
CA Office of HIPAA Implementation
‣ DATA AT REST
• Data at rest should be protected by one of the following:
  - Encryption, or
  - Firewalls with strict access controls that authenticate the identity of those individuals accessing _____ [system/data].
• The use of password protection instead of encryption is not an acceptable alternative to protecting EPHI.
• Systems that store or transmit personal information must have proper security protection, such as antivirus software, with unneeded services or ports turned off and subject to needed applications being properly configured.

information (EPHI).
CA Office of HIPAA Implementation
‣ TRANSMISSION SECURITY
• All emails with EPHI transmitted outside of State (or county) departments’ networks must be encrypted.
• Any EPHI transmitted through a public network to and from vendors, customers, or entities doing business with ___ [name of the org in the State of California, or a county] must be encrypted or be transmitted through an encrypted tunnel. EPHI must be transmitted through a tunnel encrypted with ___ [specify type of encryption to be used, such as virtual private networks (VPN) or point-to-point tunnel protocols (PPTP) like Secure Shells (SSH) and secure socket layers (SSL)].
• Transmitting EPHI through the use of web email programs is not allowed.
• Using chat programs or peer-to-peer file sharing programs is not allowed.
• Wireless (Wi-fi) transmissions must be encrypted using ___.

the effectiveness of pre-existing security policies.
On-premise vs. Off-premise
On-premise
Off-premise
You need only trust those vetted, hired and managed by your organization, and according to your own security policies.
Trust model now includes external entities, plus potential additional considerations around governance, regulations and compliance.

machines running therein.
‣ While many security considerations are the same within physical and virtual, ...
‣ Virtualization does introduce unique architectures & a few unique challenges

often short-lived
‣ VM sprawl vs. VM stall
‣ Most orgs have poor change control & patch management systems for virtual
‣ Introspection mechanisms available, but not widely deployed

Resources
• Your virtual infrastructure is only as secure as the resources that comprise it!
• Securing your compute, network and storage infrastructure is as important as securing the hypervisor and guests

OS
• Needs to be hardened / secured just like on physical machines
• Principles of minimization will lead to smaller, faster, more secure VMs

of the hypervisor) for the purpose of analyzing [its behavior]
VM Introspection
‣ Introspective firewalling
‣ Introspective malware detection
‣ Introspective DLP
‣ Traditionally, distinct products
  • Catbird, HyTrust, Juniper, Reflex Systems, Trend Micro, VMware, etc.

your data; consider trust models
‣ Understanding what your org means by ‘cloud’ is key to securing data in the cloud:
  • 5 characteristics
  • 3 service models
  • 4 deployment models

‣ Abuse and Nefarious Use of Cloud Computing
‣ Insecure Interfaces and APIs
‣ Malicious Insiders
‣ Shared Technology Issues
‣ Data Loss or Leakage
‣ Account or Service Hijacking
‣ Unknown Risk Profile

Encrypt locally before storing in the cloud
• Ensure external key storage and management
• Keep private data out of cloud
• Build protection mechanisms directly into your resources in the cloud
• Host private cloud

security are no less important than before
‣ Compliance is important, but useless taken out of context (SAS 70 TII, but with which controls?)
‣ Compliance doesn’t fully address governance, residency or access

multiple jurisdictions, tossing data around like a doublewide.)
Avoiding the Data Tornado
‣ Deep knowledge of your data
‣ Data flow and threat modeling
‣ AAA, IAM & RBAC FTW
‣ Effective security policies
‣ Tested security procedures
‣ Proven security controls

Focus in Cloud Computing
‣ ENISA’s Cloud Computing: Benefits, Risks and Recommendations for Information Security
‣ CSA’s Cloud Controls Matrix
‣ ENISA’s Procure Secure: A guide to monitoring of security service levels in cloud contracts
‣ NIST SP 800-145 Definition of Cloud Computing and 800-137 on Information Security Continuous Monitoring