27
Hardware security & the cloud services Gabriel Labrada April 2015

Hardware security & the cloud services

Embed Size (px)

Citation preview

Page 1: Hardware security & the cloud services

Hardware security & the cloud services

Gabriel LabradaApril 2015

Page 2: Hardware security & the cloud services

About Me

• Gabriel LabradaElectronic and communications engineer (IPN Mexico)MsC Computer Science CINVESTAV on ECC Crypto, parallell computing and multicore algorithms.Security Researcher at Intel.Security validation of PCH, Servers, uServers and some security technologies like trusted execution technology.

[email protected]

Logo

Page 3: Hardware security & the cloud services

The HW and FW are the next line of defense on the evolving role of computer security.

•Antivirus•Network hardening•Server hardening•Secure App/Code Development•End user endpoint hardening•HW/FW hardening

Page 4: Hardware security & the cloud services

Security Evolution

Antivirus

Network hardening Server hardening

Secure App/Code Development End user endpoint hardening

1st Gen

2nd Gen

3rd Gen

4th Gen

HW/FW hardening

Page 5: Hardware security & the cloud services
Page 6: Hardware security & the cloud services

Lets take a look at this interesting estimation on the

Internet-connected devices vs world population

Source: http://share.cisco.com/internet-of-things.html

2003 2010 2015 2020

50 billion

8 billion

Page 7: Hardware security & the cloud services

What does that mean for security?

Money is becoming digital

110101011010100101010110101

Page 8: Hardware security & the cloud services

What does that mean for security?•All kind of information is being migrated to its digital form.

Ecommerce - Banking - Financial - Contracts - Health - Traffic control - Intellectual Property - Books – Entertainment – Music – Movies – News – Money – Videos – Photos – Social relations – Financial records – Tax payment – evoting – advertising – network sensors, phone calls, etc.

Page 9: Hardware security & the cloud services

So, how to protect the data & services?

CIA

Page 10: Hardware security & the cloud services

Computing: Physical VS Cloud

Page 11: Hardware security & the cloud services

Computing: Physical VS Virtual

Hardware

OS

App1 App2 AppN…

Page 12: Hardware security & the cloud services

Computing: Physical VS Virtual

Hardware

Hypervisor

VM1 VM2 VMn…OS1 OS2 OSnApps . Apps . Apps .

OS

Page 13: Hardware security & the cloud services

Computing: Physical VS Virtual

Hardware

Hypervisor

VM1 VM2 VMn…OS1 OS2 OSnApps . Apps . Apps .

Page 14: Hardware security & the cloud services

Cloud pros.

• Lower cost• High availability• Cloud Companies have security

professional configuring and monitoring

• Efficiency savings in terms of power• Savings in terms of cooling and floor

space

Page 15: Hardware security & the cloud services

Cloud downside.

• New infrastructure• Virtual Networking• Many eggs into one huge

basket• Hypervisor becomes a key

player

Page 16: Hardware security & the cloud services

Two general scenarios for virtualization

compromise

Hyperjacking

Hyper Jumping

Page 17: Hardware security & the cloud services

• Both: Physical and Virtual services require protection

Network hardening

Server hardening

Secure App/Code

Development

User endpoint

hardening

HW hardening

Page 18: Hardware security & the cloud services

• Network hardening– Keep your network devices upgraded– Periodically re-verify the file hash of the running firmware– Shut down unused physical interfaces– Configure restrictive policies– Change default passwords/keys immediately– Protect the network device configuration file from unauthorized

disclosure.– Configure alerts when changes or reboot events detected. – Shut down unneeded services on network devices. – Monitor Logs on a regular basis– Only use secure protocol standards (SSHv2; IKEv2/IPsec; TLS

v1.0+) when performing remote management of network devices.– Restrict remote management connectivity to only controlled

machines

Network hardening

Page 19: Hardware security & the cloud services

Server Hardening•Use Data Encryption for your Communications•Avoid using insecure protocols that send your information or passwords in plain text.•Minimize unnecessary software on your servers.•Keep your operating system up to date, especially security patches.•Change passwords on a regular basis and do not reuse them•Lock accounts after too many login failures. Often these login failures are illegitimate attempts to gain access to your system.•Do not permit easy/empty passwords.•Disable unused binaries•Maintain server logs; mirror logs to a separate log server•Install Logwatch and review logwatch emails daily. Investigate any suspicious activity on your server.•Use brute force and intrusion detection systemsLimit user accounts to accessing only what they need. Increased access should only be on an as-needed basis.•Maintain proper backups•Don't forget about physical server security

Server hardening

Page 20: Hardware security & the cloud services

Secure App/Code Development1 - Injection2 - Broken Authentication and Session management3 - Cross-Site Scripting (XSS)4 - Insecure Direct Object References5 - Security Misconfiguration6 - Sensitive data exposure7 - Missing Function Level Access Control8 - Cross-Site Request Forgery (CSRF)9 - Using Components with known Vulnerabilities10 - Invalidated Redirects and Forwards

Source: https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013

Secure App/Code

Development

Page 21: Hardware security & the cloud services

• Multi-layered, defense-in-depth security architecture.

HW

RING 3

RING 0

RING -1

Secure App/Code

Development

Page 22: Hardware security & the cloud services

User endpoint hardening•Use strong auth/passwords•Prefer multifactor authentication (MFA)•Update firmware and patches•Separate work devices from entertainment•Review security for your Network devices•Change default access configuration•Disable unused ports/protocols

User endpoint

hardening

Page 23: Hardware security & the cloud services

Hardware hardening• Control registers• Memory Range registers and their protections• Address translation logic• System fuses and straps• Module interfaces and buses• State flows and error handling• Debug Features (DFX), Design For Test (DFT)• Error injection• Crypto modules• Firmware and patches

HW hardening

Page 24: Hardware security & the cloud services

CHIPSEC: Platform Security Assessment FrameworkCHIPSEC is a framework for analyzing security of PC platforms including hardware, system firmware including BIOS/UEFI and the configuration of platform components. It allows creating security test suite, security assessment tools for various low level components and interfaces as well as forensic capabilities for firmware

CHIPSEC can run on any of these environments:•Windows (client and server)•Linux•UEFI Shell

NOTE: This software is for security testing purposes.

Source https://github.com/chipsec/chipsec

HW hardening

Page 25: Hardware security & the cloud services

Virtual environments

If possible isolate VMs network traffic.

At least security management of

hypervisor must be kept separate from

regular traffic.

Don’t manage hypervisor from guest

operating systems.

Monitoring/Management tools should not be

installed or used from guest OS.

Regular patch the hypervisor

Regular patch BIOS/FW/ucode.

Page 26: Hardware security & the cloud services

Wrap up

HW security will play an important role on cloud computing

Hypervisors will become a very attractive target for hackers due to the number of potential guest machines that can be compromised and also the

computing power of virtualization servers.

Use Automated testing tools to validate recommended configuration on HW

Page 27: Hardware security & the cloud services

Questions?

Answer

Answer


2021 Cloud Security Report - Fortinet

2021 Cloud Security Report - Fortinet

Documents
A security analysis of amazon's elastic compute cloud service

A security analysis of amazon's elastic compute cloud service

Documents
A New Hybrid Automated Security Framework to Cloud ... - MDPI

A New Hybrid Automated Security Framework to Cloud ... - MDPI

Documents
Novel Security Models for IoT–Fog–Cloud Architectures in a

Novel Security Models for IoT–Fog–Cloud Architectures in a

Documents
Data Security in the Cloud

Data Security in the Cloud

Documents
A new model to ensure security in cloud computing services

A new model to ensure security in cloud computing services

Documents
Cloud Computing: Security Issues and Challenges - Semantic

Cloud Computing: Security Issues and Challenges - Semantic

Documents
Hardware Attack Surface: JTAG, SWD - IoT Security - Payatu

Hardware Attack Surface: JTAG, SWD - IoT Security - Payatu

Documents
THÈSE DE DOCTORAT Security and Trust in Mobile Cloud

THÈSE DE DOCTORAT Security and Trust in Mobile Cloud

Documents
Cloud Security in southern Railways in India

Cloud Security in southern Railways in India

Documents
SECURITY THREATS ON CLOUD COMPUTING VULNERABILITIES

SECURITY THREATS ON CLOUD COMPUTING VULNERABILITIES

Documents
Security Trade-Offs in Cloud Storage Systems - DepositOnce

Security Trade-Offs in Cloud Storage Systems - DepositOnce

Documents
UNC500 Hardware Manual - ARAS Security

UNC500 Hardware Manual - ARAS Security

Documents
Forcepoint Cloud Security Gateway Integration Guide

Forcepoint Cloud Security Gateway Integration Guide

Documents
Management of Privacy and Security in Cloud Computing

Management of Privacy and Security in Cloud Computing

Documents
ON THE SECURITY OF CLOUD STORAGE SERVICES

ON THE SECURITY OF CLOUD STORAGE SERVICES

Documents
A Review on Security Issues in Cloud Computing

A Review on Security Issues in Cloud Computing

Documents
Mitigating Cloud Computing security risks using a self-monitoring defensive scheme

Mitigating Cloud Computing security risks using a self-monitoring defensive scheme

Documents
Qualys Cloud Security Lab Tutorial Supplement

Qualys Cloud Security Lab Tutorial Supplement

Documents
CLOUD COMPUTING SECURITY IN BUSINESS ... - arXiv

CLOUD COMPUTING SECURITY IN BUSINESS ... - arXiv

Documents
Security Analysis of Cloud Computing

Security Analysis of Cloud Computing

Documents
Cloud computing solutions and security of EU remote

Cloud computing solutions and security of EU remote

Documents
SECURITY ISSUES IN CLOUD COMPUTING AND THEIR COUNTERMEASURES

SECURITY ISSUES IN CLOUD COMPUTING AND THEIR COUNTERMEASURES

Documents
A Framework for Multi-cloud Cooperation with Hardware Reconfiguration Support

A Framework for Multi-cloud Cooperation with Hardware Reconfiguration Support

Documents
Virtualization \u0026 Cloud Security: Part 1

Virtualization \u0026 Cloud Security: Part 1

Documents
Operation, Management, Security and Sustainability for Cloud Computing

Operation, Management, Security and Sustainability for Cloud Computing

Documents
MPA Content Security Best Practices - Google Cloud

MPA Content Security Best Practices - Google Cloud

Documents
5G Cloud Infrastructure Security Guidance Part II - Defense.gov

5G Cloud Infrastructure Security Guidance Part II - Defense.gov

Documents
Security and Data De-Duplication Using Hybrid Cloud

Security and Data De-Duplication Using Hybrid Cloud

Documents
Trust Enhanced Security for Tenant Transactions in the Cloud Environment

Trust Enhanced Security for Tenant Transactions in the Cloud Environment

Documents