Copyright 2011 Trend Micro Inc.

Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques


DESCRIPTION

Dave Asprey, VP Cloud Security of Trend Micro, presented to members of the SDforum in Jan. 2011. This is an adapted version of his presentation, which covers key considerations for addressing data privacy concerns in the cloud.


1. Dave Asprey, VP Cloud Security
[email protected]
@daveasprey (cloud + virtual security tweets)
Encryption in the public cloud: 16 Bits of Advice for Security techniques

2. Adapted from an original presentation delivered to
Members of the SDforum, Jan. 2011
By Dave Asprey, VP of Cloud Security, Trend Micro
Trend Micro Confidential 3/23/2011
3. Your speaker
Dave Asprey
VP, Cloud Security
Cloud & Virtualization Evangelist
[email protected]
@daveasprey
cloudsecurity.trendmicro.com
Linkedin.com/in/asprey
Background
Blue Coat - VP Technology
Citrix - Strategic Planning, Virtualization Business
Netscaler Dir PM
Exodus/Savvis Dir PM & Strategy exec
Speedera/Akamai Sr. Dir PM
3Com Web IT guy
UC Santa Cruz Ran Web & Internet Engineering Program
Author, PWC Tech Forecast: Systems & Network Mgt + Scaling
4. Data Privacy Concerns in the Cloud
Data is stored in plain text
Virtual volumes can move without the owners knowledge
Little ability to audit or monitor access to resources or data
Hypervisors and storage are shared with other users
Storage devices contain residual data
5. Amazon Web Services Customer Agreement
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
Translation: If it gets hacked, it's your fault.
http://aws.amazon.com/agreement/#7 (23 November 2010)
6. Security: the #1 Cloud Challenge
Security and privacy higher than
Sum (performance, immaturity, regulatory compliance)
Gartner (April 2010)
7. Use encrypted, self-defending hosts
(Diagram: Internet, Shared Firewall, Virtual Servers, Shared Storage; each risk is paired with the "doesn't matter" answer an encrypted, self-defending host gives.)
Multiple customers on one physical server: potential for attacks via the hypervisor
Shared network inside the firewall
  Doesn't matter: the edge of my virtual machine is protected
  Doesn't matter: treat the LAN as public
Shared firewall: lowest common denominator, less fine-grained control
  Doesn't matter: treat the LAN as public
Easily copied machine images: who else has your server?
  Doesn't matter: they can start my server, but only I can unlock my data
Shared storage: is customer segmentation secure against attack?
  Doesn't matter: my data is encrypted
8. Advice
1. Encrypt network traffic
2. Use only encrypted file systems for block devices
3. Encrypt everything in shared storage
4. Only allow decryption keys to enter the cloud during decryption
5. Only authentication credential in VMs = key to decrypt file system key
9. More advice
6. At instance startup, fetch encrypted file system key
7. No password-based authentication for shell access
8. No allowed passwords for sudo access (!)
9. Make regular backups off-cloud
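Points 4 through 6 describe one key-handling flow. As an added example that is not from the deck or from Trend Micro, the Python below sketches it: a hypothetical off-cloud KeyServer stores only the wrapped file system key, the VM image carries only the key-encryption key (KEK), and at startup the instance fetches, unwraps, uses and wipes the plaintext key. Because the standard library has no AES, the wrapping is a constructed HMAC-SHA256 stand-in for AES key wrap, not a production primitive.

```python
import hashlib, hmac, secrets

# Constructed stand-in for AES key wrap (the stdlib has no AES): an
# HMAC-SHA256 keystream XOR plus an HMAC tag. Use AES-KW or an HSM for real.
def _stream(kek: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(kek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap_key(kek: bytes, fs_key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(fs_key, _stream(kek, nonce, len(fs_key))))
    return nonce + body + hmac.new(kek, nonce + body, hashlib.sha256).digest()

def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kek, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(body, _stream(kek, nonce, len(body))))

class KeyServer:
    """Hypothetical off-cloud service; it stores wrapped keys only."""
    def __init__(self):
        self.blobs = {}
    def enroll(self, instance_id: str, blob: bytes):
        self.blobs[instance_id] = blob
    def fetch(self, instance_id: str) -> bytes:
        return self.blobs[instance_id]

def instance_startup(kek: bytes, instance_id: str, server: KeyServer) -> str:
    """Points 4-6: fetch the wrapped key, unwrap in memory, use it, wipe it."""
    fs_key = bytearray(unwrap_key(kek, server.fetch(instance_id)))
    mounted = hashlib.sha256(fs_key).hexdigest()[:16]  # stands in for luksOpen
    fs_key[:] = bytes(len(fs_key))  # plaintext key never persists in the VM
    return mounted

def demo():
    kek = secrets.token_bytes(32)     # the only credential baked into the image
    fs_key = secrets.token_bytes(32)  # block-device key, generated off-cloud
    server = KeyServer()
    server.enroll("i-demo", wrap_key(kek, fs_key))
    expected = hashlib.sha256(fs_key).hexdigest()[:16]
    booted = instance_startup(kek, "i-demo", server) == expected
    try:  # wrapped key copied from storage, but without the image's KEK
        unwrap_key(secrets.token_bytes(32), server.fetch("i-demo"))
        stolen_usable = True
    except ValueError:
        stolen_usable = False
    return booted, stolen_usable
```

Someone who copies the machine image gets the KEK but not the wrapped key the server hands only to enrolled instances, and someone who copies the wrapped key from shared storage cannot unwrap it without the KEK.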
10. Even more advice
10. Minimize # of services per VM instance (goal = 1)
11. Only open ports you need
12. Specify source addresses & only allow HTTP global access
13. Keep sensitive data in a separate database
11. Final advice
14. Use host-based intrusion detection system
15. Use system hardening tools
16. Write better applications!
12. Thank You.
Dave Asprey
VP Cloud Security
[email protected]
@daveasprey
cloudsecurity.trendmicro.com
Props to: George Reese & O'Reilly Blog