TA3901 Security and the Cloud
Ahmed Sallam, Senior Technologist, Software Architecture & Strategy, Chief Software Architect, McAfee
Ken Owens, Vice President Security and Virtualization Technology, Savvis

VMWorld 2009 Presentation


1. TA3901 Security and the Cloud
   Ahmed Sallam, Senior Technologist, Software Architecture & Strategy, Chief Software Architect, McAfee
   Ken Owens, Vice President Security and Virtualization Technology, Savvis

2. Security and Virtualization: What The Risks and Opportunities Are
   Ahmed Sallam, Senior Technologist, Software Architecture & Strategy, Chief Software Architect

3. What The Session Is About
   This session examines two things:
   - Virtualization as a new system architecture layer:
     - Is it secured?
     - Is there malware targeting virtual environments?
     - Is it bad for security?
     - Can it be good for system security, and how?
     - Quick look into VMsafe, with more focus on VMsafe CPU/Memory
   - Securing the virtual infrastructure:
     - Security considerations for a cloud environment
     - Reference architecture
     - How to define an SLA for cloud security?
     - How to evaluate the security offerings of cloud providers?
   Confidential McAfee Internal Use Only

4. Part 1: V12N Security From a System Architecture Perspective

5. What Is Systems & Applications Virtualization?
   - Decoupling of operating systems from the hardware via a VMM
     - The hardware being: CPU, memory, I/O (network, storage, graphics, audio, etc.)
     - Operating systems run concurrently on top of the same hardware
   - Core virtualization support in the processor
     - CPUs support I/O and memory virtualization
     - Reducing the functionality and size of the hypervisor (VMM)
     - Control access to CPU, memory and I/O resources from underneath the OS
   - Virtual images: the entire computing environment in a file: memory, OS, applications, etc.
   - Hypervisor provisioning: (a) on the fly (b) persisted (c) TXT & TPM
   - Applications virtualization: decoupling of the OS from applications via virtual application images
     - OS and applications in separate virtual image files
     - Virtual application and OS delivered on the fly
   - Virtual machine management, single unit of operations: snapshot, cloning, migration, powering on/off
   Does any of the above impose newer security risks and/or challenges?

6. Risk of New Security Attacks (1)
   - Malicious hypervisor (hyperjacker) attacks
     - TXT not present (older systems) and/or disabled
     - Malicious hypervisor injected on the fly (web surfing, exploitation, local)
     - Worse if the hyperjacker boots first and supports nesting of hypervisors
   - Malware attacking the virtual environment from within
     - Malware can detect the virtual environment: vendors' in-guest modules (processes, services, device drivers); changes to processor tables and behavior when virtualization is on
     - Attacking in-guest virtualization code
     - Infecting VM memory, registry and files to survive VM operations
     - Malicious hypercalls
   - Attacking the hypervisor (Virtual Machine Monitor)
     - Remote exploitation
     - Attacking the hypervisor host operating system

7. Risk of New Security Attacks (2)
   - Attacking the management console application
     - Exploiting the management console
     - Tampering with management commands, reporting data (VM rootkit), user interface, VM configuration, etc.
     - Malicious use of VM management and configuration APIs
   - Infecting VM file and memory images on disk
     - Virtual disk format is documented and public
     - Virtual disk files may not be protected: data is not encrypted, no access control policy
     - The host is infected with malware
   - Insider attacks
     - Data theft and leakage of virtual memory and disk image files
     - Tampering with VM configuration and operations
   - Attacking the VM memory from the host: DMA attacks

8. Virtualization Challenges Traditional Security
   - Security solutions are not ready for a hierarchy of mobile and dynamic VMs belonging to the same parent:
     - VM OS security software machine identifier no longer unique
     - Multiple identical reports and requests to the security cloud
     - Enterprise management console losing track of VMs
     - Misclassification of VM security state: history of infections (when, what, how, etc.), history of patch deployment, deployment of local AV signatures
     - Worse with proactive behavioral protection systems
   - Mobility of VMs allows malware to cross network boundaries
   - Isolation from the physical network:
     - Cross-VM network traffic not leaving the virtual switch
     - Network identity of the VM is not present
     - IPS & firewall missing routed VM network traffic

9. Virtualization Opens New Avenues to Security
   - Hypervisor controls physical resources underneath the OS
   - Extending the hypervisor to allow security software to control & secure:
     - Memory: read, write and execute
     - CPU: context switching, memory mapping, debugging
     - I/O devices: network, graphics, disk, removable devices
   - Security software living outside the OS, away from its enemy
   - Securing VM image files: encryption, access control, offline AV scanning, patches
   - Security as an extension to the virtualization infrastructure:
     - Leveraging virtual storage to support black- and whitelisting
     - Leveraging the virtual network switch to add IPS / firewall capabilities
   - Case example: VMsafe (presenter privileged to be co-designer of VMsafe CPU/Memory)
     - Two flavors (covered in next slides): memory & CPU security; network security

10. VMsafe CPU/Memory
   - Dedicated security VM
   - Protection of memory and processor operations

11. VMsafe Network Filtering: Enterprise Virtual Firewall / NIPS
   [Diagram: "The Virtual World" on VMware ESX. Web servers and database servers on LAN 1 and LAN 2 are attached to vSwitch1 and vSwitch2; a secure firewall virtual appliance (vNic 1, vNic 2) sits between them and vSwitch0 / the physical NICs (NIC1, NIC2) of the physical server. All traffic entering or leaving the virtual environment goes through the firewall, as well as inter-LAN traffic. The physical network firewall inspects inter-LAN traffic as well as inbound/outbound traffic to other networks (virtualized or not virtualized).]

12. Expected Growth of VMsafe
   [Chart: protection over all virtualized devices]

13. VMsafe CPU/Memory Has Its Own Challenges
   - Performance, due to VM context switching
   - Stability of the guest OS, due to trigger-processing latency
   - Loss of guest OS context
     - Potential solution: using an in-guest kernel-mode security agent
     - VMsafe can protect the agent code
     - Agent relies on the OS for event tracking & control
     - Malware may attack OS components used by the agent
   - Only Linux is supported as the OS inside the protecting VM

14. Short Note on Virtual Applications Security
   - Known challenges:
     - Application virtualization layer hiding application operations entirely
     - AV/HIPS does not see virtual application file activities
     - Proactive behavioral analysis misses application operations
     - Mobility of application virtual images allows malware to extend its reach
   - New opportunities for security:
     - Security deeply integrated into the application virtualization layer
     - Enforcing security policy aside from the OS

15. Part 1 Conclusions
   - Virtualization imposes new security risks and challenges
     - New avenues for malware to infect corporate networks and infrastructure
     - Mobility of virtual images is a major security issue
     - Configuration and auditing of VMs is problematic
     - Challenges to legacy security systems
   - Virtualization provides new opportunities to security
     - Security underneath and on top of the OS
     - Security away from the enemy
     - Security controlling CPU and memory
     - Security controlling I/O resources: storage, network, audio and graphics
   - Virtualization and security: both need each other

16. Security and the Cloud
   Ken Owens, Vice President Security and Virtualization Technology
   September 2009

17. Part 2: Securing the Virtual Infrastructure
   Savvis Proprietary & Confidential INTERNAL USE ONLY

18. Be Careful Up There!
   Concerns about cloud computing security abound:
   - "The cloud is fraught with security risks" (InfoWorld)
   - "Analysts warn that the cloud is becoming particularly attractive to cyber crooks." (ComputerWeekly)
   - "Corporate use of cloud services slowed by concerns about data security, reliability" (Computerworld)
   - "Privacy, security issues darken cloud computing plans" (IDG)
   - "Cloud computing sounds so sweet and wonderful and safe... we should just be aware of the terminology, if we go around for a week calling it swamp computing I think you might have the right mindset." Ron Rivest, co-founder, RSA
   - "It is a security nightmare and it can't be handled in traditional ways." John Chambers, CEO, Cisco

19. Security Tops Cloud Concerns
   [Chart. Source: IDC, 2009]

20. Not All Clouds Are the Same
   Multiple models. Multiple vendors. Multiple policies.
   - Each cloud provider takes a different approach to security
   - No official security industry standard has been ratified
   - Most cloud providers (including Amazon EC2) do not allow vulnerability scanning
   - Many cloud providers are not forthcoming about their security architectures and policies
   - Compliance auditors are wary of the cloud, and are awaiting guidelines on audit testing procedures

21. What the Industry Is Doing
   Several initiatives are underway:
   - DMTF: The Distributed Management Task Force (DMTF), the organization bringing the IT industry together to collaborate on systems management standards development, validation, promotion and adoption, today announced that it has formed a group dedicated to addressing the need for open management standards for cloud computing. The "Open Cloud Standards Incubator" will work to develop a set of informational specifications for cloud resource management.
   - Cloud Security Alliance: a non-profit organization formed to promote the use of standardized practices for providing security assurance within cloud computing
   - Center for Internet Security: a non-profit enterprise whose mission is to help organizations reduce risk resulting from inadequate technical security controls
   - PCI Security Standards Council: has created a special interest group (SIG) to help shape requirements for virtual- and cloud-based cardholder-data environments
   - NIST: The National Institute of Standards and Technology has created a new team to determine the best way to provide security for agencies that want to adopt the emerging technology called cloud computing. Publication to be issued in 2009.
   - VMware: has issued guidelines for secure VM configurations

22. Security Design Considerations
   - Integrated cloud security
     - Cloud environments provide limited visibility into inter-VM traffic flows
     - Specific architecture and configuration decisions: physical segmentation; integrated (VMsafe) security; cloud burst security
   - Security policies
     - Baseline information
     - Compliance concerns
     - Auditing events
     - VM mobility
   - Defense in depth: continue to leverage proven security strategies

23. Reference Architecture
   [Diagram]

24. Reference Architecture
   1. Security profile per compute profile
      - Corporate security policy and server-tier firewall rules that are defined within a vApp need to be communicated to the service provider
      - This should include corporate server security patch levels, anti-virus status, and file-level access restrictions
   2. Security DMZ for vApp
      - The service provider needs to validate the patch level and security level prior to bringing a vApp into their production environment
   3. OS Management
      - It is important to understand the security hardening the service provider performs around their library of OSes and their patching policies
      - VMs that are not at the correct patch level need to be updated to the correct patch level, through a DMZ for example
   4. Resource Management
      - The service provider needs to separate and isolate the resources each customer VM uses from other customers' VM resources to prevent DDoS attacks

25. Reference Architecture
   5. Security Authentication, Authorization, and Auditing
      - Cloud service provider environments should provide tight integration with enterprise policies around individual and group access, authentication, and auditing (AAA) policies
      - This involves integration of corporate directories and group policies with the service provider's to ensure adequate access policies are enforced
      - Service providers should offer stronger authentication methods (2-factor hard or soft tokens, or certificates) to enterprises that are leveraging a cloud provider
   6. Identity Management (SSO, Entitlements)
      - Cloud environments should require control over user access
      - Cloud providers must define a VM identity that ties each VM to an asset identity within the service provider infrastructure
      - Based upon this identity, service providers are able to assign user, role, and privilege access within the extended infrastructure to provide role-based access controls
      - Enterprises also want to prevent unauthorized cloning or copying of the data on a VM to a USB device or CD. Service providers can prevent the VM from being cloned or copied by utilizing a combination of the VM identity and server configuration management policies

26. Reference Architecture
   7. Security profile per network
      - In addition to the vApp having a compute security profile, there should also be a network security profile to ensure perimeter and web access security functionality
      - Enterprises need to ensure that service providers implement separate management networks and data networks per customer
      - Service providers should have a separate network for vMotion and VMsafe. Enterprises should request service providers to encrypt all management traffic, including vMotion events
      - Enterprises should require encryption of their data packets via SSL/IPsec, or management connectivity via SSL or SSH
   8. Data Security
      - Enterprises should request service providers to provide access paths to only the physical servers that must have access to maintain the desired functionality
      - Service providers should accomplish this through the use of zoning via SAN N-Port ID Virtualization (NPIV), LUN masking, access lists, and permission configurations

27. How to Define SLAs for Security?
   - Security policy SLAs
     - Firewall rule auditing
     - Firewall change request implementation SLA
     - Firewall log availability SLA
   - Patch level SLAs
     - Time-to-patch SLAs
     - Remediation SLAs
   - Threat management SLAs
     - Vulnerabilities against VM asset auditing
     - Threats detected and prevented SLAs
   - Availability SLAs

28. How to Evaluate the Security Offering by a Cloud Partner?
   The evaluation should be performed based on the following criteria:
   - Security profile per compute profile
   - Security DMZ per vApp
   - OS management
   - Resource management
   - Security profile per network
   - Data security
   - Security authentication, authorization, and auditing
   - Identity management

29. Part 2 Conclusions
   1. Security tops the list of cloud concerns
   2. Not all cloud providers' security capabilities are the same
   3. Define an acceptable level of risk
   4. Define measurable parameters that enable monitoring and assessment of the level of risk
   5. Evaluate cloud providers' security offerings and controls: security capabilities; measurable parameters (SLAs); reference architecture

30. Thank You.
   2009 Savvis, Inc. All rights reserved. Savvis is the registered trademark of Savvis Communications Corporation.
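The SLA categories on slide 27 and the "measurable parameters" of the Part 2 conclusions only become enforceable once each one is expressed as a check over evidence the provider hands back (change tickets, patch records, delivered logs). The following is an added worked example in Python, not taken from the slides or from McAfee/Savvis; the thresholds, the record format and the sample evidence are constructed assumptions, and it covers three of the listed parameters (firewall change implementation, time to patch, firewall log availability) in one evaluator.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

SLA = {"firewall_change_hours": 24,                                     # change request SLA (assumed)
       "time_to_patch_days": {"critical": 7, "high": 14, "medium": 30},  # time-to-patch SLA (assumed)
       "log_availability_pct": 99.0}                                    # log availability SLA (assumed)

@dataclass
class Record:
    kind: str                          # "fw_change", "patch" or "fw_log"
    asset: str                         # VM or firewall the record concerns
    opened: datetime                   # request raised / vulnerability published / log day
    closed: Optional[datetime] = None  # implemented / patched; None means still open
    severity: str = "medium"           # patch records only

def evaluate(records: List[Record], period_days: int, now: datetime):
    """Return (breaches, firewall log availability %) for one reporting period."""
    breaches, log_days = [], set()
    for r in records:
        if r.kind == "fw_log":
            log_days.add(r.opened.date())
            continue
        if r.kind == "fw_change":
            limit = timedelta(hours=SLA["firewall_change_hours"])
        else:
            limit = timedelta(days=SLA["time_to_patch_days"][r.severity])
        elapsed = (r.closed or now) - r.opened   # open items are measured up to now
        if elapsed > limit:
            label = r.severity if r.kind == "patch" else "change"
            breaches.append((r.kind, r.asset, f"{label} over SLA by {elapsed - limit}"))
    availability = 100.0 * len(log_days) / period_days
    if availability < SLA["log_availability_pct"]:
        breaches.append(("fw_log", "*", f"log availability {availability:.1f}%"))
    return breaches, availability

def sample_records() -> List[Record]:
    """Constructed evidence for a 10-day period starting 2009-09-01 (day 4 logs missing)."""
    t0, d, h = datetime(2009, 9, 1), timedelta(days=1), timedelta(hours=1)
    recs = [Record("fw_log", "fw1", t0 + n * d) for n in range(10) if n != 4]
    recs += [Record("fw_change", "fw1", t0, t0 + 3 * h),                # met
             Record("fw_change", "fw1", t0 + 2 * d, t0 + 3 * d + 6 * h),  # 30h, breached
             Record("patch", "web01", t0, t0 + 5 * d, "critical"),      # met
             Record("patch", "db01", t0, t0 + 20 * d, "high"),          # 20d > 14d, breached
             Record("patch", "web02", t0, None, "medium")]              # open, inside window
    return recs

def demo():
    """Evaluate the constructed evidence as of 2009-09-11; returns (breaches, availability)."""
    return evaluate(sample_records(), 10, datetime(2009, 9, 11))
```

The still-open medium patch is deliberately not flagged: an open item only counts as a breach once its window has elapsed, which is the distinction an auditor needs between "late" and "in progress".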