Brighttalk Challenges In Cloud Security


Talk about Cloud Security on the Brighttalk Summit of Public, Private & Hybrid Clouds (http://www.brighttalk.com/summit/cloudcomputing3)


Page 1: Brighttalk Challenges In Cloud Security

Challenges in Cloud Security: Public vs Private Clouds

Sergio Loureiro, elastic-security.com

Page 2

Outline

• Definitions
• State of the art of cloud attacks
• Roots of security threats
• Challenges ahead
• Conclusion

Page 3

Public vs Private

• Public: "The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services."

• Private: "The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise."

Source: NIST cloud definition

Page 4

Public vs Private

• Security requirements
  o What? CIA, i.e. confidentiality, integrity and availability
  o Where? Data at rest AND data in transit
  o When? During the whole lifecycle

• From whom?
  o Public cloud surface of attack: cloud provider(s), co-tenants, users
  o Private cloud surface of attack: cloud provider (if managed), users

Page 5

SPI Model

• Software as a Service (salesforce.com, Google Docs)
• Platform as a Service (Google App Engine, force.com, MS Azure)
• Infrastructure as a Service (Amazon EC2, Rackspace)

The service model has an impact on security.

Page 6

State of the art attacks in SaaS/PaaS

• Nothing new: web-service threats are well understood
• Typical web-site attacks (OWASP)
  o SQL injection
  o Cross-Site Scripting (XSS)
  o Cross-Site Request Forgery (CSRF)

Bottom line: Audit your provider and check the SLAs
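The three OWASP issues named on this slide are the same ones an auditor looks for in a SaaS/PaaS provider's code. The following is an added example, not from the slides, showing each vulnerable pattern beside its hardened form on an in-memory SQLite database with constructed sample users; the `session`/`form` dictionaries stand in for a web framework's session and POST data.

```python
"""Added example (not from the slides): SQL injection, XSS and CSRF, each
shown as the vulnerable pattern beside the hardened one. Sample data and
the session/form dicts are constructed for the example."""
import html
import hmac
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


# --- SQL injection: input becomes part of the statement text -------------
def lookup_role_vulnerable(con, name: str) -> list:
    """String formatting lets the input change the statement's structure."""
    rows = con.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_role_safe(con, name: str) -> list:
    """A bound parameter is always data, whatever characters it contains."""
    rows = con.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def compare_lookups(name: str) -> dict:
    """Run both lookups on a fresh database and report what happened.
    A name with an apostrophe (o'brien) is enough to break the vulnerable
    query: the input altered the SQL, which is exactly the defect."""
    con = make_db()
    try:
        vulnerable = lookup_role_vulnerable(con, name)
    except sqlite3.OperationalError as exc:
        vulnerable = f"error: {exc}"
    return {"vulnerable": vulnerable, "safe": lookup_role_safe(con, name)}


# --- XSS: untrusted text placed into HTML without encoding -----------------
def render_greeting_vulnerable(name: str) -> str:
    return f"<p>Hello {name}</p>"


def render_greeting_safe(name: str) -> str:
    # html.escape encodes & < > and both quote characters, so the text
    # can never close the element or start a new one.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


# --- CSRF: state-changing POST accepted on the session cookie alone --------
def issue_csrf_token(session: dict) -> str:
    """Store an unguessable per-session token that the form must echo back."""
    token = secrets.token_hex(16)
    session["csrf"] = token
    return token


def form_post_vulnerable(session: dict, form: dict) -> bool:
    """Accepts any request the browser sends with the session cookie."""
    return True


def form_post_safe(session: dict, form: dict) -> bool:
    """Only a page served to this session knows the token; compare in constant time."""
    expected = session.get("csrf")
    supplied = form.get("csrf", "")
    return expected is not None and hmac.compare_digest(expected, supplied)
```

The SQL check deliberately uses a benign name with an apostrophe rather than an attack string: seeing the statement fail on ordinary input is enough to prove the input is being interpreted as SQL, which is the finding an audit reports.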

Page 7

State of the art attacks in IaaS

• People run tampered images
• Easy and instant access to many machines
• Auto-scaling: DoS attacks paid for by the customer
• Side-channel attacks
• Attacks based on a lack of entropy for random numbers
• Bugs in virtualization software
• Storage data of a terminated instance can be reconstructed
• Single key-pair for the EC2 API
• Poor audit logs for the EC2 API

Bottom line: Higher flexibility but bigger attack surface
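The first item on the slide, tampered images, is the one a customer can check for themselves before launch. The block below is an added example, not from the slides: it verifies an image's SHA-256 against a manifest that the image publisher has authenticated (HMAC-SHA256 with a publisher key here; a real deployment would use a public-key signature so the verifier holds no secret). The image identifier, the key and the image bytes are all constructed for the example.

```python
"""Added example (not from the slides): reject a tampered IaaS image, or a
tampered manifest, before launching an instance. The publisher key, image
id and image contents are constructed stand-ins."""
import hashlib
import hmac
import json

# Constructed: the publisher's manifest key (would live in a vault or HSM;
# a public-key signature is the better choice when verifiers are untrusted).
PUBLISHER_KEY = b"example-publisher-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(images: dict) -> bytes:
    """Canonical encoding so the MAC does not depend on dict order or whitespace."""
    return json.dumps(images, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(images: dict, key: bytes = PUBLISHER_KEY) -> dict:
    """images maps image id -> expected SHA-256 hex digest."""
    mac = hmac.new(key, _canonical(images), hashlib.sha256).hexdigest()
    return {"images": images, "mac": mac}


def verify_manifest(manifest: dict, key: bytes = PUBLISHER_KEY) -> bool:
    expected = hmac.new(key, _canonical(manifest["images"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def check_image(manifest: dict, image_id: str, image_bytes: bytes,
                key: bytes = PUBLISHER_KEY) -> str:
    """Returns 'ok', 'bad-manifest', 'unknown-image' or 'tampered-image'.
    The manifest is checked first: a digest from an unauthenticated list
    proves nothing, because an attacker who changed the image can change
    the digest next to it just as easily."""
    if not verify_manifest(manifest, key):
        return "bad-manifest"
    expected = manifest["images"].get(image_id)
    if expected is None:
        return "unknown-image"
    if not hmac.compare_digest(expected, sha256_hex(image_bytes)):
        return "tampered-image"
    return "ok"


# Constructed sample image (a stand-in for a multi-gigabyte disk image).
GOOD_IMAGE = b"base-os-image-contents-v1"
MANIFEST = sign_manifest({"image-example-base": sha256_hex(GOOD_IMAGE)})
```

In a launch pipeline this check runs on the image artifact before it is registered with the provider, and the result is written to the same audit log the slide complains is lacking, so that every running instance can be traced to a verified image.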

Page 8

Root Causes

• Outsourcing
• Virtualization
• Multi-tenancy
• Dynamic infrastructure

Page 9

Root cause 1 - Outsourcing

Challenges
• Responsibility lies with the data owner
• The line between data owner and data custodian must be drawn: need for clear contracts
• Service Level Agreements must match
• Physical access to the infrastructure
• Compliance

Bottom line:
• Least impact in traditional outsourcing businesses (for example payroll)
• Monitoring and audits are needed

Page 10

Root cause 2 - Virtualization

Challenges
• More complexity and a new attack surface
• Entropy needed
• Administration consoles have privileged access

Bottom line: We need to integrate virtualization updates in our vulnerability management systems

Page 11

Root cause 3 - Multi-tenancy

Challenges
• Side-channel attacks
• Eavesdropping
• Fairness in resource allocation / utilization
• Data remanence
• Compliance

Bottom line:
• Need for isolation (VPN, encryption and access control)
• Need for transparency
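Encryption with per-tenant keys addresses two of the items above at once: it isolates tenants sharing one physical volume, and it turns data remanence into a non-issue because destroying the key (crypto-shredding) leaves only unreadable ciphertext on the freed blocks. The block below is an added example, not from the slides. The keystream cipher (HMAC-SHA256 in counter mode) is an illustrative stand-in for AES-GCM so that the example needs only the standard library; it is not a production cipher, and the tenant names, block ids and data are constructed.

```python
"""Added example (not from the slides): per-tenant encryption on shared
storage, with crypto-shredding on termination. The HMAC counter-mode
keystream is illustrative only (use AES-GCM or a managed KMS in practice);
tenant ids, block ids and contents are constructed."""
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher: XOR data with HMAC(key, nonce || counter)."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TenantStore:
    """One shared 'volume' holding every tenant's blocks; keys are held apart
    from the volume (in practice: a KMS/HSM), never on the storage itself."""

    def __init__(self):
        self.volume = {}   # block id -> (owner, nonce, ciphertext)
        self.keys = {}     # tenant id -> data-encryption key

    def provision(self, tenant: str) -> None:
        self.keys[tenant] = secrets.token_bytes(32)

    def write(self, tenant: str, block_id: str, data: bytes) -> None:
        nonce = secrets.token_bytes(16)   # fresh per block; never reuse with a key
        ct = keystream_xor(self.keys[tenant], nonce, data)
        self.volume[block_id] = (tenant, nonce, ct)

    def can_read(self, tenant: str, block_id: str) -> bool:
        """Access control: the block must exist, belong to the tenant, and
        the tenant's key must still exist."""
        entry = self.volume.get(block_id)
        return entry is not None and entry[0] == tenant and tenant in self.keys

    def read(self, tenant: str, block_id: str) -> bytes:
        if not self.can_read(tenant, block_id):
            raise PermissionError(f"{tenant} may not read {block_id}")
        _, nonce, ct = self.volume[block_id]
        return keystream_xor(self.keys[tenant], nonce, ct)

    def terminate(self, tenant: str) -> None:
        """Crypto-shred: destroy the key. The ciphertext is deliberately left
        on the volume, as it would be on real storage until reallocated."""
        del self.keys[tenant]

    def residual_block(self, block_id: str) -> bytes:
        """What a later tenant would see if the block were handed out unwiped."""
        return self.volume[block_id][2]
```

The point of `residual_block` is the remanence check: after `terminate`, the bytes still on the volume are ciphertext under a key that no longer exists, so a co-tenant who later receives that block recovers nothing, whether or not the provider wipes it.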

Page 12

Root cause 4 - Dynamic Infrastructure

Challenges
• Automation is mandatory; allocation algorithms should be transparent
• Auto-scaling may cost you money (DoS)
• VM sprawl
• Compliance

Bottom line: Control is needed (discovery and logs)
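Two of the controls the slide asks for can be written down as plain policy code: a scale-out governor that caps instance count and hourly spend, so a traffic flood cannot run up the bill without bound, and a discovery pass that reconciles what the provider reports as running against the inventory, flagging VM sprawl. The block below is an added example, not from the slides; the policy numbers, instance ids and tags are constructed.

```python
"""Added example (not from the slides): a scale-out governor and a sprawl
discovery pass. Policy values, instance ids and owner tags are constructed."""
from dataclasses import dataclass


@dataclass
class ScalePolicy:
    max_instances: int     # hard cap on instances in the group
    hourly_rate: float     # cost per instance-hour
    hourly_budget: float   # spend ceiling for the group per hour


def decide_scale_out(running: int, wanted: int, policy: ScalePolicy) -> tuple:
    """Return (instances to add, log lines). Both caps are applied and every
    reduction is logged, so a DoS that triggers scaling shows up as a run of
    'cap' entries rather than as a surprise on the invoice."""
    log = []
    allowed = wanted
    cap_by_count = policy.max_instances - running
    cap_by_budget = int(policy.hourly_budget // policy.hourly_rate) - running
    if allowed > cap_by_count:
        log.append(f"instance cap: wanted {wanted}, allowed {max(cap_by_count, 0)}")
        allowed = cap_by_count
    if allowed > cap_by_budget:
        log.append(f"budget cap: wanted {wanted}, allowed {max(cap_by_budget, 0)}")
        allowed = cap_by_budget
    return max(allowed, 0), log


def reconcile(provider_instances: dict, inventory: dict) -> dict:
    """provider_instances: instance id -> owner tag (None if untagged), as
    listed by the provider's API. inventory: instance id -> owner, as the
    organisation believes it to be. Differences are the sprawl report."""
    running = set(provider_instances)
    tracked = set(inventory)
    return {
        "sprawl": sorted(running - tracked),                               # running, nobody tracks it
        "untagged": sorted(i for i in running if not provider_instances[i]),  # no owner to ask
        "missing": sorted(tracked - running),                              # tracked, not running
    }


# Constructed sample: what the provider reports vs what the CMDB says.
PROVIDER = {"i-example-1": "web", "i-example-2": None, "i-example-3": "db"}
INVENTORY = {"i-example-1": "web", "i-example-3": "db", "i-example-4": "cache"}
```

Run `reconcile` on a schedule against the provider's instance listing; an instance that appears in `sprawl` or `untagged` for two consecutive runs is the usual trigger for a ticket to its (unknown) owner or for termination.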

Page 13

Security challenges

• Trust establishment in a dynamic way (brokers?)
• Transparency / visibility
• Isolation between environments
• Security automation and monitoring
• Compliance

Page 14

Conclusion

• New challenges
• Security depends on the delivery model (SPI)
• Security depends on the deployment model
  o Public presents more challenges to cope with
  o Enhancements from public providers needed

Page 15

Resources

• Cloud Security Alliance
• OWASP
• Blog: elastic-security.com
• ENISA risk management study
• NIST definitions
• "Cloud Security and Privacy" by Mather, Kumaraswamy and Latif

Page 16

Questions?

Sergio Loureiro

elastic-security.com