Presentation, March 2013, by Mike Chung (KPMG) about cloud assurance
Cloud Assurance Challenges, Developments and Practices
March 2013, Utrecht
drs. Mike Chung RE
Part 1
• Understanding the context of cloud computing from an
assurance point of view
• Addressing the perceived and real risks cloud computing
• Sharing good practices and control frameworks
• Any other expectations?
Objectives
Context
• We are re-imagining every part of our software empire to run
on and through the cloud
Steve Ballmer
• Cloud Computing is going to be one of the things that enables
Hewlett Packard to recover its leadership role in the ICT
industry
Meg Whitman
‘Tectonic plate shifts in the industry’
• Gmail
• Dropbox
Volume and magnitude
• Gmail: 450 million users on more than 150,000 machines
• Dropbox: 100 million users; services worth 5 billion EUR
• Facebook: 1 billion users; 3 billion EUR turnover
Volume and magnitude
• Salesforce.com: 2012 turnover approaching 1.7 billion EUR
• Amazon EC2: 30% of profit from cloud services
• Office 365: Lowe, Shell, Nutreco, American Red Cross
• Google Apps: 66 of 100 largest universities in the US are
using Google Apps
Cloud as enterprise solution
• Zero
• One
• Infinity
• 1 to N
Mnemonic
• Virtualisation
• Web services
• Broadband internet
• Big data centres
• Services
Drivers to the cloud
Cloud market evolution
2009 - 2010
• Non-business critical • Commodity • Limited integration
• Storage • CRM • Additional computing power
• SME • Telcos • Universities
2011 - 2012
• Replacement of legacy • Flexibility • Moderate-level integration
• Datacentre • ‘Office’ • PaaS • HR
• Traditional production • Retail • Entertainment & media
2013 - 2014
• Business critical • Strategic • High-level integration
• Cloud sourcing • Corporate mobile apps • ERP
• Government • Financial services • Healthcare
• Google launches new IaaS: Google Compute Engine
• Google Apps for small businesses no longer free
• Oracle increases its presence in the cloud market (Oracle
HCM)
• Major CSPs lower their prices up to 30%
• Cisco acquires Meraki (mobile device mgmt from the cloud)
• OpenStack foundation includes IBM, Dell, Cisco, HP
• PCI guidelines for the cloud
Recent developments
Profile of the cloud
Cloud computing vendors told me that my data at their
locations was just as safe as my money in the bank. Since
the credit crunch we all know how reliable the banks are.
CISO of a firm in the public services sector
Key differences
On-premise: internal data processing and storage; dedicated IT environment; LAN, leased lines
Cloud: external data processing and storage; multi-tenancy; (public) internet
On-premise versus cloud
Diagram (on-premise, cloud, reality): on-premise – enterprise IT serving the business user; cloud – external IT serving the business user; reality – enterprise IT and external IT together serving business users and mobile users
• Key attribute/principle of cloud computing
• Single instance of software (single code-base on a common
infrastructure) serving multiple clients
• Different from virtualisation, yet using virtualisation
• Per tenant metadata
• Standardised instances and releases
Multi-tenancy
• Network of several millions of networks
• Based on TCP/IP protocol suite
• ICANN: IP addresses and DNS
• IETF: TCP/IP, standards
• Different layers: application, transport, internet, link
• Internet exchanges: AMS-IX, DE-CIX
• Heterogeneous
Internet
Diagram: traffic between the customer’s own network and the CSP’s network crosses the internet providers’ network, ‘random’ networks on the internet and the internet providers’ network again
• Security risks
• Privacy/legal risks
• Operational risks
• Financial risks
• Vendor risks
• Assurance risks
Assignment
• Risk = probability * impact
Risk
• Per risk category
• Per dimension
• Threat/vulnerability-driven
Approach
Cloud computing risks: security
• Data may be stored in cloud without proper customer segregation allowing
possible accidental or malicious disclosure to third parties
• Loss of governance of critical areas, e.g., vulnerability management,
infrastructure hardening, or physical security
• Weak logical access controls due to cloud vendor’s IAM immaturity
• Cloud adoption opens the four Data Center walls to external IT Services
providers, creating new risks
Cloud computing risks: privacy/legal
• Data may be stored in cloud in a legal jurisdiction where the rights of data
subject are not protected
• Outdated laws and regulations create uncertainty when characterizing the
various cloud transactions
Cloud computing risks: operational
• Cloud adoption introduces rapid change in the organisation
• Cloud sourcing may impact existing organisational roles and could require
new skills or make others redundant
• Business resiliency/disaster recovery needs and plans will change and
require updating
• Risk of creating independent silos of information that perpetuate the problems of
data integrity, quality, and insight
• Business can bypass the IT function to implement technology solutions,
posing challenges for IT governance
Cloud computing risks: financial
• Movement from CapEx to OpEx model impacts existing budgeting,
forecasting, and reporting processes
• CapEx to OpEx model and changes in the character and source of service
impacts tax considerations
• Cloud ROI and cost/benefit analysis are complicated by need for knowledge
of existing cost of delivery and future use of service
Cloud computing risks: vendor
• Lack of clarity of ownership responsibilities between cloud vendor and user
company
• No prevalent standards for vendor interoperability
• Extensive reliance on CSPs
• Cloud delivery models dramatically change how IT delivers technology
services to support business requirements
Cloud computing risks: assurance
• Lack of visibility into the Cloud Service Providers’ (CSPs’) operations inhibits
analysis of their compliance with pertinent laws and regulations
• Complexity of records management/records retention creates challenges
• Lack of industry standards and certifications for cloud providers creates
risks
Risk dimensions: external IT operations
• Inadequate and/or insufficient data security measures at provider’s
location(s) compromising data integrity and confidentiality
• Issues with retracting data after termination of service
• Discontinuation of business critical services due to failing disaster recovery
at cloud service provider
• Unclearly defined SLAs leading to unsatisfactory services
• Compliance issues due to lack of assurance concerning the physical location
of data
• Location of data in different jurisdictions conflicting with local legislations
applicable to the customer
Risk dimensions: multi-tenancy
• Inadequate data segregation and process isolation leading to data
contamination and/or breach of confidentiality
• Inadequate Identity & Access controls causing illegitimate access to sensitive
data such as intellectual property
• Restricted/limited services due to insufficient allocation of resources and/or
capacity
• Standardized functionalities not meeting business requirements
• Complexity to ensure compliance due to ‘black box’ nature of shared
resources (monitoring & logging)
Risk dimensions: (public) internet
• Unencrypted data getting lost or stolen in transfer
• Clogged parts of the network causing unavailability of data
• Dependency on internet access and availability for all cloud services
• Uncontrolled access from unsecured/malware-infected client devices
affecting services
• Public internet is exceptionally hard to audit and to monitor
• Accountability and responsibilities on internet traffic are difficult to assign
and even more difficult to enforce
• Lack of possibilities to influence technology on the internet
• Governments can shut down parts of the internet (Egypt, China)
• Thousands of customers lost their data in the cloud due to the ‘Sidekick
disaster’ of Microsoft/T-Mobile (2009)
• Botnet incident at Amazon EC2 infected customer’s computers and
compromised their privacy (2009)
• Gmail was unavailable for several hours due to unspecified reasons (2010)
• Hyves was unavailable for an hour due to UPS failure at Evoswitch (2010)
• Linkup lost half of its customer data (2010)
• GoGrid’s network problems had major impact on service availability (2011)
• Salesforce.com was partly unavailable for 30 minutes (2011)
Incidents in the cloud: overview
• November/December 2010 – publicised during January 2010
• Vulnerabilities in IE, Adobe software exploited to get access
to Gmail accounts
• ‘Elderwood’ (Chinese government?) – Operation Aurora
• A number of Gmail accounts hacked
• Vulnerabilities fixed
Incidents in the cloud: Google
• December 2010
• WikiLeaks ‘kicked out’ by Amazon
• Cablegate data protected from DDOS attacks
• Pressure from Homeland Security
• Back to Bahnhof (Sweden)
• Data safely transferred
Incidents in the cloud: Amazon EC2
• April 2011 – users notified 7 days later
• Unpatched servers as entry point – database exploited via
SQL injection – passwords not hashed
• Anonymous or disgruntled former employee(s)?
• Exposed personal information of 77 million Playstation
network users – over 5 million USD direct damage
• Security technology updated, servers patched, increased
levels of encryption
Incidents in the cloud: Sony Playstation
• December 2012
• Maintenance error by developers in production environment
• Configuration error in access control system
• Elastic Load Balancing Service affected for US-East region
for almost 24 hours – performance degradation
• No permanent loss or corruption of data
• Amazon updated their procedures and access settings
Incidents in the cloud: Amazon WS
• December 2012
• Software bug
• Human error: node protection not turned on
• Failure of monitoring, alerts and escalation
• No failover in place
• 1.8% of Azure storage accounts impacted for 32 hours
• No permanent loss of data
Incidents in the cloud: Windows Azure I
• February 2013 – users notified 4 days later
• Evernote detected breaches in their infrastructure
themselves and suspicious activities on their network
• Suspects unknown
• 50 million password changes requested
• No evidence user content was accessed, changed or lost
• Two-factor authentication will be implemented (status Mar
2013)
Incidents in the cloud: Evernote
• February 2013
• Certificates for SSL expired
• Untimely renewal of certificates due to human error
• Failure of monitoring and alerts
• Azure Storage Blobs, Tables and Queues using HTTPS
impacted for 12 hours – worldwide
• No permanent loss of data
Incidents in the cloud: Windows Azure II
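The Azure II slide above attributes the outage to expired SSL certificates that no monitor flagged. The check below is an added example (not code from the presentation or from Microsoft) of the alerting step that was missing: it takes certificates in the dict shape returned by Python’s `ssl` module, computes the remaining lifetime and escalates by threshold. The hostnames, dates, thresholds and the fixed “now” are constructed for the demonstration; `fetch_peer_cert` shows how a live inventory would be collected but is not called offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample inventory (not from the presentation): the dict shape that
# ssl.SSLSocket.getpeercert() returns, reduced to the fields this check needs.
# Hostnames are placeholders.
SAMPLE_CERTS = {
    "blob.storage.example.invalid":  {"notAfter": "Feb 22 23:59:59 2013 GMT"},
    "table.storage.example.invalid": {"notAfter": "Mar 15 23:59:59 2013 GMT"},
    "queue.storage.example.invalid": {"notAfter": "Jun 30 23:59:59 2013 GMT"},
}
# Fixed clock so the run is reproducible; a live check uses datetime.now(timezone.utc)
EXAMPLE_NOW = datetime(2013, 2, 23, 1, 0, tzinfo=timezone.utc)


def fetch_peer_cert(host, port=443):
    """Collect the served certificate for one host (network access required)."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host) as s:
        return s.getpeercert()


def days_until_expiry(cert, now):
    """Fractional days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def expiry_status(cert, now, warn_days=30, critical_days=7):
    """Map remaining lifetime to an alert level; the thresholds are assumptions."""
    days = days_until_expiry(cert, now)
    if days <= 0:
        return "EXPIRED"
    if days <= critical_days:
        return "CRITICAL"
    if days <= warn_days:
        return "WARNING"
    return "OK"


def check_inventory(certs, now, **thresholds):
    """Return (host, status, days_left) for every certificate, soonest expiry first."""
    rows = [(host, expiry_status(c, now, **thresholds), days_until_expiry(c, now))
            for host, c in certs.items()]
    return sorted(rows, key=lambda r: r[2])


def alerts(report):
    """Everything that is not OK; this is the list that must reach an on-call person."""
    return [(host, status) for host, status, _ in report if status != "OK"]


if __name__ == "__main__":
    for host, status, days in check_inventory(SAMPLE_CERTS, EXAMPLE_NOW):
        print(f"{status:8} {days:7.1f} days  {host}")
```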
• February 2013
• Information on root cause as well as suspects not disclosed
by Zendesk
• Limited number of user data accessed by hackers
• Procedures improved and vulnerable systems patched
Incidents in the cloud: Zendesk
• Low number of incidents compared with on-premises IT
• Far better execution of security measures and architecture
• Security as key factor for cloud service providers
• Incidents are high impact and magnitude events
• Blurring demarcation of responsibilities between cloud
service providers, network providers and customers
• Importance of browsers
Incidents into perspective
• 10% of laptops with locally stored data get stolen every year
• 99% of data is unencrypted
• 50% of business critical company data is unencrypted
• Almost all big CSPs are ISO27001 certified – only 15% of
enterprises are able to match that
Also notice that...
Cloud versus on-premise
Source: AlertLogic
• FUD
• Security: cloud is far less secure than on-premise IT
• Privacy: everybody can access my data
• Maturity: cloud is for kids only
• Practice
• Integration: cloud-on-premise integration is complex and often
incompatible
• Performance: cloud services obey the laws of physics too
• Vendor lock-in: (open) standards are emerging, but it is a long road ahead
FUD and practice
• (Distributed) Denial of Service leading to obstruction of
communication
• Flood services: resource consumption, disruption of
configuration (e-mail bombs)
• Crash services: triggering errors in components
• Twitter, August 2009
• Better firewall/switch/router configuration; application front-end
(data packet analysis)
DDOS
• SQL statements smuggled in via the input data
• Meta characters in the input break out of the data value and are
interpreted as part of the SQL command (control plane)
• SQL databases behind websites are common
• Sony PlayStation
• Input/output validation; static code analysis
SQL injection
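The SQL injection slide and the Sony PlayStation incident above (query exploited via input data, passwords not hashed) both come down to the same two coding decisions. The block below is an added example, not code from the presentation or from Sony: a login built the weak way (query text assembled from the request, clear-text passwords) beside the hardened form (parameterised query, salted PBKDF2 hash compared in constant time). The user store, user name and password are constructed for the demonstration; an in-memory SQLite database keeps it runnable offline.

```python
import hashlib
import hmac
import os
import sqlite3


def build_legacy_db():
    """Constructed sample: clear-text passwords, the store the vulnerable login needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, name, password):
    # User input is pasted into the statement text, so a quote character in the
    # input moves from the data plane into the SQL control plane and reshapes
    # the WHERE clause; any row match is accepted as a login.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{password}'"
    return conn.execute(sql).fetchone() is not None


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256: a leaked table no longer yields usable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def build_hardened_db():
    """Constructed sample: per-user salt and hash, no clear-text password stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("correct horse", salt)))
    return conn


def login_hardened(conn, name, password):
    # Parameterised query: the driver passes the value separately from the
    # statement, so input is only ever compared as data. The password check
    # happens in the application with a constant-time comparison of hashes.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    crafted = "x' OR '1'='1"   # the classic meta-character input from the slide
    print("vulnerable, crafted input:", login_vulnerable(build_legacy_db(), "alice", crafted))
    print("hardened,   crafted input:", login_hardened(build_hardened_db(), "alice", crafted))
```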
• Exploiting vulnerabilities in hypervisors (VM separations)
• Hack VM A to attack VM B via VM A
• Some minor cases on AWS
• Segmentation, VM hardening
Guest-hopping
• Taking control of the hypervisor
• Directly obtaining control or running a rogue hypervisor
• Theoretical scenario, but potentially extremely damaging
• Cyclic redundancy check (CRC) – state value assigned by the
underlying hardware
Hyper-jacking
• Independent connections with the victims and relaying
messages between them
• Session hijacking; hostname lookup; web proxy
• Several internet banking applications
• Strong mutual authentication, latency examination, second
(secure) channel verification
Man-in-the-middle
• Stealing legitimate user’s session ID
• Often session IDs as cookies, form field or URL
• Not often with public cloud services
Session replay
• Sniffing networks; capturing network packets
• Easy when hubs are used
• Not often with public cloud services
• Encryption, network segmentation, network access
Eavesdropping
• Like guest-hopping – extracting information from the target
VM from the ‘rogue’ VM
• Amazon EC2, 2009 (Case study by MIT)
• Virtual firewall appliance
Side-channel
• IP, DNS, ARP spoofing attacks
• IP spoofing often used for DDOS; DNS spoofing often used to
spread viruses
• Vulnerable with trusts/federations
• Packet filtering, spoofing detection software, secure
communication protocols (HTTPS, SSH, TLS)
Spoofing
• US Army is investing heavily in three areas: Special Forces,
drones and cyber security
• Physical systems can be attacked from cyberspace (Stuxnet)
• Transparency on cyber incidents and unintended
consequences (widespread vulnerabilities)
• The good guys are being outspent
• Predominance of two mobile systems (iOS and Android)
• Secure or prepare?
Cybercrime
• Organised cybercrime
• Online espionage
• Hacktivism
• State-backed cyber attacks
• Internal computer fraud
Cybercrime types
• Lack of information and obscurity (suspects, alliances,
developments)
• Much more professional (phishing e-mails, sophisticated
attacks)
• Non-technical and technical (harvesting of social data for
targeted attacks)
• Jurisdictional barriers
Cybercrime challenges
• Cloud as partner in crime (botnets on Amazon)
• Collateral damage of attacks (attacks are being copied,
refined and used again: Stuxnet, FinFisher)
Cybercrime challenges
• Ecosystem and architecture
• Technology
• Frameworks and standards
• ‘Right-to-audit’
• IT auditors
Challenges
Sliding scale (from on-premise IT via SSC, hosting and outsourcing to cloud computing)
• Data processing and storage: on-premise to off-premise
• Resource use: single-tenant to multi-tenant
• Primary network infrastructure: LAN to (public) internet
Layers of services (diagram, top to bottom): business software, middleware, OS, HW + network, facilities; IT management alongside the stack; the service models IaaS, PaaS and SaaS each cover successively more of these layers
Cloud ecosystem: enablers to integrators
• Cloud enablers – value added: provide the technology, infrastructure, platforms and middleware to enable provision of cloud services
• Cloud service vendors – value added: provide the actual cloud services, spanning SaaS, PaaS and IaaS, to customers
• Cloud service integrators – value added: provide cloud focused technology services such as system integration, cloud migration and maintenance
• Examples across the three groups: H/W and S/W vendors, IT & services players (HW & SW vendors / IT distributors), pure cloud players (e-commerce, internet giants, hosting companies), telcos, integrators
Cloud ecosystem: niches and providers
Diagram of different niches and service providers: hardware, operating system, virtualization software, application development platform and applications (bottom to top), grouped as infrastructure, platform and software; system integrators
• Increasing number of third party providers
• Service providers
• Co-operators and partners
• Aggregators and brokers
• Examples:
• Twitter, DropBox and many mobile apps on Amazon
• Salesforce on Equinix
• Cloud services via Capgemini
Third party providers
• Acquisitions
• Google acquires Writely
• Salesforce acquires Heroku
• Wolters Kluwer acquires Twinfield
• Bankruptcy (Cassatt)
• Change of Strategy (Iron Mountain, Google Wave, Google
Notebook)
Dynamic market place
• Essential element of cloud computing
• VMware (market leader: VM Server, vSphere), MS Hyper-V,
Citrix Xen
• Already on mainframes since 1960s
Virtualisation 1/3
Diagram: a single OS on the hardware, versus a virtualisation layer (directly on the hardware or on a host OS) carrying several OS instances on one machine
Virtualisation 2/3
• Resource virtualisation layer (large shared storage, large shared database, shared network): this software layer provides many virtual resources but in itself also consists of many components, potentially spread around the world or for example obtained from other cloud vendors
• Virtualization layer: this software layer provides many virtual servers or software services but in itself also runs on an intelligent balanced pool of real (physical) servers, utilising the virtualised resources
• More systems ‘virtually’ on one physical machine
• Managed via the Hypervisor
Virtualisation 3/3
• Single point of failure
• Performance degradation (HW, network)
• Licence conditions
• Some applications’ performance degrades significantly
• Insecure deployment and configuration of VMs
• No firewall between VMs (VM-to-VM undetected by network
protection mechanisms)
Virtualisation risks
• Desktop virtualisation (e.g. via Citrix and Hyper-V): Shell GID
• Storage virtualisation
• Application virtualisation for legacy apps: de-coupling of OS
and HW – not always possible
Other types of virtualisation
• Based on access from external/third parties, not on access to
cloud services
• Based on management of internally stored data (eventually
managed by externals), not on externally stored data
• Irrelevant and insufficient
Off-premise nature
• Marginal attention on (technical) architecture
• Multi-tenancy virtually unobserved/unexposed
• Mere focus on segregation of duties, facilities and networks
Multi-tenancy
• Financial and legal issues (accountability, ownership) outside
the domain of IT audits
• Exceptionally difficult to audit
• Only few existing principles and practices for e-mail usage
and internet security applicable
(Public) internet
• Given the position of cloud computing, the future mode will be
a hybrid environment
• At large corporations, this hybrid environment will consist of
on-premise IT, outsourced parts, parts on hosting providers,
and parts in the cloud
• The key risk resides in the organization’s inability to
orchestrate the new paradigm of automation
Hybrid environment
• Define scope of services
• Define scope of CSP and other (third) party providers
• Identify components (physical, network, HW, SW, services)
• Agree demarcation of responsibilities/accountabilities
Practices: cloud ecosystem
Conceptual architecture of the cloud
Customer organisation
Cloud service provider
Third party (cloud) provider Data centre
Mobile use Online identities
Network
• Identify data
• Assign ownership
• Classify data (value, legal, sensitivity, importance)
• Devise and implement procedures for data processing
Practices: data classification
• http://www.youtube.com/watch?v=ZwLJ4x7rhzU
• http://www.economist.com/topics/cloud-computing
• http://ec.europa.eu/information_society/activities/cloudcomputing/docs/com/com_cloud.pdf
• http://www.alertlogic.com/wp-content/uploads/alert-logic-fall2012-cloud-security-DIGITAL.pdf
• http://www.dataliberation.org
Links
• 06 – 1455 9916
• Laan van Langerhuize 1, KPMG Amstelveen
• Follow me on Twitter @MikeChung_KPMG
Contact