
Frans van Leuven - The security aspects of Cloud Services


Page 1: Frans van Leuven - The security aspects of Cloud Services

Atos, Atos and fish symbol, Atos Origin and fish symbol, Atos Consulting, and the fish itself are registered trademarks of Atos Origin SA. August 2006

© 2006 Atos Origin. Confidential information owned by Atos Origin, to be used by the recipient only. This document or any part of it may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos Origin.

Cloud Computing and Security

Frans van Leuven

Storage Expo: 03-10-2010

Not a trivial aspect

Page 2: Frans van Leuven - The security aspects of Cloud Services

Cloud Computing and Security Risks

Intro

What is cloud computing?

» Working Cloud Definitions

» What’s new

Risk Assessments

» Change of roles

» Methods

Cloud related Security Issues & Risks

» Cloud Security Risk Assessment, and Risk Management Methodologies

» Threat Vector

» Identity Management (IAAA)

» Federated Identity Management

» The need for Data Classification

Cloud Computing and Security Risks – Slide 2

Page 3: Frans van Leuven - The security aspects of Cloud Services

Short Intro

Atos Origin

Page 4: Frans van Leuven - The security aspects of Cloud Services

Atos Origin in a nutshell – Company Profile

[Chart residue: three pie charts of Atos Origin revenue. By service line: Consulting 8%, Systems Integration 42% (*), Managed Operations 50%; (*) of which 16% recurring activities in Application Management. By market: Utilities & Public Sector, Retail, Telecoms & Media, Financial Services, Manufacturing, Others (incl. Transport). By geography: France 31%, Benelux 21%, UK 19%, Germany & CE 11%, Spain 6%, Italy 5%, Americas 4%, AP 3%.]

Page 5: Frans van Leuven - The security aspects of Cloud Services

What is cloud computing?

Page 6: Frans van Leuven - The security aspects of Cloud Services

Working Definitions

Cloud is not a new technology but rather a new delivery model

Definition 1: NIST

“Cloud describes the use of a collection of services, applications, information, and infrastructure comprised of pools of compute, network, information, and storage resources. These components can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down; providing for an on-demand utility-like model of allocation and consumption”

Definition 2: Gartner

The set of disciplines, technologies, and business models used to deliver IT capabilities (software, platforms, hardware) as an on-demand, scalable, elastic service

Definition 3: Atos Origin

» Cloud as a general concept, sometimes described as Cloud Culture, encompasses all sorts of recent business and social phenomena, many of which are triggered and enabled by the advent of the internet, the World Wide Web and pervasive computing

Page 7: Frans van Leuven - The security aspects of Cloud Services

NIST Visual Model of Cloud Computing Definition


Source: NIST

Page 8: Frans van Leuven - The security aspects of Cloud Services

Cloud Deployment Models

Various deployment models exist

– Public • Available to the general public or a large industry group and is owned by an organization selling cloud services

– Private • Operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises

– Community (Partner) • Cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations), for example the health care industry

– Hybrid • Any combination of the above, with components or functionality closing the model boundaries (e.g. a private cloud for order processing with a public cloud for product catalogue presentation)

Page 9: Frans van Leuven - The security aspects of Cloud Services

Cloud Essential and common Characteristics

» Five essential characteristics:

» On-demand self-service - A consumer can self-provision computing automatically

» Broad network access - Available over the network, accessed by any client

» Resource pooling - Resources are pooled to serve multiple consumers

» Rapid elasticity - Resources and their capabilities can be rapidly made available and decommissioned after usage

» Measured service - Cloud systems automatically control and optimize resource usage by measuring use – monitor, control and report in a transparent manner

» Not essential NIST characteristics but important ones from a supplier perspective: Virtualization, Multi-tenancy

Page 10: Frans van Leuven - The security aspects of Cloud Services

What is needed to run an application today! How is this model affected by cloud?

[Diagram: single data center application chain – WAN and Internet, IPS, FW, L3-R, L2-S, LB / ADC, SAN-S, SAN-D, with links to all other NL DC’s / other data center(s).]

» Traditional Services

- Technology silos inclusive tooling

- Optimized / standardized per silo

» Cloud Services

- Optimized per application type

- Dedicated chains are not uncommon

Page 11: Frans van Leuven - The security aspects of Cloud Services

Cloud Security Issues

&

Risk Assessments

Page 12: Frans van Leuven - The security aspects of Cloud Services

Risk Assessment Definition of terms

» Risk - a risk is a possible event which could cause a loss

» Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization (NIST)

» “The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization” (ISO 27005)

» Threat - a threat is a method of triggering a risk event that is dangerous

» Vulnerability - a weakness in a target that can potentially be exploited by a threat

» Exploit - a vulnerability that has been triggered by a threat

» Countermeasure - a countermeasure is a way to stop a threat from triggering a risk event

» Assurance - assurance is the level of guarantee that a security system will behave as expected

Page 13: Frans van Leuven - The security aspects of Cloud Services

Cloud Services Risk Assessments

» The boundary of responsibility shifts with the stack

» SaaS

- Provider is responsible for the whole cloud service stack

- Customer is both liable and accountable for the changes in the software interfaces and functionality

» PaaS

- Provider is responsible for the underlying infrastructure and the platform APIs for the PaaS offering

- Customer assumes the risk for all the software developments that occur

- Customer retains accountability and is liable for the output of developments

» IaaS

- Provider is responsible for the underlying infrastructure

- Customer is liable and accountable for the platform and software infrastructure

- Customer assumes most of the cloud risks: management of operating systems, applications and content

» Essential characteristics of cloud computing require a replacement, redesign or reorientation of perimeter security

Page 14: Frans van Leuven - The security aspects of Cloud Services

Cloud Risks Assessment and Management

» Next we will see that moving into cloud services entails:

- Reorienting our security postures

- Assessing cloud security risks and threats

- Mitigating them by:

- Transferring risk to the provider but retaining accountability

- Implementing or putting in place mitigating controls by applying countermeasures yourself

» Businesses may not adopt cloud services despite the benefits that they can realize due to:

- Lack of trust that cloud providers will meet their security needs

- Lack of trust that cloud service providers are ready to assume the risks that enterprises would encounter in the cloud

- Provider lock-in through proprietary standards

- Standards not mature enough to mitigate issues of data portability

- Lack of uniform cloud standards in respective regulatory domains

Page 15: Frans van Leuven - The security aspects of Cloud Services

Risk Assessments – A far from trivial job when deploying cloud

» Threat Assessment

- Identify the threats

- Analyze and evaluate these threats

- Determine the vulnerabilities related to each threat

- The likelihood of happening

- Understand and measure the impact of the risk involved

- Decide on the appropriate measures and controls to manage them

» Determine the probability of a future adverse event occurrence (likelihood)

» Determine the impact/magnitude to the business and the commensurate response

- Analyze threats and scrutinize potential vulnerabilities

- The controls in place to reduce or mitigate the impact

- Impact here refers to the magnitude of harm that could be caused by a threat source exploiting the vulnerability

- Impact in turn is directly proportional to the business impact

Page 16: Frans van Leuven - The security aspects of Cloud Services

Risk Assessment Methodologies

» Several industry IT risk management standards and methodologies exist, with varying efficacy

» Some have tools to automate the risk scoring methods

» Can be quantitative (subjective), relying on the collective knowledge within the organization; output indicates degrees: High, Medium, Low

» Can be qualitative, relying on a large data set that is then taken through an algorithm that provides a criticality score (numerical minimum - maximum ranges)

» Some well-known examples:

» NIST 800-30 (superseded by 800-53a)

» ISO 27005

» Information Risk Analysis Methodology (IRAM)

» ISACA - RISK IT
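The two slides above describe the assessment steps (threats, vulnerabilities, likelihood, impact, controls in place) and the two output styles (a High/Medium/Low degree versus a numeric criticality range). The following is an added worked example, not part of the deck: it scores a small threat register with the likelihood and impact weights of the original NIST SP 800-30 risk-level matrix, reports both the level and a numeric criticality, and shows inherent versus residual risk once the controls in place are accounted for. The threats, their levels and the `control_effectiveness` values are constructed sample input.

```python
"""Risk register scoring: level-based (High/Medium/Low) rating and a numeric
criticality score, with inherent vs. residual risk.

Added example; the threat register below is constructed sample input.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Weights from the risk-level matrix in the original NIST SP 800-30 (2002):
# likelihood 0.1 / 0.5 / 1.0, impact 10 / 50 / 100, risk = likelihood x impact.
LIKELIHOOD_WEIGHT = {Level.LOW: 0.1, Level.MEDIUM: 0.5, Level.HIGH: 1.0}
IMPACT_WEIGHT = {Level.LOW: 10, Level.MEDIUM: 50, Level.HIGH: 100}


@dataclass(frozen=True)
class Threat:
    name: str                  # threat source / adverse event
    vulnerability: str         # weakness the threat source would exercise
    likelihood: Level          # probability of the adverse event occurring
    impact: Level              # magnitude of harm to the business
    control_effectiveness: float = 0.0  # 0..1: share of likelihood removed by controls in place


def risk_score(threat: Threat, residual: bool = False) -> float:
    """Likelihood x impact on the 1..100 scale; residual applies the controls in place."""
    likelihood = LIKELIHOOD_WEIGHT[threat.likelihood]
    if residual:
        likelihood *= 1.0 - threat.control_effectiveness
    return likelihood * IMPACT_WEIGHT[threat.impact]


def risk_level(score: float) -> Level:
    """NIST SP 800-30 risk scale: >50 High, >10 to 50 Medium, 1 to 10 Low."""
    if score > 50:
        return Level.HIGH
    if score > 10:
        return Level.MEDIUM
    return Level.LOW


def criticality(score: float, minimum: float = 1.0, maximum: float = 100.0) -> int:
    """Numeric output style: normalise the score onto a 0..100 criticality range."""
    clamped = min(max(score, minimum), maximum)
    return round((clamped - minimum) / (maximum - minimum) * 100)


def assess(register: list[Threat]) -> list[dict]:
    """Rate every threat, then rank by residual risk so the items that still
    need countermeasures or risk transfer to the provider come first."""
    rows = []
    for t in register:
        inherent = risk_score(t)
        residual = risk_score(t, residual=True)
        rows.append({
            "threat": t.name,
            "vulnerability": t.vulnerability,
            "inherent": risk_level(inherent).name,
            "residual": risk_level(residual).name,
            "criticality": criticality(residual),
        })
    rows.sort(key=lambda r: r["criticality"], reverse=True)
    return rows


# Constructed sample register, drawn from the cloud-specific threats the deck lists.
SAMPLE_REGISTER = [
    Threat("Internet outage / DDoS on provider uplink", "single Internet path to the service",
           Level.MEDIUM, Level.HIGH),
    Threat("Session hijacking over stateless HTTP", "session tokens without binding/expiry",
           Level.HIGH, Level.MEDIUM, control_effectiveness=0.8),
    Threat("Data remanence after deletion", "no ILM wipe guarantee from provider",
           Level.LOW, Level.HIGH),
    Threat("Multi-tenant isolation failure", "shared hypervisor, weak tenant separation",
           Level.MEDIUM, Level.HIGH, control_effectiveness=0.5),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['criticality']:>3}  {row['inherent']:<6} -> {row['residual']:<6}  {row['threat']}")
```

The ranking makes the slide's point about controls: session hijacking is a Medium risk before countermeasures and drops to Low once an effective control is credited, while the uplink outage keeps its Medium rating because no control reduces its likelihood, so it is the candidate for transfer to the provider through the contract.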

Page 17: Frans van Leuven - The security aspects of Cloud Services

Cloud Security Issues

and

What is New and what to Do

Page 18: Frans van Leuven - The security aspects of Cloud Services

Specific Risks Related to the Cloud

» Examine the risk factors changed by using cloud infrastructure replacing the traditional infrastructure

» Customer perspective – All current risks remain, new ones are added

- Breach of confidence, reputation, competitive advantage, legal/regulatory

- Loss of control - governance

» Cloud Service Provider perspective – Will try to limit liability as much as possible

- Exploits with cloud services have a considerably larger impact as they affect all customers concurrently

» SLAs and contracts only cover some types of cloud related risks

» They typically cover risks with high likelihood and low impact

» Often liability is limited to the contract value or even the duration of the outage

» Match enterprise risk analysis findings with the vendor offering – discuss your risk concerns within the contract – evaluate the cloud services offering against established controls/mitigation

Page 19: Frans van Leuven - The security aspects of Cloud Services

Specific New Risks Related to the Cloud

Essential characteristics and cloud impeding conditions.

» Internet-centric communication for most or all communication instances

- Some dependencies may be well hidden

- Major outages on the Internet will have a disastrous impact (DDoS etc.)

- Insufficient network controls – ubiquitous (omnipresent) network availability

- Network quality is much harder to monitor and predict

» Virtualization and multi-tenancy have new weaknesses resulting in potential exploits

- Require new countermeasures just being developed

- ILM – data deletion – remanence, degaussing (electronic file shredding)

» Cloud services are often global-resource based

- Off-shoring support and remote help desk – natural or technical issues

- Multi-level subcontracting invisible to the service involved

» Shadow IT may result in undermining governance

- Units contracting their own ICT facilities

» Countermeasures may be outdated (for profit or other reasons)

- Session riding & session hijacking – stateless HTTP

- Insecure / obsolete cryptography & weak authentication mechanisms

» Complexity of identity provisioning and de-provisioning increases

- Who controls resources as required by AAA processes?

Page 20: Frans van Leuven - The security aspects of Cloud Services

Cloud Governance Issues

» Cloud provider problems

» Going out of business

» Provider not achieving SLAs or contracts

» Provider having poor business continuity planning / disaster recovery

» Data centers in countries with unfriendly laws or undesired political/economic conditions

» Cheap countries are cost-wise attractive but typically have higher risks of multiple natures

» Conditions may literally change overnight

» Doing risk assessments and impact analysis is a far from trivial job

» Increasingly complex to cope with disasters

- More types, more places, increased likelihood etc.

» The number of parties involved increases, many will have no relation/compassion with the organization impacted by mayhem

» Many eggs go into one basket. Domino effects not to be excluded

Page 21: Frans van Leuven - The security aspects of Cloud Services

Identification, Authentication, Authorization and Accounting (IAAA)

» Identification, Authentication, Authorization and Accounting (Access Control)

- A particular challenge in cloud service offerings

- IAAA infrastructure in most enterprises is evolving and will not fulfill the demands of cloud services

» Asks for some type of Federated Identity (single source for identity)

» Governments are reluctant to play this role

» Increasingly becomes yet another cloud service

» Data classification is almost becoming a mandatory strategy!

» Which type of cloud service meets regulations and contractual obligations?

» Which application may be run under various degrees of sharing?

» Which data may be stored over the border?

» The one security approach that fits all services may soon become very expensive (as it must meet the hardest conditions)

Page 22: Frans van Leuven - The security aspects of Cloud Services

Digital Rights Management

» Controlling DRM aspects has never been easy

» A whole new dimension is being added, making it more complex

- Varies with SAAS, PAAS, IAAS

» How do audits work with these models?

» Where is your data stored and how is it protected?

» In-transit and stationary conditions

» What is the decision process to change these conditions?

» Who has access to your data?

» This includes access at the database as a whole

» Where are these people located?

» What is reported to you?

Page 23: Frans van Leuven - The security aspects of Cloud Services

Current Enterprise IAAA Infrastructure


Page 24: Frans van Leuven - The security aspects of Cloud Services

Federated Identity management within clouds


Page 25: Frans van Leuven - The security aspects of Cloud Services

Cloud Services Data Classification and Security

» Organizations will need to classify data based on:

» Importance of data to the organization - Business Impact

- High - Authenticate and encrypt (at rest, in motion and during compute)

- Medium – Watermark and proxy IDs

- Low – In-house, internal, local use (leverage enterprise directory services)

» Accessibility by whom and why – Authentication, Authorization, Access Control

- Secret?, Confidential?, Public?

» Network zoning – Virtual instances with IP-range IDs and VLAN containers; authentication proxies deployed at the perimeter

» Organization control

- Identity creation and validation

- Identity provisioning and de-provisioning

- Identity validation and traceability – Organization HR

- Identity proxy validation – Partner HR

- Identity self-creation - internet customers

Page 26: Frans van Leuven - The security aspects of Cloud Services

Identity and Access Management (IAM)

» Identity provisioning/de-provisioning

- Secure and timely management of provisioning & de-provisioning of users in the cloud

» Identity profiles

- Guaranteed – HR (enterprise directory services)

- Trusted – Validity can be assured (partners, suppliers etc.)

- Untrusted – Self-created online customers (lowest trust)

» Authentication

- Enterprise: authenticate with local AD and establish trust with the IdP through federation – secure exchange of user attributes

- Users authenticating themselves – untrusted – but can consider Yahoo, Hotmail or Gmail IDs (initiate a discussion on this with the attendees)

» Authorization & user profile management

» Federation
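The slide names three identity profiles (Guaranteed, Trusted, Untrusted) and a federation in which the enterprise authenticates locally and the cloud service receives user attributes from an IdP. The following is an added example, not code from the deck or from Atos Origin, of what the cloud service (the relying party) has to check before it can act on such an assertion: known issuer, intact signature, right audience, validity window, and then the trust tier of the issuer against what the resource demands. It uses HMAC-SHA256 over a JSON payload with a shared key per IdP as a self-contained stand-in for the XML or JWT signatures real SAML/OIDC federations use; the issuer names, keys, subjects and attributes are all constructed.

```python
"""Federated identity check at a cloud service (the relying party): verify a
signed attribute assertion from an identity provider and map the issuer to a
trust tier (Guaranteed / Trusted / Untrusted) before authorising access.

Added example. HMAC-SHA256 with a per-IdP shared key stands in for the
SAML/OIDC signatures real federations use; issuers, keys, attributes and
audience names are constructed.
"""
import base64
import hashlib
import hmac
import json
from enum import IntEnum


class Tier(IntEnum):
    UNTRUSTED = 0   # self-created identities (e.g. consumer webmail accounts)
    TRUSTED = 1     # partner / supplier HR vouches for validity
    GUARANTEED = 2  # own enterprise directory (HR-backed)


# Federation metadata the relying party holds (constructed): which IdPs are
# accepted, the key agreed with each, and the trust tier their identities carry.
FEDERATION = {
    "idp.enterprise.example": {"key": b"enterprise-shared-key", "tier": Tier.GUARANTEED},
    "idp.partner.example":    {"key": b"partner-shared-key",    "tier": Tier.TRUSTED},
    "login.webmail.example":  {"key": b"webmail-shared-key",    "tier": Tier.UNTRUSTED},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer: str, key: bytes, subject: str, attributes: dict,
                    audience: str, now: int, ttl: int = 300) -> str:
    """IdP side: sign a short-lived assertion bound to one relying party (aud)."""
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl, "attrs": attributes}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def verify_assertion(token: str, audience: str, now: int) -> tuple[Tier, dict]:
    """Relying-party side: check issuer, signature, audience and validity window.
    Returns (trust tier, payload); raises ValueError on any failure."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        payload = json.loads(body)
    except ValueError:  # covers unpacking, base64 and JSON errors
        raise ValueError("malformed assertion")
    # The issuer claim is read first but trusted only once the signature over
    # the whole body checks out with the key agreed for that issuer.
    idp = FEDERATION.get(payload.get("iss"))
    if idp is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(idp["key"], body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if payload.get("aud") != audience:
        raise ValueError("assertion not issued for this service")
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        raise ValueError("assertion expired or not yet valid")
    return idp["tier"], payload


def authorise(token: str, audience: str, now: int, required: Tier) -> bool:
    """Grant only if the assertion verifies and the issuer's tier meets the
    tier the resource demands; any verification failure denies access."""
    try:
        tier, _ = verify_assertion(token, audience, now)
    except ValueError:
        return False
    return tier >= required
```

The tier comes from the relying party's own federation metadata, never from a claim inside the assertion, which is what keeps a self-registered webmail identity from asserting its way into a Guaranteed-only resource; the audience and expiry checks are what stop an assertion minted for one cloud service from being replayed at another.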

Page 27: Frans van Leuven - The security aspects of Cloud Services

Data Classification essential in the Cloud

» Data classification impacts the total ICT chain

» How data is stored

» How data is transported

» How data is marked according to its class

» Conditions of applications accessing the data

» Conditions of applications used for transfer

» Rights of the owner

» Authorizations of users

» The potential impact of compromised data must be mitigated by matching countermeasures

» As complexity grows this becomes a big cost item

» The volume of data almost doubles yearly

» Network zoning often helps to simplify countermeasures
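Slide 25 attaches controls to each classification level (High: authenticate and encrypt at rest, in motion and during compute; Medium: watermark and proxy IDs; Low: internal use on the enterprise directory) and slide 21 asks which cloud service meets the obligations, which degree of sharing an application may run under, and which data may be stored over the border. The following added example, not from the deck, turns those questions into a placement check: each dataset carries a class and permitted jurisdictions, each candidate offering its deployment model, jurisdiction and contracted controls, and `evaluate` lists what blocks the placement. Which deployment models each class may share, the subcontracting rule, and the datasets and offerings themselves are assumptions of this example.

```python
"""Data classification policy for choosing a cloud offering: given a dataset's
class and residency constraints and a candidate offering's deployment model,
jurisdiction and controls, list what blocks the placement.

Added example. The control sets per class follow slide 25; which deployment
models each class may share is an assumption of this example, as are the
datasets and offerings.
"""
from dataclasses import dataclass
from enum import Enum


class DataClass(Enum):
    HIGH = "high"      # e.g. secret: high business impact
    MEDIUM = "medium"  # e.g. confidential
    LOW = "low"        # e.g. public / internal


class Deployment(Enum):
    PRIVATE = "private"
    COMMUNITY = "community"
    HYBRID = "hybrid"
    PUBLIC = "public"


# Controls the slide attaches to each class.
REQUIRED_CONTROLS = {
    DataClass.HIGH: {"authenticate", "encrypt-at-rest", "encrypt-in-motion", "encrypt-in-compute"},
    DataClass.MEDIUM: {"authenticate", "watermark", "proxy-ids"},
    DataClass.LOW: {"enterprise-directory"},
}

# Degrees of sharing each class tolerates (assumption of this example).
ALLOWED_SHARING = {
    DataClass.HIGH: {Deployment.PRIVATE, Deployment.COMMUNITY},
    DataClass.MEDIUM: {Deployment.PRIVATE, Deployment.COMMUNITY, Deployment.HYBRID},
    DataClass.LOW: set(Deployment),
}


@dataclass(frozen=True)
class Dataset:
    name: str
    data_class: DataClass
    allowed_jurisdictions: frozenset  # where the data may be stored (the "over the border" rule)


@dataclass(frozen=True)
class Offering:
    name: str
    deployment: Deployment
    jurisdiction: str              # where the provider's data centres are
    controls: frozenset            # controls the provider contractually delivers
    subcontractors_disclosed: bool = True  # multi-level subcontracting made visible?


def evaluate(dataset: Dataset, offering: Offering) -> list[str]:
    """Return the findings that block placing `dataset` on `offering`; an
    empty list means the offering meets the classification's obligations."""
    findings = []
    if offering.deployment not in ALLOWED_SHARING[dataset.data_class]:
        findings.append(f"{dataset.data_class.value} data may not run on a {offering.deployment.value} cloud")
    if offering.jurisdiction not in dataset.allowed_jurisdictions:
        findings.append(f"storage in {offering.jurisdiction} is outside the permitted jurisdictions")
    for control in sorted(REQUIRED_CONTROLS[dataset.data_class] - offering.controls):
        findings.append(f"required control missing: {control}")
    if dataset.data_class is DataClass.HIGH and not offering.subcontractors_disclosed:
        findings.append("subcontracting chain undisclosed; cannot verify who handles high-impact data")
    return findings


def eligible_offerings(dataset: Dataset, offerings: list[Offering]) -> list[str]:
    """Names of the offerings on which the dataset may be placed."""
    return [o.name for o in offerings if not evaluate(dataset, o)]


# Constructed sample inventory.
OFFERINGS = [
    Offering("public-saas-us", Deployment.PUBLIC, "US",
             frozenset({"authenticate", "encrypt-in-motion", "enterprise-directory"})),
    Offering("community-health-eu", Deployment.COMMUNITY, "EU",
             frozenset({"authenticate", "encrypt-at-rest", "encrypt-in-motion", "encrypt-in-compute",
                        "watermark", "proxy-ids", "enterprise-directory"})),
    Offering("hybrid-partner-eu", Deployment.HYBRID, "EU",
             frozenset({"authenticate", "watermark", "proxy-ids", "enterprise-directory"}),
             subcontractors_disclosed=False),
]

DATASETS = [
    Dataset("patient-records", DataClass.HIGH, frozenset({"EU"})),
    Dataset("product-catalogue", DataClass.LOW, frozenset({"EU", "US"})),
    Dataset("partner-price-list", DataClass.MEDIUM, frozenset({"EU"})),
]

if __name__ == "__main__":
    for ds in DATASETS:
        print(ds.name, "->", eligible_offerings(ds, OFFERINGS))
```

Because the check is per dataset rather than per enterprise, the Low-class catalogue can use the cheap public offering while only the community cloud qualifies for the High-class records, which is the cost argument slide 21 makes against one security approach for all services.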

Page 28: Frans van Leuven - The security aspects of Cloud Services

Sources & References

» Live Link: MOD-GPM-1822 - Security Classification and Network Zoning v0.1.pdf

» NIST CLOUD RISK Assessment sp800-30.pdf

» http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

» http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf

» ENISA_RM-Deliverable1-Final-version-v1.0-2006-03-30.pdf

» http://www.enisa.europa.eu/act/rm/files/deliverables/inventory-of-risk-assessment-and-risk-management-methods

» Security Guidance for Critical Areas of Focus in Cloud Computing

» http://www.cloudsecurityalliance.org/csaguide.pdf

» http://srmsblog.burtongroup.com/2009/06/cloud-computing-who-is-in-control.html

» http://www.27000.org/iso-27005.htm

» http://srmsblog.burtongroup.com/cloud-security/

Page 29: Frans van Leuven - The security aspects of Cloud Services


For more information please contact:

[email protected]

+31 (0) 630439248

[email protected]

+31 (0) 882656477

Atos Origin Netherlands BV, HTC 51, 5656 AB Eindhoven

www.atosorigin.com