Security, Trust, Liability... "Foggy" Challenges for Cloud Computing (nsrc.cse.psu.edu)

  • Security, Trust, Liability... "Foggy" Challenges for Cloud Computing

    Keynote NSRC Industry Day 2009Penn State University - Oct 13, 2009

    ---

    Frank

    Argonne National Laboratory / University of Chicago

  • Outline

    Introduction

    What is Cloud Computing?

    Security Guidance for Cloud Deployment

    Clouds float on Virtual Machines

    VM Security Challenges

    VM Security Opportunities

    Conclusion

    Oct 13, 2009 "Foggy" Challenges for Cloud Computing @ Industry Day 2009

  • Who's Frank?

    Argonne National Laboratory / University of Chicago

    Earth System Grid: WebSSO, CAs

    Standards, standards: WSS*, OGSA, XACML

    DOE Cybersecurity R&D Grassroots

    TeraGrid, EGEE, OSG

    CDIGS, CHI, CTSA

    GridShib

    Globus Project: GSI, authZ

    NIH/NCI's caBIG/caGrid: GAARDS (caBIG: Cancer Research)

    NIMBUS toolkit: Cloud Computing


  • What is Cloud Computing?


  • Draft NIST Working Definition of Cloud Computing (CC)

    Nice write-up by Peter Mell, Tim Grance: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html

    Definition of Cloud Computing: "Cloud computing is a model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is comprised of five essential characteristics, three delivery models, and four deployment models."

  • CC's Essential Characteristics

    On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.

    Ubiquitous network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

    Location independent resource pooling. The provider's computing resources are pooled to serve all consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. The customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

    Rapid elasticity. Capabilities can be rapidly and elastically provisioned to quickly scale up and rapidly released to quickly scale down. To the consumer, the capabilities available for provisioning often appear to be infinite and can be purchased in any quantity at any time.

    Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

  • CC's Three Delivery Models (SPI-Model)

    Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure and accessible from various client devices through a thin client interface such as a Web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

    Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created applications using programming languages and tools supported by the provider (e.g., Java, Python, .NET). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, or storage, but the consumer has control over the deployed applications and possibly application hosting environment configurations.

    Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).

  • Cloud Computing

    (Figure: the IaaS (Infrastructure-as-a-Service) / PaaS (Platform-as-a-Service) / SaaS (Software-as-a-Service) stack, with elasticity and computing on demand, and the shift from capital expense to operational expense)

  • CC's Four Deployment Models

    Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

    Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations).

    Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

    Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting).

  • (Figure) Source: OpenCrowd.com

  • Open Source IaaS Implementations

    Nimbus: toolkit to turn your cluster into an IaaS cloud; EC2, Xen, virtual clusters. UofChicago/ANL, K. Keahey & team, early 2008

    Eucalyptus: open source implementation of EC2; commercial funding '09. UCSB, R. Wolski & team, 06/2008

    OpenNebula: open source datacenter implementation. University of Madrid, I. Llorente & team, 03/2008

    Cloud-enabled Nimrod-G: open source implementation of EC2. Monash University, MeSsAGE Lab, 01/2009

    Industry efforts: openQRM, Enomalism

  • GoGrid is a real cloud hosting company (http://www.GoGrid.com/ and http://NoHardware.com/)

  • ... and Gartner likes GoGrid

    Cool Vendors in Cloud Computing System and Application Infrastructure, 2009

    http://mediaproducts.gartner.com/reprints/gogrid/article1/article1.html

  • Recent Cloud Computer Outages

    Microsoft Danger SideKick recent outage: contacts, calendar entries, photographs and other personal information of T-Mobile Sidekick users looks to be lost for good

    Google Gmail fails again: string of outages for Google's cloud-based offerings, including Google search, Google News and Google Apps over the past 18 months

    eBay's PayPal crashes: the PayPal online payments system failed a couple of times in August, leaving millions of customers unable to complete transactions

    Rackspace pays up: Rackspace was forced to pay out between $2.5 million and $3.5 million in service credits to customers in the wake of a power outage that hit its Dallas data center in late June

    Windows Azure test release goes down: early adopters of Microsoft's cloud-computing network Windows Azure suffered an overnight outage over a weekend in mid-March

    Amazon S3 storage service knocked out: summer of 2008 saw the last major Amazon S3 cloud network outage, which lasted for 7 to 8 hours and followed another outage earlier last year caused by too many authentication requests

    Source: NetworkWorld

  • Clouds great for many Small/Medium Businesses (SMBs)

    Most small businesses, schools, organizations are unable to run a decent IT-shop: lack of SW/OS patches, misconfiguration, bad secret-hygiene, minimal physical security, etc., etc.

    Most of those SMBs will benefit from SaaS/PaaS/IaaS: Amazon/Google will always do a better operations-job

    Security/privacy concerns are the exact opposite of Big Businesses' concerns

    No brainer (except for liability issues)

    Absolute no-brainer for start-ups: many wouldn't exist without the operational vs capital expense swap

  • Cloud Security Alliance (CSA) (http://cloudsecurityalliance.org/)

    Recent initiative

    Members: HP, Sun, Dell, VISA, Barclays, ING, Intuit, eBay, Qualcomm, DuPont, Northrop Grumman, Fox/Newsgroup, Rackspace, PGP, RSA, McAfee, ...

    Notable non-members: Amazon, Google, IBM, Microsoft, ...

    Number of big end-users, though

  • Security Guidance for Critical Areas of Focus in Cloud Computing

    Recent CSA publication from April 09. Good read! Points out many security related areas that are easily/often/mostly overlooked

    Many issues are related to liability, legal requirements, audit issues, ... Not really interesting for the scientists among us ;-)

    As a bonus, it discusses a Cloud Computing Architectural Framework based on NIST's definitions

    Very recent book: Cloud Security and Privacy - An Enterprise Perspective on Risks and Compliance, by Tim Mather, Subra Kumaraswamy, Shahed Latif. Publisher: O'Reilly, ISBN 978-0-596-80276-9 (September 2009)

  • CSA's Guidance Summary (1)

    Tradeoffs between extensibility (openness) and security responsibility:

    SaaS (Software as a Service): least extensibility and greatest amount of security responsibility taken on by the cloud provider

    IaaS (Infrastructure as a Service): greatest extensibility and least amount of security responsibility taken on by the cloud provider

    PaaS (Platform as a Service): lies somewhere in the middle, with extensibility and security features which must be leveraged by the customer

  • CSA's Guidance Summary (2)

    Legal, Liability, Audit, Viability concerns between customers and cloud providers

    Risk assessments: outages, data loss/recovery, data center operations

    Contracts and Audit: trust but verify; often a requirement related to legal or insurance

    Privacy issues/assessment: legal requirements that data doesn't cross borders or jurisdiction; consequences of leakage

    Termination of relationship: portability, leave nothing behind

    Lawsuits with discovery requirements

  • CSA's Guidance Summary (3)

    Application/Infrastructure Security: intrusion detection; incident response/escalation; data encryption facilities; standardized secure protocols (WSS, SAML, TLS, ...); federation services (SSO, SAML, OpenID, WS-Federation, ...)

    Hypervisor/VM Security: need trusted TCB/Hypervisor + VM-Manager; need trusted VM-images; securely manage/issue secret keys; VM monitoring; VM compromise detection

    More ...

  • AWS & HIPAA Compliance...

    Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services: http://awsmedia.s3.amazonaws.com/AWS_HIPAA_Whitepaper_Final.pdf

    Solutions:

    DiskAgent: secure, encrypted data-storage on S3 of electronic private health information (EPHI)

    TC3 Health: "We are utilizing Amazon S3, EC2, and SQS to enable our claim processing system capacity to increase and decrease as required to satisfy our service level agreements (SLAs)"

    MedCommons: "We use Amazon S3, EC2, Elastic IP to store and host individual HealthURL accounts"

    ... our BioMed collaborators are nervous. The big Q: who goes to jail when anything goes wrong?

  • Cloud Service Provider Audit

    Customers are nervous about CSPs' operations, fail-over, outages, security, logging, privacy, etc., etc.

    IT outsourcing is not new: CSC, IBM Global Services, ... Big customers require external audit of the SP

    CSPs are touting their secure, robust operations

    Audit frameworks are evolving to meet the new paradigm: SAS70, SysTrust, ISO27001

    This will be solved: higher standard => more $$$ (differentiating factor for cloud offerings)

  • Federal Cloud Computing Initiative

    Government drank the Cloud Kool-Aid: Cloud Computing plays a key role in the President's initiative to modernize IT

    The General Services Administration (GSA) is focusing on implementing projects for planning, acquiring, deploying and utilizing cloud computing solutions for the Federal Government

    See Apps.gov. All solutions are still TBD but there is a lot of noise ;-)

  • (Screenshots) http://App.gov

  • Coming Soon on a Government Cloud near You

  • Challenges and Opportunities for Virtualized Security


  • Clouds run on Virtual Machines

    The previous part was kind of high-level, slightly boring for those interested in real technology and such

    However, meeting the cloud security requirements is a dauntingly complex task

    Clouds run on virtual machines

    Virtual machine technologies are both a risk and an asset for security


  • DOE CyberSecurity Research Workshops

    DOE cybersecurity researchers organized a number of workshops to discuss cybersecurity research needs for 3-5-10 years out

    NSRC's Trent Jaeger participated

    One clear conclusion was that Cloud computing and virtualization are pervasively in our future

    Virtualization can help to make future IT more secure

    Research opportunities

  • 3/5/10 Year Prediction: VM Deployment Everywhere

    Every network service runs on a VM; 1 service/VM if possible

    10s-100s-1000s of VMs per physical server; 10s-100s of cores/CPU, multiple CPUs/board

    All desktops/laptops/PDAs/cellphones/... everything runs their OSs/apps in VMs; VMM/Hypervisor is pushed into the BIOS

    Commercial IT-world, data centers, clusters, Clouds ... all have fully adopted VM-technologies

  • VMs & VMM

    (Figure: a Control Plane with a Manager and VM-1, VM-2, ..., VM-n on top of Hardware/Network/Memory/Disk)

  • More Detailed VM Hosting

    (Figure: the Hypervisor/VM-Monitor acts as Reference Monitor, providing Policy Enforcement and Isolation; VM-1 ... VM-n each run App + OS; the VM-Manager (Domain-0 or Svc Console) sits beside them; all on Hardware/CPUs/Network/Memory/Disk. Hypervisor plus VM-Manager make up the Trusted Computing Base (TCB).)

  • VMs and Security

    VM insulation/isolation/compartmentalization: VMs don't see each other; limited consequences of compromise (single VM)

    Hypervisor/VM-Monitor transparent control/monitoring: real-time policy enforcement of network/memory/disk/cpu access; monitor bandwidth/memory/disk/cpu usage; throttle bandwidth/memory/disk/cpu usage

    Freeze, migrate, replicate VM-images: forensic evidence frozen; menu-svc to prepare commodity/custom-made configs

    Security policy becomes part of the SLA between the VM-host and VM-owner: Service Level Agreement about use of ports, network, libs, cpu, external access, behavior, etc. (includes security components); enforce Least Privilege Model; could limit bot-net/army capabilities

  • Challenges because of Virtualization

  • Challenge: Assurances about VM's Hosting Environment

    The virtualization of resources introduces an additional abstraction that complicates the policy enforcement for a VM-user who requires assurances about the location, type, or kind of hardware that hosts the hypervisor

    The use of secure hardware components, like an integrated TPM, could help to attest the trust chain from the application service running on a VM, running on a hypervisor, running on a specific machine that has an embedded TPM

  • Where does my Service run?

    Somehow I received a reference for a Service, through a broker/discovery/directory svc

    Policy: only run on DOE-approved Compute Facilities. Where and how do I get the assurance that my service-appliance conforms?

    Virtualization adds an additional level of abstraction/indirection

    How can we anchor the trust on the HW? Compute resource users have a similar interest as the DRM-folks of the movie/music industry

    Trusted Computing Platform (TCP) may/can help: TCP-HW => VMM => VM-image => OS => app => user
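    The trust chain of the two slides above (TCP-HW => VMM => VM-image => OS => app), worked through as an added example; this is not code from the talk. It simulates how a TPM anchors that chain: each layer is measured into a PCR with the TPM extend rule (pcr = H(pcr || H(image))), the TPM quotes the PCR bound to a verifier nonce, and the verifier replays the event log and compares the result against golden values for approved stacks. The sample images, the golden list and the attestation key are constructed assumptions; to stay dependency-free the quote is an HMAC under a key the verifier shares with the software "TPM", where a real TPM would sign with an asymmetric attestation key.

```python
import hashlib
import hmac
import os
from typing import List, Set, Tuple

PCR_INIT = b"\x00" * 32

# Constructed stand-ins for the images of each link in the chain (assumptions, not real builds).
APPROVED_STACK: List[Tuple[str, bytes]] = [
    ("vmm", b"hypervisor build 3.4.1 as deployed at the approved facility"),
    ("vm-image", b"approved service appliance v12"),
    ("os", b"appliance kernel 2.6.18"),
    ("app", b"data service 1.0"),
]


class SoftTPM:
    """Software stand-in for a TPM: one PCR and an attestation key that never leaves it.
    Assumption: a keyed MAC replaces the asymmetric quote signature of a real TPM."""

    def __init__(self, attestation_key: bytes) -> None:
        self._key = attestation_key
        self.pcr = PCR_INIT
        self.event_log: List[Tuple[str, bytes]] = []

    def extend(self, name: str, image: bytes) -> None:
        """TPM extend rule: pcr = H(pcr || H(image)). One-way and order-sensitive, so software
        above the TPM can append measurements but never rewrite earlier ones."""
        digest = hashlib.sha256(image).digest()
        self.event_log.append((name, digest))
        self.pcr = hashlib.sha256(self.pcr + digest).digest()

    def quote(self, nonce: bytes) -> Tuple[bytes, bytes]:
        """Return the current PCR bound to the verifier's nonce, so old quotes cannot be replayed."""
        tag = hmac.new(self._key, nonce + self.pcr, hashlib.sha256).digest()
        return self.pcr, tag


def boot(tpm: SoftTPM, layers: List[Tuple[str, bytes]]) -> None:
    """Measured boot: each layer is measured before control passes to it."""
    for name, image in layers:
        tpm.extend(name, image)


def replay_log(event_log: List[Tuple[str, bytes]]) -> bytes:
    """Recompute the PCR a verifier expects from a claimed event log."""
    pcr = PCR_INIT
    for _, digest in event_log:
        pcr = hashlib.sha256(pcr + digest).digest()
    return pcr


def expected_pcr(layers: List[Tuple[str, bytes]]) -> bytes:
    """Golden PCR value for a known-good stack."""
    return replay_log([(name, hashlib.sha256(image).digest()) for name, image in layers])


def verify_attestation(attestation_key: bytes, nonce: bytes, pcr: bytes, tag: bytes,
                       event_log: List[Tuple[str, bytes]], golden: Set[bytes]) -> Tuple[bool, str]:
    """Three checks in order: the quote is genuine and fresh, the log explains the PCR,
    and the PCR is one the policy (e.g. 'DOE-approved facilities only') accepts."""
    want = hmac.new(attestation_key, nonce + pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return False, "quote is not from the expected TPM for this nonce"
    if replay_log(event_log) != pcr:
        return False, "event log does not reproduce the quoted PCR"
    if pcr not in golden:
        return False, "hosting stack is not on the approved list"
    return True, "ok: " + " => ".join(name for name, _ in event_log)


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    key = b"attestation-key-provisioned-at-facility"  # assumption: shared with the verifier
    golden = {expected_pcr(APPROVED_STACK)}
    nonce = os.urandom(16)

    # 1. A host running the approved stack attests successfully.
    good_tpm = SoftTPM(key)
    boot(good_tpm, APPROVED_STACK)
    pcr, tag = good_tpm.quote(nonce)
    good = verify_attestation(key, nonce, pcr, tag, good_tpm.event_log, golden)

    # 2. Same appliance on an unapproved hypervisor: the first extend differs, so every
    #    later PCR value differs too, even though VM image, OS and app are identical.
    rogue_tpm = SoftTPM(key)
    boot(rogue_tpm, [("vmm", b"unapproved hypervisor")] + APPROVED_STACK[1:])
    rogue_pcr, rogue_tag = rogue_tpm.quote(nonce)
    rogue = verify_attestation(key, nonce, rogue_pcr, rogue_tag, rogue_tpm.event_log, golden)

    # 3. The rogue host lies in its event log (copies the approved digests), but it cannot
    #    make the TPM quote a PCR that the honest measurements did not produce.
    forged_log = [(name, hashlib.sha256(image).digest()) for name, image in APPROVED_STACK]
    forged = verify_attestation(key, nonce, rogue_pcr, rogue_tag, forged_log, golden)
    return good, rogue, forged


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

    The verifier only trusts what the TPM quoted; the event log is untrusted input that must reproduce the quote. Note what this does not give you: the golden values say the host booted approved code, not that the code is still uncompromised at run time, which is why the talk also wants monitoring and compromise detection above the TPM.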

  • Challenge: Correctness of Hypervisor Security Execution

    The overall protection of the VMs from the outside world as well as from the other hosted VMs relies on the integrity of the hosting system, i.e. the integrity of the hypervisor software and the correctness of the policy enforced by its reference monitor.

    In order to limit the number of bugs in the hypervisor code, the code base must remain as small as possible and must be formally proven secure where possible.

    The correct and unambiguous enforcement of the policy by the reference monitor, as it is derived from the SLAs and higher-level site-policies, is another concern.

  • Privileged Domains/Partitions

    The Hypervisor may be small ... actually > 100k LoC for Xen 3.*

    The VM-Manager (Dom-0) is not: equivalent of root. Compromised Dom-0 => all VMs are compromised

    TCB = Hypervisor + Dom-0; the VM-Manager is often facing the internet

    Need ways to compartmentalize or split responsibilities among multiple privileged VMs

    Not trivial ... weakest link

  • (Figure) Source: RSA 2008 Presentation, "Security Challenges in Virtualized Environments", Joanna Rutkowska, Invisible Things Lab

  • Opportunities to Improve Security

  • Virtual OTP Token

    (Figure: the VM hosting diagram again, with an additional VM acting as a Virtual One Time Password Token, reached over a Secure Channel/Path to the user; the Hypervisor/VM-Monitor as Reference Monitor provides Policy Enforcement and Isolation between it and the App/OS VMs.)

  • Secure Inter-VM Communication

    Inter-VM communication managed by the Hypervisor

    Connections and visibility of the communication are under the Hypervisor's control, i.e. are policy enforced

    Inter-VM communications can be authenticated, and privacy and integrity protected, without the need for any higher-level protocols like IPsec or SSL/TLS

    Authentication on the VM-Id level, similar to IPsec authN which is on the host-level

  • Trusted Security Token Service VM

    Access to a VM can be restricted to only a single other VM managed by the same hypervisor and further restricted to a single communication mechanism and protocol.

    Off-load the secrets and crypto processing from a network attached VM to a non-network-accessible VM. Use pkcs#11 interface

    Equivalent of using a VM as a smartcard or secure hardware device.

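    The two slides above (hypervisor-mediated inter-VM communication, and a non-network VM used as a smart card) as an added example; this is not code from the talk. A toy reference monitor is the only path between VMs: its policy is deny-by-default over (source VM, destination VM, protocol) triples, the caller's identity is the hypervisor's own handle rather than a field in the message, and the key-holding VM offers only sign and attribute operations, never key export. The VM names, the policy triples, the key label, the PKCS#11-flavoured operation names and the use of HMAC as the "signing" primitive are assumptions.

```python
import hashlib
import hmac
from typing import Any, Dict, List, Set, Tuple


class PolicyDenied(Exception):
    """Raised by the reference monitor; the destination VM never sees the request."""


class TokenServiceVM:
    """Non-network-accessible VM that plays the role of a smart card / key chain.
    Only operations that keep the key inside this VM are offered. PKCS#11-style names
    are used for flavour; this is not a PKCS#11 implementation (assumption)."""
    vm_id = "vm-token"
    network_attached = False

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self._keys = keys  # never returned by any operation

    def handle(self, proto: str, src: str, request: Dict[str, Any]) -> Dict[str, Any]:
        if proto != "pkcs11":
            return {"error": "unsupported protocol"}
        label = request.get("key")
        if label not in self._keys:
            return {"error": "no such key"}
        op = request.get("op")
        if op == "C_Sign":
            # Assumption: HMAC-SHA256 stands in for an asymmetric signature.
            tag = hmac.new(self._keys[label], request["data"], hashlib.sha256).hexdigest()
            return {"signature": tag, "signed_for": src}
        if op == "C_GetAttributeValue":
            return {"label": label, "CKA_EXTRACTABLE": False}
        return {"error": f"{op} not offered: key material never leaves {self.vm_id}"}


class PlainVM:
    """Any other VM; it offers no service to its peers."""

    def __init__(self, vm_id: str, network_attached: bool) -> None:
        self.vm_id = vm_id
        self.network_attached = network_attached

    def handle(self, proto: str, src: str, request: Dict[str, Any]) -> Dict[str, Any]:
        return {"error": f"{self.vm_id} offers no inter-VM service"}


class Hypervisor:
    """Reference monitor for inter-VM calls: deny by default, every decision audited."""

    def __init__(self) -> None:
        self.vms: Dict[str, Any] = {}
        self.policy: Set[Tuple[str, str, str]] = set()   # (src, dst, proto)
        self.audit: List[Tuple[str, str, str, str]] = []

    def register(self, vm: Any) -> None:
        self.vms[vm.vm_id] = vm

    def allow(self, src: str, dst: str, proto: str) -> None:
        self.policy.add((src, dst, proto))

    def call(self, caller: Any, dst: str, proto: str, request: Dict[str, Any]) -> Dict[str, Any]:
        # The source identity is the hypervisor's handle on the caller, not anything the
        # caller wrote into `request`: VM-id level authentication, as on the slide.
        src = caller.vm_id
        if caller is not self.vms.get(src):
            raise PolicyDenied(f"unknown caller {src!r}")
        decision = "allow" if (src, dst, proto) in self.policy else "deny"
        self.audit.append((src, dst, proto, decision))
        if decision == "deny":
            raise PolicyDenied(f"{src} -> {dst} via {proto} is not in the policy")
        return self.vms[dst].handle(proto, src, request)


def build_demo() -> Tuple[Hypervisor, PlainVM, PlainVM, TokenServiceVM]:
    """Three VMs under one hypervisor; only vm-web may reach the token VM (assumptions)."""
    hv = Hypervisor()
    web = PlainVM("vm-web", network_attached=True)       # faces the internet
    batch = PlainVM("vm-batch", network_attached=True)   # unrelated workload on the same host
    token = TokenServiceVM({"api-signing": b"constructed-demo-key"})  # constructed key
    for vm in (web, batch, token):
        hv.register(vm)
    hv.allow("vm-web", "vm-token", "pkcs11")  # the single permitted path to the key
    return hv, web, batch, token


if __name__ == "__main__":
    hv, web, batch, token = build_demo()
    print(hv.call(web, "vm-token", "pkcs11", {"op": "C_Sign", "key": "api-signing", "data": b"claim-123"}))
    try:
        hv.call(batch, "vm-token", "pkcs11", {"op": "C_Sign", "key": "api-signing", "data": b"x"})
    except PolicyDenied as e:
        print("denied:", e)
    print(hv.audit)
```

    What this buys you: an attacker who takes over vm-web gains a signing oracle for as long as the compromise lasts, but never the key, and the hypervisor's audit trail shows exactly which VM asked for what. The example is only as strong as the isolation of the token VM, which is the hypervisor/Dom-0 correctness problem from the challenges section.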

  • Virtual Smart Card

    (Figure: the VM hosting diagram again, with one VM acting as a Virtual Key-Chain/SmartCard, reachable only over a hypervisor-mediated Secure Channel from the App/OS VMs, plus a Secure Channel/Path to the user; Policy Enforcement and Isolation by the Hypervisor/VM-Monitor as Reference Monitor.)

  • Goal: Limit Chance and Limit Consequences of Compromise

    State of networked clients & services: hacked or to be hacked soon

    All systems will be hacked: not if but when ... and maybe already

    Fact of cybersecurity life: get over it, live with it

    Goal: Limit Chance of Compromise

    Goal: Limit Consequences of Compromise

    Non-goal: make systems unhackable

  • SLA & Least Privilege Operation

    Minimize a VM's privileges to those required for correct operation and no more

    The Service Level Agreement (SLA) should determine the required use of resources (cpu/memory/disk/network)

    More details in the SLA => not per customer, but per VM-appliance: finer-grained enforcement of resource usage; increased ability to monitor for abnormalities; lesser chance for compromise to occur; lesser chance for compromise to spread

  • Fine-Grained SLA => $$$

    Lock the sandbox down as much as possible: ports, network-addresses, cpu usage, app/library usage patterns, file access, ...

    Deviation from normal behavior = deviation from SLA => reason for suspicion, for lockdown

    Detailing the SLA: automated (code scanning, observation/learning) plus human/warm-body domain/code-knowledge

    Why go through the trouble of detailing the SLA? $$$: more detail => cheaper rates. Tighter sandbox => less chance for intrusion-damage => less potential monetary damage (for both CSP & client)

    IaaS specific, but PaaS/SaaS can benefit also

  • Fine-Grained SLA Enforcement

    Fine-grained SLA enforcement requires: fine-grained resource-access authZ in the hypervisor; fine-grained resource-usage monitoring in the hypervisor; ideally a high-level, warm-body-friendly policy language, or better: higher-level SLA to low-level policy translation

    Client specifies a fine-grained SLA, which results in an equivalent fine-grained low-level hypervisor policy to be enforced

    Requires in-depth hypervisor policy knowledge ... there is a business case here

  • SLA & Fine-Grained Access Control

    Translate high-level SLA statements into the hypervisor's low-level access control policy

    Xen Security Modules (XSM): sHype MAC policies (IBM), Flask MAC-policies (NSA), like the SELinux policy grammar

    Need an SLA-language with a translator such that warm-bodies won't have to write SELinux-like access rules
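    The SLA-to-policy translation the last four slides argue for (and the hypervisor-side monitoring and throttling on the "VMs and Security" slide), as an added example; this is not code from the talk and not Xen/XSM, sHype or Flask policy syntax. A per-appliance SLA written in plain terms is compiled into a deny-by-default low-level policy, and a stream of constructed hypervisor observations is checked against it; anything outside the SLA is reported as a deviation, which is the "reason for suspicion, for lockdown" the talk describes. The SLA fields, the event shapes and the sample events are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# A per-appliance SLA as a client might write it (constructed; field names are assumptions).
SLA: Dict[str, Any] = {
    "appliance": "data-service-appliance",
    "listen_ports": [443],
    "outbound": [["10.0.5.0/24", 5432]],        # only the database subnet, only PostgreSQL
    "max_cpu_pct": 60,
    "max_mem_mb": 2048,
    "allowed_executables": ["/usr/sbin/httpd", "/usr/bin/python"],
}


@dataclass(frozen=True)
class LowLevelPolicy:
    """What the hypervisor actually enforces: closed sets and hard limits."""
    listen_ports: frozenset
    outbound: Tuple[Tuple[ipaddress.IPv4Network, int], ...]
    max_cpu_pct: int
    max_mem_mb: int
    executables: frozenset


def compile_sla(sla: Dict[str, Any]) -> LowLevelPolicy:
    """Translate the high-level SLA into the low-level policy. Anything the SLA does not
    mention is not permitted, so the sandbox is exactly as tight as the SLA is detailed."""
    return LowLevelPolicy(
        listen_ports=frozenset(sla.get("listen_ports", [])),
        outbound=tuple((ipaddress.ip_network(net), port) for net, port in sla.get("outbound", [])),
        max_cpu_pct=sla.get("max_cpu_pct", 0),
        max_mem_mb=sla.get("max_mem_mb", 0),
        executables=frozenset(sla.get("allowed_executables", [])),
    )


def check_event(policy: LowLevelPolicy, ev: Dict[str, Any]) -> Tuple[bool, str]:
    """Decide one hypervisor observation. Unknown event kinds count as deviations too."""
    kind = ev.get("type")
    if kind == "listen":
        return ev["port"] in policy.listen_ports, f"listen on {ev['port']}"
    if kind == "connect":
        dst = ipaddress.ip_address(ev["dst"])
        ok = any(dst in net and ev["port"] == port for net, port in policy.outbound)
        return ok, f"connect to {ev['dst']}:{ev['port']}"
    if kind == "exec":
        return ev["path"] in policy.executables, f"exec {ev['path']}"
    if kind == "cpu":
        return ev["pct"] <= policy.max_cpu_pct, f"cpu {ev['pct']}%"
    if kind == "mem":
        return ev["mb"] <= policy.max_mem_mb, f"mem {ev['mb']} MB"
    return False, f"unknown event {kind!r}"


def enforce(policy: LowLevelPolicy, events: List[Dict[str, Any]]) -> List[str]:
    """Return the deviations from the SLA; the caller decides on throttling or lockdown."""
    deviations = []
    for ev in events:
        ok, what = check_event(policy, ev)
        if not ok:
            deviations.append(what)
    return deviations


def lockdown_recommended(deviations: List[str], tolerance: int = 0) -> bool:
    """Deviation from the SLA is the trigger; tolerance lets a site accept some noise."""
    return len(deviations) > tolerance


# Constructed sample of what a hypervisor's monitor might report for this appliance.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"type": "listen", "port": 443},
    {"type": "connect", "dst": "10.0.5.7", "port": 5432},
    {"type": "exec", "path": "/usr/sbin/httpd"},
    {"type": "cpu", "pct": 35},
    {"type": "connect", "dst": "198.51.100.9", "port": 6667},   # not in the SLA
    {"type": "exec", "path": "/bin/nc"},                         # not in the SLA
    {"type": "cpu", "pct": 95},                                  # above the SLA limit
    {"type": "listen", "port": 22},                              # not in the SLA
]


if __name__ == "__main__":
    found = enforce(compile_sla(SLA), SAMPLE_EVENTS)
    print(found, lockdown_recommended(found))
```

    The point of the closed-world compile step is the one the slides make about cost: an appliance whose SLA lists two executables and one outbound destination gives the monitor almost nothing to learn and the attacker almost nothing to use, whereas an SLA that only says "2 cores, 2 GB" permits everything else by omission.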

  • Limit Consequences of Compromise

    Limit damage of possible compromise: least privilege operation

    Detection of compromise: abnormal behavior

    Limit damage of detected compromise: isolation

    Investigation: forensic evidence

    Determination of result integrity: provenance

    Fast recovery: roll-back to well-known state

  • Conclusion

    Cloud Computing: lots of promise but also lots of issues to address before general deployment. Security-as-a-Service: new hot area

    Interesting challenges associated with VM-security (trust, identity, correctness)

    VM-technologies could substantially improve the secure deployment of clients and services: isolation, resource usage policy enforcement, compromise detection/recovery, secure VM-Svc, nested hypervisors, fine-grained SLA, etc.

    Many exciting research & business opportunities! Many topics are researched now/already, but the field is still wide open