Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[BruCON] The Belgian beer lovers guide to Cloud Security

Craig Balding – The Belgian beer lovers guide to Cloud Security

High-level talk covering cloud security with the goal of getting people thinking about what's possible.

The CFO's view of cloud computing is purely bottom line: the fewer things that appear on the balance sheet, the better for the company. This isn't always better for security.

Speed of provisioning makes it an easy sell to the CEO.

Not everyone is happy – IT Security people are cynical people. Same problems in a different guise. From a security standpoint though, we as security professionals need to know about it. The business wants the cloud, so we have to work with it.

Cloud is painting a vision that doesn’t yet exist. Marketing is out of sync with their engineering department. Easy to write it off, but it shouldn’t be that way.

Talking about the cloud is hard. There are so many different kinds. It's like walking into a Belgian pub and asking for a beer. Sure, but what kind of beer do you want?

Cloud properties .:

  • Abstraction of Resources
  • On Demand
  • Elastic
  • Scalable
  • API
  • as a Service (aaS)

Virtualisation != Cloud != Virtualisation

Dynamic resources meet static security – The systems you have to secure are flexible, constantly growing and changing, so how do your security measures adapt to that?

Cloud != Outsourcing

You can visit an outsourcing company to check them out. Any large cloud company won’t be willing to show you around the data-center. Cloud is more of a black box solution, with an API interface.

Cloud platforms are often open-source software stitched together behind an API. These combinations and uses are all new. New doesn't mean secure. Untested combinations are dangerous.

  • Infrastructure as a service (e.g. virtual servers)
  • Platform as a service (e.g. Google AppEngine, …)
  • Software as a service (e.g. Salesforce.com, …)

With software as a service there is no longer a dedicated machine or environment for your software; the platform is shared amongst many companies.

Cloud Taxonomy and Ontology ==> More details can be found HERE
Jericho Cloud Cube ==> More details can be found HERE

Cloud can be public or private. Virtual private cloud solutions using VPNs to connect you to the cloud. The level of sharing here opens up attack vectors where moving from the public cloud to the private cloud could be possible. VPN driver vulnerabilities?

Government clouds — Apps.gov offering cloud storage, software development, virtual machines for government use

Cloud specific security concerns .:

  • What are they hiding in the basement – Where is your data stored?
  • Uptime – Is 99.9% enough?
  • Lock-in – Can you get your VMs out if you need to? What format are they in? Apps coded to a specific API?
  • Multi Tenancy – Shared systems with mixed security. Shared databases with mixed customer data.
  • Change Control – What did they change and when? Do Google have change logs? Are they public?
  • Visibility – What logs do you have? Can you see if somebody is brute-forcing your account?
  • Cloud Layers – Services layered on top of services. Subcontractors. What risk level do these dependencies introduce?
  • Identity – Multiple accounts. Problems in-house, worse on the internet. SSO for the cloud? Using your AD to authenticate in the cloud?
  • SLAs – Have you read them? How often are they changed? Can you negotiate better SLAs?
  • Terms of Service – If they screw up you get service credit? Is that OK if you're down a week or more?
  • Legal Issues – (Search & Seize) – What if the FBI takes the servers out of the datacenter?
  • Auditor – They've only just learnt about virtualization, do they know what cloud is?
  • Pay As You Go – Paying with a credit card. Where are your payment details stored? Do they have anti-fraud systems? Attackers driving up your CPU usage or bandwidth may cost you more. Can you set a limit?
  • Data Wiping – Can't do it. You can delete them, but there's no REALLYDELETETHIS API call.
  • Distributed Programming – Developers have to code to the API, are they experienced with distributed environments? Race conditions.
  • Cloud APIs – Protected through SSL. Other options

How can a tester (PCI, pentester, …) verify your security? Will the systems be the same tomorrow as they are today? It's like changing a tyre at 70mph.

The cloud is like the wild-wild-west right now.

More researchers are needed to really shed light on these security issues.

Cloud Security Alliance – Shape the future of Cloud

Cloudsecurity.org – Craig Balding's blog
