Csa about-threats-june-2010-ibm

Cloud Security Alliance: Assuring the future of

Cloud Computing

Sergio Loureiro, CSA founding [email protected]

IBM La Gaude, 23rd June 2010

www.cloudsecurityalliance.orgCopyright © 2010 Cloud Security Alliance

About the Cloud Security Alliance• Global, not-for-profit organization

• Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, and on and on…

• We believe Cloud Computing has a robust future, we want to make it better

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education

on the uses of Cloud Computing to help secure all other forms of computing.”

http://www.cloudsecurityalliance.org/


Membership

• 50+ Corporate Members• 12 non-profit affiliations• 10,000 individual members growing

by 300/week• Broad Geographical Distribution• Working Group activities performed

through individual membership class



Corporate Members


http://www.absolute.com/

http://www.arcsight.com/

http://www.arbor.net/

http://www.att.com/

http://www.beyondtrust.com/

http://www.casecentral.com/

http://www.ca.com/

http://www.cisco.com/

http://www.clearpointmetrics.com/

http://www.dell.com/

http://www.fiberlink.com/

http://www.fortify.com/

http://www.forumsys.com/

http://www.google.com/

http://www.hcl.in/

http://www.hp.com/

http://www.intel.com/

http://www.intralinks.com/

http://www.ironmountain.com/

http://www.leadsec.com.cn/

http://www.liveoffice.com/

http://www.loglogic.com/

http://www.mcafee.com/

http://www.microsoft.com/

http://www.navisite.com/

http://www.netwitness.com/

http://www.nsfocus.com/

http://www.novell.com/

http://www.oracle.com/

http://www.pgp.com/

http://www.pingidentity.com/

http://www.qualys.com/

http://www.rackspace.com/

http://www.rsasecurity.com/

http://www.safenet-inc.com/

http://www.solutionary.com/

http://www.sonoasystems.com/

http://www.symantec.com/

http://terremark.com/

http://trendmicro.com/

http://trustwave.com/

http://veracode.com/

http://verisign.com/

http://verizonbusiness.com/

http://www.vmware.com/

http://www.vordel.com/

http://www.websense.com/

http://www.whitehatsec.com/

http://www.zscaler.com/

http://www.3par.com/


S-P-I Framework

IaaSInfrastructure as a Service

You buildsecurity in

You “RFP”security in

PaaSPlatform as a Service

SaaSSoftware as a Service



Top Threats to Cloud Computing

Cloud Security Risks / Threats•Shared Technology Vulnerabilities •Data Loss/Data Leakage•Malicious Insiders •Account Service or Hijacking of Traffic• Insecure APIs •Nefarious Use of Service •Unknown Risk Profile



Shared Technology Vulnerabilities

• Exposed hardware, operating systems, middleware, application stacks and network components may posses known vulnerabilities

Description

• Successful exploitation could impact multiple customers

Impact

• Cloudburst - Kostya Kortchinksy (Blackhat 2009)• Arbitrary code execution vulnerability identified in VMware

SVGA II device, a virtualized PCI Display Adapter• Vulnerable component present on VMware Workstation,

VMware Player, VMware Server and VMware ESX

Example



Data Loss / Data Leakage

• Data compromise due to improper access controls or weak encryption

• Poorly secured data is at greater risk due to the multi-tenant architecture

Description

• Data integrity and confidentiality

Impact

• Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds (UCSD/MIT)• Research detailing techniques to ensure that images are

deployed on the same physical hardware as a victim and then leveraging cross-VM attacks to identify data leakage

Example



Malicious Insiders

• Employees of the cloud vendor may abuse privileges to access customer data/functionality

• Reduced visibility into internal processes may inhibit detection of the breach

Description

• Data confidentiality and integrity• Reputational damage• Legal repercussions

Impact

• Google Investigates Insider Threat After China Hack (eWeek)• “Google is investigating whether some of its own staff are behind

the repeated attempts to hack into the Gmail accounts of Chinese human rights activists”

Example



Interception or Hijacking of Traffic

• Intercept and/or redirect traffic destined for the clients or cloud

• Steal credentials to eavesdrop or manipulate account information / services

Description

• Confidentiality and integrity of data• Damage to reputation• Consequences (legal) from malicious use of resources

Impact

• Twitter DNS account compromise• Zeus botnet C&Cs on compromised Amazon EC2 accounts

Example



Insecure APIs

• APIs designed to permit access to functionality and data may be vulnerable or improperly utilized, exposing applications to attack

Description

• Data confidentiality and integrity• Denial of service

Impact

• P0wning the Programmable Web (Websense – AusCERT 2009_• 80% of tested applications not using available security in

APIs (e.g. unencrypted traffic and basic authentication)• Demonstrated CSRF, MITM and data leakage attacks

Example



Nefarious Use of Service

• Attackers are drawn to the cloud for the same reasons as legitimate consumers – access to massive proceesing power at a low cost

Description

• Password cracking, DDoS, malware hosting, spam, C&C servers, CAPTCHA cracking, etc.

Impact

• Current search of MalwareDomainList.com for ‘amazonaws.com’ returns 21 results

• “In the past three years, ScanSafe has recorded 80 unique malware incidents involving amazonaws” – ScanSafe blog

• Amazon's EC2 Having Problems With Spam and Malware - Slashdot

Example



Unknown Risk Profile

• A lack of visibility into security controls could leave cloud consumers exposed to unnecessary risk.

Description

• Significant data breaches could occur, possibly without the knowledge of the cloud consumer.

Impact

• Heartland Payment Systems was “willing to do only the bare minimum and comply with state laws instead of taking the extra effort to notify every single customer, regardless of law, about whether their data [had] been stolen.” http://www.pcworld.com/article/158038/heartland_has_no_heart_for_violated_customers.html

Example



Top Threats - Status

• Top threats list will be updated 2x per year

Revisions

• Recommended changes will be solicited from CSA participants

• Panel of judges will be established with representation from the security community, solution providers and cloud consumers

• Recommendations will be summarized and solicited to judges for review

• Judges will vote on any recommended changes• Contact project team to recommend judges

Process



CSA Research Projects

Go to www.cloudsecurityalliance.org/Research.html for Research dashboard and Working Group signup


http://www.cloudsecurityalliance.org/Research.html


CSA Guidance Research

Guidance > 100k downloads: cloudsecurityalliance.org/guidance

Governance and Enterprise Risk Management

Legal and Electronic Discovery

Compliance and Audit

Information Lifecycle Management

Portability and Interoperability

Security, Bus. Cont,, and Disaster Recovery

Data Center Operations

Incident Response, Notification, Remediation

Application Security

Encryption and Key Management

Identity and Access Management

Virtualization

Cloud Architecture

Op

erat

ing

in

th

e C

lou

d

Go

vernin

g th

e C

lou

d

• Popular best practices for securing cloud computing

• 13 Domains of concern – governing & operating groupings

• Foundation for CSA research


http://cloudsecurityalliance.org/guidance


CSA Guidance Research - Status

Governance and Enterprise Risk Management

Legal and Electronic Discovery

Compliance and Audit

Information Lifecycle Management

Portability and Interoperability

Security, Bus. Cont,, and Disaster Recovery

Data Center Operations

Incident Response, Notification, Remediation

Application Security

Encryption and Key Management

Identity and Access Management

Virtualization

Cloud Architecture

Op

erat

ing

in

th

e C

lou

d

Go

vernin

g th

e C

lou

d

• Ver 2.1 released Dec 2009

• Ver 3 mid-2011

• 2010 focus

• Translations

• Wiki format

• Per domain whitepapers (not official guidance)



Guidance Highlights - Governance• Best opportunity to secure cloud engagement

is before procurement – contracts, SLAs, architecture

• Know provider’s third parties, BCM/DR, financial viability, employee vetting

• Identify data location when possible

• Plan for provider termination & return of assets

• Preserve right to audit

• Reinvest provider cost savings into due diligence



Guidance Highlights - Operating• Encrypt data when possible, segregate key

mgt from cloud provider

• Adapt secure software development lifecycle

• Understand provider’s patching, provisioning, protection

• Logging, data exfiltration, granular customer segregation

• Hardened VM images

• Assess provider IdM integration, e.g. SAML, OpenID



CSA Research Projects

• Cloud Controls Matrix Tool

• Trusted Cloud Initiative

• Consensus Assessments Initiative

• Cloud Metrics Research



Contact

• Help us secure cloud computing

• www.cloudsecurityalliance.org

• [email protected]

• LinkedIn: www.linkedin.com/groups?gid=1864210

• Twitter: @cloudsa



http://www.linkedin.com/groups?gid=1864210


Summary• Cloud Computing is real and transformational

• Challenges for People, Process, Technology, Organizations and Countries

• Broad governance approach needed

• Tactical fixes needed

• Combination of updating existing best practices and creating completely new best practices

• Adapting controls into “all virtual” environment


www.cloudsecurityalliance.org

Thank [email protected]

Blog elastic-security.com, Twitter @elasticsecurity


mailto:[email protected]

Csa about-threats-june-2010-ibm

Technology

enterprise

specific operational

auditinformation

access managementvirtualizationcloud

cloud security

research projects

key managementidentity

flagship research