encrypt. protect. trust. - NIAS 2019 – secunet Workshop

Dr. Kai Martius, Chief Technology Officer, secunet, October 15th 2019, NIAS Workshop: How to achieve conscious competence in controlling & protecting your data in a cloud infrastructure - A CTO’s view

Page 1

Dr. Kai Martius

Chief Technology Officer – secunet

October 15th 2019

NIAS Workshop

How to achieve conscious competence in controlling & protecting your data

in a cloud infrastructure - A CTO’s view

Page 2 (15.10.2019 NIAS 2019 – secunet Workshop)

Cloud Infrastructure – Areas of impact

Opportunities

o Economic efficiency

o Sustainability

o Efficiency of resources

o Operating models

o Self Service

o Scalability

Risks

o Confidence and security

o Verifiability

o Dependency

o Data sovereignty

o Selection of applications

o Selection of suppliers / in-house operation

o Data security

Page 3

Motivation Example

Energy consumption in data centers

Source: Nature 561, 163-166 (2018)

[Graphic labels on the slide: Big Data, Internet of Things, Machine Learning, Cryptocurrency, Deep Learning, Smart Cities, Blockchain, Digital Energy, Virtual Reality, 5G]

Page 4

To ensure:

Consistent encryption of data

End-to-end security

Cryptographic client separation

Potential approach: Providing a secure, sustainable and energy-efficient cloud solution

Page 5

Potential solution

An OpenStack-based „Cloud Operating System“

Page 6

Strong Access Control

Data Sovereignty

Defense-in-Depth

Secure cloud solution - Layers of Improvement

Secured Access to Infrastructure

Isolation / Protection of Tenant-Networks

Control over Crypto Keys by Tenants

Encryption of User Data In Block Storage

Encryption and Signature of Images

Hardening and Protection of Infrastructure

Page 7

Hardening and Protection of Infrastructure

Risks

Weaknesses in OpenStack services

Misconfiguration

External attacks against the host (Linux) and OpenStack platform (REST services, databases, RPC services)

VM breakout leading to an „internal“ attack on host and OpenStack platform

Countermeasure 1: Encryption / Authentication / Policy Enforcement between OpenStack services

TLS-based authentication and encryption of REST-based services

Group-key based encryption of RPC-based services

Definition (and enforcement) of communication policies based on Use Cases

Countermeasure 2: classical hardening of the Linux platforms

iptables, minimization

Sandboxing of OpenStack Services

VM hardening
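The "communication policies based on use cases" in Countermeasure 1 only help if someone checks that the observed service-to-service traffic actually matches them. The following is an added example (not secunet's implementation, and not how the workshop's own enforcement works) of the defender-side check: a small allowlist of which OpenStack service may talk to which, plus the requirement that REST calls run over TLS and RPC messages carry group-key protection, evaluated against constructed connection records. The policy table, the record format and the sample records are assumptions made for illustration; the service names are standard OpenStack components and the ports are OpenStack defaults.

```python
"""Detecting service-to-service connections that violate a use-case policy.

Added example, not secunet's implementation. The policy table, the record
format and the sample records are constructed for illustration; the service
names are standard OpenStack components and the ports are OpenStack
defaults (keystone 5000, nova-api 8774, glance-api 9292, cinder-api 8776,
neutron-server 9696, rabbitmq 5672 plain / 5671 TLS, mysql 3306).
"""
import re
from dataclasses import dataclass

# Allowed (source, destination) pairs, derived from the use cases each service
# needs. Anything outside this table is suspicious: a compute host opening the
# database directly is not a legitimate flow, but it is what follows a VM
# breakout onto the host. (Constructed policy, not a complete OpenStack matrix.)
ALLOWED_FLOWS = {
    ("nova-api", "keystone"), ("nova-api", "mysql"), ("nova-api", "rabbitmq"),
    ("nova-api", "glance-api"), ("nova-api", "neutron-server"),
    ("nova-compute", "keystone"), ("nova-compute", "rabbitmq"),
    ("nova-compute", "glance-api"), ("nova-compute", "cinder-api"),
    ("nova-compute", "neutron-server"),
    ("glance-api", "keystone"), ("glance-api", "mysql"),
    ("cinder-api", "keystone"), ("cinder-api", "mysql"), ("cinder-api", "rabbitmq"),
    ("neutron-server", "keystone"), ("neutron-server", "mysql"),
    ("neutron-server", "rabbitmq"),
}

# REST endpoints must be reached over TLS; RPC traffic must carry the group-key
# protection the slide describes. "protected=yes/no" stands for either one.
REST_SERVICES = {"keystone", "nova-api", "glance-api", "cinder-api", "neutron-server"}
RPC_SERVICES = {"rabbitmq"}

# Constructed record format: "<timestamp> src=<svc> dst=<svc> port=<n> protected=yes|no"
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"port=(?P<port>\d+) protected=(?P<protected>yes|no)$"
)


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    reasons: tuple


def check_connection(src, dst, protected):
    """Return the policy violations for one connection (empty tuple if clean)."""
    reasons = []
    if (src, dst) not in ALLOWED_FLOWS:
        reasons.append("flow not covered by any use case")
    if dst in REST_SERVICES and not protected:
        reasons.append("REST call without TLS")
    if dst in RPC_SERVICES and not protected:
        reasons.append("RPC message without group-key encryption")
    return tuple(reasons)


def audit(records):
    """Parse connection records and return one Finding per violating record."""
    findings = []
    for line in records:
        m = RECORD_RE.match(line.strip())
        if m is None:
            findings.append(Finding("?", "?", "?", ("unparseable record",)))
            continue
        reasons = check_connection(m["src"], m["dst"], m["protected"] == "yes")
        if reasons:
            findings.append(Finding(m["ts"], m["src"], m["dst"], reasons))
    return findings


# Constructed sample records (not real logs).
SAMPLE_RECORDS = [
    "2019-10-15T10:00:01Z src=nova-api dst=keystone port=5000 protected=yes",
    "2019-10-15T10:00:02Z src=nova-compute dst=rabbitmq port=5671 protected=yes",
    "2019-10-15T10:00:03Z src=nova-compute dst=mysql port=3306 protected=no",
    "2019-10-15T10:00:04Z src=nova-api dst=glance-api port=9292 protected=no",
    "2019-10-15T10:00:05Z src=unknown-host dst=rabbitmq port=5672 protected=no",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"{f.timestamp} {f.src} -> {f.dst}: {', '.join(f.reasons)}")
```

Of the five constructed records, the first two are clean; the compute-to-database record is flagged purely because the flow is not in any use case, the unencrypted Glance call is flagged as a missing-TLS violation, and the unknown host reaching RabbitMQ trips both rules. In a real deployment the records would come from the host firewall logs or connection tracking that Countermeasure 2 already produces.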

Page 8

Isolation of Tenant Networks

Risks

Eavesdropping on user data on the network

Misconfiguration (mixing up different tenants’ data flows)

Attacking user workloads (VMs)

Countermeasure: Encryption / Authentication of Tenant’s network traffic

MACsec based Layer 2 encryption of Tenant networks throughout the Cloud infrastructure

Group-key management layer based on secunet’s SOLID technology

Integration in OpenStack Neutron machinery to set up keys on virtual MACsec network interfaces

Page 9

Encryption of User data in Block Storage

Risks

Manipulation of User Workload in Guest VMs at storage nodes

Eavesdropping of Data Blocks on the network while accessing storage nodes / Cinder Service

Countermeasure: (Re)Encryption of Images before they are copied into Volumes

Block-based file / storage encryption with Tenant-provided keys

Integration of Tenant-”Intervention” to provide Image / Volume key during creation of Volumes

Page 10

Encryption and Signature of Images

Risks

Manipulation of User Workload in Guest VMs at a central place (Glance) even before VMs are created

Eavesdropping of Data Blocks on the network while accessing storage nodes / Glance Service

Countermeasure: Encryption / Signature of Images before upload

Block-based file / storage encryption and signature on Tenant premises (hybrid encryption)

At that point, the key can stay on Tenant premises

Encrypted image upload in Glance

At the time images are accessed and ported into volumes, the User / Owner has to present the key

Page 11

Control over Crypto Keys by Tenants

Risks

Even if data is encrypted, unauthorized access to keys could make encryption useless

Keys in a (central) storage (Barbican) or even HSMs in the Cloud are more risky than keys staying on User’s premises

Countermeasure: Keys in User Hand

Hierarchical key management

Involving the user explicitly within the access process to encrypted data

“Call-back” / SmartCard based two-factor key protection possible by design

Integration in OpenStack processes (VM creation, different storage types, Image / Volume / Ephemeral Storage…)
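Pages 10 and 11 describe one control flow: the image is encrypted and signed on tenant premises, Glance stores only the protected blob, and the tenant is called back for the key when a volume is created from it, so a manipulated image is detected before any VM boots from it. The following is an added example of that flow (not secunet code and not its SOLID or SINA implementation), written against the Python standard library only, which is why the primitives are demonstration stand-ins: HKDF-SHA256 (RFC 5869) derives per-image keys from a tenant master key, an HMAC-SHA256 counter-mode keystream provides the encryption, and an HMAC tag in encrypt-then-MAC order plays the role of the image signature. The salt label, image id and payload are constructed; a real deployment would use AES-GCM and an asymmetric signature, but the key hierarchy and the verify-before-use step are the same.

```python
"""Tenant-held keys for image protection: key hierarchy and verify-before-use.

Added example, not secunet code. Standard-library stand-ins: HKDF-SHA256 for the
key hierarchy, HMAC-SHA256 counter mode for encryption, HMAC tag as the
"signature". The master key never leaves the tenant; the cloud holds only
ciphertext, nonce and tag; volume creation calls the tenant back for the key.
"""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
# Constructed salt label; a real deployment would use a per-tenant random salt.
SALT = b"nias2019-demo-salt"


def hkdf(ikm, salt, info, length=32):
    """HKDF-Extract then HKDF-Expand (RFC 5869) with SHA-256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_image_keys(tenant_master, image_id):
    """Hierarchy: tenant master key -> independent per-image encryption and MAC keys."""
    enc_key = hkdf(tenant_master, SALT, b"image-enc:" + image_id.encode())
    mac_key = hkdf(tenant_master, SALT, b"image-mac:" + image_id.encode())
    return enc_key, mac_key


def keystream(key, nonce, length):
    """PRF counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), HASH).digest()
        counter += 1
    return out[:length]


def protect_image(tenant_master, image_id, image_bytes):
    """Tenant side, before upload: encrypt then tag; only this blob goes to Glance."""
    enc_key, mac_key = derive_image_keys(tenant_master, image_id)
    nonce = secrets.token_bytes(16)
    ks = keystream(enc_key, nonce, len(image_bytes))
    ciphertext = bytes(p ^ k for p, k in zip(image_bytes, ks))
    tag = hmac.new(mac_key, image_id.encode() + nonce + ciphertext, HASH).digest()
    return {"image_id": image_id, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unprotect_image(tenant_master, blob):
    """Volume creation: the tenant presents the master key; verify before decrypting."""
    enc_key, mac_key = derive_image_keys(tenant_master, blob["image_id"])
    expected = hmac.new(mac_key, blob["image_id"].encode() + blob["nonce"]
                        + blob["ciphertext"], HASH).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("image tag mismatch: refusing to create volume from this image")
    ks = keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], ks))


def glance_tamper(blob, offset):
    """Simulates manipulation of the stored image at the central place (Glance)."""
    data = bytearray(blob["ciphertext"])
    data[offset] ^= 0x01
    return {**blob, "ciphertext": bytes(data)}


if __name__ == "__main__":
    master = secrets.token_bytes(32)                # stays on tenant premises
    image = b"\x7fELF constructed image payload " * 8  # stand-in for an image
    stored = protect_image(master, "img-0001", image)   # what the cloud holds
    assert unprotect_image(master, stored) == image
    try:
        unprotect_image(master, glance_tamper(stored, 3))
    except ValueError as err:
        print("tampered image rejected:", err)
```

Two properties of the slides are visible in the code: nothing in the stored blob lets the cloud derive either per-image key, because both come from the master key through HKDF, and a wrong key or a manipulated block fails the tag check before a single byte is decrypted, which is the point of signing at upload and verifying at volume creation rather than trusting what sits in Glance.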

Page 12

Secured Access to Cloud Infrastructure

Risks

Eavesdropping / Manipulation of Data on the network through the Internet and inside the Cloud Infrastructure

Unauthorized access to User VMs

Risks on Client side due to weak network protection of Client host platform

Countermeasure: Strong Layer 3 VPN Encryption of Data

Client-side: IPsec VPN / SINA Workstation as a secure endpoint to protect local data and access into Cloud infrastructure

Cloud-side: Virtual SINA Box appliance connecting the Cloud network infrastructure / Internet access to the Tenant’s virtual network (which itself is protected by MACsec encryption)

Integration of SINA Box into the OpenStack Secure Router concept

Page 13

The desired outcome

Providing a secure, sustainable and energy-efficient cloud solution

[Diagram: lifecycle phases Planning, Building, Operating; cross-cutting elements PKI, Key Management, Certification, Secure Clients, Secure networks; stack layers from top to bottom: applications, virtual infrastructure / platform, applications, virtualization, compute / storage / network, physical infrastructure]

Page 14