PCTY 2012, Cloud security (real life) v. Ulf Feger
Cloud Security
Ulf Feger
Security Architect, CISSP, COBIT Practitioner (ISACA)
Cloud Security & Security Solutions, IBM Security Systems Division
Member of the Board, Cloud Security Alliance, German Chapter
Abstract: Cloud security, or security for the cloud, is neither a "big bang" nor something completely new. It is a transformation process: taking existing methodologies and technologies and adapting them depending on the cloud business road you are taking.
This is not limited to technology assets; it also includes policies, processes and, of course, the handling of (business) expectations.
What might such a roadmap look like, and is it then limited to security only?
2
Cloud & Security
Customer Expectations and Experiences
- Healing by touching – or: Cloud is a devil
- The Cloud – yes, of course with Security – solves all our security challenges, we will have no problems anymore
- Open discussions: I know what I know, and to be honest, tell me what I should know
- What you tell me is not Cloud security, that's security
- The roadmap to Cloud & Security
Customer expectations towards IBM:
- Understand their environment (on the given information)
- Understand their security concepts & architecture (on the given information)
- Be able to talk to network people, software architects, security architects
- Provide insight, give feedback
What we do:
- All of the above
- Open discussions in a highly political environment
- Offer more input based on existing material like the BSI MindMap
- Feed people with new ideas like VSP; Cloud Security is more than some techie stuff only
The Fortress
Transformation of Security, of Security Awareness, of the Need for Security
Who is attacking our networks?
Zeus Crimeware Service
Hosting costs $50 for 3 months. This includes the following:
# Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via internet explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer integrated.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit“
We also host normal ZeuS clients for $10/month. This includes a fully set up zeus panel/configured binary
FUD = Fully Undetectable
The Fortress The User
Transformation of Security, of Security Awareness, of the Need for Security
- Ernst & Young
- Daimler
- Deutsche Bank
- wecon-it consulting
- TU Darmstadt
- Siemens
- Fraunhofer AISEC
- Verizon
- Suse/Novell
- Vodafone
- Siemens Communications
- NetApp
- T-Systems
- Detecon
- IBM
- more coming soon
Cloud Reference Architecture
for Enterprise Architects
Risk versus Potential
Risk is doing something, and
risk is not doing it. (from CISM® Review Manual 2012)
IBM Cloud Computing Reference Architecture
The IBM CC RA represents the aggregate experience across hundreds of cloud client engagements and the implementation of IBM-hosted clouds
– Based on knowledge of IBM's services, software & system experiences, including IBM Research
The IBM Cloud Computing Reference Architecture (CC RA) is reflected in the design of
– IBM-hosted cloud services
– Clouds IBM implements for clients
– IBM cloud appliances
– IBM cloud service management products
The CC RA focuses on cloud specifics such as radical cost reduction while achieving high degrees of security, reliability, scalability and control
The CC RA consists of 21 detailed documents representing best-of-industry knowledge and insight on how to architect, design and implement clouds
CC RA overview diagram (only the labels survive extraction): Governance; Security, Resiliency, Performance & Consumability; the roles Cloud Service Creator, Cloud Service Consumer and Cloud Service Provider; the Common Cloud Management Platform (CCMP) with Operational Support Services (OSS) and Business Support Services (BSS); Cloud Services delivered as Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service and Business-Process-as-a-Service; Cloud Service Integration Tools, Consumer In-house IT, Service Creation Tools, Infrastructure, and Existing & 3rd party services, Partner Ecosystems.
OpenGroup submission: http://www.opengroup.org/cloudcomputing/uploads/40/23840/CCRA.IBMSubmission.02282011.doc
CCRA Whitepaper on ibm.com: http://www.ibm.com/common/ssi/cgi-bin/ssialias?infotype=SA&subtype=WH&appname=GTSE_CI_CI_USEN&htmlfid=CIW03078USEN&attachment=CIW03078USEN.PDF
Cloud Computing Reference Architecture (CC RA) – Security, Resiliency, Performance & Consumability drill-down
Drill-down diagram (only the labels survive extraction; the CC RA layout of the previous slide is repeated with the Security, Resiliency and Consumability components expanded):
Security: Security Policy; Threat & Vulnerability Management; Software, System & Service Assurance; Security Entitlement; Access & Identity Lifecycle Management; Governance; Data policy enforcement; Security Event Management; Data and Information Protection
Resiliency: Data Resiliency; Configuration for Resiliency; Resiliency Monitoring / Analysis; Resiliency Compliance Assessment; Resiliency Policy Management; Availability & Continuity Management
Consumability: Ease of Doing Business; Positive First Use Experience; Rapidly Integrates; Readily Adapts; Simplified Operations
© 2011 IBM Corporation
Architecture Principles
IBM Security Framework: Business Security Reference Model
Diagram (only the labels survive extraction):
Security domains: People and Identity; Data and Information; Application and Process; IT Infrastructure: Network, Server, End Point; Physical Infrastructure; Governance, Risk, Compliance (GRC)
Foundational Security Management: Identity, Access and Entitlement Management; Threat and Vulnerability Management; Data and Information Protection Management; Software, System and Service Assurance; Security Policy Management; Risk and Compliance Assessment; Command and Control Management; Physical Asset Management; IT Service Management
Security Services and Infrastructure: Security Policy Infrastructure; Identity, Access and Entitlement Infrastructure; Security Info and Event Infrastructure; Host and End-point Security; Storage Security; Network Security; Application Security; Physical Security; Service Management Infrastructure; Crypto, Key and Certificate Infrastructure
Repositories: Designs; Config Info and Registry; Data Repositories and Classification; Code and Images; Policies; Identities and Attributes; Operational Context; IT Security Knowledge; Events and Logs; Security Service Levels
Cloud Governance - GRC
.. hey .. and what else ?
.. and what’s the meaning of G R C ?
The majority of corporations avoid the use of Cloud Computing because of security and governance risks and the lack of trust in the service provider1)
1) „Cloud Computing in Germany“ – Survey Results from Deloitte and BITKOM, January 2011
Question: „Do you use cloud computing solutions already, or do you plan to use them in the near future?“
Question: „For which reasons did you decide not to use cloud computing solutions (multiple answers are possible)?“
Yes: 46%, No: 54%
Obstacles for Cloud-Projects (bar chart on a 0%–60% scale; only the bar labels survive extraction):
- Doubts in regard to the long-term availability of the offering
- Risk of loss of Governance / and Control
- Inadequate Data Security / Availability
- Open Compliance or Legal issues
- Risk of a Vendor Lock-In
- No commercial benefit
- Licence issues
Requirements – Cloud Computing & Security (plus GRC + ..)
Security topics – technical & process related
Data Security & Data Privacy
Access Management & Identity Management - IAM
Application and Service Provisioning incl. Removal
Application and Systems test incl. Data Pro- and De-Provisioning
Service Level Agreement – SLA Management
Vulnerability Management – Detection, Scoring, Removal
Threat Analysis
Service Availability incl. local/national load balancing
Auditability & Governance (GRC – Governance, Risk & Compliance)
Cross-border law abiding, e.g. person-related data & processes
Cross-border IC & export laws / export regulations
Billing and Accounting data –information basis for your business & business relationship
Exit-Management
Cloud from the viewpoint of Export Regulations (ER)
An export takes place when ..
Cross Border Cloud Computing
- Cross border clouds – the data crosses the border
- Distributed service offerings means
- The server and data stay in the local country
Root Access
- Who gets which kind or type of root access to/for what?
- What kind of entitlements does this user have or got granted?
Technology and Source Code
- Who is the initiator / exporter? The entity who decides that technology and/or source code is being transmitted?
- It is not the cloud service provider but the cloud user
Understand Compliance requirements – Data Privacy – Data Security
Expectation / Goal: Improvement in Security, Reduction in Cost, Load Optimization
1 Inner Security, Outer Security, Operational Security
2 „How do I prove?“
3 Traceability & verifiability & auditability
4 Focus: „What do I really need?“
5 Security Compliance Management: understand business risks and threats; security guidelines, rules, policies; monitoring & detection; awareness, implementation & automation
Risk – Appetite? Cloud – Workload -> Risk Assessment / Analysis / Accreditation / Certification
Risk matrix (diagram; only the labels survive extraction):
Axes: Probability – impossible (0), insignificant (1), low (2), medium (3), high (4) – against Potential Damage – low (2), medium (3), high (4), very high (4).
Business processes, use cases, assets – matrix items to evaluate: authentication (item 1), data transfer (item 2), ..
Each item is rated per objective: C – Confidentiality, I – Integrity, A – Availability, written as item-objective (e.g. i2-c).
Labels plotted in the matrix: i4-i, i7-a (insignificant row); i1-c, i2-c, i3-c, i3-i, i1-a (medium row); i5-c, i5-i, i5-a, i2-a, i2-c (high row).
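A small helper for the risk matrix described above, added here as an example (it is not code from the presentation): it uses the slide's probability and damage scales and its item-objective notation (i2-c etc.) to place rated items on the matrix and to list those that exceed a stated risk appetite. The item meanings, the sample ratings and the weight 5 for "very high" are assumptions.

```python
from dataclasses import dataclass

# Scales as labelled on the slide: probability on one axis, potential damage
# on the other. The numbers in parentheses on the slide become the weights.
PROBABILITY = {"impossible": 0, "insignificant": 1, "low": 2, "medium": 3, "high": 4}
# The slide labels both "high" and "very high" with (4); 5 for "very high" is
# an assumption so that the top damage class ranks above "high".
DAMAGE = {"low": 2, "medium": 3, "high": 4, "very high": 5}
OBJECTIVES = ("c", "i", "a")  # C - Confidentiality, I - Integrity, A - Availability


@dataclass(frozen=True)
class Rating:
    """One matrix entry: an item (use case / asset) rated for one objective."""
    item: int          # matrix item number, e.g. 1 = authentication, 2 = data transfer
    objective: str     # "c", "i" or "a"
    probability: str   # key of PROBABILITY
    damage: str        # key of DAMAGE

    def __post_init__(self):
        if self.objective not in OBJECTIVES:
            raise ValueError(f"unknown objective {self.objective!r}")
        if self.probability not in PROBABILITY or self.damage not in DAMAGE:
            raise ValueError(f"unknown scale value in {self}")

    @property
    def label(self) -> str:
        return f"i{self.item}-{self.objective}"  # slide notation, e.g. "i2-c"

    @property
    def score(self) -> int:
        return PROBABILITY[self.probability] * DAMAGE[self.damage]


def place_on_matrix(ratings):
    """Map each (probability, damage) cell to the labels plotted in it."""
    cells = {}
    for r in ratings:
        cells.setdefault((r.probability, r.damage), []).append(r.label)
    return cells


def above_appetite(ratings, appetite: int):
    """Ratings whose probability x damage exceeds the accepted risk appetite,
    highest score first; these need treatment or an explicit acceptance
    before the workload moves to the cloud."""
    hits = [r for r in ratings if r.score > appetite]
    return sorted(hits, key=lambda r: (-r.score, r.label))


# Constructed sample (not the slide's data): item 1 = authentication,
# item 2 = data transfer, each rated for C, I and A.
SAMPLE = [
    Rating(1, "c", "medium", "high"),
    Rating(1, "i", "low", "medium"),
    Rating(1, "a", "high", "medium"),
    Rating(2, "c", "high", "very high"),
    Rating(2, "i", "medium", "high"),
    Rating(2, "a", "insignificant", "low"),
]

if __name__ == "__main__":
    for cell, labels in place_on_matrix(SAMPLE).items():
        print(cell, labels)
    for r in above_appetite(SAMPLE, appetite=9):
        print(r.label, r.score)
```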
The Roadmap towards Cloud Security -
a Transformation Process
Concepts, Processes, Tools
Cloud transformation phases to your own cloud. Where's your Security? Does it fit to your risk appetite?
(Roadmap diagram; only the labels survive extraction.)
Phases 1 to 5 towards the Target, each separated by a Transition: 1 Consolidation, 2 Virtualization, 3 Standardization, 4 Automation, 5 Cloud(ization); Elimination runs alongside (Exp: 1 2 3 4 5).
Each phase carries its IT processes and business processes (BusPro).
Security track along the phases: GRC Baseline Security Approval; VSP, SIEM; Compliance rules, Workflows; Approval, Reporting.
The Roadmap to where?
4 (simple) examples of underestimated threats
(Diagram; only the labels survive extraction: four virtualized resource pools, each labelled Power VM, VMware, KVM… Virtualization / Resources, one of them marked x.)
Requirements and Challenges to cover and solve
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Minimum_information/SecurityRecommendationsCloudComputingProviders.html
Eckpunktepapier- Sicherheitsempfehlungen für Cloud Computing Anbieter
More sources:
• IT-Grundschutz
• BSI-Standard 100-2/100-4
• ISO 27001/2
• Cloud Security Alliance – German Chapter, cloudsecurityalliance.org
• ISF – Information Security Forum, www.securityforum.org
• TMForum – TeleManagement Forum, www.tmfourm.org
• Euro Cloud e.V. en.eurocloud.de/
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindestanforderungen/Eckpunktepapier-Sicherheitsempfehlungen-CloudComputing-Anbieter.pdf?__blob=publicationFile
Security Recommendation for Cloud Computing Providers
Supporting Security landscape – What is the aim of my security?
(Identity and access management diagram; only the labels survive extraction.)
Actors and systems: Consumer, Business User, Employee/Staff, Admin(s), Auditor; Internet, Portal, HTTP Server, Windows Apps, Web Apps, Other Apps, WS Gateway, ESB (SOA), HR System, Enterprise Directory, Identity Repository (Person & Account), Security Policy Repository, Identity Store.
Connections: HTTP (incl. SOAP/HTTP) Connection, Web Services Connection, Desktop/Client Connection.
Functions: Web Authentication and Authorization, User Authentication, Web Single Sign-on, Enterprise Single Sign-on, Federated SSO (FedSSO) A&A and FedSSO configuration, Identity Mapping, Identity Synchronisation, Provisioning, Reconciliation, Workflow & Lifecycle, Entitlement Policy, User Self-service, Reporting, Provisioning Engine, Policy Enforce, Web Policy Mgmt, WS Policy Mgmt, SSO Policy Mgmt, Log Collect at each component, Audit Log Consolidation, Audit Policy Compliance Reporting.
Management Domain products: Tivoli Identity Manager (TIM), Tivoli Access Manager for e-business (TAMeb), Tivoli Federated Identity Manager (TFIM), Tivoli Access Manager for Enterprise Single Signon (TAM E-SSO), Tivoli Compliance Insight Manager (TCIM), Tivoli Security Policy Manager (TSPM).
Overlaid on the CC RA blocks Cloud Services, BSS, OSS and Common Cloud Management Platform, with the security landscape providing dynamic adaption.
IT – "traditional"
• Access control incl. rule-based policy management
• User and entitlement management incl. process management and process automation
• Role-based separation of duties
• Security policy management
• Security monitoring, auditing, compliance reporting
• SoD for multi-tenancy
• Reporting (SoD based) – Security Information and Event Management
• Compliance audit & reporting across the IT infrastructure and processes
• Protection and security for the virtualized environment (network / hosts / VMs)
• Protection and compliance tool for server verification
• Configuration and change management
• Connectivity / linkage with YOUR accounting model (Metering & Rating)
Cloud – Service User
User: Service Offering
Duties: Authentication, Authorization, del. Administration, pay the bill
Expectations: SLA Fulfillment, Compliance, Detailed Reporting
Which challenges have to be solved – a long list, a new list?
Cloud – (Service) Provider
• Access control incl. rule-based policy management
• User and entitlement management incl. process management and process automation
• Role-based separation of duties
• Security policy management
• Security monitoring, auditing, compliance reporting
• SoD for multi-tenancy
• Reporting (SoD based) – Security Information and Event Management
• Compliance audit & reporting across the IT infrastructure and processes
• Protection and security for the virtualized environment (network / hosts / VMs)
• Protection and compliance tool for server verification
• Configuration and change management
• Connectivity / linkage with YOUR accounting model (Metering & Rating)
Cloud Dynamics
IBM Cloud Components – more than Virtualization only
1. Ordering / booking from a service catalogue
2. Integration with Service Desk and IT Asset Management + processes
3. Provisioning of the service
4. Integration with Storage Area Network (SAN) and network (pool) AND the Security Management
5. Service Discovery, Change & Configuration Management: Service, Platform
6. Monitoring: Service Monitoring, Platform Monitoring, Performance, Security Alerts, PUMA, …
7. Realtime Management: Event Consolidation regarding the Business Services
8. Collect, Analyze, and Report -> Accounting based on usage / costs / licence model
9. Visualization of the services related to business targets and service agreements
10. Management of Service Level Agreements (SLAs)
11. Exit-Management
Service = Software, Platform, Infrastructure (i.e. Composite Application, Physical / Virtual OS, Middleware, Network, Storage)
Not in all cases will all steps exist in a client engagement
(Diagram backdrop: Cloud Services, BSS, OSS, Common Cloud Management Platform.)
Distributed Cloud Setup
The Cloud – Layers
(Diagram; only the labels survive extraction.)
Layers, bottom-up: 1 Consolidation; 2 Virtualization (Power VM, VMware, KVM… Virtualization); 3 Standardization (Standardization / Service Catalogue / Image Catalogue); 4 Automation (Resource Planning (Request / Quota ..), Request Approval Workflow, Provisioning / Usage / Accounting / Billing / Removal, Process Automation Engine, Dynamic Provisioning, Repository, Resources); 5 “Cloud”.
Cross-cutting: Monitoring, High Availability, Security (secure virtualized environment, Identity & Access Mgmt.); workloads such as Training, Applications, Test/Dev ...
Secure and highly available private cloud
Distributed cloud setup (diagram; only the labels survive extraction): seven virtualized resource pools (Power VM, VMware, KVM… Virtualization / Resources) located in France, Hungary, China, Brazil and Germany, sharing one layer stack: Process Automation Engine; Standardization / Service Catalogue / Image Catalogue; Resource Planning (Request / Quota ..), Request Approval Workflow; Provisioning / Usage / Accounting / Billing / Removal.
http://www.ibm.com/security/cloud-security.html
IBM Cloud Computing: ibm.com/cloudcomputing, ibm.com/de/cloud/
Trustworthy Cloud: tclouds-project.eu/
IBM Enterprise Security: ibm.com/security
IBM Internet Security Systems: ibm.com/services/security
IBM X-Force® Security Alerts and Advisories: xforce.iss.net
Cloud Standards Customer Council: cloud-council.org/
Ulf Feger
Security Architect, CISSP, CP
IBM Security Systems
Gustav-Heinemann Ufer 120, 50968 Köln, Deutschland
Mobile: +49-171-22 619 22
E-Mail: [email protected]
Q&A