Virtual Security in Cloud Networks
Transcript of Virtual Security in Cloud Networks
Virtualization Security is NOT Cloud Security!
Privacy, Security and Trust Issues arising from Cloud
Computing
Flash Talk
General Idea and Agenda
• Understanding the difference between Cloud and Virtualization
• Definition of Cloud computing
• The problem of the cloud
• The common risks
• The real risks
• Possible solutions
• Deeper concerns
Not Focusing on any vendor
Intended Audience
This presentation is more theoretical than technical, so its main audience is:
- All Sysadmins
- Security Auditors
- Infrastructure designers
- Virtualization professionals
“Cloud computing is a model for enabling convenient, on-demand
network access to a shared pool of configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and released with minimal management effort or service
provider interaction.”
NIST definition of Cloud Computing
NIST does not include virtualization as part of its cloud description, so:
CLOUD COMPUTING IS NOT VIRTUALIZATION
Cloud Computing is a new paradigm that offers a number of new features.
Any new paradigm has weaknesses characteristic to its very design.
What is NOT cloud computing
The Power Grid Analogy
What they want us to believe
-Totally secure
-Management Free
-Pay-as-you-go
-No Downtime
The Problem
Organizational Ownership?
Who owns the Virtual network?
Diagram: Physical Network vs. Virtual Network (VMs running services and processes, management layer, physical NICs)
Traditional Security: Who's Watching?
Network Admin
Server Admin
Application Owners
Data Custodians
?
Data becomes part of an abstraction model
People only care about data
So what are the common threats?
As in any model, you just have to find the gaps
More Virtual = More Gaps
Downtimes
Phishing: “hey! check out this funny blog about you...”
Password Cracking
Botnets and Malware
But what are the real threats?
• Ring 3 – User mode rootkits
• Ring 0 – Kernel mode rootkits
• Ring -1 – Hypervisor rootkits
• Ring -2 – SMM rootkits
• Ring -3 – AMT rootkits
Lord of the Rings
• Threat #1: Abuse and Nefarious Use of Cloud
• Threat #2: Insecure Interfaces and APIs
• Threat #3: Malicious Insiders
• Threat #4: Shared Technology Issues
• Threat #5: Data Loss or Leakage
• Threat #6: Account or Service Hijacking
• Threat #7: Unknown Risk Profile
The usual suspects
What should we do about this?
• Enforce Separation of Duties (SOD): don't let one person manage all the devices
SOD makes sure that one individual cannot complete a critical task by himself.
Avoid letting the same person manage both the hosts and the virtual machines.
Use Role Based Access Control
• RBAC is the model used in Virtual Center
FOCUS ON DATA
Network Access Control: access to enterprise network resources is granted based upon authentication
of the user and the device, and only if they are compliant with policy.
Authentication
Authorization
Follow best practices
Security Principle -> Implementation in VI
Least Privileges -> Roles with only required privileges
Separation of Duties -> Roles applied only to required objects
Diagram: roles (Administrator, Operator, User) assigned to users (Anne, Harry, Joe)
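The table above can be read as a small policy model: roles carry only the privileges a job needs, roles are granted per object rather than globally, and a separation-of-duties rule keeps host administration and VM administration apart. The following is an added example (not from the slides or from any vendor's product); the role names, privilege names, inventory paths and the path-prefix inheritance rule are all constructed assumptions.

```python
# Added example modelling the "Implementation in VI" table:
# least-privilege roles, roles scoped to objects, separation of duties.
# Role/privilege names and the inventory are constructed, not real vCenter definitions.
from dataclasses import dataclass

# Least privilege: each role carries only the privileges its job needs.
ROLES = {
    "HostAdmin": {"host.configure", "host.patch"},
    "VMAdmin": {"vm.create", "vm.delete", "vm.migrate"},
    "Operator": {"vm.poweron", "vm.poweroff"},
    "User": {"vm.console"},
}

# Separation of duties: privilege pairs that must never sit with one person
# (host administration and VM administration, as the slide advises).
SOD_CONFLICTS = [("host.configure", "vm.create")]

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    obj: str  # inventory path; assumption: a role on "dc/esx01" also covers "dc/esx01/web01"

def covers(granted_obj: str, target: str) -> bool:
    """A role granted on an object applies to it and to everything beneath it."""
    return target == granted_obj or target.startswith(granted_obj + "/")

def permitted(assignments, user, privilege, obj) -> bool:
    """Roles applied only to required objects: the check is per object, not global."""
    return any(a.user == user and covers(a.obj, obj) and privilege in ROLES[a.role]
               for a in assignments)

def sod_violations(assignments):
    """Users who, across all their roles, hold a conflicting privilege pair."""
    privs = {}
    for a in assignments:
        privs.setdefault(a.user, set()).update(ROLES[a.role])
    return sorted({u for u, p in privs.items()
                   for x, y in SOD_CONFLICTS if x in p and y in p})

# Constructed inventory: Anne manages the host, Harry the VMs, Joe only uses one VM.
GOOD = [
    Assignment("Anne", "HostAdmin", "dc/esx01"),
    Assignment("Harry", "VMAdmin", "dc/esx01"),
    Assignment("Joe", "User", "dc/esx01/web01"),
]
# Same inventory after Anne is also made VMAdmin: one person can now do everything.
BAD = GOOD + [Assignment("Anne", "VMAdmin", "dc/esx01")]

if __name__ == "__main__":
    print(permitted(GOOD, "Joe", "vm.console", "dc/esx01/web01"))  # True
    print(permitted(GOOD, "Joe", "vm.delete", "dc/esx01/web01"))   # False
    print(sod_violations(GOOD), sod_violations(BAD))                # [] ['Anne']
```

Running `sod_violations` over the assignment list is the kind of check an auditor can automate against an exported role inventory to catch the bundled-administrator case the slides warn about.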
Enforce Strong Access Controls
• Security Best Practices (Firewalls, IPS, Patching, Patching, Patching, Patching)
• Secure your VMs as you would physical machines
• Secure the Network
• Use a separate private backup and SAN network
• Use a separate private Management Console network
• Favor Type 1 Hypervisors for Production and Testing Servers
  • VMware ESX Server, Citrix XenServer, MS Hyper-V, etc.
• Favor Type 2 use in Security applications
  • Disable Hardware Acceleration
  • Use QEMU (full emulation mode without kqemu)
  • Disable all sharing features
• Favor Type 2 for Development environments
• Run VMs from different security zones on separate physical hosts
• Use separate physical switches or VLANs in physical switches
• Run different Management stations
• Disable/remove unnecessary virtual hardware
Keep following best practices
So that’s it?
Software-as-a-service Problems
Platform-as-a-service Problems
Infrastructure-as-a-service Problems
What about forensics?
• Most CSPs do not provide incident analysis
• Customers' access to logs is restricted
• Forensics becomes almost impossible
• CSPs force you to trust their security
Incident Analysis
God please save me!
• Possible solutions are:
  • HIDS
  • Virtual Firewalls
  • Catbird Security
  • vShield
• Of course the old ones:
  • Data encryption
  • Data integrity check (during VM transfer)
It's not that bad!