Virtualization Security is NOT Cloud Security!

Privacy, Security and Trust Issues arising from Cloud

Computing

Flash Talk

Who Am I?Marcelo Grebois

grebois@gmail.com

www.linkedin.com/grebois@Grebois

General Idea and Agenda

• Understanding the difference between Cloud and Virtualization

• Definition of Cloud computing

• The problem of the cloud

• The common risks

• The real risks

• Possible solutions

• Deeper concerns

Not Focusing on any vendor

Intended Audience

This presentation is more theorical than technical so its main audience is;

-All Sysadmins-Security Auditors- Infrastructure designers-Virtualization professionals

“Cloud computing is a model for enabling convenient, on-demand

network access to a shared pool of configurable computing resources (e.g., networks, servers, storage,

applications, and services) that can be rapidly provisioned and released with minimal management effort or service

provider interaction.”

NIST definition of Cloud Computing

NIST does not include virtualization as part of their cloud description so;

CLOUD COMPUTING IS NOT VIRTUALIZATION

Cloud Computing is a new paradigm that offers a number of new features.

Any new paradigm has weaknesses characteristic to its very design.

What is NOT cloud computing

The Power Grid Analogy

What they want us to believe

-Totally secure

-Management Free

-Pay-as-you-go

-No Downtime

The Problem

Organizational Ownership?

Who owns the Virtual network?

VMServiceProcess

VMServiceProcess

VMServiceProcessVMService

Process

VMServiceProcessVMService

ProcessVM

VMServiceProcessVMService

ProcessVMServiceProcess

Management

VMVM

Ph

ys

ica

l NIC

s

Physical Network Virtual Network

Traditional Security Who’s Watching?

Network Admin

Server Admin

Application Owners

Data Custodians

?

Data becomes part of an abstraction model

People only care about data

So what are the common threats?

As in any model, you just have to find the gaps

More Virtual = More Gaps

Downtimes

Phishing“hey! check out this funny blog about you...”

19

Password Cracking

Botnets and Malware

But what are the real threats?

• Ring -3 – User mode rootkits• Ring -0 – Kernel mode rootkits

• Ring -1 – Hypervisor rootkits• Ring -2 – SMM rootkits• Ring -3 – AMT rootkits

Lord of the Rings

• Threat #1: Abuse and Nefarious Use of Cloud

• Threat #2: Insecure Interfaces and APIs

• Threat #3: Malicious Insiders

• Threat #4: Shared Technology Issues

• Threat #5: Data Loss or Leakage

• Threat #6: Account or Service Hijacking

• Threat #7: Unknown Risk Profile

The usual suspects

What should we do about this?

Don’t let one person managing all the devices • Enforce Separation of Duties (SOD)

SOD makes sure that one individual cannot complete a critical task by himself.

Avoid the same person can manage the hosts and the Virtual Machine

Use Role Based Access Control

• RBAC is the model used in Virtual Center

FOCUS ON DATA

Network Access Control grants access to enterprise network resources is granted based upon authentication

of the user and device as well as only if compliat with policy

Authentication

Authorization

Follow best practices

Security Principle

Implementation in VI

Least Privileges

Roles with only required privileges

Separation of Duties

Roles applied only to required objects

Administrator

Operator

UserAnne

Harry

Joe

Enforce Strong Access Controls

• Security Best Practices (Firewalls, IPS, Patching, Patching, Patching, Patching)• Secure your VMs as you would physical machines

• Secure the Network• Use Separate Private backup and SAN network• Use Separate Private Management Console network

• Favor Type 1 Hypervisors for Production and Testing Servers• VMWare ESX Server, Citrix XenServer, MS Hyper-V, etc.

• Favor Type 2 use in Security applications• Disable Hardware Acceleration• Use QEmu (full emulation mode w/out kqemu) • Disable all sharing features

• Favor Type 2 for Development environments• Run different security zones VMs on separate physical hosts

• Use separate physical switches or VLANs in physical switches• Run different Management stations

• Disable/remove unnecessary virtual hardware

Keep follow best practices

So that’s it?

Software-as-a-service Problems

Platform-as-a-service Problems

Infrastructure-as-a-service Problems

What about forensics?

• Most CSP does not provide incident analysis

• Access to log is restricted to the customers

• Forensics become almost impossible

• CSP force you to trust in their security

Incident Analysis

God please save me!

• Possible solutions are;• HIDS• Virtual Firewalls• Catbird Security• Vshield

• Of course the old ones;• Data encryption• Data integrity check ( during VMs

transfer )

Is not that bad!