1、CloudComputingSecurityConsiderationsJoeStSauver,Ph.D.SecurityProgramsManager,Internet2internet2.eduInternet2JointTechsSaltLakeCity,Utah4:10-4:30PM,Tuesday,2/2/2010Disclaimer:allopinionsstrictlymyown.Introduction3Some Cautions About Todays Talk/Topic As you likely already know, theres a LOT of hype a
2、ssociated with cloud computing. Im sorry about that (but I cant fix that) Cloud computing is a huge topic. It encompasses diverse models and technologies, even though users and the trade press tend to lump them under a common name. Covering all potential security issues in 20 minutes is simply impos
3、sible. For that matter, please note that were still discovering many of the security issues which will challenge cloud computing! Why? In part, thats because cloud computing is still a work-in-progress. Because it is rapidly evolving, what I tell today you may quickly become irrelevant or obsolete.
4、Nonetheless, theres so much thrust behind cloud computing that we simply dont have the option of sitting back and waiting to understand address cloud computing security issues.4Whats Driving Cloud Computing? Drivers Include Thought leaders: Amazon, Google, Microsoft and many other Internet thought l
5、eaders have all aligned behind the cloud The economy: Because cloud computing should theoretically help sites avoid major new capital expenditures (capex) while also controlling some ongoing operational expenses (opex), cloud computing is potentially a lifesaver for financially strapped businesses,
6、including many major universities. The Feds: Cloud computing has substantial momentum in Washington DC: it was featured in the just-released federal IT budget; Vivek Kundra, the federal CIO, has championed creation of , a “one-stop shop” for cloud computing services for federal agencies; DISA has cr
7、eated a very successful cloud computing project called RACE; and Howard Schmidt, the new federal cyber security coordinator, has said that securing cloud computing will be a top priority.56Apps.Gov (Currently a Bit of A Work In Progress)7DISAs RACE8Our Community Is Also Pressing Ahead Cloud computin
8、g seem to be turning up on pretty much every networking and security mailing list Im on Youve heard/will be hearing a number of cloud computing talks during this weeks meeting, which is probably not surprising since cloud computing was one of Joint Techs explicit focus areas. But Im seeing clouds ev
9、erywhere, not just here at Joint Techs. Heck, Im even seeing clouds (with frequent references to security!) appear in things like the last Internet2 Member Meeting Introduction to Internet2 talk9Cyberinfrastructure Visualized:A Cloud, With Lots of Security References10Why Is Security Everywhere on T
10、hat Slide? Security is generally perceived as a huge issue for the cloud:During a keynote speech to the Brookings Institution policy forum, “Cloud Computing for Business and Society,” Microsoft General Counsel Brad Smith also highlighted data from a survey commissioned by Microsoft measuring attitud
11、es on cloud computing among business leaders and the general population.The survey found that while 58 percent of the general population and 86 percent of senior business leaders are excited about the potential of cloud computing, more than 90 percent of these same people are concerned about the sec
12、urity, access and privacy of their own data in the cloud. 11Source: at slide 17Another Data Point for Clouds and Security12Cloud Computing Is Many Different Things to Many Different People All of the following have been mentioned from time to time as examples of “cloud computing:”- Amazon Web Servic
13、es including the Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), etc.)- Rackspace Cloud (formerly Mosso)- Googles App Engine- Windows Azure Platform (production/for-fee as of today!)- the OGF (including its Open Cloud Computing Interface)- SETIHome, FoldingHome, , etc.- outsourced c
14、ampus email service (to Gmail or L), or outsourced spam filtering (e.g., to Postini or Ironport)- use of virtualization (e.g., VMware) to host departmental systems either on local servers, or on outsourced VPS In reality, some of those activities are not (strictly speaking) whats usually defined as
15、cloud computing, 13Some Generally Accepted Characteristics Most people would agree that true cloud computing- usually has low or zero up front capital costs- largely eliminates operational responsibilities (e.g., if a disk fails or a switch loses connectivity, you dont need to fix it)- for the most
16、part, cloud computing eliminates knowledge of WHERE ones computational work is being done; your job is being run “somewhere” out there in the “cloud”- offers substantial elasticity and scalability: if you initially need one CPU, thats fine, but if you suddenly need 999 more, you can get them, too (a
17、nd with very little delay!) If/when demand drops, you can scale your usage back, too- cloud computing leverages economies of scale (running mega data centers with tens of thousands of computers is far less expensive (per computer) than running a small machine room with just a modest cluster of syste
18、ms)14Some Clouds Wont Necessarily Have All of Those Characteristics For instance, if your site is running a local private cloud:- there WILL be capital expenditures up front,- you (or someone at your site) WILL still care about things like hardware failures, and - you likely WONT have the illusion o
19、f a seemingly infinite inventory of processors (or memory or disk) Nonetheless, a local private cloud service may functionally work the same way as a public cloud service, and hybrid cloud models may even combine private and public cloud services in a fairly seamless way. Ubuntus enterprise cloud of
20、fering is a nice example of this.1516Will Your Campus Offer Private Cloud Services? If you havent been thinking about offering private cloud services, I would suggest that you might want to, including thinking hard about any potential security issues associated with doing so.So What About Security i
21、n the Cloud?For the remainder of this talk, well outline some of the security issues you might run into when using cloud computing18In Some Ways, Cloud Computing SecurityIs No Different Than Regular Security For example, many applications interface with end users via the web. All the normal OWASP we
22、b security vulnerabilities - things like SQL injection, cross site scripting, cross site request forgeries, etc., - all of those vulnerabilities are just as relevant to applications running on the cloud as they are to applications running on conventional hosting. Similarly, consider physical securit
23、y. A data center full of servers supporting cloud computing is internally and externally indistinguishable from a data center full of regular servers. In each case, it will be important for the data center to be physically secure against unauthorized access or potential natural disasters, but there
24、are no special new physical security requirements which suddenly appear simply because one of those facilities is supporting cloud computing19There Are Some Unique Cloud-Related Areas Which Were NOT Going To Worry About Today Contracting for Cloud Services: Even though contractual terms (including t
25、hings like SLAs) can be used to mitigate some risks, Im not a lawyer, and Im not going to pretend to be one, so were not going to cover issues related to contracting for cloud services. Fortunately, NACUA did a great job discussing this topic in a recent seminar, see www.nacua.org/meetings/VirtualSE
26、minars/december2009/home.html Compliance, Auditing and eDiscovery: Because this meeting is primarily about research and education, not business processes and university administration, we will not consider the potential need for cloud computing to be compliant with Payment Card Industry security sta
27、ndards, FERPA, HIPAA, GLBA, or other related compliance mandates. So what are some cloud-related security issues?20The A in The Security C-I-A Objectives Computer and network security is fundamentally about three goals/objectives: - confidentiality (C) - integrity (I), and - availability (A). Availa
28、bility is the area where cloud based infrastructure appears to have had its largest (or at least most highly publicized) challenges to date. For example, consider some of the cloud-related outages which have been widely reported21Bitbucket, DDoSd Off The Air22Maintenance Induced Cascading Failures23
29、Its Not Just The Network: Storage Is Key, TooSee However, see also: Microsoft Confirms Data Recovery for Sidekick Users24And Lets Not Forget About Power Issues25Mitigating Cloud Computing Availability Issues Risk analysts will tell you that when you confront a risk, you can try to eliminate the risk
30、, you can mitigate/minimize the impact of the risk, or you can simply accept the risk. If you truly require non-stop availability, you can try using multiple cloud providers, or you could use public and private cloud nodes to improve redundancy. Some cloud computing services also offer service divid
31、ed into multiple regions. By deploying infrastructure in multiple regions, isolation from single-region-only events (such as the power outage mentioned previously) can be obtained. Availability issues may also be able to be at least partially mitigated at the application level by things like local c
32、aching. Sometimes, though, it may simply make financial sense for you to just accept the risk of a rare and brief outage. (Remember, 99.99 availability= 52+ minutes downtime/yr)26Mitigating Data Loss Risks The risk of data loss (as in the T-Mobile Sidekick case) is an exception to the availability d
33、iscussion on the preceding slide. Users may be able to tolerate an occasional service interrup-tion, but non-recoverable data losses can kill a business. Most cloud computing services use distributed and replicated global file systems which are designed to insure that hardware failures (or even loss
34、 of an entire data center) will not result in any permanent data loss, but I believe there is still value in doing a traditional off site backup of ones data, whether that data is in use by traditional servers or cloud computing servers. When looking for solutions, make sure you find ones that backs
35、 up data FROM the cloud (many backup solutions are meant to backup local data TO the cloud!)27Cloud Computing And Perimeter Security While Im not a huge fan of firewalls (as Ive previously discussed at the Spring 2008 I2MM in Cyberinfrastructure Architectures, Security and Advanced Applications, see
36、 ), at least some sites do find value in sheltering at least some parts of their infrastructure behind a firewall. There may be a misconception that cloud computing resources cant be sheltered behind a firewall (see for example HPs Hurd: Cloud computing has its limits (especially when you face 1,000
37、 attacks a day), Oct 20th, 2009, ) Contrast that with Amazon Web Services: Overview of Security Processes (see the refs at the back). AWS has a mandatory inbound firewall configured in a default deny mode, and customers must explicitly open ports inbound.28Cloud Computing & Host-Based Intrusion Dete
38、ction While Im not very enthusiastic about firewalls, I am a big fan of well-instrumented/well-monitored systems and networks. Choosing cloud computing does not necessarily mean forgoing your ability to monitor systems for hostile activity. One example of a tool that can help with this task is OSSEC
39、 (the Open Source Host-Based Intrusion Detection System), an IDS which supports virtualized environments:29Cloud Computing Also Relies on the Security of Virtualization Because cloud computing is built on top of virtualization, if there are security issues with virtualization, then there will also s
40、ecurity issues with cloud computing. For example, could someone escape from a guest virtual machine instance to the host OS? While the community has traditionally been somewhat skeptical of this possibility, that changed with Blackhat USA 2009, where Kostya Kortchinsky of Immunity Inc. presented Clo
41、udburst: A VMware Guest to Host Escape Story, see BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf Kostya opined: VMware isnt an additional security layer, its just another layer to find bugs in put another way, running a virtualization product increases the attack surface30Choice of Cloud Provider Cloud c
42、omputing is a form of outsourcing, and you need a high level of trust in the entities youll be partnering with. It may seem daunting at first to realize that your application depends (critically!) on the trustworthiness of your cloud providers, but this is not really anything new - today, even if yo
43、ure not using the cloud, you already rely on and trust:- network service providers,- hardware vendors,- software vendors,- service providers,- data sources, etc.Your cloud provider will be just one more entity on that list.31Cloud Provider Location You actually want to know (roughly) where your clou
44、d lives. For example, one of the ways that cloud computing companies keep their costs low is by locating their mega data centers in locations where labor, electricity and real estate costs are low, and network connectivity is good. Thus, your cloud provider could be working someplace you may never h
45、ave heard of, such as The Dalles, Oregon, where power is cheap and fiber is plentiful, or just as easily someplace overseas. If your application and data do end up at an international site, those systems will be subject to the laws and policies of that jurisdiction. Are you comfortable with that fra
46、mework? Are you also confident that international connectivity will remain up and uncongested? Can you live with the latencies involved? 32Cloud Provider Employees If youre like most sites, youre probably pretty careful about the employees you hire for critical roles (such as sysadmins and network e
47、nginers). But what about your cloud provider? If your cloud provider has careless or untrustworthy system administrators, the integrity/privacy of your datas at risk. How can you tell if your cloud provider has careful and trustworthy employees? Ask them!- Do backgrounds get checked before people ge
48、t hired? - Do employees receive extensive in-house training?- Do employees hold relevant certifications? - Do checklists get used for critical operations?- Are system administrator actions tracked and auditable on a post hoc basis if theres an anomalous event?- Do administrative privileges get promp
49、tly removed when employees leave or change their responsibilities?33Cloud Provider Transparency You will only be able to assess the sufficiency of cloud provider security practices if the cloud provider is willing to disclose its security practices to you. If your provider treats security practices
50、as a confidential or business proprietary thing, and wont disclose their security practices to you, youll have a hard time assessing the sufficiency of their security practices. Unfortunately, you may need to consider using a different provider. Remember: Trust, but verify. A proverb frequently quot
