
Security as a Strategy (SaaS)


Securing Cloud Infrastructure


The Cloud Security Alliance (CSA) came out with some new guidance this month on security issues you should consider when deploying or contracting with vendors for various cloud computing solutions.

The three main layers of cloud computing relevant to application security are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Each of these layers has the potential to add new threats to the application’s runtime environment.

The CSA states the questions you should start asking when considering these various scenarios include:

Infrastructure as a Service

  • What mechanisms does the platform provide against DoS and DDoS attacks at the infrastructure and network layers?
  • What threat models are addressed at the infrastructure and network layers?
  • What mechanisms does the platform provide to validate the integrity of the virtual machine images?
  • What protections are in place against BIOS and rootkit-level attacks? Are there detection and response plans in place if such attacks were to occur?

Platform as a Service

  • Where is the line of responsibility drawn between security of the platform and application components?
  • What facilities does the platform provide for application level logging?
  • Is application log data integrated with other platform-provided logging and reporting?
  • Are there any real time intrusion detection systems deployed for detecting issues related to security at the application layer?
  • What mechanisms does the platform support for isolating message data on the client’s service bus?
  • What mechanisms does the platform support for securing communication between two application components?
  • What mechanisms does the platform support for isolating data at rest and in use?

Software as a Service

  • What Web application security standards (input validation, encoding output, preventing request forgery and information disclosure) are being followed by the vendor?
  • What application and infrastructure controls are in place to isolate the enterprise’s data from that of other tenants?
      • Data at rest
      • Data in transit
      • Data in use

As interest heats up in cloud computing and its related security challenges, we’ll pass along relevant updates.

Microsoft Azure: Private Cloud for the Masses


Two weeks ago at its Worldwide Partners Conference, Microsoft announced that its Windows Azure Cloud computing platform would be made available in a hardware appliance form factor. This, they reasoned, will allow private enterprises, service providers and even government entities to create their own multi-tenant SaaS applications that can run in any data center.

This is exciting news, especially for companies that like the idea of software-as-a-service but want more privacy regarding their data access. It also brings into focus the challenges of securing cloud applications.

So as you evaluate this platform, keep in mind these recommendations:

  1. Define what the cloud means to your organization
  2. Create awareness of cloud initiatives throughout the organization
  3. Take a broad view when assessing cloud’s impact
  4. Engage professionals from organizations with specific cloud security expertise

As with any IT initiative, early engagement of security professionals will yield a more cost-effective risk management approach than retroactive ones. Experienced professionals can identify security and other implementation issues and recommend appropriate solutions.

Awareness and trust are lacking even among professionals who are familiar with cloud and may be responsible for securing enterprise systems and information. While cloud adoption is expected to grow, customer inexperience with cloud computing, security concerns (and in some cases, lack of concern) and uncertainty about governance could make it difficult for organizations to effectively implement cloud computing or realize full value from it.

Google’s Government Cloud - A Sprinkling of Security Forecasted

The City of Los Angeles recently signed a deal with CSC, a systems integrator, to provide a hosted email solution from Google. L.A. was using an on-premises email solution from Novell but found it less expensive and more functional to move to a hosted solution. What is important to note here, however, is that the service being delivered to the city is more secure than the service Google currently provides to consumers and businesses.

The government cloud will constitute a "dedicated parallel environment" to Google's commercial Google Apps cloud for consumers and enterprises. Data created in this cloud by federal, state and local government agencies will be hosted on separate servers within existing Google data centers in the United States. Storing such data on separate servers makes sense, given all of the sensitive information the government generates.

However, the federal version boasts greater security, privacy and compliance to satisfy the stringent requirements of U.S. federal government agencies, related government contractors and others that require the utmost security.

Future capabilities and certifications for Google's government cloud will include two-factor authentication, enhanced encryption and the achievement of Federal Information Security Management Act (FISMA) certification.

In addition to the certifications, security features, and dedicated infrastructure in secured facilities, the data center will be accessible only via biometric access controls, and only by U.S. citizens who have undergone the necessary background checks to access the system.

Theoretically, this brings the offering in line with the needs of agencies and contractors who require extremely high levels of security protocols and features. Google aims to target the 300 million U.S. government users creating and sharing information on 10,000 IT systems.

So here we see the evolution of the concept of a "private cloud" from essentially a data center for a private institution to a data center reserved for a certain class or type of customer. Within that data center, or cloud, is the need for security. And the security we find is usually being delivered by purpose-built appliances that support the mix of multitenant or software-as-a-service application logic.

Top 7 Threats to Cloud Computing – Part 2

The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we reviewed the top 7 threats. In this installment, Part 2, we review the remedial steps you can take to reduce your risk profile.

Threat #1: Abuse and Nefarious Use of Cloud Computing

Remediation

  • Stricter initial registration and validation processes
  • Enhanced credit card fraud monitoring and coordination
  • Comprehensive introspection of customer network traffic
  • Monitoring public blacklists for one's own network blocks

Threat #2: Insecure Interfaces and APIs

Remediation

  • Analyze the security model of cloud provider interfaces
  • Ensure strong authentication and access controls are implemented in concert with encrypted transmission
  • Understand the dependency chain associated with the API (application program interface)

Threat #3: Malicious Insiders

Remediation

  • Enforce strict supply chain management and conduct a comprehensive supplier assessment
  • Specify human resource requirements as part of legal contracts
  • Require transparency into overall information security and management practices, as well as compliance reporting
  • Determine security breach notification processes

Threat #4: Shared Technology Issues

Remediation

  • Implement security best practices for installation/configuration
  • Monitor environment for unauthorized changes/activity
  • Promote strong authentication and access control for administrative access and operations
  • Enforce service level agreements for patching and vulnerability remediation
  • Conduct vulnerability scanning and configuration audits

Threat #5: Data Loss or Leakage

Remediation

  • Implement strong API access control
  • Encrypt and protect integrity of data in transit
  • Analyze data protection at both design and run time
  • Implement strong key generation, storage and management, and destruction practices
  • Contractually demand providers wipe persistent media before it is released into the pool
  • Contractually specify provider backup and retention strategies

Threat #6: Account or Service Hijacking

Remediation

  • Prohibit the sharing of account credentials between users and services
  • Leverage strong two-factor authentication techniques where possible
  • Employ proactive monitoring to detect unauthorized activity
  • Understand cloud provider security policies and SLAs

Threat #7: Unknown Risk Profile

Remediation

  • Disclosure of applicable logs and data
  • Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.)
  • Monitoring and alerting on necessary information

Top 7 Threats to Cloud Computing – Part 1

The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we review the top 7 threats. In Part 2 we'll review the remedial steps you can take to reduce your risk profile.

Threat #1: Abuse and Nefarious Use of Cloud Computing

IaaS (Infrastructure as a Service) providers offer their customers immediate access to cloud services. The anonymity afforded in registration has attracted spammers, malicious code authors, and other criminals. PaaS (Platform as a Service) providers have traditionally suffered most from this kind of attack; however, recent evidence shows that hackers have begun to target IaaS vendors as well.

Threat #2: Insecure Interfaces and APIs

Cloud computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces. The security and availability of general cloud services is dependent upon the security of these basic APIs. Increased risk occurs as organizations may be required to relinquish their credentials to third parties in order to enable certain functionality.

Threat #3: Malicious Insiders

The threat of a malicious insider is well-known to most organizations. This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. The level of access granted could enable workers with malicious intent to operate with little or no risk of detection.

Threat #4: Shared Technology Issues

IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture. To address this gap, a virtualization hypervisor mediates access between guest operating systems and the physical compute resources. Still, even hypervisors have exhibited flaws that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform.

Threat #5: Data Loss or Leakage

The threat of data compromise increases in the cloud due to the number of interactions which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.

Threat #6: Account or Service Hijacking

Account or service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites.

Threat #7: Unknown Risk Profile

One of the tenets of cloud computing is the reduction of hardware and software ownership and maintenance to allow companies to focus on their core business strengths. This has clear financial and operational benefits, which must be weighed carefully against the hidden security posture of the provider. Security by obscurity may be low effort, but it can result in unknown exposures.

Cloudy Forecast for Government

The Lockheed Martin Cyber Security Alliance released a report this month that highlighted the growth and challenges of cloud computing within the U.S. federal government, defense/military and intelligence agencies. Today just 14 percent of respondents surveyed said their agencies have at least one cloud computing application, and 85 percent of these are using multiple applications in the cloud. Current adoption is virtually the same at federal civilian (13 percent) and defense/military (14 percent) agencies.

Cloud computing is currently one of the fastest growing trends in all of IT, in both the public and private sectors, and federal CIO Vivek Kundra has been a visible public advocate for cloud computing. The government market for cloud computing is projected to more than triple between 2009 and 2014.

Despite these adoption findings and projections, resistance to cloud adoption will remain. Fourteen percent of respondents are aware of cloud computing but are not using or discussing it at their agencies. Another 23 percent are unaware of what their agency is doing with cloud computing.

For all the attention and growth cloud computing has achieved, there is still widespread lack of awareness and misunderstanding. The percentage of respondents who are not familiar with cloud computing (34 percent) is two-and-a-half times as high as the percentage whose agencies are using it (14 percent). Respondents at civilian agencies are more aware of cloud computing than their defense/military counterparts (37 percent to 30 percent), but neither population has a high level of awareness. Surprisingly, a fifth (21 percent) of professionals involved in cyber security at their agencies are unaware of cloud computing.

Cyber security professionals ranked cloud computing last among their cyber security challenges of note. This may indicate an overly narrow view of cyber security, because many of the more highly rated challenges also apply to cloud computing. It could also indicate a lack of depth in understanding cloud computing architectures and an underappreciation of what is required to secure cloud computing systems and their users.

Some of the distrust in cloud computing invariably comes from respondents' inexperience with it. Distrust may also result from uncertainty about how to secure applications and data in the cloud, including how security considerations change based on the specific cloud model (e.g. IaaS, PaaS, SaaS; public, private, community or hybrid cloud).

Data security is by far the top concern of note, and is the only one cited by a majority of respondents. The other leading issues are intrusion detection, securing data flows between data centers, clients, and applications, and security mandate compliance. While these are all legitimate issues, they are not unique to the cloud or inherently impossible to secure in the cloud.

Conversely, multi-tenancy, where different, non-related organizations may share infrastructure such as space on a server, is a cloud-specific security consideration, but it ranks near the bottom of respondents' concerns. The specific security concerns of overall respondents are extremely consistent with those of respondents who distrust the cloud, and with those who are involved in cyber security.

Despite all the attention cloud computing receives as one of the leading IT trends, a third of government IT decision makers surveyed were not familiar with cloud computing, and a similar percentage do not trust it.

Awareness and trust are lacking even among professionals who are familiar with it and may be responsible for securing enterprise systems and information. While cloud adoption is expected to grow, respondents' inexperience with cloud computing, security concerns (and in some cases, lack of concern) and uncertainty about governance could make it difficult for organizations to effectively implement cloud computing or realize full value from it.

Against this backdrop the Lockheed Martin Cyber Security Alliance made the following recommendations to government agencies:

  1. Define what the cloud means to your organization
  2. Create awareness of cloud initiatives throughout the organization
  3. Take a broad view when assessing cloud's impact
  4. Engage professionals from organizations with specific cloud security expertise

As with any IT initiative, early engagement of security professionals will yield a more cost-effective risk management approach than retroactive ones. Experienced professionals can identify security and other implementation issues and recommend appropriate solutions.

(The Alliance consists of the following technology companies: APC by Schneider Electric, CA, Cisco, Dell, EMC Corporation and its RSA Security Division, HP, Intel, Juniper Networks, McAfee, Microsoft, NetApp, Symantec and VMware)

 

Auditing Cloud Security

Security responsibilities of both the provider and the consumer greatly differ between cloud service models. Amazon's AWS EC2 infrastructure as a service offering, as an example, includes vendor responsibility for security up to the hypervisor, meaning they can only address security controls such as physical security, environmental security, and virtualization security. The consumer, in turn, is responsible for security controls that relate to the IT system (instance) including the operating system, applications, and data.

The inverse is true for Salesforce.com's CRM SaaS offering. Because the entire "stack" is provided by Salesforce.com, the provider is not only responsible for the physical and environmental security controls, but it must also address the security controls on the infrastructure, the applications, and the data.

Cloud Security Alliance Recommendations

Assessment of third-party cloud service providers should specifically target the provider's incident management, business continuity and disaster recovery policies, and processes and procedures; and should include review of co-location and back-up facilities.

This should include review of the provider's internal assessments of conformance to its own policies and procedures, and assessment of the provider's metrics to provide reasonable information regarding the performance and effectiveness of its controls in these areas.

The user's business continuity and disaster recovery plan should include scenarios for loss of the provider's services, and for the provider's loss of third-party services and third-party-dependent capabilities. Testing of this part of the plan should be coordinated with the cloud provider.

The provider's information security governance, risk management, and compliance structures and processes should also be comprehensively assessed:

  • Request clear documentation on how the facility and services are assessed for risk and audited for control weaknesses, the frequency of assessments, and how control weaknesses are mitigated in a timely manner
  • Require definition of what the provider considers critical service and information security success factors, key performance indicators, and how these are measured relative to IT Service and Information Security Management
  • Review the provider's legal, regulatory, industry, and contractual requirements capture, assessment, and communication processes for comprehensiveness
  • Perform full contract or terms-of-use due diligence to determine roles, responsibilities, and accountability; ensure legal review, including an assessment of the enforceability of local contract provisions and laws in foreign or out-of-state jurisdictions
  • Determine whether due diligence requirements encompass all material aspects of the cloud provider relationship, such as the provider's financial condition, reputation (e.g., reference checks), controls, key personnel, disaster recovery plans and tests, insurance, communications capabilities, and use of subcontractors

Even if your application is now in the cloud, your security should still be grounded in fundamental risk management principles.

Securing Virtualized Apps

To secure a virtualized environment you must first understand the nature of the problem. And the nature of the problem is that information, content and applications are now mobile and not necessarily tethered to a fixed location. Traditional security looks at the infrastructure, via defined parameters such as firewalls, ACLs (access control lists) and VLANs (virtual local area networks).

However, in a world of mobility we must focus on the data itself, which can exist outside the defined infrastructure. And we have to think of security from a biological perspective. What I mean is: think of how a human body, which is mobile, isolates and attacks bacteria that enter it. So the data (the body in this example) must have attributes which help it remain healthy, even as it travels to strange and new locations.

We see examples of mobility in virtual machines and appliances that can exist anywhere in the "cloud." Users of smartphones are both creators and consumers of information that moves peer-to-peer as well as through centralized corporate and shared community networks.

Securing the data means that no matter where the data or application exists, at any point in time, there are rules that follow the data. Think of it like a passport issued for each data set. Access, bandwidth, prioritization, compliance policies, permissions, restrictions and traffic patterns are dynamically assigned, persistent and understood within the contextual flow of that specific data set (i.e., who is using it and its purpose), no matter where it resides. This allows provisioning of service as well as the ability to identify aberrant patterns and hence potential security threats.

I guess we can call this concept "portable security" because it crosses domains and networks governed by disparate owners. This is not a new concept in the world of flow-based network security. But we are seeing the emerging application of flow management in areas such as identity federation and management of virtual machines that may traverse various cloud providers and corporate data centers.

There is no one application provider or solution set that has all the pieces of portable security. We should approach each situation using the fundamental methodologies of risk assessment and mitigation. That is, understand the security challenge in terms of who, what, where, why and how. Then we can start to devise the solution set that best meets specific needs.

Virtualized Security: an Oxymoron

Virtualization technology has been making its way into IT departments for years. It started in the datacenter as a means to consolidate servers and has seen increasing viability in an appliance form factor (virtual appliance). Simply, an appliance software solution has everything in one integrated bundle needed to accomplish a singular function.

So the OS, database, web server and application logic are all integrated and cannot be split apart for other uses (this is a quick and simplistic explanation). You have virtual appliances made using virtualization technology, hardware appliances that integrate software with the hardware, and software appliances that load on bare-bones servers.

The one area where virtual appliances have not made much headway is network security. Network security is still dominated by hardware appliances, which today offer superior performance, scalability and function. However, many vendors are starting to tout current or soon-to-be-available virtual appliances for security.

Hmmm. Security that is virtualized... which means it's not really there. Makes one pause for a moment and wonder if this is a good thing or whether it should be "buyer beware." To make sure my views aren't biased I visited the blog of Chris Hoff, currently Director of Cloud and Virtualization Solutions, Data Center Solutions at Cisco Systems, and a security industry honcho.

His views seem to mirror what I've found in working with companies in both the security and the appliance solution space. Here are some issues per Chris Hoff:

  • Most of the virtual network appliances, especially those "ported" from the versions that usually run on dedicated physical hardware (COTS or proprietary) do not provide feature, performance, scale or high-availability parity; most are hobbled or require per-platform customization or re-engineering in order to function
  • The resilience and high availability options from today's off-the-shelf virtual connectivity do not pair well with the mobility and dynamism of de-coupled virtual machines; VMs are ultimately temporal and networks don't like topological instability due to key components moving or disappearing
  • The performance and scale of virtual appliances still suffer when competing for I/O and resources on the same physical hosts as the guests they attempt to protect
  • Virtual connectivity is generally a function of the VMM (virtual machine manager) (or a loadable module/domain therein). The architecture of the VMM has dramatic impact upon the architecture of the software designed to provide the connectivity and vice versa.
  • Security solutions are incredibly topology sensitive. Given the scenario in #1 when a VM moves or is distributed across the pooled infrastructure, unless the security capabilities are already present on the physical host or the connectivity and security layers share a control plane (or at least can exchange telemetry), things will simply break.
  • Many virtualization (and especially cloud) platforms do not support protocols or topologies that many connectivity and security virtual appliances require to function (such as multicast for load balancing)
  • It's very difficult to mimic the in-line path requirements in virtual networking environments that would otherwise force traffic passing through the connectivity layers (layers 2 through 7) up through various policy-driven security layers (virtual appliances)
  • There is no common methodology to express what security requirements the connectivity fabrics should ensure are available prior to allowing a VM (virtual machine) to spool up let alone move
  • Much of the basic networking capabilities are being pushed lower into silicon (into the CPUs themselves) which makes virtual appliances even further removed from the guts that enable them

What does this mean? If you want real security in an appliance form factor, you can't beat a hardware appliance. At least not today.