Presented at the (ISC)2 Twin Cities Area Chapter 2013 Annual Meeting on June 18, 2013 by Matthew J. Harmon, Security Researcher and Consultant at IT Risk Limited, LLC (CISSP, GSEC, GCIH). Harmon brought 20 years of information security experience and 13 years of virtualization experience to the topic, along with his roles as a SANS Institute Mentor and Community Instructor for SEC 401 (Security Essentials Bootcamp), SEC 504 (Incident Handling, Exploits and Hacking Techniques), and SEC 464 (Hacker Guard for Systems Administrators). He also served on the Upper Midwest Security Alliance (UMSA) Board of Directors and as Education Sub-Committee Co-Chair.
Why We Are Here
The goal of this presentation was to raise awareness of the risks and benefits involved with “Cloud Computing” – otherwise known as outsourced computing, third-party services, and third-party database hosting. At its core, cloud computing is virtualization, and systems like these used to be called mainframes.
This is not a complete course in cloud security. For deeper study, Harmon recommended:
- Dave Shackleford’s six-day class SANS SEC 579: Virtualization and Private Cloud Security (sans.org/course/virtualization-private-cloud-security)
- Dave Shackleford’s two-day fundamentals class SANS SEC 542: Cloud Security Fundamentals (sans.org/course/cloud-security-fundamentals)
- The Cloud Security Alliance’s CCSK (Certificate of Cloud Security Knowledge) (cloudsecurityalliance.org/education/ccsk/)
Cloud Security Alliance CCSK
The CCSK covers 15 domains: Cloud Architecture, Governance and Enterprise Risk, Legal and Electronic Discovery, Compliance and Audit, Information Lifecycle Management, Portability and Interoperability, Traditional Security, Business Continuity and Disaster Recovery, Data Center Operations, Incident Response, Application Security, Encryption and Key Management, Identity and Access Management, Virtualization, and Security-as-a-Service.
Terms and Definitions
Hypervisor: A piece of computer software, firmware or hardware that runs virtual machines. Type 1 hypervisors are native or bare metal. Type 2 hypervisors are hosted, running within another operating system.
Guest: A virtual machine running on top of a hypervisor. (Reference: Gerald J. Popek and Robert P. Goldberg, 1974, “Formal Requirements for Virtualizable Third Generation Architectures,” Communications of the ACM 17.)
Threat (or threat agent): Anything that is capable of acting against an asset in a manner that can result in harm (FAIR). The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest (NIATEC). A threat agent has Capability, Intent and History (OWASP).
Vulnerability: A weakness that could be exploited by a threat. The presence of a vulnerability does not in itself cause harm (NIATEC).
References: National Information Assurance Training and Education Center (NIATEC) at niatec.info; Factor Analysis of Information Risk (FAIR) at fairwiki.riskmanagementinsight.com; Open Web Application Security Project (OWASP) at owasp.org/index.php/Category:Threat_Agent.
Virtualization Basics
The presentation covered virtualization architecture through diagrams (credited to Miguel Santos Ribeiro, 2009), illustrating Type 1 full virtualization with hardware/processor acceleration (VT-x, etc.). The big players in virtualization at the time were Microsoft, VMware, Xen, Citrix, and OpenStack.
Benefits of Virtualization
Server consolidation is a primary benefit. Old 1U hardware reaching end-of-life can be consolidated, making better use of data center rack space – 20 blades fit in the same space as a single 3U rack mount server.
Benefits of Cloud Computing
Software as a Service delivers auto-patching, silent upgrades, and flexibility. Infrastructure as a Service reduces operational overhead and turns issues into “somebody else’s problem” – you get what you need, when you need it, as you need it, with the option of rapid build-outs and rapid decommissioning. [Anything] as a Service offers an easier requisition process, since buying a service in most organizations is easier than buying and deploying hardware.
Cloud computing also enables security shims and encryption services. Shims include technologies like McAfee MOVE AV and Trend Micro (Amazon). Encryption as a Service providers include CipherCloud and Perspecsys.
Cloud Security Risks
If you’re not paying (a premium) for a product, you’re the product that is being sold.
Confidentiality and Privacy: Multi-tenant (low cost) systems co-mingle data from multiple customers. Few (if any) cloud providers encrypt your data.
Availability: A Terms of Service violation means your data is locked away. If internet access goes down, you have no access to your data.
Integrity: There is a lack of visibility into cloud provider operations and the ever-present insider threat at the cloud vendor.
Threats in the Media
Intel Corporation’s Threat Agent Library references several actor categories relevant to cloud security: Civil Activist, Data Miner, Sensationalist, Disgruntled Employee, Government Cyberwarrior, Radical Activist, and (possibly) Corrupt Government Officials. Harmon urged the audience to assume worst-case scenarios, asking: “Who here has been or is a systems administrator? What access did you have? Root? Domain Admin? Physical?”
Privacy as Standard Operating Procedure
Worst case scenarios were coming true. Data was being collected from Microsoft, Google, Yahoo!, Facebook, PalTalk, YouTube, Skype, AOL, and Apple. The types of data collected included e-mail, chat (video and voice), videos, photos, stored data, VoIP interception, file transfers, video conferencing, notifications of activity (login, logout), online social networking details, and other “Special Requests.” Not too long ago these were called “paranoid fantasies” – by 2013, they were reality being featured in the popular media.
To protect yourself: control your data by encrypting end-to-end (in transit, during processing, and at rest). Encryption at rest is a good first step. Audit your vendors and third parties. Don’t be afraid to walk away if they don’t meet your requirements. Clearly state your needs and desires in your contract. Trust – but verify. Be careful with any personal data or regulated data such as HIPAA or PCI.
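The "encryption at rest" step above, sketched as an added example (not code from the presentation): data is sealed with AES-256-GCM on the customer's side before upload, so a multi-tenant provider or a vendor insider only ever holds ciphertext, and any modification is detected on download. The function names, the object names and the sample record are constructed for illustration; the key is assumed to live in the customer's own key store, and transport security (TLS) is a separate layer.

```javascript
// Added example: client-side AES-256-GCM so the provider stores only ciphertext.
const crypto = require("crypto");

// Encrypt before upload. The key never leaves the customer's side.
// objectName (hypothetical label) is bound as associated data, so one stored
// blob cannot be silently swapped for another object's ciphertext.
function sealForUpload(key, objectName, plaintext) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce per object
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(objectName, "utf8"));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // Stored layout: nonce (12 bytes) || auth tag (16 bytes) || ciphertext
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Decrypt after download. Returns null when verification fails:
// tampered or truncated blob, wrong key, or wrong object name.
function openAfterDownload(key, objectName, blob) {
  if (blob.length < 28) return null;
  const nonce = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const body = blob.subarray(28);
  try {
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, nonce);
    decipher.setAAD(Buffer.from(objectName, "utf8"));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(body), decipher.final()]);
  } catch (err) {
    return null; // "trust, but verify": never use data that fails the check
  }
}

// Constructed demo: what the provider sees, and what a modification looks like.
function demo() {
  const key = crypto.randomBytes(32); // assumption: kept in the customer's key store
  const record = Buffer.from("patient=constructed-sample;dx=none", "utf8");
  const stored = sealForUpload(key, "records/0001", record);
  const tampered = Buffer.from(stored); // copy, then flip one bit
  tampered[tampered.length - 1] ^= 0x01;
  return {
    roundTrip: openAfterDownload(key, "records/0001", stored).equals(record),
    leaksPlaintext: stored.includes(record),
    tamperDetected: openAfterDownload(key, "records/0001", tampered) === null,
    swapDetected: openAfterDownload(key, "records/0002", stored) === null,
    wrongKeyRejected: openAfterDownload(crypto.randomBytes(32), "records/0001", stored) === null,
  };
}
console.log(demo());
```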
Final Comments
“The Cloud,” or virtualization, gives us many opportunities to harvest significant processing power at a low cost. However, there are trade-offs: your data is being hosted with someone else and you lose control of that data. Do not assume that your price point includes any privacy of your data; frequently, security is an afterthought for vendors. You can transfer a lot of risk, but you cannot transfer the impact of a customer data breach.
Presented by Matthew J. Harmon, IT Risk Limited, LLC. matthew@itriskltd.com, @mjharmon, +1 612.987.0115. IT Risk Ltd. performs IT risk assessments, advanced security testing, incident response, IT Security Training, forensics, International Standards Development and security team building. Presentation available at github.com/itriskltd. Licensed under Creative Commons Attribution-NonCommercial 3.0 Unported License.