Cloud Security Alliance - International Cyber Center


Cloud Security:
Critical Threats and
Global Initiatives
Jim Reavis, Executive Director
July, 2010
What is Cloud Computing?
• Compute as a utility: third major era of computing
  • Mainframe
  • PC Client/Server
  • Cloud computing: On-demand model for allocation and consumption of computing
• Cloud enabled by
  • Moore’s Law: Costs of compute & storage approaching zero
  • Hyperconnectivity: Robust bandwidth from dotcom investments
  • Service Oriented Architecture (SOA)
  • Scale: Major providers create massive IT capabilities
Copyright © 2010 Cloud Security Alliance
www.cloudsecurityalliance.org
Top Threats to Cloud Computing
Cloud Security Risks / Threats
• Shared Technology Vulnerabilities
• Data Loss/Data Leakage
• Malicious Insiders
• Account, Service or Traffic Hijacking
• Insecure APIs
• Nefarious Use of Service
• Unknown Risk Profile
Shared Technology Vulnerabilities
Description
• Exposed hardware, operating systems, middleware, application stacks and network components may possess known vulnerabilities
Impact
• Successful exploitation could impact multiple customers
Example
• Cloudburst - Kostya Kortchinsky (Blackhat 2009)
• Arbitrary code execution vulnerability identified in VMware SVGA II device, a
virtualized PCI Display Adapter
• Vulnerable component present on VMware Workstation, VMware Player,
VMware Server and VMware ESX
Data Loss / Data Leakage
Description
• Data compromise due to improper access controls or weak encryption
• Poorly secured data is at greater risk due to the multi-tenant
architecture
Impact
• Data integrity and confidentiality
Example
• Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds (UCSD/MIT)
• Research detailing techniques for placing an attacker's instances on the same physical hardware as a victim's and then leveraging cross-VM side-channel attacks to identify data leakage
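The co-residence screening step that bullet refers to, as an added example (not code from the slide, the CSA, or the paper's authors). It applies the network checks the paper relies on, a matching Dom0 address, a small round-trip time and numerically close internal addresses, to traceroute output collected on each attacker probe. Reading the source's Dom0 from the first hop and the target's Dom0 from the hop before the target follows the paper's description of the Xen setup; the traceroute text, the instance names and the numeric thresholds are constructed for this illustration.

```python
import ipaddress
import re

# Constructed traceroute output (not real EC2 data). Three hypothetical attacker
# probe instances (A1, A2, A3) each trace to the victim's internal address.
VICTIM_IP = "10.251.130.5"
PROBES = {
    # name: (probe's own internal IP, traceroute text captured on that probe)
    "A1": ("10.251.130.9",
           "traceroute to 10.251.130.5 (10.251.130.5), 30 hops max\n"
           " 1  10.251.130.1  0.412 ms\n"
           " 2  10.251.130.5  0.301 ms\n"),
    "A2": ("10.251.200.44",
           "traceroute to 10.251.130.5 (10.251.130.5), 30 hops max\n"
           " 1  10.251.200.1  0.455 ms\n"
           " 2  10.251.142.1  0.980 ms\n"
           " 3  10.251.130.1  1.210 ms\n"
           " 4  10.251.130.5  1.602 ms\n"),
    "A3": ("10.251.130.12",
           "traceroute to 10.251.130.5 (10.251.130.5), 30 hops max\n"
           " 1  10.251.130.1  0.398 ms\n"
           " 2  * * *\n"),
}

# hop number, replying IP, RTT in ms; lines with no reply ('* * *') do not match
HOP_RE = re.compile(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)\s+([\d.]+) ms", re.M)


def parse_hops(trace):
    """Return [(hop_ip, rtt_ms), ...] in hop order, skipping unanswered hops."""
    return [(ip, float(rtt)) for ip, rtt in HOP_RE.findall(trace)]


def dom0_addresses(trace, target):
    """First hop = the probe's Dom0; hop just before the target = the target's
    Dom0. Returns None when the target was never reached."""
    hops = parse_hops(trace)
    if len(hops) < 2 or hops[-1][0] != target:
        return None
    return hops[0][0], hops[-2][0]


def ip_distance(a, b):
    """Numeric distance between two IPv4 addresses (the 'close internal IP' signal)."""
    return abs(int(ipaddress.ip_address(a)) - int(ipaddress.ip_address(b)))


def co_residence_check(probe_ip, trace, target, max_ip_gap=7, max_rtt_ms=0.5):
    """Combine the three signals. The thresholds are assumptions chosen for
    this example, not values taken from the paper or the slide."""
    pair = dom0_addresses(trace, target)
    if pair is None:
        return "unknown"
    src_dom0, dst_dom0 = pair
    if src_dom0 != dst_dom0:
        return "different host"
    rtt_to_target = parse_hops(trace)[-1][1]
    if ip_distance(probe_ip, target) <= max_ip_gap and rtt_to_target <= max_rtt_ms:
        return "co-resident"
    return "same Dom0, unconfirmed"


def screen_probes(probes=PROBES, target=VICTIM_IP):
    """Run the check for every probe; an attacker keeps the 'co-resident' ones
    and launches further instances in place of the rest."""
    return {name: co_residence_check(ip, trace, target)
            for name, (ip, trace) in probes.items()}


if __name__ == "__main__":
    for name, verdict in screen_probes().items():
        print(f"{name}: {verdict}")
</test>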
Malicious Insiders
Description
• Employees of the cloud vendor may abuse privileges to access customer
data/functionality
• Reduced visibility into internal processes may inhibit detection of the breach
Impact
• Data confidentiality and integrity
• Reputational damage
• Legal repercussions
Example
• Google Investigates Insider Threat After China Hack (eWeek)
• “Google is investigating whether some of its own staff are behind the
repeated attempts to hack into the Gmail accounts of Chinese human rights
activists”
Interception or Hijacking of Traffic
Description
• Intercept and/or redirect traffic destined for the clients or cloud
• Steal credentials to eavesdrop or manipulate account information /
services
Impact
• Confidentiality and integrity of data
• Damage to reputation
• Consequences (legal) from malicious use of resources
Example
• Twitter DNS account compromise
• Zeus botnet C&Cs on compromised Amazon EC2 accounts
Insecure APIs
Description
• APIs designed to permit access to functionality and data may be
vulnerable or improperly utilized, exposing applications to attack
Impact
• Data confidentiality and integrity
• Denial of service
Example
• P0wning the Programmable Web (Websense – AusCERT 2009)
• 80% of tested applications not using available security in APIs (e.g.
unencrypted traffic and basic authentication)
• Demonstrated CSRF, MITM and data leakage attacks
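The two failure modes above, credentials in Basic auth over unencrypted traffic and requests that an on-path attacker can replay or rewrite, as an added example (not code from the slide or from the Websense talk). The first two functions show why a Basic header on plain HTTP hands the password to anyone on the path; the rest show the hardened pattern of signing each request with an HMAC over method, path, body digest, timestamp and nonce, with the server enforcing a freshness window and a replay cache. The key id, secret, header names and clock-skew window are hypothetical values chosen for this example; a real deployment still needs TLS, since signing gives integrity and authentication but no confidentiality.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical credentials and header names for this example; no real cloud
# provider's keys or header conventions are used here.
ACCESS_KEY = "AKEXAMPLE"
SECRET_KEY = b"example-secret-key-not-for-production"
CLOCK_SKEW = 300  # seconds a request timestamp may drift before it is rejected


def basic_auth_header(user, password):
    """The weak pattern from the slide: Basic auth is base64, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic_credentials(header):
    """What an on-path observer does with a Basic header sent over plain HTTP."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)


def canonical_string(method, path, body, timestamp, nonce):
    """Bind method, path, body digest, time and nonce into the string to sign."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(method, path, body, timestamp=None, nonce=None,
                 access_key=ACCESS_KEY, secret=SECRET_KEY):
    """Client side: headers carrying key id, timestamp, nonce and HMAC-SHA256."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    return {
        "X-Key-Id": access_key,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": hmac.new(secret, msg, hashlib.sha256).hexdigest(),
    }


class Verifier:
    """Server side: look up the secret, then check freshness, replay and MAC."""

    def __init__(self, keys, skew=CLOCK_SKEW):
        self.keys = keys   # access key id -> secret bytes
        self.skew = skew
        self.seen = {}     # nonce -> timestamp, pruned once outside the window

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        secret = self.keys.get(headers.get("X-Key-Id", ""))
        if secret is None:
            return False, "unknown key"
        try:
            ts, nonce, sig = (int(headers["X-Timestamp"]), headers["X-Nonce"],
                              headers["X-Signature"])
        except (KeyError, ValueError):
            return False, "missing header"
        if abs(now - ts) > self.skew:
            return False, "stale timestamp"
        # keep the replay cache bounded: anything older than the window can no
        # longer pass the timestamp check anyway
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.skew}
        if nonce in self.seen:
            return False, "replay"
        msg = canonical_string(method, path, body, ts, nonce).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        self.seen[nonce] = ts
        return True, "ok"


def demo():
    """Exercise the verifier against a valid, replayed, tampered and stale request."""
    v = Verifier({ACCESS_KEY: SECRET_KEY})
    path = "/v1/instances"
    body = json.dumps({"instance": "i-0001", "action": "terminate"}).encode()
    results = {}
    hdrs = sign_request("POST", path, body, timestamp=1000, nonce="n1")
    results["valid"] = v.verify("POST", path, body, hdrs, now=1000)[1]
    # the same signed request captured and sent again: nonce already seen
    results["replay"] = v.verify("POST", path, body, hdrs, now=1001)[1]
    # an on-path attacker rewrites the body but cannot recompute the MAC
    tampered = json.dumps({"instance": "i-0002", "action": "terminate"}).encode()
    hdrs = sign_request("POST", path, body, timestamp=1000, nonce="n2")
    results["tampered"] = v.verify("POST", path, tampered, hdrs, now=1000)[1]
    # a timestamp outside the window (skewed client clock or a long-delayed
    # capture) is refused before any nonce state is touched
    hdrs = sign_request("POST", path, body, timestamp=1000, nonce="n3")
    results["stale"] = v.verify("POST", path, body, hdrs, now=1000 + CLOCK_SKEW + 1)[1]
    return results


if __name__ == "__main__":
    print(recover_basic_credentials(basic_auth_header("ops", "hunter2")))
    print(demo())
```

The nonce cache is per process here; behind a load balancer it has to be shared (or the nonce scoped to the node that issued a session) or the replay check silently stops working across instances.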
Nefarious Use of Service
Description
• Attackers are drawn to the cloud for the same reasons as legitimate consumers – access to massive processing power at low cost
Impact
• Password cracking, DDoS, malware hosting, spam, C&C servers,
CAPTCHA cracking, etc.
Example
• Current search of MalwareDomainList.com for ‘amazonaws.com’
returns 21 results
• “In the past three years, ScanSafe has recorded 80 unique malware
incidents involving amazonaws” – ScanSafe blog
• Amazon's EC2 Having Problems With Spam and Malware - Slashdot
Unknown Risk Profile
Description
• A lack of visibility into security controls could leave cloud consumers exposed to
unnecessary risk.
Impact
• Significant data breaches could occur, possibly without the knowledge of the cloud
consumer.
Example
• Heartland Payment Systems was “willing to do only the bare minimum and comply with state
laws instead of taking the extra effort to notify every single customer, regardless of law, about
whether their data [had] been stolen.”
http://www.pcworld.com/article/158038/heartland_has_no_heart_for_violated_customers.html
How will Cloud Computing play out?
• Much investment in private clouds for 3-5 years
• Rise of mobile clouds
• Eventual 80/20 rule favoring public clouds
• Cloud assurance ecosystem being built
• Virtual private clouds: a compromise between public and private
• Long legacy of hybrid clouds
• Disruption to markets, IT, security best practices
• Challenges public policy and critical infrastructure
About the Cloud Security Alliance
• Global, not-for-profit organization
• 10,000+ individual members
• Fast growing – chapters, translations, alliances
• Inclusive membership, supporting a broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, etc.
• We believe Cloud Computing has a robust future; we want to make it better
“To promote the use of best practices for providing security assurance
within Cloud Computing, and provide education on the uses of Cloud
Computing to help secure all other forms of computing.”
CSA Research Projects
Go to www.cloudsecurityalliance.org/Research.html for
Research dashboard and Working Group signup
Released Research
• CSA Security Guidance for Critical Areas of Focus in Cloud Computing
• Popular best practices, V2.1
• CSA Cloud Controls Matrix
• Security controls framework mapped to existing regulations
and standards
• Top Threats
• Released 2x annually
• Identity & Access Management “Dom12” paper
• Supporting Trusted Cloud Initiative
Research & Initiatives in Progress
• Certificate of Cloud Security Knowledge (CCSK)
• Individual competency testing and certificate
• Trusted Cloud Initiative
• Interoperable IAM, reference models, cert criteria
• CSA Cloud Controls Matrix V2
• Controls refinement, automation, increased mappings
• Consensus Assessments Initiative
• Common question sets to measure providers’ security
capabilities
Research Initiatives being Scoped
• CloudCERT
• Best practices research for emergency response in
Cloud
• Standardized processes
• Hosted Community
• Cloud Security Metrics
• Library of recommended measurements & surveys
• Cloud Security Use Cases
• Document real world lessons learned
Third Party Initiative Participation
• CloudAudit
• Common Assurance Maturity Model (CAMM)
• ENISA eGovernment
• Cloud-Standards.org
• NIST
Schedule
• CSA Summit at BlackHat, July 28-29, Las Vegas
• CSA Congress, Nov 16-17, Orlando
• CSA Summit at RSA 2011 (tentative), SF
• Participating in most major events
• Several chapter launch events
• Other Summits as research requires
Thank you!
www.cloudsecurityalliance.org