Security in the cloud
Cloud-based solutions: challenges, requirements and risks
Jacob Herbst, CTO, Dubex A/S
Søborg, 12 April 2016
What is Cloud Computing?
What is Cloud Computing?
Cloud Computing?
- Cloud == Internet
- It is just outsourcing
- It is virtualisation
- Hype and marketing
- Nothing new
Cloud Computing
- A completely new service model
- *aaS = as a Service
- On-demand / pay-as-you-go
- Flexible and scalable
- Abstract notion of resources
NIST - Definition of Cloud Computing: "Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models."
http://www.nist.gov/itl/cloud/
http://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf
IT infrastructure evolution
Past: servers are standalone; limited mobility
Present: partly virtualisation; partly mobile
Future: Cloud Computing; Mobile Enterprise
The NIST Cloud Definition Framework
Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
Common Characteristics: Massive Scale, Homogeneity, Virtualization, Low Cost Software, Resilient Computing, Geographic Distribution, Service Orientation, Advanced Security
Enabling technologies
- Virtualisation: efficient use of resources, rapid provisioning, economies of scale, lower costs
- Open standards: common protocols; Web 2.0, user-friendly web applications
- Automation
- Internet and bandwidth: cheap bandwidth, global connectivity
(Stack diagram: Management, Automation, Virtual Machines, Hypervisor, Servers, Storage)
Cloud as a business enabler
The business is interested in processes and information, not in technology, applications and infrastructure. IT is a tool, not a goal in itself. Value is generated in the business; everything else is, in principle, just support. From a business point of view IT has no value in itself; the value lies in how effectively IT can support the business. Requirements from the business help drive the adoption of Cloud Computing.
- On-demand self-service: the user can allocate resources in real time; automated, with no involvement of the service provider or the IT department
- Broad network access: the service is accessed over the internet using standard mechanisms
- Resource pooling: resources are shared between several users, abstracted from the implementation itself; the customer has no knowledge of the infrastructure
- Rapid elasticity: flexible, simple real-time service; resources are allocated as needed
- Measured service: pay-as-you-go; resource consumption is measured, monitored, controlled and billed continuously; no CapEx, only variable OpEx
Software as a Service (SaaS)
Uses the provider's applications over the network. Examples: webmail, SalesForce, Google Docs. The user has no access to the underlying cloud infrastructure.
(Stack diagram: Management, Automation, Virtual Machines, Hypervisor, Servers, Storage)
Your data, your problem
Platform as a Service (PaaS)
The user's applications run on a cloud infrastructure. Examples: Google Engine, Windows Azure and VMforce. Requires that the applications are developed with tools supported by the vendor. The user can only manage their own applications.
(Stack diagram: Management, Automation, Virtual Machines, Hypervisor, Servers, Storage)
Your application, your problem
Infrastructure as a Service (IaaS)
Access to processing, storage and network. The user can allocate and control all resources and run arbitrary operating systems and applications. Examples: Amazon Web Services and Microsoft Azure. The user has no access to the underlying cloud infrastructure, but has control over their own resources.
(Stack diagram: Management, Automation, Virtual Machines, Hypervisor, Servers, Storage)
Your servers, your problem
Deployment Models
- Private cloud: cloud infrastructure for one organisation, managed by the organisation itself
- Community cloud: cloud infrastructure for several known organisations with the same goals and requirements, managed by the organisations themselves
- Public cloud: cloud infrastructure available to everyone, managed by the cloud service provider
- Hybrid cloud: cloud infrastructure that is a mix of clouds (private, community or public), bound together so that data and applications can be moved between them
(Diagram, internal vs. external: enterprise private cloud, community cloud, virtual private cloud, public cloud, hybrid cloud)
Positioning of solutions
(Diagram: SaaS / PaaS / IaaS plotted against Private / Hybrid / Public)
Service models: shared responsibility
Columns: Private (On-Premise) | Infrastructure (as a Service) | Platform (as a Service) | Software (as a Service)
Layers (top to bottom), present in every column:
- Access control
- Applications
- Data
- Security & Integration
- Databases
- Servers
- Virtualization
- Server HW / Storage / Networking
Legend: managed by you / managed by vendor. In the original figure each cell is shaded by who manages that layer; moving from on-premise towards SaaS, the vendor takes over more of the lower layers.
New technologies, new challenges
Today's data centre:
- We control the data ourselves
- The server room is at address X
- The data is on servers Y and Z
- We have backups in place
- We are in control of our administrator access
- Our uptime is adequate, and otherwise we can do something about it ourselves
- We have our own security experts
Tomorrow's cloud solution:
- Who is in control?
- Where are the servers?
- Where is our data stored?
- What ensures that backups are taken?
- Who has access?
- How robust is it?
- How can we audit it?
- How should our security staff work?
Examples of considerations
- Where in the world is my data?
- What is the risk of sharing application, platform and infrastructure with others?
- Does my cloud provider focus on security?
- How can I verify compliance?
- How is my data protected, and are my confidentiality requirements met?
- Will moving my data give foreign countries access to it?
- May I store my company's data on third-party equipment?
- Who has access to my data in the cloud?
- How do I audit and penetration test my cloud-based infrastructure?
- Which data is stored in the cloud?
- How do I encrypt my data?
- How many cloud solutions am I not aware of?
- Who is responsible?
- What are the users doing in the cloud?
- How do I monitor security in the cloud?
Cloud incidents

Nirvanix prepares to close, tells customers to stop using its cloud (SEP 17 2013 2:56PM GMT, posted by Sonia Lelii)
The speculation about troubled cloud storage vendor Nirvanix was true: today the company took steps to begin closing its doors. Nirvanix did not comment on its future, but advised customers to stop replicating data to the Nirvanix cloud and to move their data off the company's systems in the next couple of weeks. Nirvanix sent a notification to customers late this afternoon with suggestions to follow for data migration, because it plans to disable uploads to the cloud on Sept. 23. The e-mail to customers read: "We are notifying you as soon as possible after making this decision so that you can make alternative plans for storage service. Nirvanix will have resources available to continue to provide service between now and Oct. 15 for you to download your data free of charge." "It's been crazy," said Chris Pyle, chief executive of Champion Solutions Group, a Nirvanix partner who received a call from Nirvanix at 9 a.m. today. "It's a complete surprise. Yes, it's disheartening." Champion Solutions Group became a partner about a year ago, Pyle said. He would not confirm how many customers he has using Nirvanix cloud storage, but "it's enough to cause me a lot of angst." Nirvanix advised customers to stop uploading data immediately if Nirvanix is the first copy or second copy of data and advised them to consider migrating data to another public cloud provider such as IBM-SoftLayer, Amazon S3, Google Storage or Microsoft Azure. If Nirvanix handles the second or third copy of the data, customers should stop uploading data and contact its rapid response team for assistance with data deletion.
http://itknowledgeexchange.techtarget.com/storage-soup/nirvanix-to-customers-stop-sending-data-to-our-cloud/

Murder in the Amazon cloud (InfoWorld, Jun 23, 2014)
The demise of Code Spaces at the hands of an attacker shows that, in the cloud, off-site backups and separation of services could be key to survival. Code Spaces was a company that offered developers source code repositories and project management services using Git or Subversion, among other options. It had been going for seven years, and it had no shortage of customers. But it's all over now -- the company was essentially murdered by an attacker. We talk about security, backups, and especially the cloud, but it's as hard to quantify most of the effort we make, especially in light of budgetary concerns. We can fortify our walls as best we can with the resources we have, and in the vast majority of instances, that will suffice.

Microsoft Azure failure puts websites offline (Karl Flinders, Wednesday 19 November 2014 15:52)
Websites have been sent crashing as a result of problems with Microsoft's Azure cloud computing platform. The problems began in the early hours of Wednesday (19 November 2014) when access to Microsoft's Office 365 apps and Xbox Live gaming were affected. A Microsoft spokesperson said the company is looking into the problems: "Microsoft is investigating an issue affecting access to some Microsoft services. We are working to restore full access to these services as quickly as possible."
Businesses still concerned over cloud
Fears over using the cloud for business-critical IT have always been a major concern for large enterprises; however, this is reducing as cloud matures. A study of 300 IT and business decision-makers from analyst firm Forrester revealed 81% are either already running business-critical apps in the cloud or plan on doing so in the next two years. This type of incident could set planning back. In 2011, Amazon and Microsoft's European cloud services were down for a weekend after a lightning strike caused power failures at their datacentres in Dublin. The lightning strike took out the main power supply and affected part of the phase-control system that synchronises the backup generator plant, causing a disruption to the service of Amazon's Elastic Compute Cloud (EC2) cloud computing platform for the second time that year, as well as affecting Microsoft's Business Productivity Online Suite (BP).
Top Concerns of Security in the Cloud
- Loss of Control: Many companies and governments are uncomfortable with the idea of their information being located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.
- Data Security: Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.
- Reliability: High availability will be a key concern when worrying about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.
- Compliance: Complying with SOX, HIPAA, and other regulations may prohibit clouds for some applications. Comprehensive auditing capabilities are essential.
- Security Management: Providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud.
Focus on a business' privacy, protection, and resiliency
"There is no such thing as the cloud. It's just someone else's computer."
Security is perceived as a challenge
Sources: 2013 IDC Services Group Survey: U.S. Professional Services Opportunities Related to Cloud Services, Doc #239862, March 2013, N = 421; IDC, 2012 Cloud Professional Services Survey, N = 402; IDC, 2009 Cloud Professional Services Survey, N = 364. Note: in the 2009 survey, Legal was not offered as an option.
CSA Top Threats for 2016 (ranked in order of severity per survey results)
1. Data Breaches
2. Weak Identity, Credential and Access Management
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues
Follow-up to earlier research artifacts: Top Threats research plays a crucial role in the CSA research ecosystem. The report provides organizations with an up-to-date, expert-informed understanding of cloud security concerns in order to make educated risk-management decisions regarding cloud adoption strategies. The report reflects the current consensus among security experts in the CSA community about the most significant security issues in the cloud.
Cloud Security Alliance (CSA)
Non-profit organisation whose purpose is to promote the use of best practices for securing Cloud Computing. It works with 14 domains for securing Cloud Computing:
Cloud Architecture
1. Cloud Computing Architectural Framework
Governance Domains
2. Governance and Enterprise Risk Management
3. Legal Issues: Contracts and Electronic Discovery
4. Compliance and Audit Management
5. Information Management and Data Security
6. Interoperability and Portability
Operational Domains
7. Traditional Security, Business Continuity and Disaster Recovery
8. Data Center Operations
9. Incident Response
10. Application Security
11. Encryption and Key Management
12. Identity, Entitlement, and Access Management
13. Virtualization
14. Security as a Service
http://www.cloudsecurityalliance.org/guidance.html
The most common threats and attacks
(Word cloud: Loss of availability, Account hijacking, Data breach, Loss of data, Government warrant, Provider administration, Unexpected expenses, CIA, Malicious insider, Unintentional disclosure, Insecure instances, Management console, Reputation, Provider outbreak, Communication outbreak, Hacking, Side channel attack, Cloud attack vector, Multi-tenancy & virtualization, Account lockout, DDoS, Supply chain, Automation & API)
Security: advantages and disadvantages
Advantages:
- Security is an integrated part of the provider's infrastructure
- Economies of scale: resources to get security done properly
- Standardisation: security can simply be repeated
- If publicly accessible systems are moved to an external cloud service, the exposure of sensitive internal data is reduced
- You are (more often) forced to make an active choice about security
- The cloud service includes automated security functions
- Redundancy and disaster recovery are (usually) part of the solution
Disadvantages:
- You have to trust the provider's security model and reporting
- You cannot respond to incidents yourself
- It can be difficult to get help with forensic investigation
- Reliance on the vendor's security model
- No ability to act on audit findings
- Indirect administrator responsibility
- Proprietary solutions cannot be verified
- Loss of physical control
What is cloud security?
Securing the use of cloud solutions (SaaS) - Cloud Enabling:
- Securing connectivity to cloud solutions via e.g. Blue Coat and Check Point
- Encryption of data in the cloud
- Visibility and monitoring, DLP
- Integration of cloud solutions, e.g. IAM, Federation (F5), etc.
Security in cloud solutions (IaaS):
- Security on AWS and Azure with Check Point, Trend Micro, F5, etc.
- Securing private cloud solutions
- Security design for cloud solutions
- Compliance in cloud solutions
Security services delivered via the cloud:
- Cloud web security from e.g. BlueCoat, TrendMicro, Zscaler
- Mobile security
- DDoS protection
- Threat Emulation from e.g. Check Point
Dubex Managed Security Services:
- Dubex Security Operations Center: Tufin, Airwave, Check Point, Trend Micro, etc.
- Dubex Security Analytics Center: LogSafe and Security Analytics Center
Cloud solutions are not one single thing, so securing the cloud cannot be one single thing either.
Securing the use of cloud solutions (SaaS) - Cloud Enabling
Cloud Access Security Brokers (CASBs)
- Discover apps and assess risk: shadow IT, unauthorized or risky cloud services in use
- Understand content to, from, and in apps
- Protect data in context: who, what, where, activity, data
- Identity: provision and deprovision users
- Secure access to apps with SSO and strong authentication
- Detect anomalies: risky behavior, security threats
- Ensure compliance: audit trails, remediation, reporting
- Segment apps: sanctioned/unsanctioned
- Audit activities: user/admin/data
- Enforce granular policies in real time, across any app
- Coach users via conversations and automated
Visibility: CASBs provide shadow IT discovery and sanctioned application control, as well as a consolidated view of an organization's cloud service usage and the users who access data from any device or location.
Compliance: CASBs assist with data residency and compliance with regulations and standards, as well as identifying cloud usage and the risks of specific cloud services.
Data security: CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification, discovery and user activity monitoring of access to sensitive data or privilege escalation. Policies are applied through controls, such as audit, alert, block, quarantine, delete and encrypt/tokenize, at the field and file level in cloud services.
Threat protection: CASBs prevent unwanted devices, users and versions of applications from accessing cloud services. Other examples in this category are user and entity behavior analytics (UEBA), the use of threat intelligence and malware identification.
SaaS security is identity and data centric, not network centric.
Gartner, Market Guide for Cloud Access Security Brokers, ID: G00274053
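The CASB visibility functions above (discover apps, segment sanctioned/unsanctioned, audit user uploads) reduced to a script over proxy logs. This is an added example, not code from the slides or from any CASB product; the log format, the app catalogue and the alert threshold are constructed for illustration.

```python
"""Shadow-IT discovery over web proxy logs: discover cloud apps in use,
segment them as sanctioned/unsanctioned, and flag users with large uploads
to unsanctioned apps. Added example; catalogue and log lines are constructed."""
import re
from collections import defaultdict

# Constructed catalogue: domain -> (app name, category, sanctioned?)
CATALOGUE = {
    "salesforce.com": ("Salesforce", "crm", True),
    "dropbox.com": ("Dropbox", "storage", False),
    "drive.google.com": ("Google Drive", "storage", False),
}

# Constructed proxy lines: timestamp user destination-host method bytes_out
SAMPLE_LOG = """\
2016-04-12T09:14:02Z alice salesforce.com GET 512
2016-04-12T09:15:10Z alice dropbox.com PUT 52428800
2016-04-12T09:16:44Z bob drive.google.com PUT 1048576
2016-04-12T09:19:12Z alice www.dropbox.com PUT 73400320
2016-04-12T09:20:00Z dave intranet.example.local GET 2048
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\d+)$")
def lookup(host):
    """Match a destination host against the catalogue, including subdomains."""
    for domain, entry in CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return entry
    return None

def discover(log_text, upload_alert_bytes=100 * 2**20):
    """Build a per-app usage report and flag users whose uploads to
    unsanctioned apps exceed upload_alert_bytes (a constructed threshold)."""
    apps = defaultdict(lambda: {"users": set(), "bytes_out": 0, "sanctioned": None})
    unsanctioned_upload = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the report
        _, user, host, method, nbytes = m.groups()
        entry = lookup(host)
        if entry is None:
            continue  # unknown destination (e.g. internal host): not a cloud app
        name, _, sanctioned = entry
        apps[name]["users"].add(user)
        apps[name]["sanctioned"] = sanctioned
        if method in ("POST", "PUT"):  # only outbound data counts as an upload
            apps[name]["bytes_out"] += int(nbytes)
            if not sanctioned:
                unsanctioned_upload[user] += int(nbytes)
    shadow_it = sorted(n for n, r in apps.items() if not r["sanctioned"])
    alerts = sorted(u for u, b in unsanctioned_upload.items() if b > upload_alert_bytes)
    return {"apps": dict(apps), "shadow_it": shadow_it, "alerts": alerts}
```

On the sample log, Dropbox and Google Drive appear as shadow IT and alice is flagged for 120 MiB of uploads to an unsanctioned storage app.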
"Through 2017, 90% of enterprises will fail to prevent the use of unauthorized cloud services." (Gartner)
(Diagram: Cloud Access Security Brokers (CASBs). Mobile devices and data inside the perimeter send redirected end-user and administrator traffic to cloud services through a CASB, which provides Visibility, Data Security, Compliance, Threat Protection and Enterprise Integration via redirected traffic and API access; some traffic goes direct to cloud. Cloud services shown: PaaS: IBM Bluemix, Force.com, Oracle Cloud; SaaS: ServiceNow, Workday, Google at Work, Salesforce; IaaS: Microsoft Azure, IBM SoftLayer, Amazon Web Services.)
Thank you!