Tuesday, April 6, 2010

Cloud Security: FUD

FUD stands for Fear, Uncertainty and Doubt.  Big vendors scare the heck out of most customers - "you don't have any security and you need this, this and that ..." - and to some extent it is true, but many customers can't afford the cost, as no simple solutions are proposed.  With differing viewpoints and ideologies, customers face a lot of uncertainty when buying solutions or choosing an architectural philosophy.

An article on Cloud Security: Good Bad and Ugly highlights some of the FUD.  The questions asked are very much valid (I have updated a few with my interpretation):
  • Who audits a Cloud provider (security, data storage and use, updates to provider infrastructure that may change the security threat model, etc.)?
  • Are background checks done on the Cloud provider operators?
  • How is data stored with a Cloud provider protected - from hackers, governments, disasters, etc.?
  • Some Cloud providers have teamed up with boutique security consulting firms.  What does it really mean?
It is wrong to state **anything** is insecure - these blanket statements are harmful.  Exact scenarios on how a service is used must be clearly determined and security testing must be appropriately applied.  Security is not black or white - it is Risk Management.

Thursday, February 25, 2010

Virtualization divides Security & IT folks - market immature

This article summarizes the challenges in today's IT environments - one-third believe virtualization and cloud computing make security "harder," while one-third said it was "more or less the same," and the remainder said it was "easier."

This kind of spread between answers clearly underlines the maturity of the virtualization & cloud security market - which is very, very nascent.  In mature markets, terminologies or concepts, we get one answer or an answer close to the correct one.  But here, there is a wide spread in the interpretation of terminology, concepts and solutions too.  For the common IT person, my suggestion would be to go slow and understand the fundamentals.  Ignoring it is not an option, as catching up will be almost impossible.

Virtualization security

In the report titled "Cisco gaining mind share in security", there is an interesting paragraph on Virtualization:

The survey consisted of 259 information security professionals.

All but 2% of the Fortune 100 participants said they had virtualization "in use" in their organizations or had plans to use, with 33% expecting virtualization to impact their security procurements. Check Point was cited most frequently as a vendor they chose to solve security concerns at this stage, the InfoPro report states. Among midsize enterprises, 41% said they were "very concerned" or "extremely concerned" about security in a virtual environment due to concerns about the complexity of it introducing a higher level of security risk.

In a question about cloud computing, the survey found about 35% of Fortune 1000 companies said they were already using cloud-computing services, with 25% planning to use them in the next two years. 

Technology behind Vancouver Winter Olympics 2010

Fascinating slide show with details on technology behind Vancouver Olympics - http://www.networkworld.com/slideshows/2010/021010-olympics-technology.html

Full IP converged network running on optical fibers (Avaya gear),  back end is based on Sun server and storage hardware, attendee accreditation is based on Windows platform, Windows Mobile based Samsung smart phones, Cisco medianet engine for Video (stream, edit), and NBC is using Microsoft Silverlight for Internet streaming.

Tuesday, February 9, 2010

OpenID and Credit Cards

Let's take a quick look at how Credit Cards (CCs) work - they are primarily provided by Visa, MasterCard, Discover, AmEx, etc., and are issued via various banks.  When someone swipes a CC at a merchant location, the information is sent to an authorized payment gateway, which in turn talks to the network the card belongs to (Visa, MasterCard, etc.) for authorization.  Today, the security weak points are at merchant locations and payment gateways.  Security issues include loss of CC data, loss of private information, identity fraud and so on.

If we apply the CC analogy to the OpenID distributed authentication model, then we may have some security issues similar to those with CC data, and many more besides.  If we assume that we are going to get there, what kinds of laws and protection mechanisms need to be in place to make this a success?

Monday, February 8, 2010

OpenID, a disturbed authentication

You can read about OpenID and how it works here

Though OpenID is marketed and used as a distributed authentication system, there are very few players and these are the big ones - AOL, Google, Yahoo, Facebook, etc.  There is one thing common among them - they are all portals relying on advertising revenue as their business model.  The business model relies on getting as much information about the user as possible.

Let's check this scenario out:
A corp relies on an OpenID provider to authenticate users.  So, when the user tries to access an application, the application checks if the user is authenticated and, if not, he/she is redirected to the OpenID provider for authentication.  Once the OpenID provider performs the login ceremony and successfully authenticates the user, the user is redirected back to the application for access.  Similarly, when the user logs off, the OpenID provider is notified.
Here the OpenID provider is keeping track of user login/logoff events - time stamps, application access, location of access, roles of users for various applications, changes in user population on the corp side and so on.  This kind of information is a gold mine for providers relying on ad revenue.  The provider is also able to track user movement among corporations, and each corporation's user and application movement.  Role management is also an issue - how are policies applied to users and applications, and where are they applied - on the OpenID provider or on the corporate side?  Both of these methods have an impact - if it is on the corp side, there will be a performance impact, but if it is on the OpenID provider side, then we have an information disclosure issue.
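The provider-side visibility described above, as an added example that is not part of the original post: a constructed log of login/logoff events as an OpenID provider would see them, and what can be derived from it. The event fields, user names and `corp-*.example` domains are assumptions made for illustration, not an OpenID message format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: what an OpenID provider sees when relying parties
# redirect users to it. Field names are assumptions, not an OpenID format.
EVENTS = [
    ("2010-02-01T09:02", "alice", "corp-a.example", "payroll", "login",  "Vancouver"),
    ("2010-02-01T17:31", "alice", "corp-a.example", "payroll", "logoff", "Vancouver"),
    ("2010-02-01T09:15", "bob",   "corp-a.example", "crm",     "login",  "Toronto"),
    ("2010-02-01T12:40", "bob",   "corp-a.example", "crm",     "logoff", "Toronto"),
    ("2010-02-08T08:55", "bob",   "corp-b.example", "wiki",    "login",  "Toronto"),
    ("2010-02-08T18:05", "bob",   "corp-b.example", "wiki",    "logoff", "Toronto"),
    ("2010-02-08T09:01", "alice", "corp-a.example", "crm",     "login",  "Seattle"),
]

def provider_view(events):
    """Derive what the provider can infer from authentication events alone."""
    apps = defaultdict(set)         # user -> {(corp, app)}
    places = defaultdict(set)       # user -> {location}
    corps_seen = defaultdict(list)  # user -> corps in order of first sighting
    headcount = defaultdict(set)    # (corp, ISO week) -> {user}
    open_login, session_min = {}, defaultdict(int)
    for ts, user, corp, app, kind, loc in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
        apps[user].add((corp, app))
        places[user].add(loc)
        if corp not in corps_seen[user]:
            corps_seen[user].append(corp)
        headcount[(corp, when.isocalendar()[1])].add(user)
        if kind == "login":
            open_login[(user, corp, app)] = when
        elif (user, corp, app) in open_login:
            start = open_login.pop((user, corp, app))
            session_min[user] += int((when - start).total_seconds() // 60)
    # Users seen at more than one corporation: movement between employers.
    movers = {u: c for u, c in corps_seen.items() if len(c) > 1}
    return {"apps": dict(apps), "places": dict(places), "movers": movers,
            "headcount": {k: len(v) for k, v in headcount.items()},
            "session_minutes": dict(session_min)}

if __name__ == "__main__":
    for key, value in provider_view(EVENTS).items():
        print(key, value)
```

Nothing here requires access to application data: authentication metadata alone yields the user's applications, locations, working hours and change of employer, which is what a corporation should weigh when reviewing a provider's logging and retention terms.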

It would be good to understand what corporations are thinking about using OpenID.

Thursday, January 28, 2010

Virtualized Data Center - but, where is Security?

Cisco, NetApp & VMWare made an announcement on Virtual Data Center.  The paper gives a very high-level view of what a virtual data center would look like.  One could possibly replace these company names with something like: Virtual Networking Components, Storage, and Hypervisor.  The only concern I have with this paper is that it does not talk about security.  It does make a mention of "Secure multi-tenancy" without explaining what secure really means.  In the world we live in today, with most information in electronic format, customers must reject marketing collateral if it does not explicitly address security.  With the advertised provisioning time of 1 minute, imagine the amount of damage that can be done by provisioning this and not realizing the security impact for 30 minutes.

January 29 - Update
Here is the blueprint architecture guide to Designing Secure Multi-Tenancy into Virtualized Data Centers
While they talk about secure separation, it is illustrated via operational methods (use of different types of administrators, etc.) and logically using vSwitches.  While these are MUST HAVEs, they are not sufficient.  One would also need a Virtual Firewall (Key Pair Technologies) for enforcing ACLs, and for identity-based access you will also need a wire-speed access control device - Access Control Appliance (Key Pair Technologies).

Tuesday, January 26, 2010

Cloud Customers Report Capital Cost Savings - really??

I was reading this article "Cloud Customers Report Capital Cost Savings" which is based on a research report from "Responsible Cloud": very interesting data:
  • Total enterprises interviewed: 159
  • Private Cloud preferred: 75%, out of which 52% are implementing both on-premises and off-premises
  • Customers seeing CAPEX (power, cooling) savings: 61%
  • Customers seeing both CAPEX & OPEX savings: 25%
  • Other benefits include freeing up strategic resources (49%), enabling disaster recovery/business continuity planning (46%), and increased flexibility and agility (46%). Overall, 89% of customers reported multiple outcomes, with just under half of all enterprises (46%) reporting five or more significant outcomes.
  • The report also found that the single most common level of OpEx reduction (from a sample of 79 respondents) was in the range of 21-30%. However, across all these respondents, cloud computing returned an average 22% OpEx saving.
  • Of the 76% of cloud customers that also reported real, measurable cost savings, the single most common level of CapEx reduction was between 11-20%. The CapEx return across all these respondents was 26%.
There are many more numbers attached, but I am not convinced that Cloud deployment can yield mainly CAPEX savings.  I strongly believe that this is due to Virtualization and not just deploying REST based services.  If they really went to REST based services for storage, applications, etc., then they would have encountered lots of professional services expenses, which are not shown.

Virtualization ROI

There is an article on Network World which is titled "Virtualization Projects fail to reach ROI targets".  The main reason provided was that customers put too much faith in hypervisor-vendor-provided models, which are skewed to illustrate ROI.  I agree with the author that there is some truth to it.

I started to look at major vendors like VMWare, Cisco, HP, Microsoft, IBM, etc. and their version of Virtualization ROI.  They are talking mainly about energy (power & cooling) savings - which can be easily demonstrated as $ spent/saved.  What these don't take into account are the other costs to make this saving happen.

Here is an example: a datacenter wants to move 50 web servers to virtual environments.  If they just move 50 to such an environment and add a few more to compensate for performance, then ROI can be achieved.  But if they now state, "I want to move my switch to a virtual switch, my firewall to a virtual firewall, my Single Sign On solution to a virtual platform", they are asking for trouble in terms of ROI, as these were never accounted for in the first place (professional services costs, time to deploy, cost of new licenses, management infrastructure, security/threat modeling, etc.).  There is nothing wrong in doing it, it just needs to be accounted for.

Monday, January 25, 2010

Security in a multi-tenant hypervisor (virtualization) platform

By definition, a hypervisor is a layer that sits between a guest operating system and the hardware or a native operating system.  By using an operating system, multiple applications can be run simultaneously.  By using a hypervisor, multiple guest operating systems can be run simultaneously on the same hardware.

When running multiple guest operating systems on a single hypervisor, security must be ensured.  Security entails:
1. Isolation between multiple operating systems.  In a traditional network, one can check physical hardware and network cables.  But this is a logical network, and hence settings must be carefully reviewed.
2. Protection of the hypervisor and other guest operating systems from a compromised guest operating system or application
3. Possibility of rootkits in the Hypervisor or Hardware
4. The Hypervisor (or the hardware on which it is running) can become the single point of failure
5. Misconfiguration of virtual networking components (virtual switch, virtual load balancer, virtual VPN, virtual firewall, etc.) can enable serious threats
6. With dynamically available guest operating systems, audits and especially forensic audits become a nightmare (something went wrong a day ago - what/where can we look to determine the cause - especially if that guest operating system is no longer up).
7. Threat modeling and Regulatory compliance are key requirements for many enterprises and service providers.  There is no cookie-cutter model for threat modeling or compliance when dynamic resource (de)allocation is enabled.
8. For an application or soft-appliance vendor, avoiding piracy and managing licenses is a significant challenge.  This impacts the customer, who has to maintain the licensing information and protect the assets from being stolen and reused somewhere else.
9. Security patches or software updates on the hypervisor may introduce unknown threats to guest operating systems and applications.  There is no real model for testing this.
10. Moving a virtual network with all of the guest operating systems & applications to another hypervisor may introduce unknown security risks. Known security risks include: static policies may no longer be effective, the guest OS may be moved to a different security domain, etc. There is a direct asset tracking & management risk - "Where is my Virtual Machine?"
11. Traditional IT is managed by a few teams: Network Operations, Security, Application Development, Business Operations and so on.  With everything being on a single hypervisor, ownership lines are blurred.
12. Most viruses, trojans, etc. are found on the Windows Platform - because it is the most widely used.  Similarly, it is only a matter of time before popular hypervisors and deployment models are affected.
Security can be rephrased as "Risk Management".  While the above threats are real, one has to carefully look at the deployment model and build a playbook (people, process, technology) for rules of deployment.  That is the only way we can benefit from this new technology.

Sunday, January 24, 2010

Cloud & Virtualization Security

This blog is intended to share our experiences & expectations with Cloud & Virtualization security.  But, before we go there, let's get some understanding of what these mean and why it matters.

Today, the top issue for a CIO is Data Center consolidation using Server Virtualization techniques.  This is mainly driven by the need to reduce CAPEX (better use of server hardware & depreciation costs) & OPEX (power and cooling $ savings).  But moving applications to virtualized platforms introduces a change in the deployment model and hence the threat model.  Threats associated with this are broadly categorized as "Virtualization Security".

There is another phrase that is loosely talked about by IT - "Cloud enablement".  The way I would explain this is accessing services such as storage, applications, etc. using REST based protocols.  Many even consider "Platform or Infrastructure as a Service" a part of Cloud.  Platform would include Virtualization, and Infrastructure would be configuring hardware (network, memory, CPU) dynamically.  So, it will be necessary for us to understand the differences amongst all of these.  Google Apps and SalesForce.com are some Cloud based applications - we never ask them if they are running on platform A or infrastructure X.  In terms of Infrastructure as a Service, Amazon EC2 and RightScale are some examples, where they provide tools to upload software.  These services run on virtualized platforms.

As I mentioned, Cloud Applications mostly use REST based protocols.  Added to this, they may be dynamically provisioned or de-provisioned.  These applications need to be secured from traditional threats, denial of service attacks, application attacks, cross site scripting, session hijacking, etc.  Single Sign On is an absolute must.  If these Cloud applications are hosted on public service Infrastructures or Platforms (Amazon, RightScale, etc.), then the applications can be on a multi-tenant platform and hence they need to secure themselves.  The platform also needs to give its cloud application customers confidence that the platform is secure.

The above would be the starting points in enabling security for Virtualization and Cloud environments.