Infrastructure as a Service

Presentation transcript:

Infrastructure as a Service Flexibility. Economy of resources. Free choice of computing power. New risks to providers and enterprises.

Economy 1. IT infrastructure on demand – more cost-effective. 2. No redundant IT infrastructure, staff, and/or investments. No restraining factor to innovations. 3. Flexible response to the needs in computing power. Flexibility, scalability, configurability, mobility.

Flexibility 1. Outsourcing hardware infrastructure; retaining IT management. 2. Outsourcing all aspects of IT management. 3. Mixed model; outsourcing some segments of IT management where applicable. Most often implemented on demand of enterprise administrative branches.

IDC market research International Data Corporation Surveyed top managers of 244 leading IT companies world-wide. As early as in 2008.

Primary concerns Will I have the same level of control over the IT infrastructure and the data? Does the IT infrastructure comply with the Law? How can I demonstrate it to the auditors? How will I prove to my company that the IT system is secure? How do I know that Service-Level Agreements will be observed?

Data-Processing Centre Risk 1: Placing sensitive data outside the secure perimeter may expose them to security risks. Risk 2: Placing sensitive data outside the secure perimeter may be incompatible with the Law.

Secure perimeter Firewall. DMZ. Network segmentation. Intrusion Detection & Prevention Systems. Network monitors.

Virtualization More computing power from physical servers' redundant capacities. Smaller DPC's, server consolidation, reduced costs of operation. Individual services; diversified configuration of applications.

Virtualization kills secure perimeter Impossible to build and apply secure perimeter: Many servers are installed on one hardware platform. Data security has to be built around the data themselves and each server. Generally low level of security. Secure perimeter loses its sense. Only application of new line of defence allows for transferring IT operations to the cloud.

Difficulties of cloud security Means of cloud security in principle the same as traditional means of system security. Providers of cloud services install virtual machines on the same physical servers. Increases efficiency of virtualization, compromises security. Traditional means of system security can't protect from attacks on virtual machines from within the same physical server.

Access to the servers System administrators have access via Internet. Unlike traditional systems with access control on physical level. Additional challenges to the system security. Strict control of the administrators' access – critical. So is control and transparency of changes on the system level.

VM state and volatility Virtual machines are dynamic. Can be easily – rolled back to a previous state; – shut down and/or restarted; – cloned and moved between servers. Vulnerabilities and/or misconfigurations can spread uncontrollably.

Vulnerabilities & attacks from within The same level of risk to be hacked or infected. In fact it's even higher: several VMs running at the same time on one physical server increase the attack surface. New challenge: hacking or infecting from within. On the same physical server one virtual machine may attack another virtual machine. Intrusion Detection and Prevention systems now must be capable of working on the VM level, regardless of the location of that VM in the cloud.

Idle virtual machines A VM may be compromised even if turned off. Enough if the perpetrator has access to the image storage. VM defenceless while turned off: No security software is operating. It's the responsibility of the provider of cloud services to scan idle virtual machines regularly. Companies should check whether providers enable scanning on a regular basis in their cloud environment.

Efficiency Security solutions designed for x86 platform. Without the virtualization in mind. Massive scanning of multiple resources will cause a dramatic decrease in efficiency of the whole cloud structure. Solution is in scanning on the hypervisor level: No competition for resources on the VM level. Companies should check whether providers enable scanning on a regular basis in their cloud environment.

Data integrity In a cloud the attack surface is bigger and at greater risk than in a traditional environment. It's critically important to prove to internal and external auditors that the data were not compromised. Logs must be analyzed for system integrity, file integrity, as well as internal activities. Compliance with security standards (PCI DSS, HIPAA, etc.) provides “safe haven” in case of data security breach.

Update management Once a company has subscribed to a cloud service, updating its applications is not the provider's responsibility. About 90% of data security breaches occurred due to misunderstanding of update management. “Virtual patches”: Blocking vulnerability attacks on the network level. If timely update is impossible or impracticable.

Laws and policies Data security standards (PCI DSS, HIPAA, GLBA, etc.) and security audit recommendations (ISO, SAS70, etc.) require the ability to prove compliance with the Law regardless of the physical location of the cloud system. Service-Level Agreements must provide for access to physical servers, virtual servers, firewall configuration, intrusion detection and prevention systems, logs, and anti-viruses.

Firewalls Reduce the attack surface. Cloud firewalls must comprise: – VM isolation; – input/output traffic filtration; – IP protocols coverage (TCP, UDP, ICMP, etc.); – IP frameworks coverage (TCP, ARP, etc.); – DoS attacks prevention; – sniffing and spoofing prevention. Also control over the physical location.

Intrusion detection & prevention Primary task: to screen the operating system's and applications' vulnerabilities until they are eliminated. Must provide protection from known, as well as unknown (zero-day) vulnerabilities. Must provide protection from XSS and SQL injection.

Data integrity Detecting and preventing unauthorized changes in the operating system, files, and/or registers. Must include: – scheduled scanning and scanning on demand; – files' formats, properties, attributes and CRC; – directories' properties and attributes; – configurability of the scope of scanned objects; – reports (for audit).
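The scan-and-report cycle listed on this slide, as an added Python example (not part of the original presentation or of any product it mentions). `snapshot` and `compare` are hypothetical names, and SHA-256 is used in place of the CRC the slide names, because a CRC catches accidental corruption but can be matched by a deliberate modification.

```python
import fnmatch
import hashlib
import os
import stat


def snapshot(root, include=("*",), exclude=()):
    """Record attributes (and SHA-256 for files) of every in-scope path.

    include/exclude are glob patterns on the path relative to root; they
    implement the "configurable scope" requirement. Hypothetical helper.
    """
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if not any(fnmatch.fnmatch(rel, p) for p in include):
                continue
            if any(fnmatch.fnmatch(rel, p) for p in exclude):
                continue
            st = os.lstat(path)  # lstat: do not follow symlinks out of scope
            rec = {"mode": stat.filemode(st.st_mode),
                   "uid": st.st_uid, "gid": st.st_gid}
            if stat.S_ISREG(st.st_mode):
                rec["size"] = st.st_size
                with open(path, "rb") as fh:
                    rec["sha256"] = hashlib.sha256(fh.read()).hexdigest()
            records[rel] = rec
    return records


def compare(baseline, current):
    """Build the audit report: paths added, removed or changed since baseline."""
    report = {"added": [], "removed": [], "changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            old, new = baseline[rel], current[rel]
            fields = sorted(k for k in set(old) | set(new)
                            if old.get(k) != new.get(k))
            report["changed"].append({"path": rel, "fields": fields})
    return report
```

The baseline has to be stored where the monitored machine cannot rewrite it; otherwise whoever changes a file can also update the record that would expose the change.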

Log analysis Detecting events in the logs that are significant from the point of view of information security. Suspicious behaviour. Administrators' actions. Statistical analysis of events throughout the whole cloud infrastructure. Security Information and Event Management (SIEM).

Measures against malicious s/w Anti-viruses adapted for the cloud environment. VMsafe: Software interface provided from the hypervisor (VMware). Scanning active and idle virtual machines. Checking integrity of the VM's as well as their content (files, applications, and registers). Guarantees economical use of the physical resources.

VMsafe Protects active as well as idle virtual machines. Prevents blocking and/or uninstalling anti-viruses. Integrated with the cloud management control panel (VMware vCenter). Automatic configuration of new virtual machines.

Thank you for your attention! Any questions?