VMware Cloud Community
djak44
Enthusiast

Security in the Cloud

I always had this question in the back of my mind and still there:

"Who holds the root account on the cloud? AND where is the hardware located?"

A client that owns his hardware and software on his site is the sole root/admin, along with whomever he wishes to add, but on the Cloud this understanding changes. Unless the cloud providers offer a block of hardware to the client, which in turn goes back to (old datacenters). So how can we overcome this hurdle?

DJ

Texiwill
Leadership

Hello,

At the moment the highest level of cloud security we can achieve is Trusted Multi-Tenancy, in other words you still need to trust the cloud administrator to do the 'right thing'. Until there is a better mechanism to encrypt VM memory and VM disk, the cloud administrator can see everything. Granted, if something like MLS/SELinux was imposed within the hypervisor and its management layers this could also be alleviated, given proper configurations, etc. But given the nature of the fully virtualized cloud, it is important to do three things if you want to close the windows on existing attack vectors (but not 100%):

1) Encrypt your transport into the cloud

2) Encrypt your virtual disks from within the VM (not 100% but closes the window quite a bit)

3) Encrypt your network transports within a cloud (an encrypted overlay network)

Now some tools like Apani, TrendMicro Secure Cloud, CloudLink take care of these issues.

Another option is to concentrate instead on the Data in the cloud and encrypt the data that is of high value and risk. CipherCloud does this.

Lots of options depending on how you view cloud security.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security,VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

CrytpoGuy
Contributor

On Point #1 about encrypting disks, Vormetric would strike a balance between SaaS specific operations like Salesforce (nee CipherCloud) and IaaS operations where a VM, OS instance and all, is provisioned and needs to be fully secured. Vormetric encrypts the cloud data, but does it at the individual file level rather than the mounted storage volume layer.

Full disclosure – I work for www.vormetric.com

Todd

michael_40catbi
Enthusiast

This continues to be a hard problem.

If the data is ever cleartext in the cloud, then it is vulnerable to provider abuse or to a cross-tenant attack.

I prefer solutions that maintain encipherment at all times in the cloud, and allow the subscriber to control access to the keys.

If you cannot deploy the latter solution, then encrypt what you can.

Either way make sure you have secondary controls in place to prevent unauthorized access from the provider or another tenant.

These secondary controls must operate within the cloud and provide assurance for protecting against abuse of privilege and cross-tenant compromise.

I recommend at minimum, the following:

  • Virtual firewall
  • Virtual IDS/IPS
  • Virtualized vulnerability management
  • Virtualized change and configuration management
  • Auditing of access to virtual machine images, and virtualized storage
  • Auditing of access to and configuration of virtualized networks, virtualized switches, and virtual NICs

Michael

djak44
Enthusiast

Hello, I guess the law firms are out of the cloud, because in my experience a lawyer would ask about who else accesses the information and this is still an issue.

Even if we have full control over the secondary controls, still the root account will do anything even if the whole thing is encrypted. At a higher level from the legislative side, the place/geography where the data is hosted is a real big issue as well, countries have different laws and what is a crime in one country is not in another, and if the data is in the cloud:

The law enforcement would not need a warrant to have access to all the data. As well as the data is replicated to many sites (redundancy/DR), if the client chooses to have disaster recovery as well, the DR site/objects are somewhere in the cloud, which makes it more spread in the unknown.

As food for thought, Novell has a Directory Services that offers an interesting analogy if we compare it to what is needed in the cloud, and that is (Organizational Unit Partitioning). This is one feature that made the NDS. What is it? You can partition your tree into logical branches and have them completely cut off from the tree, each branch with its own admin; the Admin account at the root of the tree will not have access to the newly separated partition(s). Now I know with cloud it is more complex because we are talking about (Processor/Cache, Memory, Disk) and multitenant. But if we have the hardware side of it managed by Novell Directory Services (example) and come up with the magic of the virtualization (Hypervisor) to translate the hardware resource to NDS the way NDS manages objects (hard work), with the inherent mechanics of NDS we can partition resources the same way we partition any group of resources/objects (servers/routers/applications...). If we succeed, logical branches become tenants, and the root/admin of each partition is separate from the tree admin.

I am just throwing thoughts out there since it is free :). Because we may see health departments, governments and others going cloud it is all fine for them because they TRUST the provider, I am worried about the provider not being able to keep the trust, and it is a good practice to lay this issue on the table, and the responsibility of the provider is to inform the client very clearly on the risks as well as responsible for the business interests.

DJ


djak44
Enthusiast

Encryption keys are kept in memory, so preventing unauthorised memory access is the issue. I am with you for the encryption at all levels if necessary, but it will not address the memory access issue.

DJ


michael_40catbi
Enthusiast

djak44 wrote:

Encryption keys are kept in memory, so preventing unauthorised memory access is the issue. I am with you for the encryption at all levels if necessary, but it will not address the memory access issue.

DJ

Right. AND the memory is easily accessed.

For those of you who may think it is difficult. It's rather trivial if you have admin privilege.


Texiwill
Leadership

Hello,

Hello, I guess the law firms are out of the cloud, because in my experience a lawyer would ask about who else accesses the information and this is still an issue.

Not really, I know some who are using the cloud, the key thing is to understand how to properly use the cloud. For example, some lawyers use Forefront and Microsoft Exchange in the cloud. When using such a service, digitally signing email makes sense as well as ensuring that critical data does not leave the premises, so a DLP solution like Zscaler may be warranted.

Re: Jurisdiction

You are correct, this is a big issue if you are using a cloud that spans countries, but in the US not many span countries and there is almost no way for your data to be placed in another country; this is why you need to properly interrogate your Cloud provider to determine its jurisdictional boundaries. The EU on the other hand may have issues with this. A recent example of this is the Canadian Democratic Party: they wanted to use Salesforce (based in the US), and they determined that if they encrypt the data before placing it in Salesforce, it meets all requirements and the US could not decrypt at will. So in this case encrypting the data on premise and placing it in the cloud is one way around this possible issue.

Re: In memory has the keys

This is just plain true, no way around it if you are doing encryption within the cloud; instead I suggest encryption before it leaves your premises and then place it in the cloud. Very powerful that way. You just need to make sure it's usable.

Remember it is not really about the VM or the cloud itself, but security in the cloud is about the data; yes, the cloud you choose needs secondary controls such as IDS/IPS, but ultimately it is your data that counts. As such, encrypt and sign as necessary to confirm integrity and confidentiality and use well known, well thought out encryption mechanisms, such as something blessed by your government, which believe me has done exhaustive testing and cryptanalytic attacks against it.

Lastly, do your research and due diligence, keep up to date with Cloud and data attacks, so that you are prepared for the worst. This sort of intelligence gathering is critical for continued safety; do not depend on the tool vendors to do it for you, as you know your data's risk. As such, ultimately data security is your responsibility.

Re: Provider Responsibility

In every Cloud provider document I have read in the US, You assume all risks, not them. There is no shared risk here. It is your data, therefore your responsibility. In the EU, this is a bit different due to different laws.

Encryption and digital signatures are not the end all of confidentiality and integrity but if done correctly will protect your data. If you stay on top of the intelligence about attacks, then you will also know better ways to protect your data.

Not all cloud solutions are IaaS, and perhaps if you do set up an IaaS, you should consider how the data moves, is operated upon, and whether you can use something like CipherCloud to encrypt/decrypt data as it leaves your premises for use even within your IaaS cloud....

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security,VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

djak44
Enthusiast

Hello and thank you, I really believe that a lot of homework needs to be done, and it is not one solution for all, every client has different needs. Security issues are at different levels, it does not mean to give up, but to have a holistic understanding, even beyond the cloud is necessary, which brings with it a different mind (Mentality).

Regards,

DJ
