TechEd NA 2014 – Public Cloud Security

TechEd North America 2014, Houston
Public Cloud Security: Surviving in a Hostile Multitenant Environment – Mark Russinovich

Day 3, 14 May 2014, 3:15PM-4:30PM (DCIM-B306)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • To move to cloud, customers must trust us
  • Need to follow best practices to make things secure
    • At least as good as what your customers are doing
  • Makes sense to look at top threats and think about mitigating risk in each case
  • Azure does a lot of work to mitigate risk in many areas
    • Often far more than you’d do in your own organization
  • Top three threats
    • Data breach
    • Data loss
    • Account or service hijacking
  • Encryption at rest not a panacea

Full video

Mark Russinovich – Technical Fellow, Azure, Microsoft

“There is no cloud without trust”

  • Security, Availability, Reliability

Misconceptions about what it means to be secure in cloud

  • Will dispel some of the myths
  • Look at what’s behind some of the risks
  • Mitigation of risks

The Third Computing Era

  • 1st – Mainframes
  • 2nd – PCs and Servers
  • 3rd – Cloud + Mobile
  • (Lack of) Security could ruin everything

Security

  • Study after study, CIOs say looking at cloud, but worried about security
  • Other concerns
    • Security
    • Compliance
    • Loss of control

Goals of this Session

  • Identify threats
  • Discuss risk
  • Mitigate

Cloud Architecture

  • Canonical reference architecture
  • Virtualized structure
  • Datacenter facility
  • Microsoft—deployment people and DevOps
  • Customers of cloud—Enterprise, Consumer
  • Attacker

Cloud Security Alliance

  • Microsoft is a member

The Cloud Security Alliance “Notorious Nine” (what are threats to data in cloud?)

  • Periodically surveys industry
  • 2010 – Seven top threats
  • 2013 – Nine top threats
  • Mark adds 10th threat

#10 – Shared Technology Issues: Exposed Software

  • Shared code defines surface area exposed to customers
    • In public cloud, servers are homogeneous—exact same firmware
    • Hypervisor
    • Web server
    • API support libraries
  • What if there’s a vulnerability?
  • Stability and security are balanced against each other
    • Patching might bring down servers
  • Assumes infrastructure is accessible only by trusted actors
  • Corporate and legal mechanisms for dealing with attackers
  • This is: Enterprise Multi-tenancy

#10 – Shared Technology Issues: The Cloud Risk

  • A vulnerability in publicly accessible software enables attackers to puncture the cloud
    • Exposes data of other customers
    • Single incident—catastrophic loss of customer confidence
    • Potential attackers are anonymous and in diverse jurisdictions
  • “Are you doing as good a job as I’d be doing if I had the data in the house”?
  • Important (vs. Critical) – data not at risk, but confidence in Azure is critical
    • “Cloud critical”
  • “Hostile Multi-tenancy”
  • We do whatever it takes to patch immediately

#10 – Shared Technology Issues: Bottom Line

  • Enterprises and clouds exposed to this risk
  • Clouds at higher risk
    • Data from lots of customers
    • API surface is easy to get to
  • Clouds are generally better at response
    • Azure has about 1,000,000 servers
    • Can do critical patch in just a couple hours, all servers
    • Breach detection/mitigation
  • Risk matrix
    • Perceived risk—bit below average
    • Actual risk – Fairly high (Mark’s assessment)

#9 – Insufficient Due Diligence

  • Moving to cloud, but side-stepping IT processes
    • Shadow IT
    • BYOIT – Bring your own IT—non-IT going to cloud
    • IT management, etc. are designed for on-premises servers
  • Bottom line
    • IT must lead responsible action

#9 – Insufficient Due Diligence – Azure

  • Azure API Discovery
    • Monitors access to cloud from each device
  • SDL
  • Cloud SDL (under development)

#8 – Abuse of Cloud Services

  • Agility and scale of cloud is attractive to users
  • Use of Compute as malware platform
  • Use of storage to store and distribute illegal content
  • Use of compute to mine digital currency
    • VMs shut down per month, due to illegal activity: 50,000-70,000
    • Bulk of it is for generating crypto currency
    • Top 3 countries that are doing this: Russia, Nigeria, Vietnam
    • Password for Vietnamese pirate: mauth123 (password123)
    • Harvard supercomputer was mining bitcoin

#8 – Abuse of Cloud Services: It’s Happening

  • Attackers can use cloud and remain anonymous
  • Bottom line
    • Mostly cloud provider problem
    • Hurts bottom line, drives up prices
  • Using machine learning to learn how attackers are working

#7 – Malicious Insiders

  • Many cloud service provider employees have access to cloud
  • Malicious check-in, immediately rolls out to everybody
  • Operators that deploy code
  • Datacenter operations personnel
  • Mitigations
    • Employee background checks
    • Limited as-needed access to production
      • No standing admin privileges
    • Controlled/monitored access to production services
  • Bottom line
    • Real risk is better understood by third-party audits

Compliance is #1 concern for companies already doing stuff in cloud

#7 – Malicious Insiders – Compliance

#6 – Denial of Service

  • Public cloud is public
  • Amazon was at one point brought down by DDOS
  • Your own app could get DDOS’d
  • Cloud outage – a form of DDOS
  • Redundant power from two different locations to each data center
  • Blipping power to data center results in major outage—several hours
  • Mitigations
    • Cloud providers invest heavily in DDOS prevention
    • Third party appliances that detect and divert traffic
    • We do this for our clients too
    • These handle large-scale DDOS, but don’t catch smaller attacks
  • Geo-available cloud providers can provide resiliency
  • Azure
    • DDOS prevention
    • Geo-regions for failover

#5 – Insecure Interfaces and APIs

  • Cloud is new and rapidly evolving, so lots of new API surface
  • CSA – one of the biggest risks
  • Examples
    • Weak TLS crypto – DiagnosticMonitor.AllowInsecure….
    • Incomplete verification of encrypted content
  • Bottom line
    • Cloud providers must follow SDL
    • Customers should validate API behavior

#4 – Account or Service Traffic Hijacking

  • Account hijacking: unauthorized access to an account
  • Possible vectors
    • Weak passwords
    • Stolen passwords (e.g. Target breach)
    • Then you find that people use same password everywhere; so attacker can use on other services
  • Not specific to cloud
    • Cloud use may result in unmanaged credentials
    • Developers are provisioning apps, hard-coding passwords, publishing them
    • Lockboxes, “secret stores”
    • Back door—someone in DevOps gets phished, then brute force
  • Mitigations
    • Turn off unneeded endpoints
    • Strong passwords
    • Multifactor authentication
      • Entire world moving to multifactor
    • Breach detection
  • Azure
    • Anti-malware
    • IP ACLs (with static IP addresses)
    • Point-to-Site, Site-to-Site, ExpressRoute
    • Azure Active Directory MFA

#3 – Data Loss

  • Ways to lose data
    • Customer accidentally deletes data
    • Attacker deletes or modifies it
    • Cloud provider accidentally deletes or modifies it
    • Natural disaster
  • Mitigations
    • Customer: do point-in-time backups
    • Customer: geo-redundant storage
    • Cloud provider: deleted resource tombstoning
      • Can’t permanently delete
      • 90 days
  • Azure
    • Globally Replicated Storage
    • VM Capture
    • Storage snapshots
    • Azure Site Replica

#2 – Data Breaches

  • Represents collection of threats
  • Most important asset of company is the data

#2 – Data Breaches: Physical Attacks on Media

  • Threat: Attacker has physical access to data/disk
  • Mitigation: cloud provider physical controls
    • To get in data center, gate with guards
    • To get into room with servers, biometric controls
    • Disk leaving data center—very strict controls
    • Data scrubbing and certificate
    • SSDs never leave data center, because it’s so hard to scrub it
    • HDDs are scrubbed
  • Enhanced mitigations
    • Third-party certifications (e.g. FedRamp)
    • Encryption at rest
  • Azure: third-party encryption

Encryption at rest

  • Two types
    • Cloud provider has keys
    • Customer has keys
  • When you have keys, you’re also giving keys to cloud to decrypt

#2 – Data Breaches: Physical Attacks on Data Transfer

  • Man-in-the-middle
  • Mitigation
    • Encrypt data between data centers
    • APIs use TLS
    • Customer uses TLS
    • Customer encrypts outside of cloud

#2 – Data Breaches: Side-Channel Attacks

  • Threat: Co-located attacker can infer secrets from processor side-effects
  • Snooping on processor that they’re co-located on
  • Researcher assumptions (but unlikely)
    • Attacker knows crypto code customer is using and key strength
    • Attacker can co-locate on same server
    • Attacker shares same core as you
    • Customer VM continuously executes crypto code
  • Not very likely
  • Bottom line
    • Not currently a risk, in practice

#2 – Data Breaches: Logical Attack on Storage

  • Threat: attacker gains logical access to data
  • Mitigations
    • Defense-in-depth prevention
    • Monitoring/auditing
  • Encryption-at-rest not a significant mitigation
    • If they can breach logical access, they can maybe get keys too
    • The keys are there in the cloud
    • Encrypt-at-rest isn’t based on real threat modeling

#2 – Data Breaches: Bottom Line

  • Media breach not significant risk
  • Network breach is risk
  • Logical breach is a risk
    • Encrypt-at-rest doesn’t buy much

#1 – Self-Awareness

  • E.g. Skynet
  • People are actually worried about this

TechEd NA 2014 – Data Privacy and Protection in the Cloud

TechEd North America 2014, Houston
Data Privacy and Protection in the Cloud – A.J. Schwab, Jules Cohen, Sarah Fender

Day 2, 13 May 2014, 10:15AM-11:30AM (OFC-B233)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • The issue of Trust is important whenever you talk about moving data to cloud
    • Need to convince users that data will be secure, private
  • Data Privacy is key goal for Microsoft
  • Lots of tools for controlling access to data, e.g. identity management
  • Security at many layers, e.g. physical, network, etc.
    • Microsoft pours lots of resources into security for the layers that they control

Full video

Jules Cohen – Trustworthy Computing group, Microsoft

Three major buckets, when thinking about moving data to the cloud

  • Innovation properties – will cloud let me do what I want?
  • Economics – what is TCO?
  • Trust

First two buckets are relatively un-complicated

  • Trust – harder to evaluate, more visceral
  • Privacy and data protection are part of trust

Trust

  • Microsoft has made significant investments
  • If you already trust the cloud, we’re going to improve level of trust

Changing Data Protection concerns to opportunities

  • You already trust people within your organization
  • In cloud world, some of these functions move off premises
  • Ref: Barriers to Cloud Adoption study, ComScore, Sept-2013
    • 60% – security is barrier to cloud adoption
    • 45% – concerned about data protection (privacy)

Definitions

  • Can’t have privacy without security
  • Security is a pre-req
    • Do the right people have access to the data?
  • Once data is in the right hands, we can talk about privacy
    • Do people who have access to data use it for the right things?

Perceptions after migration to cloud

  • 94% – said they experienced security that they didn’t have on-premise
  • 62% – said privacy protection increased after moving to cloud

Microsoft’s approach to data protection

  • 1 – Design for privacy
    • Corporate privacy policies, disclosures
    • Trustworthy Computing formed in 2002, after memo from Bill Gates—privacy, security, reliability
  • 2 – Built-in features
    • Customers can use these features to protect their data
  • 3 – Protect data in operations
    • Operating services – Microsoft committed to data protection in service operations
    • Microsoft complies with various standards, help customers comply with those standards
  • 4 – Provide transparency and choice

Privacy governance – Program

  • Design for Privacy
  • People – Employs several hundred people focused on privacy
  • Process
    • Internal standards
    • Rules maintained by Trustworthy Computing
  • Technology
    • Use tools to support people and processes
    • Look for vulnerabilities

Privacy governance – Commitments

  • Microsoft services meet highest standards in EU (Article 29)
  • First (and only) service provider to get this approval

Sarah Fender – Director of Product Marketing, Windows Azure, Microsoft – Built-in Features

Data Protections in Azure

  • Data location – can choose to run in a single region, or multiple regions
  • Redundancy & Backup
    • 3 copies of data, within region
    • Can also do geo-redundant storage, to different region
    • E.g. Create new storage account, pick region
  • Manage identities and access to cloud applications
    • Centrally manage user accounts in cloud
    • Enable single sign-on across Microsoft online service and other cloud applications
    • Extend/synchronize on-premise to cloud – Active Directory synching to Azure
  • Monitor and protect access to enterprise apps
    • Passwords stored in encrypted hashes
    • Security reporting that tracks inconsistent access patterns – e.g. user accessing service from distant geo-locations
    • Step up to Multi-Factor Authentication – e.g. text message or e-mail with secret code

Data encryption

  • VMs – encrypted disk using BitLocker
  • Can encrypt data at rest
  • SQL TDE
  • Applications – RMS SDK
  • Storage – .NET Crypto, BitLocker (import/export), StorSimple w/AES 256

Data protections in Office 365

  • Encrypt data in motion and also at rest
A.J. Schwab – Senior Privacy Architect, Office 365, Microsoft – Protect Data in Operations

Value proposition of running in cloud

  • Less work—patching, reacting to problems

Defense in depth strategy

  • Physical
    • Who comes into facility?
    • What media goes in/out?
    • If bad guy can stand in front of your computer, it’s not your computer anymore
  • Network
    • Looking for anomalous traffic
    • Packet penetration testing
    • Watching logs
  • Identity & Access Management
    • Internal Microsoft authentication policies for internal staff
    • Know who people are and who gets access from within Microsoft
    • Just-in-time access – when someone wants access to customer information, it’s an exception
  • Host Security
    • Patching, managing OS on host
  • Application
    • Make sure that application is running in secure configuration
  • Data
    • “Data is everything” – data is money
    • Big part of the focus is protecting the data
  • 24x7x365 incident response

Cloud security must be equal or better to on-premise

Protect data in operations

  • Data isolation
    • Very important to customers
    • Only privileged user has access to data
  • Limited Access
    • MFA for service access
    • Auditing of operator access/actions
    • Zero standing permissions in the service
    • Automatic Microsoft staff account deletion
      • To make sure that things follow policies, everything is automated
    • Staff background checks, training
      • Can Microsoft trust the people that it hires?

Approach to Compliance

  • Industry standards and regulations
  • Controls Framework & Predictable audit schedule
  • Certification and Attestations

Customer Stories – Kindred Healthcare

  • Background
    • Big healthcare provider
    • Mobile service, ensure data privacy
  • Solution
    • Office 365 Exchange, SharePoint, Lync
    • Met security and privacy needs

Shared Protection Responsibility

  • IaaS – cloud customer has most of the responsibility
  • SaaS – cloud provider assumes many of the responsibilities

Provide transparency and choice

  • Trust Center web page – for Office 365, and for Azure
  • Lots of documentation online

Summary

  • 1 – Design for privacy
  • 2 – Built-in features
  • 3 – Protect data in operations
  • 4 – Provide transparency and choice

Questions and Answers

Q: SharePoint, is data encrypted while data is at rest? Is BitLocker available? Or third-party products?

  • Microsoft has committed to the goal of having all data in transit and all data at rest encrypted
  • By the end of 2014, SharePoint data at rest will be fully encrypted
  • But law enforcement has generally been satisfied with current security and privacy policies

Q: What tools do you have to assist attorneys?

  • See materials in the Trust Center
  • Microsoft constantly talking to lawyers, to stay on top of current regulations
  • So probably collateral materials that are required are there
  • We do have Controls Framework that maps what Microsoft does and maps it to specific regulatory requirements
  • Thinking about how to package this up and present it for customers

Q: How to evaluate tools based on legal requirements?

  • We (Microsoft) can’t give you (customer) legal advice. But we can show you how tools map to particular requirements
  • Can do this in the context of certain verticals, e.g. Banking

If you have questions, stop by the Security & Compliance station in the Azure booth

TechEd NA 2014 – Microsoft Azure Security and Compliance Overview

TechEd North America 2014, Houston
Microsoft Azure Security and Compliance Overview – Lori Woehler

Day 2, 13 May 2014, 8:30AM-9:45AM (DCIM-B221)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • Microsoft has done a lot of work to support various security standards
    • In some cases, you can use their documents as part of your own demonstration of compliance
  • Data can be more secure in cloud, given the attention paid to security
  • Customer has greater responsibilities for demonstrating compliance when using IaaS (Infrastructure)
    • Fewer responsibilities when using PaaS (Platform)—just application and data
  • Potentially more compliance issues in EU and Asia, or in certain verticals (e.g. Healthcare)
  • Good compliance cheat sheet that lists typical steps to take

Full video

Lori Woehler – Principal Group Program Manager, Microsoft. CISSP, CISA

LoriWo@Microsoft.com
At Microsoft since 2002
On Azure team for 18 months

Goals

  • Understand how Azure security/compliance helps you to meet obligations
  • Define Azure S&C boundaries and responsibilities
  • Info on new resources and approaches

Other sessions

  • B214 Azure Architectural Patterns
  • B387 Data Protection in Microsoft Azure
  • B386 MarkRu on Cloud Computing
  • B306 Public Cloud Security

Track resources

  • http://Azure.microsoft.com/en-us/support/trust-center/
  • Security Best Practices for developing Azure Solutions
  • Windows Azure Security Technical Insights
  • Audit Reports, Certifications and Attestations
    • Includes all details related to audits
    • Can just hand off the stack of paper to outside auditors

Other resources

Technology trends: driving cloud adoption

  • 70% of CIOs will embrace cloud-first in 2016
  • Benefits of cloud-first
    • Much faster to deliver solution
    • Scale instantly
    • Cheaper, e.g. $25k in cloud would cost $100k on premises

Cloud innovation

  • Pre-adoption concerns (barriers to adoption)
    • 60% – security is concern
    • 45% – worried about losing control of data
  • Security, Privacy, Compliance

Cloud innovation

  • Benefits realized
    • 94% – new security benefits
    • 62% – privacy protection increased by moving to cloud

Trustworthy foundation timeline

  • 2003 – Trustworthy Computing Initiative
  • Digital Crimes Unit
  • ISO/IEC 27001:2005
  • SOC 1
  • UK G-Cloud Level 2
  • HIPAA/HITECH
  • SOC 2
  • CSA Cloud Controls Matrix
  • FedRAMP/FISMA
  • PCI DSS Level 1

Azure stats

  • 20+ data centers
  • Security Centers of Excellence – combat evolving threats
  • Digital Crimes Unit – legal/technical expertise, disrupt the way cybercriminals operate
    • Info on botnets
    • Bing team publishes blacklist and API to access it
  • Compliance Standards – alphabet soup of standards, audits, certs

Microsoft Azure – Unified platform for modern business

  • Four pillars
    • Compute
    • Data Services
    • App Services
    • Network Services
  • Global Physical Infrastructure

Simplified compliance

  • Information security standards
    • Microsoft interprets, understands
  • Effective controls
    • Map to controls, e.g. SOC 1 type 2, SOC 2 Type 2
    • Evaluate both design and effectiveness of controls
  • Government & industry certifications
    • Ease of audit and oversight

Security compliance strategy

  • Security goals in context of industry requirements
  • Security analytics – detect threats and respond
  • Ensure compliance for high bar of certifications and accreditations
  • Continual monitoring, test, audit

Certifications and Programs

  • Slide shows summary of various certifications
  • ISO/IEC 27001 – broadly accepted outside U.S.
    • Now supporting “Revision 3” under 27001
  • SOC 1, SOC2 – for customers who need financial reporting
    • Five different areas: Security, Privacy, Confidentiality, Integrity, Availability
    • SSAE 16 / ISAE 3402 – accounting standard
  • For IaaS, compliance information is more detailed
  • Increasing focus on government certification and attestation
    • FedRAMP/FISMA

Contractual commitments

  • EU Data Privacy approval
    • Only Microsoft approved from EU Article 29
  • Broad contractual scope
    • Contractual commitments for HIPAA et al

Shared responsibility

  • Where is customer responsible, vs. Microsoft
  • Customer
    • Manages control of data in PaaS
    • Going with PaaS reduces customer responsibility to just Applications and Data
    • Under PaaS, no customer responsibility for Runtime, Middleware, O/S
  • SaaS – no customer responsibility

PaaS Customers – important things to know

PaaS Customer Responsibilities

  • Access Control – define security groups and security set
    • Logs to demonstrate that access is due to customer granted permission
  • Data Protection
    • Geo-location – be careful about setting yourself up for potential non-compliance
      • There are obligations in Europe and Asia
      • You can check for access from outside your geo-location boundaries; then potentially restrict access
    • Data Classification and Handling
      • Deciding what data should go up to the cloud
      • Microsoft has published guides to classifying data (schemas)
      • Cloud Controls Matrix – show where you have programmatic obligation
    • Privacy and Data Regulatory Compliance
  • Logging & Monitoring Access and Data Protection
  • ISMS Programmatic Controls
  • Certifications, Accreditations and Audits
    • Can I just use Microsoft’s audit results as our own? No

IaaS Customer Responsibilities

  • Application Security & SDL (Security Development Lifecycle)
    • Can test outside of protection
    • Role segregation, between operations and development
    • E.g. rely on TFS to show process and evidence
  • Access Control – identity management
    • Start with access control to Azure environment itself
    • Then also access control to guest OSs (or SQL Server)
    • Auditors will focus on timing of provisioning/de-provisioning (e.g. remove user when they leave company)
  • Data Protection
    • Microsoft demonstrates that data in your environment is not exposed to other customers
    • Focuses on Hyper-V when testing
  • O/S Baselines, Patching, AV, Vulnerability Scanning
    • Standard build image in Azure, patched to most recent security update
    • Customers should adopt standard patching cadence; matching your on-premise infrastructure
    • Configuration and management of SSL settings is responsibility of customer
  • Penetration Testing
  • Logging, Monitoring, Incident Response
    • Microsoft has limited ability to access your logs and VM images
  • ISMS Programmatic Controls
    • Impact of documentation of Standard Operating Procedures—quite cumbersome
    • Can start by taking dependency on Azure, in documents that Microsoft have already generated
    • But this doesn’t go all of the way
  • Certifications, Accreditations & Audits
    • Auditors shouldn’t re-test customers in the areas that Azure already covers
    • Documentation that Azure provides should be enough
    • White papers in trust center describe how to leverage Microsoft stuff

Compliance cheat sheet

  • Identify your obligations/responsibilities
    • E.g. contractual
  • Adopt Standard Control Set
    • List of the rules, ties into policies
  • Establish policies and standards
    • “Your plan is your shield”
    • Criteria against which external auditors will evaluate your environment
    • Don’t try to be too broad, trying to cover every possible audit—auditor will apply their own judgment
    • Set level of detail listing deliverable and schedule for deliverable
    • Then you just demonstrate that you’ve met the policies that you’ve set
  • Document system(s) in scope
    • Challenging, if you haven’t implemented an asset inventory mechanism
    • Auditors will want to see all assets—physical and virtual (e.g. user accounts, etc.)
    • A significant amount of work
    • Log when systems come online and offline (into or out of production)
  • Develop narratives for each control
    • Written description of how a control executes
    • Ties back to specs for systems
    • Auditors will look at spec and then test plan
  • Test control design & execution
  • Identify exceptions and issues
    • No such thing as perfect
    • Document decisions made
    • “Qualified report” – auditor’s report that says that vendor is only partly compliant
  • Determine risk exposure
    • “Transferring risk” to third party—sometimes reduces your risks, sometimes increases your risks
    • Understand both costs and risks
    • Story of Singapore government, including keystroke loggers and video cameras, plus person observing live data feed (for traders using financial service)
  • Define remediation goals and plans
  • Monitor the system
    • And demonstrate to 3rd party that your controls are behaving as expected
  • Report on compliance status
    • Not just reporting for checklist

More detailed cheat sheet

Most Frequently Asked Questions

  • PCI Compliant? – no
  • Can xyz audit Azure? – no
  • Can we have your pen test reports? –
  • Will you fill out this 500 question survey? –
  • Kicked out of the room at this point