Cloud and Virtualization Security #
Exploring the Cloud #
- oversubscription - allocates more virtual resources than physical resources actually available, betting that not all customers will use their full allocation simultaneously.
- multitenancy - Different users share resources in the same cloud infrastructure.
Benefits of the Cloud #
- On-demand self-service computing
- Scalability (vertical & horizontal) - rapidly increasing capacity
- Elasticity - expand and contract capacity as needed
- Measure Service - You pay for waht you consume
- Agility & Flexibility
Cloud Roles #
- Cloud Service Providers - offer the cloud computing
- Cloud Consumers - ones that consume the cloud computing
- Cloud Partners/brokers - Resell supplementary products or services in regards of the cloud
- Cloud Auditors - independents that audit cloud services and operations
- Cloud Carriers - The network service provider that delivers connectivity between cloud consumers and providers.
Anyone can take multiple roles, like neptune was a Cloud consumer and service provider.
Cloud Service Models (XaaS) #
- IaaS - Customer does full config
- PaaS - Run apps that customer developed themselves, but without granualr network/infrastructure responbilities
- Example FaaS upload just the code and it will execute on an event without further overhead.
- SaaS - Customer only does config in the “application”, see ERP, CRM, ..
- Managed Service Providers (MSPs) - service organizations that are responsible for all tech infrastructure for a customer.
- If they offer security, they are Managed Security Service Providers (MSSPs)
Cloud Deployment Models #
- Public Cloud - Default - Shared infrastructure for the general public/anyone
- Private Cloud - provisioned for a single customer
- Build/deployed by either a 3th party or the organization itself.
- More excess resources, so less cost efficient
- Community Cloud - Like Public multitenant, but all tenants are from the same community that share same needs or mission (e.g. regualrity needs, compliance, etc..)
- Hybrid Cloud - catch all of blending public, private and/or community
- Requires technology to unify the different clouds into single coherent platform
Note: The intelligence community uses “Private Public” cloud. The infrastructure resides in a CIA facility, but provides (for example) decicated AWS services. Azure Arc allows to use Azure platform but on hardware/infrastructure you manage yourself. So it is a private cloud, but it uses the functinality/platform layer from a public cloud.
- Public Cloud bursting- You use only public cloud to expand capacity when necessary, but by default use private/on-prem
Shared Responsibility Model #
Your security responsibilities fall in the “customer responsibilites”, the vendor area secuirty is for, the vendo
Cloud Standards and Guidelines #
- NIST Cloud Computing Reference Architecture
- This shared understanding helps to also talk about cybersecurity.
- Cloud Security Alliance (CSA) - industry organization focused on best practices in cloud security.
- CSA Site
- Designed the Cloud Controls Matrix (CCM) to help understand the right use of cloud security controls and map those to various regulatory standards.
- Edge Computing - Push some of the (pre-)processing to the edge/sensors before shipping it back to the central server/cloud.
- Fog Computing - Local gateway devices close to the sensors that does the preprocessing before sending it to the central server/cloud.
Virtualization #
Is made possible by hypervisors, virtual machines don’t know they’re in a virtual environment.
Hypervisors #
- Hypervisior is a special OS that mediates access to underlying hardware resources.
- Primary responsibility : Enforce vertical isolation between the VMs.
- Gives the VM the illusion that its a single independent physical device.
- VM’s are not able to access/information/resources assigned to another VM.
- Types
- Type I Hypervisor AKA Bare-metal hypervisor - Operate directly on underlying hardware
- Most efficient and default for datacenter virtualization
- THIS IS the OS
- Type II Hypervisors - Run as an application on top of an OS (e.g. Parrallels, VirtualBox)
- THIS IS AN APP installed on another OS
- More for personal computers, hobby, but less efficient.
- Type I Hypervisor AKA Bare-metal hypervisor - Operate directly on underlying hardware
Cloud Infrastructure Components #
Cloud Compute Resources #
- Virtual Machines - OS level virtualization
- Specify assigned hardware, OS, pay on consumption, SSH/RDP for access.
- Containers - Application level virtualization
- Same security concerns as VMs, isolation of access and resources
Cloud Storage Resources #
- Block Storage - for VMS
- Preallocated, so you pay for that.
- Most expensive
- Object Storage - S3
- You pay for how much actually used
- Cheaper
- Security Considerations
- Set permissions Properly
- Consider high availability and durability
- Use encryption to protect sensitive data
Cloud Networking #
- Software defined networking (SDN)
- Software defined visibility (SDV) offer insights into the traffix of the virtual networks
- Security Groups -
- kind of the Firewall feature
- work at network and transport layer
- WAF works on higher levels (application layer for example)
- Usually no cost
- Virtual Private Cloud (VPC/VNET)
- Segmentation - Different security levels on differenet subnets.
- Similar grouped systems can talk to each other, others not.
- On hardware level they would use VLAN (Virtual LAN) instead of virtual subnets.
- VPC endpoints - CSP backbone that allows to connect VPC with each other
- Cloud transit gateways is to connect a VPC with your on-prem network directly and securily
- Requires physical actions and efforts.
- Segmentation - Different security levels on differenet subnets.
Cloud Security Issues #
Availability #
- Baselevel services don’t always provide High Availability, you need to configure/architect accordingly.
Data Sovereignty #
- Data is subject to legal restrictions of any jurisdiction where it is collected, stored or processed.
- you might be subject to laws that you don’t have much to do with, just cause your data is hosted there.
- Encrypt data, to keep control of your data, even when it goes over different jurisdictions, but understand what your situation is.
Virtualization Security #
- Virtual Machine Escape Vulnerabilities - most serious, it breaks the isolation between VMs in data and/or resource access.
- Virtual Machine Sprawl - When user creates IaaS VM and forgets about it and it accrues cost and security issues
- Resource Reuse When hardware resources assigned to one customer is reassigned to another, and there was no proper cleanup, like old data still there.
Application Security #
- See Application Security
- API Injection Technology - inspect API requests for security issues (e.g. WAF)
- Secure Web Gateways (SGWs) - monitors egress web requests and evaluates agains security policies.
- in other words, an egress firewall/WAF
- mostly work on application layer
- Some do Network and transport layer
Governance and Auditing of Third-Party Vendors #
Auditiability of a CSP is important.
Hardening Cloud Infrastructure #
- Cloud native controls
- Have direct integrations and are more cost effective
- 3th party solutions
- more costly, but integrate with various CSPs
- or combined
Cloud Access Security Brokers (CASBs) #
Software tools that serve as intemediaries between cloud service users and cloud service providers. This allows for monitoring user activity and enforce policy requirements, 2 different approaches:
- Inline CASB solutions - physically/logically reside in connectio path between the user and service.
- Requires configurtion of network and/or endpoints.
- Allows to see and block requests before they arrive at cloud service.
- API-Based CASB solutions - Interacts directly with CSP’s API
- No real changes/reconfigurtion to be done
- Unable to block requests
- More limited to monitoring and reporting
- Fixs policy violations after the fact.
Resource Policies #
Policies to limit actions or users can make. (eg. you can only deploy in region x)
Secrets Management #
Offer Hardware Security Modules (HSM) for internal key usage but also for customers. Keys are generated and never exposed externally.