1. Encryption in the public cloud: Security techniques Dave Asprey • VP Cloud Security [email_address] @daveasprey (cloud + virtual security tweets)
4. Amazon Web Services™ Customer Agreement, section 7.2, Security: "We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications." Translation: If it gets hacked, it's your fault. Source: http://aws.amazon.com/agreement/#7 (23 November 2010). Trend Micro Confidential 01/27/11
5. Security: the #1 cloud challenge. Security and privacy concerns rank higher than the sum of performance, immaturity and regulatory compliance concerns (Gartner, April 2010). Classification 01/27/11
6. Use encrypted, self-defending hosts
Diagram: Internet – shared firewall – shared network inside the firewall – virtual servers – shared storage. Each multi-tenancy concern is paired with the response an encrypted, self-defending host allows:
- Shared firewall – lowest common denominator, less fine-grained control. Doesn't matter – the edge of my virtual machine is protected.
- Multiple customers on one physical server – potential for attacks via the hypervisor. Doesn't matter – treat the LAN as public.
- Shared network inside the firewall. Doesn't matter – treat the LAN as public.
- Shared storage – is customer segmentation secure against attack? Doesn't matter – my data is encrypted.
- Easily copied machine images – who else has your server? Doesn't matter – they can start my server, but only I can unlock my data.
Editor's notes
My name is Todd Thiemann. Thank you for attending this session on
- Data is stored in plain text. Who can see my sensitive information? Data stored in a raw format removes confidentiality and gives a savvy attacker an open door to view all of your information.
- Virtual volumes can be moved without the owner's knowledge. Has my data been moved offshore, breaking laws or regulations? Privacy laws like
- Little ability to audit or monitor access to resources or data. What happened to my data when I was not looking? How can I comply with legislation, security policies and best practices?
- Hypervisors and storage are shared with other users. Is my neighbor trustworthy? How good is my neighbor's security? Will he get hacked and attack me?
- Storage devices contain residual data. Is storage recycled securely when I change vendors? What happens if my cloud provider goes out of business?
This is the online Amazon EC2 Customer Agreement. You can read the whole thing, but the bolded part is the key concept: the user of the virtual machine is responsible for the security of that virtual machine. In the IaaS world you hold both the responsibility and the accountability for security, so you need to plan for protection in the public cloud.