Red Hat Cloud security: Frameworks & enforcement. Kurt Seifried Security Response team April 16, 2014 v1.0

Transcription

1 Red Hat Cloud security: Frameworks & enforcement Kurt Seifried Security Response team April 16, 2014 v1.0

2 Agenda A quick history of the future Cloud IT and Security it's all about operations Cloud security standards and technologies Emerging / Future technologies Q&A 3/17/13 2

3 What is the cloud? IaaS (Infrastructure as a Service) PaaS (Platform as a Service) SaaS (Software as a Service) MaaS (Metal as a service) SecaaS (Security as a Service) CaaS (Communications as a Service Let's apply regex:.*aas Voila: XaaS (Anything as a Service) 3/17/13 3

4 Open Hybrid Cloud You want a cloud that includes IaaS, PaaS, SaaS, MaaS, SecaaS, CaaS, etc. That works on both private resources (in house/on premises/off site) and public resources That prevents vendor lock in That increases agility/capabilities (e.g. RHEL+Windows+whatever else you need) Aka Open Hybrid Cloud 3/17/13 4

5 Handling the past This means the cloud will have to handle your existing systems and services without any major changes or else you get to rewrite/rebuild everything (which you don't want to do) 3/17/13 5

6 Handling the future Self service both bring your own and buffet/menu style (e.g. build your own system and run or select from a catalog) Rapid deployment of heterogeneous systems (Linux + Windows + your old COBOL box) New methods and modes of operations we haven't even thought of yet 3/17/13 6

7 Supporting Hybrid IT You have mature IT (like your payroll system) You have bleeding edge IT (like your social media app or your Big Data project) You want your cloud to support both modes of operations 3/17/13 7

8 Building on sand You can build reliable services on top of unreliable systems (within reason), RAID, replication, multi-pathing, transactions, etc. You cannot build secure systems on top of insecure systems 3/17/13 8

9 The cloud is all about operations Technology is an enabler, nobody actually wants to run operating system X or software package Y, they want to run it to get stuff done Virtualization has allowed us to decouple from hardware, with Cloud we are able to decouple from operational constraints 3/17/13 9

10 Sliced, diced and julienned In theory with cloud you can have a single pool of systems that is shared amongst all, using multitenant systems, networks, storage and services This requires very strong controls to separate things, especially with shared workloads and services (you can cheat and dedicate servers, but this reduces flexibility and efficiency) 3/17/13 10

11 Strong controls Virtualization almost a decade of KVM SELinux over a decade now IPTables - over a decade now Many, many other technologies Real world validation - OpenShift Online only requires attackers have an address to register and login via SSH, we see a lot of attacks and as a consequence have robust SELinux policies that also allow people to still do what they need to do 3/17/13 11

12 Dialing security up and down One size does not fit all Highly regulated and unregulated Contractual requirements Multiple legal jurisdictions Systems in use for years at a time and systems used for 5 minutes at a time by QA 3/17/13 12

13 Secure deployment and updates You need to deploy secure systems You then need to keep them up to date And properly configured And you need to be able to deploy insecure systems/configurations as needed (dev/testing) 3/17/13 13

14 Orchestration and management You need Orchestration that can handle all sorts of weird situations and systems This is especially true for self service clouds, some people need freedom, others need strong controls You also want to prevent things like an intern firing up a clone of the employee database and grabbing all the personal data You need to support multiple operation models 3/17/13 14

15 Cloud security standards and technologies There are several existing standards that are cloud specific, and many that are not You will have to support these standards, you will be judged by these standards Providers want to minimize the number of standards they have to deal with, so convincing them to deal with your own standard NOPE. 3/17/13 15

16 FedRAMP The US gov has learned a lot of painful lessons and applied them to FedRAMP It's a collection of open standards, acronym soup It addresses the many providers to many consumers issue It includes continuous testing and certification It is flexible and supported by many tools and vendors today 3/17/13 16

17 Red Hat support of FedRAMP The main thing here is SCAP and OpenSCAP Red Hat has content for RHEL, Fedora Can be applied during kickstart! Automated remediation tools like Aqueduct Red Hat also publishes OVAL data, CVE, CPE, CWE, CVRF and others Red Hat has numerous people in the federal government and security space, we are heavily involved in this 3/17/13 17

18 Cloud Security Alliance Heavily aimed at operational security Includes mappings to other security standards Currently self attestation and third party testing through BSI Working on additional standards and updates Working on 3 rd party assessment and continuous assessment 3/17/13 18

19 Red Hat support of CSA OpenSCAP can be used for the technical side of security, but many of the things CSA looks for are operational decisions (e.g. employee training) We submitted a CAIQ entry for OpenShift Online 1 year ago (April 15, 2014) We are a corporate member of the CSA and keep a close eye on things 3/17/13 19

20 ISO/IEC ISO is creating a set of cloud specific security standards under 27017, initial drafts look pretty good ISO has stated that they are expected to be released in late /17/13 20

21 Red Hat support for ISO/IEC Since the cloud specific standards are not final yet I can't really say that we support them per se But we do have OpenSCAP for the technical side And we are keeping a close eye on them 3/17/13 21

22 Other non cloud security standards All the usual suspects (PCI DSS, blah blah blah) Enough workload has moved to the cloud, these non cloud standards have been made to work in the cloud You can mostly get away with compensating controls, using cloud services that are certified, and using dedicated resources 3/17/13 22

23 A quick note on failure cases of security standards Failure to include ongoing testing/certificate Actively malicious vendors and testing/certification vendors that allow bad things DigiNotar Massive data breaches at various companies A possible outcome is that cloud providers try to discredit each other and thus keep each other honest? 3/17/13 23

24 Emerging / Future technologies But wait, there's more! 3/17/13 24

25 Stateless and stateful systems a.k.a. Mutable and immutable systems Separate systems and services by state or mutability, stateless/immutable systems are much easier to auto scale up and down Stateless/immutable systems can be locked down heavily, think read only web front ends using file serving/database back ends Stateless/immutable systems shouldn't change, so any compromise should be obvious 3/17/13 25

26 Short lived systems Think xinetd for Vms/containers, one request, one system gets started, services it, and is shut down Requires technology still in development Extremely dense systems using ARM system on a chip and transactional memory are not to far away however... 3/17/13 26

27 Software Defined Perimeter (SDP) Brings the perimeter in from the network and system directly to the application critical with multi-tenant systems Also an intelligent control plane, so you spin up a new web front end and add access rules/certificates/whatever to the database back end and other resources it needs Automated security is the only sane way to handle auto scaling systems 3/17/13 27

28 Conclusion The cloud is happening, your accountants will see the utilization numbers and make you do it, also OPEX vs CAPEX, also pay as you go with bursting is kind of awesome IT is changing more than ever, and staying the same more than ever (COBOL and FORTRAN), we need to support both, preferably with one system Self serve is awesome and it can be done securely, doing it insecurely will be very bad 3/17/13 28

29 Question and answers

30 Up to date slides, notes, 5-10 page write up and additional materials are available at:

31 URLS 3/17/13 31