A Cloud Risk That Is Different In Kind

The risks in cloud deployments are generally differences of degree rather than different in kind. But there are some risks that are fundamentally new. We saw two examples recently. First was Bloomberg, not a 21st century Cloud for sure, more like 1990s era Cloud but the precedent is right there for anyone using a Cloud application:

In one instance, a Bloomberg reporter asked a Goldman executive if a partner at the bank had recently left the firm — noting casually that he hadn’t logged into his Bloomberg terminal in some time, sources added.

Goldman later learned that Bloomberg staffers could determine not only which of its employees had logged into Bloomberg’s proprietary terminals but how many times they had used particular functions, insiders said.

The matter raised serious concerns for the firm about how secure information exchanged through the terminals within the firm actually was — and if the privacy of their business strategy had been compromised.

“You can basically see how many times someone has looked up news stories or if they used their messaging functions,” said one Goldman insider.

And the second, the Google stalker case

former Google engineer, repeatedly took advantage of his position as a member of an elite technical group at the company to access users' accounts, violating the privacy of at least four minors during his employment, we've learned. Barksdale met the kids through a technology group in the Seattle area while working as a Site Reliability Engineer at Google's Kirkland, Wash. office. 

Cloud apps have to deal with the normal IT risks, but in addition we have the above examples of new risks that are brought on in part by panopticon effects of Cloud apps.

Security > 140 Conversation with Jason Chan

Jason Chan is Cloud Security Architect at Netflix. In this Security > 140 conversation, we discuss some of the innovations that Netflix has applied to its security in AWS and what other enterprises can learn from their pioneering experiences.

GP: Jason, your practitioner's perspective of AWS in particular and overall approach to security in general at Netflix is something I think the industry can benefit from. You use an evocative image to describe the shared security responsibility for AWS users, a rock climber way up  high (you) and on the ground with the belay rope its Amazon. It shows in a nutshell where the risk lies. I am curious though how well defined is the interface between the AWS user and Amazon, does the carabiner and harness give you a simple way to engage with Amazon security services? What problems do you face here with integration? 

 Jason Chan: I do like that rock climbing analogy - I think anyone that's been paying attention to cloud security these past few years is familiar with the notion of shared responsibility for security, but it's critical that the true nature of that relationship be understood. Cloud service providers have a vested interest in meeting their customers' security requirements, but ultimately the customer holds the responsibility.

Regarding AWS' approach and interface for security - I think their Security and Compliance Center and product documentation are good places for customers and prospective customers to start. The tricky part about AWS security is really related to common adoption patterns. AWS use within an organization can spread quickly and organically, and before you know it non-trivial apps and architectures are deployed. However, it is hard to grok all the details of AWS security (including both recommendations and gotchas) until you have some experience under your belt - which is of course too late if you're deploying quickly and widely.

 With regard to overall security integration with AWS, the biggest thing we're missing is access to a general purpose event notification system for AWS audit and logging events. For example - when are users added, when are firewall rules changed, when is an access control policy deleted. This missing link has driven much of our security approach, especially with regard to our Security Monkey framework, which relies heavily on ongoing monitoring and analysis to fill these gaps.

 On the positive side, of course everything is API-driven, which makes integration with new and existing tools much more straightforward.

GP: That quick, organic spread is the bane of most Infosec groups, wherever you go it seems like security is always lagging behind development process and playing catch up. I guess the Cloud makes this even more challenging because it speeds up development so security needs to move faster too. 

One approach can be to use patterns and frameworks so that when you get the old "...and we are going live in a month" in your first conversation with a team, well at least there are proven building blocks (patterns) to help move forward. It seems like AWS has a lot of these to build on for access keys, certificates, MFA, and some basic IAM functionality, but what about authorization? In my experience, this can be challenging because its domain or app specific. Have you seen cases where more dynamic and granularity attribute based access control rather than static ACL kind of mapping is required?

JC: First - to tackle the building blocks and patterns component - that's absolutely a key element of how we operate. We are a very loosely coupled organization, but we share platform components, lessons learned, tested patterns, etc. across the engineering organization. We use the Simian Army to validate that those patterns and techniques have been implemented. This allows us to move fast and ensure quality without potentially heavyweight and burdensome constructs like architectural review boards and change approval meetings.

Regarding AWS and IAM, I like the direction they are moving and the building blocks they are making available. They have a rich and comprehensible policy language, and the newly released "EC2 Roles" feature provides a means of delivering short-lived credentials for access to services from running instances (which is a core part of how our service operates). We had solved that problem separately prior to the AWS release, but we are looking to migrate to their offering to allow us to focus on other unsolved problems. I would like to see AWS standardize more on their access model, though, with regard to controlling service and resource access. Some services (e.g. SQS, S3) have a pretty full-featured access control model that applies to the service and API as well as the resources involved (e.g. I can control who lists a storage container, as well as separately protect the objects in the container). Other services like EC2 have a much coarser model. You can restrict access to APIs, but you can't restrict which resources those restrictions apply to. So, if I grant a user rights to terminate an EC2 instance, they can terminate any EC2 instance. This makes segregation a bit more of a challenge. 

The way I look at it, the more AWS and other cloud vendors can provide usable, scalable, dynamic and fine-grained access control mechanisms, the faster their customers will be able to innovate.

GP: I assume that the Simian Army and Security Monkey follow the guidance I have heard out of Netflix' chaos monkey - "the best way to avoid failure is to fail constantly." Availability is an important part of security in most companies, are there any security specific aspects to the "fail constantly testing regime? What things have worked well that companies can utilize to improve their own vulnerability assessment processes?

JC: To give a little more info on the Simian Army - there a few approaches that they take. The approach that the Chaos Family (including Monkey and Gorilla) and Latency Monkey uses is to inject faults into the production environment to see whether deployed applications and systems can robustly handle and recover from these issues.

Some of the other members (namely Security, Conformity, and Janitor) take some different approaches. They are looking for adherence to known good practices and architectures for secure, distributed, cloud-based systems. One of the key cloud tenets we embrace is self-service - we want to make it as easy as possible for engineers to leverage the cloud and the platform we've provided. This freedom sometimes leads to suboptimal deployment, communication, and security implementations, so we use these Monkeys to seek out these anomalies (and in many cases, make automatic corrections).

In terms of what others can leverage, we are open sourcing many of the Monkeys (in fact, Chaos Monkey was just open sourced on 7/30), so others are free to reuse and extend what we've created. At a more abstract level, I think it's really about minimizing any friction you create with the inbuilt advantages that the cloud provides (e.g. broad accessibility, self-service, elasticity). The more you put in between cloud users and the benefits that the cloud provides, the less value you'll derive from cloud deployment. To do this safely, you have to refresh your thinking around monitoring, architectural pattern compliance, and security assessment.

GP: Can you share an illustrative end to end example of a vulnerability or class of vulns that Security monkey looks for, how you identify that its worked or not and how remediation fits in?

JC: A good example would be around how we use Security Monkey to evaluate AWS security groups (the Amazon implementation of a hypervisor-level firewall, used to control network access between instances). Security Monkey monitors our configuration of security groups, and will alert on simple add/change/delete events. These types of events are standard in our environment, so they are not necessarily a call to action. 

Security Monkey also looks for potential misconfiguration of security group rules. For example, a security group being opened to the Internet, using an unsafe port/service (e.g. Telnet, FTP), providing access across AWS accounts, etc. These kinds of configurations can signify a serious vulnerability, so we also alert on them and aggregate them up to a sort of "Exposures" report that is easy to evaluate and use for additional investigation (if needed). We don't take automatic action on these, as they often require some human analysis to establish validity. We also have the ability to whitelist and document exceptions for valid cases that would otherwise trip these alarms.

On a somewhat related front, several of us at Netflix are working with some folks from the open source community on a new security assessment tool called Gauntlt. It's a framework intended to mesh behavior-driven development with security and security testing. I think it's got a lot of potential, especially in shops like ours where developers are more involved with deployment and operational support and continuous integration and deployment are used quite broadly.

GP: Do you have anything on the back end reporting that discerns between Security Monkey and an attack, so that you know - "the calls are coming from inside the house"? 

JC: We do have a means of differentiating, and this actually brings up another good point about security and operating in the cloud. We can write to our production timeline system that tracks important events (e.g. code deployments, configuration changes, etc.). That way, our SRE team and other interested parties can easily tell if scanning is occurring, etc. Also, we plug into our other security tools (e.g. web application firewalls), to register/whitelist hosts.

The key here is that at scale (and with the nature of cloud elasticity and ephemerality), you need to do this via API and automation, not via someone manually updating an administrative UI. This is a point that I'm finding some security vendors have not picked up on yet. "Cloud Security" is a popular term, but in terms of tools, controls, etc. - if it does not have an API, it is difficult or impossible to use and integrate in our environment. This has become a real differentiator for security vendors, in my opinion.

 GP: I see the same thing, many security tools have some good raw capabilities but they require so much manual effort, I tend to think of it as an integration gap - better/simpler APIs and Automation would help close the gap and help security teams.

When I looked at Gauntlt, it seems like a concrete implementation of the objectives of Security Monkey where your web app is constantly attacked by Metasploit, fuzzers, Nessus, and other tools. Its also interesting to see a DSL emerging here. Can you talk a little about the Gauntlt project and where you see it going?

JC: Sure, I don't want to speak too officially for Gauntlt; I am working on it but I defer to James Wickett for the most authoritative perspective on roadmap and progression. As I see it, it can become a great framework for packaging, executing, and normalizing security testing tools and resulting output. There are so many great security tools out there, but it's non-trivial (for experts or non-experts) to select a decent toolset, determine how they should be configured and run for your environment, and intelligently evaluate the output of the chosen toolset. I think Gauntlt can help facilitate this process, and hence provide an easier mechanism for integrating security testing into development lifecycles of all shapes and sizes.

**

Interested in Mobile AppSec, Mobile AppSec Triathlon training - November 5-7,2012 in San Jose. Hands on training with Gunnar Peterson and Ken van Wyk for Mobile, iOS and Android security for developers, security teams and architects. 

Understanding Cloud Security Standards Part 3

Part three of my three part series on Cloud Security Standards is available on the Intel blog (Part 1, Part 2, Part 3)

Part 1 examines four Identity and Access Anti-Patterns that occur regularly with enterprises moving to Cloud include:

• Low/no access control - we'll see if it works and add security later
• Replicating user accounts - copying enterprise directory in full or extract to Cloud Provider
• Copying credentials - copying or hardcoding credentials to Cloud based services
• “Trusted” proxy - Gateway is a pass through lacking support for security standards and services

Part 2 looks at how SAML, oauth and other standards help enterprises retain control of user management whilst leveraging Cloud services. Part 3 looks at how XACML can be used to close out some of the gnarlier Anti-Patterns through improved integration and granular, dynamic authorization.

Understanding Cloud Security Standards Part 2

Over on the Intel Cloud Access 360 blog I have series on Understanding Cloud Security standards. In part one, I looked at Cloud Security Anti-Patterns. The four Anti-Patterns that occur regularly with enterprises moving to Cloud include:

• Low/no access control - we'll see if it works and add security later
• Replicating user accounts - copying enterprise directory in full or extract to Cloud Provider
• Copying credentials - copying or hardcoding credentials to Cloud based services
• “Trusted” proxy - Gateway is a pass through lacking support for security standards and services

In part 2, I look at how security standards like SAML, Oauth and OpenID help enterprises mitigate the common Anti-Patterns.

Understanding Cloud Security Standards

I have a post on Intel's Cloud Access Security blog on Understanding Cloud Security Standards, this is part 1 of a series. Before diving into the standards and patters, I discuss four Anti-Patterns that have emerged in Cloud Security:

• Low/no access control
• Replicating user accounts
• Copying credentials
• “Trusted” proxy

These examples of Anti-Patterns, i.e. things to avoid are discussed further in the blog, and we'll look at how remedy these in your Cloud Security Architecture read it here.

Cloud Security Class at Cloud Identity Summit

Yesterday I taught my Cloud Security class at Cloud Identity Summit. In the class we go through the four design patterns that I describe in "Don't Trust. And Verify. A Security architecture stack for the Cloud" think are foundational elements for Cloud security. The four patterns that we focus on are

• Security Gateways 
• Monitoring Services
• Security Token Services
• PEP/PDP for Fine grained authorization

These patterns have seen tremendous progress in the past year since my keynote at last year's Cloud Identity Summit 

My favorite part of the class is Case Study and Threat model. We break into groups and build threat models similar to these. What I enjoy the most is that in every single class of the many times I have taught this, the people in the class identify different threats, different countermeasures, and different ways to pair threats and countermeasures.

Security isn't one thing, if it was Microsoft, IBM, Google, et al would ship it out of the box. Unfortunately each enterprise needs to do after market work to identify, locate, and integrate countermeasures. As one person in class yesterday mentioned the class "helped pull together ideas and identify missing pieces." This is music to my ears, about the best compliment I can get on my class is when people have a different way of looking at their security problems. We don't have any new security primitives in the last 34 years, but we can always collaborate to find new ways to integrate our security services.

Security > 140 Conversation with Chuck Mortimore

Chuck Mortimore is Director of Product management for Identity & Security at Salesforce.com. His presentation at last year's Cloud Identity Summit was one of my favorite talks an in depth look at oauth and identity in the Cloud, I believe Eve Maler termed it "mind melting conceptual density." Chuck is presenting at this year's Cloud Identity Summit July 18-21 in Colorado. I will also be there doing a talk and a Cloud Security class, its a high point on the conference lineup.

For this Security > 140 conversation, Chuck and I discuss in some detail the architecture choices and constraints for people moving to the Cloud and what Salesforce.com, who I consider a leader in this space, has learned.

GP: One of the first times I worked on deploying SAML was at a Service Provider who had a large customer ask/tell them they had to support SSO via SAML. The SP was not a technology visionary, but they were good at listening to their customers. I have noticed that Salesforce continually has led the way for many Cloud and SaaS providers in identity options. How much is driven by your own tech arch vision and how much is driven by customers?

CM: It's about 50/50.   Customers tend to articulate pain, and high level direction.  For instance, our customers that have invested in federation consistently ask us to make single sign-on work with mobile and desktop clients.  The actual technology strategy to achieve that is then driven by us.   Inputs are a combination of our own deployments, understanding of our customer's IT landscape, and evolving best practice on the consumer web.  We're also willing to release capabilities and iterate on real feedback.

GP: It seems like SAML and oauth are two standards leading the way currently. Do you see this standards-based trend continuing?

CM: Yes – we see this continuing.   We’ve made great progress with Federation standards, and would like to see this trend continue into user provisioning, audit, etc.

GP: What's the likelihood of proprietary identity like Facebook, Apple, and others being used for certain use cases?

CM:  We’re pretty customer driven, so these Identity providers are important for consumer driven use-cases.   While we don’t have much demand for using these to login directly to our core products, our customers do want to source and maintain relationships with customers from these consumer IDPs.    As such, we increasingly integrate with these sources for CRM purposes.

GP: I remember in the 90s people used to call PERL the duct tape of the Internet. Now computing seems to be bifurcating into two modes humongous (Cloud) and tiny (Mobile); and identity is playing a key role, maybe the key role in linking these two models at runtime.  You recent Android oauth release is a good example of this. I was surprised that Google did not deliver any web identity model and just stopped at the OS level for security, its very good for the industry that your team filled this gap and published yoru work as open source for others to learn from. What design questions should mobile developers think about when integrating Mobile apps into Cloud providers?

CM:  We’ve been focused on a few key challenges with Mobile development

Time to value – we’ve been investing heavily in oauth and optimizing it for mobile experiences.   The mobile development experience is complicated enough on it’s own, and the last think developers want to worry about is first writing a bunch of authentication code before they can focus on their core application.    With oauth we’re trying to take care of all of that on the developer’s behalf – open up a web browser and wait for a callback.

How does mobile impact your traditional security posture – it’s pretty difficult to really know what applications you’re communicating with to any degree of certainty in a mobile environment.   That has ripple effects across traditional perimeter security postures with things like IP restrictions – you want to relax them to some decree for your mobile devices, but are you sure they really are your mobile devices. 

We’ve been working on activation and registration protocols to return some degree of control to our customer’s administrations and security staff while still dealing with the influx of consumer mobile devices into IT.

Credentials – a lot of our want to use their own credentials for usability, policy, and lifecycle management reasons, which generally leads to federation or delegation protocols being used.  At the same time these same customers are uncomfortable with that credential on mobile devices.    This is particularly challenging in the mobile and desktop space, as the well deployed federation protocols tend to use HTTP and web browsers as a substrate for moving messages around.   We’ve been investing a lot to weave together oauth and SAML, such that a single investment in federation can be used across a wide variety of device types.

GP:  So in weaving these together are you looking to the SAML Bearer Assertion Grant Type Profile to help solve some of this?

CM: We actually took a somewhat simpler route.    We have the customer get setup to support SP initiated SAML.   We then just treat the Oauth protocol flow like any other deeplink into our site.  If the user is un-authenticated, they go through SP Initiated SAML.   The Oauth protocol passes through RelayState and once we complete the SAML exchange, we pass them along to complete the Oauth flow.   Pretty straightforward.  Goal being federate once, and use the same pattern anywhere.   We actually can support using the same SAML assertions against our API endpoints as well.

GP: What's been the response from customers and developers on ease of use and implementation? Are the identity concepts easy to grok and something that they understand quickly or is  there a lot involved to go from standards, protocols and abstractions to a developer-friendly view?

CM: We’re still feeling this out.   The largest usability issue we have is that it requires connecting to a custom url for the customer, and we’re still working on the best model for users or their admins to easily express to the client the url they want to connect to.   So – conceptually it’s well received, but we’re still gaining experience on how best to scale the administration/deployment.

GP: What is your current guidance on protecting tokens once they are minted? It seems like the community would benefit from thinking about where the protocol security ends and where host/app security begins.

CM: In general, I try and simplify the language for people new to oauth.   Treat refresh_tokens like passwords, and access_tokens like sessions.   Use native mechanisms like iOS keychain where ever possible.

Leveraging Enterprise Credentials for Cloud Applications

I have a new post over on the Cloud Access Security blog on Leveraging Enterprise Credentials to Connect with Cloud Applications, it begins:

Many pundits say that you must pick a Cloud Provider and trust them. I beg to differ. First off why should we trust the Cloud Provider? A Cloud Consumer wants to leverage the Cloud Provider’s capabilities for functionality and scale where it makes but why should this equate to blind naïve trust? And anyway, what specifically is the Cloud Consumer trusting the Cloud Provider? As the old country music song says, “In God, we trust, all others pay cash.”

Instead of blindly trusting the Cloud provider to do the right thing (and a glance at any recent news will show how hard this is in practice) it makes more sense for the Cloud Consumer, e.g. you, to limit how much control you choose to pass to the Cloud Provider. One technique for accomplishing this is to retain control of User Account Management at the Cloud Consumer site.

When the Cloud Consumer retains the responsibility for User Account Management, the security architecture gains in several ways:

 

Read the whole thing

Providing Fine Grained Access to SalesForce and Google Apps

I have a blog post over on the Cloud Access Security on FGA for Salesforce and Google Apps

Companies that move to Cloud Providers like Salesforce and Google apps quickly discover that part of the migration involves revisiting their security model. Authentication, authorization, account management, and federation are on the menu of activities for most organizations as they strive to garner the cost savings and distribution of the Cloud and retain some level of control of users and assets.

Cloud consumers can insulate their implementations from the vagaries of proprietary identity implementations through using standards. In most cases, SAML represents a logical starting point for conveying identity information from the Cloud Consumer to the Cloud Provider. SAML is a well adopted industry standard that is available in many commercial and open source implementations. SAML is referenced by many industry groups such as the Cloud Security Alliance.

SAML’s architecture lends itself to Cloud scenarios, because the Cloud Consumer (enterprise) and Cloud Provider fit naturally into the core SAML roles. The primary roles in a SAML architecture are the Identity Provider (IdP) who asserts information about a user, and Relying Party (RP), who acts on the information for the service provider, such as the Cloud Provider. Because SAML was designed with this separation of roles in mind, it maps cleanly onto Cloud Deployment models.

Read the whole thing here

My favorite line in the CSA Guidance

Is this:  “A portion of the cost savings obtained by Cloud Computing services must be invested into increased scrutiny of the security capabilities of the provider, application of security controls, and ongoing detailed assessments and audits, to ensure requirements are continuously met”

There's no question that some companies can save a lot of money by using Cloud services. But saving money on paper versus the real world is two different things.

If you find a way to save some money via Cloud ask yourself:

* what capabilities are you going to use to Verify identity, access and data to and  from the Cloud?

* what Visibility do you have into the identity, access and data to and from the Cloud?

The answer in both of these cases almost guarantees that your organization requires new technologies for Verifying identity (such as STS and XACML PEP) and for Visibility (such as Monitoring services and Gateways). They will need to be mapped to the Cloud providers that you are working with as well. 

So given the hypothetical $100 cost savings, some portion of that $100 savings needs to be invested in Verification and Visibility capabilities. Otherwise the cost savings are as illusory as cardboard desks.