Cloud Security Progression…..yes….but transparency still an issue?

Posted on by
Reply

So I’m sat in Frankfurt airport lounge awaiting a delayed flight home and I am reflecting on the last 2 days of the CSA Secure Cloud 2012 conference. Lots of excellent content, excellent speakers (especially as most of them weren’t presenting in their native tongue!) and the conclusions I am coming too are that yes, cloud security has moved on in the preceding couple of years, and is quite possibly as good, if not better than that provided by those best of breed inhouse data centres. However the challenge is to evangelise this to prospective clients, and gan the evidence that will enable those pesky auditors to be satisfied when they come knocking each year. The CSA STAR initiative and NISTs working groups on cloud are working towards standards in this space which will hopefully be acceptable to auditors – and of course we can’t omit ISO from the standards game either (ISO 27036-5). That said though it does seem that moving the crown jewels of your corporate data into the cloud is still some way off until the “silver bullet” of Fully Homomorphic Encryption is delivered :-)

Has Cloud Security Progressed in last 2 Years?

Posted on by

So I’m here at the end of day one of the SecureCloud2012 conference in Frankfurt being hosted by the CSA, having attended previously in 2010 (Barcelona). Prior to going in 2010 I had written a couple of blog entries (yes I know I’m not exactly prolific when it comes to blogging) about cloud provider compliance and  security and these topics were covered in depth during that conference. One question I posed during a panel debate was about the potential for an independent Cloud Service Provider (CSP) certification to which I was enthusiastically pointed towards the Common Assurance Maturity Model (CAMM) as the answer. 2 years later the same problem still exists – there is not yet a recognised cloud provider certification and the CAMM is (as far as I can tell) still to be rolled out with meaningful data acquired to enable comparison of service providers (including CSPs). Thankfully there is a silver lining to this cloud (apologies for the pun) as at last a meaningful attempt seems to be being made by the CSA to tackle this issue with today’s announcement that they are to create a CSP certification framework. I look forward to seeing how this initiative develops and hope that in another two years time we’ll finally have a CSP certification that means something and enables cloud customers and proponents to answer the question “what about compliance”. Well done CSA!

 

RSA – An Insecure ID?

Posted on by
Reply

With the ongoing focus on RSA and in particular the well publicised hack and subsequent exploitation of the two factor authentication solution, SecurID, I thought it about time an objective response was made about RSA SecurID as opposed to the up in arms approach of “SecurID is broken”. More importantly, how can existing users of SecurID protect themselves until they get new tokens, whether through the normal lifecycle replacement or an RSA initiated full scale swap out.

First off, what exactly has happened?

It appears from the various security forums and technology websites that a targeted attack was made against RSA employees which was successful in providing the attackers with remote access into the internal RSA network. Through various account privilege escalation processes and ever deeper penetration the attackers managed to obtain access to various degrees of proprietary RSA SecurID information. This information has then been used to target a number of RSA SecurID corporate customers, the highest profile and publicised one being Lockheed Martin, the US defence contractor.

Unfortunately, to date RSA have not released any specific details of what the attackers managed to obtain but an understanding of how RSA SecurID tokens protect organisations is a good starting point to understand what may have occurred.RSA SecurID is a two factor (2FA) one time password (OTP) solution for providing authentication services. An RSA token has a 6 or 8 digit LCD that displays a number (the passcode) that changes every 60 seconds. The 2FA in this case is your username and private PIN (what you know) and the passcode (what you have – i.e. the passcode on your token). The changing passcode is created using a pseudo random number generator that is embedded within the token for which there is a seed code. On the back end authentication system that same seed code is used to enable this system to know what the current passcode that the token is displaying.

Given that the algorithm RSA uses to generate the next token passcode is believed to be known it becomes very clear that the seed value for each token is the critical component that must remain confidential to ensure that an attacker cannot predict the passcode of a given token at any given time. The supposition is that the direct attack on RSA resulted in the hackers obtaining either some or all of the seed codes for the issued and active RSA tokens. If this is the case then a large amount of the security that RSA SecurID tokens affords to individuals and organisations is potentially compromised. However, does this mean that we should all hold our hands up and say RSA is broken we have to change our authentication systems immediately?

My view is not immediately. Why? Well the seed code, although an extremely important component, doesn’t on its own provide an attacker who has access to this supposed harvest of seed codes the ability to log into any RSA protected customers system because;

1) A list of seed codes doesn’t immediately identify which token it relates too;

2) Even if there is a way of deriving the token serial number from the seed code (this is another supposition being touted) then there is no way of identifying remotely which token belongs to which corporate customer;

3) Even if the attacker somehow knows which seed codes belong to tokens owned by a particular customer (yet another supposition) then the attacker then needs to find out which of the customers users have SecurID tokens and which token belongs to which user and their associated user logon ID;

4) Even if an attacker knows which token a user has and their associated logon ID, the user still has a secret PIN component which assuming token lockouts are in place would protect against directed brute force attacks.

Let’s take points 1 and 2 as a possible given. We are still left with a number of protections in place. For point 3 a separate attack would need to be launched against a target RSA customer. One option would be to hack into the RSA customers network to obtain this information (e.g. perhaps it is stored in a spreadsheet or weakly protected staff HR/ID system) by which time the whole point of obtaining a users SecurID credentials is probably already immaterial.

Alternatively, and this is probably one of the most likely scenarios, social engineering techniques may be used combined with some good guesswork. Remember, if an attacker has the seed code then all they need to now obtain is the users token serial number, their username and their PIN. To achieve this then either some decent shoulder surfing in a public internet cafe of a user logging onto a protected site with SecurID credentials would be required (including seeing the token serial number), or combination of offline collection of the token serial number and then a targetted attack at an individual such as a spear phishing attack or installation of a key logger to obtain those critical final component details.

RSA have intimated that a complete token replacement programme may be their next step in remediating the security breach and improving user confidence, but in the mean time what protective measures can SecurID users take to reduce their risk exposure. Well, with most social engineering techniques the answer is end user awareness and education.

1) Don’t leave SecurID tokens lying around, especially in public places

2) Don’t wear your SecurID token around your neck and especially attached to the lanyard of your building access pass – this usually has the users name on and a good guess at usernames is usually quite productive – first.last maybe?

3) If possible try to make your corporate userid indirectly related to your name so that it isn’t guessable. E.g. have random letters or numbers in your ID such as John Smith might become smithjb9 or something equally unpredictable.

4) When using a SecurID token try to ensure that the serial number isn’t visible to prying eyes. If available for your token form factor then the leather keyfob protectors should be used as these cover the back of the token.

5) Instruct users never to reveal their token serial number to someone calling them pretending to be their helpdesk trying to sort out an issue with their token. Serial numbers should only be divulged to the users company help desk when they have called the help desk directly in response to troubleshooting an authentication issue.

6) Remind users about the dangers of unsolicited emails and phishing attacks.

7) Encourage users always to manually type in the URL of company resources when accessing corporate systems. This reduces the potential for a phishing email to trick the user into thinking they are logging into their company site.

Of course, some of RSA’s competitors are taking advantage of the current hiatus and offering extremely competitive pricing to encourage users to switch vendor. Is this the right solution? I’m not going to say yes or no, but it is worth considering a number of factors in your decision. Just like the Microsoft OS platform, RSA has probably been specifically targeted due to the massive coverage and crown jewel customers, such as Lockheed Martin. If everyone switches to a competitor then, just as Apple are starting to experience, the focus can start to turn onto the players gaining greater market penetration. Who’s to say if the competitors would be susceptible to the same or even different attacks as RSA? What is really needed now to help companies make this decision is some clear information from RSA on exactly what happened, and what measures are now being put in place to stop it re-occurring both at the original hack level, but also from a procedural and technical level around seed generation, storage and registration process. Anything less and the receipt of a replacement token is only a temporary solution which will not instil the confidence in a concerned user base to enable a decision to remain with RSA to be acceptable.

CIAvailability and economics of Internet Connectivity

Posted on by
Reply

Many discussions on cloud computing have thus have focused on Confidentiality and Integrity of Cloud provided services. But what about Availability as well?

I think one of the biggest challenges is that if a company moves its core application processing infrastructure to cloud based services then access to these services is 100% reliant on an Internet connections. Gone will be the days when you turn up at work to find the Internet is down but at least you have access to your internal LAN and data centre which will give you your core tools for working and your files. Move it to the cloud and the loss of the Internet connection will mean loss of your ability to work.

Another point is that many corporations have spent large sums of money investing in highly resiliant and solid SLA protected WAN implementations with diversly routed connectivity to protect against circuit and equipment failures. This isn’t necessarily the same case with their Internet connections.

One issue that people seem to be overlooking (or at least not talking about) at this stage when it comes to the economics of moving to cloud based services is how much will companies need to spend upgrading their Internet connectivity to provide similar levels of resilience and the additional bandwidth – this needs to cover the connections and all of the supporting infrastructure such as proxy servers, firewalls, routers, switches, IDS/IPS etc etc. If you needed a Gigabit backbone connection to your old data centre for normal use won’t you need similar levels of connectivity now to the internet – not cheap in a resilient form !! And if you do start moving data intensive workload to your cloud provider have you checked that they have similar resilience and capacity capabilities to support not just your requirements, but also their ever growing customer base?

And what of those SLA’s – it seems people are happy to consider an uptime SLA of 99.9% from a cloud provider (where has 3 or 4 nine’ gone?), but lets not forget that this is an SLA on their infrastructure up time. We also need to factor in the SLA of your internet connectivity which will reduce the combined SLA below 99.9%. And all that aside I am not sure that anyone can yet offer an end to end SLA on the Internet per se so can we realistically attach any SLA to services provided through an internet based cloud provider?

This will be a fun one for CIO/CFO discussions. I can just see the dilemma faced by the CFO as he is told by the CIO he can save 50% on the cost of his Oracle/SAP/Microsoft Finance system if he moves to cloud, but in doing so he will have to forgo his four nines SLA and replace it with a best endeavours SLA instead. The phrase having your cake and eating it immediately springs to mind.

Cloud Provider Security

Posted on by
Reply

One of the questions I have been regularly asked by colleagues and customers alike is how do I know which of the growing band of “enterprise” cloud service providers is providing a secure cloud infrastructure, how are they doing it and are they doing it well. At this stage cloud providers treat some of the answers as proprietary or confidential and getting at the detail is almost impossible. But is this the correct way for cloud providers to engage with potential customers and security professionals alike?

Recently Microsoft announced to the world its new Government Cloud Offering which offered security and privacy enhancements over the public cloud. All well and good with a smattering of security credentials (ISO27001, FIPS140-2, FISMA) but what does this mean in practice for this particular offering and more importantly what security is being provided to Job Public cloud customers. And does FIPS140-2 just mean implementing SSL Certificates or does it mean specialist HSM protected cryptographic key management controls?

Likewise last June Unisys launched their “Unisys Secure Cloud“  the focus being that it is protected with their patent pending Stealth technology. But what of firewalls, IDS/IPS, Access Controls etc and where is the independant technical validation of Stealth within this environment?

I’m sure similar could be said of all the enterprise cloud providers looking to take advantage of the numerous world wide Cloud marketing campaigns. The problem is with this lack of transparency comes lack of trust and confidence. If the only way to get visibility into this level of detail is to engage in protracted due diligence by potential customers of individual cloud providers then the cost savings offered up through cloud services is going to be swallowed up by consultants, technical advisers and lawyers.

In this age of compliance obligations no company will be able to migrate its computing services to the cloud without the assurance levels that first hand knowledge of the technical, logical and physical controls in place at the Cloud provider will give.

I suggest therefore that We need a new approach to Cloud security assurance that takes a similar path to approved public domain encryption algorithms. In this case security is in the secrecy of the cryptographic key and not the secrecy of algorithm. The translation for cloud is that the security should be in the proper implementation of the controls and not the controls themselves. If this can be achieved then there would be no reason for a Cloud provider to openly publish their security architecture and controls to the world thus enabling customers to identify those cloud providers that take security seriously and those that don’t. My guess is that those who don’t would be less likely to publish in the first place.

So my challenge to cloud providers – which one is prepared to be the first to openly publish their security architecture and controls enabling customers to make an informed decision about which cloud provider to go with.

Who’s job is it to move Cloud Compliance forward?

Posted on by
Reply

One of the issues Cloud Service Providers are facing at the moment is the significant confusion that they have between them generated about what cloud computing really is. One area is location of your cloud providers data centre – on the one hand you have global cloud providers such as Google and Amazon abstracting the location of the cloud data centers from the end customer, whilst on the other hand there are cloud providers taking the definition you posted and providing this from a contracted location.

This becomes significant when you start dealing with compliance – lets take one simple PCI DSS requirement as an example- are there any non WPA2 protected wireless connections connected to the same logical network as that within scope of PCI DSS. If you don’t know which location your cloud provider is hosting your application/data/system from (and it could be multiple over a period of time!) then, unless the cloud provider has certified every single possible location that they could host from, your PCI DSS QSA is not going to be able to tick the compliance box.

I think there is a significant danger of cloud providers taking the rather negative stance towards auditors and their ability to understand new technology. I’ve seen this attitude appearing in recent Cloud Security Alliance discussions where it is all very well to criticize auditors for not updating their views on compliance, however I do think that the Cloud Providers and Cloud technologists really need to make a positive contribution given that it is their technology strides that have resulted in the current debate.

Cloud Computing and Compliance

Posted on by
Reply

Over the past 6 months I’ve been busy considering how the cloud computing paradigm and traditional compliance requirements can work together, if at all. Given the change in subscriber/provider relationships compared to traditional co-lo/hosting operations I am sure that this is going to generate many headaches. Questions around where is your data actually being hosted…..today….tomorrow are immediate harbingers of concern when it comes to demonstrating compliance and that’s before you get into the issues around right to on-site audits, penetration testing and the such like.

Cloud providers, subscribers and compliance auditors are all going to have to get their heads together soon to work out how compliance can be achieved and validated in this new paradigm otherwise we will either end up with very little compliance data being transferred to the cloud, or alternatively we will have lots of subscribers suddenly finding out that their previously hard earned certificates are suddenly under threat.

My two cents worth of contribution to this ongoing debate is that perhaps we need a new class of internationally recognized certifications for data centre/cloud providers to adhere too and be measured against that are recognized by existing compliance bodies. Perhaps this new certification could also be graded such that a provider can choose which of the existing compliance objectives (e.g. PCI DSS, SOX, SAS, BASEL, FSA, ISO etc etc) they want to be measured against and thus flow down to their customers.

An interesting debate which can only get hotter as cloud services take on more live mainstream customers.