Wednesday, July 31, 2013

CCSK Study - Section 1: Cloud Architecture

I am currently studying for the CCSK and I thought I would post some of my notes here.

These notes are taken from the CSA : Security Guidance for Critical Areas of Focus in Cloud Computing V3.0.

Section 1 talks about cloud architecture and contains 1 domain which is titled Cloud Computing Architectural Framework.

The goal of Domain 1 is to establish a baseline of terminology so as to facilitate the rest of the discussion around cloud security.

  • Cloud computing is defined as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or provider interaction.
    • This is the definition from NIST SP 800-145
  • NIST further describes cloud computing by defining essential characteristics, cloud service models, and cloud deployment models.
  • Essential Characteristics
    • Broad Network Access
      • Capabilities are available over the network and accessed via standard protocols
    • On-Demand Self Service
      • Customer is in control to provision required services (network, storage, server) as needed
    • Resource Pooling
      • Provider's resources are pooled to serve multiple customers in a "multi-tenant" model
      • Provider provides a "location independence" 
        • Customer is not really aware of where the resources are being provided from
        • Customer has no control over this either (except at higher levels of abstraction)
      • Security impact: a tenant may be able to see, or leave behind, traces of operations by other users or tenants, so isolation between tenants has to be enforced by the provider
    • Rapid Elasticity
      • Capabilities can scale with demand (inward and outward)
      • Capabilities appear to the customer as "unlimited"
    • Measured Service
      • Cloud providers leverage a metering capability whereby usage can be monitored, controlled, and reported
  • Service Models
    • Service models build upon each other (i.e., PaaS builds upon IaaS and SaaS builds upon PaaS)
    • IaaS - Infrastructure as a service
      • Provides a set of APIs that allow management of the infrastructure by consumers
    • PaaS - Platform as a service
      • Provides Integration and middleware services
      • Databases, messaging, queuing and development frameworks
    • SaaS - Software as a service
      • self-contained operating environment that is used to deliver the entire user experience including content, presentation, applications and management
    • Each model represents a different split of security responsibility between provider and tenant: the lower in the stack the provider's service stops (IaaS), the more security capabilities the tenant has to implement and manage itself
    • "It should be clear in all cases that one can assign/transfer responsibility but not necessarily accountability"
  •  Deployment Models
    • Private Cloud
      • Cloud is provisioned for exclusive use by a single organization
      • Can be on or off premises
      • Can be serviced by a 3rd party
    • Community Cloud
      • Subset of Public cloud
      • Services are available to a specific community of consumers from organizations that have shared concerns
    • Public Cloud
      • Provisioned for use by the general public
    • Hybrid Cloud
      • Composition of two or more distinct cloud infrastructures
  •  Re-perimeterization of the network
    • Basically, trust boundaries are changing and so should the discussion and terms used
    • Services can no longer be classified simply as "internal vs external": a private cloud, for example, could be considered internal because it is commissioned for a single customer, yet be located outside the traditional demarcation points of the network.
    • Risk conversation now has to include
      • Types of assets that are being managed
      • Who manages them and how
      • Who consumes them
      • Which controls are selected and how they are integrated
      • Compliance issues
  •  Gap analysis for security controls becomes a collaborative effort
    • Basically, we have to rely on the cloud provider to disclose accurately and transparently which security controls are in place (and to provide access to their output), and an organization must trust that it knows which security controls are required based on the compliance model it has chosen.
    • The ability to comply with any requirement is a direct result of the service and deployment model used and of the design, deployment and management of the resources in scope.
  • Security controls are, for the most part, no different in the cloud than they are in traditional IT environments
    • maturity of posture defined by the completeness of the risk-adjusted security controls implemented
      • layered approach
      • Controls should be implemented at the people and process level as well as the technical level

My understanding is that the goal of this domain was to provide some basic definitions of cloud computing and to describe some global aspects and problems.  The NIST definition is pretty good but, as described in the recommendations section of this domain, it does not cover "Cloud Service Brokers".  CSBs seem to be a way of providing a unified model for security, governance, portability, etc. across a number of CSPs.  It will be interesting to see how this all takes shape.  The cloud presents the same problems as traditional IT, except that it does not all reside under your control.  The main point here is that while you can assign the responsibility, you as the customer are still accountable for the security of the whole solution.  Another point is that many of the security controls you would typically put in place yourself must now be placed "in a contract", and that contract must contain sufficient provisions to give you access to, and transparency into, those controls.

Friday, July 19, 2013

Notes for a BitTorrent Sync Setup

I was looking into a few "self-hosted" cloud services and finally settled on btsync the other day.  I had taken a look at the Synology DiskStation, and Seafile / ownCloud.  Ultimately I think the fact that btsync has security built in from the ground up is why I chose it.  I don't need a ton of advanced features, but I don't want just anyone looking at my data.  I do, however, need something that runs on Windows / Linux / Synology and Android.  BTSync meets all of that.

Btsync is now at version 1.1.42 and with every version it is getting better and better.  I just recently had a chance to test out the beta app for Android and it worked great!

A couple of notes to consider when using btsync.

1)  Use separate accounts to run the executable

I think this is important.  If you run btsync as yourself, you are giving it the same access that you have.  In reality, the btsync application only needs access to the folder it is syncing (plus a place to keep its own state).  Ideally you create a "service account" for this, but keep in mind that by default btsync creates a .sync state directory in the home directory of whatever user runs it.  Not a big deal, this is all configurable, at least on Linux (storage_path in the config file).

I set up a btsync account on both my Linux and Windows box and then gave it access to one folder to sync.  This way, if the executable is ever compromised, it won't (by default) have access to all of my user settings, etc.

2) TCP over LAN didn't work for me

I'm not sure if I did something wrong here, but I couldn't get my clients to connect using TCP over the LAN.  They kept defaulting to UDP regardless of the settings on both clients.  Remember this if your LAN isn't working like you planned.

3)  Make sure you secure the webGUI

If you are using the web GUI (Linux users almost always will), be careful with it.  By default it listens on port 8888 on all interfaces.  The first thing you can do is make sure your firewall is on and blocking that port from the outside world; better still, bind it to 127.0.0.1 in the config file and reach it over an SSH tunnel.  The other thing you can do is set a username and password in the config file (see the user manual); note that the GUI is plain HTTP, so that login crosses the network unencrypted if anything other than localhost can reach it.

4)  Monitor connections from the interweb

Remember, if you open a port on your firewall allowing the Internet directly in, it is always good to have that traffic go through some type of proxy or filtering layer first.  Ultimately this is not going to be feasible for most people, so we have to rely on the BitTorrent developers not making any buffer overflow mistakes!  At a minimum, forward only the one port btsync listens on and watch who connects to it (your firewall's logging is enough for that).

5)  If you can, stay away from the tracker service and the "relay service"

Try it without those features turned on.  I know in most cases, for most people, those settings are turned on because it will just work.  With the tracker, your client registers with a server run by BitTorrent, announcing that your IP is hosting a share and which port it is reachable on.  Yes, they may not have the secret, but if you don't need that service, just don't use it.  The second is the relay service.  You will need it if you are behind certain network architectures (for example NAT on both ends with no port forwarding), but for the most part you should be okay without it.  This way your data is not traversing a server it doesn't have to.  I know the NSA is watching everything, but we might as well try and limit where we are sending our data.  These days, most "dynamic" IPs are fairly static, and there are also a few dynamic DNS services you could use to point the other clients at a fixed name.

6)  256-bit AES is a great choice

But I wonder how the key is derived from the secret and whether this could be figured out somehow.  According to the docs you can substitute your own base64 encoded key that is more than 40 symbols long.  This might be easier than sharing the generated secret, as you could come up with a line of a poem or something like that and share it with friends/family; keep in mind, though, that a memorable line has far less entropy than 40 random base64 symbols and can be guessed from a corpus of text, so a randomly generated key is the safer choice.  I do like how you can change the key at any time; they have really thought a lot of this stuff through.
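As an added example that is not part of the original post or of BitTorrent's own documentation, the following script ties points 1, 3, 5 and 6 together: a dedicated service account that owns only its sync folder and state, a config with the web GUI bound to loopback and protected by a login, tracker/relay/DHT/UPnP switched off in favour of an explicit known_hosts entry, and a random 256-bit secret instead of a memorable phrase.  The config field names follow the sample that `btsync --dump-sample-config` prints for the 1.1 series; the user name, paths, port and peer address (peer.example.net) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from BitTorrent Inc.): run btsync
# under its own service account with a locked-down config. Config field names
# follow the sample that `btsync --dump-sample-config` prints for the 1.1 series;
# user name, paths, port and peer address are assumptions for illustration.

SYNC_USER="btsync"                  # assumed: dedicated service account
SYNC_DIR="/srv/btsync/shared"       # assumed: the one folder it is allowed to sync
SYNC_STATE="/srv/btsync/state"      # assumed: replaces the default ~/.sync
CONF="/etc/btsync/btsync.conf"      # assumed: config file, holds the secret

# A 256-bit random secret, base64 encoded: 44 characters, which satisfies the
# "more than 40 symbols" rule for a custom secret and, unlike a line of a poem,
# is not guessable from a dictionary of text.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_btsync_config OUT SECRET SYNC_DIR STATE_DIR WEBUI_PASSWORD [KNOWN_HOST]
# - web UI bound to loopback with a login, so it is unreachable from the LAN
# - tracker, relay, DHT and UPnP off; the peer is listed in known_hosts instead
write_btsync_config() {
    out=$1; secret=$2; dir=$3; state=$4; webpass=$5; peer=${6:-}
    if [ -n "$peer" ]; then hosts="\"$peer\""; else hosts=""; fi
    cat > "$out" <<EOF
{
  "device_name" : "sync-service",
  "listening_port" : 44444,
  "storage_path" : "$state",
  "check_for_updates" : false,
  "use_upnp" : false,
  "webui" :
  {
    "listen" : "127.0.0.1:8888",
    "login" : "admin",
    "password" : "$webpass"
  },
  "shared_folders" :
  [
    {
      "secret" : "$secret",
      "dir" : "$dir",
      "use_relay_server" : false,
      "use_tracker" : false,
      "use_dht" : false,
      "search_lan" : true,
      "use_sync_trash" : true,
      "known_hosts" : [ $hosts ]
    }
  ]
}
EOF
}

# Returns 0 only if the config keeps the web UI on loopback and stays off the
# tracker, relay and UPnP; used as a pre-flight check before starting btsync.
config_is_locked_down() {
    f=$1
    grep -q '"listen" : "127.0.0.1:' "$f" &&
    grep -q '"use_tracker" : false' "$f" &&
    grep -q '"use_relay_server" : false' "$f" &&
    grep -q '"use_upnp" : false' "$f"
}

# Privileged part, run as root with: sh btsync-setup.sh install
# Needs WEBUI_PASS in the environment (the web UI login password).
install_service() {
    : "${WEBUI_PASS:?set WEBUI_PASS to the web UI password}"
    useradd --system --home-dir "$SYNC_STATE" --shell /sbin/nologin "$SYNC_USER"
    mkdir -p "$SYNC_DIR" "$SYNC_STATE" "$(dirname "$CONF")"
    secret=$(gen_secret)
    write_btsync_config "$CONF" "$secret" "$SYNC_DIR" "$SYNC_STATE" \
        "$WEBUI_PASS" "peer.example.net:44444"   # assumed: the other box, via dynamic DNS
    # The account owns only its sync folder and state; the config holds the
    # secret, so it is readable by root and the service account alone.
    chown -R "$SYNC_USER:$SYNC_USER" "$SYNC_DIR" "$SYNC_STATE"
    chmod 750 "$SYNC_DIR" "$SYNC_STATE"
    chown "root:$SYNC_USER" "$CONF" && chmod 640 "$CONF"
    config_is_locked_down "$CONF" || { echo "refusing to start: config exposes the service" >&2; return 1; }
    echo "secret to enter on the other device: $secret"
    # Drop to the service account before launching the binary.
    su -s /bin/sh -c "btsync --config $CONF" "$SYNC_USER"
}

if [ "${1:-}" = "install" ]; then install_service; fi
```

Run it as root with `WEBUI_PASS=... sh btsync-setup.sh install`; to manage the GUI from another machine, tunnel it with `ssh -L 8888:127.0.0.1:8888 host` rather than opening the port.  The pre-flight check is deliberately strict: if someone later edits the config to turn the tracker or relay back on, the service refuses to start instead of quietly announcing itself.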

All in all, so far I am really impressed by the product.  It works fast and is configurable to tweak in some of your own settings.  I look forward to future releases!

Friday, July 12, 2013

Technet Expiration

I must confess something, I am a technet subscriber!  Phew, at least now it is out in the open and I don't have to hide it anymore.

I'll be honest, I am not Microsoft's #1 fan.  Not by a long shot.  Whenever I can, I upgrade my machines to the Fedora/CentOS experience.  I rely as much as I can on FOSS tools to get me through my day.  I am always looking for ways to decrease my dependence on MS products.  When I am at work, I bond with the *nix guys.  We make fun of the point-and-click simplicity that is Windows.

But alas, the world runs on MS products and services.  That is why I subscribe to technet.  As a general IT enthusiast, I want to be able to play around with products.  I want to test their limits.  I want to try customizing it, to try new things, to try and integrate it with FOSS tools, and to try and get windows and linux to play nice together.  As a security enthusiast, I need windows to be able to test out the latest malware and exploits.

I am saddened that the TechNet subscription service is expiring.  If anything, MS owes me money for licenses that I have purchased (unavoidably) as part of my PC purchases.  I do like the idea of an affordable way for IT generalists and the like to tinker with MS products.  It is unfortunate that MS does not feel the same way.

If you like technet, please sign this petition.  I'm sure that because we don't have Premier support, we cannot expect anyone to get back to us within 4 hours, but it is worth a shot.

Monday, July 8, 2013

OpenCrowd Taxonomy

This post is more of a personal note, but I found it interesting so I thought I would share.

I found this "cloud taxonomy" while reading for my CCSK exam.  Although probably not a comprehensive list, it does outline some cool providers that may be worth checking out!

Saturday, July 6, 2013

Fedora 18 and Synology Shares Via CIFS

I finally got around to setting up my Synology shares via CIFS on my Fedora 18 box.  I tried following the instructions here, but they didn't work so well.

I kept getting the following:

mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

I finally stumbled upon this forum post which helped me out.

It looks like the cifs kernel module changed its default security mode (the sec= mount option) from ntlm to ntlmssp in newer kernels, and the DiskStation would not accept that.  Switching it back with sec=ntlm worked.

It will be interesting to see if the security settings on the synology can be upgraded to support some of the stronger protocols.
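As an added example (not from the original post), here is how I would script the mount so that the sec=ntlm workaround is only used when the kernel default actually fails, and so that the share password lives in a root-only credentials file instead of on the command line or in /etc/fstab.  The share name, mount point, credentials path and UID/GID are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): mount a Synology CIFS share on
# Fedora with the sec=ntlm fallback described above, without putting the
# password on the command line. Share, mount point and paths are assumed.

SHARE="//diskstation.example.lan/homes"   # assumed: the NAS share
MNT="/mnt/diskstation"                    # assumed: local mount point
CRED="/etc/samba/cred-diskstation"        # assumed: root-only credentials file

# write_cifs_credentials FILE USER PASSWORD [DOMAIN]
# mount.cifs reads the login from this file, so the password never appears in
# `ps` output, shell history or /etc/fstab. The file is created mode 0600.
write_cifs_credentials() {
    f=$1; u=$2; p=$3; d=${4:-}
    (
        umask 077
        {
            printf 'username=%s\n' "$u"
            printf 'password=%s\n' "$p"
            if [ -n "$d" ]; then printf 'domain=%s\n' "$d"; fi
        } > "$f"
    )
    chmod 600 "$f"
}

# cifs_opts UID GID -> mount options. sec=ntlm is what the DiskStation accepted
# after the kernel default moved to ntlmssp; it is an older, weaker flavour than
# ntlmssp/ntlmv2, so drop the sec= override as soon as the NAS negotiates those.
cifs_opts() {
    printf 'credentials=%s,sec=ntlm,uid=%s,gid=%s,file_mode=0660,dir_mode=0770' \
        "$CRED" "$1" "$2"
}

# fstab_line UID GID -> one /etc/fstab entry; _netdev waits for the network and
# nofail keeps the boot going if the NAS happens to be off.
fstab_line() {
    printf '%s %s cifs %s,_netdev,nofail 0 0\n' "$SHARE" "$MNT" "$(cifs_opts "$1" "$2")"
}

# Privileged part, run as root: sh cifs-mount.sh mount [UID] [GID]
# Tries the kernel's default security mode first and falls back to sec=ntlm only
# when that is refused, which is the mount error(5) case from the post.
mount_share() {
    mkdir -p "$MNT"
    if ! mount -t cifs "$SHARE" "$MNT" -o "credentials=$CRED,uid=$1,gid=$2"; then
        echo "default security mode refused, retrying with sec=ntlm" >&2
        mount -t cifs "$SHARE" "$MNT" -o "$(cifs_opts "$1" "$2")"
    fi
}

if [ "${1:-}" = "mount" ]; then mount_share "${2:-1000}" "${3:-1000}"; fi
```

Create the credentials file once with `write_cifs_credentials /etc/samba/cred-diskstation youruser 'yourpassword'`, then either run `sh cifs-mount.sh mount 1000 1000` or append the output of `fstab_line 1000 1000` to /etc/fstab.  When the retry message stops appearing after a DSM update, the NAS has started accepting ntlmssp and the sec=ntlm option can go.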

Hope that helps!