Virtualization and Cloud Computing Virtualization, Cloud and Security Michael Grafnetter.


1 Virtualization and Cloud Computing Virtualization, Cloud and Security Michael Grafnetter

2 Agenda
- Virtualization Security Risks and Solutions
- Cloud Computing Security
- Identity Management

3 Virtualization and Cloud Computing Virtualization Security Risks and Solutions

4 Blue Pill Attack

5
- Presented in 2006 by Joanna Rutkowska at the Black Hat conference
- Traps the running OS by starting a hypervisor and virtualizing the underlying machine (needs the right to run privileged instructions to achieve this)
- Could intercept nearly anything and send fake responses (hardware interrupts, requests for data, system time, etc.)

6 Red Pill
- Blue Pill is detectable by a timing attack
- Trap-and-emulate takes much longer than native instructions
- External time sources (NTP) need to be used, because system time could be spoofed

7 VMM Vulnerability By attacking a VMM, one could attack multiple servers at once

8 Datacenter Management SW Virtualization infrastructure management software (VMware vCenter, Microsoft SC VMM) is used to control multiple hosts at once

9 Web Access to DCs Multiple datacenters can be managed from a central console. Therefore, its security has to be hardened.

10 One Ring to rule them all…
- Management commands available using PowerShell or Web APIs
- Get-VM -Name * | Stop-VM
- Get-VM -Name * | Remove-VM
- Copy-VMGuestFile
- Invoke-VMScript -Type Bash
- …

11 Demo DoS attack on virtualization infrastructure


13 Disabling Host-VM Communication

14 Physical vs. Virtual Firewall With virtualization, servers from different Trust Zones usually share the same physical resources (memory, network card, etc.)

15 Traffic isolation

16 Demo Configuring traffic isolation on VMware ESXi

17 Other risks of virtualization
- Introduction of yet another OS
- Reliance on traditional barriers
- Accelerated provisioning
- Security left to non-traditional security staff
- Audit scope creep

18 Security Solutions
- Virtual Firewall
- Live migration
- Stretched clusters
- Agentless Antivirus
- Extensible Switches
- Mobile Virtualization Platform
- Virtual Desktop Infrastructure (VDI)

19 Agentless AV

20 Extensible Switch

21 Mobile Virtualization Platform


23 Supported devices

24 Virtual Desktop Infrastructure

25 Virtualization and Cloud Computing Cloud Computing Security Risks

26 Who has access to our data?

27 Physical Security

28 Hard Disk Crushers

29 Other Cloud Risks
- Unclear data location
- Regulatory compliance
- Data segregation
- Lack of investigative support
- Disaster recovery
- Long-term viability, vendor lock-in

30 Virtualization and Cloud Computing Identity Management

31 Basic Concepts
- External user DBs
- Two-factor authentication
- Role-Based Access Control (RBAC)
- Identity Federation
- OAuth
- OpenID
- SAML
- RADIUS Proxy
- Identity Bridges

32 External User DBs Typically Active Directory or generic LDAP is used as central identity store for virtualization infrastructures

33 Azure Active Directory

34 Two-Factor Authentication

35 Role-Based Access Control
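Slide 10 shows why the management console is "one ring": a single `Get-VM -Name * | Remove-VM` reaches every VM the caller is permitted to touch. Slide 35 names the mitigation, role-based access control, without detail. The block below is an added example, not part of the slides or of any vendor's product: a small deny-by-default RBAC model where a role is a set of privileges and a permission binds a principal to a role on an inventory subtree, so a bulk operation acts only on the objects the caller is scoped to. The privilege names, inventory paths and principals are constructed labels, not real vCenter or SC VMM privilege identifiers.

```python
from dataclasses import dataclass

# Privilege labels modelled on the cmdlets from slide 10.
# Illustrative names only, not real vCenter/VMM privilege identifiers.
STOP_VM = "VM.Stop"
REMOVE_VM = "VM.Remove"
COPY_GUEST_FILE = "VM.CopyGuestFile"
INVOKE_GUEST_SCRIPT = "VM.InvokeGuestScript"


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset


ROLES = {
    "admin": Role("admin", frozenset({STOP_VM, REMOVE_VM, COPY_GUEST_FILE, INVOKE_GUEST_SCRIPT})),
    "operator": Role("operator", frozenset({STOP_VM})),  # may stop, never delete or reach into guests
    "read-only": Role("read-only", frozenset()),
}


@dataclass(frozen=True)
class Permission:
    principal: str
    role: str
    scope: str  # inventory path; applies to this object and everything below it


def scope_covers(scope: str, vm_path: str) -> bool:
    """True if vm_path is the scope object itself or lies underneath it."""
    prefix = scope.rstrip("/") + "/"
    return vm_path == scope or vm_path.startswith(prefix)


def is_allowed(permissions, principal: str, privilege: str, vm_path: str) -> bool:
    """Deny by default; allow only if a permission on a covering scope grants the privilege."""
    for perm in permissions:
        if perm.principal != principal or not scope_covers(perm.scope, vm_path):
            continue
        if privilege in ROLES[perm.role].privileges:
            return True
    return False


def bulk_operation(permissions, principal: str, privilege: str, inventory):
    """Emulates 'Get-VM -Name * | <cmdlet>' with per-object authorization:
    returns (acted_on, denied) instead of touching the whole inventory."""
    acted_on = [vm for vm in inventory if is_allowed(permissions, principal, privilege, vm)]
    denied = [vm for vm in inventory if vm not in acted_on]
    return acted_on, denied


# Constructed sample inventory and permission table.
INVENTORY = ["/dc1/prod/db01", "/dc1/prod/web01", "/dc1/test/web01", "/dc2/prod/ad01"]
PERMISSIONS = [
    Permission("alice", "admin", "/"),           # the "one ring": everything, everywhere
    Permission("bob", "operator", "/dc1/test"),  # scoped to the test folder only
    Permission("carol", "read-only", "/"),
]

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        acted, denied = bulk_operation(PERMISSIONS, who, STOP_VM, INVENTORY)
        print(f"{who}: Stop-VM acts on {acted}, denied on {denied}")
```

The point the model makes concrete: the blast radius of a compromised or mistyped bulk command is bounded by the scope of the account that issued it, which is why day-to-day operator accounts should not hold the admin role at the root.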

36 Identity Federation

37 OAuth Used to delegate user authorization to a 3rd-party service provider

38 Demo Creating a web application with Facebook/Twitter/ Microsoft Account authentication
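Slides 37 and 38 describe delegating sign-in to a third-party provider. The block below is an added example, not part of the slides or of any provider's SDK: the relying-party side of the OAuth 2.0 authorization-code flow, showing the two checks a web application must perform on the callback, a single-use `state` value bound to the browser session (against login CSRF and code injection) and a PKCE code verifier (RFC 7636) that accompanies the code to the token endpoint. The client id, endpoints and session ids are constructed; the token-endpoint request itself is outside the block.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse


class OAuthClient:
    """Relying-party side of the OAuth 2.0 authorization-code flow with PKCE."""

    def __init__(self, client_id: str, redirect_uri: str, authorize_endpoint: str):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.authorize_endpoint = authorize_endpoint
        self._pending = {}  # state -> (browser session id, PKCE code_verifier)

    def begin(self, session_id: str, scope: str = "openid email") -> str:
        """Builds the redirect to the provider, binding a fresh state to this session."""
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 PKCE range
        challenge = base64.urlsafe_b64encode(
            hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
        self._pending[state] = (session_id, verifier)
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": scope,
            "state": state,
            "code_challenge": challenge,
            "code_challenge_method": "S256",
        }
        return self.authorize_endpoint + "?" + urllib.parse.urlencode(params)

    def finish(self, session_id: str, callback_url: str):
        """Validates the provider's redirect; returns (code, code_verifier) for the token request."""
        query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
        state = query.get("state", [""])[0]
        pending = self._pending.pop(state, None)  # single use: a replayed state is gone
        if pending is None:
            raise ValueError("unknown or reused state")
        bound_session, verifier = pending
        if not hmac.compare_digest(bound_session, session_id):
            raise ValueError("state belongs to a different browser session")
        if "error" in query:
            raise ValueError("provider returned error: " + query["error"][0])
        if "code" not in query:
            raise ValueError("no authorization code in callback")
        return query["code"][0], verifier


def state_from_url(url: str) -> str:
    """Helper for the demo: pulls the state parameter back out of the redirect URL."""
    return urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["state"][0]


def callback_accepted(client: OAuthClient, session_id: str, callback_url: str) -> bool:
    """True if the client accepts this callback for this session, False if it rejects it."""
    try:
        client.finish(session_id, callback_url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values; a real deployment registers these with the provider.
    client = OAuthClient("demo-app", "https://app.example.test/callback",
                         "https://idp.example.test/authorize")
    url = client.begin("session-1")
    print("redirect user to:", url)
    st = state_from_url(url)
    code, verifier = client.finish("session-1", f"https://app.example.test/callback?code=abc&state={st}")
    print("code:", code, "verifier length:", len(verifier))
```

Store `_pending` server-side (or in an encrypted cookie) in a real application; the dictionary here keeps the example self-contained.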

39 OpenID


41 SAML
- Similar to OpenID, but targeted to the enterprise
- Security Assertion Markup Language
- XML-based
- Supports Single sign-on
- Requires mutual trust between IdP and SP
- Multiple bindings, not just HTTP
- Supports Identity provider initiated authentication

42 SAML

43 SAML (Google Apps)

44 SAML Example https://idp.example.org/SAML2... … member staff

45 Microsoft Active Directory Federation Services
- SAML-based
- Typically used to give business partners access to intranet portals

46 Shibboleth
- SAML-based federation portal
- Open Source

47 Demo Signing in to a federated web application

48 RADIUS Proxy (Eduroam)

49 Identity Bridges

50 Identity Bridges: Azure Access Control Service

