Dan Stolts Security BSides Boston 2013 - Cloudy Weather How Secure Is The Cloud?

good morning welcome to Dan Schultz talking about Cloud security please set your communication devices on vibrate or just turn them off and sit back and enjoy if you need to have a conversation please step outside and it's now my great pleasure to introduce Dan from Microsoft good morning everyone my name is Dan Stoltz I work for Microsoft I've been with Microsoft for about five years you can reach me on my blog itproguru.com um you can also reach me via email Guru microsoft.com or my preferred method of communication Twitter at it pro Guru my job basically as a public speaker I've been in the technology industry for almost 30 years and in addition to my duties at

Microsoft I also own and operate a hosting and Consulting business out of the South Shore Bay State integrated technology I'm also very involved with the community so I am the President of Boston user groups which is a um basically they manage a website of all the user group and community activities that go on in the Boston area actually it's all of New England and even outside of New England in a lot of cases so I would encourage you to check it out Boston usergroups.com bostonusicgroups.org actually I think.org.com will both get you there I'm also uh involved in the local community in my neighborhood I'm a scout leader I've been doing that with my son for the the last couple of years and

absolutely enjoy it um immensely in addition I also help with a lot of other local user groups like virtualization group Boston I'm the chairman there they're online at vertg.com as well as lots of other things and you know I support the community the security Community whenever I can and I really appreciate you guys having me here to uh um to speak at this event So today we're going to talk about um uh how secure is the cloud and really since I'm a Microsoft employee I'm really going to focus that discussion around windows Azure uh which is the Microsoft Cloud solution but a lot of the things that we're going to talk about are the the same questions that

you're going to want to ask no matter what cloud provider that you're that you're looking at um and I want to start the discussion with letting you know that you can get if you want to try some of this stuff out if you want to actually get it get familiar with the cloud you can go to a link I have up here AK dot Ms forward slash iaas iaas stands for information uh infrastructure as a service sorry um brain dead this is caused from too much work so um anybody feel like they work too much in their job just me a few people okay um yeah I'm definitely guilty of that um so in addition

um if you want to try some stuff out you want to actually get step by step on how to do different things on my blog itpogrouper.com Hol for Hands-On Labs I do have some step by steps to walk you through getting familiar with some of these Technologies and I do a lot of public speaking so if you want to follow me or look at other topics that I'm speaking on whether it be Windows server or Windows Azure security whatever I have a public calendar any itpro.com so uh you might want to check that out and you know find out what else what other opportunities there are to get some some free education and oh by the way

Whenever you set up Azure account um even if you're not interested in you know cloud services or you know deploying cloud services in your organization it's a really cool opportunity um since companies like Microsoft do give you a free evaluation accounts to spin up some servers in the in the cloud to do you know cool stuff fun stuff um so um you know I mean I wouldn't necessarily Advocate that you spin up a thousand you know servers in the in the in the sky to go you know hack somebody but if you want to spend up a few servers in the cloud to go try to hack yourself right um to see how vulnerable you might be

it's there's some really cool opportunities there for Security Professionals so let me ask you a couple of questions while we're on that topic how many people in the room would uh are you know consider themselves developers or attached to the developer community wow okay a fair number and so the same question on the it pro side or infrastructure side how many people are consider themselves more infrastructure all right and who's just straight up security wow okay excellent I wanted to kind of just get a gauge of the of the audience and who I'm talking with today now if you do decide to spin up a Windows Azure service you want you want to leverage that I am offering a uh um a

challenge for this is an event challenge so before I go into any detail on this side just to show of hands if I gave you a challenge that takes you five minutes to do um and um it's only available to the people that are here at this event today and I'm giving you until Tuesday to do it who how many people would be interested in doing that for the opportunity to win either an Xbox console with connect or a Microsoft Surface their choice show of hands anybody okay so there's a little bit interest I'll spend a couple seconds on it there's a handout at the table if you didn't get it it looks like this right

it gives you all the instructions but basically all you got to do is build a Windows Azure system right I'll give you a link to do it for free that takes you about that one takes a little more than five minutes that one takes about if you already have an Azure account it says five minutes if you don't have an Azure account it does take about 15 minutes to set up an Azure account the free free trip but to do the downloads you don't need a an Azure account you just need a live ID which just takes a couple of minutes and then start the download do a screenshot of the download that's you and then pause it if you're going to do

it here at the event please don't download these bits because there's a lot of a lot of stuff there those are ISO images um download an event because it'll uh it'll really chew up but you can start it you know as soon as it hits the zero percent pause so it's not downloading here on our wireless and then send me a screenshot of that paused image email the screenshot to me and that'll that'll enter you for the for the drawing and I'll do the drawing Tuesday afternoon and I'll email whoever the winner is and say hey you're the winner would you like the surface or the Xbox and what's your address that I can send it to so uh take

a look grab one of these by the way I did this this is the first time that I've done the Xbox and the uh surface uh you know you get to pick kind of thing um sorry this is the second time the first time I did it was in front of a in front of an audience it was at the keynote very similar to what we just had in the last session I was doing the Keynote um and there were 280 people in the audience I only had three people that wanted to take the five minutes to do this so it kind of surprised me so this is the second time I've done I'll see if

I have better results this time but the person that won it actually had a one in one in three chance of winning I don't know if you'll have a one in three chance of winning here maybe it'll be one and three maybe one and five maybe one in fifty I don't know but still really good odds if you if you want to spend the five minutes to do the work if you don't want to spend the five minutes to do the work or you know you're not going to win anyway hey you know what do it anyway for me because it helps your community because these links are tied back to Microsoft monitors these links

and they give out swag to different Community organizations based on the number of people that actually do this so if you don't want to do it for the drawing go ahead and do it for the community they would appreciate it all right so um I also wanted to let you know in case you in case you're certified on Windows Server there's a free early experts program so you can get Microsoft has an has an online university where they have free free training and early experts is an online program that will allow you to walk through and get your certification on Windows Server 2012 for free so it's early experts.net I would encourage you to check that out if you're interested

in getting more more training all right so here's our agenda for today who can read this okay it um this was uh encrypted with my private key so you'd have to have the publicly key in order to decrypt it um so it's a classifying right um and really that's what we're going to talk about is how secure is stuff um and talking about um uh you know classifying your data um and your your systems but really from yeah is your presentation going to be available I will make my presentation available so I would presume it would be on the B-side site I'll email to them as soon as I'm done with the presentation today so absolutely I'll make it

available I'm also going to put it on my blog so if you go to igproguru.com and then click on resources it'll be right there under the resources page and it'll probably be sometime this weekend that I get it up so it won't be up today because I've got another engagement right after this but I will get it up there uh by Monday so these are really the questions that I'm going to try to answer today during this presentation and oh by the way this is a really a 75 minute presentation that I've narrowed down to the 40 minutes that they've given me so I'm going to kind of Screen through it a little fast but I hope I

think with the uh the speed at which I'm able to talk that uh that I'll be able to get you all of the information and really a few few things that we want to talk about in terms of security versus confidentiality that is whenever I have data how how um how how secure is that data in terms of not somebody else not being able to gain access to it so if I'm putting my data my servers in the cloud is Microsoft going to be able to see all of my stuff right and who knows the answer to that absolutely right no just kidding um so we're going to talk we're going to talk a little bit about

that we're going to talk about integrity what is the possibility that somebody other than me can change my data once it's if it's sitting in the cloud right and how do I protect from making or make sure that I that my data is has absolute integrity and then of course availability because whenever you move to the cloud you know your stuff is not in your infrastructure anymore now you have availability concerns obviously on your on-prem systems as well because if a server goes down it's not available right but you need some kind of extra assurances that whenever you put something on somebody else's infrastructure that it is going to be available because I mean let's face it

what good is having you know data in the cloud if you can't access it right so you have to have availability and kind of underneath all that or wrapped around all of that we we need to consider risk management and compliance lots of people have uh different you know things that they look at from a risk management standpoint they have different things that are different requirements from a compliance standpoint so we're going to look at all of those so um moving to the cloud first and foremost I want to say there's a lot of customer accountability right let's face it you put a server in the cloud and you make your username administrator and you make your password

password it's not very secure right it doesn't matter if you have you know um uh private public Keys certificates doing you know uh you know creating a tunnel between your on-prem and your your cloud services if you have RDP open and you have no password right so there is some accountability for you just like there's accountability in your organization to make sure that you're doing the best practices to make sure that your your information is secure and safe um and then you know in a multi-tenant environment multi-tenancy is where you have more than one person more than one company's data on a single resource like a server a computer a hard disk whatever um and you know are those people going

to be able to gain access to my data am I going to be able to am I I going to be able to protect my systems from them and there's there's a lot of things that go into moving to the cloud so different responsibilities who has responsibility for the different components that make up the infrastructure and the the resources that that data is stored on you know we've got to understand um and and some of the things that we're doing within Microsoft are are differentiations of roles of responsibility so you know people that have a a you know a key to do things are supposed to have the key to do those things and can get into those areas and

if they if they don't need to be somewhere they're not going to be able to be somewhere but fundamentally really what um the the bulk of what we need to consider today is trust so let me ask you a question who trusts Microsoft with all of their data and all of their systems not a single hand okay me and I you know do I well let me put it a different way how many of you have your data on a Windows Server system data on a Windows Server system okay really only that many hands who's sleeping a few okay um so the moral of that story is there is inherently some trust already right because you trust HP if you have HP

servers that they're not going and getting after your data through stuff you know that's built into the firmware of their servers right you trust Microsoft if you have a if you have servers running in your organization you trust that they're not you know scraping your data and sending it somewhere now so but whenever we whenever we talk whenever we talk about trust um uh let me sorry I moved ahead too fast when we talk about when we talk about trust let me let me say this um you guys uh know from a privacy standpoint what Microsoft's policy you guys have I have an idea of what privacy how how Microsoft feels about privacy right um they feel like your data is your data

it belongs to you um um well maybe not maybe whenever you move to the cloud their policy is more like Google you know what Google's policy is right right um so whenever you look at cloud services it's important that you understand what the different companies have for their for their policies right um in Microsoft's case your data is your data in other companies case you know it may not be the case so it's important for us as consumers to recognize whenever we go to cloud services what the different policies are so it's not good enough to get that screen that says you know privacy policy and just click OK after you know you've scrolled down

at a million miles an hour through the 14 pages or it didn't bother scroll down at all so whenever you move into the cloud these are some things that you have to do because trust is a big factor now there are multiple sources for trust and there's there's lots of things that go and go into trust I mean from a from a legal stand standpoint you know the the laws are created to um with some inherent trust built in right you trust that the government is not um looking at your data and doing bad things with it you trust that within within the within the industry that people are going to play fair and not

everybody is trying to you know for the sake of better words screw everybody else right there's some inherent trust that you otherwise you're just going to be a paranoid addict and you know you might as well just put all your stuff in a in a vault and not connect it to anything you know connected with a wire I mean really if you don't trust anybody about anything that's the only way that you can really secure anything right you guys know that anybody not know that okay good so ISO standards I mean uh if you are ISO compliant then you have a certificate if you will that says that I am meeting meeting uh the requirements

for this certificate therefore other people can trust that I am meeting those criteria right that's what that that's what that means so if you are ISO compliant that means you have these policies and procedures in place and that others can't trust that you're following those policies and procedures so everybody else trust you that because you have that certification you are compliant in those areas and then of course you have your own internal trusts uh maybe you do background checks or something too uh for your employees or maybe you have your own internal policies and procedures that go above and beyond some of the others even right so there's trust inherently built into everything that we do

um and what we've got to do is we've got to figure out how much we're going to trust the different layers of the different components that are involved with our infrastructure so let's go back to Windows Azure and compliance in the core services so some of the things Microsoft can't have everybody so if everybody if somebody wants to put a server on the cloud they can't have their own private Auditors come in and out at Microsoft anybody see an issue with that you know you'd have Auditors running through the data center all day every day right it's just not physically possible it would not be a secure environment if that were the case so what we have to do is we have to trust

that we have we have these certifications and more coming right I mean there's thousands of certifications these are these are some of the biggest ones we have to trust that because they have these certifications we know we trust the certifying organization and therefore we know that though that in order to maintain that certification they have to do X Y and Z we know that we can trust them on these different components now and there's there's more as well so like HIPAA as an example so HIPAA and baa now when it comes to HIPAA paas uh it's really more about the application than about the infrastructure so um and there's some so there's some caveats you know you can first of all

there's a contract addendum so in order to get that certification in order to maintain that level of trust um you you do have to have a contract addendum and it's only good for virtual machines cloud service storage and networking so it's not automatically going to cover you for anything and everything that you do in Windows Azure um and uh and there's of course there's new ones you know Microsoft is constantly going to be expanding their uh their level of trust or their level of certificates or the level of trust that you can provide in them that you can get in them by getting these different different certificates and going through these different processes but if you want to find out more there's

a Windows Azure trust Center and I've given you the link here and I would encourage you to go look at it it talks about privacy trans uh transparent compliance and Relentless I would strongly encourage you to read through some of the things that they're doing to make sure that your that your data is safe secure private you know not able to be modified etc etc etc in fact when it comes to um uh you know really protecting your data you know who's writing most of the white papers a lot of the white papers around this stuff I mean it's the guys that are implementing it um uh as part of what whenever they introduced Windows Azure a lot of the

stuff a lot of the policies and a lot of the white papers that were put on best practices um you know they're put out by these guys uh these guys that put all this infrastructure together so I would encourage you to take a look take a look at that now Office 365 is one of those applications that is fully compliant with like the HIPAA baa um and as you look at different applications it's also important to look at from an application security standpoint what are the requirements that are being met what level of trust can I have in that application and the security of my data in that application okay there's also an Office 365 trust Center

So and I've given you a link for that so you can get deeper and deeper into how much you can trust how much how secure is your data and what are the what are the Privacy policies what are the security policies what are the implications of you putting data into those different environments all right so we're going to talk about defense and depth you guys have heard this term before defense in depth and really what I'm going to what I'm going to talk about for the next 15 minutes wow Time Flies what I'm going to talk about in the next 15 minutes is each one of these layers and getting and really having your defense in depth your your

depth level of Defense at each and every layer of of your uh of your stack so first first and foremost let's talk about physical security so Microsoft doesn't have your servers whenever you put something up on Windows Azure they don't have them sitting in a closet or underneath somebody's desk right that's not the way they do things they're a carrier class data center you know uh they're they have you know armed guards at the gates and if you have a work order to work on something uh you're not going to get in there unless you have all the proper paperwork and whenever you go in there you've those armed guards are going to make sure you're

only going where your paper works as you can go right um 24x7 monitoring biometric access controls at every single lab level right so access to get into the data center access to get into the to the to the particular area of the data center access to get to a particular room access to get to a particular rack all of those things require different levels of access so you have um you have that you know depth um um defense in depth from a physical from a physical standpoint um from a network standpoint automatic configuration this is key right because the the way the network works is you um uh whenever a new network is spun up it

is uh it's spun up by the user whenever they basically you know configure their uh their Azure their Azure account or their Azure networking settings and all of that is done on the fly your the network is created on the fly so there's no possibility for um One Network to being crossed with another Network or having wires crossed and stuff like that it's all automated it's fully 100 automated so you don't have any possibility of user error and every time a news a new system is spun up it's all scripted it's all scripted so um you know you you don't whenever whenever you spin something up you don't have there's just no possible way for one user thank you there's no

possible way for one user to be able to access data on your network or for them to access your network you have full encryption within your network that is a private Network for you so you have you have that literally that VPN separation between between networks and of course you have firewalls and and packet filters at the network layer and oh by the way you can't turn that off you can configure it for your little piece of the network but Microsoft at the network layer yeah you can you can change the firewall settings on your local computer but at the network layer um you you can't you can't turn off security so you can't do something so

bad that you're opening up your network to other outside vulnerabilities Without Really realizing it we do some really incredible things at the host level level like hyper-v isolation so hyper-v isolation gives you some really really really smart people with some really great Cool Tools can do things like monitor a CPU to see what other systems are what other systems are doing on that what other computers might be doing on that host via just the CPU traffic on there I don't know how I don't know the technical details of how they do that but some I guess it's possible so what Microsoft does to do to combat those really Advanced threats are like hyper-v isolation where a single a

single core um uh you know that they're not gonna they're not going to split a core into multiple systems right or into multiple multiple different different networks or multiple tenants so you're going to be dedicating your network so you're there's zero possibility that somebody else is going to be able to kind of reverse engineer what's going on in memory or what's going on on in the CPU to find out you know to to check capture data from somebody else and you know totally totally secure Communications reduced OS footprint you don't have all these extra capabilities or vulnerabilities based on you know a large full server data set you get only what you need for the services that

you're running on that on that server and you know you don't you don't have to worry about all of the other stuff so trust level when we talk about the application every application needs to be looked at very very differently every application needs to be looked at differently it's not a matter of I have this set of policies for applications this set of policies for the server this set of policies for the network it's not that simple every application should have it should just you could go through its own diligence on understanding what the level of trust should be on that application in Windows Azure whenever you deploy an application you are you are rebuilding when a new when a new

application is spun up your the windows Azure is rebuilding the entirety of the infrastructure that application runs on so it's building the servers building the network it's it's building the application it's building um all the pointers to wherever the data is for that application and it does it on the Fly literally so whenever whenever an application a server for an application gets spun down it goes away right it completely rebuilds so if you've got a if you've got an application that's running on the data center and you've got three servers running a server goes down literally what happens is for redundancy Microsoft just spins up another server whenever they spin up another server they're not copying

existing server they're rebuilding that server from scratch granted it only takes a minute or two because it's all scripted they're rebuilding that server from scratch based on configuration files so there's really no possibility that oh my server got hacked therefore anytime any new machine that I got that I get spun up is gonna is going to be automatically infected kind of thing so there's there's lots of protection built into the whole process and the way that that works um SQL Server I'm going to talk just a moment about this SQL Server is one of those areas that's really really important to protect right because if you don't what's the point of protecting anything right um and

um SQL Server is built this um what you what you fundamentally don't want to do is you as you you don't want to store your keys in the same place that you store your data so SQL server has the capability and really all of azure has the capability of storing the keys in one place storing the data in another place and then we use a trust Center Trust Services in order to marry those two together and I'm gonna I'm gonna show you a little bit about how what that looks like before I go there though I want to re-emphasize and over emphasize don't put your keys and the data in the same place putting your keys in the data and

data in the same place is kind of like putting a padlock on your front door right or putting a whole bunch of padlocks on your front door and then on the doorknob you have a rubber band with the key hanging off of it right that's kind of equivalent right putting your keys in your data in the same place somebody somebody that has access to your data can have access to your keys and now the whole system can be can be compromised so the way uh the way Microsoft handles that handles that issue is the administrator has has a key the key is uh goes to the trust server the trust server like whenever you have

data the data is encrypted like a social security number the data is encrypted the trust server actually handles the key and the encryption is done by the trust server uh and then the the um you know through the the key I forgot I had a build on this uh plus a social security number gives you the encrypted data the encrypted data is then sent to the um to the SQL Azure and that's where the encrypted data is stored so the key and the data are stored in two very different places now if the user wants to get that data out they have to go to the trust server to get the uh the public key or the subscription to

give them the key and then they have to go get the encrypted data and uh and then it can be decrypted to give you the social security number so the last thing that I wanted

to access control so let me start with I'm going to actually flip this around a little bit I'm going to start start with education how many people here have gone through at least how many people manage a firewall in the room how many people manage a firewall how many people have gone through at least a month worth of training on just managing firewalls okay wow okay a couple people um there's only a few people that manage firewalls exclusively and only and only a few a couple people that have been through that much training well the thing that I want to point out is um how many people in the room have do regular security training on a regular

basis scheduled security training now I would expect the numbers be a little bit higher in this kind of a setting because this is a security conference right so there was a few hands in the room and that doesn't surprise me what has surprised me is actually in this audience if there was Zero however in most I.T events that I do usually I would get zero hands if I asked that kind of question um so it's really important to understand that whenever your data is protected by you know a data center you don't have people that manage the firewall first of all the firewall that they're managing is not an 89 you know uh firewall that they've gotten at Best

Buy right it's a world-class firewall and you've got world-class people working on those firewalls that have world-class training and that training is ongoing and constant you know they're constantly being patched they're constantly putting up roadblocks they're constantly monitoring logs they're constantly working on that's what they do for a living how many people show of hands how many people that's what you do for a living 100 of the time nothing but security nothing but security okay these are the guys that are total total professionals that's all they do is security in a data center like uh like a Microsoft data center they take it one step further it's not that they're just working security they're just working

this piece of security because it goes remember we talked about separation of responsibilities before we don't want any one person to have the full understanding of the security scope right that's that goes back to the separation of responsibilities so in Microsoft's case they have they have you know they have awesome equipment they have awesome people and they have they they firmly believe in in training um so let's talk about Federation for me who knows what federation is anybody okay so Federation for those that don't understand um Federation gives you the capability of authenticating through other services so just to put it in simple simple terms um if you have a Twitter account you have a Facebook account you can go to

Facebook and sign in with your Twitter account right that's Federation that's what federation is where you have um where you're trusting that somebody else has authenticated this user and you're TR you trust that certifying Authority so Live ID is an example of that so Live ID you can authenticate with Live ID and some Partners some Microsoft Partners will trust that authentication that they know they trust Microsoft as being the authentication Authority the Federated uh Authority um to that you are who you say you are that's what federation is and and from uh from the user standpoint and the user defense in depth um Federation is the way that Azure subscribes to security now in that you

can also do active directory Federal active directory Federation is not the same as having active directory on Azure okay even though it has a name like active directory for Azure or Azure active directory to get active directory in Azure you have to put a domain controller there but to do Federation through active directory you can do that through Azure services so those are all key things when it comes to defense and depth so when we talked when we look at all the different layers and all the different things that go into securing your infrastructure in the cloud it begs the question is the cloud really secure well it is if you trust all of if it is

if you trust all the different certifying authorities that have vetted that particular cloud service provider it is if you trust um the people that you have um setting up the infrastructure that is you know not setting up administrator with a password for a password right so if you trust the people that are setting that up to do due diligence and do smart things and follow best practices than it is if you trust private and public key authentication between on-prem and in Cloud if you trust that that secure connection or that that uh that tunnel that encrypted tunnel if you trust that encrypted tunnel then it is secure so really it comes down to trust what do

you trust right who do you trust um and um what are their what are their policies what are their procedures you know who trusts who trusts who would trust their all of their all of their data to to to to Gmail to Google right who trusts their information to Microsoft still no hands okay you trust your mom okay it's interesting that you say that because I know everybody in here does anybody not have a single Windows server nobody not a single window server in your organization one two okay um so I guess my whole talk on trust didn't didn't sit in I got to figure out how to articulate this better because I believe that you do have some level of

trust for people right for some level of trust for companies because if you did it you wouldn't trust them in your data center right um uh so I I've got like two minutes left for questions um so yeah go ahead

cure and what the how the security model for azira and ECU differ wow do you have another hour uh um so the question was what is the difference between the security models between Amazon and Microsoft and that could be extended to be Amazon Microsoft Google Salesforce or any other provider right um so uh you really gotta and that was kind of the whole point of what they're doing um to to uh increase your trust in them um Ed that is a long discussion and I'm not even sure that you can have that discussion in an hour because there are so many differences between between uh between privacy between policies between security now this is a security discussion not

enough because there's other things too there's performance there's availability there's all those all these other things you have to consider when you're going into the cloud but for the security conference we're talking about security right so there's a lot of things that you have to look at um security is one of them and it's really beyond the scope to be able to answer that in a 30 second question sorry yeah is the trust Center support having the key encryption key in an HSM or off-prem facility so say I'm big Co and I have some hsms and the SQL Server Enterprise Azure version can can the key encryption actually be hosted in HSM so it unwraps the views that are

field specific I'm not 100 positive but I think the answer to that is yes if you send me an email I will find the full answer and how to make that work and what I do whenever I get a question that I don't know the answer to I can't answer on stage is I will post the answer post a question and the answer the question was is there a possibility of storing the keys outside of windows Azure and have going to a third party to do that authentication I believe the answer to be yes because that's question yeah close on that um and I'll find out send me the question in detail I'll find the answer

and I'll post it to my blog so everybody has the benefit of the answer other question questions yeah like one minute wow okay thank you all very much I just want to remind you about the the download of the windows Azure I would encourage you to go ahead and get set up a couple of servers if you're going to set up a couple of servers might as well do in the next couple days so you can take advantage of getting your name entered into the drawing for the Xbox and I'll be around for a little bit longer if you have if you have any other questions or more want to do some more private questions thank you all thank

you