TechNet Talks: Mark Russinovich on Cloud Security and Ethical Hacking

We caught up with Mark Russinovich, Chief Technology Officer of Microsoft Azure, to find out a bit about what he talked about at IPEXPO this year, plus his thoughts on cloud security and ethical hacking, as well as what he feels the future of the cloud will be and how the IoT will impact this.

1. Firstly, tell us a bit about how you got started at Microsoft?

My route into the business really started through establishing a relationship with Microsoft. I started working on Windows 95, then Windows NT, before I ended up getting into trouble with Microsoft by revealing the fact that server and workstation versions were exactly the same code, just configured with a switch that made them behave differently.

So I started off on the wrong foot, but then ended up healing that relationship as I worked with Microsoft developers by reporting bugs, eventually signing up to co-author a book on internals. That brought me to meet Microsoft developers to get information about the internals of Windows.

I also began teaching Windows Internals, which brought me to Microsoft, where I taught Windows Internals to the Windows developers themselves. Through those experiences I established trust and a number of strong relationships within Microsoft.

At the same time I was building my own software company. In about 2005 Microsoft started talking about what it would take to get me to join them, and for me part of that was always to buy my software company. If you’ve heard of Microsoft DaRT, that diagnostics and repair toolkit is based on one of the products my company made that was purchased as part of that acquisition. That’s when I joined, back in 2006.

2. Tell us a bit about what you covered in your keynote session at IPEXPO this year?

It was a talk on public cloud security and I thought that the best way to frame it was to take a look at the threats as identified by the Cloud Security Alliance. They’ve got a paper called The Notorious Nine that they wrote last year, where, through surveys of their members and security officers in a range of companies, they have come up with a list of the nine top cloud security threats. So I went through each of those threats, talking about what the threat really is, what the risk of the threat is and ways it can be mitigated.

3. What are your top tips for assessing these threats?

It’s really the same tips that would apply to any risk assessment or classification; mitigations for on-premises also apply to the cloud. You need to classify your data to have an understanding of which data is at risk. And for your more sensitive data, you will want to take special precautions to protect it, with proper authorisation, tracking and backups. With that in mind, I think the top tip is to go through the process of classifying your data, so you can focus your energy on the right places.

4. Of those you discussed, which are the most prominent threats to cloud security?

From a Microsoft perspective it’s the threat of a zero-day vulnerability in one of our explicit software services, such as a vulnerability in the hypervisor that would potentially put everybody’s data at risk. That’s what I worry about: making sure we can deal with that, and hoping that we never end up facing one that is being exploited on our cloud.

When it comes to customers, it’s important to understand that the cloud doesn’t necessarily introduce new threats, but it can magnify them: weak control of access credentials, and not knowing the potential cause of a breach. What can exacerbate the problem is when people within companies are consuming cloud services without the knowledge of central IT.

It’s common for companies to not have a firm understanding of how many cloud services they actually consume. On average companies are consuming more than 200 cloud services, but when you go and ask them how many they are consuming, they normally give you an answer back of around 15 or 20. So they have no idea really what’s going on. For each cloud service that is being used by their end users, there are credentials and data governance to consider. So it is that lack of control and awareness that the cloud can create, impacting data management and credentials, which is the most prominent threat to cloud security.

5. How should IT Pros think differently about security for the cloud vs. security on-premises?

One of the things IT Pros should do is utilise products like Microsoft Azure Cloud App Discovery, so that they can become aware of the use of cloud services within their organisation. Ultimately though, unless IT becomes an enabler of the use of the services, they are going to be circumvented. So the challenge for IT is how to identify when the cloud is in use and then figure out how they can facilitate rather than get in the way and become an obstacle, or risk losing control of governance and ultimately putting their business at risk.

6. Despite Government Accreditation and financial institutions using Azure, people are still concerned around data security. What do you think this stems from?

I saw this when cloud was a relatively new term. No one really understood what it was, and when you don’t understand what something is, it can seem scary because the cloud is this big amorphous thing. In terms of security the question is how do I control data and access it when I don’t understand where the data is or how it is moving around or accessed? It’s then hard to have a grounded conversation about security and I think part of it might stem from that lack of understanding.

I think everybody should always be concerned about data protection and proper classification and handling of corporate data. Even when you do understand what the cloud is and what cloud architectures look like and how data is being managed, extracted and imported into the cloud you still have to figure out where the risk points are and how to mitigate them. That requires work and potentially also means changing your philosophies and coming up with new tracking and governance methods. As this is relatively new, a lot of the systems that companies have in place to manage corporate governance for their on premises infrastructures can’t apply to the cloud.

7. Many perceive hacking as a big threat to an organisation’s security, but it can also lead to making infrastructure more secure. What’s your stance on ‘Ethical Hacking’?

We practise ethical hacking in Microsoft as part of our business. We have these teams called red team and blue team, which is pretty common in companies with mature security operating models. You have the blue team, who are your defenders, the people responsible for securing your corporate network and your data. You then compile together a team of ethical hackers that are designated the red team, whose job is to try to hack the systems. Every time they are successful you learn something; the goal is that you never have an expectation that the red team will not be successful. If they are not successful it means you are not pushing yourself hard enough; there’s always room for improvement.

The other reason why the red team is always going to be successful is because the systems are always changing and evolving. If they were static, resulting in companies deeming themselves to have the perfect security in place, then they might run into a situation where they are not making progress. However, things are always changing, so you’re always going to be learning from the red team.

8. How can someone get started with ethical hacking?

There’s a number of books on red team penetration testing. There are also companies that specialise in training for red team ethical hacking, as well as a number of different certifications. Conferences like Black Hat, DEF CON, and RSA Conference are a few places to make connections and learn about that community.

9. Ethical Hacking deals with what many perceive to be the root cause of the problem – people breaking directly in to a service. However, social engineering is just as prominent a threat, and growing. How can organisations educate and combat this security threat?

There are a couple of different ways attackers leverage social engineering to get into a system. One way is tricking users into installing software. What you need is a solid policy around that if you want to stop it. Education isn’t enough, and we find that no matter how much security training and anti-phishing training you put people through, all the attacker needs is one weak spot to get in. I think the only way to deal with malicious documents that unpack and execute malicious code is to segment your users, ideally implementing a whitelisting policy that only allows authorised software to execute on your endpoints.

Network segmentation means that even if a user’s endpoint does get compromised, the attacker cannot go traversing across the network and compromising other systems. A lot of the weaknesses that we see are pass-the-hash type vulnerabilities, where sitting on your laptop is some type of credential that lets an attacker hop onto another machine and capture credentials from there.

Another means of protection is multifactor authentication, like that provided by Microsoft Azure Active Directory. That will prevent somebody from engineering your credentials by having you log into a fake website.
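The whitelisting policy described in the answer above can be built on Windows with AppLocker. The following is an added example, not code from the interview or from Microsoft: it inventories the executables on a clean reference image, generates publisher and hash allow rules for them, switches the policy to audit mode so gaps show up as events rather than broken users, and tests a file against it before applying. It assumes an elevated PowerShell session on a Windows edition that ships the AppLocker module, and the folder C:\AppLocker and the sample path under Downloads are hypothetical placeholders.

```powershell
# Added example (not from the interview): build an AppLocker allow-list from a
# known-good reference machine, put it in audit mode, test a file, then apply.
# Assumptions: elevated session, Windows edition with the AppLocker module,
# C:\AppLocker is a scratch folder (hypothetical).
Import-Module AppLocker

$out = 'C:\AppLocker'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Inventory the executables to allow. Run this on a clean corporate image,
#    not on a user's laptop, or you will whitelist whatever is already there.
$files  = @(Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe)
$files += @(Get-AppLockerFileInformation -Directory 'C:\Windows' -Recurse -FileType Exe)

# 2. Generate rules. Publisher rules survive signed updates; hash rules cover
#    unsigned binaries and must be regenerated when those binaries change.
#    -Optimize merges rules that share a publisher; -IgnoreMissingFileInformation
#    skips files that yield neither a signature nor a hash instead of failing.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -Encoding utf8 "$out\allowlist.xml"

# 3. Start in audit mode. With AuditOnly, a file that would have been blocked
#    still runs but logs event 8003 in the AppLocker EXE and DLL channel, so the
#    missing rules can be found before enforcement (event 8004) is turned on.
[xml]$policy = Get-Content "$out\allowlist.xml"
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save("$out\allowlist-audit.xml")

# 4. Dry-run a file against the policy. PolicyDecision is Allowed, Denied or
#    DeniedByDefault (no rule matched); MatchingRule names the rule that fired.
#    The path is a hypothetical download, stand-in for a phishing payload.
Test-AppLockerPolicy -XmlPolicy "$out\allowlist-audit.xml" `
    -Path "$env:USERPROFILE\Downloads\invoice.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply to the local policy. AppLocker does nothing unless the Application
#    Identity service is running, so start it (and set it to Automatic in
#    production). In a domain, ship the XML via Group Policy instead.
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy "$out\allowlist-audit.xml"
```

Only Exe rules are generated here; script, MSI, DLL and packaged-app collections need their own rules, and DLL enforcement in particular should be added last because of its performance cost and breakage potential. The audit-mode events are what tell you when the allow-list is complete enough to switch EnforcementMode to Enabled.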

10. If you were a web dev hosting your application in AWS, why would you move to Azure?

Because it’s better. If you’re a company interested in bettering your business on a platform that is going to evolve and become a comprehensive base for the future of your business, that’s where Azure becomes incredibly compelling. Azure differentiates from other cloud providers across three key areas – hyperscale, enterprise grade and hybrid.

For hyperscale, what we are talking about is global reach. We have 19 Azure regions open for business around the world. To put this into perspective this is close to double the number of regions provided by Google. This enables customers to use Azure to deploy and run apps closer to their own customers and employees than ever before.

With the next differentiator, enterprise grade, we deliver an enormous range of enterprise benefits from bottom-to-top service delivery, integrated experiences, and enterprise SLAs. Azure also allows customers to benefit from a partner ecosystem that will bring to bear third-party services and make them easy to consume, as well as enterprise insurance that your company may already have with Microsoft. This enables consumption of Azure services at an extremely low cost, even lower than you can get from Amazon.

In addition to all of that, there’s also the Hybrid story. If you are a corporate company you probably have assets in your own data centres that you want to eventually take to the cloud, but not all at once. We focus on that hybrid connectivity, and the consistency of our software offerings makes it possible for you to write an application that runs in the cloud, bring it back down to your premises and vice versa. It’s a combination of these kinds of things that make Azure the logical choice for the cloud.

11. What is the future for the cloud and how is the IoT going to impact this?

The cloud is exploding; we’re just at the start of this eruption. I think the world generally recognises that we’re going from the second phase of computing to the third, the previous one being client-server, now this one being mobile-cloud. The third phase is going to be bigger in terms of the impact on the world, mostly because we’re now so dependent on computing, in a much deeper way than we were thirty years ago.

The explosion of computing and explosion of data is driven heavily by the Internet of Things, combined with the ability to process that data like we haven’t been able to before. This is aided by bringing cloud scale to bear, enabling big data analysis that provides insights across our lives and businesses that have never before been possible, because of this ubiquitous, affordable, high-scale computing platform that we’re building.