The nested cloud
Now is the perfect time to approach Cloud security through the interplay between data planes and control planes—a perspective I call "planeswalking."
The reasons are:
Planeswalking isn't merely about distinguishing between 'the' data plane and 'the' control plane. The strong driving forces of services integration imply that
service planes are often nested, or intertwined: if we peel off the layers, their overlaps, ambiguities, and perils can be revealed.
Let's start from the obvious planes on the top and move to the nested ones in the bottom.
Peeling off the layers
Service level responsibilities
Starting from any service from an Azure or AWS service catalog, the separation between the control and data planes is straightforward:
The APIs delineate the responsibility domains of the provider and its tenants. This aligns nicely with the Cloud shared responsibility model that is widely advertised by all mainstream Cloud players. Regardless of which end of the APIs you stand, it is pretty clear that:
For all Cloud services, an isolation breach can happen between a tenant and the provider in the SCP.
But the control/data plane divide also tells another story:
For compute and network services, an isolation breach can happen between a tenant and the provider in the SDP.
So an important takeaway is that tenant violations happen vertically (from one customer to the next) and horizontally (from one provider to her customer).
Backend level responsibilities
If you wear the hat of the Cloud provider feature team in charge of a Cloud service for a minute you will acknowledge that the SCP is further broken down into two planes:
Being aware of this vertical separation between BCP and BDP is actually quite useful for you, the customer: it lets you understand how and to which extent you are actually shielded from arbitrary co-residents, from an angle that is almost never taken.
For compute services, an isolation breach can happen between two tenants in the BDP.
So that's a third tenant violation boundary you should feel concerned about.
Frontend level responsibilities
Due to automation (everything-as-code), the PaaS platform will be constantly spinning up all types of workloads, so it is likely that a constellation of your feature teams will operate following a loosely coupled devOps modus operandi.
In this picture, a handful of feature teams will manage your?landing-zone (a set of traversal/reusable assets, including IT security and architecture patterns enforcements that will be used to groom all other zones) while the majority of feature teams will spend most of their time adding business value into the form of continuous deployments into?your application?zones:
As far as responsibilities are concerned, tenants have to enforce separation of concerns between the central feature teams and the satellite teams:
For all services, an isolation breach can happen between landing and app zones, or between two app zones.
Nothing specific to the Cloud here, it’s just standard devOps. But... The CDP is where most of customers risks hide: plenty observables are available from PaaS runtimes (pods, functions, worker nodes): what to do with the many false positives, how not to miss true positives, how to prevent runtime harm from happening are some of the biggest challenges in cybersecurity, as of today!
Control flow in quasi-SaaS
Finally, an analysis of the control flow of sophisticated PaaS (a "quasi-SaaS") should typically raise questions about how far off its design is from the Cloud Shared Responsibility Model promise.
A few months ago, I illustrated this concern using a particularly extreme example: confidential computing in PaaS pods (these are now called peer pods).
The flow must pass through a series of control plane components until it reaches your SDP (almost) without touching your CDP: quite a challenge!
Crossing the Tenant boundary (the vertical dashed green line) in a confidential computing scenario must meet very strong guarantees , otherwise it's pretty useless, right?
Now that we've explored the various layers, let me provide some ways to deal with the risk.
Planeswalking security
Assessing planeswalking risks: a concrete example
Whenever a new vulnerability is discovered, I perform a planeswalker assessment. The diagram below show how I reason about planes traversal on a couple of real-life examples: #Azure autoWarp vulnerability and #AWS superGlue.
Preventing planeswalking risks
At this stage, it is clear that customers cannot prevent all planeswalking risks, far from it. Still, a useful preventive approach for Cloud customers is to follow the PEACH framework designed by Amitai Cohen at Wiz, to which I contributed.
Measuring planeswalking risks
When a potential Tenant breach is found in the Cloud, the typical response is to resort to CVSS to measure its severity. However, when it comes to the Cloud, CVSS has several important limitations:
These are the reasons why I created the Piercing Index in 2022: it's a risk-assessment metric to better account for data plane and control plane traversals. While it isn't meant to replace CVSS, it helps to put cloud vulnerabilities into a more useful perspective.
Like the logarithmic Richter scale, the Piercing Index employs a tiered approach to assess the severity of security boundary violation: each tier is an order of magnitude higher than the previous one.
The Piercing Index is implemented by Wiz in their Cloud Vulnerability Database and the methodology is publicly available: Take a look at the repository if we want to know more!
Note: parts of this newsletter edition take inputs from key teleportation in Azure and AWS , an article I wrote in 2020.
Great dad | Inspired Risk Management and Security Profesional | Cybersecurity | Leveraging Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer
3 天前Christophe Parisel thank you for sharing this valuable insights
Certified Expert in Multi-Cloud Solutions (#GCP, #Azure) | Speaker, Author, Blogger on Cloud Security, Architecture & Compliance | Cloud Security Alliance - UK Chapter member
3 天前Love this (and need to read it a few more times I think!)