Suronapee Phoomvuthisarn, Ph.D.
Email: suronape@mut.ac.th / Q305
NETE4631: Cloud Privacy and Security - Lecture 12


Characteristics of Cloud (NIST)


Statistical Challenges in the Cloud


Security & Privacy Challenges


- Outsourcing data and applications
- Extensibility and shared responsibility
- Service-level agreements (SLAs)
- Virtualization and hypervisors
- Heterogeneity
- Compliance and regulations

Three kinds of issues in standards and regulations:
- "How" issues: how an application of a specific type should operate in order to protect certain concerns specific to its problem domain
- "Where" issues: where you can store certain information
- "What" issues: standards that prescribe specific components for your infrastructure


The Life Cycle of a Modern Attack


Functional Traits of Botnets


Key Components and Tools in the Modern Attack Strategy


Data Security


- Physical security
- Data control
  - Encryption (both in transit and in storage)
  - Regular off-site backups
- Data segmentation
  - Minimize the impact of the compromise of specific nodes


Network security
- Firewall
  - Firewall-like traffic rules govern which traffic can reach which virtual servers, such as security groups in Amazon EC2
- Network intrusion detection
  - Monitor local traffic for anything that looks irregular


Firewall rules


(Figure: a traditional firewall compared with firewall rules in Amazon)
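The slide contrasts a traditional perimeter firewall with per-server rules such as EC2 security groups. The check below is an added example (not code from the lecture or its course books): it walks security groups in the shape returned by boto3's `describe_security_groups()` and flags rules that expose administrative ports, or every port, to the whole internet. The group data, the group IDs and the list of "admin ports" are constructed for the example; the `db` group shows the pattern the slide's diagram is getting at, where a rule's source is another security group rather than an address range.

```python
import ipaddress

# Constructed sample in the shape of boto3's ec2.describe_security_groups()
# response (only the fields this check reads). Not real account data.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa",
        "GroupName": "web",
        "IpPermissions": [
            # HTTPS from anywhere: that is what a public web tier is for.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
            # SSH from anywhere: the classic mistake.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0bbb",
        "GroupName": "db",
        "IpPermissions": [
            # Source is another security group, not an address: only instances
            # that are members of sg-0aaa can reach the database port.
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
            # All protocols, but only from the private range.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]

# Ports that should never be reachable from the whole internet (assumed policy).
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}
WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def rule_ports(perm):
    """Ports a permission opens; IpProtocol '-1' means every port."""
    if perm["IpProtocol"] == "-1":
        return None
    return range(perm["FromPort"], perm["ToPort"] + 1)


def audit_group(group):
    """Findings as (group_id, ports, cidr) for rules that expose admin
    ports, or every port, to 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in group["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = [c for c in cidrs if ipaddress.ip_network(c) in WORLD]
        if not world:
            continue  # group references and private ranges are fine
        ports = rule_ports(perm)
        if ports is None:
            label = "all"
        else:
            hit = sorted(ADMIN_PORTS.intersection(ports))
            if not hit:
                continue  # e.g. 443 open to the world on a web tier
            label = ",".join(str(p) for p in hit)
        findings.extend((group["GroupId"], label, c) for c in world)
    return findings


def audit(groups):
    """Run audit_group over every group and flatten the findings."""
    return [f for g in groups for f in audit_group(g)]


if __name__ == "__main__":
    for gid, ports, cidr in audit(SAMPLE_GROUPS):
        print(f"{gid}: port(s) {ports} open to {cidr}")
```

Against a real account the same functions take the `SecurityGroups` list from boto3 unchanged; the fix for a finding is to replace the world-open CIDR with a bastion or VPN security group reference, as the `db` group does.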


Brokered Cloud Storage Access


Network Intrusion Detection Systems (NIDS)
- A NIDS monitors local traffic for anything that looks irregular: scans, denial-of-service attacks, and known-vulnerability exploit attempts
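As an added illustration of the first two detections the slide names (scans and denial-of-service), not part of the lecture: the detector below reads constructed flow records of the form `<timestamp> <src> <dst> <port> <ACCEPT|REJECT>`, flags a source that touches many distinct ports on one host inside a sliding window, and separately flags a destination port receiving more connection attempts per second than a threshold. Addresses, thresholds and the record format are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records (not from a real network):
#   <ISO timestamp> <src ip> <dst ip> <dst port> <ACCEPT|REJECT>
# 198.51.100.7 walks ten ports on one host in four seconds (a scan);
# 203.0.113.9 opens three ordinary connections minutes apart.
SAMPLE_FLOWS = """\
2023-05-01T10:00:00 198.51.100.7 10.0.1.5 22 REJECT
2023-05-01T10:00:00 198.51.100.7 10.0.1.5 23 REJECT
2023-05-01T10:00:01 198.51.100.7 10.0.1.5 25 REJECT
2023-05-01T10:00:01 198.51.100.7 10.0.1.5 80 ACCEPT
2023-05-01T10:00:02 198.51.100.7 10.0.1.5 110 REJECT
2023-05-01T10:00:02 198.51.100.7 10.0.1.5 143 REJECT
2023-05-01T10:00:03 198.51.100.7 10.0.1.5 443 ACCEPT
2023-05-01T10:00:03 198.51.100.7 10.0.1.5 3306 REJECT
2023-05-01T10:00:04 198.51.100.7 10.0.1.5 3389 REJECT
2023-05-01T10:00:04 198.51.100.7 10.0.1.5 8080 REJECT
2023-05-01T10:00:05 203.0.113.9 10.0.1.5 443 ACCEPT
2023-05-01T10:05:00 203.0.113.9 10.0.1.5 80 ACCEPT
2023-05-01T10:10:00 203.0.113.9 10.0.1.5 22 ACCEPT
this line is garbage and must not crash the detector
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ACCEPT|REJECT)$")


def parse(text):
    """Parse flow lines into (ts, src, dst, port, action), oldest first.
    Malformed lines are skipped: a detector that dies on bad input is
    itself a denial-of-service target."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    events.sort(key=lambda e: e[0])
    return events


def detect_scans(events, window=timedelta(seconds=60), threshold=8):
    """Port scan: one source touches >= threshold distinct ports on one
    destination within a sliding window. Returns {(src, dst): ports}."""
    recent = defaultdict(deque)  # (src, dst) -> (ts, port) entries inside the window
    alerts = {}
    for ts, src, dst, port, _ in events:
        key = (src, dst)
        q = recent[key]
        q.append((ts, port))
        while ts - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and len(ports) > len(alerts.get(key, ())):
            alerts[key] = sorted(ports)
    return alerts


def detect_floods(events, window=timedelta(seconds=1), threshold=100):
    """Volumetric DoS: more than `threshold` attempts to one destination:port
    inside the window, from any number of sources. Returns {(dst, port): peak}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, _, dst, port, _ in events:
        key = (dst, port)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_FLOWS)
    for (src, dst), ports in detect_scans(evs).items():
        print(f"SCAN {src} -> {dst}: {len(ports)} ports {ports}")
    for (dst, port), n in detect_floods(evs).items():
        print(f"FLOOD {dst}:{port}: {n} attempts/s")
```

Both detectors are stateless between windows, which is what lets them run on a continuous stream; a production NIDS adds signature matching for the third category (exploit attempts), which needs packet payloads rather than flow records.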


Host Security
Host security describes how your server is set up for the following tasks:
- Preventing attacks
- Minimizing the impact of a successful attack on the overall system
- Responding to attacks when they occur


Host Security (2)
- Security patches
  - In cloud environments, rolling out a patch across the infrastructure takes three simple steps: patch your machine images with the new security fixes, test the results, and re-launch your virtual servers from the patched images
- System hardening
  - The process of disabling or removing unnecessary services and eliminating unimportant user accounts
- Antivirus protection
  - Selection criteria: (1) how many of the known exploits it covers; (2) how quickly it detects a new virus after it is released
- Host Intrusion Detection Systems (HIDS)


Host Intrusion Detection Systems (HIDS)
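The slide carries only the heading, so here is an added example (not from the lecture) of the most basic HIDS function, file-integrity monitoring of the kind Tripwire or AIDE perform: take a baseline of content hashes and permission bits, then diff a later snapshot against it. The `demo()` function builds a throwaway directory tree, tampers with it in three ways an intruder might, and returns what the comparison catches. File names and contents are constructed for the example.

```python
import hashlib
import json
import os
import stat
import tempfile


def snapshot(root):
    """Record sha256, size and permission bits of every regular file under
    root. Keys are paths relative to root with '/' separators."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope here
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": h.hexdigest(),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def compare(old, new):
    """Diff two snapshots: files that appeared, vanished, or changed in
    content or permissions."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a throwaway file tree, baseline it, tamper with it the way an
    intruder might, and return the detected changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "sshd"), "wb") as f:
            f.write(b"original binary")
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        os.chmod(os.path.join(root, "passwd"), 0o644)

        # The baseline is serialised as JSON. In practice keep it off-host or
        # on read-only media: an attacker with root can rewrite a local copy.
        stored = json.dumps(snapshot(root))

        # Tampering: a trojaned binary of identical size (size/mtime checks
        # alone would miss it), a new setuid file, and loosened permissions.
        with open(os.path.join(root, "bin", "sshd"), "wb") as f:
            f.write(b"trojaned binary")
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(os.path.join(root, "bin", "backdoor"), 0o4755)
        os.chmod(os.path.join(root, "passwd"), 0o666)

        return compare(json.loads(stored), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a cloud host the natural time to take the baseline is when the patched machine image is built, before the server is exposed; every re-launch from that image then starts from a known-good state and the monitor only has to explain deviations from it.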


Identity Management
What is identity?
- Things you are
- Things you know
- Things you have
- Things you relate to
These can be used to authenticate client requests for services and to prevent unauthorized use.
- Maintain user roles
- Use a secure approach such as SSH with public/private key pairs rather than a password-based method (vulnerable to brute-force attack) to access virtual servers
- Encryption in transit
- Grant access only to users that have an operational need, and only for the time period in which they need it


Defining Identity as a Service (IDaaS)
Stores the information associated with a digital entity used in electronic transactions
Core functions:
- Data store
- Query engine
- Policy engine
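The identity management slide asks for user roles and for access limited to the period in which a user has an operational need; this slide names the three IDaaS functions. The code below is an added example, not from the lecture or the course book, putting both together: a data store of identities, a query engine that answers "which roles does this identity hold right now", and a policy engine that decides an action by the union of the permissions of the currently active roles, failing closed for unknown users and unknown roles. The role names, permissions, users and the maintenance window are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """A role held by an identity only inside [not_before, not_after)."""
    role: str
    not_before: datetime
    not_after: datetime


@dataclass
class Identity:
    name: str
    grants: list = field(default_factory=list)


# Role -> permitted actions (constructed). Unknown roles grant nothing.
ROLE_PERMISSIONS = {
    "viewer": {"vm:describe"},
    "operator": {"vm:describe", "vm:start", "vm:stop"},
    "admin": {"vm:describe", "vm:start", "vm:stop", "vm:terminate", "iam:grant"},
}


class IdentityStore:
    """Data store: holds the identities and their grants."""

    def __init__(self):
        self._users = {}

    def add(self, identity):
        self._users[identity.name] = identity

    def get(self, name):
        return self._users.get(name)


def active_roles(identity, now):
    """Query engine: which roles does this identity hold at time `now`?"""
    return {g.role for g in identity.grants if g.not_before <= now < g.not_after}


def is_allowed(store, user, action, now):
    """Policy engine: may `user` perform `action` at time `now`?"""
    identity = store.get(user)
    if identity is None:
        return False  # unknown principal: deny
    permitted = set()
    for role in active_roles(identity, now):
        permitted |= ROLE_PERMISSIONS.get(role, set())  # unknown role: nothing
    return action in permitted


def build_sample_store():
    """Constructed sample data, not from any real system."""
    utc = timezone.utc
    since = datetime(2020, 1, 1, tzinfo=utc)
    forever = datetime(9999, 1, 1, tzinfo=utc)
    window_start = datetime(2024, 1, 6, 22, 0, tzinfo=utc)
    store = IdentityStore()
    store.add(Identity("alice", [Grant("admin", since, forever)]))
    # bob reads always, but operates only during a four-hour maintenance window.
    store.add(Identity("bob", [
        Grant("viewer", since, forever),
        Grant("operator", window_start, window_start + timedelta(hours=4)),
    ]))
    # carol holds a role nobody defined: she must get nothing, not everything.
    store.add(Identity("carol", [Grant("superuser", since, forever)]))
    return store, window_start


def evaluate_samples():
    """Decisions at a few instants around the maintenance window."""
    store, start = build_sample_store()
    h = timedelta(hours=1)
    return {
        "alice_terminate": is_allowed(store, "alice", "vm:terminate", start),
        "bob_describe_before": is_allowed(store, "bob", "vm:describe", start - 24 * h),
        "bob_stop_before": is_allowed(store, "bob", "vm:stop", start - h),
        "bob_stop_during": is_allowed(store, "bob", "vm:stop", start + h),
        "bob_stop_at_end": is_allowed(store, "bob", "vm:stop", start + 4 * h),
        "bob_terminate_during": is_allowed(store, "bob", "vm:terminate", start + h),
        "carol_describe": is_allowed(store, "carol", "vm:describe", start),
        "eve_describe": is_allowed(store, "eve", "vm:describe", start),
    }


if __name__ == "__main__":
    for check, decision in evaluate_samples().items():
        print(f"{check}: {'allow' if decision else 'deny'}")
```

The half-open interval on grants is deliberate: an expiring grant is denied at exactly its end time, so two consecutive windows never overlap, and the decision depends on the clock passed in, which keeps the engine testable and keeps it honest about whose clock is authoritative when the store is hosted by a provider.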


Core IDaaS applications


Authentication Protocol Standards


- OpenID 2.0: http://openid.net
- OAuth: http://oauth.net
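An added example (not from the lecture) of the OAuth exchange the slide points to: the OAuth 2.0 authorization-code grant, simulated with the authorization server and the client in one process. It goes one step beyond the slide by including the PKCE extension (RFC 7636), because that is what makes an intercepted authorization code useless on its own. `run_flow()` performs the legitimate exchange and then three things the server must refuse: redeeming the code a second time, redeeming a stolen code without the verifier, and issuing a code to an unregistered redirect URI. Client IDs, URLs and the user name are constructed; no network is used.

```python
import base64
import hashlib
import secrets
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def s256(verifier: str) -> str:
    """The S256 code_challenge for a code_verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal OAuth 2.0 authorization server: /authorize and /token."""

    def __init__(self, registered_clients, code_ttl=60):
        self.clients = registered_clients  # client_id -> registered redirect_uri
        self.codes = {}                    # one-time authorization codes
        self.tokens = {}                   # access token -> user
        self.code_ttl = code_ttl

    def authorize(self, client_id, redirect_uri, code_challenge, user, now=None):
        # The resource owner has already logged in and consented. The
        # redirect_uri must match the registration exactly, otherwise the
        # code would be sent wherever the request asked.
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": client_id, "redirect_uri": redirect_uri,
            "challenge": code_challenge, "user": user,
            "expires": (now or time.time()) + self.code_ttl,
        }
        return code

    def token(self, client_id, redirect_uri, code, code_verifier, now=None):
        record = self.codes.pop(code, None)  # codes are single-use, even on failure
        if record is None or (now or time.time()) > record["expires"]:
            return None
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None
        if s256(code_verifier) != record["challenge"]:
            return None  # PKCE: caller does not hold the verifier
        token = secrets.token_urlsafe(32)
        self.tokens[token] = record["user"]
        return token


class Client:
    """The relying party that wants an access token."""

    def __init__(self, client_id, redirect_uri):
        self.client_id, self.redirect_uri, self.verifier = client_id, redirect_uri, None

    def begin(self):
        # Fresh high-entropy verifier per request; only its hash leaves the client.
        self.verifier = b64url(secrets.token_bytes(32))
        return s256(self.verifier)

    def finish(self, server, code):
        return server.token(self.client_id, self.redirect_uri, code, self.verifier)


def run_flow():
    """Legitimate exchange plus three attacks; returns the outcomes."""
    uri = "https://app.example/cb"
    server = AuthorizationServer({"app-1": uri})
    client = Client("app-1", uri)

    code = server.authorize("app-1", uri, client.begin(), user="alice")
    token = client.finish(server, code)      # legitimate redemption
    replay = client.finish(server, code)     # same code again

    # Attacker observed the redirect and holds the code, but not the verifier.
    code2 = server.authorize("app-1", uri, client.begin(), user="alice")
    stolen = server.token("app-1", uri, code2, "not-the-verifier")

    try:
        server.authorize("app-1", "https://evil.example/cb", client.begin(), user="alice")
        bad_redirect_rejected = False
    except ValueError:
        bad_redirect_rejected = True

    return {
        "token_issued": token is not None and server.tokens[token] == "alice",
        "replay_rejected": replay is None,
        "stolen_code_rejected": stolen is None,
        "bad_redirect_rejected": bad_redirect_rejected,
    }


if __name__ == "__main__":
    print(run_flow())
```

The server burns the code on the failed attempt as well, so after the attacker's try the real client has to start over; that is the intended trade, a restart for the user rather than a token for the attacker.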


Auditing


Auditing is the ability to monitor events in order to understand how the system is performing
Challenges:
- Proprietary log formats
- Logs might not be co-located
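Both challenges on the slide show up the moment two providers' logs have to answer one question. The code below is an added example (not from the lecture): it parses two constructed formats, one text-based with local timestamps and one JSON with epoch milliseconds, normalises them to a single schema on a single UTC clock, merges them in time order, and then runs one query across both. Neither format is a real provider's; the events, users and addresses are made up for the example.

```python
import json
import re
from datetime import datetime, timezone

# Two constructed log samples in different vendor formats (neither is a real
# provider's format). Provider A: text lines, local time with UTC offset,
# key=value fields. Provider B: one JSON object per line, epoch milliseconds.
PROVIDER_A = """\
2023-05-01 12:00:05+02:00 user=alice action=LOGIN result=OK src=203.0.113.9
2023-05-01 12:00:09+02:00 user=alice action=START_VM result=OK src=203.0.113.9
2023-05-01 12:01:00+02:00 user=mallory action=LOGIN result=FAIL src=198.51.100.7
"""
PROVIDER_B = "\n".join(json.dumps(r) for r in [
    {"ts": 1682935200000, "principal": "bob", "op": "DeleteBucket", "ok": False, "ip": "192.0.2.4"},
    {"ts": 1682935215000, "principal": "bob", "op": "DeleteBucket", "ok": True, "ip": "192.0.2.4"},
])

A_LINE = re.compile(r"^(\S+ \S+) (.*)$")


def parse_a(text):
    """Provider A lines -> common schema (time kept as an aware datetime)."""
    for line in text.splitlines():
        m = A_LINE.match(line)
        if not m:
            continue
        stamp, rest = m.groups()
        kv = dict(field.split("=", 1) for field in rest.split())
        yield {
            "time": datetime.fromisoformat(stamp).astimezone(timezone.utc),
            "actor": kv["user"],
            "action": kv["action"],
            "outcome": "success" if kv["result"] == "OK" else "failure",
            "source_ip": kv["src"],
            "provider": "A",
        }


def parse_b(text):
    """Provider B JSON records -> the same schema."""
    for line in text.splitlines():
        r = json.loads(line)
        yield {
            "time": datetime.fromtimestamp(r["ts"] / 1000, tz=timezone.utc),
            "actor": r["principal"],
            "action": r["op"],
            "outcome": "success" if r["ok"] else "failure",
            "source_ip": r["ip"],
            "provider": "B",
        }


def merge_logs(a_text, b_text):
    """Normalise both sources to one schema on one clock (UTC), in time order."""
    events = sorted([*parse_a(a_text), *parse_b(b_text)], key=lambda e: e["time"])
    for e in events:
        e["time"] = e["time"].strftime("%Y-%m-%dT%H:%M:%SZ")
    return events


def failed_actions(events):
    """One query that now works across providers: who failed to do what."""
    return [(e["actor"], e["action"]) for e in events if e["outcome"] == "failure"]


if __name__ == "__main__":
    merged = merge_logs(PROVIDER_A, PROVIDER_B)
    for e in merged:
        print(e["time"], e["provider"], e["actor"], e["action"], e["outcome"], e["source_ip"])
    print("failures:", failed_actions(merged))
```

The timezone conversion is the part people skip: provider A's 12:00:05+02:00 and provider B's epoch stamp both land at 10:00 UTC, so the merged order is correct even though the two sources never shared a clock.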


Auditing (2)

(Picture from Alexandra Institute)


Security Mapping


- Determine which resources you are planning to move to the cloud
- Determine the sensitivity of those resources to risk
- Determine the risk associated with the particular cloud deployment type (public, private, or hybrid) of a resource
- Take into account the particular cloud service model that you will be using
- If you have selected a particular cloud provider, evaluate its system to understand how data is transferred, where it is stored, and how to move data both into and out of the cloud


The AWS Security Center


Security Responsibilities


Cloud Deployment Models (NIST)
- Public clouds
- Private clouds
- Hybrid clouds


Security Service Boundary

(By Cloud Security Alliance (CSA))


Regulatory Compliance


- All regulations were written without cloud computing in mind.
- Clients are held responsible for compliance under the laws that apply to the location where the processing or storage takes place.
- Some security laws require companies that hold sensitive personal information to encrypt data transmitted from and stored on their systems (Massachusetts, March 2012).


Regulatory Compliance (2)


You have to ensure the following:
- Contracts are reviewed by your legal staff
- The right to audit is in your SLA
- Review cloud service providers for their security and regulatory compliance
- Understand the scope of the regulations that apply to your cloud-based applications
- Consider what steps to take to comply with the demands of the regulations that apply, and/or adjust your procedures accordingly
- Collect and maintain evidence of your compliance with regulations


Defining Compliance as a Service (CaaS)


CaaS needs to:
- Serve as a trusted party
- Be able to manage cloud relationships
- Be able to understand security policies and procedures
- Know how to handle information and administer policy
- Be aware of geographic location
- Provide incident response and archiving, and allow the system to be queried, all to a level that can be captured in an SLA


Defining Compliance as a Service (CaaS) (2)


Examples of clouds that advertise CaaS capabilities include the following:
- Athenahealth for the medical industry
- Bankserv for the banking industry
- ClearPoint PCI for merchant transactions
- FedCloud for government


Techniques for securing resources

(Picture from Alexandra Institute)


Virtualized Data Center Network Security Challenges
The major network security challenges in the virtualized data center include:
- Hypervisor integrity. A successful attack against a host's hypervisor can compromise all of the workloads being delivered by the host.
- Intra-host communications. Traffic between different VMs on the same physical host is often not visible to, and therefore cannot be controlled by, traditional physical firewalls and IPS.
- VM migration. When VMs migrate from one physical host to another, or from one physical site to another, they tend to break network security tools that rely on physical and/or network-layer attributes.


Data center evolution and security requirements


Criteria for Network Security in the Virtualized Data Center
- Safe application enablement of data center applications
- Identification based on users, not IP addresses
- Comprehensive threat protection
- Flexible, adaptive integration
- High-throughput, low-latency performance
- Secure access for mobile and remote users
- One comprehensive policy, one management platform


References


- Chapters 4 and 12 of the course book: Cloud Computing Bible, Wiley Publishing Inc., 2011
- Chapter 6 of Reese, G., Cloud Application Architectures: Building Applications and Infrastructure in the Cloud, O'Reilly, 2009
- Miller, L. C., Network Security in Virtualized Data Centers For Dummies, John Wiley & Sons
- Takabi, H. and Joshi, J. B. D., Security and Privacy Challenges in Cloud Computing Environments, research paper, University of Pittsburgh