CLOUD SECURITY
Understanding Cloud Security and Threats
AGENDA
• Overview of Cloud Computing
  • What is Cloud Computing?
  • Benefits of Cloud Computing
  • Cloud Computing Models
    • Service Models
    • Deployment Models
    • Billing Models
• Cloud Security
  • Threats, Vulnerabilities and Attacks
  • Countermeasures
  • Legal Challenges
• Research Challenges
Oct 2016 (CC BY-SA 3.0 - Al-Zewairi, M.) 2
INSTRUCTOR
• Malek Al-Zewairi
• PhD in Computer Science / Security at PSUT, Class of 2015
• MSc in Information Systems Security and Digital Criminology
• Technical Certificates:
  • ISO 27001:2013 Certified LI (PECB)
  • ISO 27001:2013 Certified LA (IRCA)
  • ISO 27001:2005 LA/LI
  • CEI, CEH, CHFI, COSFE, CCFP, …
• Co-Founder of the Jordan Information Security & Digital Forensics (JISDF) Research Group, http://JISDF.org
• EC-Council CHFIv9 Advisory Board Member
• Head of Information Security at the University of Jordan
• Security Trainer & Pen-Tester at NSQAC
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
OVERVIEW OF CLOUD COMPUTING
PART 1
WHAT IS CLOUD COMPUTING?
• Outsourcing the management and delivery of computational resources to a third party
• Hardware (Servers, Workstations, Printers, …)
• Software (Email, CRM, MS Office 365, …)
• Network (AWS VPC, IoT, …)
• Storage (Amazon S3, Dropbox, OneDrive, …)
• Service (Security, DBMS, …)
• …
NIST 5 CHARACTERISTICS OF CLOUD
On-Demand Self-Service
• The ability to scale cloud resources up or down whenever needed, without disrupting operations.
Broad Network Access
• The ability to access and manage cloud resources from multiple device types (e.g. smartphone, PC, laptop, …).
Resource Pooling
• The ability to dynamically assign cloud resources to multiple tenants based on client demand.
Rapid Elasticity
• The ability to resize cloud resources in real time, both vertically and horizontally.
Measured Service
• The ability to monitor, control and report on cloud resource usage.
BENEFITS OF CLOUD COMPUTING
High Accessibility
Dynamic Scalability
Improved Reliability
Increased Sustainability
Save Money
Rapid Development
Energy Saving
Higher Productivity
Zero Maintenance
Elasticity
24/7 Support
Security
CLOUD COMPUTING MODELS
Cloud Computing Models
• Service Models
• Deployment Models
• Payment Models
CLOUD MODELS: SERVICE MODELS
IaaS
• Infrastructure as a Service
• E.g. AWS EC2, Azure, Google CE, CDN
PaaS
• Platform as a Service
• E.g. Google App Engine
SaaS
• Software as a Service
• E.g. Gmail, Office 365, WebEx
CLOUD MODELS: SERVICE MODELS
IaaS: Infrastructure as a Service
• Provides virtual machines and other abstracted hardware and operating systems (i.e. processing, storage, networks and other computing resources)
• The customer is able to deploy and run arbitrary software, in addition to self-provisioning this infrastructure
PaaS: Platform as a Service
• Simply put, PaaS is an operating system in the cloud
• Provides a platform on which the customer’s applications can run
• Typically combines Web Server + Database + Programming Execution Environment
SaaS: Software as a Service
• Provides service to the customers in the form of software running on and accessible in the cloud
• Enables the customer to use the cloud provider’s applications running on the cloud provider’s infrastructure
• Email services and office applications are examples of SaaS
SEPARATION OF RESPONSIBILITIES IN CLOUD OPERATION
OTHER SERVICE MODELS
XaaS: Anything as a Service
• DRaaS: Disaster Recovery as a Service
• DSaaS: Data Storage as a Service
• DaaS: Database as a Service
• ITaaS: IT as a Service
• NaaS: Network as a Service
• CaaS: Crime as a Service
• …
CLOUD MODELS: DEPLOYMENT MODELS
Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud
CLOUD MODELS: DEPLOYMENT MODELS
Public Cloud
• Cloud infrastructure is made available to the general public
Private Cloud
• Cloud infrastructure is implemented within the internal IT environment of the organization
Community Cloud
• Cloud infrastructure is shared between several organizations from a specific community
Hybrid Cloud
• Cloud infrastructure is a composition of two or more clouds (private, community, or public)
CLOUD MODELS: BILLING MODELS
On-Demand Model: Pay as You Use
• Clients are charged for what they use (CPU, memory, storage, …)
Subscription-based Model
• Clients pay a steady monthly fee
Spot-Pricing Model
• Market forces drive the spot-pricing model; clients can bargain for the price of cloud resources
CLOUD SECURITY
PART 2
“Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.” – Gartner 2016
THREATS, VULNERABILITIES AND ATTACKS
Shared Technology, Shared Dangers
• A single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud
DoS Attacks
• Being either part of, or the victim of, a DoS attack consumes large amounts of processing power, a bill the customer may ultimately have to pay
Cloud Service Abuses
• Using shared cloud computing resources for illegitimate ends, e.g. to launch a phishing campaign
Changes of Jurisdiction
• Requires compliance with different regulatory & legal requirements
THREATS, VULNERABILITIES AND ATTACKS
Malicious Insiders
• A malicious insider, an act of espionage, or a disgruntled employee can do serious damage
Insecure or Incomplete Data Deletion
• Secure data deletion is extremely hard, as the data is probably stored on multiple disks and in different geographical locations, on media shared with other customers
Data Breaches
• iCloud, Yahoo, DropBox, …
Cloud Isolation Failure
• In a multi-tenant environment, an isolation failure can let one tenant affect another tenant’s resources, or even cause resource starvation
THREATS, VULNERABILITIES AND ATTACKS
Cloud Provider Acquisition
• E.g. the Rackspace acquisition, Aug 2016
Lock-In
• Inability to change the cloud service provider
Compliance Risk
• It might be hard for organizations to provide evidence of compliance. Client auditing might not be permitted
Hypervisor Vulnerabilities
• Successful exploitation of a hypervisor vulnerability breaks the isolation of untrusted code, and provides the attacker with access to all the resources available to the hypervisor
COUNTERMEASURES
Client-side Data Encryption
Server-side Encryption (FS and/or Data)
Network Traffic Protection
API Secure Access (Authentication, Encryption, Integrity)
Built-in Firewalls
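To make the “API Secure Access (Authentication, Encryption, Integrity)” item concrete, here is an added example (not code from the deck or from any provider’s SDK) of how a cloud-style API request is authenticated and integrity-protected: the client computes an HMAC over the method, path, body hash and timestamp, and the server rejects requests from an unknown key, stale requests (replays) and anything whose signature does not match. The key id, secret and 300-second window are constructed values; encryption in transit is assumed to come from TLS and is not shown.

```python
import hashlib
import hmac
import time

# Constructed credentials for this example; a real provider issues a key id and
# secret per principal, and the secret itself never travels on the wire.
API_KEY_ID = "EXAMPLEKEYID"
API_SECRET = b"constructed-example-secret-do-not-reuse"
MAX_SKEW = 300  # seconds a signed request stays valid; bounds replay of captured requests


def canonical_request(method, path, body, timestamp):
    """Bind everything the server will act on into the one string that gets signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{body_hash}\n{timestamp}".encode()


def sign_request(method, path, body, timestamp=None):
    """Client side: return the headers that authenticate and integrity-protect a request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    mac = hmac.new(API_SECRET, canonical_request(method, path, body, ts), hashlib.sha256)
    return {"X-Key-Id": API_KEY_ID, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(method, path, body, headers, now=None):
    """Server side: return (accepted, reason). Checks key, then freshness, then signature."""
    now = int(time.time()) if now is None else int(now)
    if headers.get("X-Key-Id") != API_KEY_ID:
        return False, "unknown key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale request"
    expected = hmac.new(API_SECRET, canonical_request(method, path, body, ts), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    path, body = "/buckets/demo/objects/report.csv", b"id,amount\n1,10\n"
    headers = sign_request("PUT", path, body)
    print(verify_request("PUT", path, body, headers))                   # (True, 'ok')
    print(verify_request("PUT", path, b"id,amount\n1,999\n", headers))  # tampered body
    print(verify_request("DELETE", path, body, headers))                # method changed
```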
COUNTERMEASURES
Rule-based Access Control
Multi-Factor Authentication
Private Subnets
Cloud-based HSM
Dedicated Connection
COUNTERMEASURES
Understand the Cloud Service Provider Global Infrastructure
Use a Different Cloud Provider for Backup/DR
Review Cloud Provider SLA and Security Policies
Perform Regular Security and Risk Assessment
Monitoring, Alerting, Audit Trail and Incident Response
LEGAL CHALLENGES
• Which legislation applies?
• Which agencies can access the data?
• It’s harder to provide evidence of compliance
• Performing penetration testing and security assessment becomes a more complex task.
RESEARCH CHALLENGES
PART 3
RESEARCH CHALLENGES
• Cloud Forensics
• Alternatives to MapReduce
• Managing Trust in the Cloud
• Software Defined Networking in cloud environment
• Energy-aware resource allocation in cloud data centers
• e-Health data CIA in the cloud
• High availability across multiple clouds
• Big Data computing and clouds
THANK YOU
REFERENCES
• http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
• http://www.rightscale.com/lp/2016-state-of-the-cloud-report?campaign=701700000015euW
• http://www.datacenterjournal.com/top-cloud-security-trends-for-2016/
• http://www.gartner.com/newsroom/id/3143718
• http://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html
• http://www.lybrary.com/cloud-computing-security-foundations-and-challenges-p-872988.html
• https://aws.amazon.com/webinars/emea-journey-through-the-aws-cloud/