CLOUD SECURITY Understanding Cloud Security and Threats

CLOUD SECURITY - securejordan.com › 2016 › Files › Cloud Security.pdf · Broad Network Access •Is the ability to access and mange the cloud resources from multiple device


AGENDA

• Overview of Cloud Computing
  • What is Cloud Computing?
  • Benefits of Cloud Computing
  • Cloud Computing Models
    • Service Models
    • Deployment Models
    • Billing Models

• Cloud Security
  • Threats, Vulnerabilities and Attacks
  • Countermeasures
  • Legal Challenges

• Research Challenges

Oct 2016 (CC BY-SA 3.0 - Al-Zewairi, M.) 2


INSTRUCTOR

• Malek Al-Zewairi

• PhD. Computer Science / Security at PSUT, Class 2015

• MSc. Information Systems Security and Digital Criminology

• Technical Certificates:
  • ISO 27001:2013 Certified LI (PECB)
  • ISO 27001:2013 Certified LA (IRCA)
  • ISO 27001:2005 LA/LI
  • CEI, CEH, CHFI, COSFE, CCFP, …

• Co-Founder of the Jordan Information Security & Digital Forensics (JISDF) Research Group, http://JISDF.org

• EC-Council CHFIv9 Advisory Board Member

• Head of Information Security at the University of Jordan

• Security Trainer & Pen-Tester at NSQAC


“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier


OVERVIEW OF CLOUD COMPUTING

PART 1


WHAT IS CLOUD COMPUTING?

• Outsourcing the management & delivery of computational resources to a third-party

• Hardware (Servers, Workstations, Printers, …)

• Software (Email, CRM, MS Office 365, …)

• Network (AWS VPC, IoT, …)

• Storage (Amazon S3, Dropbox, OneDrive, …)

• Service (Security, DBMS, …)

• …


NIST 5 CHARACTERISTICS OF CLOUD

On-Demand Self-Service

• Is the ability to scale the cloud resources up or down whenever needed without disrupting the operation.

Broad Network Access

• Is the ability to access and manage the cloud resources from multiple device types (e.g. smart phone, PC, laptop, …)

Resource Pooling

• Is the ability to dynamically assign the cloud resources to multiple tenants based on the client demand.

Rapid Elasticity

• Is the ability to resize the cloud resources in real time, both vertically and horizontally.

Measured Services

• Is the ability to monitor, control and generate reports of cloud resource usage.


BENEFITS OF CLOUD COMPUTING

High Accessibility

Dynamic Scalability

Improved Reliability

Increased Sustainability

Save Money

Rapid Development

Energy Saving

Higher Productivity

Zero Maintenance

Elasticity

24/7 Support

Security


CLOUD COMPUTING MODELS

• Service Models

• Deployment Models

• Payment Models


CLOUD MODELS: SERVICE MODELS

IaaS

• Infrastructure as a Service

• E.g. AWS EC2, Azure, Google CE, CDN

PaaS

• Platform as a Service

• E.g. Google App Engine

SaaS

• Software as a Service

• E.g. Gmail, Office 365, WebEx


CLOUD MODELS: SERVICE MODELS


Infrastructure as a Service (IaaS)

• Provides virtual machines and other abstracted hardware and operating systems (i.e. processing, storage, networks and other computing resources)

• The customer is able to deploy and run arbitrary software, in addition to self-provisioning this infrastructure

Platform as a Service (PaaS)

• Simply, PaaS is an operating system in the cloud

• Provides a platform on which the customer’s applications can run

• Typically combines Web Server + Database + Programming Execution Environment

Software as a Service (SaaS)

• Provides service to the customers in the form of software running on and accessible in the cloud

• Enables the customer to use the cloud provider applications running on the cloud provider infrastructure

• Email services and office applications are examples of SaaS


SEPARATION OF RESPONSIBILITIES IN CLOUD OPERATION


OTHER SERVICE MODELS

XaaS: Anything as a Service

• DRaaS: Disaster Recovery as a Service

• DSaaS: Data Storage as a Service

• DaaS: Database as a Service

• ITaaS: IT as a Service

• NaaS: Network as a Service

• CaaS: Crime as a Service

• …


CLOUD MODELS: DEPLOYMENT MODELS

Public Cloud

Private Cloud

Community Cloud

Hybrid Cloud


CLOUD MODELS: DEPLOYMENT MODELS

Public Cloud

• Cloud infrastructure is made available to the general public

Private Cloud

• Cloud infrastructure is implemented within the internal IT environment of the organization

Community Cloud

• Cloud infrastructure is shared between several organizations from a specific community

Hybrid Cloud

• Cloud infrastructure is a composition of two or more clouds (private, community, or public)


CLOUD MODELS: BILLING MODELS

On-Demand Model: Pay as you Use

• Clients are charged for what they use (CPU, memory, storage, …)

Subscription-based Model

• Clients pay a steady monthly fee

Spot-Pricing Model

• Market forces drive the spot-pricing model. Clients can bargain for the price of cloud resources


CLOUD SECURITY

PART 2


“Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.” – Gartner 2016


THREATS, VULNERABILITIES AND ATTACKS


Shared Technology, Shared Dangers

• A single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud

DoS Attacks

• Being part of a DoS attack or the victim of one will both consume large amounts of processing power, a bill the customer may ultimately have to pay

Cloud Service Abuses

• For example, using shared cloud computing resources to launch a phishing campaign

Changes of Jurisdiction

• Requires compliance with different regulatory & legal requirements


Malicious Insiders

• A malicious insider, espionage, or a disgruntled employee can do significant damage

Insecure or Incomplete Data Deletion

• Secure data deletion is extremely hard, as the data is probably stored on multiple disks and in different geographical locations that are shared with other customers

Data Breaches

• iCloud, Yahoo, Dropbox, …

Cloud Isolation Failure

• In a multi-tenant environment, isolation failure can result in one tenant influencing another tenant's resources or even in resource starvation


Cloud Provider Acquisition

• E.g. Rackspace acquisition Aug 2016

Lock-In

• Inability to change the cloud service provider

Compliance Risk

• It might be hard for organizations to provide evidence of compliance. Client auditing might not be permitted

Hypervisor Vulnerabilities

• Successful exploitation of a hypervisor vulnerability breaks the isolation of untrusted code, and provides the attacker with access to all the resources available to the hypervisor


COUNTERMEASURES

Client-side Data Encryption

Server-side Encryption (FS and/or Data)

Network Traffic Protection

API Secure Access (Authentication, Encryption, Integrity)

Built-in Firewalls


Rule-based Access Control

Multi-Factor Authentication

Private Subnets

Cloud-based HSM

Dedicated Connection


Understand the Cloud Service Provider Global Infrastructure

Use of Different Cloud Provider for Backup/DR

Review Cloud Provider SLA and Security Policies

Perform Regular Security and Risk Assessment

Monitoring, Alerting, Audit Trail and Incident Response


LEGAL CHALLENGES

• Which legislation applies?

• Which agencies can access the data?

• It’s harder to provide evidence of compliance

• Performing penetration testing and security assessments becomes a more complex task.


RESEARCH CHALLENGES

PART 3


RESEARCH CHALLENGES

• Cloud Forensics

• Alternatives to MapReduce

• Managing Trust in the Cloud

• Software Defined Networking in cloud environment

• Energy-aware resource allocation in cloud data centers

• e-Health data CIA in the cloud

• High availability across multiple clouds

• Big Data computing and clouds



REFERENCES

• http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

• http://www.rightscale.com/lp/2016-state-of-the-cloud-report?campaign=701700000015euW

• http://www.datacenterjournal.com/top-cloud-security-trends-for-2016/

• http://www.gartner.com/newsroom/id/3143718

• http://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html

• http://www.lybrary.com/cloud-computing-security-foundations-and-challenges-p-872988.html

• https://aws.amazon.com/webinars/emea-journey-through-the-aws-cloud/
