Slide 1

CLOUD COMPUTING SECURITYAjay Porus ISO27K LA,CPISIFounder & Director CSA Hyderabad ChapterLead Implementer Honey Net Project India

1AgendaIntroduction to Cloud Computing

Cloud Architecture and Characteristics

Cloud Security Concerns and Attacks

Different Security Domains Best Practices

What's going in Industry on Cloud 2

Introduction to Cloud ComputingIs It Really New?What is Cloud Computing?How Does it Evolve?What are the Characteristics of Cloud Computing?What is difference in Architecture from traditional Computing?What are different Services Delivery Models?What are different deployment models?Frame work of Cloud ComputingCloud Eco-System

3Is It Really New?No, its Not its the evolution of old technologies to a new level which bring together many technologies to provide huge computational powerFirst Cloud around networking (Network As a Cloud) as said ..we Didnt care where the message sent, the cloud had it from us Kevin Marks, GoogleSecond Cloud around Documents (WWW data abstraction)Third Cloud Present and future. This abstracts infrastructure complexities of servers, application, database and different platforms. (Amazon CEO)

4Cloud Computing DefinitionCloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of Seven essential characteristics, three service models, and four deployment models5How Does it Evolve?MainframesMini ComputerPersonal desktopsClient ServerIp NetworksMobile DevicesCloud Computing

6Characteristics of Cloud ComputingMulti-tenancy (shared resources)

Massive scalability

Rapid Elasticity

Measured service

On-demand self-service

Broad network access

7Traditional vs Cloud ComputingDedicated/traditional High upfront IT investments for new builds High cost of reliable infrastructure High complexity of IT environment Complex infrastructure

IT Cloud computingReliability built into the cloud architectureLow upfront IT investmentspay-for-use modelModular IT architecture environmentsNo infrastructure

8Services Delivery Models

9Deployment ModelsPublic Cloud Private CloudCommunity CloudHybrid Cloud

10Cloud Computing Framework

11Cloud Computing Framework12CommunityCloudPrivate CloudPublic CloudHybrid CloudsDeploymentModelsServiceModelsEssentialCharacteristicsCommon CharacteristicsSoftware as a Service (SaaS)Platform as a Service (PaaS)Infrastructure as a Service (IaaS)Resource PoolingBroad Network AccessRapid ElasticityMeasured ServiceOn Demand Self-ServiceLow Cost SoftwareVirtualizationService OrientationAdvanced SecurityHomogeneityMassive ScaleResilient ComputingGeographic DistributionCloud Eco-System

13Cloud Security Concerns & Attacks General Security ConcernsCloud Security ChallengesTop Threats to Cloud ComputingDDOS & EDOSSide Channel AttackMIM Crypto graphic AttackPoisoned VMsAttack Against Management ConsoleAbusing Cloud Billing Models and Cloud PhishingDNS Cache poisoning AttacksAuthentication Attack

14General Security ConcernsTrusting vendors security modelCustomer inability to respond to audit findingsObtaining support for investigationsIndirect administrator accountabilityProprietary implementations cant be examinedLoss of physical control

15Cloud Security ChallengesData dispersal and international privacy lawsNeed for isolation managementLogging challengesData ownership issues Using SLAs to obtain cloud securityDependence on secure hypervisorsAttraction to hackers (high value target)Encryption needs for cloud computingHandling compliance

16Top Threats to Cloud Computing Abuse and Nefarious Use of Cloud ComputingInsecure Interfaces and APIsMalicious InsidersShared Technology IssuesAccount or Service HijackingLoss of governanceLock-InCompliance risksManagement interface compromiseData protection (Data Loss or Leakage)17DDOS & EDOSDistributed denial of service: An attack that make computer or network resources unavailable.Economic denial of service: A DDos attack that make large number of request for which cloud user have to pay (generally per 100oo request 1$ in Amazon) Originates majorly from compromised computers

18Side Channel AttackAttack based on information gained from the physical implementation of a cryptosystem.Timing AttackPower Consumption Attack- Simple Power Analysis Attack (SPA)- Differential Power Analysis Attack (DPA)Electromagnetic AttackAcoustic Crypto AnalysisCache AttackDifferential Fault Analysis

19MIM Crypto graphic AttackPhishing ScamAttack Communication Steal Private or public KeyAttackers eavesdropping between the two partiesSend and execute malicious codeGain access to Victims system20Poisoned VMsAdministrator with full access to configure VMAddition of malicious codeTampering with AMI(Amazon Machine Image)Isolation provided by CSPLaunch of Shared AMI Preconfigured Malicious Business LogicNo ways till this time to find out.

21Attack Against Management ConsoleProprietary console of CSPMost critical console as environment can be changedGoogle Made 2 management consoles- 1st console for normal administration2nd to upload apps to google apps by cmd python script Amazon shared domain of EC2 and amazon.comIf vulnerability found Like CSRF attack on secret keys Once keys hacked then management console can be hacked

22Abusing Billing Models & Cloud PhishingPhishing Scams for AmazonPhishing from Amazon cloud Blacklisting Amazon domain in phishing databaseOnce secret key hacked Cloud based DDOS very costlyMillion of poisoned VM initiate by 1 CSRF attackPayment for the network and CPU consumption

23DNS Cache Poisoning AttacksShared IPs Once IP released take time to clear from cache & Arp tableTill cleared can be accessed with same IPLack of Knowledge for DNS cache & ARP tableWashigton post face d problem at Amazon EC2Even IP released but had access from internal network24Authentication AttackWeak PasswordGoogle Hack DatabaseSql InjectionsCross site ScriptingMan in the MiddleBrute force AttackSession HijackingSocial Engineering25Different Security Domains Best PracticesCloud Computing Architectural Framework .Governance and Enterprise Risk ManagementLegal and Electronic DiscoveryCompliance and AuditData Security LifecyclePortability and InteroperabilityTraditional Security, BCP & DRData Center OperationsIncident ManagementApplication SecurityEncryption and Key ManagementIdentity and Access ManagementVirtualization Security26Cloud Architectural SecurityHardware Security (xeon 5600, AES and TXT Support)Virtualization Security (Hypervisor Hardening)Guest OS Security (Operating system Hardening)Platform Security ( Patches and Updates)Application Security ( Secure Development Lifecycle)Network Security ( Firewall, IDS, IPS, VPN, SSL/TLS)Cryptographic Security (PGP Keys, AES, 3DES, 2-DNF)

27Governance and Risk ManagementInvest some of saved money for SecurityRobust IS governance with defined roles & responsibilitiesCollaborative governance structure between provider & customer Assess for sufficiency, maturity, and consistency with the users ISMS.SLA should be added in Risk assessmentNew approach for risk assessment from both ends.CSP include metrics and controls 28Legal and Electronic DiscoveryMutual understanding of each others R&R related to electronic discovery, litigation & Laws.Responsive Information security system to preserve data to authentic & reliable.Providing equal guardianship as in owners hand.Pre-contract due diligence, contract term negotiation, post-contract monitoring, and contract termination Unified process for responding to subpoenas, service of process, and other legal requests.

29Compliance and AuditInvolve Legal and Contracts Teams in SLARight to Audit ClauseAnalyze Compliance ScopeAnalyze Impact of Regulations on Data SecurityReview Relevant Partners and Services ProvidersAnalyze Impact of Regulations on Provider InfrastructureAuditor Qualification and SelectionCloud Providers SAS 70 Type IICloud Providers ISO/IEC 27001/27002 Roadmap30Data Security LifecycleMaintain CIA of data Security practices and proceduresStrong SLA with all areas. System of service penalties in SLAData ClassificationEncryptionPerform Regular Backup

31Portability and InteroperabilityIdentify and eliminate any provider-specific extensions to the VM environment. Appropriate de-provisioning of VM imagesAppropriate de-provisioning of discs & storage device. Platform components with a standard syntaxUnderstand the impacts on performance and availability of the application. Consistency of control effectiveness across old and new providers. Vendor to test and evaluate the applications before migration

32Traditional Security, BCP & DRCentralization of dataAdopting as a security baselinePerform onsite inspections of cloud provider facilitiesCustomers should inspect cloud provider disaster recoveryBCP Policy approved by the providers board of directors33Data Center Operationspermission to conduct customer or external third-party audits.Demonstrate compartmentalization of systems, networks, management, provisioning, and personnel.SLA should be clearly defined, measurable, enforceable, and adequate for your requirementsContinual improvement in policies, processes, procedures.24*7*365 days Technical support should be available.34Incident ManagementDefine incident and event before SLA signoff to CSPWhat incident detection and analysis tools used by CSPConducting proper risk management to stop incidentsA robust Security Information and Event Management (SIEM) requiredDeliver snapshots of the customers entire virtual environmentWhole data should be encrypted 35Application Security Application assessment tools Create trust boundaries for SDLCUse Own VM with configured policies in IAASUse best practice to harden system as in DMZMulti-tenancy in application threat modelSecuring inter host communicationMetrics to assess effectiveness of Security ProgramKeep cloud architecture in Mind. 36Encryption & Key ManagementEncrypting data In transit (SSL/TLS, SSH)Encrypting data at rest (AES128, 3DES, 2DNF)Encrypting data on Backup mediaUse of encryption data separate then for use.Stipulate encryption in contractDefine secure key lifecycle managementUse industry level key management systemsMake keys secure, limited access to key store & key backup.

37Identity and Access ManagementAvoid proprietary identity provisioning system Use 2 factor authenticationConsider user centric authentication (Google, live Id)Use open standard for authentication and VPNUse of federated identity and gateways like SAML Use mechanism to transmit user info from PIP to PDPUse IdaaS to have better security & risk mitigation

38PIP policy information point pdp policy decision point38Virtualization SecurityIdentify types of virtualization provided by CSPUnderstand hypervisor security and isolation mechanismUnderstand security to protect administrative interfaces (API, web-based)Strong authentication mechanism with tamper proof logging and integrity monitoring toolsExplore Efficiency and feasibility of segregating VMsStrong reporting mechanism for raising alert if compromised 39What's going in Industry on Cloud Different Initiatives

Fabric Computing

Homomorphic Encryption

Future of Cloud Mobile Computing

40

Different Initiatives Cloud Security AllianceCloud CertCloud CAMM(Capability and Maturity Model)Cloud Audit A6CCM ( Cloud Control Matrix Tool)CAI (Consensus Assessment InitiativeCSA GRC StackTrusted Cloud InitiativeCCSK (Certificate of Cloud Security Knowledge)Cloud Metrics Research

41

Fabric ComputingNext generation computing by interconnecting nodes like fabric (including various clouds)High performance computing by loosely coupled storage network devices and parallel processors42

Homomorphic & Predicate EncryptionProcessing of encrypted data very difficultIBM announced Homomorphic encryption (2DNF+)Enables Processing of encrypted data.Require immense computational power Predicate encryption No need to Decrypt whole dataDecrypt only requiredSupporting Disjunctions, Polynomial Equations, and Inner Products43

Future of Cloud Mobile ComputingMobile computing increasing rapidlyAndroid Platform next generation mobile computingApplication to access cloud on mobile phoneWi-Fi and 3G connection enabling high bandwidthSSL/TLS and SSH from Phone web browser to VM Trusted certificate and private key on phone2 factor Authentication (Fingerprint and password)Different platforms to configure cloud APIs44Questions?45Thank YouContact:www.csaindia.inajayporus@csaindia.inhttp://in.linkedin.com/in/ajayporusSkype: ajayporus1Yahoo: ajayporus198646