The Security and Privacy Threats to Cloud Computing

  • Published on
    17-Oct-2014


<p>Introduction to Cloud Computing | In-depth Security Analysis for Cloud Computing [2] | Project for Trustworthy Cloud Computing and Conclusion | Bibliography</p>
<p>The Security and Privacy Threats to Cloud Computing</p>
<p>Ankit Singh, Frankfurt am Main, Germany</p>
<p>April 23, 2012</p>
<p>Ankit Singh: The Security and Privacy Threats to Cloud Computing</p>
<p>1 Introduction to Cloud Computing: Cloud Computing Example; Three Cloud Service Models; Threats to Cloud Computing</p>
<p>2 In-depth Security Analysis for Cloud Computing [2]: Security weakness in Cloud Computing; Data protection requirements for cloud computing services; Government and the Cloud</p>
<p>3 Project for Trustworthy Cloud Computing and Conclusion: The TClouds Project; Conclusion of the Talk</p>
<p>4 Bibliography</p>
<p>Quick Introduction to Cloud Computing I</p>
<p>Cloud computing is a term from information technology (IT) and means that software, memory capacity and computer power can be accessed via a network, for instance, the Internet or within a Virtual Private Network (VPN), as and when it is needed. The IT landscape (e.g.
data processing centre, data storage facilities, e-mail and collaboration software, development environments and special software such as Customer Relationship Management [CRM]) is no longer owned and run by the company or institution, but is a service which can be rented from one or more cloud service providers [1].</p>
<p>Cloud Computing Example I</p>
<p>Figure: Cloud Computing Example (adapted from Wikipedia)</p>
<p>Three Cloud Service Models [1] [2] I</p>
<p>Software as a Service (SaaS): Users as consumers, e.g.
accounting, collaboration tools, CRM etc.</p>
<p>Platform as a Service (PaaS): Data processing services, e.g. Google App Engine and Microsoft Azure Platform.</p>
<p>Infrastructure as a Service (IaaS): Hosting services, e.g. webspaces like Amazon EC2, Go Daddy etc.</p>
<p>- The cloud computing service models are viewed as layers in the same sequence shown above.</p>
<p>- These models are deployed on top of the cloud infrastructure as defined by NIST [3].</p>
<p>List of Threats to Cloud Computing [4] I</p>
<p>1 Abuse of Cloud Computing. Affected services: IaaS, PaaS.</p>
<p>- Abuse of the service under cover of anonymity, which results from a loose registration and validation process.</p>
<p>- Adversaries use the models for spamming, writing malicious code etc.</p>
<p>2 Insecure Interfaces and APIs. Affected services: IaaS, PaaS, SaaS.</p>
<p>- Interfaces or APIs are provided by service providers to customers to manage and interact with cloud services.</p>
<p>- The security and availability of cloud services depend on the security of these basic APIs.</p>
<p>- Interfaces must be designed to protect against accidental and malicious attempts to circumvent policy.</p>
<p>List of Threats to Cloud Computing [4] II</p>
<p>3 Malicious Insiders. Affected services: IaaS, PaaS, SaaS.</p>
<p>- An adversary can harvest confidential data or gain complete control over cloud services, depending on the level of access.</p>
<p>4 Shared Technology Issues.
Affected services: IaaS.</p>
<p>- Disk partitions, CPU caches, GPUs and other shared elements were never designed for strong compartmentalization.</p>
<p>- A virtualization hypervisor addresses this gap by mediating access between guest operating systems and physical compute resources.</p>
<p>- Hypervisors have flaws which may result in gaining inappropriate levels of control or influence on the underlying platform.</p>
<p>List of Threats to Cloud Computing [4] III</p>
<p>5 Data Loss or Leakage. Affected services: IaaS, PaaS, SaaS.</p>
<p>- Deletion or alteration of records without a backup of the original content.</p>
<p>- Unlinking a record from a larger context may render it unrecoverable.</p>
<p>- Unauthorized parties must be prevented from gaining access to sensitive data.</p>
<p>- Examples: Insufficient authentication, authorization and audit (AAA) controls.</p>
<p>List of Threats to Cloud Computing [4] IV</p>
<p>6 Account or Service Hijacking. Affected services: IaaS, PaaS, SaaS.</p>
<p>- Attack methods such as phishing, fraud and exploitation of software vulnerabilities still achieve results.
Credentials and passwords are often reused.</p>
<p>7 Unknown Risk Profile. Affected services: IaaS, PaaS, SaaS.</p>
<p>- Versions of software, code updates, security practices, vulnerability profiles and intrusion attempts are the factors for estimating a company's security posture.</p>
<p>- Some questions need to be addressed, such as: How are data and related logs stored, and who has access to them? What information may be disclosed in case of a security breach? etc.</p>
<p>Security weakness in Cloud Computing I</p>
<p>Cloud providers fail to provide encryption to their users:</p>
<p>- Cloud service providers do not provide encrypted access to their Web applications.</p>
<p>Man-in-the-middle attacks:</p>
<p>- The attacker redirects traffic between a client and a server through himself.</p>
<p>- Achieved by forging DNS packets, DNS cache poisoning, or ARP spoofing.</p>
<p>- Prevention: DNSSEC and HTTPS/TLS are two technologies which can prevent this attack.</p>
<p>Security weakness in Cloud Computing II</p>
<p>Data encryption caveats:</p>
<p>- Where will the encryption key be stored?</p>
<p>- Where will the encryption and decryption processes be performed?</p>
<p>User interface attacks:</p>
<p>- A Web browser is used for accessing Web applications.
Thus, the browser's user interface becomes an important security factor.</p>
<p>- Example: An attacker tries to fool the user into thinking that she is visiting a real website instead of a forgery. Techniques used here include fake HTTPS lock icons.</p>
<p>Research Recommendations by ENISA [5] I</p>
<p>Research recommendations by the European Network and Information Security Agency (ENISA):</p>
<p>Building Trust in the Cloud:</p>
<p>- Certification processes and standards for clouds: COBIT (52), ITIL (53) etc.</p>
<p>- Metrics for security in cloud computing</p>
<p>- Effects of different forms of reporting breaches on security</p>
<p>- Increasing transparency while maintaining appropriate levels of security</p>
<p>- End-to-end data confidentiality</p>
<p>- Extending cloud-based trust to client-based data and applications</p>
<p>Data Protection in Large-Scale Cross-Organizational Systems:</p>
<p>Research Recommendations by ENISA [5] II</p>
<p>- Data destruction and lifecycle management</p>
<p>- Integrity verification of backups and archives in the cloud and their version management</p>
<p>- Forensics and evidence gathering mechanisms</p>
<p>- Incident resolution and rules of evidence</p>
<p>- International differences in relevant regulations, including data protection and privacy, i.e. legal means to facilitate the smooth functioning of multi-national cloud infrastructures.</p>
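<p>Added example (not part of the original slides): one way a cloud customer can carry out the integrity verification of backups and archives listed above while keeping the key and the processing on the client side, which is what the data encryption caveats ask about. HMAC-SHA256 is an assumed choice here, and all names and sample archives are constructed for illustration.</p>

```python
import hashlib
import hmac
import json

# Constructed sample data: versioned archives keyed as "name@version".
KEY = b"customer-held-key-never-uploaded"  # hypothetical; lives only on the client
SAMPLE = {
    "db.tar@v1": b"customers table, January",
    "db.tar@v2": b"customers table, February",
    "logs.tar@v1": b"audit log, January",
}

def manifest_tag(key: bytes, entries: dict) -> str:
    """HMAC over the canonical JSON of all entries, binding them into one context."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(key: bytes, archives: dict) -> dict:
    """Run on the client before upload; the manifest itself may live in the cloud."""
    entries = {ident: hashlib.sha256(data).hexdigest()
               for ident, data in archives.items()}
    return {"entries": entries, "tag": manifest_tag(key, entries)}

def verify(key: bytes, manifest: dict, downloaded: dict) -> dict:
    """Run on the client after download; returns a status per archive version."""
    expected = manifest_tag(key, manifest["entries"])
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest was modified or built with another key")
    report = {}
    for ident, digest in manifest["entries"].items():
        data = downloaded.get(ident)
        if data is None:
            report[ident] = "missing"      # deleted or unlinked record
        elif hashlib.sha256(data).hexdigest() == digest:
            report[ident] = "ok"
        else:
            report[ident] = "altered"
    for ident in downloaded.keys() - manifest["entries"].keys():
        report[ident] = "unexpected"       # not covered by the manifest
    return report

if __name__ == "__main__":
    manifest = build_manifest(KEY, SAMPLE)
    fetched = dict(SAMPLE)
    fetched["db.tar@v2"] = b"customers table, tampered"
    del fetched["logs.tar@v1"]
    print(verify(KEY, manifest, fetched))
```

<p>Because the tag covers every entry at once, a provider or insider who swaps an archive and edits its digest in the stored manifest is still detected, as long as the key stays with the customer.</p>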
<p>Large-Scale Computer Systems Engineering:</p>
<p>- Security in depth within large-scale distributed computer systems</p>
<p>- Security services in the cloud, i.e. adaptation of traditional security perimeter control technologies to the cloud, like HSM, web filters, firewalls, IDS etc.</p>
<p>Research Recommendations by ENISA [5] III</p>
<p>- Resource isolation mechanisms: data, processing, memory, logs, etc.</p>
<p>- Interoperability between cloud providers</p>
<p>- Portability of VM, data and VM security settings from one cloud provider to another (to avoid vendor lock-in), and maintaining state and session in VM backups.</p>
<p>- Standardization of interfaces to feed data, applications and whole systems to the cloud.</p>
<p>- Resource (bandwidth and CPU, etc.) provisioning and allocation at scale (elasticity)</p>
<p>- Scalable security management (policy and operating procedures) within cloud platforms</p>
<p>Government and the Cloud [2] I</p>
<p>United States: One of the most important legal tools used by the U.S. Government to force cloud providers to hand them users' private data is the third-party doctrine.
Other relevant laws include the Wiretap Act, the All Writs Act and the Foreign Intelligence Surveillance Act.</p>
<p>Example: Facebook can provide complete profile information and uploaded photos to law enforcement irrespective of her privacy</p>
<p>Government and the Cloud [2] II</p>
<p>Germany: Sections 111 and 112 of the 2004 Telecommunications Act (Telekommunikationsgesetz in German) allow the government to force telecommunication service providers (which include cloud service providers like webmail) to hand over information such as a customer's name, address, birthdate, and email address, without a court order, through an automated query system that includes a search function in case law enforcement has incomplete request data.</p>
<p>Example: A case of court-ordered surveillance in Germany is the Java Anonymous Proxy (JAP), which is open source software for anonymously browsing websites.</p>
<p>The TClouds Project I</p>
<p>Trustworthy Clouds (TClouds) is a European Commission funded project.</p>
<p>GOAL: To develop a trustworthy cloud computing infrastructure, which enables a comprehensible and audit-proof processing of personal or otherwise sensitive data in a cloud without limiting the solution to just a physically separated private cloud [6].</p>
<p>Target Scenarios:</p>
<p>Energy Sector: Portugal's leading energy supplier Energias de Portugal (EDP) and electronics company EFACEC in the field
of smart power grid</p>
<p>Healthcare Sector: Italian hospital San Raffaele in Milano</p>
<p>The TClouds Project II</p>
<p>Technical Implementation: Focuses on communication protocols between different cloud service providers, new open security standards, APIs and effective management components for cloud security.</p>
<p>Conclusion I</p>
<p>Cloud computing is an upcoming field due to attractive services provided by cloud computing service providers.</p>
<p>Privacy and data security are the biggest challenges when it comes to storing and processing critical business or personal data in a cloud.</p>
<p>There are many challenges that we can only face if we understand what we are dealing with, how it may affect us and which possible solutions exist.</p>
<p>We must convince cloud providers and users of the importance of implementing available security technologies.</p>