“cloud computing security” cse 7344 – wildcard smu spring 2010 by gokhan gun ggun@ieee.org...

“Cloud Computing Security” CSE 7344 – Wildcard

SMU Spring 2010

By Gokhan Gunggun@ieee.org

ggun@smu.edu

Brief introduction of Cloud Computing

• Definition: class of the next generation highly scalable distributed computing platform in which computing resources are offered 'as a service' leveraging virtualization and Internet technologies

• Examples: Amazon's Elastic Compute Cloud (EC2) and IBM’s Blue Cloud are examples of cloud computing services

Introduction

• a precise definition is often debated

• The architecture and terminology of cloud computing is as clearly and precisely

defined as, well, a cloud. Since cloud computing is really a culmination of many technologies such as grid computing, utility computing, SOA, Web 2.0, and other technologies

“Cloud computing security”

• The US government projects that between 2010 and 2015, its spending on cloud computing will be at approximately a 40-percent compound annual growth rate and will pass $7 billion by 2015

• Cisco System’s current CEO, John Chambers indicated as “Cloud Computing a security nightmare”.

Cloud Security Issues (I)

• Securing data in “cloud” is difficult

• Security is a particularly critical feature of any SLA

• The SLA is the only legal agreement between the service provider and client

• SLA defines the relationship between two parties: the provider and the recipient

SLA

• Identify and define the customer’s needs

• Provide a framework for understanding

• Simplify complex issues

• Reduce areas of conflict in the event of disputes

• Eliminate unrealistic expectations

Standardization Process

• Privileged user access

• Regulatory compliance

• Data Location

• Data Segregation

• Recovery

• Investigative support

• Long term viability

Questionnaires (SLA needs to answer)

• What happens if the SLA is not met? • Who will check the security of cloud

providers?• How secure is encryption Scheme?• But an even larger question looming like a

dark cloud on the horizon is that of jurisdiction and legal status. Is stuff in the cloud on the same legal footing as stuff in your data center?

Security at different levels

• Server access security

• Internet access security

• Database access security

• Data privacy security

• Program and access security

Questions

• What is Data Security at Physical Layer?

• What is Data Security at Network Layer?

• What about investigation Support?

• How much safe is data from Natural disaster?

• How much trusted is Encryption scheme of Service Provider?

SLA

• the SLA has to discuss about many other issues like security policies, methods and their implementations.

• It also has to discuss what legal actions are taken if the services are misused by the customer

On Technical Security Issues in Cloud Computing (II)

• Cloud computing concept offers dynamically scalable resources

• it promises the reduction of capital expenditure (CapEx) and operational expenditure (OpEx).

Cloud layers

• Amazon’s Elastic Compute Cloud (EC2) is a prominent example for an IaaS offer

• Google’s App Engine is an example of (PaaS)

• The top layer (SaaS) provides it users with ready to use applications

in-depth discussion of security issues in Cloud Computing

• data confidentiality

• Safety

• privacy

• WS-Security- defines a SOAP header (Security) that carries the WS-Security extensions- defines XML security standards like XML signature and encryption that are applied to SOAP messages- XML Encryption defines an Encrypted- Key element for key transportation purposes

• i.e - X.509 certificates

• Additionally WS-Security defines security tokens suitable for transportation of digital identities

TLS – Transport Layer Security

• originally been introduced as Secure Socket Layer (SSL), in 1996 by Netscape

- Record Layer encrypts/decrypts TCP data streams

- keys negotiated in the TLS Handshake - offers many different options for key

agreement encryption and authentication of network peers

Cloud Computing Security Issues

• XML Signature– SOAP relies on XML– Other Application layer protocols

• RPC• HTTP

• Browser Security

• The Legacy Same Origin Policy

• Attacks on Browser-based Cloud Authentication

• Secure Browser-based Authentication

• Future Browser Enhancements– XML Encryption– XML Signature

• Cloud Integrity and Binding Issues

• Metadata Spoofing Attack

• Flooding Attacks

• Direct Denial of Service

• Indirect Denial of Service

• Accounting and Accountability

Conclusion and Future Work

• ongoing issues with application of XML Signature and the Web Services security frameworks

• Browser Security and SaaS

• Binding Issues, PaaS

• Threat of CC, IaaS

Data Security in the World of Cloud Computing (III)

• a tested encryption schema

• stringent access controls to prevent unauthorized access

• scheduled data backup and safe storage

Who Will Use Clouds and Proffer Security?

• users range from individuals and small businesses to Fortune 500 firms and governments

• Who has jurisdiction over data as it flows across borders?

• Can governments access that information as it changes jurisdiction?

• Is there more risk in storing personal personal information in data centers that belong to a single entity rather than in multiple data centers?

• legal decisions will ultimately determine who “owns” the responsibility for securing information shared within clouds

A Layered Security Approach for Cloud Computing Infrastructure

(IV)• a practical security model based on key

security considerations by looking at a number of infrastructure aspects of Cloud Computing

• a proposed shared security approach in system development life cycle focusing on the plan-built-run scope

• required security architecture incorporated firewalls, intrusion detection/prevention systems, antivirus, authentication, authorization, access control, encryption and other services

Dynamic Infrastructure Security Model:

• A well established dynamic security model

• a horizontally and vertically configurable and policy based security approach

• infrastructure scope covered within the domains of network, servers, storage and systems management

Top five cloud computing security issues (V)

• Every breached security system was once thought infallible

• Understand the risks of cloud computing • How cloud hosting companies have approache

d security

• Local law and jurisdiction where data is held • Best practice for companies in the cloud

• SaaS (software as a service) and PaaS (platform as a service) providers all trumpet the robustness of their systems

• Companies need to be vigilant, for instance about how passwords are assigned, protected and changed.

• Open Cloud Manifesto– bring together the emerging cloud computing

community – IBM, Cisco, SAP, EMC etc.

• handful of existing web standards which companies in the cloud should know about

• ISO27001 - designed to provide the foundations for third party audit

• SAS70 - auditing standard is also used by cloud service providers

Best practice for companies in the cloud

• Inquire about exception monitoring systems • Be vigilant around updates and making sure that staff don't

suddenly gain access privileges they're not supposed to. • Ask where the data is kept and inquire as to the details of data

protection laws in the relevant jurisdictions. • Seek an independent security audit of the host • Find out which third parties the company deals with and whether

they are able to access your data • Be careful to develop good policies around passwords; how they are

created, protected and changed. • Look into availability guarantees and penalties. • Find out whether the cloud provider will accommodate your own

security policies

References

• http://www.computer.org/portal/web/csdl/doi/10.1109/SCC.2009.84• http://www.computerweekly.com/Articles/2010/01/12/235782/Top-

five-cloud-computing-security-issues.htm• http://www.computer.org/portal/web/csdl/doi/10.1109/

CLOUD.2009.60• http://www.computer.org/portal/web/csdl/doi/10.1109/MSP.2009.87• http://www.computer.org/portal/web/csdl/abs/html/mags/co/

2007/02/r2045.htm• http://www.nr.no/~abie/security.htm• http://www.export.gov/safeharbor/SH_Overview.asp • http://www.opencloudmanifesto.org/Open%20Cloud

%20Manifesto.pdf

[1] Confidential @ Gokhan Gun, sections cited are copyrighted © by the authors

Questions, Comments?

Thanks -

ggun@smu.edu

ggun@ieee.org