Cloud Computing Security
Ohio Information Security Forum 2
Topics
1. Why Is "Security" Everywhere
2. What is Cloud Computing?
3. The Same Old Security Problems
4. Virtualization Security
5. New Security Issues and Threat Model
6. Data Security
Why Is "Security" Everywhere
Homomorphic Public-key Encryption
Public-key crypto with an additional procedure: Eval
c* ← Eval_pk(π, c1, …, cn)
π is a Boolean circuit with ADD, MULT mod 2
Maps encryptions of the inputs m1, …, mn to an encryption of the output value m* = π(m1, …, mn)
Homomorphic encryption slides borrowed from people.csail.mit.edu/shaih/pubs/IHE-S-and-P-day.ppt
"Cyberinfrastructure Visualized": A Cloud, With Lots of "Security" References
Why Is "Security" Everywhere on That Slide?
Security is generally perceived as a huge issue for the cloud:
During a keynote speech to the Brookings Institution policy forum, “Cloud Computing for Business and Society,” [Microsoft General Counsel Brad] Smith also highlighted data from a survey commissioned by Microsoft measuring attitudes on cloud computing among business leaders and the general population.
The survey found that while 58 percent of the general population and 86 percent of senior business leaders are excited about the potential of cloud computing, more than 90 percent of these same people are concerned about the security, access and privacy of their own data in the cloud.
http://www.microsoft.com/presspass/press/2010/jan10/1-20BrookingsPR.mspx
What is Cloud Computing?
What is Cloud Computing?
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
NIST definition of Cloud Computing
Cloud Service Architectures as Layers
Cloud Service Models Abstraction Layers
Multi-Tenancy
Cloud Deployment Architectures
Same Old Security Issues
Data Loss, Downtimes, Phishing, Password Cracking, Botnets and Other Malware
Data Loss
"Regrettably, based on Microsoft/Danger's latest recovery assessment of their systems, we must now inform you that personal information stored on your device—such as contacts, calendar entries, to-do lists or photos—that is no longer on your Sidekick almost certainly has been lost as a result of a server failure at Microsoft/Danger."
Downtimes
Phishing
“hey! check out this funny blog about you...”
Password Cracking
Botnets and Malware
Virtualization Security
Features: Isolation, Snapshots
Issues: State Restore, Complexity, Scaling, Transience, Data Lifetime
Virtualization Security Features: Isolation
Using a VM for each application provides isolation
More isolation than running 2 apps on the same server; less than running on 2 physical servers.
Virtualization Security Features: Snapshot
VMs can record state.
In event of security incident, revert VM back to an uncompromised state.
Must be sure to patch VM to avoid recurrence of compromise.
State Restore
VMs can be restored to an infected or vulnerable state using snapshots.
Patching becomes undone. Worms persist at a low level forever due to the reappearance of infected and vulnerable VMs.
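An added example (not from the slides): a pre-revert check over a constructed snapshot inventory and a hypothetical patch baseline, reporting snapshots whose recorded package versions are older than the fixed versions and would therefore undo patching if restored.

```python
# Constructed pre-revert check: before a VM is rolled back to a snapshot,
# compare the package versions recorded in that snapshot with the versions
# that fix known issues. The inventory and baseline below are hypothetical
# data; version strings are assumed to be purely numeric dotted versions.

PATCH_BASELINE = {          # package -> first version carrying the fix
    "openssl": "1.0.2",
    "bash": "4.3.30",
    "kernel": "3.13.0",
}

SNAPSHOTS = [
    {"vm": "web-01", "snapshot": "pre-upgrade", "taken": "2014-03-01",
     "packages": {"openssl": "1.0.1", "bash": "4.3.25", "kernel": "3.13.0"}},
    {"vm": "web-01", "snapshot": "post-patch", "taken": "2014-11-02",
     "packages": {"openssl": "1.0.2", "bash": "4.3.30", "kernel": "3.13.0"}},
    {"vm": "db-01", "snapshot": "golden", "taken": "2014-06-15",
     "packages": {"openssl": "1.0.2", "kernel": "3.12.0"}},   # no bash record
]

def version_key(v):
    """'4.3.30' -> (4, 3, 30) so versions compare numerically, not as text
    ('4.3.9' would otherwise sort after '4.3.30')."""
    return tuple(int(part) for part in v.split("."))

def regressions(snapshot, baseline):
    """{package: (version in snapshot or None, required version)} for every
    baseline package the snapshot would roll back below the fixed version.
    A package missing from the snapshot record is reported too: unknown is
    not safe."""
    found = {}
    for pkg, required in baseline.items():
        have = snapshot["packages"].get(pkg)
        if have is None or version_key(have) < version_key(required):
            found[pkg] = (have, required)
    return found

def unsafe_to_restore(snapshots, baseline):
    """(vm, snapshot) pairs that would reintroduce an already fixed issue."""
    return [(s["vm"], s["snapshot"]) for s in snapshots
            if regressions(s, baseline)]

def check_inventory():
    return unsafe_to_restore(SNAPSHOTS, PATCH_BASELINE)

if __name__ == "__main__":
    for vm, snap in check_inventory():
        print(f"{vm}/{snap}: do not restore without re-patching")
```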
Complexity
The hypervisor may be simple or not, but it is often another layer on top of the host OS, adding complexity and vulnerabilities.
Hypervisor Security
Vulnerability consequences:
Guest code execution with privilege
VM Escape (host code execution)
Xen CVE-2008-1943, VirtualBox CVE-2010-3583
Inter-VM Attacks
Attack via shared clipboard: http://www.securiteam.com/securitynews/5GP021FKKO.html
Use shared folder to alter other VM’s disk image CVE-2007-1744
Scaling
Growth in physical machines limited by budget and setup time.
Adding a VM is as easy as copying a file, leading to explosive growth in VMs.
Rapid scaling can exceed capacity of organization’s security systems.
Transience
Users often have specialized VMs (testing, different app versions, demos, sandboxes) that are not always up, preventing the network from converging to a known state.
Infected machines appear, attack, then disappear from the network before they can be detected.
Vulnerable systems likewise appear too briefly to be detected and patched.
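An added example (not part of the slides): detection logic run over constructed VM lifecycle and scanner logs, in a hypothetical "timestamp key=value" format, that lists VMs which were never scanned while they were up and flags those that lived for less than one scan interval, i.e. the transient machines a periodic scan cannot catch.

```python
from datetime import datetime, timedelta

# Constructed sample logs in a hypothetical "timestamp key=value ..." format:
# VM lifecycle events from the hypervisor and results from a periodic
# vulnerability scanner. Not real log formats.
VM_LOG = """\
2014-05-01T08:00:00 vm=test-42 event=start
2014-05-01T08:20:00 vm=test-42 event=stop
2014-05-01T09:00:00 vm=demo-7 event=start
2014-05-01T23:00:00 vm=demo-7 event=stop
2014-05-02T10:00:00 vm=sandbox-3 event=start
"""
SCAN_LOG = """\
2014-05-01T12:00:00 scanner=vulnscan target=demo-7 result=ok
"""

def parse(line):
    """'ts k=v k=v' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def unscanned_vms(vm_log, scan_log, now, scan_interval=timedelta(hours=6)):
    """Map each VM never scanned while up to 'transient' (up for less than
    one scan interval, so periodic scanning could not have caught it) or
    'unscanned' (up long enough but still missed). A VM still running is
    measured up to `now`. One up-interval per VM is tracked; a later start
    overwrites an earlier one."""
    up = {}
    for rec in map(parse, vm_log.splitlines()):
        if rec["event"] == "start":
            up[rec["vm"]] = [rec["ts"], None]
        elif rec["event"] == "stop" and rec["vm"] in up:
            up[rec["vm"]][1] = rec["ts"]
    scans = {}
    for rec in map(parse, scan_log.splitlines()):
        scans.setdefault(rec["target"], []).append(rec["ts"])
    report = {}
    for vm, (start, stop) in up.items():
        end = stop or now
        if any(start <= t <= end for t in scans.get(vm, [])):
            continue
        report[vm] = "transient" if end - start < scan_interval else "unscanned"
    return report

def report_at(now_iso):
    """Run the check over the sample logs as of the given ISO timestamp."""
    return unscanned_vms(VM_LOG, SCAN_LOG, datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    print(report_at("2014-05-03T00:00:00"))
```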
Data Lifetime
Even though data was correctly sanitized from the VM's disk and/or memory, snapshots can retain multiple copies of both VM memory and disk data.
New Security Issues
Accountability, No Security Perimeter, Larger Attack Surface, New Side Channels, Lack of Auditability, Regulatory Compliance, Data Security
Accountability
No Security Perimeter
Little control over physical or network location of cloud instance VMs
Network access must be controlled on a host-by-host basis.
Larger Attack Surface
(Diagram: Cloud Provider and Your Network)
New Side Channels
You don't know whose VMs are sharing the physical machine with you. Attackers can place their VMs on your machine.
Shared physical resources include: CPU data cache, CPU branch prediction, CPU instruction cache.
In single OS environment, people can extract cryptographic keys with these attacks.
Lack of Auditability
Only cloud provider has access to full network traffic, hypervisor logs, physical machine data.
Need mutual auditability:
Ability of the cloud provider to audit potentially malicious or infected client VMs.
Ability of the cloud customer to audit the cloud provider environment.
Regulatory Compliance
Certifications
Data Security
Data in Transit, Data at Rest, Data in Processing, Data Remanence, Homomorphic Encryption
Data Security
Confidentiality, Integrity and Availability, each for data in Storage, Processing and Transmission.
Plus data remanence.
Public Key Cryptography
An Analogy: Alice’s Jewelry Store
Alice’s workers need to assemble raw materials into jewelry
But Alice is worried about theft. How can the workers process the raw materials without having access to them?
An Analogy: Alice’s Jewelry Store
Alice puts the materials in a locked glove box, for which only she has the key.
Workers assemble the jewelry in the box. Alice unlocks the box to get the "results".
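An added example (not from these slides or from the referenced MIT deck) of the Eval procedure and of the glove-box analogy above: the workers compute on ciphertexts without ever holding the key. It is a simplified symmetric-key variant of the DGHV integer scheme rather than the public-key scheme on the slide; the function names, the circuit encoding and the parameter sizes are choices made here, for illustration and not for real security.

```python
import itertools
import secrets

# Constructed toy of Eval over a Boolean circuit (ADD, MULT mod 2): a
# simplified symmetric-key variant of the DGHV integer scheme, not the
# public-key scheme on the slide; parameters are for illustration only.
# Secret key: a large odd p. A bit m encrypts to c = p*q + 2*r + m with a
# random q and small noise r. Decryption is (c mod p) mod 2 and is correct
# while the accumulated noise stays below p, so circuit depth is limited.

def keygen(bits=256):
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full-size, odd

def encrypt(p, m, noise_bits=8, q_bits=512):
    assert m in (0, 1)
    return p * secrets.randbits(q_bits) + 2 * secrets.randbits(noise_bits) + m

def decrypt(p, c):
    return (c % p) % 2

def eval_circuit(circuit, inputs):
    """Run a circuit given as (op, i, j) gates; wires 0..n-1 are the inputs,
    each gate appends one wire and the last wire is the output. The same
    integer arithmetic works on plaintext bits (reduce mod 2 at the end)
    and on ciphertexts: that is the homomorphic property."""
    wires = list(inputs)
    for op, i, j in circuit:
        if op == "ADD":
            wires.append(wires[i] + wires[j])
        elif op == "MULT":
            wires.append(wires[i] * wires[j])
        else:
            raise ValueError(f"unknown gate {op}")
    return wires[-1]

# majority(a, b, c) = ab + bc + ca mod 2, with wires 0, 1, 2 = a, b, c.
MAJORITY3 = [("MULT", 0, 1), ("MULT", 1, 2), ("MULT", 2, 0),
             ("ADD", 3, 4), ("ADD", 6, 5)]

def eval_encrypted(p, circuit, bits):
    """Encrypt the inputs, evaluate without using the key, then decrypt."""
    return decrypt(p, eval_circuit(circuit, [encrypt(p, b) for b in bits]))

def verify(circuit, n_inputs, p=None):
    """True iff the encrypted evaluation matches the plaintext circuit for
    every possible input assignment."""
    p = keygen() if p is None else p
    return all(eval_encrypted(p, circuit, bits) == eval_circuit(circuit, bits) % 2
               for bits in itertools.product((0, 1), repeat=n_inputs))
```

With the 8-bit noise used here the majority circuit's noise stays far below p; a much deeper circuit would push the noise past p and `decrypt` would start returning wrong bits, which is the "somewhat homomorphic" limitation the fully homomorphic constructions in the cited slides remove.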