Software and Cloud Security

Transcription

1 1 Lecture 12: Software and Cloud Security 2 Lecture 12 : Software and Cloud Security Subjects / Topics : 1. Standard ISO/OSI security services 2. Special problems, specific for software components and modules 3. Trusted software systems 4. Security of cloud environments Page 1 1

2 3 Lecture 12 : Software and Cloud Security Subjects / Topics : 1. Standard ISO/OSI security services 2. Special problems, specific for software components and modules 3. Trusted software systems 4. Security of cloud environments 4 ISO/OSI Security Services 1. Authentication 2. Access control 3. Data confidentiality 4. Data integrity 5. Non - repudiation Page 2 2

3 5 Authentication of SW Components SW user Signature SW vendor SW vendor s key Verification? 6 MS Authenticode System VeriSign SW user Microsoft Signature Page 3 3

4 7 Java Signed Applets javakey SW user SW vendor Signature 8 ISO/OSI Security Services 1. Authentication 2. Access control 3. Data confidentiality 4. Data integrity 5. Non - repudiation Page 4 4

5 9 AC in LAN s OS Security??? UserID 1 0 Standard Operating System Applications Programs Kernel Files Network Page 5 5

6 11 Security Extensions (AC) Applications OS Programs? Kernel Files OK r,w x,d l,c Network 1 2 ISO/OSI Security Services 1. Authentication 2. Access control 3. Data confidentiality 4. Data integrity 5. Non - repudiation Page 6 6

7 1 3 Encrypted Software Encrypted Applications Encrypted Instructions Encryption Decryption OS Clear Instructions Kernel 1 4 ISO/OSI Security Services 1. Authentication 2. Access control 3. Data confidentiality 4. Data integrity 5. Non - repudiation Page 7 7

8 1 5 Part of Authentication SW user Signature SW vendor SW vendor s key Verification? 1 6 Signed Software Signed Applications Signed Code Signing Verification OS Verified Code Kernel Page 8 8

9 1 7 ISO/OSI Security Services 1. Authentication 2. Access control 3. Data confidentiality 4. Data integrity 5. Non - repudiation 1 8 Lecture 12 : Software and Cloud Security Subjects / Topics : 1. Standard ISO/OSI security services 2. Special problems, specific for software components and modules 3. Trusted software systems 4. Security of cloud environments Page 9 9

10 1 9 Specific Aspects 1. Viruses 2. Worms 3. Trojan Horses 4. Copyrighting 5. Licensing 2 0 Viruses Damages Not harmful Potentially harmful Disastrous Page

11 2 1 Viruses Distribution Viruses Activation Page

12 Subject: Normal letter! Date: 7-July-1993! What are you doing?! Subject: Normal letter! Date: 7-July-1993! What are you doing?! Subject: Normal letter! Date: 7-July-1993! What are you doing?! Subject: Normal letter! Date: 7-July-1993! What are you doing?! Subject: Normal letter! Date: 7-July-1993! What are you doing?! 2 3 E mail Attachments and Port 80 From: dsv.su.se! To: ccvax.ucd.ie! Dear Ahmed:! How are you today?! From: dsv.su.se! To: ccvax.ucd.ie! Dear Ahmed:! How are you today?! From: dsv.su.se! To: ccvax.ucd.ie! Dear Ahmed:! How are you today?! From: dsv.su.se! To: ccvax.ucd.ie! Dear Ahmed:! How are you today?! From: dsv.su.se! To: ccvax.ucd.ie! Dear Ahmed:! How are you today?! 2 4 Viruses Effects Page

13 2 5 Detection and Elimination! Virus characteristics ( Signatures )! Updates from vendor s site! Post factum intervention 2 6 Prevention 1. Authentication 2. Access control 3. Data confidentiality 4. Data integrity 5. Non - repudiation Page

14 2 7 Worms and Trojan Horses 2 8 Software Copyright C C Page

15 2 9 Digital Signature Author C 3 0 Activation User Author s Public Key C Page

16 3 1 Software Licensing TM 3 2 Pay per Use Schemes Apache Software Repository SW module Page

17 3 3 Pay per Use Schemes Apache Shared Execution Application data 3 4 Digital Envelope Authorization TM Page

18 3 5 Digital Envelope Authorization TM User s Public Key 3 6 Digital Envelope Activation TM User s Private Key Page

19 3 7 Lecture 12: Software and Cloud Security Subjects / Topics : 1. Standard ISO/OSI security services 2. Special problems, specific for software components and modules 3. Trusted software systems 4. Security of mobile agents 3 8 Trusted Software Systems Trusted Software : 1. Functional correctness 2. Correctness of programs underneath Properties : 1. Functional correctness 2. Enforcement of integrity 3. Limited privileges 4. Appropriate security level Page

20 3 9 OS Controls Mutual Suspicion : 1. Bilateral authentication 2. Balanced exchange of proprietary information Confinement : 1. Limitation of accessible system resources 2. Strict (continuous) control of operations Compartmented Environment Access Log 4 0 Administrative Controls Standards for Program Development : 1. Standards for design stage 2. Standards for program/system documentation 3. Standards for programming and source code evaluation (QA) 4. Standards for testing 5. Standards for configuration management Page

21 4 1 Security in DB Systems All - None Protection of Files/DB Segments Problems: 1. Lack of trust 2. All or nothing not suitable for many situations 3. Rise of timesharing 4. Complexity of access requirements 5. Sensitive file listings 4 2 Alternative Protection Schemes OS Security Extensions Group protection Single permissions 1. Password or other tokens 2. Temporary acquired permissions 3. Per-object and per-user permissions Static vs. dynamic permissions Page

22 4 3 Lecture 12: Software and Cloud Security Subjects / Topics : 1. Standard ISO/OSI security services 2. Special problems, specific for software components and modules 3. Trusted software systems 4. Security of cloud environment 4 4 Page

23 4 5 Cloud Access Points User Wi-Fi App-1 Internet User CAP AAP App-2 User 3G/4G Web 4 6 Cloud Security Components IDMS PDP CA User Wi-Fi Internet App-1 User CAP/FW SAP AAP User 3G/4G App-2 CAP/FW Cloud Access Point / Firewall SAP Security Access Point (Portal Security ) AAP Application Access Point (Cloud Portal) IDMS Identity Management PDP Policy Decision Point CA Certification Authority Page

24 4 7 Architecture of the OpenStack Platform 4 8 OpenStack Components Page

25 4 9 Cloud Services Models Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) SalesForce CRM LotusLive Google App Engine 5 0 Security for Cloud Environment Page

26 5 1 Three Aspects of Security (1) Security services in cloud framework! It deals about all security requirements of cloud framework like auditing, virus scanning and security related to virtualization, security of installed components on virtualized environment, security of hypervisors (2) Security of services! Required to protect sensitive data stored in the cloud environment. it deals normally privacy, confidentiality and integrity of the stored user s data (3) Accessibilities of the data or user s interaction with cloud environment! It deals with availability, authentication, secure communication and authorization issues. In this research activity, we focused to deal issues mentioned in first two areas. 5 2 Open Questions!! How to provide two factor authentication and XACML based access control using smart card and mobile devices in OpenStack?!! How to ensure the protection and integrity of Virtual Machines, its images and live migration to other environment?!! How to ensure the integrity and protection of user-based services which are dynamically loaded in the cloud environment?!! On top of all the above issues the most important is the Key Management and Security of Cryptographic Tokens which should be controlled, only accessible and used by the owner? Page

27 5 3 Components Certification Authority (CA Service) XACML Authorization Service Application -1 Authentication Service IDMS Policy Enforcement Point Application -2 Cloud Access Point Client Client Client Client 5 4 Cloud Central Security Customer HR DB IDMS CA Smart Cards Card Cards Admin Station Admin SAML / PDP Security Admin Cloud Admin Station Auth Internet Internet Cloud Proxy Security Portal Admin Portal Station Admin Cloud VM Internet Web PEP VPN Web User Cloud Station Proxy Cloud VM Docs Page

28 5 5 Lecture 12: Software and Cloud Security Subjects / Topics : 1. Standard ISO/OSI security services 2. Special problems, specific for software components and modules 3. Trusted software systems 4. Security of cloud environments 5 6 Q u e s t i o n s?? Page