Module: Cloud Computing Security


Slide 1: Module: Cloud Computing Security
Professor Trent Jaeger, Penn State University

Slide 2: Cloud Computing Is Here
- Why not use it?
Systems and Internet Infrastructure Security (SIIS) Laboratory

Slide 3: What's Happening in There?

Slide 4: Overview
- Cloud computing replaces physical infrastructure
- Is it safe to trust these services?

Slide 5: From Data Center to Cloud

Slide 6: Reasons to Doubt
- History has shown they are vulnerable to attack
- SLAs, audits, and armed guards offer few guarantees
- Insiders can subvert even hardened systems
Data Loss Incidents, by attack vector (credit: The Open Security Foundation, datalossdb.org):
- External: 54%
- Accidental: 23%
- Insider: 16%
- Unknown: 7%

Slide 7: Cloudy Future
- New problem or new solution?
- New challenges brought on by the cloud (plus old ones)
- Utility could provide a foundation for solving such challenges

Slide 8: Cloudy Future
- Improve on data centers? On home computing?
- Seems like a low bar

Slide 9: What is Cloud Computing?
- Cloud vendor provides managed computing resources for rent by customers
- What do you want to rent?
  - (Virtualized) hosts (Infrastructure as a Service): rent cycles: Amazon EC2, Rackspace Cloud Servers, OpenStack
  - Environment (Platform as a Service): rent instances: Microsoft Azure, Google App Engine
  - Programs (Software as a Service): rent services: Salesforce, Google Docs
- Other variations can be rented

Slide 10: What is Cloud Computing? (diagram only)

Slide 11: IaaS Platform: OpenStack
(Diagram: the Cloud Customer's Client talks to the Cloud API; on the Cloud Vendor side sit the Cloud Database, Message Queue, Network Controller, Scheduler, Image Store and Volume Store, with Instances running on a Cloud Node)

Slide 12: PaaS Platform: Google App
- Platform for deploying language-specific apps: Java, Python, PHP, etc.
- Vendor provides OS and middleware, e.g., web server, interpreters
- Customers deploy their customized apps: you focus on custom code
- Clients use these apps, analogously to IaaS

Slide 13: How to Build an IaaS Cloud?
- Vendors obtain hardware resources for:
  - Various cloud services: API, Messages, Storage, Network, ...
  - Compute nodes for running customer workloads
- Install your hardware: need to choose software configurations specific for services and compute nodes
- Start your hosts: join the cloud (services and available compute nodes)
- Now your cloud is running. Have fun! Customers are ready to use your services and nodes

Slide 14: How to Use an IaaS Cloud?
- Customers choose an OS distribution: these are published by the cloud vendor and others
- Obtain cloud storage necessary to store these and your data
- Configure your instance (VM) prior to starting: enable you to login and others to access the instance's services
- Start your instance: boots the chosen OS distribution with the configurations
- Now your instance is running. Have fun! Login via SSH, or ready for your clients

Slide 15: Multiple Stakeholders
- Clients (Client Data): Are my data protected?
- Service Providers (Cloud Instance (VM)): Are my services running correctly?
- Cloud Administrators (Cloud Node): Is my platform secure?

Slide 16: Cloud Complexity
- Cloud environment challenges: opaque, complex, dynamic
- Insiders, instances, co-hosting
(Diagram: Client; Cloud Platform with a Cloud Service Node and Cloud Nodes hosting VMs)

Slide 17: What Could Go Wrong?
- Trust Model: What do customers depend on from the cloud? Are those parties worthy of our trust?
- Threat Model: Who are potential adversaries in the cloud? Are customers protected from their threats?
- Ideal Security Model: What would be ideal from a security standpoint? How many trusted parties and how many threats?

Slide 18: (excerpt from the AmazonIA paper pasted onto the slide; the excerpt begins mid-sentence, and its right-hand column is cut off at every line in the extraction)

...our case, operates the IaaS cloud infrastructure, authenticates users and bills them for the resources they consumed. The Publisher creates and publicly offers cloud apps, called Amazon Machine Images (AMIs). For this, he selects an existing AMI (AMI-1 in Fig. 1), instantiates it (Instance-1 AMI-1), logs into the running instance to configure it, and finally publishes a snapshot as a new AMI (AMI-2). The Consumer selects this AMI from a list of available AMIs, instantiates it (Instance-2 AMI-2), and uses it for her purposes. Optionally, a Publisher can declare an AMI as paid AMI to earn money from Consumers invoking it.

Published Instances: Consumers use published instances!

Figure 1: Basic System Model of Cloud App Store

Who do you trust? What are threats?

The Cloud App Store poses security challenges for both, Consumers and Publishers (see also [48, 17]). Security of Consumer. The Consumer must trust the Publisher not to include any malware into the AMI. Such a malicious AMI could contain a Trojan horse that spies on or modifies the Consumer's data, or a backdoor for remote login. Even though full protection against such

Right-hand column of the excerpt (each line cut off): code repositories, administ... of credentials of various we... SSH Vulnerabilities in... several vulnerabilities in AM... rect usage and configuratio... tested 1100 public AMIs in... contain an SSH backdoor, i... malicious... and informs affected custom... in which a backdoor was fo... In this paper we show tha... dents are only the tip of the... available AMIs have severe... highly sensitive data. Our Contribution and Ou... After summarizing relat... ground information on the... in 3 we present the followi... Extraction of Sensitiv... AMIs (cf. 4). Through a... to extract highly sensitive i... available EC2 AMIs. To m... effective we developed an a... search strategies and explo... the Amazon cloud. The co... less than $20 while the inf... AMIs would allow an attac... several $10,000 per day and... tion of several companies th... After testing overall 1225... allows remote login for the... ple instances that use the s...

Slide 19: SSH Study [AmazonIA]
- Publisher left an SSH user authentication key in their AMI
  - Fortunately, Amazon agreed that this is a violation
  - Unfortunately, it was not an isolated problem: 30% of 1100 AMIs checked contained such a key
- Also, pre-configured AMIs had SSH host keys
  - Thus, all instances use the same host key pair
- Implications?
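An image-hygiene check in the spirit of the study above, added here as an example (it is not the AmazonIA tooling): it scans a mounted image root for leftover authorized_keys entries and pre-generated SSH host keys, and flags host keys that recur across images, which is exactly the "same host key pair on every instance" condition the slide describes. The scanned paths are the usual OpenSSH locations; the key material and image names are constructed.

```python
import base64
import hashlib
import struct
import tempfile
from collections import defaultdict
from pathlib import Path

# Paths, relative to the mounted image root, where a publisher's credentials survive
# a snapshot: user authorized_keys files and pre-generated SSH host keys.
AUTHORIZED_KEYS_GLOBS = ("root/.ssh/authorized_keys", "home/*/.ssh/authorized_keys")
HOST_KEY_GLOB = "etc/ssh/ssh_host_*_key"


def key_fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public-key line, as ssh-keygen -lf prints it."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def scan_image_root(root):
    """Report leftover user keys and baked-in host keys found under a mounted image root."""
    root = Path(root)
    findings = []
    for pattern in AUTHORIZED_KEYS_GLOBS:
        for path in root.glob(pattern):
            for line in path.read_text().splitlines():
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                fields = line.split()
                findings.append({"kind": "leftover_authorized_key",
                                 "path": str(path.relative_to(root)),
                                 "fingerprint": key_fingerprint(line),
                                 "comment": fields[2] if len(fields) > 2 else ""})
    for path in root.glob(HOST_KEY_GLOB):
        # A host key shipped inside the image gives every instance booted from it the
        # same host identity; hash the file so it can be matched across images.
        findings.append({"kind": "baked_host_key",
                         "path": str(path.relative_to(root)),
                         "fingerprint": hashlib.sha256(path.read_bytes()).hexdigest()[:16]})
    return findings


def shared_host_keys(findings_by_image):
    """Host-key fingerprints that occur in more than one image, with the images they appear in."""
    images = defaultdict(list)
    for image, findings in findings_by_image.items():
        for f in findings:
            if f["kind"] == "baked_host_key":
                images[f["fingerprint"]].append(image)
    return {fp: imgs for fp, imgs in images.items() if len(imgs) > 1}


def build_sample_image(root, host_key_bytes):
    """Constructed image root (not a real AMI): one leftover publisher key plus a baked host key."""
    root = Path(root)
    ssh_string = lambda b: struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([0x42]) * 32)  # well-formed, not a real key
    pubkey_line = "ssh-ed25519 " + base64.b64encode(blob).decode() + " publisher@build-host"
    (root / "root/.ssh").mkdir(parents=True, exist_ok=True)
    (root / "root/.ssh/authorized_keys").write_text("# left behind by the publisher\n" + pubkey_line + "\n")
    (root / "etc/ssh").mkdir(parents=True, exist_ok=True)
    (root / "etc/ssh/ssh_host_ed25519_key").write_bytes(host_key_bytes)
    return root


def run_demo():
    """Scan two constructed images snapshotted from the same configured instance."""
    with tempfile.TemporaryDirectory() as tmp:
        host_key = b"CONSTRUCTED PRIVATE HOST KEY MATERIAL"
        scans = {name: scan_image_root(build_sample_image(Path(tmp) / name, host_key))
                 for name in ("ami-1", "ami-2")}
    return {"scans": scans, "shared_host_keys": shared_host_keys(scans)}


if __name__ == "__main__":
    result = run_demo()
    for image, findings in result["scans"].items():
        for f in findings:
            print(image, f["kind"], f["path"], f["fingerprint"])
    print("host keys shared across images:", result["shared_host_keys"])
```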

Slide 20: Security Configuration
- Zillions of security-relevant configurations for instances
- Do you have the right code and data installed? Are you running the expected code?
- Discretionary access control
- Firewalls
- Mandatory access control: SELinux, AppArmor, TrustedBSD, Trusted Solaris, MIC
- Application policies (e.g., Database, Apache)
- Pluggable Authentication Modules (PAM)
- Application configuration files
- Plus new configuration tasks for the cloud, e.g., storage

Slide 21: Cloud Service Vulnerabilities
- Vulnerabilities have been found in cloud services, e.g., OpenStack identity service, web interface, and API service
- Adversaries who compromise such services may launch a variety of attacks, e.g., Key Injection Attack
Fig. 3: Key Injection Attack (diagram). Step 1: "nova keypair-add mykey" goes to the API Service, which stores "mykey: ssh-rsa ABC" in the Database. Step 2: "nova boot --key-name mykey" goes to the API Service, which hands the key to the Compute Service; the instance ends up with ssh-rsa DEF rather than the registered ssh-rsa ABC. (Caption text from the source paper is cut off in the extraction: "...mised cloud services by... compute the ser... ker crafted responses... service reponse (i.e.... lify and analyze each... btain sensitive data... ugh taking a snapshot")
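An added example, not code from the slide or its source paper, that models the two steps of the figure and the customer-side check that catches the substitution: after boot, the customer compares the fingerprints in the instance's authorized_keys against the key held locally rather than against what the API reports, since the API service is the component whose honesty is in question. The key lines, the KeypairDatabase class and the api_service callables are constructed stand-ins for the OpenStack components.

```python
import base64
import hashlib
import struct


def ssh_fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public-key line, in the form ssh-keygen -lf prints."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def constructed_pubkey_line(fill_byte, comment):
    """Constructed ssh-ed25519 public-key line: correct wire format, not a real key."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill_byte]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


class KeypairDatabase:
    """Step 1 of the figure: 'nova keypair-add mykey' stores the customer's key in the cloud database."""

    def __init__(self):
        self.keys = {}

    def keypair_add(self, name, pubkey_line):
        self.keys[name] = pubkey_line


def boot_instance(db, key_name, api_service):
    """Step 2 of the figure: 'nova boot --key-name mykey'. The API service is supposed to hand
    the stored key to the compute service, which injects it into the instance's authorized_keys.
    api_service models the API service's response; returns the instance's authorized_keys file."""
    injected = api_service(db.keys[key_name])
    return "# injected by compute service\n" + injected + "\n"


def honest_api(stored_key):
    return stored_key


def substituting_api(stored_key):
    # The failure mode on the slide: a compromised API service answers with a different key
    # ("ssh-rsa DEF" in the figure) than the one the customer registered ("ssh-rsa ABC").
    return constructed_pubkey_line(0xDE, "not-the-customers-key")


def verify_instance_keys(customer_pubkey_line, instance_authorized_keys):
    """Customer-side check: compare what the instance accepts with the key held locally."""
    expected = ssh_fingerprint(customer_pubkey_line)
    found = [ssh_fingerprint(line) for line in instance_authorized_keys.splitlines()
             if line.strip() and not line.startswith("#")]
    return {"expected_present": expected in found,
            "unexpected": [fp for fp in found if fp != expected]}


def run_scenario(api_service):
    customer_key = constructed_pubkey_line(0xAB, "customer@laptop")  # "ssh-rsa ABC" in the figure
    db = KeypairDatabase()
    db.keypair_add("mykey", customer_key)
    authorized_keys = boot_instance(db, "mykey", api_service)
    return verify_instance_keys(customer_key, authorized_keys)


if __name__ == "__main__":
    print("honest API:      ", run_scenario(honest_api))
    print("substituting API:", run_scenario(substituting_api))
```

Any fingerprint in the "unexpected" list is a key the customer never registered and is the signal to stop trusting the instance and the service that provisioned it.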

Slide 22: Insiders
- Although the vendor may have a good reputation, not every employee may
(Diagram, "Embracing the cloud": the Cloud Provider tells the Client "Trust me with your code & data"; the cloud operators add "You have to trust us as well")
- Problem #1: Client code & data secrecy and integrity vulnerable to attack

Slide 23: Insider Threats
- May trust the cloud vendor company. But, do you trust all its employees?
- Insiders can control the platform: determine what software runs consumers' code
- Insiders can monitor execution: log instance operation from remote
- Insiders may have physical access: can monitor hardware, access physical memory, and tamper with secure co-processors

Slide 24: Co-Hosting Threats
- An instance co-hosted on the same physical platform could launch attacks against your instance
- Co-hosted instances share resources: CPU, cache, memory, network, etc.
- Shared resources may be used as side channels to learn information about a resource or impact its behavior

Slide 25: Resource Freeing Attacks
Setup:
- Victims: one or more VMs with a public interface
- Beneficiary: VM whose performance we want to improve (contends with the victim over the target resource)
- Helper: mounts the attack using the public interface
(Diagram: Victim VMs, Beneficiary, Helper)

Slide 26: Resource Freeing Attacks
- Resource contention over the CPU: schedule the beneficiary more frequently
- Attack: shift resource usage via the public interface
  - Normally, the victim is scheduled and pollutes the cache
  - Approach: lower scheduling priority by making the victim appear CPU-bound
(Plot: RFA intensities, time in ms per second; labels: 60% performance improvement, 196% slowdown, 86% slowdown)

Slide 27: Preventing Vulnerabilities
- How would you prevent these threats?
  - Misconfigured instances
  - Untrusted cloud services
  - Insiders
  - Side channels
- (Attacks on the cloud platform also)

Slide 28: Verifiable Computation
- Your services are black boxes, to the cloud!
- Send a program and encrypted data; the program computes over the encrypted data
- Scheme: KeyGen (for Program), Compute (Program), Verify
- Depends on heavy crypto: homomorphic encryption
(Diagram: Client sends Data to the Service)

Slide 29: Pinocchio [Oakland 2013]
- New cryptographic protocol for general-purpose public verifiable computation with support for zero-knowledge arguments
- Big advance: performance
  - History: PCP (2007) = 72 trillion years, GGP (2010) = 37 centuries, Pepper/Ginger (2012) = 6 orders of magnitude (oom) improvement, Pinocchio = 7 oom improvement (often ~10 ms)
- Encoding in quadratic programs; signature depends only on the security constant
- Idea behind quadratic arithmetic programs: each multiplication gate is a small expression. Construct polynomials that encode the equations, such that if the evaluation is correct, then D(z) | P(z), i.e., D(z) divides P(z). Then the protocol just checks divisibility at a random point
- Beats local C execution (for verification)
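The divisibility idea worked through in code, as an added example (not Pinocchio's implementation): a two-gate circuit out = (a*b)*c is turned into a quadratic arithmetic program over the rationals, and a witness is accepted iff the target polynomial t(x) (the slide's D) divides p(x) (the slide's P); the last function performs the random-point check the protocol relies on instead of full division. The wire and gate names and the witness values are constructed.

```python
from fractions import Fraction
import random

# Polynomials over the rationals as coefficient lists, lowest degree first.

def p_add(a, b):
    n = max(len(a), len(b))
    return [(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)]

def p_mul(a, b):
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def p_scale(a, s):
    return [x * s for x in a]

def p_eval(a, z):
    return sum((c * z ** i for i, c in enumerate(a)), Fraction(0))

def p_divmod(num, den):
    """Polynomial long division; returns (quotient, remainder)."""
    num = list(num)
    quot = [Fraction(0)] * max(1, len(num) - len(den) + 1)
    while len(num) >= len(den):
        shift = len(num) - len(den)
        coef = num[-1] / den[-1]
        quot[shift] = coef
        for i, d in enumerate(den):
            num[shift + i] -= coef * d
        num.pop()  # leading coefficient is now zero
    return quot, num

def lagrange_basis(roots, i):
    """L_i(x) is 1 at roots[i] and 0 at every other root."""
    poly = [Fraction(1)]
    for j, rj in enumerate(roots):
        if j != i:
            poly = p_mul(poly, [-rj / (roots[i] - rj), 1 / (roots[i] - rj)])
    return poly

def build_qap(wires, gates):
    """gates: (left_wire, right_wire, output_wire) per multiplication gate; gate g gets root g+1.
    Returns per-wire polynomials V, W, Y and the target t(x) = prod over gates of (x - root)."""
    roots = [Fraction(g + 1) for g in range(len(gates))]
    V = {w: [Fraction(0)] for w in wires}
    W = {w: [Fraction(0)] for w in wires}
    Y = {w: [Fraction(0)] for w in wires}
    for g, (left, right, out) in enumerate(gates):
        basis = lagrange_basis(roots, g)
        V[left] = p_add(V[left], basis)
        W[right] = p_add(W[right], basis)
        Y[out] = p_add(Y[out], basis)
    t = [Fraction(1)]
    for r in roots:
        t = p_mul(t, [-r, Fraction(1)])
    return V, W, Y, t

def qap_polynomial(qap, witness):
    """p(x) = (sum s_k V_k)(sum s_k W_k) - sum s_k Y_k, so p(root_g) = left*right - out of gate g."""
    V, W, Y, _ = qap
    v = w = y = [Fraction(0)]
    for wire, value in witness.items():
        v = p_add(v, p_scale(V[wire], Fraction(value)))
        w = p_add(w, p_scale(W[wire], Fraction(value)))
        y = p_add(y, p_scale(Y[wire], Fraction(value)))
    return p_add(p_mul(v, w), p_scale(y, -1))

def witness_is_valid(qap, witness):
    """Full divisibility test: t(x) divides p(x) iff every gate equation holds."""
    _, rem = p_divmod(qap_polynomial(qap, witness), qap[3])
    return all(c == 0 for c in rem)

def random_point_check(qap, witness, z=None):
    """What the verifier does instead: the prover supplies h = p / t and the verifier checks
    p(z) == h(z) * t(z) at a random z; a wrong witness fails except at the few roots of p - h*t."""
    p = qap_polynomial(qap, witness)
    h, _ = p_divmod(p, qap[3])
    z = Fraction(random.randrange(1, 10**9) if z is None else z)
    return p_eval(p, z) == p_eval(h, z) * p_eval(qap[3], z)

# Constructed circuit out = (a*b)*c as two multiplication gates.
WIRES = ["a", "b", "c", "m", "out"]
GATES = [("a", "b", "m"), ("m", "c", "out")]
QAP = build_qap(WIRES, GATES)
GOOD_WITNESS = {"a": 3, "b": 4, "c": 5, "m": 12, "out": 60}
BAD_WITNESS = {"a": 3, "b": 4, "c": 5, "m": 13, "out": 60}  # first gate equation violated

if __name__ == "__main__":
    for name, wit in (("good", GOOD_WITNESS), ("bad", BAD_WITNESS)):
        print(name, witness_is_valid(QAP, wit), random_point_check(QAP, wit, z=7))
```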

Slide 30: Integrity Monitor Concept
- Integrity monitor similar to a reference monitor: mediate access to the service based on integrity criteria
(Diagram: Client sends Data through the Integrity Monitor to the Service)
- Challenges:
  - Where do we measure integrity-relevant events?
  - How do we verify ongoing integrity?
  - How can we deploy this in a cloud environment?

Slide 31: Excalibur: Policy-sealed data [USENIX Sec 2012b]
- Do not release my data to the cloud until that cloud satisfies my requirements (customer-chosen policy)
- How to ensure that only nodes that satisfy the customer-chosen policy get data?
- Attribute-based encryption: encrypt data using an ABE description of the load-time configuration
- A verifiable monitor is trusted to delegate correct credentials to nodes (using hardware-based attestations, e.g., via TPM)

Slide 32: Excalibur Approach
Excalibur Architecture (from Nuno Santos's slides, 4/19/13):
- Check node configurations
- Monitor attests nodes in the background
- Scalable policy enforcement
- CP-ABE operations at a client-side library
(Diagram: the Customer seals data; the Monitor attests Datacenter nodes and sends them credentials; the Customer sends Policy-Sealed Data to the nodes, which unseal it)

Slide 33: Runtime Monitoring
- Excalibur does not address runtime issues with the instance
- Customers may want to ensure that clients of their services only receive communications from satisfactory instances
- Customers may want to take remediative actions

Slide 34: Integrity Verification Proxy
- Clients specify criteria to be enforced by a channel mediator [TRUST 2012]
- A set of measurement modules verifies the criteria
  - Loadtime modules measure VM components
  - VM introspection examines runtime criteria
  - E.g., binaries/data loaded, enforcement disabled, policy changes, kernel data (binary handler), etc.
(Diagram: the Client (1) registers criteria with the Integrity Verification Proxy and (2) verifies the Monitor / Node; the proxy's measurement modules and framework (3) verify the VM; the Client (4) connects through the Channel Mediator to the VM on the Cloud Node; the proxy (5) reports violations)
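A channel mediator in the style of the proxy above, added as an example (not the TRUST 2012 code): loadtime measurements are checked against client-registered known-good hashes and replayed into a PCR-style register to compare with the value the node attested, and introspection-visible runtime properties are checked against required values; any failure blocks the connection and is reported as the violation list. Component paths, hashes and property names are constructed.

```python
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def extend_register(register, measurement_hex):
    """PCR-style extend, new = H(old || measurement): the attested register commits to the
    whole measurement log in order, so an edited log no longer replays to it."""
    return hashlib.sha256(register + bytes.fromhex(measurement_hex)).digest()


def replay_log(log):
    register = bytes(32)
    for entry in log:
        register = extend_register(register, entry["hash"])
    return register


class ChannelMediator:
    """Enforces client-registered criteria before a connection to the VM is allowed."""

    def __init__(self, loadtime_criteria, runtime_criteria):
        self.loadtime = loadtime_criteria   # component path -> set of known-good sha256 hex
        self.runtime = runtime_criteria     # introspection-visible property -> required value

    def evaluate(self, measurement_log, attested_register, runtime_state):
        violations = []
        # Loadtime modules: the log must match what the node attested, and every measured
        # component must be one the client expects, with a known-good hash.
        if replay_log(measurement_log) != attested_register:
            violations.append("measurement log does not replay to the attested register")
        for entry in measurement_log:
            allowed = self.loadtime.get(entry["subject"])
            if allowed is None:
                violations.append("unexpected component loaded: " + entry["subject"])
            elif entry["hash"] not in allowed:
                violations.append(entry["subject"] + " hash is not in the known-good set")
        # Runtime criteria: observed by VM introspection after boot (enforcement state, policy).
        for name, required in self.runtime.items():
            if runtime_state.get(name) != required:
                violations.append("runtime criterion %s: expected %r, observed %r"
                                  % (name, required, runtime_state.get(name)))
        return {"decision": "connect" if not violations else "block", "violations": violations}


# Constructed sample criteria (no real kernel, binary or policy is measured here).
KNOWN_GOOD = {
    "/boot/vmlinuz": {sha256_hex(b"constructed kernel image v1")},
    "/usr/sbin/sshd": {sha256_hex(b"constructed sshd binary v1")},
    "/etc/selinux/targeted/policy": {sha256_hex(b"constructed selinux policy v1")},
}
RUNTIME_REQUIRED = {"selinux_enforcing": True, "binfmt_misc_handlers_registered": 0}


def run_scenarios():
    mediator = ChannelMediator(KNOWN_GOOD, RUNTIME_REQUIRED)
    log = [{"module": "loadtime", "subject": path, "hash": next(iter(hashes))}
           for path, hashes in KNOWN_GOOD.items()]
    attested = replay_log(log)   # what a TPM quote over the node's register would report
    good_state = {"selinux_enforcing": True, "binfmt_misc_handlers_registered": 0}

    # After boot, introspection observes that enforcement has been switched off.
    disabled_state = dict(good_state, selinux_enforcing=False)

    # The sshd log entry was rewritten after the fact; the attested register is unchanged.
    edited_log = [dict(e) for e in log]
    edited_log[1]["hash"] = sha256_hex(b"constructed sshd binary, replaced")

    return {
        "healthy": mediator.evaluate(log, attested, good_state),
        "enforcement_disabled": mediator.evaluate(log, attested, disabled_state),
        "edited_log": mediator.evaluate(edited_log, attested, good_state),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result["decision"], result["violations"])
```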

Slide 35: Cloud Verifier Overview
- Cloud Anchor [CCSW 2010, TrustCom 2012] + IVP in OpenStack [CSAW 2013]
- Client monitors the CV and cloud criteria
- CV monitors the cloud node
- IVP monitors the cloud instance
(Diagram: the Client provides criteria to the Cloud Verifier; client criteria are sent to the IVP on the Node hosting the Cloud Instance; responses: the Client stops using the Cloud, the Cloud Node is disabled, the connection is blocked at the Cloud Node)

Slide 36: Customer-Driven Monitoring
- CV/IVP limitation: the IVP must be trusted by the cloud vendor (part of the management VM)
- What if you need to perform monitoring that the cloud vendors will not support?

Slide 37: Self-Service Clouds
- Customizable cloud platform stack [CCS 2012]
- Why do these problems arise?
(Diagram: Management VM (dom0) alongside Work VMs on the Hypervisor on Hardware; slides courtesy of Vinod Ganapathy)

Slide 38: Self-Service Clouds
- Customizable cloud platform stack [CCS 2012]
- Our solution: SSC: Self-service cloud computing
(Diagram: Management VM and Client's VMs on the Hypervisor on Hardware)

Slide 39: Self-Service Clouds
- Customizable cloud platform stack [CCS 2012]
- An SSC platform: UDom0 boots customer-defined Service VMs
(Diagram: SDom0; the Client's meta-domain containing UDom0, a Service VM and Work VMs; SSC Hypervisor; Hardware equipped with a Trusted Platform Module (TPM) chip)

Slide 40: Take Away
- Cloud computing is here to stay, in some form
- May be a solution or a problem, or both
- Introduces new types of vulnerabilities into systems we ran on data centers, which had vulnerabilities to begin with
- Ultimately, have to improve service providers' jobs: make it easy to ensure that systems perform as expected
- Two possible methods: verifiable computation and instance monitoring

CSE543 Computer and Network Security Module: Cloud Computing



More information

idash Infrastructure to Host Sensitive Data: HIPAA Cloud Storage and Compute

idash Infrastructure to Host Sensitive Data: HIPAA Cloud Storage and Compute integrating Data for Analysis, Anonymization, and SHaring idash Infrastructure to Host Sensitive Data: HIPAA Cloud Storage and Compute Claudiu Farcas, Antonios Koures Outline Infrastructure Overview Typical

More information

International Journal of Innovative Technology & Adaptive Management (IJITAM) ISSN: 2347-3622, Volume-1, Issue-5, February 2014

International Journal of Innovative Technology & Adaptive Management (IJITAM) ISSN: 2347-3622, Volume-1, Issue-5, February 2014 An Overview on Cloud Computing Services And Related Threats Bipasha Mallick Assistant Professor, Haldia Institute Of Technology bipasm@gmail.com Abstract. Cloud computing promises to increase the velocity

More information

Virtualization System Security

Virtualization System Security Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation Overview Vulnerability disclosure analysis Vulnerability

More information

Cloud computing: benefits, risks and recommendations for information security

Cloud computing: benefits, risks and recommendations for information security Cloud computing: benefits, risks and recommendations for information security Dr Giles Hogben Secure Services Programme Manager European Network and Information Security Agency (ENISA) Goals of my presentation

More information

Protection Profile for Server Virtualization

Protection Profile for Server Virtualization Protection Profile for Server Virtualization 29 October 2014 Version 1.0 i 0 Preface 0.1 Objectives of Document This document presents the Common Criteria (CC) Protection Profile (PP) to express the fundamental

More information

Cloud Computing using

Cloud Computing using Cloud Computing using Summary of Content Introduction of Cloud Computing Cloud Computing vs. Server Virtualization Cloud Computing Components Stack Public vs. Private Clouds Open Source Software for Private

More information

CSE543 - Introduction to Computer and Network Security. Module: Final review

CSE543 - Introduction to Computer and Network Security. Module: Final review CSE543 - Introduction to Computer and Network Security Module: Final review Professor Trent Jaeger Fall 2012 1 Since Midterm Firewalls Intrusion Detection Malware Botnets Web Security Virtualization Cloud

More information

Oracle Applications and Cloud Computing - Future Direction

Oracle Applications and Cloud Computing - Future Direction Oracle Applications and Cloud Computing - Future Direction February 26, 2010 03:00 PM 03:40 PM Presented By Subash Krishnaswamy skrishna@astcorporation.com Vijay Tirumalai vtirumalai@astcorporation.com

More information

Making Data Security The Foundation Of Your Virtualization Infrastructure

Making Data Security The Foundation Of Your Virtualization Infrastructure Making Data Security The Foundation Of Your Virtualization Infrastructure by Dave Shackleford hytrust.com Cloud Under Control P: P: 650.681.8100 Securing data has never been an easy task. Its challenges

More information

Cloud Hosting. QCLUG presentation - Aaron Johnson. Amazon AWS Heroku OpenShift

Cloud Hosting. QCLUG presentation - Aaron Johnson. Amazon AWS Heroku OpenShift Cloud Hosting QCLUG presentation - Aaron Johnson Amazon AWS Heroku OpenShift What is Cloud Hosting? According to the Wikipedia - 2/13 Cloud computing, or in simpler shorthand just "the cloud", focuses

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

Sentinet for Windows Azure SENTINET

Sentinet for Windows Azure SENTINET Sentinet for Windows Azure SENTINET Sentinet for Windows Azure 1 Contents Introduction... 2 Customer Benefits... 2 Deployment Topologies... 3 Isolated Deployment Model... 3 Collocated Deployment Model...

More information

Cloud Terminal: Secure Access to Sensitive Applications from Untrusted Systems

Cloud Terminal: Secure Access to Sensitive Applications from Untrusted Systems Cloud Terminal: Secure Access to Sensitive Applications from Untrusted Systems Lorenzo Martignoni, Pongsin Poosankam, y Matei Zaharia, Jun Han, y Stephen McCamant, Dawn Song, Vern Paxson, Adrian Perrig,

More information

Mutual Authentication Cloud Computing Platform based on TPM

Mutual Authentication Cloud Computing Platform based on TPM Mutual Authentication Cloud Computing Platform based on TPM Lei Peng 1, Yanli Xiao 2 1 College of Information Engineering, Taishan Medical University, Taian Shandong, China 2 Department of Graduate, Taishan

More information

24/11/14. During this course. Internet is everywhere. Frequency barrier hit. Management costs increase. Advanced Distributed Systems Cloud Computing

24/11/14. During this course. Internet is everywhere. Frequency barrier hit. Management costs increase. Advanced Distributed Systems Cloud Computing Advanced Distributed Systems Cristian Klein Department of Computing Science Umeå University During this course Treads in IT Towards a new data center What is Cloud computing? Types of Clouds Making applications

More information

Mandatory Access Control in Linux

Mandatory Access Control in Linux Mandatory Access Control in Linux CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ In the early 2000s Root and administrator Many

More information

Self-service Cloud Computing

Self-service Cloud Computing Self-service Cloud Computing Vinod Ganapathy vinodg@cs.rutgers.edu Department of Computer Science Rutgers University 2 The modern computing spectrum The Cloud Web browsers and other apps Smartphones and

More information

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive Cloud Security Through Threat Modeling Robert M. Zigweid Director of Services for IOActive 1 Key Points Introduction Threat Model Primer Assessing Threats Mitigating Threats Sample Threat Model Exercise

More information

VIRTUALIZATION INTROSPECTION SYSTEM ON KVM-BASED CLOUD COMPUTING PLATFORMS. 100356010@nccu.edu.tw Advisor: yuf@nccu.edu.tw Software Security Lab.

VIRTUALIZATION INTROSPECTION SYSTEM ON KVM-BASED CLOUD COMPUTING PLATFORMS. 100356010@nccu.edu.tw Advisor: yuf@nccu.edu.tw Software Security Lab. VIRTUALIZATION INTROSPECTION SYSTEM ON KVM-BASED CLOUD COMPUTING PLATFORMS 100356010@nccu.edu.tw Advisor: yuf@nccu.edu.tw Software Security Lab. Motivation The era of cloud computing Motivation In the

More information

Public Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

Public Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc. Public Clouds Krishnan Subramanian Analyst & Researcher Krishworld.com A whitepaper sponsored by Trend Micro Inc. Introduction Public clouds are the latest evolution of computing, offering tremendous value

More information

Top virtualization security risks and how to prevent them

Top virtualization security risks and how to prevent them E-Guide Top virtualization security risks and how to prevent them There are multiple attack avenues in virtual environments, but this tip highlights the most common threats that are likely to be experienced

More information

PLATFORM-AS-A-SERVICE: ADOPTION, STRATEGY, PLANNING AND IMPLEMENTATION

PLATFORM-AS-A-SERVICE: ADOPTION, STRATEGY, PLANNING AND IMPLEMENTATION PLATFORM-AS-A-SERVICE: ADOPTION, STRATEGY, PLANNING AND IMPLEMENTATION White Paper May 2012 Abstract Whether enterprises choose to use private, public or hybrid clouds, the availability of a broad range

More information

Security Model for VM in Cloud

Security Model for VM in Cloud Security Model for VM in Cloud 1 Venkataramana.Kanaparti, 2 Naveen Kumar R, 3 Rajani.S, 4 Padmavathamma M, 5 Anitha.C 1,2,3,5 Research Scholars, 4Research Supervisor 1,2,3,4,5 Dept. of Computer Science,

More information

Security Considerations for Public Mobile Cloud Computing

Security Considerations for Public Mobile Cloud Computing Security Considerations for Public Mobile Cloud Computing Ronnie D. Caytiles 1 and Sunguk Lee 2* 1 Society of Science and Engineering Research Support, Korea rdcaytiles@gmail.com 2 Research Institute of

More information

Cloud computing an insight

Cloud computing an insight Cloud computing an insight Overview IT infrastructure is changing according the fast-paced world s needs. People in the world want to stay connected with Work / Family-Friends. The data needs to be available

More information

Iaas for Private and Public Cloud using Openstack

Iaas for Private and Public Cloud using Openstack Iaas for Private and Public Cloud using Openstack J. Beschi Raja, Assistant Professor, Department of CSE, Kalasalingam Institute of Technology, TamilNadu, India, K.Vivek Rabinson, PG Student, Department

More information

T-110.5121 Mobile Cloud Computing Private Cloud & Assignment 2 19.10.2011

T-110.5121 Mobile Cloud Computing Private Cloud & Assignment 2 19.10.2011 T-110.5121 Mobile Cloud Computing Private Cloud & Assignment 2 19.10.2011 Yrjö Raivio, Koushik Annapureddy, Ramasivakarthik Mallavarapu Aalto University, School of Science Department of Computer Science

More information

How to Keep a Cloud Environment Current, Secure and Available October 16, 2014

How to Keep a Cloud Environment Current, Secure and Available October 16, 2014 How to Keep a Cloud Environment Current, Secure and Available October 16, 2014 Brought to you by Vivit Cloud Builders Special Interest Group www.vivit-worldwide.org Hosted by Sumit Sengupta Information

More information

Modeling Public Pensions with Mathematica and Python II

Modeling Public Pensions with Mathematica and Python II Modeling Public Pensions with Mathematica and Python II Brian Drawert, PhD UC Santa Barbara & AppScale Systems, Inc Sponsored by Novim & Laura and John Arnold Foundation Pension Calculation: From Mathematica

More information

Sistemi Operativi e Reti. Cloud Computing

Sistemi Operativi e Reti. Cloud Computing 1 Sistemi Operativi e Reti Cloud Computing Facoltà di Scienze Matematiche Fisiche e Naturali Corso di Laurea Magistrale in Informatica Osvaldo Gervasi ogervasi@computer.org 2 Introduction Technologies

More information

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES Contents Introduction... 3 DRM Threat Model... 3 DRM Flow... 4 DRM Assets... 5 Threat Model... 5 Protection of

More information

Cloud Computing 159.735. Submitted By : Fahim Ilyas (08497461) Submitted To : Martin Johnson Submitted On: 31 st May, 2009

Cloud Computing 159.735. Submitted By : Fahim Ilyas (08497461) Submitted To : Martin Johnson Submitted On: 31 st May, 2009 Cloud Computing 159.735 Submitted By : Fahim Ilyas (08497461) Submitted To : Martin Johnson Submitted On: 31 st May, 2009 Table of Contents Introduction... 3 What is Cloud Computing?... 3 Key Characteristics...

More information

NCTA Cloud Operations

NCTA Cloud Operations NCTA Cloud Operations 093018 Lesson 1: Cloud Operations Topic A: Overview of Cloud Computing Solutions Identify the core concepts of cloud computing. Operations Terminology Identify the terminology used

More information

Virtualization & Cloud Computing (2W-VnCC)

Virtualization & Cloud Computing (2W-VnCC) Virtualization & Cloud Computing (2W-VnCC) DETAILS OF THE SYLLABUS: Basics of Networking Types of Networking Networking Tools Basics of IP Addressing Subnet Mask & Subnetting MAC Address Ports : Physical

More information

Protecting the Cloud from Inside

Protecting the Cloud from Inside Protecting the Cloud from Inside Intra-cloud security intelligence Protection of Linux containers Mitigation of NoSQL injections Alexandra Shulman-Peleg, PhD Cloud Security Researcher, IBM Cyber Security

More information

SUSE Cloud 2.0. Pete Chadwick. Douglas Jarvis. Senior Product Manager pchadwick@suse.com. Product Marketing Manager djarvis@suse.

SUSE Cloud 2.0. Pete Chadwick. Douglas Jarvis. Senior Product Manager pchadwick@suse.com. Product Marketing Manager djarvis@suse. SUSE Cloud 2.0 Pete Chadwick Douglas Jarvis Senior Product Manager pchadwick@suse.com Product Marketing Manager djarvis@suse.com SUSE Cloud SUSE Cloud is an open source software solution based on OpenStack

More information

Cloud Computing Security Master Seminar, Summer 2011

Cloud Computing Security Master Seminar, Summer 2011 Cloud Computing Security Master Seminar, Summer 2011 Maxim Schnjakin, Wesam Dawoud, Christian Willems, Ibrahim Takouna Chair for Internet Technologies and Systems Definition of Cloud Computing 2 Cloud

More information

Scyld Cloud Manager User Guide

Scyld Cloud Manager User Guide Scyld Cloud Manager User Guide Preface This guide describes how to use the Scyld Cloud Manager (SCM) web portal application. Contacting Penguin Computing 45800 Northport Loop West Fremont, CA 94538 1-888-PENGUIN

More information

Performance Management for Cloudbased STC 2012

Performance Management for Cloudbased STC 2012 Performance Management for Cloudbased Applications STC 2012 1 Agenda Context Problem Statement Cloud Architecture Need for Performance in Cloud Performance Challenges in Cloud Generic IaaS / PaaS / SaaS

More information

Cloud Courses Description

Cloud Courses Description Cloud Courses Description Cloud 101: Fundamental Cloud Computing and Architecture Cloud Computing Concepts and Models. Fundamental Cloud Architecture. Virtualization Basics. Cloud platforms: IaaS, PaaS,

More information

UNCLASSIFIED Version 1.0 May 2012

UNCLASSIFIED Version 1.0 May 2012 Secure By Default: Platforms Computing platforms contain vulnerabilities that can be exploited for malicious purposes. Often exploitation does not require a high degree of expertise, as tools and advice

More information