Cloud Security. Let s Open the Box. Abu Shohel Ahmed ahmed.shohel@ericsson.com NomadicLab, Ericsson Research

Similar documents
Security Issues in Cloud Computing

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Cloud Security:Threats & Mitgations

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

How To Protect Your Cloud Computing Resources From Attack

SECURE CLOUD COMPUTING

CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST618 Designing and Implementing Cloud Security CAST

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

APIs The Next Hacker Target Or a Business and Security Opportunity?

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

Cloud Security & Standardization. Markku Siltanen Tietoturvakonsultti CISA, CGEIT, CRISC

Cloud Essentials for Architects using OpenStack

Cloud security architecture

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

A Secure Authenticate Framework for Cloud Computing Environment

Cloud-Security: Show-Stopper or Enabling Technology?

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Software and Cloud Security

Cloud Security. DLT Solutions LLC June #DLTCloud

D. L. Corbet & Assoc., LLC

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

Where every interaction matters.

Evaluating IaaS security risks

Security Issues in Cloud Computing

FileCloud Security FAQ

Cloud Security. Securing what you can t touch. Presentation to Malaysia Government Cloud Computing Forum HUAWEI TECHNOLOGIES CO., LTD.

From 0 to Secure in 1 Minute APPSEC IL Moshe Ferber CCSK, CCSP

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Cloud Security Framework (CSF): Gap Analysis & Roadmap

A Survey on Cloud Security Issues and Techniques

Secure Identity in Cloud Computing

Cloud Security Introduction and Overview

SECURITY ANALYSIS OF CLOUD COMPUTING

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

Data Protection: From PKI to Virtualization & Cloud

Public Cloud Security: Surviving in a Hostile Multitenant Environment

Blending Embedded Hardware OTP, SSO, and Out of Band Auth for Secure Cloud Access

Cloud Security and Managing Use Risks

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Cloud Security Framework (CSF): Gap Analysis & Roadmap

Network Security Administrator

Building an Effec.ve Cloud Security Program

Security Architecture for Cloud Computing Platform

From Zero to Secure in 1 Minute

Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG

Addressing Security for Hybrid Cloud

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

Auditing Cloud Computing. A Security and Privacy Guide. Wiley Corporate F&A

Security Framework for Cloud Computing Environment: A Review Ayesha Malik, Muhammad Mohsin Nazir

managing SSO with shared credentials

Privacy + Security + Integrity

PRACTICAL IDENTITY AND ACCESS MANAGEMENT FOR CLOUD - A PRIMER ON THREE COMMON ADOPTION PATTERNS FOR CLOUD SECURITY

Secure and control how your business shares files using Hightail

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

Cloud and Security (Cloud hacked via Cloud) Lukas Grunwald

OPENIAM ACCESS MANAGER. Web Access Management made Easy

Threat Modeling. 1. Some Common Definition (RFC 2828)

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

Top Ten Security and Privacy Challenges for Big Data and Smartgrids. Arnab Roy Fujitsu Laboratories of America

SERENA SOFTWARE Serena Service Manager Security

Secure Cloud Computing

Effective End-to-End Cloud Security

Security & Cloud Services IAN KAYNE

Key Enablers for the Cloud Service Broker: Identity, Privacy, and Security

PICO Compliance Audit - A Quick Guide to Virtualization

Cloud Database Storage Model by Using Key-as-a-Service (KaaS)

Top 10 Cloud Risks That Will Keep You Awake at Night

Is it Time to Trust the Cloud? Unpacking the Notorious Nine

Assessing Risks in the Cloud

Rational AppScan & Ounce Products

Glinda Cummings World Wide Tivoli Security Product Manager

Transcription:

t Cloud Security Let s Open the Box t Abu Shohel Ahmed ahmed.shohel@ericsson.com NomadicLab, Ericsson Research

Facts about Ericsson Ericsson is a world-leading provider of telecommunication equipment and services More then 40 percent of mobile traffic passes through Ericsson network Ericsson is the 5 th largest software company in the world Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 2

Why ericsson in cloud For Clouds: - It is difficult to optimize the cost of Computation, Networking and Storage at the same time ( Revision of Brewer s CAP theorem) - MNO s can play a key role to optimize the Networking Figure from Ericsson Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 3

Dark days of cloud Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 4

Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 5

Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 6

Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 7

http://www8.hp.com/us/en/hp-news/press-release.html?id=1303754#.ujt8glf4epy Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 8

We are not talking about Virtualization security Trusted Computing Base Every details of Cloud Security Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 9

Today s talk about Security in General, Is cloud security different? What process you should consider before cloud adoption? Major Threats against cloud Discussion on two focus areas: - Identity and access management - Governance and Compliance Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 10

Security engineering Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 11

Security engineering is building systems which remains dependable in the face of malice, error, or mischance The goal is to provide critical assurance Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 12

Security engineering framework Policy Mechanism Incentives Assurance Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 13

Security engineering for cloud evaluation Scenario 1 Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 14

Bob s blog Requirements - Ensure uptime - No sensitive content - Simple user authentication - Monitor the traffic - Low cost Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 15

Cloud provider a 99% uptime Simple user authn/z No sensitive content Load balancer User/password, access control IDS system Attacker: No data and monetary Incentives Site defacement Assurance: Availability moderate Access control moderate Monitoring - moderate Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 16

Scenario 2 http://www.projectwalk.org/hospitals/ Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 17

A hospital system Requirements Patients record are strictly confidential A nurse can access patient s data of her ward who stayed in last 30 days Doctors need strict assurance for life critical data e.g., medical and drug history Strict assurance for critical system Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 18

Cloud provider b Granular AuthN/Z data privacy & confidentiality data integrity Constant availability Multi-level and multi-lateral Auth, XACML, VM hardening Encrypted disk, anonymizer, inference control Digital signature policy Replicas, DR, caching, Load balancer IDS system Attacker: Personal data acquisition Assurance: Access control strict Privacy & confidentiality strict Integrity Strict Availability - Strict Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 19

Evaluation Requirements Cloud Provider A Cloud Provider B Assurance Assurance: Availability moderate Access control moderate Monitoring - ok Assurance: Access control strict Privacy & confidentiality strict Integrity Strict Availability - Strict Deployment model Public Private / Public with VM hardening Accessible and consumed by Un-trusted Trusted SPI SaaS IaaS Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 20

Security considerations before Cloud adoption Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 21

Security is a Balance between benefits and RISK Security depends on how much risks we like to take in comparison to economic benefits. Economic Benefits Risk So how will we proceed? See Next Slides Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 22

Step 1 Define assets, resources, and information being managed Who manages and owns them and how Which security controls are in place Identify your compliance requirements Define the risk you can tolerate Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 23

Step 2: choose cloud model Ref: Cloud Cube, Jericho Forum Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 24

Step 3: Find the gap Ref: Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 25

Threats in cloud Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 26

Cloud security alliance - TOP Threats in Cloud Abuse and Nefarious use of cloud Insecure Interfaces and APIs Malicious Insiders Shared Technology (Isolation) Issue Data Loss or Leakage Account or Service hacking Unknown risk profile Source: https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 27

# Nefarious use of Cloud Recommendations: 1. Strict registration 2. Enhanced monitoring http://blogs.zdnet.com/security/?p=5110 Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 28

# Insecure interfaces and APIs Recommendations: 1. Analyze CSP s security 2. Strong access control 3. Understand API dependency chain http://www.prweb.com/releases/2012/11/prweb10092437.htm Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 29

# Malicious Insider Recommendations: 1. Strict supply chain 2. Multi-level and Multi-lateral security Photo credit: http://clicksafe.kensington.com/laptop-security-blog/bid/ 50771/Tackling-data-theft-from-insiders Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 30

# Shared Technology issues Recommendations: 1. Strong access control 2. Perform vulnerability scanning 3. Monitor environment Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 31

# Data loss Recommendations: 1. Strong API access control 2. Encrypt the data 3. Data protection design Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 32

Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 33

Identity, entitlement and access management Identity and Access Management (IAM) should provide controls for assured identities and access management. Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 34

Identity management Identification Authentication Authorization Who are you Prove it Here is the resource An identifier that can be used to uniquely recognize a principal The process to verify the identity of a principal The granting of rights and capabilities to the principal by the system Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 35

OLD school of IAM Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 36

What s new in cloud IAM system The changing business need requires a new identity perimeter for the cloud Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 37

OLD school vs. NEW school Old School New School Enterprise Centric Access Control List Directory Server Authen6ca6on Principal Centric Resource Centric Rule Based Access Authen6ca6on Rou6ng Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 38

Symetrical Symmetrical Evolving Jericho Authoriza6on Model Principal Iden6ty, A@ributes Access Request A@ribute Updates Access Control Enforcement Func6on Access Rules Resource Resource Labels Decision Cache Access Rules Rela6vely Dynamic Audit Logs Request, Iden6ty, Rules, A@ributes Access Control Decision Func6on Decision Decision Support Informa6on Verified Rules Verified A@ributes Environmental, Resource, & Principal A@ributes; Iden6fiers Rela6vely Sta6c Ref: Jericho Forum Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 39 Rules Policy Admin

Recommendation Support for SSO & federation ( e.g., OpenID, SAML, OAuth) Identity attributes need to be consumed from multiple sources Support for granular authorization (e.g., XACML) Support for standard provisioning languages ( e.g., through SPML) Be careful about sensitive personal data (SPI) Reuse identity rather than create new one Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 40

ERICSSON in Cloud identity: OpeniD with gba for cloud Authentication OpenStack" Telecom Nodes" Nova! KeyStone! Dashboard! OpenID provider & NAF! Browser! HSS! BSF! SIM enabled! A prototype based on 3GPP defined 'OpenID with GBA' to integrate federated and secure SIMbased authentication to the IaaS management layer. User! Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 41

Governance, risk management and compliance Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 42

Why GRC is important in Cloud Lack of user control Dynamic allocation means resource is not known beforehand Separation of logical and physical entities Location independence Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 43

Compliance in Cloud Can I assess trust in a cloud provider? Is there a way to automatically verify trust in real time? Is there an easy way to expose this information? Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 44

CSA GRC stack Description Common technique and nomenclature to request and receive evidence and affirma6on of current cloud service opera6ng circumstances from cloud providers Common interface and namespace to automate the Audit, Asser6on, Assessment, and Assurance (A6) of cloud environments Industry- accepted ways to document what security controls exist Fundamental security principles in specifying the overall security needs of a cloud consumers and assessing the overall security risk of a cloud provider https://cloudsecurityalliance.org/wp-content/uploads/2011/12/grc-stack-csa-congress-2011-part-1.pptx Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 45

An approach for Compliance monitoring Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 46

Take away Security in cloud is not that different, rather risk has changed or new risk has emerged Always evaluate the risk of your assets before transition towards cloud Remember, Attackers will exploit the threat Access control and compliance are important for cloud adoption Do design your system based on customer need, but don t forget security. Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 47

References 1. https://collaboration.opengroup.org/jericho/ cloud_cube_model_v1.0.pdf 2. https://cloudsecurityalliance.org/topthreats/ csathreats.v1.0.pdf 3. Chapter 1, Chapter 9, Ross Anderson, Security Engineering 4. Domain 1, Domain 12, Security Guidance For Critical Areas of Focus in Cloud Computing V3.0, CSA 5. OpenID authentication as a service in OpenStack, 7th International Conference on Information Assurance and Security (IAS), 2011 6. CSA - Cloud Control Matrix, https:// cloudsecurityalliance.org/research/ccm/ Ericsson AB 2012-11-12 Lecture on Cloud Security at Aalto Page 48

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information