Computer Science. About PaaS Security. Donghoon Kim Henry E. Schaffer Mladen A. Vouk

Similar documents
Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Clouds. Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage

Linstantiation of applications. Docker accelerate

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Commercial Software Licensing

Cloud computing security

Cloud Computing. Adam Barker

Security Issues in Cloud Computing

Topics. Images courtesy of Majd F. Sakr or from Wikipedia unless otherwise noted.

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Cloud Computing WHAT IS CLOUD COMPUTING? 2

COS 318: Operating Systems. Virtual Machine Monitors

Data Centers and Cloud Computing. Data Centers

The Threat of Coexisting With an Unknown Tenant in a Public Cloud

Security Model for VM in Cloud

Performance Management for Cloudbased STC 2012

Before we can talk about virtualization security, we need to delineate the differences between the

Virtualization for Cloud Computing

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS

Data Centers and Cloud Computing. Data Centers. MGHPCC Data Center. Inside a Data Center

Why Does CA Platform Use OpenShift?

Private Cloud Database Consolidation with Exadata. Nitin Vengurlekar Technical Director/Cloud Evangelist

HEY, YOU, GET OFF OF MY CLOUD: EXPLORING INFORMATION LEAKAGE

RED HAT CONTAINER STRATEGY

How to Secure Infrastructure Clouds with Trusted Computing Technologies

Configuring and Managing a Private Cloud with Enterprise Manager 12c

Cloud Computing #6 - Virtualization

CHOOSING THE RIGHT RED HAT ENTERPRISE LINUX SUBSCRIPTION. Gerry Riveros Senior Manager Server Solutions, Red Hat May 6, 2011

Cloud security CS642: Computer Security Professor Ristenpart h9p:// rist at cs dot wisc dot edu University of Wisconsin CS 642

CSE543 Computer and Network Security Module: Cloud Computing

Lecture 02a Cloud Computing I

CompTIA Cloud+ 9318; 5 Days, Instructor-led

Networks and Services

Geoff Raines Cloud Engineer

CompTIA Cloud+ Course Content. Length: 5 Days. Who Should Attend:

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

The Software Container pattern

Introduction to Engineering Using Robotics Experiments Lecture 18 Cloud Computing

CLOUD COMPUTING. When It's smarter to rent than to buy

Cloud Computing Architecture: A Survey

Future of Cloud Computing. Irena Bojanova, Ph.D. UMUC, NIST

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

<Insert Picture Here> Cloud Computing Strategy

IOS110. Virtualization 5/27/2014 1

SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) Introduction to Cloud Security. Taniya

Stackato PaaS Architecture: How it works and why.

Performance Management for Cloud-based Applications STC 2012

International Journal of Innovative Technology & Adaptive Management (IJITAM) ISSN: , Volume-1, Issue-5, February 2014

Virtualization and the U2 Databases

Performance Comparison Analysis of Linux Container and Virtual Machine for Building Cloud

Planning, Provisioning and Deploying Enterprise Clouds with Oracle Enterprise Manager 12c Kevin Patterson, Principal Sales Consultant, Enterprise

WHITEPAPER INTRODUCTION TO CONTAINER SECURITY. Introduction to Container Security

Cloud Models and Platforms

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

A Gentle Introduction to Cloud Computing

Use Cases for Docker in Enterprise Linux Environment CloudOpen North America, 2014 Linda Wang Sr. Software Engineering Manager Red Hat, Inc.

16 April Cloud Security. Dr. Andreas Wespi IBM Corporation

Are Cache Attacks on Public Clouds Practical?

Building Docker Cloud Services with Virtuozzo

Data Centers and Cloud Computing

Windows Azure and private cloud

Datacenters and Cloud Computing. Jia Rao Assistant Professor in CS

Introduction to Cloud Computing - 02

Virtualization Technologies and Blackboard: The Future of Blackboard Software on Multi-Core Technologies

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011

9/26/2011. What is Virtualization? What are the different types of virtualization.

Toward a Unified Ontology of Cloud Computing

Control your corner of the cloud.

An overwhelming majority of IaaS clouds leverage virtualization for their foundation.

How Data-Centric Protection Increases Security in Cloud Computing and Virtualization

The Cloud to the rescue!

Security & Cloud Services IAN KAYNE

Virtual Hosting & Virtual Machines

Virtual Machine Security

Security & Trust in the Cloud

Introduction to Cloud Computing

Li Sheng. Nowadays, with the booming development of network-based computing, more and more

Week Overview. Installing Linux Linux on your Desktop Virtualization Basic Linux system administration

Cisco Application-Centric Infrastructure (ACI) and Linux Containers

Evaluation Methodology of Converged Cloud Environments

Amazon Web Services Primer. William Strickland COP 6938 Fall 2012 University of Central Florida

Windows Azure Platform

NoHype: Virtualized Cloud Infrastructure without the Virtualization

Copyright 2014, Oracle and/or its affiliates. All rights reserved.

This presentation covers virtual application shared services supplied with IBM Workload Deployer version 3.1.

Transcription:

About PaaS Security Donghoon Kim Henry E. Schaffer Mladen A. Vouk North Carolina State University, USA May 21, 2015 @ ICACON 2015

Outline Introduction Background Contribution PaaS Vulnerabilities and Countermeasures Cloud Applications Software Platform (SaaS) Virtualization Data Security & Integrity Cloud Software Environments (PaaS) Cloud Software Infrastructure (IaaS) Operating Systems Hardware Some Security Trends Isolation for multi-tenant environments Protection of sensitive data Features: Runtime environments Database Web server Development tools Programming environments Etc. Vulnerabilities SW Platform Virtualization Data Side1channel* a4 acks Protec' ng* sensi' ve*data 2

Introduction: Background Three Service delivery model for cloud computing Defined by NIST SaaS (Software) PaaS (Platform) IaaS (Infrastructure) Cloud Applications (SaaS) Cloud Software Environments (PaaS) Cloud Software Infrastructures (IaaS) Operating Systems Hardware PaaS (Platform as a Service) Provide middleware resources to cloud customers (E.g., developers and providers of SaaS) Hide complexity of maintaining the infrastructure Enable low costs and higher computing efficiency Surveyed over the last five years (i.e., since 2010) Research papers, industrial technical reports, etc. 3

Introduction: Contribution Three categories of PaaS security issues Vulnerabilities and corresponding countermeasures PaaS security trends Isolation for multi-tenants against side-channel attacks Protection of sensitive data Cloud Applications (SaaS) Cloud Software Environments (PaaS) Cloud Software Infrastructure (IaaS) Operating Systems Hardware Features: Runtime environments Database Web server Development tools Programming environments Etc. Vulnerabilities SW Platform Virtualization Side1channel* a4 acks Data Protec' ng* sensi' ve*data 4

Software Platform (1/2) OS to Hypervisors and Virtual Platform (VP) (e.g., Java and.net platform) The limitation of achieving proper isolation for multi-tenants OS limitation as a hosting environment (i.e., PaaS Platform) PaaS providers may prefer simplified abstractions OS may not support a set of applications; Need tuning depending on each application Proper isolation mechanisms with three options Isolation at OS level Isolation at Standard Java Security Isolation at VM level 5

Software Platform (2/2) Main open security issues at different layers OS, Java VM, Container Container for controlled environments Dockers released in March 2013 Resource isolation features of the Linux kernel Provide lightweight containers to run processes in isolation. The user needs to own the whole stack for complete isolation. Bare machine or sole-use may be the only safe solution 6

Virtualization (1/2) Major components of cloud computing Drive the growth of clouding computing Enabling sharing of resources for multi-tenancy Multi-tenancy vulnerabilities The adversary may identify internal cloud structure which can launch a comprised VM Cross-VM side channel attacks due to the sharing of physical resources (e.g., a single core CPU, cache) Countermeasures Cloud providers may obfuscate both internal structure of their services and the placement policy Avoid co-residence Expose the risk and placement policy directly to users 7

Virtualization (2/2) Vulnerabilities Components sharing between VMs, but lack of isolation Countermeasures Strong isolation, nevertheless a large overhead Performance between isolation and consolidation Major cause: contention on memory channels or processor caches on the physical machine Physical and functional hierarchical Functional: divide a platform into available zone 8

Data Security & Integrity Protecting data and maintaining data integrity are important for all cloud service delivery model Additional security checks should be applied to sensitive data Countermeasures Storing meta-data information in different locations; making information invaluable if a malicious user tries to recover Secure block storage for encrypted data chucks Authentication scheme by Merkle tree-based structure Practical and scalable by reducing the storage overhead Data Geolocation technique 9

Some Trends A side-channel attach is still popular due to multi-tenant virtualization Require proper isolation mechanism But, existing countermeasures may not applicable Too specific (i.e., application-specific) Protecting sensitive data Minimize the exposure of sensitive data as a plaintext To protect personal data, the EU issued EU Data protection Directive Limited storage in organization or governmental agencies while a tremendous increase in the scale of data Need more robust methods of data geolocation SaaS PaaS IaaS 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information