Cloud-Security: Show-Stopper or Enabling Technology?




Fraunhofer Institute for Secure Information Technology (SIT), Technische Universität München
Open Grid Forum, 16 March 2010, Munich

Overview
1. Cloud Characteristics
2. Security Implications
3. Some Attacks (real world)
4. Specific Challenge: ID Management
5. Summary

1. Cloud Computing

Cloud: a pool of networked IT components.

Cloud characteristics:
- Resources are provided on demand.
- Users do not have to maintain or operate an infrastructure of their own.
- A practically unlimited amount of resources: capacity can be added dynamically (scalability, flexibility, on-demand usage).
- Access to outsourced data at any time, from anywhere.
- Fast development of new web applications offered as cloud services (Software as a Service).

1. Cloud Computing: economic forecast

Estimated market size for cloud computing services:
- Merrill Lynch (2008): $169 billion by 2011
- IDC (2009): $42 billion by 2012
- Gartner (2009): $150 billion by 2013
- BITKOM (2009): 564 million for Germany by 2011
(Chart not reproduced: split between applications and infrastructure.)

1. Cloud Computing: main aspects forming the cloud
- Types
- Features
- Models/modes
- Stakeholders
- Benefits
- And: legislation!

1. Cloud Computing: types
(Figure: layer stack, bottom up: infrastructure layer with virtualization (IaaS), platform layer (PaaS), software layer (SaaS), with the user/customer on top.)
- Infrastructure as a Service (IaaS), e.g. Elastic Compute Cloud (Amazon): provides virtual servers.
- Platform as a Service (PaaS), e.g. Google App Engine: framework for application development and upload.
- Software as a Service (SaaS): mail, CRM, presentations, ...; e.g. Google Docs, GMail, gliffy.

1. Cloud Computing: Show-Stopper Security?

2. Security Implications
Users (e.g. enterprises): a change of paradigm from closed and supervised IT infrastructures to outsourced services and remotely operated IT infrastructures.
Providers: Who uses the offered services? Who is liable for abuse of resources?
General security implications:
- Loss of control over data, infrastructures, processes, etc.
- Difficult identity and access management in the cloud
- Compliance with security guidelines and legal standards; privacy issues
- Trustworthiness of service providers

2. Security Implications: scenario
(Figure: an end user and an enterprise consume a social network, a collaboration service, a backup service and an email service that are spread across cloud providers #1, #2 and #3.)

2. Security Implications: cloud characteristics and their effects on security
- Resources are provided on demand: confidentiality? Where is my data (in which country?), and which crypto regulations apply, e.g. key escrow requirements?
- Unlimited amount of resources: privacy? Compliant with privacy legislation?
- Development of new web applications as services: trustworthiness of the cloud service? How does the cloud platform handle access rights, key management, certificate management, etc.?
- Access to outsourced data at any time, from anywhere: availability? Which measures against DoS? Risk of data lock-in, ...
And: cloud computing is a door opener for new kinds of attacks.

2. Security Implications: top threats in cloud computing
Source: http://cloudsecurityalliance.org/topthreats.html
- Abuse of cloud computing resources
- Shared technology vulnerabilities
- Data loss / leakage
- Insecure application programming interfaces
- Account, service and traffic hijacking
- Malicious insiders
- Unknown risk profile
Some of these threats in more detail:

2. Security Implications: abuse of cloud computing resources
Problem statement:
- IaaS providers offer unlimited resource usage coupled with a frictionless registration process, i.e. users can act relatively anonymously.
- Spammers, malicious code authors and other attackers take advantage of that.
- Attacks: DDoS, password cracking, controlling botnets, ...
Remediations, e.g.:
- Improved initial registration and validation processes
- Comprehensive introspection of customer network traffic (where compliant with legislation)

2. Security Implications: shared technology vulnerabilities
Problem statement:
- IaaS vendors often share the underlying infrastructure: caches, storage, ...
- Improper isolation concepts are used: vulnerable hypervisor layers, no isolation on the network layer, etc.
- Attacks: information leakage, unauthorized data access
Remediations, e.g.:
- Strong compartmentalization
- Strong authentication and access controls
- Monitoring of access and activities
- Vulnerability scanning, configuration audits

2. Security Implications: data loss / leakage
Problem statement:
- Missing backup concepts: data loss through alteration, deletion or improper access controls
- Loss of encryption keys: the data is lost
- Missing audit controls
- Attacks: deletion or alteration of data, circumvention of improper access controls, identity theft (leaked credentials, session hijacking, etc.)
Remediations, e.g.:
- Strong access control, proper redundancy, backup concepts
- Data encryption and proper key management

2. Security Implications: insecure application programming interfaces
Problem statement:
- Providers offer APIs for service provisioning, orchestration, monitoring, etc. with improper or even missing security concepts: authentication, encryption, logging and access control are often missing.
- Third parties offer value-added services on top of these APIs, e.g. credentials are forwarded to third parties via (insecure?) APIs.
- Attacks: exploiting weak authentication such as clear-text passwords, reusable tokens, improper authorization, ...
Remediations, e.g.:
- Security analysis of the provider's API; model the dependencies
- Use strong authentication, encryption and logging concepts on top

3. Attacks
Source: http://wiki.cloudcommunity.org/wiki/cloudcomputing:incidents_database
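The weak-authentication patterns named above (clear-text passwords, reusable tokens) and the remediation "strong authentication on top" can be made concrete. What follows is an added example, not code from the slides or from any provider's API: a provisioning API that accepts a reusable clear-text token, beside a hardened version in which every request is HMAC-signed with a per-tenant secret over method, path, body hash, timestamp and a single-use nonce, so that a captured request can neither be replayed nor altered. The tenant name, the secret store, the header names and the skew window are assumptions made for this illustration.

```python
"""Added example (not from the Fraunhofer SIT slides): a reusable clear-text
API token beside HMAC-signed requests with timestamp and single-use nonce.
Tenant name, secret store, header names and skew window are assumptions."""
import hashlib
import hmac
import secrets
import time

# Constructed tenant credential store: tenant id -> API secret (hypothetical).
TENANT_SECRETS = {"tenant-42": b"s3cr3t-api-key-for-tenant-42"}

MAX_SKEW_SECONDS = 300   # requests older or newer than this are rejected


# --- Weak design the slide warns about: a reusable token sent in the clear ---
def weak_authorize(params):
    """Anyone who sees the request once (a proxy, a log, a third-party
    value-added service) can reuse this token indefinitely."""
    tenant = params.get("tenant")
    return TENANT_SECRETS.get(tenant) == params.get("token", "").encode()


# --- Hardened design: HMAC-signed requests with timestamp and nonce ---------
def canonical_string(method, path, body, timestamp, nonce):
    """The exact bytes both sides sign: every field an attacker could alter
    is included, joined by newlines so fields cannot run into each other."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(tenant, method, path, body, now=None, nonce=None):
    """Client side: produce the authentication headers for one request."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(TENANT_SECRETS[tenant],
                   canonical_string(method, path, body, now, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Tenant": tenant, "X-Timestamp": str(now),
            "X-Nonce": nonce, "X-Signature": mac}


class SignedApiServer:
    """Server side: checks tenant, freshness, signature and single use of the nonce."""

    def __init__(self):
        self.seen_nonces = {}   # nonce -> timestamp; pruned once outside the skew window

    def verify(self, method, path, body, headers, now=None):
        """Return (accepted, reason) for one incoming request."""
        now = int(time.time()) if now is None else now
        secret = TENANT_SECRETS.get(headers.get("X-Tenant"))
        if secret is None:
            return False, "unknown tenant"
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        expected = hmac.new(secret, canonical_string(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        # constant-time comparison: do not leak the signature byte by byte
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # forget nonces that can no longer pass the skew check, then enforce single use
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= MAX_SKEW_SECONDS}
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    server = SignedApiServer()
    body = b'{"instances": 2}'
    hdrs = sign_request("tenant-42", "POST", "/v1/instances", body, now=1_000_000)
    print(server.verify("POST", "/v1/instances", body, hdrs, now=1_000_010))   # (True, 'ok')
    print(server.verify("POST", "/v1/instances", body, hdrs, now=1_000_020))   # (False, 'replayed nonce')
    print(server.verify("POST", "/v1/instances", b'{"instances": 200}', hdrs, now=1_000_010))  # (False, 'bad signature')
```

The body hash inside the signed string is what stops a third party that relays requests from changing the provisioning parameters on the way; the timestamp bounds how long a captured request is useful and the nonce store closes the remaining window. The secret itself never leaves the tenant and the provider, which is exactly what forwarding a clear-text credential to a value-added service fails to guarantee.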

3. Attacks: example, virtualization layer
A vulnerable VM monitor gives access to all data.
Possible attack scenario: distribution of virtual machines via public marketplaces, e.g. the Amazon Machine Image (AMI) marketplace for EC2. Amazon's own warning:
"AMIs are launched at the user's own risk. Amazon cannot vouch for the integrity or security of AMIs shared by other users. [...] Ideally, you should get the AMI ID from a trusted source (a web site, another user, etc). If you do not know the source of an AMI, we recommend that you search the forums for comments on the AMI before launching it."
Attack: setup of botnets, information leakage, ...

3. Attacks: DDoS attack on Bitbucket.org (hosted on Amazon)
- DDoS attack with UDP flooding
- The service was unavailable for storing data in persistent storage
- Resolving the problem took 18 hours:
  - No detection of the DDoS by Amazon support
  - Isolation of network traffic via QoS guidelines failed
  - Connection over the external IP address instead of internal addresses
- Design flaws in Bitbucket's architecture: no load balancing, no redundancy across decentralized data centers, no dynamic allocation of resources
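The Bitbucket incident turned on the absence of any detection of the UDP flood on the provider side. As an added example (not from the slides, Bitbucket or Amazon), here is a minimal sliding-window detector run over constructed flow records: it alerts when one destination receives a burst of UDP packets from many distinct sources within the window, and suppresses repeat alerts for the same window so that an ongoing flood does not drown the operator in notifications. The record format, the IP addresses and the thresholds are assumptions made for this illustration.

```python
"""Added example (not from the Fraunhofer SIT slides): a sliding-window UDP
flood detector run over constructed flow records.  Record format, addresses
and thresholds are assumptions made for this illustration."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10          # length of the sliding window per destination
PKT_THRESHOLD = 1000         # UDP packets within the window that count as a flood
MIN_DISTINCT_SOURCES = 50    # floods typically arrive from many (spoofed) sources;
                             # single-source bursts are a job for per-source rate limits


def parse_flow(line):
    """Parse one constructed record such as
    'ts=1254603600 proto=udp src=198.51.100.1 dst=203.0.113.10 dport=53 pkts=2'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"ts": int(fields["ts"]), "proto": fields["proto"].lower(),
            "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "pkts": int(fields["pkts"])}


class UdpFloodDetector:
    """Keeps, per destination, the UDP flows seen in the last WINDOW_SECONDS."""

    def __init__(self):
        self.windows = defaultdict(deque)   # dst -> deque of (ts, src, pkts)
        self.alerted = {}                   # dst -> timestamp of the last alert

    def observe(self, flow):
        """Feed one flow record (records arrive in time order); return an alert dict or None."""
        if flow["proto"] != "udp":
            return None
        dst, now = flow["dst"], flow["ts"]
        q = self.windows[dst]
        q.append((now, flow["src"], flow["pkts"]))
        while q and now - q[0][0] > WINDOW_SECONDS:   # drop records that left the window
            q.popleft()
        total_pkts = sum(p for _, _, p in q)
        sources = {s for _, s, _ in q}
        if total_pkts < PKT_THRESHOLD or len(sources) < MIN_DISTINCT_SOURCES:
            return None
        last = self.alerted.get(dst)
        if last is not None and now - last <= WINDOW_SECONDS:
            return None                                 # already reported for this window
        self.alerted[dst] = now
        return {"dst": dst, "window_end": now,
                "udp_pkts": total_pkts, "distinct_sources": len(sources)}


def scan(lines):
    """Run the detector over an iterable of record lines; return all alerts raised."""
    det = UdpFloodDetector()
    alerts = []
    for line in lines:
        alert = det.observe(parse_flow(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: a little DNS, some TCP, then a UDP flood against
# port 80 from 60 different source addresses spread over three seconds.
SAMPLE = ["ts=1254603600 proto=udp src=198.51.100.%d dst=203.0.113.10 dport=53 pkts=2" % i
          for i in range(5)]
SAMPLE += ["ts=%d proto=tcp src=198.51.100.9 dst=203.0.113.10 dport=443 pkts=40" % (1254603600 + i)
           for i in range(5)]
SAMPLE += ["ts=%d proto=udp src=192.0.2.%d dst=203.0.113.10 dport=80 pkts=30" % (1254603605 + i // 20, i)
           for i in range(60)]

if __name__ == "__main__":
    for a in scan(SAMPLE):
        print("ALERT: UDP flood against %(dst)s: %(udp_pkts)d packets from "
              "%(distinct_sources)d sources in the window ending at %(window_end)d" % a)
```

On the sample the detector stays quiet through the DNS and TCP traffic and raises exactly one alert once the fiftieth distinct source has joined the flood; the remaining flood records fall under the suppression rule. In a real deployment the same check would run on the provider's flow export for each customer's external addresses, which is the vantage point the slide says was missing.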

3. Attacks: cracking keys in the cloud (10/2009)
Cost of breaking a PGP key using EDPR on Amazon EC2 resources (cost chart not reproduced).
Source: http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html

3. Attacks: misuse of Google App Engine for controlling botnets (11/2009)
- Free of charge: CPU time, 500 MByte of disk storage and up to 5 million page views per month
- The command & control server of a botnet was run on Google App Engine; the bots contacted the server to receive new orders
- Google had to delete the application manually
Source: http://asert.arbornetworks.com/2009/11/malicious google appengine used as a cnc

Risk assessment: cloud security study from Fraunhofer SIT
See: http://www.sit.fraunhofer.de/en/news1.jsp
Aim: a framework and guidelines for risk assessments.
Classification:
- Infrastructure: physical security, host, virtualization, network
- Application and platform: data security, application security, platform security, security as a service, interoperability and portability, testing
- Administration: identity and access management, key management, data protection
- Compliance: risk management, legal framework, governance

4. Identity Management in the Cloud
Lesson learned so far: there are still lots of security problems in cloud computing: show-stopper!
Enabling technology: strong authentication spanning domains!
The IdM cloud ecosystem:
- Identity providers: governments (e.g. in Germany via the nPA, the new electronic identity card), enterprises, large Internet destinations (e.g. Google, Facebook, ...)
- Cloud providers: may also be identity providers; SaaS/PaaS/IaaS (e.g. Amazon, Salesforce, Google, SAP, HP, IBM, ...)
- Users: consumers or business individuals; a person may have many identities

4. Identity Management in the Cloud: core IdM challenges
- Identity provisioning and deprovisioning: secure and timely management of on-boarding (provisioning) and off-boarding (deprovisioning) of users in the cloud; extending the user management processes within an enterprise to cloud services.
- Authorization and user profile management: establishing trusted user profile and policy information to control access within the cloud service, and doing this in an auditable way.
- Delegation and federation: exchanging identity attributes securely and trustworthily; establishing identity lifecycle management.
- Support for compliance: enabling customers to pull together information about accounts, access grants and segregation-of-duty enforcement in order to satisfy an enterprise's audit and compliance reporting requirements.
- Authentication: How to provide cross-domain strong multi-factor authentication? How to provide a strict multi-tenancy model with isolation on all levels? How to identify and manage fine-grained components such as applications? How to guarantee interoperability? How to support multi-tenancy?
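Cross-domain strong authentication in the shape the scenario on the next slide sketches (an enterprise user presents a one-time password to a SaaS provider, which asks a cloud-based authentication service that answers only true/false) can be built on HOTP (RFC 4226). The block below is an added example, not code from the slides or from FireID: a multi-tenant authentication service keyed by (tenant, user) so that equal user names in different tenants cannot collide, with a look-ahead window for token presses that never reached the server and a forward-only counter so that an intercepted code cannot be replayed; the service provider never sees a token secret. Tenant and user names and the enrollment secrets are constructed; the secret from the RFC 4226 test vectors is used so the generated codes can be checked against the RFC.

```python
"""Added example (not from the slides, FireID or any IdP): a cloud-based,
multi-tenant one-time-password authentication service using HOTP (RFC 4226),
plus the SaaS provider that asks it for a true/false answer.  Tenant and user
names and enrollment secrets are constructed for this illustration."""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OtpAuthService:
    """Authentication service provider.  It alone holds token secrets and
    counters; service providers only ever learn true/false."""
    LOOK_AHEAD = 5    # accept up to 5 token presses that never reached the server

    def __init__(self):
        self.tokens = {}   # (tenant, user) -> {"secret": bytes, "counter": int}

    def enroll(self, tenant, user, secret):
        # Keying by (tenant, user) isolates tenants: 'userA' of enterprise-a and
        # 'userA' of enterprise-b are different tokens with different secrets.
        self.tokens[(tenant, user)] = {"secret": secret, "counter": 0}

    def verify(self, tenant, user, code):
        tok = self.tokens.get((tenant, user))
        if tok is None:
            return False            # unknown principal answers exactly like a wrong code
        for c in range(tok["counter"], tok["counter"] + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(tok["secret"], c), code):
                tok["counter"] = c + 1    # forward-only: the accepted code is burnt
                return True
        return False


class SaasProvider:
    """The cloud-based service (e.g. a mail service).  It checks the first
    factor itself (modelled as a flag here) and delegates the OTP check."""

    def __init__(self, auth_service):
        self.auth = auth_service

    def login(self, tenant, user, first_factor_ok, otp_code):
        return bool(first_factor_ok) and self.auth.verify(tenant, user, otp_code)


if __name__ == "__main__":
    auth = OtpAuthService()
    auth.enroll("enterprise-a", "userA", b"12345678901234567890")   # RFC 4226 test secret
    mail = SaasProvider(auth)
    print(mail.login("enterprise-a", "userA", True, hotp(b"12345678901234567890", 0)))   # True
    print(mail.login("enterprise-a", "userA", True, "755224"))   # False: the same code replayed
```

The counter moving past an accepted value is what turns a one-time password into one that is genuinely one-time across domains: the SaaS provider, a proxy, or a compromised third-party service that captured the code gains nothing from it. Moving the look-ahead window too far (or resetting the counter on failure) would reopen exactly the reusable-token weakness listed under insecure APIs.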

4. Identity Management in the Cloud: authentication scenario
(Figure: an enterprise user A requests a cloud-based service, e.g. a mail service, from a SaaS service provider. The service provider asks "strong authentication?" and forwards the user's one-time password (OTP) credentials to a cloud-based authentication service, e.g. FireID, run by an authentication service provider, which answers true/false.)

5. Summary
- Cloud computing: great opportunities for enterprises and providers
- Security, privacy and trust are still open issues: show-stopper?!
- Top threats, e.g. abuse, data loss, shared technologies, hijacking; privacy and compliance are still unsolved problems
- Cloud computing provides a valuable environment for launching attacks: spamming, botnet setup, password and key cracking
- Solved security problems will be cloud enablers!
- Trustworthy identity management within clouds is one main issue; core challenges and open research issues: identity provisioning and deprovisioning, authentication, delegation and federation, authorization and user profile management, compliance
- Standards, reference architectures and best practice guides are required

Thank you for your kind attention
Contact: Fraunhofer Institute for Secure Information Technology
Tel: +49 89 3 22 99 86-292, +49 6151 869-285
E-Mail: claudia.eckert@sit.fraunhofer.de
Internet: http://www.sit.fraunhofer.de