Secure Cloud Computing
Prof. Dr. Michael Waidner
Technische Universität Darmstadt and Fraunhofer Institute for Secure Information Technology SIT, Darmstadt
Darmstadt, 14 March 2015

Agenda
- Cybersecurity @ Darmstadt
- Cloud Computing and Security
- Security Challenges
- Provider Perspective
- Subscriber Perspective
- Summary

CASED Center for Advanced Security Research Darmstadt
Cybersecurity Research in Darmstadt
- More than 350 Researchers and Engineers
- Techn. University: 28 Profs in 10 Departments
- Fraunhofer SIT: 170 Employees in 9 Departments
- Univ. of Applied Sciences: 6 Profs
- LOEWE CASED (2008-2016)...
- EC SPRIDE (2011-2015 + 2015-2019)...
- SFB CROSSING (2014-)
- + several government & industry contracts

Cybersecurity Research in Darmstadt: Partners
- Airbus, BMW, Boeing, Bosch, Commerzbank, Deutsche Bahn, Deutsche Bank, Deutsche Post, DLR, Genua, GM, Google, e.on, IBM, Infineon, Intel, Microsoft, Opel, Oracle, Samsung, SAP, Siemens, Sirrix, Software AG, Trumpf, Volkswagen +...
- + SMBs
- + State / Federal Government & EU, BSI,...

Cybersecurity Research in Darmstadt
- Security & Privacy by Design
- Cryptography and Secure Protocols
- Privacy, Identity and Trust
- Security and Cloud Computing
- Usability
- Security and Mobile & Cyberphysical Systems
- Internet and Infrastructure Security

Fraunhofer Institute for Secure Information Technology SIT
Research and Technology Pipeline
- Largest and oldest institute for applied research in cybersecurity in Germany.
- Studies, Concepts, Prototypes
- Basic Research
- Contract Research & Development
- Consulting, Seminars, Tests & Certs, Forensics
- Licensing
- Funded by commercial clients
- Funded by Fraunhofer and research grants
- 170 employees, 2 professors @ TU Darmstadt, 9 research departments in Darmstadt & St. Augustin (Bonn), member of CASED and EC SPRIDE

Consumption and Delivery Model for IT Services
»Cloud« represents the industrialization of delivery for IT supported services
- Deployment Models: Hybrid Clouds; On Premise; Private Cloud; Off Premise; Community Cloud; Public Cloud; 3rd-Party Managed
- Service Models: Business Process as a Service (BPaaS); Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS)
- Essential Characteristics: On Demand Self-Service; Broad Network Access; Resource Pooling; Rapid Elasticity; Measured Service; Service Mgmt Automation
- Common Characteristics: Massive Scale; Geographic Distribution; Low Cost Software; Resilient Computing; Resource Virtualization; Advanced Security; Homogeneity; Standardized Workloads; Service Orientation
- Cloud Enables: Economies of scale; Sourcing Options; Flexible Payment Models
Adapted from: [Mell, Grance: The NIST Definition of Cloud Computing; NIST SPUB 800-145]

Moving from Private to Public
Real or perceived loss of control
Deployment options: On Premise; Private Cloud; Off Premise; Hybrid Clouds; Community Cloud; Public Cloud; 3rd-Party Managed
We Have Control
- It's located at X.
- We have backups.
- Our admins control access.
- Our uptime is sufficient.
- The auditors are happy.
- Our security team is engaged.
Who Has Control?
- Where is it located?
- Who backs it up?
- Who has access?
- How resilient is it?
- How do auditors observe?
- How does our security team engage?

Service Model Implies Security Responsibilities
Different splits of responsibilities between public cloud provider and subscriber
- Stack layers: Datacenter; Infrastructure; Middleware; Application; Process
- Service models, each split between Provider and Subscriber: Business Process-as-a-Service; Application-as-a-Service; Platform-as-a-Service; Infrastructure-as-a-Service
- Provider/Subscriber service agreement determines actual responsibilities.
Source: IBM (2010)

Cloud Computing: Status quo (Germany)
- 40% of German companies use cloud computing (29% are planning or discussing it)
- 24% of IT budget is spent on private clouds (12% on public clouds)
- 25% of respondents favor a national cloud (even if it is more expensive)
- 74% of companies consider cyber attacks and intelligence services as real threats
- 61% of cloud users lost trust in cloud computing since the NSA leaks
- 83% of private (and 67% of public) cloud users had good experiences with cloud computing
Source: KPMG Cloud-Monitor (2014)

What is Cloud Security?
- Confidentiality, integrity, availability of business-critical IT assets
- Stored or processed on cloud platforms
- Cloud Computing; Software as a Service; Utility Computing; Grid Computing (Source: IBM (2010))
"There is nothing new under the sun but there are lots of old things we don't know." (Ambrose Bierce, The Devil's Dictionary)

Data are Central to the Analysis of Risks and Threats
Categories: Transformation; Privacy and Data Compliance; Data Recovery; Classical IT Security; Shared IT
1. Vendor lock-in
2. Data security
3. Data protection, meeting privacy needs and expectations
4. General and industry-specific compliance
5. Uncertainty over data location
6. Inability to respond to law enforcement requests
7. Data recovery, resiliency
8. Account or service hijacking
9. Insecure interfaces and APIs
10. Management (incl. self-service) interface compromise
11. Insecure or incomplete data deletion
12. Process/VM isolation, data segregation, multi-tenancy
13. Malicious insiders (co-tenants, cloud provider)
14. Abuse of cloud services (extrusion)
Source: CSA (2010), ENISA (2009), Gartner (2008), IBM X-Force (2010)

Cloud Security Must be Seen in Context
Everything is connected in the Internet of Things, mobile access devices are the standard, malware and attacks are spreading across boundaries
- Threats: Data leaks; Surveillance; Espionage; Malware; Sabotage
- IoT, Mobile, Application Security
- Cloud Security

Security Challenges: Two Perspectives...
- Multi-tenancy / Virt; Cloud Management; Cloud Data Center
- Provider perspective: How to provide a secure cloud service?
- Subscriber perspective: How to select a cloud? How to use a cloud securely?

Components of a Cloud Security Solution: Provider Perspective
- Isolation
- Identity
- Compliance

Isolation: Software, Server, Network
Coloring/labeling resources, events, ...
State of the art
- Service and Application: Can be done at all levels of the stack
- Server: Hypervisor: z/VM, LPAR, phype, Xen, VMware ESX,...
- Network:
  - Security Zones, Trusted Virtual Domains
  - VLAN (IEEE 802.1Q)
  - Trusted / Secure Virtual Private Networks (VPN)
  - Encryption of data in transit (SSL/TLS, SSH, IPSec)
Key Issues
- Standardized policies
- Verification of isolation
- Application security
- VM security
- Network security
- VN security
- Multi-tenancy support

Isolation: Data, Storage, Backups
Coloring/labeling resources, events, ...
State of the art
- Label-based Access Control (LBAC)
- Storage zoning (Virtual Storage Area Network, ...)
- Enforcing location (per privacy laws)
- Cleanup of caches, files, disks, backups, ...
- Encryption of data at rest
- Data deduplication vs. encryption
- Provider vs. individual keys
- In-cloud vs. extra-cloud key management
- Fully homomorphic encryption
Key Issues
- Standardized policies
- Standardized data portability
- Meaningful key management
- Research in advanced crypto

Identity: Main types of identities to consider in a cloud
- Standard identity management + access/usage control
- Major risk: reinventing the wheel
- Major challenge: correlation of identities and security events across multiple layers in the cloud stack
Cloud subscriber administrators
- Initial enrollment and proofing of cloud subscriber
- Trust depends largely on proofing of identities
  - Valid email address
  - Upfront payment
  - Out-of-band signed service contract
Cloud subscriber end user identities
- Subscriber's employees, customers, ...
- Efficient on-boarding / off-boarding
- Directory synchronization (bad idea)
- Federated identity (good idea, standard in SOA)
Cloud provider administrators
- Major issue: Control over privileged identities

Compliance
Meeting regulatory requirements
- Provider auditing
- Subscriber-level auditing
- Practically often very hard
Privacy
- Data encryption and suitable key management
- Enforcing data location
- Prevent cross-border data flows
Cloud Forensics
- Discover evidence related to a specific cloud subscriber
- Freezing and surrendering virtual resources
- Protect confidentiality of third parties' resources

Components of a Cloud Security Solution: Subscriber Perspective
- Provider Perspective: Isolation; Identity; Compliance
- Subscriber Perspective: Trust in Cloud Provider; Control

Trust in Cloud Provider
»Secure Virtualized Runtime« is the provider's responsibility
- No direct control, hence provider must be trustworthy
  - Reputation
  - Stated provider security policies, SLAs
  - Audits: general (low-end, standardized) or client-specific (high-end, specialized)
- Very few technologies enable extension of control into the cloud
  - OmniCloud
  - Classical cryptography
  - Trusted computing: TCG, Intel SGX,...
  - Research: Secure multi-party computations, automated verification of infrastructure properties

Analysis of Cloud Storage Services
Fraunhofer SIT Technical Report: Borgmann, M., Hahn, T., Herfert, M., Kunz, T., Richter, M., Viebeg, U., Vowé, S.: On the Security of Cloud Storage Services, published in March 2012
- Seven cloud storage providers analyzed
- Result: Providers are security aware
- However, there are some typical security issues
  - No data encryption, or server side encryption only
  - No filename obfuscation for public files
  - Registration: weak passwords, no email verification
  - Shared files are indexed by search engines

OmniCloud: Secure and Flexible Cloud Storage
Main objectives
- Make software cloud-ready
- Make cloud storage secure
- Prevent cloud provider lock-in
Market
- Security-aware SMEs without budget for private clouds
- Focus on backups, network drives, shared folders
"Investment in your Future": Investments for this work were co-funded by the European Union with European regional development funds and by the state government of Hessen

Easy integration: OmniCloud Enterprise Gateway
- Standard communication protocols (e.g. FTP, WebDAV, S3)
- No client installation required
- API Mapping

OmniCloud: Security
- Client-side file encryption
  - Before leaving the company's intranet
  - (Pseudo-)randomly generated keys for each file
  - Keys under exclusive control of the company
- Role-based access control
- Filename and folder structure obfuscation

OmniCloud: Features
Storage Strategies
- Specify how data is distributed over storages
- Consideration of storage specific properties
- Extensible approach (Inform. Dispersal, Reed Solomon)
- Mirroring, Striping, RAID
Data Deduplication
- Recognition of duplicated files within a service
- Copied just once to the cloud
- Reduction of cloud storage costs

Contract Data Processing (acc. to Sec. 11 of the Federal Data Protection Act, BDSG)
- Legal obligation of controllers (cloud users) to continuously control the contract data processor (cloud provider)
- Problem: On-site inspections in the data centers of cloud providers not realistic
- Solution: Evaluation of cloud providers through auditors (trusted third parties)

Controlling Cloud Providers
Mechanisms for controlling cloud providers
- Develop Metrics for quantifying the degree of compliance with evaluation criteria
- Evaluate Log Information of cloud providers
  - Risk: Manipulation of log information by cloud providers (resp. administrators)
  - Solution: Secure Logging Mechanism
- Automated Data Protection Certificates by auditors (trusted third party)

Controlling Cloud Providers
Secure logging: principle
- Detect log manipulations: Log entry chaining provides forward integrity
- Log confidentiality: Trustee holds all encryption/decryption keys
- Auditor can only decrypt the log entries specific to a particular client
- Benefit of this approach: Trusted data without trusted computing
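
The log entry chaining named on this slide, as an added example that is not part of the original slides or of the Fraunhofer system: each entry's tag covers the previous tag, and the MAC key is hashed forward and overwritten after every entry, so someone who takes over the logger later cannot re-tag earlier entries. The HMAC-SHA256 key-evolution construction, the names `ChainedLog` and `first_bad_entry`, and the sample entries are assumptions; the per-client encryption handled by the trustee is left out.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # chain anchor preceding the first entry

def evolve(key: bytes) -> bytes:
    """One-way key update: K_i cannot be recovered from K_{i+1}."""
    return hashlib.sha256(b"evolve" + key).digest()

def mac(key: bytes, prev_tag: bytes, client_id: str, message: str) -> bytes:
    """Tag binds the entry to its predecessor; the length prefix avoids ambiguity."""
    cid = client_id.encode()
    data = prev_tag + len(cid).to_bytes(2, "big") + cid + message.encode()
    return hmac.new(key, data, hashlib.sha256).digest()

class ChainedLog:
    """Logger side: appends entries and forgets each key after using it."""

    def __init__(self, initial_key: bytes):
        self._key, self._prev = initial_key, GENESIS  # K_0 is also held by the trustee
        self.entries = []  # (client_id, message, tag)

    def append(self, client_id: str, message: str) -> None:
        tag = mac(self._key, self._prev, client_id, message)
        self.entries.append((client_id, message, tag))
        self._prev, self._key = tag, evolve(self._key)  # K_i is overwritten

def first_bad_entry(initial_key: bytes, entries) -> int:
    """Verifier side (knows K_0): index of the first entry that fails, or -1."""
    key, prev = initial_key, GENESIS
    for i, (client_id, message, tag) in enumerate(entries):
        if not hmac.compare_digest(mac(key, prev, client_id, message), tag):
            return i
        key, prev = evolve(key), tag
    return -1

def demo():
    k0 = bytes(range(32))  # constructed sample key; use a random secret in practice
    log = ChainedLog(k0)
    for client, msg in [("client-a", "backup completed"), ("client-b", "admin login"),
                        ("client-a", "volume moved")]:
        log.append(client, msg)
    tampered = list(log.entries)  # entry 1 rewritten later, without the erased K_1
    tampered[1] = ("client-b", "nothing happened", tampered[1][2])
    removed = log.entries[:1] + log.entries[2:]  # entry 1 deleted from the middle
    return (first_bad_entry(k0, log.entries), first_bad_entry(k0, tampered),
            first_bad_entry(k0, removed))
```

Dropping entries from the end leaves a valid shorter chain, so the verifier also needs the expected entry count or a signed closing entry.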

Controlling Cloud Providers
Secure logging: architecture
[Figure: architecture diagram. Labels: cloud operator; VMs running service instances 1 to 3, each with a log adapter; secure logging VM with log adapter; hypervisor (policies, hypercalls); hardware 1 to n with logs; unsecured log files; secured log files (Log S1 to S4); trustee (HSM, Auth, OAuth 2.0); auditor (Auth, log evaluation, attestation); customer (Auth). Fraunhofer-Gesellschaft 2014]

Controlling Cloud Providers
Data protection certificates
- Cloud Service
- Cloud Provider
- Evaluation Period
- Certificate Date
- Evaluation results, e.g. w.r.t. backup interval, encryption, redundancy, and physical storage location
- Auditor

Controlling Cloud Providers
Compliance metrics, considering complete cloud lifecycle
- Lifecycle stages: Specification of requirements, properties and metrics; Selection of a cloud service; Usage of a cloud service; Termination of a cloud service
- Continuous evaluation of metrics during operation
- Verification of termination

Summary
Cloud security is nothing fundamentally new
- Cloud security extends well-known concepts
- Even public clouds may offer superior security
Major sources of risk
- New technologies
- IT professionals often unaware of cloud specifics
Important trends
- Software security cloud service security
- Cloud and mobile / IoT computing are merging
- Gateways, brokers, marketplaces for cloud services
- Using crypto to extend trust into the cloud

Prof. Dr. Michael Waidner
Fraunhofer Institute for Secure Information Technology SIT, Director
www.sit.fraunhofer.de
Technische Universität Darmstadt, Computer Science, Professor
CASED & EC SPRIDE, Director
www.sit.tu-darmstadt.de
Rheinstrasse 75, 64295 Darmstadt
michael.waidner@sit.fraunhofer.de
+49 6151 869 250 (Office)
+49 170 929 8243 (Cell)