The document discusses cloud computing security. It begins with an introduction to cloud computing that defines it and outlines its characteristics, service models, and deployment models. It then discusses common security concerns and attacks in cloud computing like DDoS attacks, side channel attacks, and attacks on management consoles. It provides best practices for different security domains like architecture, governance, compliance, and data security. It also discusses current industry initiatives in cloud security.
1. CLOUD COMPUTING SECURITY Ajay Porus ISO27K LA, CPISI Founder & Director CSA Hyderabad Chapter Lead Implementer Honey Net Project India
2. Agenda: Introduction to Cloud Computing; Cloud Architecture and Characteristics; Cloud Security Concerns and Attacks; Different Security Domains Best Practices; What's going on in Industry on Cloud
3. Introduction to Cloud Computing: Is It Really New? What is Cloud Computing? How Does it Evolve? What are the Characteristics of Cloud Computing? What is the difference in Architecture from traditional Computing? What are the different Service Delivery Models? What are the different deployment models? Framework of Cloud Computing; Cloud Eco-System
4. Is It Really New? No, it's not. It's the evolution of old technologies to a new level, which brings together many technologies to provide huge computational power. First Cloud: around networking (Network as a Cloud), as said: “We didn’t care where the message sent, the cloud had it from us” – Kevin Marks, Google. Second Cloud: around documents (WWW data abstraction). Third Cloud: present and future. This abstracts infrastructure complexities of servers, applications, databases and different platforms. (Amazon CEO)
5. Cloud Computing Definition: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of seven essential characteristics, three service models, and four deployment models.
6. How Does it Evolve? Mainframes; Mini Computer; Personal desktops; Client–Server; IP Networks; Mobile Devices; Cloud Computing
7. Characteristics of Cloud Computing: Multi-tenancy (shared resources); Massive scalability; Rapid Elasticity; Measured service; On-demand self-service; Broad network access
8. Traditional vs Cloud Computing. Dedicated/traditional: High upfront IT investments for new builds; High cost of reliable infrastructure; High complexity of IT environment; Complex infrastructure IT. Cloud computing: Reliability built into the cloud architecture; Low upfront IT investments, pay-for-use model; Modular IT architecture environments; No infrastructure
12. Cloud Computing Framework. Deployment Models: Private Cloud; Community Cloud; Public Cloud; Hybrid Clouds. Service Models: Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS). Essential Characteristics: On Demand Self-Service; Broad Network Access; Rapid Elasticity; Resource Pooling; Measured Service. Common Characteristics: Massive Scale; Resilient Computing; Homogeneity; Geographic Distribution; Virtualization; Service Orientation; Low Cost Software; Advanced Security
14. Cloud Security Concerns & Attacks: General Security Concerns; Cloud Security Challenges; Top Threats to Cloud Computing; DDOS & EDOS; Side Channel Attack; MIM Cryptographic Attack; Poisoned VMs; Attack Against Management Console; Abusing Cloud Billing Models and Cloud Phishing; DNS Cache Poisoning Attacks; Authentication Attack
15. General Security Concerns: Trusting vendor’s security model; Customer inability to respond to audit findings; Obtaining support for investigations; Indirect administrator accountability; Proprietary implementations can’t be examined; Loss of physical control
16. Cloud Security Challenges: Data dispersal and international privacy laws; Need for isolation management; Logging challenges; Data ownership issues; Using SLAs to obtain cloud security; Dependence on secure hypervisors; Attraction to hackers (high value target); Encryption needs for cloud computing; Handling compliance
17. Top Threats to Cloud Computing: Abuse and Nefarious Use of Cloud Computing; Insecure Interfaces and APIs; Malicious Insiders; Shared Technology Issues; Account or Service Hijacking; Loss of governance; Lock-In; Compliance risks; Management interface compromise; Data protection (Data Loss or Leakage)
18. DDOS & EDOS. Distributed denial of service: an attack that makes computer or network resources unavailable. Economic denial of service: a DDoS attack that makes a large number of requests for which the cloud user has to pay (generally $1 per 10,000 requests in Amazon). Originates mainly from compromised computers.
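A detection sketch for the EDoS case on slide 18, added here as an example and not part of the original deck: it totals billed requests per hour from an access log, prices them at the slide's rough figure of $1 per 10,000 requests (used as an assumption), and flags hours that exceed a spending budget. The log format, function names and sample data are constructed for illustration.

```python
"""Added example: flag likely EDoS traffic from request logs (constructed data)."""
from collections import Counter
from datetime import datetime

# Assumption taken from the slide: roughly $1 per 10,000 billed requests.
USD_PER_REQUEST = 1 / 10_000

def parse(line):
    """Parse '<ISO timestamp> <client ip> <path>' into (hour bucket, ip)."""
    ts, ip, _path = line.split()
    hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
    return hour, ip

def edos_report(lines, hourly_budget_usd, source_share=0.5):
    """Return one alert per hour whose billed request cost exceeds the budget.

    heavy_sources lists clients that alone exceed `source_share` of the hour's
    requests (rate-limit candidates); it is empty when the flood is spread
    over many compromised hosts, and the budget alert still fires.
    """
    per_hour, per_hour_ip = Counter(), Counter()
    for line in lines:
        hour, ip = parse(line)
        per_hour[hour] += 1
        per_hour_ip[(hour, ip)] += 1
    alerts = []
    for hour, total in sorted(per_hour.items()):
        cost = total * USD_PER_REQUEST
        if cost <= hourly_budget_usd:
            continue
        heavy = sorted(ip for (h, ip), n in per_hour_ip.items()
                       if h == hour and n / total > source_share)
        alerts.append({"hour": hour.isoformat(), "requests": total,
                       "cost_usd": round(cost, 4), "heavy_sources": heavy})
    return alerts

def sample_log():
    """Constructed log: steady traffic at 10:00, a flood from one host at 11:00."""
    normal = [f"2011-01-01T10:{m:02d}:00 198.51.100.{m % 5} /index" for m in range(60)]
    flood = [f"2011-01-01T11:{i % 60:02d}:{i % 60:02d} 203.0.113.9 /search"
             for i in range(30000)]
    background = [f"2011-01-01T11:{m:02d}:30 198.51.100.{m % 5} /index" for m in range(60)]
    return normal + flood + background

if __name__ == "__main__":
    for alert in edos_report(sample_log(), hourly_budget_usd=1.0):
        print(alert)
```

The budget check is what catches a distributed flood; the per-source share only helps when a few hosts dominate.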
19. Side Channel Attack: Attack based on information gained from the physical implementation of a cryptosystem. Timing Attack; Power Consumption Attack (Simple Power Analysis Attack (SPA), Differential Power Analysis Attack (DPA)); Electromagnetic Attack; Acoustic Cryptanalysis; Cache Attack; Differential Fault Analysis
20. MIM Cryptographic Attack: Phishing Scam; Attack Communication; Steal Private or Public Key; Attacker’s eavesdropping between the two parties; Send and execute malicious code; Gain access to Victim’s system
21. Poisoned VMs: Administrator with full access to configure VM; Addition of malicious code; Tampering with AMI (Amazon Machine Image); Isolation provided by CSP; Launch of Shared AMI; Preconfigured Malicious Business Logic; No way to find out so far.
23. Abusing Billing Models & Cloud Phishing: Phishing Scams for Amazon; Phishing from Amazon cloud; Blacklisting Amazon domain in phishing database; Once secret key hacked; Cloud based DDOS very costly; Millions of poisoned VMs initiated by 1 CSRF attack; Payment for the network and CPU consumption
24. DNS Cache Poisoning Attacks: Shared IPs; Once an IP is released, it takes time to clear from cache & ARP table; Until cleared, can be accessed with the same IP; Lack of knowledge of DNS cache & ARP table; Washington Post faced a problem at Amazon EC2; Even though IP released, still had access from internal network
25. Authentication Attack: Weak Password; Google Hack Database; SQL Injections; Cross-site Scripting; Man in the Middle; Brute force Attack; Session Hijacking; Social Engineering
26. Different Security Domains Best Practices: Cloud Computing Architectural Framework; Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Data Security Lifecycle; Portability and Interoperability; Traditional Security, BCP & DR; Data Center Operations; Incident Management; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization Security
27. Cloud Architectural Security: Hardware Security (Xeon 5600, AES and TXT Support); Virtualization Security (Hypervisor Hardening); Guest OS Security (Operating System Hardening); Platform Security (Patches and Updates); Application Security (Secure Development Lifecycle); Network Security (Firewall, IDS, IPS, VPN, SSL/TLS); Cryptographic Security (PGP Keys, AES, 3DES, 2-DNF)
28. Governance and Risk Management: Invest some of the saved money in Security; Robust IS governance with defined roles & responsibilities; Collaborative governance structure between provider & customer; Assess for sufficiency, maturity, and consistency with the user’s ISMS; SLA should be added in Risk assessment; New approach for risk assessment from both ends; CSP include metrics and controls
29. Legal and Electronic Discovery: Mutual understanding of each other’s R&R related to electronic discovery, litigation & laws; Responsive information security system to preserve data as authentic & reliable; Providing equal guardianship as in owner’s hands; Pre-contract due diligence, contract term negotiation, post-contract monitoring, and contract termination; Unified process for responding to subpoenas, service of process, and other legal requests
30. Compliance and Audit: Involve Legal and Contracts Teams in SLA; Right to Audit Clause; Analyze Compliance Scope; Analyze Impact of Regulations on Data Security; Review Relevant Partners and Services Providers; Analyze Impact of Regulations on Provider Infrastructure; Auditor Qualification and Selection; Cloud Provider’s SAS 70 Type II; Cloud Provider’s ISO/IEC 27001/27002 Roadmap
31. Data Security Lifecycle: Maintain CIA of data; Security practices and procedures; Strong SLA with all areas; System of service penalties in SLA; Data Classification; Encryption; Perform Regular Backup
32. Portability and Interoperability: Identify and eliminate any provider-specific extensions to the VM environment; Appropriate de-provisioning of VM images; Appropriate de-provisioning of disks & storage devices; Platform components with a standard syntax; Understand the impacts on performance and availability of the application; Consistency of control effectiveness across old and new providers; Vendor to test and evaluate the applications before migration
33. Traditional Security, BCP & DR: Centralization of data; Adopting as a security baseline; Perform onsite inspections of cloud provider facilities; Customers should inspect cloud provider disaster recovery; BCP Policy approved by the provider’s board of directors
34. Data Center Operations: Permission to conduct customer or external third-party audits; Demonstrate compartmentalization of systems, networks, management, provisioning, and personnel; SLA should be clearly defined, measurable, enforceable, and adequate for your requirements; Continual improvement in policies, processes, procedures; 24*7*365 days technical support should be available
35. Incident Management: Define incident and event before SLA signoff to CSP; What incident detection and analysis tools are used by CSP; Conducting proper risk management to stop incidents; A robust Security Information and Event Management (SIEM) is required; Deliver snapshots of the customer’s entire virtual environment; Whole data should be encrypted
36. Application Security: Application assessment tools; Create trust boundaries for SDLC; Use own VM with configured policies in IaaS; Use best practice to harden system as in DMZ; Multi-tenancy in application threat model; Securing inter-host communication; Metrics to assess effectiveness of Security Program; Keep cloud architecture in mind
37. Encryption & Key Management: Encrypting data in transit (SSL/TLS, SSH); Encrypting data at rest (AES128, 3DES, 2DNF); Encrypting data on backup media; Use of encryption data separate then for use; Stipulate encryption in contract; Define secure key lifecycle management; Use industry level key management systems; Make keys secure, limited access to key store & key backup
38. Identity and Access Management: Avoid proprietary identity provisioning system; Use 2-factor authentication; Consider user-centric authentication (Google, Live ID); Use open standards for authentication and VPN; Use of federated identity and gateways like SAML; Use mechanism to transmit user info from PIP to PDP; Use IDaaS to have better security & risk mitigation
39. Virtualization Security: Identify types of virtualization provided by CSP; Understand hypervisor security and isolation mechanism; Understand security to protect administrative interfaces (API, web-based); Strong authentication mechanism with tamper-proof logging and integrity monitoring tools; Explore efficiency and feasibility of segregating VMs; Strong reporting mechanism for raising alert if compromised
40. What's going on in Industry on Cloud: Different Initiatives; Fabric Computing; Homomorphic Encryption; Future of Cloud – Mobile Computing
41. Different Initiatives: Cloud Security Alliance; Cloud Cert; Cloud CAMM (Capability and Maturity Model); Cloud Audit A6; CCM (Cloud Control Matrix Tool); CAI (Consensus Assessment Initiative); CSA GRC Stack; Trusted Cloud Initiative; CCSK (Certificate of Cloud Security Knowledge); Cloud Metrics Research
42. Fabric Computing: Next generation computing by interconnecting nodes like fabric (including various clouds); High performance computing by loosely coupled storage network devices and parallel processors
43. Homomorphic & Predicate Encryption: Processing of encrypted data is very difficult; IBM announced Homomorphic encryption (2DNF+); Enables processing of encrypted data; Requires immense computational power. Predicate encryption: No need to decrypt whole data; Decrypt only what is required; Supporting Disjunctions, Polynomial Equations, and Inner Products
44. Future of Cloud – Mobile Computing: Mobile computing increasing rapidly; Android Platform next generation mobile computing; Application to access cloud on mobile phone; Wi-Fi and 3G connection enabling high bandwidth; SSL/TLS and SSH from phone web browser to VM; Trusted certificate and private key on phone; 2-factor authentication (fingerprint and password); Different platforms to configure cloud APIs