More Related Content Similar to Cloud Computing and Security - ISACA Hyderabad Chapter Presentation (20) More from Venkateswar Reddy Melachervu (8) Cloud Computing and Security - ISACA Hyderabad Chapter Presentation1. “…dare to dream; care to win…”
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Venkateswar Reddy Melachervu
Associate Vice President – IT
www.linkedin.com/in/vmelachervu
vmelachervu@gmail.com
Cloud Computing and Safety
Let’s Secure Cloud!
20th July 2013
In God we trust; All others, we virus scan
2. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
“The only truly secure system is one that is powered off,
cast in a block of concrete and sealed in a lead-lined room
with armed guards”
- Unknown
Only the Paranoid Survive
- Andy Grove, Former Chairman, Intel Inc.
3. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
“Some of the generally available information in the cloud on computing and cloud security is
the inspiration and source for few topics - for the fear of re-inventing the wheel. I hereby
thankfully acknowledge those sources”
Disclaimer
4. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Agenda
Global Cyber Attacks Stats
What is Computing Security?
Cloud Computing, Models and Security Demystified
New Security Challenges of Cloud Computing
Security Dimensions – The CIA Triad
Scope of Cloud Computing Security
Security Challenge Eco-system
Vulnerabilities, Threats and Exposure Points
Attacks – Modes and Types
The Notorious Nine – Cloud Security Threats
Methods of Defence
Tenets of Security Control
Security Life Cycle
Cloud Security Components and Governance
Tiered Cloud Security Handling Framework
Bottom-line
Take-aways
5. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
In 1988 a "worm program“ – Morris Worm -
written by a college student - Robert T.
Morris, Jr. of Cornell University - shut down
about 10 percent of computers connected to
the Internet. This was the beginning of the
era of cyber/Cloud attacks
First National Bank of Chicago is the victim of
$70-million computer theft
Cyber Crime – The Beginning
6. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Heartland Payment Systems
Impact: 134 million credit cards
exposed through SQL injection to install
spyware on Heartland's data systems.
March 2008
Incident Few Years Back
7. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
2012 Global Cyber Attacks Stats
8. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Revenue loss
Customer data loss and liabilities
Embarrassment to yourself and/or the
University
Having to recreate lost data
Identity theft
Data corruption or destruction
Loss of patient, employee, and public trust
Costly reporting requirements and penalties
Disciplinary action (up to expulsion or
termination)
Unavailability of vital data
Security Violation Consequences
9. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
What’s Computing Security?
10. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Protection of computing systems and the
data that they store or access
To prevent theft of or damage to the
hardware, Software etc. - Confidentiality
To prevent theft of or damage to the
information and to protect privacy –
Privacy and Integrity
To prevent disruption of service -
Availability/Denial of Service
What Is Computing/IT Security?
11. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Isn’t this just an IT Problem?
Why Do I Need to Learn About Computer
Security?
Everyone who uses a computer needs to understand how
to keep his or her computer and data secure
IT Security is a not a product, but a process
12. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
No major operating system has ever worked perfectly
No OS vendor has dared offer a warranty against
malfunctions
It is far easier to build a secure system than to build a
correct system
You might be able to live in a house with a few holes
in the walls, but you will not be able to keep burglars
out
Securing a system has traditionally been a battle of
wits
The problem is people/exploitation - not computers
Why Computers Are Not Secure?
13. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Cloud Computing – NIST Definition
“Cloud computing is a model for enabling convenient,
on-demand network access to a shared pool of
configurable computing resources (networks, servers,
storage, applications, and services) that can be
rapidly provisioned and released with minimal
management effort or service provider interaction”
13
14. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Cloud Computing - Business
Definition
“A large-scale distributed computing
paradigm that is driven by economies of
scale, in which a pool of abstracted,
virtualized, dynamically-scalable,
managed computing power, storage,
platforms, and services are delivered on
demand to external customers over the
Internet”
15. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
On demand computational services over
web
Spiky compute needs of the scientists
Horizontal and dynamic scaling with no
additional cost
Increased throughput
Multi-tenant
Accessed over a network
Only pay for what you use
Shared internally or with other customers
Resources - storage, computing, services, etc.
Internal network or Internet
Similar to Timesharing
Rent IT resources vs. buy
Cloud Computing Demystified
16. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Multi-Tenancy
16
17. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Cloud Service Layers and Models
17
IaaS
PaaS
SaaSModelsLayers
AutonomousMore Control/ Flexibility
IaaS PaaS
18. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Conventional Data Centre
19. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Cloud Modelled Data Centre
20. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Public, Private, Hybrid Clouds
20
21. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Cloud Computing
Enablers and Inhibitors
22. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Why Cloud Computing Brings
New Security Challenges?
Data, applications, resources are located with
provider
User identity management is handled by the
cloud provider
User access control rules, security policies and
enforcement are managed by the cloud
provider
Multi-tenancy
Consumer relies on provider to ensure
Data security and privacy
Resource availability
Monitoring and repairing of services/resources
Self-managed or Private Clouds overcome
most of the above new threats
22
23. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Security Dimensions – The CIA Triad
Secured
Hardware
24. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Confidentiality
The need for keeping information
secret
Protecting proprietary designs from
competitors
Protecting a company’s personnel records
Protecting personal financial/ID info
against ID theft
Applies to resource hiding
System configuration data
Resources - Systems, Equipment, Services
etc.
25. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Integrity
Preventing improper or unauthorized
change or access
Data integrity and system integrity
Non-repudiation
Example : Digital Cert of the Origin Source
26. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Availability
Reliability and system design
To prevent Denial of Service Attacks - The
attempts to block the availability of systems or
services
System designs usually assume a statistical
model to analyze expected patterns of use
27. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Example 1: C vs. I+A
Disconnect computer from Internet to
increase confidentiality
Availability suffers, integrity suffers due to
lost updates
Example 2: I vs. C+A
Have extensive data checks by different
people/systems to increase integrity
Confidentiality suffers as more people see
data, availability suffers due to locks on data
under verification)
Need to Balance CIA Triad
28. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Scope of Cloud Security
Cloud
Data Center
LAN/WAN/
Wifi/PLMN/
PAN
LAN/WAN/
Wifi/PLMN/
PAN
Cloud Eco-system
C
I
A C
29. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Security Challenge Eco-system
Physical
Logical
Environmental
Operational
Hardware Software
HumansData
Network
30. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Vulnerability
A weakness in a security system
Threat
Circumstances that have a potential to
cause harm
Exposure Points
External access points that can be taken
advantage compromising security by
most advanced attacker
Attack - materialization of a
vulnerability/threat/compromised
exposure point or combination)
Attack may be:
Successful a.k.a. an exploit - Resulting in
a breach of security, a system
penetration, etc.
Unsuccessful - When controls block a
threat trying to exploit a vulnerability
Vulnerabilities, Threats, and
Exposure Points
31. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Software Deletion
Easy to delete needed software by mistake
To prevent this: use configuration
management software
Software Modification
Worms, Trojan Horses, Viruses, Logic
Bombs, Trapdoors, Information Leaks ...
Software Theft
Unauthorized copying
via P2P, etc.
Software Vulnerabilities
32. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Add or remove a hardware
device
Ex: Snooping, wiretapping
Ex: Modification, alteration of a
system
Physical attacks on hardware
Accidental or voluntary
Theft / destruction
Damage the machine
(spilled coffe, mice, real
bugs)
Steal the machine
Hardware Vulnerabilities
33. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Network/Web Vulnerabilities
Phishing
An evil website pretends to be a trusted website
Example:
You type, by mistake, “mibank.com” instead of
“mybank.com”
mibank.com designs the site to look like mybank.com
so the user types in their info as usual
BAD! Now an evil person has your info!
SQL Injection
Cross Site Scripting
Writing a complex Javascript program that steals
data left by other sites that you have visited in same
browsing session
34. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Kinds of Threats
Interception
An unauthorized party (human or not) gains
access to an asset
Interruption
an asset becomes lost, unavailable, or
unusable
Modification
an unauthorized party changes the state of an
asset
Fabrication
an unauthorized party counterfeits an asset
35. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Over the Internet
Over LAN
Locally
Offline
Theft
Deception
Modes of Attacks
36. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Not all hackers are evil wrongdoers trying to steal
your info
Classification 1
Amateurs
Opportunistic attackers (use a password they
found)
Script kiddies
Hackers - nonmalicious
In broad use beyond security community: also
malicious
Crackers – malicious
Career criminals
State-supported spies and information warriors
Classification 2
Recreational hackers / Institutional hackers
Organized criminals / Industrial spies / Terrorists
National intelligence gatherers / Info warriors
Types of Attackers
37. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Common Attacks
Network Attacks
Packet sniffing, man-in-the-middle, DNS
hacking
Web attacks
Phishing, SQL Injection, Cross Site Scripting
OS, applications and software attacks
Virus, Trojan, Worms, Rootkits, Buffer
Overflow
38. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Network Attacks
Packet Sniffing
Internet traffic consists of data “packets”, and these
can be “sniffed”
Leads to other attacks such as
password sniffing, cookie
stealing session hijacking,
information stealing
Man in the Middle
Insert a router in the path between client and server,
and change the packets as they pass through
DNS hijacking
Insert malicious routes into DNS tables to send traffic
for genuine sites to malicious sites
39. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Bacterium
A specialized form of virus which does not attach to a specific file. Usage
obscure.
Logic bomb
Malicious logic that activates when specified conditions are met. Usually
intended to cause denial of service or otherwise damage system resources.
Trapdoor
A hidden computer flaw known to an intruder, or a hidden computer
mechanism (usually software) installed by an intruder, who can activate the
trap door to gain access to the computer without being blocked by security
services or mechanisms
Trojan horse
A computer program that appears to have a useful function, but also has a
hidden and potentially malicious function that evades security mechanisms,
sometimes by exploiting legitimate authorizations of a system entity that
invokes the program.
Malicious SW Attacks
40. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Virus
A hidden, self-replicating section of computer software, usually malicious logic,
that propagates by infecting (i.e., inserting a copy of itself into and becoming
part of) another program. A virus cannot run by itself; it requires that its host
program be run to make the virus active.
Worm
A computer program that can run independently, can propagate a complete
working version of itself onto other hosts on a network, and may consume
computer resources destructively.
Malicious SW Attacks
41. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Data Breaches
Data Loss
Account Hijacking
Insecure APIs
Denial of Service
Malicious Insiders
Abuse of Cloud Services
Insufficient Due Diligence
Shared Technology Issues
The Notorious Nine
Cloud Computing Top Threats in 2013
Source : Cloud Security Alliance
42. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Castle in Middle Ages
Location with natural
obstacles
Surrounding moat
Drawbridge
Heavy walls
Strong gate
Tower
Guards
Computers Today
Encryption
Software controls
Hardware controls
Policies and procedures
Multiple controls – physical and
computational
System perimeter – defines
inside/outside
Pre-emption – attacker scared away
Deterrence – attacker could not
overcome defences
Faux environment – attack deflected
towards a worthless target
Tenets of Security Defence
and Control
43. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Policy vs. Procedure
Policy: What is/what is not allowed
Procedure: How you enforce policy
Policy - must consider
Alignment with users’ legal and ethical standards
Probability of use
Inconvenient: 200 character password, change
password every week
Periodic reviews
A given control usually becomess less effective with time
Need to replace ineffective/inefficient controls with
better ones
Advantages of policy and procedural controls
Can replace hardware, software controls
Can be least expensive
Tenets of Security Control
44. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Prevent attack
Block attack / Close vulnerability
Deter attack
Make attack harder (can’t make
it impossible )
Detect attack
During or after
Deflect attack
Make another target more
attractive than this target
Recover from attack
Security
Methods of Defence
IT Defense consists of:
Encryption
Software controls
Hardware controls
Policies
Physical controls
45. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Security Life Cycle
Analyze Threats
Policy
Specification
Design
Implementation
Operation and Maintenance
Governance
46. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Security Analysis Process
Identify Assets
Which assets are we trying to protect?
What properties of these assets must be
maintained?
Identify Threats
What attacks can be mounted?
What other threats are there (natural
disasters, etc.)?
Identify Countermeasures
How can we counter those attacks?
Independent Analysis
46
47. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Cloud Provisioning Services
Cloud Data Storage Services
Cloud Processing Infrastructure
Cloud Support Services
Cloud Network and Perimeter
Security
Elastic Elements: Storage,
Processing, and Virtual Networks
Cloud Security Components
48. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Organize Threats – STRIDE Model
Spoofing identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege
48
49. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Legal
Functional
Which functions & services in the Cloud have
legal implications for both parties
Jurisdictional
Which governments administer laws and
regulations impacting services, stakeholders,
data assets
Contractual
Terms & conditions
49
50. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Governance
Identify, implement process, controls to
maintain effective governance, risk mgt,
compliance
Provider security governance should be
assessed for sufficiency, maturity, consistency
50
51. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Tiered Cloud Security Handling
Framework
Physical Infrastructure
Tenant
#2
APP
OS
APP
OS
Virtual Infrastructure
Physical Infrastructure
Cloud Provider
APP
OS
APP
OS
Virtual Infrastructure
Tenant
#1
Insulate
information from
cloud providers’
employees
Insulate
information
from other
tenants
Insulate infrastructure
from Malware, Trojans
and cybercriminals
Segregate and
control user
access
Control and
isolate VM in the
virtual
infrastructure
Federate
identities with
public clouds
Identity
federation
Virtual
network
security
Access
Mgmt
Cybercrime
intelligence
Strong
authentication
Data loss
prevention
Encryption &
key mgmt
Tokenization
Governance
Anti-malware
Enable end to end view of security events and compliance and control across
infrastructures
52. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
CCSK - Cloud Security Alliance Certifications
CISSP – (ISC)2
CPTC – Certified Penetration Testing Consultant
CPTE – Certified Penetration Testing Engineer
CompTIA – Security+
CSTA – Certified Security Testing Associate
GPEN – GIAC Certified Penetration Tester
OSCP – Offensive Security Certified Professional
CEH – Certified Ethical Hacker
ECSA – EC-Council Certified Security Analyst
CEPT – Certified Expert Penetration Tester
Security Certifications
Source : http://www.concise-courses.com/security/certifications-list/
53. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Bottom Line
Engage in full risk management process
for each case
For small and medium organizations
Cloud security may be a big improvement!
Cost savings may be large (economies of scale)
For large organizations
Already have large, secure data centers
Main sweet spots:
Elastic services
Internet-facing services
Employ countermeasures
53
54. © 2010. All rights reserved.
Cloud Computing and Security
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Take-Aways
Policy defines security and
mechanisms enforce security
Confidentiality
Integrity
Availability
Trust and knowing assumptions
Importance of assurance
The human factor
55. © Venkateswar Reddy Melachervu 2013. All rights reserved.
Cloud Computing and Safety
Let’s Secure Cloud!
20th July 2013
Venkateswar Reddy Melachervu
Associate Vice President – IT
www.linkedin.com/in/vmelachervu
vmelachervu@gmail.com
In God we trust; All others, we virus scan
Thank You
“…dare to dream; care to win…”