What is the current state of the art in cloud security? By: Muhammad Nadeem mn338@msstate.edu
Acknowledgements • Dr. Edward B. Allen for his guidelines
References • Bernd Grobauer, Tobias Walloschek and Elmar Stocker, “Understanding Cloud Computing Vulnerabilities”, IEEE Journal of Security and Privacy, vol. 9, no. 2, Apr. 2011, pp. 50-57. • Cloud computing webcasts hosted on: http://www.brighttalk.com
Contents • Basic terminology • Cloud specific vulnerabilities • Core technology vulnerabilities • Essential cloud characteristic vulnerabilities • Vulnerabilities in standard security controls • Prevalent vulnerabilities in State-of-the-Art cloud offerings • Conclusion • Discussion
Vulnerability • Probability that an asset will be unable to resist actions of a threat agent • Is there any “cloud-specific” vulnerability? • If so, certain factors in cloud computing’s nature must make a vulnerability cloud-specific.
Cloud-Specific Vulnerabilities • A vulnerability is cloud specific if: • It is intrinsic to or prevalent in a core cloud computing technology • It has its root cause in one of NIST’s essential cloud characteristics • It is caused when cloud innovations make tried-and-tested security controls difficult to implement • It is prevalent in established state-of-the-art cloud offerings
Core Cloud Computing Technologies
• Web applications and services
  • SaaS offerings are typically implemented as Web applications
  • PaaS offerings provide development and runtime environments for Web apps
  • For IaaS offerings, administrators typically implement associated services and APIs (e.g., management access for customers) using Web application/service technologies
• Virtualization
  • IaaS technologies have virtualization techniques at their very heart
  • Because PaaS and SaaS services are usually built on top of a supporting IaaS infrastructure, the importance of virtualization also extends to these service models
• Cryptography
  • Many cloud computing security requirements are solvable only by using cryptographic techniques
Essential Characteristics
• On-demand self-service. Users can order and manage services without human interaction using a Web portal and management interface. Provisioning and de-provisioning of services and associated resources occur automatically at the provider.
• Ubiquitous network access. Cloud services are accessed via the network, using standard mechanisms and protocols.
• Resource pooling. Computing resources used to provide the cloud service are realized using a homogeneous infrastructure that's shared between all service users.
• Rapid elasticity. Resources can be scaled up and down rapidly and elastically.
• Measured service. Resource/service usage is constantly metered, supporting optimization of resource usage, usage reporting, and pay-as-you-go business models.
Source: US National Institute of Standards and Technology (NIST)
Core-Technology Vulnerabilities
• The core technologies (Web applications and services, virtualization, and cryptography) have vulnerabilities that are either intrinsic to the technology or prevalent in it.
• Examples
  • Virtual machine escape
  • Session hijacking
  • Insecure/obsolete cryptography
• Virtualization vulnerabilities (virtual machine escape)
  • The possibility that an attacker might successfully escape from a virtualized environment lies in virtualization's very nature. Hence, we must consider this vulnerability as intrinsic to virtualization and highly relevant to cloud computing.
Core-Technology Vulnerabilities
• Web application technology vulnerabilities (session hijacking)
  • HTTP is a stateless protocol, whereas Web applications require some notion of session state.
  • Session handling implementations are vulnerable to session riding and session hijacking.
  • Such vulnerabilities are certainly relevant for cloud computing.
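As an added illustration (not from the slides), a minimal session handler shows the two controls this slide implies: an unguessable session id issued fresh at login and carried in an HttpOnly/Secure/SameSite cookie (against hijacking), plus a per-session CSRF token checked on every state-changing request (against session riding, i.e. cross-site request forgery). The in-memory store and function names are assumptions:

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store (hypothetical; not from the slides).
SESSIONS = {}  # session id -> {"user": str, "csrf": str}


def create_session(user: str) -> str:
    """Issue a fresh, unguessable session id at login.

    Never reuse an id the client supplied before authenticating (fixation)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value that keeps the id away from scripts (HttpOnly),
    off plain HTTP (Secure) and out of cross-site requests (SameSite)."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


def authorize_state_change(cookie_header: str, csrf_token: str) -> bool:
    """A state-changing request needs a valid session cookie AND the
    per-session CSRF token. A cross-site request can make the browser
    attach the cookie, but it cannot read or forge the token."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return False
    sess = SESSIONS.get(c["sid"].value)
    if sess is None:
        return False
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(sess["csrf"], csrf_token)
```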
Core-Technology Vulnerabilities
• Cryptographic vulnerabilities (insecure/obsolete cryptography)
  • Advances in cryptanalysis can render any cryptographic mechanism or algorithm insecure.
  • It's common to find crucial flaws in cryptographic algorithm implementations.
  • Because uptake of cloud computing is unthinkable without the use of cryptography, insecure or obsolete cryptography vulnerabilities are highly relevant for cloud computing.
Essential Cloud Characteristic Vulnerabilities
• NIST describes five essential cloud characteristics: on-demand self-service, ubiquitous network access, resource pooling, rapid elasticity, and measured service.
• Following are examples of vulnerabilities with root causes in one or more of these characteristics:
  • Unauthorized access to management interface
  • Internet protocol vulnerabilities
  • Data recovery vulnerability
  • Metering and billing evasion
Essential Cloud Characteristic Vulnerabilities • Unauthorized access to management interface • The cloud characteristic on-demand self-service requires a management interface that's accessible to cloud service users. • Unauthorized access to the management interface is a relevant vulnerability for cloud systems. • The probability that unauthorized access could occur is much higher than for traditional systems, where the management functionality is accessible only to a few administrators.
Essential Cloud Characteristic Vulnerabilities • Internet protocol vulnerabilities • The cloud characteristic ubiquitous network access means that cloud services are accessed via the network using standard protocols. • In most cases, this network is the Internet, which must be considered untrusted. • Internet protocol vulnerabilities (e.g., man-in-the-middle attacks) are therefore relevant for cloud computing.
Essential Cloud Characteristic Vulnerabilities • Data recovery vulnerability • The cloud characteristics of pooling and elasticity entail that resources allocated to one user will be reallocated to a different user at a later time. • For memory or storage resources, it might therefore be possible to recover data written by a previous user.
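As an added example (constructed, not from the slides), a toy block pool shared by tenants shows the data recovery vulnerability this slide describes: a block released by one tenant is handed to the next, who can read what is left in it unless the pool sanitizes on release. Class and tenant names are assumptions:

```python
class BlockPool:
    """Constructed model of a pooled storage resource reallocated between
    tenants (hypothetical; not a real provider's allocator)."""

    def __init__(self, n_blocks: int, block_size: int, sanitize_on_release: bool):
        self.block_size = block_size
        self.blocks = [bytearray(block_size) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))   # indices available for allocation
        self.owner = {}                     # block index -> tenant
        self.sanitize_on_release = sanitize_on_release

    def _check(self, tenant: str, idx: int) -> None:
        # Access control on the *current* owner is in place, yet it says
        # nothing about data the previous owner left behind.
        if self.owner.get(idx) != tenant:
            raise PermissionError(f"{tenant} does not own block {idx}")

    def allocate(self, tenant: str) -> int:
        idx = self.free.pop(0)
        self.owner[idx] = tenant
        return idx

    def write(self, tenant: str, idx: int, data: bytes) -> None:
        self._check(tenant, idx)
        self.blocks[idx][:len(data)] = data

    def read(self, tenant: str, idx: int) -> bytes:
        self._check(tenant, idx)
        return bytes(self.blocks[idx])

    def release(self, tenant: str, idx: int) -> None:
        self._check(tenant, idx)
        if self.sanitize_on_release:
            # Overwrite before the block can be reallocated (the mitigation).
            self.blocks[idx][:] = bytes(self.block_size)
        del self.owner[idx]
        self.free.append(idx)


def leaked_bytes(sanitize: bool) -> bytes:
    """Tenant A stores a secret and releases the block; tenant B is then
    allocated the same block and reads it before writing anything."""
    pool = BlockPool(n_blocks=1, block_size=32, sanitize_on_release=sanitize)
    blk = pool.allocate("tenant-A")
    pool.write("tenant-A", blk, b"db-password=hunter2")   # constructed secret
    pool.release("tenant-A", blk)
    blk_again = pool.allocate("tenant-B")
    return pool.read("tenant-B", blk_again).rstrip(b"\x00")
```

Real providers address this with zero-on-allocate or zero-on-release policies and, for storage, with per-tenant encryption keys that are discarded at release.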
Essential Cloud Characteristic Vulnerabilities • Metering and billing evasion • The cloud characteristic of measured service means that any cloud service has a metering capability at an abstraction level appropriate to the service type (such as storage, processing, and active user accounts). • Metering data is used to optimize service delivery as well as billing. Relevant vulnerabilities include metering and billing data manipulation and billing evasion.
Defects in Known Security Controls • Vulnerabilities in standard security controls must be considered cloud specific if cloud innovations directly cause the difficulties in implementing the controls. • Insufficient network-based controls in virtualized networks • Key management challenges • Nonexistence of cloud security metrics
Defects in security controls
• Insufficient network-based controls in virtualized networks
  • Virtualized networks offer insufficient network-based controls.
  • Administrative access to IaaS network infrastructure and the ability to tailor the network infrastructure are typically limited.
  • Standard controls such as IP-based network zoning can't be applied.
  • Techniques such as network-based vulnerability scanning are usually forbidden by IaaS providers (friendly scans can't be distinguished from attacker activity).
  • Network traffic occurs on both real and virtual networks, such as when two virtual machine environments (VMEs) hosted on the same server communicate.
  • Such issues constitute a control challenge because tried-and-tested network-level security controls might not work in a given cloud environment.
Defects in security controls • Key management challenges • The second challenge is poor key management procedures. • According to a European Network and Information Security Agency (ENISA) study, cloud computing infrastructures require management and storage of many different kinds of keys. • Because virtual machines don't have a fixed hardware infrastructure and cloud-based content is often geographically distributed, it's more difficult to apply standard controls, such as hardware security module (HSM) storage, to keys on cloud infrastructures.
Defects in security controls • Nonexistence of cloud security metrics • Security metrics aren't adapted to cloud infrastructures. • Currently, there are no standardized cloud-specific security metrics that cloud customers can use to monitor the security status of their cloud resources. • Until such standard security metrics are developed and implemented, controls for security assessment, audit, and accountability are more difficult and costly, and might even be impossible to employ.
Prevalent Vulnerabilities in State-of-the-Art Cloud Offerings • If a vulnerability is prevalent in state-of-the-art cloud offerings, it must be regarded as cloud-specific. • Injection vulnerabilities are exploited by manipulating service or application inputs to interpret and execute parts of them against the programmer’s intentions. • SQL injection, in which the input contains SQL code that’s erroneously executed in the database back end; • Command injection, in which the input contains commands that are erroneously executed via the OS; and • Cross-site scripting, in which the input contains JavaScript code that’s erroneously executed by a victim’s browser.
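As an added example (not from the slides), the SQL injection case from this slide in its smallest form: the same lookup written so that input is spliced into the SQL text, and written so that input travels as a bound parameter and can never be interpreted as SQL. The in-memory SQLite table and its rows are constructed sample data:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table (hypothetical data, not from the slides)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s1"), ("bob", "s2")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """Input becomes part of the SQL text, so quote characters in it
    change the statement the database executes (the defect)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    """Input is passed as a bound parameter: the statement is parsed
    first, the value is attached afterwards as data only (the fix)."""
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]
```

The same separation of code from data is the fix for the other two cases on the slide: pass OS commands as argument lists rather than shell strings, and HTML-escape or templating-escape anything rendered into a page.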
Prevalent Vulnerabilities in State-of-the-Art Cloud Offerings • In addition, many widely used authentication mechanisms are weak. • Insecure user behavior (choosing weak passwords, reusing passwords, and so on) • Limitations of one-factor authentication mechanisms • Credential interception and replay
Examples: virtual images • Vulnerabilities may spread by cloning virtual machine images • Attacker may rent a virtual server to analyze vulnerabilities and later attack other customers
Examples: DoS by account lockout • Several unsuccessful authentication attempts might lock out the web-based management interface
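As an added example (constructed, not from the slides), two failed-login policies for a management interface side by side: a plain per-account lockout, which lets anyone who knows a username deny that user access, and a per-source exponential backoff that slows the flooding source without locking the account. Class names and the sample addresses are assumptions:

```python
class AccountLockout:
    """Locks the account after max_failures bad passwords, regardless of
    who sent them: anyone who knows a username can lock its owner out."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures = {}  # username -> consecutive failures

    def record_failure(self, user: str) -> None:
        self.failures[user] = self.failures.get(user, 0) + 1

    def may_attempt(self, user: str) -> bool:
        return self.failures.get(user, 0) < self.max_failures


class SourceThrottle:
    """Exponential backoff keyed by (source, username) instead of a global
    lock: a flood from one source slows that source only, and the real
    user logging in from elsewhere is unaffected."""

    def __init__(self, base_delay: float = 1.0, max_delay: float = 300.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = {}       # (source, user) -> consecutive failures
        self.blocked_until = {}  # (source, user) -> earliest next attempt

    def record_failure(self, source: str, user: str, now: float) -> None:
        key = (source, user)
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        # 1s, 2s, 4s, ... capped at max_delay.
        delay = min(self.max_delay, self.base_delay * 2 ** (n - 1))
        self.blocked_until[key] = now + delay

    def record_success(self, source: str, user: str) -> None:
        self.failures.pop((source, user), None)
        self.blocked_until.pop((source, user), None)

    def may_attempt(self, source: str, user: str, now: float) -> bool:
        return now >= self.blocked_until.get((source, user), 0.0)
```

Per-source throttling on its own does not stop a flood spread over many sources; in practice it is combined with a second factor, anomaly alerts to the account owner, or a challenge step rather than a hard lock.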
Examples: Cryptographic problems • Random number generation draws on hardware resources • Random number generation inside virtual machines is weak • Multiple virtual machines running on the same hardware impose limitations on random number generation
Examples: Insufficient logging and monitoring • Currently there are no standards or mechanisms to give cloud customers logging and monitoring facilities • Logging and monitoring are usually centrally managed by the service provider
Examples: Data destruction • Data destruction policies at the end of the life cycle may require physical disk destruction • This might not be possible in cloud computing, as physical disk may be in use by other tenants
Examples: Communication • In IaaS offerings, customers may share certain network infrastructure components • Vulnerabilities in these shared infrastructure components might enable network-based cross tenant attacks • Implications of “real” vs. “virtual” network traffic
Conclusion • Many cloud-specific vulnerabilities and challenges • Solutions and technologies are emerging • There is a long way to go to adequately secure clouds