
Cloudy Security


Presentation Transcript


  1. Cloudy Security Kia Manoochehri

  2. Outline
  • Background
  • Threat Classification
  • Traditional Threats
  • Availability of cloud services
  • Third-Party Control
  • The “Notorious Nine”
  • Contractual Obligations

  3. What is “security”?
  • Security: “freedom from risk and danger”
  • In Computer Science we define security as “the ability of a system to protect information and system resources with respect to confidentiality and integrity”

  4. What is “security”?
  • Three core areas:
  • Confidentiality
  • Integrity
  • Authentication

  5. What is “security”?
  • Some other security concepts:
  • Access Control
  • Nonrepudiation
  • Availability
  • Privacy

  6. Background
  • Cloud Service Providers (CSPs) provide a “target rich environment”
  • Consolidation of information draws potential attackers
  • Potential problem areas in the field of Cloud Computing aren’t transparent

  7. Threat Classification
  • Three broad classifications:
  • Traditional Threats
  • Availability Threats
  • Third-Party Control Threats

  8. Traditional Threats (User)
  • Any time a computer is connected to the internet it is at risk…
  • When we are dealing with Cloud based applications, these threats are amplified
  • Question of responsibility: User vs Provider

  9. Traditional Threats (User)
  • Authorization and Authentication
  • Individual access vs enterprise access
  • One solution would be to have tiered access
  • Not every user is created equal!
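The tiered-access idea from the slide above, worked through as an added example (not code from the presentation): each principal holds one tier per tenant, every action names the minimum tier it needs, and anything not explicitly granted is denied. The tier names, actions and sample principals are constructed for illustration.

```python
"""Tiered access control for a multi-tenant cloud application (added example)."""
from dataclasses import dataclass, field

# Ordered tiers: a higher index carries more privilege (constructed for this example).
TIERS = ("viewer", "editor", "admin")

# Minimum tier required per action (constructed policy table).
# Individual users typically hold viewer/editor; enterprise operators hold admin.
REQUIRED_TIER = {
    "read_document": "viewer",
    "edit_document": "editor",
    "delete_document": "admin",
    "manage_users": "admin",
}


@dataclass
class Principal:
    name: str
    # tenant -> tier; one principal may sit at different tiers in different tenants
    tiers: dict = field(default_factory=dict)


def tier_rank(tier: str) -> int:
    """Position of a tier in the ordering; raises ValueError for an unknown tier."""
    return TIERS.index(tier)


def is_allowed(principal: Principal, tenant: str, action: str) -> bool:
    """Deny by default: unknown action, no tier in that tenant, or tier too low."""
    required = REQUIRED_TIER.get(action)
    held = principal.tiers.get(tenant)
    if required is None or held is None or held not in TIERS:
        return False
    return tier_rank(held) >= tier_rank(required)


def audit_decision(principal: Principal, tenant: str, action: str) -> str:
    """One log line per decision so denied attempts are visible to the operator."""
    verdict = "ALLOW" if is_allowed(principal, tenant, action) else "DENY"
    return f"{verdict} principal={principal.name} tenant={tenant} action={action}"


def demo() -> list:
    """Constructed principals: an individual user and an enterprise admin."""
    alice = Principal("alice", {"acme": "viewer"})
    bob = Principal("bob", {"acme": "admin", "globex": "editor"})
    checks = [(alice, "acme", "read_document"), (alice, "acme", "edit_document"),
              (bob, "acme", "delete_document"), (bob, "globex", "delete_document"),
              (bob, "initech", "read_document"), (bob, "acme", "format_disk")]
    return [audit_decision(p, t, a) for p, t, a in checks]
```

Note that the admin tier in one tenant grants nothing in another, and an action missing from the policy table is denied rather than silently allowed.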

  10. Traditional Threats (Cloud)
  • Distributed Denial of Service attacks (DDoS)
  • SQL Injection
  • Phishing
  • Cross-Site Scripting

  11. Traditional Threats (Cloud)
  • Digital forensics cannot be applied to the cloud
  • Difficult to trace where an attack is from
  • Virtual Machine vulnerabilities extend to the cloud as well

  12. Availability Threats
  • System failures
  • http://www.forbes.com/sites/anthonykosner/2012/06/30/amazon-cloud-goes-down-friday-night-taking-netflix-instagram-and-pinterest-with-it/
  • Amazon’s Elastic Compute Cloud (EC2) in North Virginia goes down due to lightning
  • Netflix, Instagram, and Pinterest were down for at least a few hours

  13. Third Party Control Threats
  • Problem stems from CSP outsourcing certain aspects of their operation
  • How does this affect
  • Introduces more points of entry and vulnerability to the Cloud

  14. “The Notorious Nine”
  • In 2010 the Cloud Security Alliance (CSA) defined 7 major threats to Cloud Computing
  • February 2013 yielded their “Notorious Nine” list
  • 9 major threats in Cloud Computing

  15. “The Notorious Nine”
  • Data Breaches
  • Currently the biggest threat
  • The solution is encryption… but what if you lose the key?
  • Backing up the data is not viable either
  • Example: Epsilon

  16. “The Notorious Nine”
  • Data Loss
  • Malicious deletion
  • Accidental deletion by CSP
  • Physical catastrophe
  • Loss of the encryption key
  • Compliance policies require audit records
  • Example: Mat Honan

  17. “The Notorious Nine”
  • Account/Service Hijacking
  • Phishing, fraud, software exploits
  • Organizations should be proactive
  • Two-Factor authentication
  • Example: XSS attack on Amazon

  18. “The Notorious Nine”
  • Insecure Interfaces and APIs
  • Any vulnerability in an API bleeds over
  • Can affect security and availability
  • Partially falls on the consumer

  19. “The Notorious Nine”
  • Denial of Service
  • From the user end… most frustrating
  • Can cost cloud users $$$
  • Makes the user doubt the cloud

  20. “The Notorious Nine”
  • Malicious Insiders
  • Straightforward
  • Systems that depend only on the CSP for security are at greatest risk
  • If data-usage encryption is used, the data is still vulnerable during storage

  21. “The Notorious Nine”
  • Abuse of Cloud Services
  • Using CSP for malicious purposes
  • Hacking encryption keys via cloud
  • DDoS attacks via cloud
  • Problems of detection arise

  22. “The Notorious Nine”
  • Insufficient Due Diligence
  • Insufficient user experience
  • Unknown levels of risk when using CSP
  • Design and architecture issues for devs
  • Countered by: capable resources; extensive internal understanding of risks

  23. “The Notorious Nine”
  • Shared Technology Vulnerabilities
  • CPU caches, GPUs are not designed to be isolated
  • A single vulnerability can lead to an entire environment being compromised

  24.
  • Buffer Overflow
  • SQL Injection
  • Privilege escalation
  • DDoS attacks
  • SSL Certificate spoofing
  • Attacks on browser caches
  • Phishing attacks
  • Limiting resources
  • Privilege-related attacks
  • Data Distortion
  • Injecting additional operations

  25. Contractual Obligations
  • Goal is to minimize the security risks
  • Contract between the CSP and user should:
  • State CSP obligations to handle sensitive information securely and its compliance with privacy laws
  • Spell out CSP liability for mishandling information
  • Spell out CSP liability for data loss
  • Spell out rules governing ownership of data
  • Specify the geographical regions where information and backups can be stored

  26. Cloudy Security Kia Manoochehri
