270 likes | 432 Views
Cloudy Security. Kia Manoochehri. Outline. Background Threat Classification Traditional Threats Availability of cloud services Third-Party Control The “Notorious Nine” Contractual Obligations. What is “security”?. Security: “freedom from risk and danger”
E N D
Cloudy Security Kia Manoochehri
Outline • Background • Threat Classification • Traditional Threats • Availability of cloud services • Third-Party Control • The “Notorious Nine” • Contractual Obligations
What is “security”? • Security: “freedom from risk and danger” • In Computer Science we define security as… • “the ability of a system to protect information and system resources with respect to confidentiality and integrity”
What is “security”? • Three core areas • Confidentiality • Integrity • Authentication
What is “security”? • Some other security concepts • Access Control • Nonrepudiation • Availability • Privacy
Background • Cloud Service Providers (CSP) provide a “target rich environment” • Consolidation of information draws potential attackers • Potential problematic areas in the field of Cloud Computing aren’t transparent.
Threat Classification • Three broad classifications • Traditional Threats • Availability Threats • Third-Party Control Threats
Traditional Threats (User) • Anytime a computer is connected to the internet they are at risk… • When we are dealing with Cloud based applications we are amplifying these threats • Question of responsibility • User vs Provider
Traditional Threats (User) • Authorization and Authentication • Individual access vs enterprise access • One solution would be to have tiered access • Not every user is created equal!
Traditional Threats (Cloud) • Distributed Denial of Service attacks (DDoS) • SQL Injection • Phishing • Cross-Site Scripting
Traditional Threats (Cloud) • Digital forensics cannot be applied to the cloud • Difficult to trace where an attack is from • Virtual Machine vulnerabilities extend to the cloud as well
Availability Threats • System failures • http://www.forbes.com/sites/anthonykosner/2012/06/30/amazon-cloud-goes-down-friday-night-taking-netflix-instagram-and-pinterest-with-it/ • Amazon’s Elastic Compute Cloud (EC2) in North Virginia goes down due to lightning. • Netflix, Instagram, and Pintrest were down for at least a few hours.
Third Party Control Threats • Problem stems from CSP outsourcing certain aspects of their operation • How does this affect • Introduces more points of entry and vulnerability to the Cloud
“The Notorious Nine” • In 2010 the Cloud Security Alliance (CSA) had defined 7 major threats to Cloud Computing • February 2013 yielded their “Notorious Nine” list • 9 major threats in Cloud Computing
“The Notorious Nine” • Data Breaches • Currently the biggest threat • The solution is encryption… but • What if you lose the key? • Backing up the data is not viable either • Example: Epsilon
“The Notorious Nine” • Data Loss • Malicious deletion • Accidental deletion by CSP • Physical catastrophe • Loss of the encryption key • Compliance policies require audit audit records • Example: Mat Honan
“The Notorious Nine” • Account/Service Hijacking • Phishing, fraud, software exploits • Organizations should be proactive • Two-Factor authentication • Example: XSS attack on Amazon
“The Notorious Nine” • Insecure Interfaces and APIs • Any vulnerability in an API bleeds over • Can effect security and availability • Partially falls on the consumer
“The Notorious Nine” • Denial of Service • From the user end… most frustrating • Can cost cloud users $$$ • Makes the user doubt the cloud
“The Notorious Nine” • Malicious Insiders • Straightforward • Systems that only depends on the CSP for security are at greatest risk • If data-usage encryption is used thedata is still vulnerable during storage
“The Notorious Nine” • Abuse of Cloud Services • Using CSP for malicious purpose • Hacking encryption keys via cloud • DDoS attacks via cloud • Problems of detection arise
“The Notorious Nine” • Insufficient Due Diligence • Insufficient user experience • Unknown levels of risk when using CSP • Design and architecture issues for devs • Countered by: • Capable resources • Extensive internal understanding of risks
“The Notorious Nine” • Shared Technology Vulnerabilities • CPU caches, GPUs are not designed tobe isolated • A single vulnerability can lead to an entire environment being compromised
Buffer Overflow SQL Injection Privilege escalation DDoS attacks SSL Certificate spoofing Attacks on browser caches Phishing attacks Limiting resources Privilege-related attacks Data Distortion Injecting additional operations
Contractual Obligations • Goal is to minimize the security risks • Contract between the CSP and user should: • State CSP obligations to handle securely sensitive information and it’s compliance to privacy laws • Spell out CSP liability for mishandling information • Spell out CSP liability for data loss • Spell out rules governing ownership of data • Specify the geographical regions where information and backups can be stored.
Cloudy Security Kia Manoochehri