1 / 43

Security in Cloud Computing: Issues and Opportunities for Businesses and Governments

Security in Cloud Computing: Issues and Opportunities for Businesses and Governments. Toni Draganov Stojanovski University for Information Science and Technology "St. Paul the Apostle", Ohrid , Macedonia

nguyet
Download Presentation

Security in Cloud Computing: Issues and Opportunities for Businesses and Governments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security in Cloud Computing: Issues and Opportunities for Businesses and Governments Toni Draganov Stojanovski University for Information Science and Technology "St. Paul the Apostle", Ohrid, Macedonia NATO Advanced Research Workshop “Best Practices and Innovative Approaches to Develop Cyber Security and Resiliency Policy Framework”, Ohrid, Macedonia, 10-12 June 2013

  2. Holy Grail of CIO Cloud Computing? Image source: https://www.link-assistant.com/blog/technology-news-sites-are-the-link-building-holy-grail/ A way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software.

  3. Hype Cloud computing Roadblocks

  4. Compelling economic case Security Issues (Old) Security Issues (New)

  5. Security Issues (Old) Security Issues (New) Compelling economic case

  6. Overview Image source: http://www.infraserve.com.au/resources/what-is-cloud-computing.aspx Definition, Model, Architecture The rationale Main obstacles/Security issues Human Factor Solutions

  7. Definition Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST Zero CAPEX Controlled OPEX

  8. Cloud Service Models • Software as a Service (SaaS) – Use provider’s applications over a network • : Google Apps, Microsoft Office 365, Salesforce • Platform as a Service (PaaS) – Deploy customer-created applications to a computing platform: OS, DB, and web server. • Google App Engine, Windows Azure Cloud Services • Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources • Amazon EC2, Azure Services Platform, Google Compute Engine

  9. Cloud Deployment Models Private cloud: enterprise owned or leased Community cloud: shared infrastructure for specific community Public cloud: sold to the public, mega-scale infrastructure Hybrid cloud: composition of two or more cloud types

  10. Essential Cloud Characteristics On-demand self-service Broad network access Resource pooling Location independence Rapid elasticity Measured service

  11. Overview Image source: http://www.infraserve.com.au/resources/what-is-cloud-computing.aspx Definition, Model, Architecture The rationale Main obstacles/Security issues Human Factor Solutions

  12. Why rush into cloud computing? Info.Apps.gov is a place where agencies can gather information about how Cloud Computing can help create sustainable, more cost-effective IT Services for the Federal Government. Federal IT budget 2013: $82B $$$ Federal CIO VivekKundra (2009-2011): “The government spends a quarter of its $80 billion annual IT budget on basic infrastructure such as hardware, software, electricity, and personnel. … shifting to the cloud could significantly lower those costs.”

  13. The cloud market value • US$58.6B in 2009 • US$68B in 2010 • Will reach US$148B by 2014 • Source • Frank Gens, Robert P Mahowald and Richard L Villars, IDC Cloud Computing 2010.

  14. Right strategy? Right time? Hype Cycle Image source: http://www.gartner.com/technology/research/methodologies/hype-cycle.jsp Mature technologies approach a feasible level for developing products and service In periods of economic challenges, businesses look to cut costs and open up possibilities to gain competitive advantages. Governments also see an opportunity to cut costs and add to their agility.

  15. Benefits of Cloud Image source: http://www.weforum.org/pdf/ip/ittc/Exploring-the-future-of-cloud-computing.pdf

  16. Excitement andConcerns Source: Grant Gross. “Microsoft Calls for Cloud Computing Transparency.” IDG News, Jan. 2010. http://www.pcworld.com/article/187294/microsoft_calls_for_cloud_computing_transparency.html 58% of the general population and 86% of senior business leaders are excited about the potential of cloud computing. > 90% of these same people are concerned about the security, access, and privacy of their own data in the cloud. Security is management’s number one concern

  17. Any analogy between physical world and cyberworld is a fraud?

  18. Overview Image source: http://www.infraserve.com.au/resources/what-is-cloud-computing.aspx Definition, Model, Architecture The rationale Main obstacles/Security issues Human Factor Solutions

  19. Roadblocks: What’s holding cloud computing back? Source: Cloud Computing Survey 2009, World Economic Forum and Accenture

  20. Key Issues with Cloud Computing Security Source: http://www.cspri.seas.gwu.edu/Seminar%20Abstracts%20and%20Papers/CloudComputingLumley.pdf Shared responsibility for securing the infrastructure Transparency into provider’s security management Penetration testing Vendor lock-in Gather forensic evidence Hypervisor vulnerabilities Side channel and covert channel Reputation fate-sharing Legal support

  21. Issue #1: Who is responsible for security? Source: http://www.cspri.seas.gwu.edu/Seminar%20Abstracts%20and%20Papers/CloudComputingLumley.pdf The responsibility for securing the infrastructure is a shared responsibility between the provider and the user of cloud services.

  22. Issue #2: Transparency into cloud services provider’s security management • Reduced ability to thoroughly analyze the security and continuity risks, and to verify the security measures and processes of cloud computing services. • Third-party certifications are immature and unable to address all aspects of cloud computing risk. • FedRAMP has been established to provide a standard approach to Assessing and Authorizing cloud computing services and products. FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use.

  23. Issue #3: Penetration testing Penetration testing (pentest) evaluates the security of a computer system or network. We must be able to conduct a pentestin a cloud computing environment without causing loss of cloud service

  24. Issue #4: Vendor lock-in • Possibility for vendor lock-in due to • the proprietary nature of many cloud provider services • a cloud provider can go out of business • Solutions: • SLAs and other contractual arrangements can provide effective protection. • Use cloud services based on open source and industry standards

  25. Issue #5: Gathering forensic evidence Intrusions happen! The only system that is truly secure is one that is switched off and unplugged, locked in a titanium lines safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it. Gene Spafford (alt.security FAQs)

  26. Issue #5: Gathering forensic evidence • How do we gather forensic evidence when the cloud instance becomes a crime scene? • Elastic Block Storage (from Amazon) allows the launching of a virtual machine image from a virtual storage area network (SAN). (IaaS) • Things get more complicated as we move up to the PaaS and SaaSlevels

  27. Issue #6: Hypervisor vulnerabilities Hypervisor is a low-level operating system layer which allows multiple operating systems to run concurrently on a host computer. It presents virtual hardware to the software running above the hypervisor layer.

  28. Issue #6: Hypervisor vulnerabilities NEW New technology = new risks, new vulnerabilities Hypervisor breach = one virtual machine customer can gain access to the data of a different customer

  29. Issue #7: Side channel and covert channel NEW • An attacker VM is placed on the same physical machine as a targeted VM • The activity of one cloud user might appear visible to other cloud users using the same resources, potentially leading to the construction of covert and side channels. • Similar to SSH Keystroke Timing Attack • Aim: Design cloud servers that optimise performance and power without leaking information

  30. Issue# 8: Reputation fate-sharing • Cloud users benefit from a concentration of security expertise at major cloud providers, ensuring that the entire ecosystem employs security best practices. • A single subverter can disrupt many users. • Spammers subverted EC2 and caused Spamhaus to blacklist a large fraction of EC2’s IP addresses • FBI raided on Texas datacenters in April 2009, based on suspicions of the targeted datacenters facilitating cybercrimes. The agents seized equipment, and many businesses co-located in the same datacenters faced business disruptions or even complete business closures.

  31. Issue# 8: Reputation fate-sharing NEW • Cloud usersrun brute forcers, botnets, or spam campaigns from the cloud; • Cloud providersscan cloud users’ data and sell confidential information to the highest bidder • Solution: Mutual auditability • Reassures both cloud users and providers that the other is acting in a fashion that is both benign and correct • Can assist with incident response and recovery • Enables the attribution of blame in search and seizure incidents

  32. Mutual auditability • Enable cloud providers in search and seizure incidents to demonstrate • to law enforcement that they have turned over all relevant evidence, • to users that they have turned over only the necessary evidence and nothing more. • A third-party auditor requires a setup quite different than today’s practice, in which cloud providers record and maintain all the audit logs.

  33. Issue #9: Legal support NEW • Email eavesdropping: • System administrator can be prosecuted for incorrect setting of server’s parameters • You can imagine the legal support for security issues in cloud computing! • NIST Cloud Computing Program • Accelerate the Federal government’s adoption of cloud computing • http://www.nist.gov/itl/cloud

  34. NIST Cloud Computing Related Publications NIST Special Publication 500 Series:NIST Special Publication 500-291, NIST Cloud Computing Standards Roadmap, July 2011NIST Special Publication 500-292, NIST Cloud Computing Reference Architecture, September 2011NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume I High-Priority Requirements to Further USG Agency Cloud Computing Adoption, November 2011NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume II Useful Information for Cloud Adopters, November 2011 NIST Special Publication 800 Series: NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010NIST Special Publication 800-125, Guide to Security for Full Virtualization Technologies, January 2011NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011NIST Special Publication 800-145, NIST Definition of Cloud Computing, September 2011NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, May 2012NIST Cloud Computing Research Papers: NIST Cloud Computing Public Security Working Group, White Paper "Challenging Security Requirements for US Government Cloud Computing Adoption", December 2012

  35. Overview Image source: http://www.infraserve.com.au/resources/what-is-cloud-computing.aspx Definition, Model, Architecture The rationale Main obstacles/Security issues Human Factor Solutions

  36. Human Factor • Historically, human users are the weakest link in cryptographic systems • Bribery • Ignorance • Take easier path and don’t follow security procedures

  37. Human Factors in Cloud Computing Security Cloud Your solution Your own security admin Loyal, trained, familiar Lot less than $M for SMEs =>You will employ not a security expert, More prone to bribery • Concentration of security expertise in cloud computing providers. • $M in lost reputation and business At stake in case of security intrusion

  38. Tough questions Source: http://www.idi.ntnu.no/emner/tdt60/papers/Cloud_Computing_Security_Risk.pdf Who manages the data, and how is their access controlled? External audits and security certifications? Where is the data hosted? Can the data be stored and processed in a specific jurisdiction? Data segregation in a shared environment from other customers. How is data and service recovered in case of a disaster? Support for investigation of illegal activities? If the cloud computing provider goes broke, how will your data remain available?

  39. Overview Image source: http://www.infraserve.com.au/resources/what-is-cloud-computing.aspx Definition, Model, Architecture The rationale Main obstacles/Security issues Human Factor Solutions

  40. Solutions • No new cryptographic challenge • Tools for • security auditing of procedures and practices • gathering forensic evidence • Legal and technical framework for mutual auditability • Education of cloud service providers and users • Legislation

  41. Conclusion • Many cloud computing security problems are not new, but require modifications to existing solutions. • As always with outsourcing, transparency is a problem. • Research areas: • Specific intrusion detection tools for the cloud (e.g. OSSEC) • Forensic tools for cloud services models PaaSand SaaS. • Develop policies, procedures, and standards that may shape new laws • Mutual auditability instead of one-way auditability in existing systems

  42. Conclusion Security will become a significant cloud computing business differentiator Time-to-market and undercutting prices can greatly sway customers even in the absence of sound security underpinnings If the economic case prevails, then not even security concerns may prevent cloud computing from becoming a consumer commodity.

More Related