Nov 3, 2013
Security in Cloud Computing: Issues and Opportunities for Businesses and Governments

Toni Draganov Stojanovski
University for Information Science and Technology "St. Paul the Apostle", Ohrid, Macedonia

NATO Advanced Research Workshop “Best Practices and Innovative Approaches to Develop Cyber Security and Resiliency Policy Framework”, Ohrid, Macedonia, 10-12 June 2013

Holy Grail of CIO

A way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software.

Cloud Computing?

Roadblocks

(Figure labels: Cloud computing, Hype)

(Figure labels: Compelling economic case, Security Issues (Old), Security Issues (New))

Overview

- Definition, Model, Architecture
- The rationale
- Main obstacles/Security issues
- Human Factor
- Solutions

Definition

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (NIST)

- Zero CAPEX
- Controlled OPEX

Cloud Service Models

- Software as a Service (SaaS): use the provider’s applications over a network. Examples: Google Apps, Microsoft Office 365, Salesforce.
- Platform as a Service (PaaS): deploy customer-created applications to a computing platform (OS, DB, and web server). Examples: Google App Engine, Windows Azure Cloud Services.
- Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources. Examples: Amazon EC2, Azure Services Platform, Google Compute Engine.

Cloud Deployment Models

- Private cloud: enterprise owned or leased
- Community cloud: shared infrastructure for a specific community
- Public cloud: sold to the public, mega-scale infrastructure
- Hybrid cloud: composition of two or more cloud types

Essential Cloud Characteristics

- On-demand self-service
- Broad network access
- Resource pooling
- Location independence
- Rapid elasticity
- Measured service


Why rush into cloud computing?

$$$

Federal CIO Vivek Kundra (2009-2011): “The government spends a quarter of its $80 billion annual IT budget on basic infrastructure such as hardware, software, electricity, and personnel.” ... “shifting to the cloud could significantly lower those costs.”

Info.Apps.gov is a place where agencies can gather information about how Cloud Computing can help create sustainable, more cost-effective IT Services for the Federal Government.

Federal IT budget 2013: $82B

The cloud market value:
- US$58.6B in 2009
- US$68B in 2010
- Will reach US$148B by 2014

Source: Frank Gens, Robert P. Mahowald and Richard L. Villars, IDC Cloud Computing 2010.

Right strategy? Right time?

- Mature technologies approach a feasible level for developing products and services.
- In periods of economic challenges, businesses look to cut costs and open up possibilities to gain competitive advantages.
- Governments also see an opportunity to cut costs and add to their agility.

Benefits of Cloud

Excitement and Concerns

- 58% of the general population and 86% of senior business leaders are excited about the potential of cloud computing.
- > 90% of these same people are concerned about the security, access, and privacy of their own data in the cloud.
- Security is management’s number one concern.

Source: Grant Gross. “Microsoft Calls for Cloud Computing Transparency.” IDG News, Jan. 2010. http://www.pcworld.com/article/187294/microsoft_calls_for_cloud_computing_transparency.html

Any analogy between physical world and cyberworld is a fraud?


Roadblocks: What’s holding cloud computing back?

Key Issues with Cloud Computing Security

- Shared responsibility for securing the infrastructure
- Transparency into provider’s security management
- Penetration testing
- Vendor lock-in
- Gathering forensic evidence
- Hypervisor vulnerabilities
- Side channel and covert channel
- Reputation fate-sharing
- Legal support

Issue #1: Who is responsible for security?

The responsibility for securing the infrastructure is shared between the provider and the user of cloud services.

Issue #2: Transparency into cloud services provider’s security management

- Reduced ability to thoroughly analyze the security and continuity risks, and to verify the security measures and processes of cloud computing services.
- Third-party certifications are immature and unable to address all aspects of cloud computing risk.
- FedRAMP has been established to provide a standard approach to Assessing and Authorizing cloud computing services and products. FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use.

Issue #3: Penetration testing

- Penetration testing (pentest) evaluates the security of a computer system or network.
- We must be able to conduct a pentest in a cloud computing environment without causing loss of cloud service.

Issue #4: Vendor lock-in

- Possibility for vendor lock-in due to
  - the proprietary nature of many cloud provider services
  - a cloud provider going out of business
- Solutions:
  - SLAs and other contractual arrangements can provide effective protection.
  - Use cloud services based on open source and industry standards.

Issue #5: Gathering forensic evidence

Intrusions happen!

“The only system that is truly secure is one that is switched off and unplugged, locked in a titanium-lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it.”
Gene Spafford (alt.security FAQs)

Issue #5: Gathering forensic evidence

Intrusions happen!

- How do we gather forensic evidence when the cloud instance becomes a crime scene?
- Elastic Block Storage (from Amazon) allows the launching of a virtual machine image from a virtual storage area network (SAN). (IaaS)
- Things get more complicated as we move up to the PaaS and SaaS levels.

Issue #6: Hypervisor vulnerabilities

A hypervisor is a low-level operating system layer which allows multiple operating systems to run concurrently on a host computer. It presents virtual hardware to the software running above the hypervisor layer.

Issue #6: Hypervisor vulnerabilities

- New technology = new risks, new vulnerabilities
- Hypervisor breach = one virtual machine customer can gain access to the data of a different customer

Issue #7: Side channel and covert channel (NEW)

- An attacker VM is placed on the same physical machine as a targeted VM.
- The activity of one cloud user might appear visible to other cloud users using the same resources, potentially leading to the construction of covert and side channels.
- Similar to SSH Keystroke Timing Attack
- Aim: Design cloud servers that optimise performance and power without leaking information
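The slide describes the channel at the level of co-resident VMs; the mechanism behind it, and behind the SSH keystroke timing attack it is compared to, is that the amount of work a system does depends on secret data and a neighbour can observe that work. The Python below is an added illustration of that principle at code level, not code from the talk: it instruments two ways of comparing a secret token with a probe, reports how many bytes each one touches (standing in for the timing or cache footprint a co-tenant would measure), and shows why the defender's fix is to make the work data-independent. The token and probe values are constructed for the example; `hmac.compare_digest` is the standard-library routine to use in practice.

```python
from typing import Callable, List, Tuple


def leaky_equals(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (match, bytes_examined).

    bytes_examined is the observable: it grows with the length of the
    correct prefix, so every probe reveals something about `secret`."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def data_independent_equals(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Same decision, but the work never depends on where the bytes differ:
    every byte is visited and the mismatch is accumulated with XOR/OR.
    (Production code should call hmac.compare_digest, which does this in C.)"""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    diff = 0
    for s, g in zip(secret, guess):
        examined += 1
        diff |= s ^ g
    return diff == 0, examined


def work_profile(compare: Callable[[bytes, bytes], Tuple[bool, int]],
                 secret: bytes, guesses: List[bytes]) -> List[int]:
    """Observable work for a sequence of probes, as a co-tenant would see it."""
    return [compare(secret, g)[1] for g in guesses]


def leaks_by_work(profile: List[int]) -> bool:
    """A channel exists if equal-length probes produce different observables."""
    return len(set(profile)) > 1


# Constructed sample (not real credentials): a 12-byte token and probes
# whose correct prefix grows from 0 to the full token.
SAMPLE_SECRET = b"s3cr3t-token"
SAMPLE_PROBES = [b"x" * 12, b"s3" + b"x" * 10, b"s3cr3t" + b"x" * 6, b"s3cr3t-token"]

if __name__ == "__main__":
    for name, fn in (("early-exit", leaky_equals),
                     ("data-independent", data_independent_equals)):
        prof = work_profile(fn, SAMPLE_SECRET, SAMPLE_PROBES)
        print(f"{name:17s} work per probe: {prof}  leaks: {leaks_by_work(prof)}")
```

The early-exit profile climbs with each correct prefix while the data-independent one is flat; the same reasoning applies to any shared resource whose use tracks secret data, which is what the slide's design aim (performance and power that do not depend on tenant data) asks of the server itself.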

Issue #8: Reputation fate-sharing (NEW)

+ Cloud users benefit from a concentration of security expertise at major cloud providers, ensuring that the entire ecosystem employs security best practices.

- A single subverter can disrupt many users.
  - Spammers subverted EC2 and caused Spamhaus to blacklist a large fraction of EC2’s IP addresses.
  - The FBI raided Texas datacenters in April 2009, based on suspicions of the targeted datacenters facilitating cybercrimes. The agents seized equipment, and many businesses co-located in the same datacenters faced business disruptions or even complete business closures.

Issue #8: Reputation fate-sharing

- Cloud users run brute forcers, botnets, or spam campaigns from the cloud;
- Cloud providers scan cloud users’ data and sell confidential information to the highest bidder.

Solution: Mutual auditability
- Reassures both cloud users and providers that the other is acting in a fashion that is both benign and correct.
- Can assist with incident response and recovery.
- Enables the attribution of blame in search and seizure incidents.

Mutual auditability (NEW)

- Enable cloud providers in search and seizure incidents to demonstrate
  - to law enforcement that they have turned over all relevant evidence,
  - to users that they have turned over only the necessary evidence and nothing more.
- A third-party auditor requires a setup quite different from today’s practice, in which cloud providers record and maintain all the audit logs.
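The two demands on this slide and the previous one, turning over everything relevant while turning over nothing beyond that, can both be checked against a single commitment if the provider's log is hash-chained and the chain head is published to tenants and auditors as it grows, rather than the provider alone holding the logs. The Python below is an added illustration of such a setup, not code from the talk or from any provider: the record layout, tenant names and events are constructed for the example, and the scheme assumes the published head hash reaches the verifier through a channel the provider cannot rewrite afterwards (handed to the tenant or a third-party auditor at the time of writing).

```python
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # chain value "before" the first record


def payload_digest(payload: Dict) -> str:
    """Stable digest of a record body (canonical JSON so both sides agree)."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def link_hash(prev_hash: str, tenant: str, digest: str) -> str:
    """Chain link: binds this record's owner and body to everything before it."""
    return hashlib.sha256(f"{prev_hash}|{tenant}|{digest}".encode()).hexdigest()


class ProviderAuditLog:
    """Append-only log kept by the provider; tenants only ever learn the head hash."""

    def __init__(self) -> None:
        self.records: List[Tuple[str, Dict, str]] = []  # (tenant, payload, link)

    def append(self, tenant: str, payload: Dict) -> str:
        prev = self.records[-1][2] if self.records else GENESIS
        link = link_hash(prev, tenant, payload_digest(payload))
        self.records.append((tenant, payload, link))
        return link

    def head(self) -> str:
        """Commitment the provider publishes to tenants and auditors."""
        return self.records[-1][2] if self.records else GENESIS

    def export_for(self, tenant: str) -> List[Dict]:
        """Evidence package for one tenant: its own records in full, everyone
        else's reduced to (owner, digest) so the chain can still be recomputed."""
        package = []
        for owner, payload, _ in self.records:
            if owner == tenant:
                package.append({"tenant": owner, "payload": dict(payload)})
            else:
                package.append({"tenant": owner, "digest": payload_digest(payload)})
        return package


def verify_export(package: List[Dict], tenant: str, published_head: str) -> bool:
    """Tenant-side check that the package is complete (every record of mine is
    disclosed), minimal (nobody else's payload is present) and untampered
    (recomputing the chain over the package ends at the published head)."""
    prev = GENESIS
    for item in package:
        owner = item["tenant"]
        if owner == tenant:
            if "payload" not in item:
                return False  # one of my records was withheld
            digest = payload_digest(item["payload"])
        else:
            if "payload" in item or "digest" not in item:
                return False  # another tenant's data disclosed, or malformed
            digest = item["digest"]
        prev = link_hash(prev, owner, digest)
    return prev == published_head


def build_sample_log() -> ProviderAuditLog:
    """Constructed sample events for two hypothetical tenants; not real logs."""
    log = ProviderAuditLog()
    log.append("acme", {"event": "vm.start", "vm": "i-0001"})
    log.append("globex", {"event": "vm.start", "vm": "i-0002"})
    log.append("acme", {"event": "volume.attach", "vm": "i-0001", "vol": "vol-7"})
    log.append("globex", {"event": "snapshot.create", "vm": "i-0002"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log.head()  # published at write time, before any incident
    package = log.export_for("acme")
    print("acme package verifies:", verify_export(package, "acme", head))
```

Records of other tenants travel only as (owner, digest), which is enough to recompute the chain but reveals no content; a record of the requesting tenant that arrives without its payload, a foreign record that arrives with one, an altered payload, or a dropped record each make `verify_export` return False. What the scheme cannot show is that the provider wrote every event into the log in the first place; that part remains a monitoring and attestation problem, which is why the slide calls for a legal as well as a technical framework.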

Issue #9: Legal support

- Email eavesdropping: a system administrator can be prosecuted for an incorrect setting of the server’s parameters.
- You can imagine the legal support for security issues in cloud computing!

NIST Cloud Computing Program
- Accelerate the Federal government’s adoption of cloud computing
- http://www.nist.gov/itl/cloud

NIST Cloud Computing Related Publications (NEW)

NIST Special Publication 500 Series:
- NIST Special Publication 500-291, NIST Cloud Computing Standards Roadmap, July 2011
- NIST Special Publication 500-292, NIST Cloud Computing Reference Architecture, September 2011
- NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume I: High-Priority Requirements to Further USG Agency Cloud Computing Adoption, November 2011
- NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume II: Useful Information for Cloud Adopters, November 2011

NIST Special Publication 800 Series:
- NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010
- NIST Special Publication 800-125, Guide to Security for Full Virtualization Technologies, January 2011
- NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011
- NIST Special Publication 800-145, NIST Definition of Cloud Computing, September 2011
- NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, May 2012

NIST Cloud Computing Research Papers:
- NIST Cloud Computing Public Security Working Group, White Paper "Challenging Security Requirements for US Government Cloud Computing Adoption", December 2012


Human Factor

Historically, human users are the weakest link in cryptographic systems:
- Bribery
- Ignorance
- Take the easier path and don’t follow security procedures

Human Factors in Cloud Computing Security

Cloud:
- Concentration of security expertise in cloud computing providers.
- At stake in case of security intrusion: $M in lost reputation and business.

Your solution:
- Your own security admin: loyal, trained, familiar.
- At stake in case of security intrusion: a lot less than $M for SMEs => you will employ not a security expert, more prone to bribery.

Tough questions

1. Who manages the data, and how is their access controlled?
2. External audits and security certifications?
3. Where is the data hosted? Can the data be stored and processed in a specific jurisdiction?
4. Data segregation in a shared environment from other customers.
5. How is data and service recovered in case of a disaster?
6. Support for investigation of illegal activities?
7. If the cloud computing provider goes broke, how will your data remain available?


Solutions

- No new cryptographic challenge
- Tools for
  - security auditing of procedures and practices
  - gathering forensic evidence
- Legal and technical framework for mutual auditability
- Education of cloud service providers and users
- Legislation

Conclusion

- Many cloud computing security problems are not new, but require modifications to existing solutions.
- As always with outsourcing, transparency is a problem.
- Research areas:
  - Specific intrusion detection tools for the cloud (e.g. OSSEC)
  - Forensic tools for the PaaS and SaaS cloud service models.
  - Develop policies, procedures, and standards that may shape new laws
  - Mutual auditability instead of one-way auditability in existing systems

Conclusion

- Security will become a significant cloud computing business differentiator.
- Time-to-market and undercutting prices can greatly sway customers even in the absence of sound security underpinnings.
- If the economic case prevails, then not even security concerns may prevent cloud computing from becoming a consumer commodity.