Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cloud Security: Infrastructure, Data Security, and Access Control Adapted from slides by Keke Chen.

Similar presentations

Presentation on theme: "Cloud Security: Infrastructure, Data Security, and Access Control Adapted from slides by Keke Chen."— Presentation transcript:

1 Cloud Security: Infrastructure, Data Security, and Access Control Adapted from slides by Keke Chen

2 Suggested Readings Reference book: “Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice)”, Tim Mather et al. Enterprise-Perspective/dp/ Enterprise-Perspective/dp/ Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, v3.0.pdf v3.0.pdf – Cloud Security Alliance

3 Outline Overview Infrastructure Security Data Security Identity and access management Audit, compliance and federation of clouds Security and privacy concerns Security as a service Network security, policies (research)

4 What makes Cloud Security different from Normal Cyber Security Systems? How Does Cloud Security Differ?

5 Cloud Security Standards Cloud Security Alliance – Security Guidance for Critical Areas of Focus in Cloud Computing – Top Threats to Cloud Computing – Cloud Audit (A6  Automated Audit,Assertion,Assessment,and Assurance API) NIST Cloud Security Initiative – Guidelines on Security and Privacy in Public Cloud Computing Military  IASE standards from DISA-CSD Federal Government – FedRAMP(2011) – Evolved from NIST , from 2009 – Assessment procedures OASIS Identity in the cloud – Open standards for identity deployment, provisioning and management

6 Different Kinds of Clouds (NIST)

7 Private versus Public Cloud Security

8 Security and Who Owns a Cloud?

9 Dimensions of Security

10 Tradeoffs and Security Provisions

11 Cloud Alliance 7 Concerns DomainGUIDANCE DEALING WITH SECURITY Governance and Enterprise Risk Management Govern and measure enterprise risk Legal Issues: Contracts and Electronic Discovery Protection requirements, security breach disclosure laws, regulatory requirements, privacy requirements, international laws Compliance and AuditProving compliance during audit Information Management and Data Security Identification and control of data in cloud. CAI Portability and InteroperabilityMove data services from one provider to another, interoperability Traditional Security, Business Continuity and Disaster Recovery Security of operational processes and procedures (security, business continuity and disaster recovery Data Center OperationsEvaluation of Stability, On-going services

12 DomainGUIDANCE DEALING WITH SECURITY Incident Response, Notification and Remediation Provider and user levels to enable proper incident handling and forensics Application Security+Application migration Encryption and Key ManagementAppropriate encryption and scalable key management Identity and Access ManagementOrganization’s identity, access controls VirtualizationMulti-tenancy, VM isolation, VM co- residence, hypervisor vulnerabilities Security as a ServiceThird part facilitated security assurance, incident management, compliance attestation, identity and access oversight

13 NIST Guidelines on Security and Privacy in Public Cloud Computing, Wayne Jansen and Timothy Grance, NIST, January /Draft-SP _cloud-computing.pdf 144/Draft-SP _cloud-computing.pdf

14 Security: Pros v Cons of Cloud Staff Specialization. Platform Strength. Resource Availability. Backup and Recovery. Mobile Endpoints. Data Concentration. Data Center Oriented. Cloud Oriented. System Complexity. Shared Multi-tenant Environment. Internet-facing Services Loss of Control. Botnets. Mechanism Cracking

15 Overview

16 Infrastructure – IaaS, PaaS, and SaaS Focus on public clouds – No special security problems with private clouds – traditional security problems only Different levels – Network level – Host level – Application level Infrastructure Security

17 Confidentiality and integrity of data-in-transit – Amazon had security bugs with digital signature on SimpleDB, EC2, and SQS accesses (in 2008) Less or no system logging /monitoring – Only cloud provider has this capability – Thus, difficult to trace attacks Reassigned IP address – Expose services unexpectedly – Spammers using EC2 are difficult to identify Availability of cloud resources – Some factors, such as DNS, controlled by the cloud provider. Physically separated tiers become logically separated – E.g., 3 tier web applications Network level

18 Private Cloud Network Security

19 Hypervisor security – “zero-day vulnerability” in VM, if the attacker controls hypervisor Virtual machine security – SSH private keys (if mode is not appropriately set) – VM images (especially private VMs) – Vulnerable Services Host level (IaaS)

20 SaaS application security – Example: In an accident, Google Docs access control failed. All users can access all documents Application level

21 Data-in-transit Data-at-rest Processing of data, including multitenancy Data lineage Data provenance Data remanence Data Security

22 Data-in-transit – Confidentiality and integrity Data-at-rest & processing data – Possibly encrypted for static storage – Cannot be encrypted for most PaaS and SaaS (such as Google Apps)  prevents indexing or searching Research on indexing/searching encrypted data Fully homomorphic encryption? Data Security

23 Definition: tracking and managing data For audit or compliance purpose Data flow or data path visualization – E.g. data transferred to AWS on date x1 at time y1 and stored in a bucket on S3, then processed on date x2 at time y2 on EC2 in ec, then stored in another bucket,, then brought back locally on date x3 at time y3, … Time-consuming process even for inhouse data center – Not possible for a public cloud Data lineage

24 Origin/ownership of data – Verify the authority of data – Trace the responsibility – e.g., financial and medical data Difficult to prove data provenance in a cloud computing scenario Data provenance

25 Data left intact by a nominal delete operation – In many DBMSs and file systems, data is deleted by flagging it. Lead to possible disclosure of sensitive information Department of Defense: National Industrial security program operating manual – Defines data clearing and sanitization Data remanence

26 The provider collects a huge amount of security-related data – Data possibly related to service users – If not managed well, it is a big threat to users’ security Provider’s data and its security

27 What kinds of protocols and techniques are needed/used? What Do You know about Identity and Access Management?

28 Traditional trust boundary reinforced by network control – VPN, Intrusion detection, intrusion prevention Loss of network control in cloud computing Have to rely on higher-level software controls – Application security – User access controls - IAM Identity and Access Management

29 IAM components – Authentication – Authorization – Auditing IAM processes – User management – Authentication management – Authorization management – Access management – access control – Propagation of identity to resources – Monitoring and auditing Identity and Access Management

30 IAM functional architecture

31  Avoid duplication of identity, attributes, and credentials and provide a single sign-on user experience  SAML(Security Assertion Markup Lang). protocols pdf protocols pdf  Automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning  SPML (service provisioning markup lang).  Provision user accounts with appropriate privileges and manage entitlements  XACML (extensible access control markup lang).  Authorize cloud service X to access my data in cloud service Y without disclosing credentials  Oauth (open authentication). IAM standards and specifications

32 SAML Example ACS: Assertion Consumer Service SSO : single sign-on

33 SPML example

34 XACML Example PEP: policy enforcement point (app interface) PDP: policy decision point

35 OAuth example

36 OpenID Information Cards Open Authentication (OATH) Issues for OpenID – Phishing – malicious relying party forwards end-user to bogus identity provider authentication page – Allows sniffing of certificate and replay IAM standards/protocols

37 Difference Open ID versus Oauth (Thanks to Wikipedia)

38 Dealing with heterogeneous, dynamic, loosely coupled trust relationships Enabling “Login once, access different systems within the trust boundary” – Single sign-on (SSO) – Centralized access control services – Yahoo! OpenID IAM practice- Identity federation

39 Audit, compliance and federation of clouds

40 NIST: Interactions between Actors in Cloud Computing 40 Cloud Provider Cloud Broker Cloud Auditor The communication path between a cloud provider & a cloud consumer The communication paths for a cloud auditor to collect auditing information The communication paths for a cloud broker to provide service to a cloud consumer Cloud Carrier

41 The Combined Conceptual Reference Diagram 41 Cloud Carrier Cloud Consumer Cloud Auditor Cloud Broker Cloud Broker Security Audit Privacy Impact Audit Performance Audit Cloud Service Management Service Layer Business Support Privacy Service Arbitrage Service Aggregation Service Intermediation Security Provisioning/ Configuration Portability/ Interoperability Physical Resource Layer IaaS SaaS PaaS Resource Abstraction and Control Layer Hardware Facility

42 Cloud Provider: Service Orchestration 42 Service Layer Physical Resource Layer IaaS SaaS PaaS Resource Abstraction and Control Layer Hardware Facility Cloud Provider Biz Process/ Operations App/Svc Usage Scenarios Software as a Service Application Development Develop, Test, Deploy and Manage Usage Scenarios Platform as a Service Infrastructure as a Service IT Infrastructure & Operation Develop, Test, Deploy and Manage Usage Scenarios

43 Federation of Clouds/Hybrid Clouds 1. Using multiple clouds for different applications to match needs (local cloud and cloud bursting) Allocating components of an application to different environments (e.g., compute vs database tiers), whether internal or external (“application stretching”) Moving an application to meet requirements at specific stages in its lifecycle, from early development through unit test, scale testing, pre- production and ultimately full production scenarios

44 Federation of Clouds/Hybrid Clouds 2. Moving workloads closer to end users across geographic locations, including user groups within the enterprise, partners and external customers Meeting peak demands efficiently in the cloud while the low steady-state is handled internally Keeping large data within country, geography or organization while allowing global distributed computation Maintaining confidential data on better protected clouds while allowing distributed computation on more computationally efficient ones.

45 Key Security and Privacy Issues Governance -- control and oversight over policies, procedures, and standards for application development, as well as the design, implementation, testing, and monitoring of deployed services.

46 Key Security and Privacy Issues Compliance -- conformance with an established specification, standard, regulation, or law. – Data location --- trans-border data flows include whether the laws in the jurisdiction where the data was collected permit the flow, whether those laws continue to apply to the data post transfer, and whether the laws at the destination present additional risks or benefits – Laws and Regulations --- OMB, Clinger-Cohen Act, FISMA, NARA (archives), HIPPA, PCI DSS (cards) – Electronic Discovery --- FOIA, litigation

47 Key Security and Privacy Issues Trust – Insider Access --- (esp. DOS) – Data Ownership --- Privacy versus data ownership. – Composite Services --- Nesting and layering of services, trust is not transitive, liability and performance guarantees – Visibility --- detailed network and system level monitoring, oversight – Risk Management

48 Security as a Service Origins: Spam Today – Filtering – Web Content Filtering – Vulnerability Management – Identity Management as a service – Etc. Naming: SaaS – NOT to be confused with Software as a Service! SecaaS: Security as a Service (Cloud Security Alliance)

49 SaaS Categorization by CSA CSA: Cloud Security Alliance 1.Identity and Access Management 2.Data Loss Prevention 3.Web Security 4. Security 5.Security Assessments 6.Intrusion Management 7.Security Information and Event Management (SIEM) 8.Encryption 9.Business Continuity and Disaster Recovery 10.Network Security

50 Identity and Access Management (IAM) SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active Directory Federated Services (ADFS2), WS- Federation Commercial Cloud Examples – CA Arcot Webfort – CyberArk Software Privileged Identity Manager – Novell Cloud Security Services – ObjectSecurity OpenPMF (authorization policy automation, for private cloud only) – Symplified Threats addressed – Identity theft, Unauthorized access, Privilege escalation, Insider threat, Non-repudiation, Excess privileges / Excessive access, Delegation of authorizations / Entitlements, Fraud

51 Data Loss Prevention Monitoring, protecting, and verifying the security of data by running as a client on desktops / servers and running rules – “No FTP” or “No uploads” to web sites – “No documents with numbers that look like credit cards can be ed” – “Anything saved to USB storage is automatically encrypted and can only be unencrypted on another office owned machine with a correctly installed DLP client” – “Only clients with functioning DLP software can open files from the fileserver” Related to IAM Threats Addressed – Data loss/leakage, Unauthorized access, Malicious compromises of data integrity, Data sovereignty issues, Regulatory sanctions and fines

52 Web Security Real-time protection – On-premise through software/appliance installation – Proxying or redirecting web traffic to the cloud provider Prevent malware from entering the enterprise via activities such as web browsing Mail Server, Anti-virus, Anti-spam, Web Filtering, Web Monitoring, Vulnerability Management, Anti-phishing Threats addressed – Keyloggers, Domain Content, Malware, Spyware, Bot Network, Phishing, Virus, Bandwidth consumption, Data Loss Prevention, Spam

53 Security Control over inbound and outbound Enforce corporate polices such as acceptable use and spam Policy-based encryption of s Digital signatures enabling identification and non- repudiation Services – Content security, Anti- virus/Anti-malware, Spam filtering, encryption, DLP for outbound , Web mail, Anti- phishing Threats addressed – Phishing, Intrusion, Malware, Spam, Address spoofing

54 Security Assessments Third-party audits of cloud services or assessments of local systems via cloud-provided solutions Well defined and supported by multiple standards such as NIST, ISO, and CIS Additional Cloud Challenges – Virtualization awareness of the tool – Support for common web frameworks in PaaS applications – Compliance Controls for IaaS, PaaS, and SaaS platforms Services – Internal and / or external penetration test, Application penetration test, Host and guest assessments, Firewall / IPS (security components of the infrastructure) assessments, Virtual infrastructure assessment Threats addressed – Inaccurate inventory, Lack of continuous monitoring, Lack of correlation information, Lack of complete auditing, Failure to meet/prove adherence to Regulatory/Standards Compliance, Insecure / vulnerable configurations, Insecure architectures, Insecure processes / processes not being followed

55 Intrusion Management Using pattern recognition to detect and react to statistically unusual events IM tools are mature, however – virtualization and massive multi-tenancy is creating new targets for intrusion – raises many questions about the implementation of the same protection in cloud environments Services – Packet Inspection, Detection, Prevention Threats addressed – Intrusion, Malware

56 Security Information and Event Management (SIEM) Accept log and event information Correlate and analyze to provide real-time reporting and alerting on incidents / events Services – Log management, Event correlation, Security/Incident response, Scalability, Log and Event Storage, Interactive searching and parsing of log data, Logs immutable (for legal investigations) Threats addressed – Abuse, Insecure Interfaces and APIs, Malicious Insiders, Shared Technology Issues, Data Loss and Leakage, Account or Service Hijacking, Unknown Risk Profile, Fraud

57 Encryption The process of obfuscating/encoding data using cryptographic algorithms – Algorithm(s) that are computationally difficult to break Services – VPN services, Encryption Key Management, Virtual Storage Encryption, Communications Encryption, Application Encryption, Database Encryption, digital signatures, Integrity validation Threats addressed – Failure to meet Regulatory Compliance requirements, Mitigating insider and external threats to data, Intercepted clear text network traffic, Clear text data on stolen / disposed of hardware, Reducing the risk or and potentially enabling cross- border business opportunities, Reducing perceived risks and thus enabling Cloud's Adoption by government

58 Business Continuity and Disaster Recovery Ensure operational resiliency in the event of any service interruptions Flexible and reliable failover Utilize cloud’s flexibility to minimize cost and maximize benefits Services – File recovery provider, File backup provider, Cold site, Warm site, Hot site, Insurance, Business partner agreements, Replication (e.g. Databases)Threats addressed – Natural disaster, Fire, Power outage, Terrorism/sabotage, Data corruption, Data deletion, Pandemic/biohazard

59 Network Security Services that allocate access, distribute, monitor, and protect the underlying resource services – Address security controls at the network in aggregate, Or – Specifically address at the individual network of each underlying resource In Clouds, likely to be provided by virtual devices alongside traditional physical devices – Tight integration with the hypervisor to ensure full visibility of all traffic on the virtual network layer is key Services – Firewall (perimeter and server tier), Web application firewall, DDOS protection/mitigation, DLP, IR management, IDS / IPS Threats addressed – Data Threats, Access Control Threats, Application Vulnerabilities, Cloud Platform Threats, Regulatory, Compliance & Law Enforcement

60 Network Security (Research) Policies about the configurations of the infrastructure are used for specifying security and availability requirements A critical device should be placed within a security perimeter Unprotected devices should not communicate with machines running critical services Computation on confidential data must performed on hosts under the control of DoD Policy-driven approach has been taken by FISMA, PCI-DSS, NERC 60 Scalability Real-time detection of violations Monitoring itself needs to be secure Information needs to be shared across cloud providers Requirements

61 61 Policy Distribution Reaction Agent Odessa Agent NetOdessa Agent DORA Subsystem Trustworthiness of Workflows Trust Calculation Module External Event Aggregator External Event Aggregator Formal Design and analysis of Assured Mission Critical Computations Evaluation on a distributed networked test-bed Middleware for Assured Clouds Risk Assessment Modules Distance from Compliance Calculation

62 Reaction Agents are part of the Middleware 62 When a policy violation is detected Security, availability, or timeliness requirements might not be satisfied We need to reconfigure the system We implemented a cloud-based OpenFlow reaction agent OpenFlow controller Flow information reconfigurations Reaction Agent violation

63 To Read Further Roy H. Campbell, Mirko Montanari, Reza Farivar, Middleware for Assured Clouds, Journal of Internet Services and Applications, 2011 [pdf][pdf] Kroske, E. ; Farivar, R. ; Montanari, M. ; Larson, K. ; Campbell, R.H., NetODESSA: Dynamic Policy Enforcement in Cloud Networks, 30th IEEE Symposium on Reliable Distributed Systems - Workshops (SRDSW), 2011 Mirko Montanari, Roy H. Campbell, Attack-resilient Compliance Monitoring for Large Distributed Infrastructure Systems, IEEE International Conference on Network and System Security (NSS), Sept [pdf][pdf] Mirko Montanari, Ellick Chan, Kevin Larson, Wucherl Yoo, Roy H. Campbell, "Distributed Security Policy Conformance," IFIP SEC 2011, Lucerne, Switzerland, June [pdf][pdf]

Download ppt "Cloud Security: Infrastructure, Data Security, and Access Control Adapted from slides by Keke Chen."

Similar presentations

Ads by Google