Security in Cloud Computing: Issues and Opportunities for Businesses and Governments Toni Draganov Stojanovski University for Information Science and Technology.

1 Security in Cloud Computing: Issues and Opportunities for Businesses and Governments. Toni Draganov Stojanovski, University for Information Science and Technology "St. Paul the Apostle", Ohrid, Macedonia. NATO Advanced Research Workshop "Best Practices and Innovative Approaches to Develop Cyber Security and Resiliency Policy Framework", Ohrid, Macedonia, 10-12 June 2013

2 Holy Grail of the CIO: a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. Cloud computing?

3 Roadblocks. Cloud computing. Hype.

4 Compelling economic case. Security issues (old). Security issues (new).

6 Overview: Definition, Model, Architecture; The rationale; Main obstacles/Security issues; Human Factor; Solutions

7 Definition: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (NIST) Zero CAPEX. Controlled OPEX.

8 Cloud Service Models
Software as a Service (SaaS): use the provider's applications over a network. Examples: Google Apps, Microsoft Office 365, Salesforce.
Platform as a Service (PaaS): deploy customer-created applications onto a provider-managed platform (OS, database, web server). Examples: Google App Engine, Windows Azure Cloud Services.
Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources. Examples: Amazon EC2, Azure Services Platform, Google Compute Engine.

9 Cloud Deployment Models
Private cloud: enterprise owned or leased.
Community cloud: shared infrastructure for a specific community.
Public cloud: sold to the public, mega-scale infrastructure.
Hybrid cloud: composition of two or more cloud types.

10 Essential Cloud Characteristics: on-demand self-service; broad network access; resource pooling; location independence; rapid elasticity; measured service.

11 Overview: Definition, Model, Architecture; The rationale; Main obstacles/Security issues; Human Factor; Solutions

12 Why rush into cloud computing? $$$ Federal CIO Vivek Kundra (2009-2011): "The government spends a quarter of its $80 billion annual IT budget on basic infrastructure such as hardware, software, electricity, and personnel. ... shifting to the cloud could significantly lower those costs." Federal IT budget 2013: $82B. Info.Apps.gov is a place where agencies can gather information about how cloud computing can help create sustainable, more cost-effective IT services for the Federal Government.

13 The cloud market value: US$58.6B in 2009; US$68B in 2010; will reach US$148B by 2014. Source: Frank Gens, Robert P. Mahowald and Richard L. Villars, IDC Cloud Computing 2010.

14 Right strategy? Right time? Mature technologies have reached a level at which products and services built on them are feasible. In periods of economic challenge, businesses look to cut costs and to open up possibilities for competitive advantage. Governments also see an opportunity to cut costs and gain agility.

15 Benefits of Cloud

16 Excitement and Concerns: 58% of the general population and 86% of senior business leaders are excited about the potential of cloud computing. More than 90% of these same people are concerned about the security, access, and privacy of their own data in the cloud. Security is management's number one concern. Source: Grant Gross, "Microsoft Calls for Cloud Computing Transparency", IDG News, Jan. 2010, http://www.pcworld.com/article/187294/microsoft_calls_for_cloud_computing_transparency.html

17 Is any analogy between the physical world and the cyberworld a fraud?

18 Overview: Definition, Model, Architecture; The rationale; Main obstacles/Security issues; Human Factor; Solutions

19 Roadblocks: What's holding cloud computing back?

20 Key Issues with Cloud Computing Security
Shared responsibility for securing the infrastructure
Transparency into the provider's security management
Penetration testing
Vendor lock-in
Gathering forensic evidence
Hypervisor vulnerabilities
Side channels and covert channels
Reputation fate-sharing
Legal support

21 Issue #1: Who is responsible for security? The responsibility for securing the infrastructure is shared between the provider and the user of cloud services. Where the line falls depends on the service model: in IaaS the customer still owns everything from the guest OS upward, while in SaaS the provider runs almost the whole stack and the customer is left with its data, its user accounts and the way it configures the service.

22 Issue #2: Transparency into the cloud service provider's security management. Reduced ability to thoroughly analyze the security and continuity risks, and to verify the security measures and processes of cloud computing services. Third-party certifications are immature and unable to address all aspects of cloud computing risk. FedRAMP has been established to provide a standard approach to assessing and authorizing cloud computing services and products. FedRAMP allows joint authorizations and continuous security monitoring services for government and commercial cloud computing systems intended for multi-agency use.

23 Issue #3: Penetration testing. A penetration test (pentest) evaluates the security of a computer system or network. We must be able to conduct a pentest in a cloud computing environment without causing loss of cloud service, and within the provider's rules of engagement, because the infrastructure under test is shared with other tenants who did not consent to it.

24 Issue #4: Vendor lock-in. Possibility of vendor lock-in due to the proprietary nature of many cloud provider services; a cloud provider can also go out of business. Solutions: SLAs and other contractual arrangements can provide effective protection against a provider walking away; use cloud services based on open source and industry standards, since only portable data formats and APIs make an actual migration feasible.

25 Issue #5: Gathering forensic evidence. Intrusions happen! "The only system that is truly secure is one that is switched off and unplugged, locked in a titanium-lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it." Gene Spafford (alt.security FAQs)

26 Issue #5: Gathering forensic evidence. Intrusions happen! How do we gather forensic evidence when the cloud instance becomes a crime scene? At the IaaS level, Amazon Elastic Block Store (EBS) lets a virtual machine boot from a network-attached block volume (a virtual SAN), so the volume outlives the instance and can be preserved and examined separately from it. Things get more complicated as we move up to the PaaS and SaaS levels, where the customer has no disk or memory image to acquire.

27 Issue #6: Hypervisor vulnerabilities. A hypervisor is a low-level software layer that allows multiple operating systems to run concurrently on one host computer. It presents virtual hardware to the guest software running above it.

28 Issue #6: Hypervisor vulnerabilities [NEW]. New technology = new risks, new vulnerabilities. Hypervisor breach (a VM escape) = one virtual machine customer can reach the host and, through it, the data of a different customer.

29 Issue #7: Side channel and covert channel [NEW]. An attacker VM is placed on the same physical machine as a targeted VM (co-residency). The activity of one cloud user may then be visible to other cloud users sharing the same resources, potentially allowing the construction of covert and side channels. Similar to the SSH keystroke timing attack. Aim: design cloud servers that optimise performance and power without leaking information.
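To make the co-residency leak concrete, here is an added example, not code from the presentation: a Python simulation of a contention-based covert channel between two tenants sharing one resource. The resource model, its numbers and every name in it (SharedResource, send_receive, bit_error_rate, PREAMBLE) are assumptions for this illustration; a real cross-VM channel targets a shared cache or memory bus and needs far more samples per bit. The `partitioned` flag models the mitigation the slide's last line asks for: when the resource is partitioned per tenant, the receiver no longer sees the sender's load and decoding degrades to guessing.

```python
"""Added example: a simulated contention-based covert channel between two
co-resident tenants. Not code from the presentation. The resource model, the
numbers and every name here (SharedResource, send_receive, bit_error_rate,
PREAMBLE) are assumptions made for this illustration only."""
from __future__ import annotations

import random
from dataclasses import dataclass, field


@dataclass
class SharedResource:
    """Toy model (assumed) of a resource shared by co-resident VMs, e.g. a
    last-level cache or memory bus: every access costs a base latency plus a
    penalty per other tenant currently saturating it, plus measurement jitter.
    That dependence of latency on a neighbour's activity is the leak."""
    base_cost: float = 1.0         # latency with nobody else contending
    contention_cost: float = 3.0   # extra latency per competing tenant
    noise_sd: float = 0.5          # jitter on each measured access
    partitioned: bool = False      # mitigation: per-tenant partition, no contention
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    load: int = 0                  # tenants currently saturating the resource

    def access(self) -> float:
        contention = 0 if self.partitioned else self.load
        return (self.base_cost + self.contention_cost * contention
                + self.rng.gauss(0.0, self.noise_sd))


PREAMBLE = [0, 1, 0, 1]  # pattern both sides agree on; receiver calibrates from it


def bytes_to_bits(data: bytes) -> list[int]:
    """MSB-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: list[int]) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def sender_window(res: SharedResource, bit: int) -> None:
    """Sender VM: saturate the shared resource for a '1' window, idle for '0'."""
    res.load = 1 if bit else 0


def receiver_window(res: SharedResource, probes: int) -> float:
    """Receiver VM: time its own accesses during the window; the mean is the signal."""
    return sum(res.access() for _ in range(probes)) / probes


def send_receive(message: bytes, res: SharedResource, probes: int = 16) -> bytes:
    """Run the channel: the sender modulates load one bit per window, the receiver
    measures each window, calibrates a threshold from the preamble and decodes.
    Returns the bytes the receiver recovered."""
    bits = PREAMBLE + bytes_to_bits(message)
    samples = []
    for bit in bits:
        sender_window(res, bit)
        samples.append(receiver_window(res, probes))
    sender_window(res, 0)  # sender goes quiet again
    zeros = [s for s, b in zip(samples, PREAMBLE) if b == 0]
    ones = [s for s, b in zip(samples, PREAMBLE) if b == 1]
    threshold = (sum(zeros) / len(zeros) + sum(ones) / len(ones)) / 2
    decoded = [1 if s > threshold else 0 for s in samples[len(PREAMBLE):]]
    return bits_to_bytes(decoded)


def bit_error_rate(sent: bytes, received: bytes) -> float:
    """Fraction of message bits the receiver got wrong."""
    a, b = bytes_to_bits(sent), bytes_to_bits(received)
    return sum(x != y for x, y in zip(a, b)) / len(a)


if __name__ == "__main__":
    secret = b"covert"
    shared = SharedResource()
    got = send_receive(secret, shared)
    print("shared resource:      received", got, "BER", bit_error_rate(secret, got))
    isolated = SharedResource(partitioned=True)
    got = send_receive(secret, isolated)
    print("partitioned resource: received", got, "BER", bit_error_rate(secret, got))
```

The receiver never touches the sender's data; it only times its own accesses, which is why such a channel survives every access-control mechanism in the guest OS and hypervisor. In practice the signal is much weaker than in this model (a Prime+Probe attack on a last-level cache has to average many probes per bit and add error-correcting coding), and the defence is the one the `partitioned` flag stands in for: partition the shared resource per tenant, or at least make the timing of one tenant independent of the load of the others.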

30 Issue #8: Reputation fate-sharing. (+) Cloud users benefit from a concentration of security expertise at major cloud providers, ensuring that the entire ecosystem employs security best practices. (-) A single subverter can disrupt many users: spammers subverted EC2 and caused Spamhaus to blacklist a large fraction of EC2's IP addresses; the FBI raided Texas datacenters in April 2009 on suspicion that the targeted datacenters were facilitating cybercrime; the agents seized equipment, and many businesses co-located in the same datacenters faced business disruptions or even complete closure.

31 Issue #8: Reputation fate-sharing [NEW]. Cloud users run brute forcers, botnets, or spam campaigns from the cloud; cloud providers scan cloud users' data and sell confidential information to the highest bidder. Solution: mutual auditability. It reassures both cloud users and providers that the other is acting in a fashion that is both benign and correct; it can assist with incident response and recovery; it enables the attribution of blame in search and seizure incidents.

32 Mutual auditability: enable cloud providers in search and seizure incidents to demonstrate to law enforcement that they have turned over all relevant evidence, and to users that they have turned over only the necessary evidence and nothing more. A third-party auditor requires a setup quite different from today's practice, in which cloud providers record and maintain all the audit logs themselves.

33 Issue #9: Legal support [NEW]. Email eavesdropping: a system administrator can be prosecuted for an incorrect setting of a server's parameters. You can imagine the legal support for security issues in cloud computing! NIST Cloud Computing Program: accelerate the Federal government's adoption of cloud computing, http://www.nist.gov/itl/cloud

34 NIST Cloud Computing Related Publications
NIST Special Publication 500 Series:
NIST Special Publication 500-291, NIST Cloud Computing Standards Roadmap, July 2011
NIST Special Publication 500-292, NIST Cloud Computing Reference Architecture, September 2011
NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume I: High-Priority Requirements to Further USG Agency Cloud Computing Adoption, November 2011
NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume II: Useful Information for Cloud Adopters, November 2011
NIST Special Publication 800 Series:
NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010
NIST Special Publication 800-125, Guide to Security for Full Virtualization Technologies, January 2011
NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011
NIST Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011
NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, May 2012
NIST Cloud Computing Research Papers:
NIST Cloud Computing Public Security Working Group, White Paper "Challenging Security Requirements for US Government Cloud Computing Adoption", December 2012

35 Overview: Definition, Model, Architecture; The rationale; Main obstacles/Security issues; Human Factor; Solutions

36 Human Factor: historically, human users are the weakest link in cryptographic systems. Bribery. Ignorance. Taking the easier path and not following security procedures.

37 Human Factors in Cloud Computing Security
Cloud: concentration of security expertise in cloud computing providers. At stake in case of a security intrusion: $M in lost reputation and business.
Your own solution: your own security admin, loyal, trained, familiar. At stake in case of a security intrusion: a lot less than $M for SMEs, so you will employ someone who is not a security expert and who is more prone to bribery.

38 Tough questions
1. Who manages the data, and how is their access controlled?
2. External audits and security certifications?
3. Where is the data hosted? Can the data be stored and processed in a specific jurisdiction?
4. How is data segregated from other customers in a shared environment?
5. How are data and service recovered in case of a disaster?
6. Support for investigation of illegal activities?
7. If the cloud computing provider goes broke, how will your data remain available?

39 Overview: Definition, Model, Architecture; The rationale; Main obstacles/Security issues; Human Factor; Solutions

40 Solutions: no new cryptographic challenge; tools for security auditing of procedures and practices and for gathering forensic evidence; a legal and technical framework for mutual auditability; education of cloud service providers and users; legislation.

41 Conclusion: Many cloud computing security problems are not new, but they require modifications to existing solutions. As always with outsourcing, transparency is a problem. Research areas: specific intrusion detection tools for the cloud (e.g. OSSEC); forensic tools for the PaaS and SaaS service models; policies, procedures, and standards that may shape new laws; mutual auditability instead of the one-way auditability of existing systems.

42 Conclusion: Security will become a significant cloud computing business differentiator. Time-to-market and undercutting prices can greatly sway customers even in the absence of sound security underpinnings. If the economic case prevails, then not even security concerns may prevent cloud computing from becoming a consumer commodity.
