
1 Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 11 09/27/2011 Security and Privacy in Cloud Computing

2 Data Forensics in a Cloud

Goal: Examine the data forensics problem in cloud computing
Assignment #6: Lu et al., Secure Provenance: The Essential Bread and Butter of Forensics in Cloud Computing, AsiaCCS 2010

09/22/2011 | Fall 2011 Lecture 10 | UAB | Ragib Hasan

3 Cloud Forensics: An overview

Related reading: Ruan et al., “Cloud Forensics: An Overview”, 2011.

4 Digital Forensics

Digital Forensics is the “application of science to the identification, collection, examination, and analysis of data while preserving the integrity of information and maintaining a strict chain of custody for the data.” [Kent 2006]
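An added example, not part of the lecture: one way to make "preserving the integrity" and "chain of custody" checkable is to hash the evidence and link each custody record to the previous one. The record fields, actor names and sample bytes are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def add_entry(log, actor, action, evidence: bytes, when):
    """Append a custody record linked to the previous record's hash."""
    record = {
        "seq": len(log),
        "when": when,
        "actor": actor,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = sha256_hex(json.dumps(record, sort_keys=True).encode())
    log.append(record)
    return record

def verify(log, evidence: bytes):
    """Return (ok, reason) after checking links, record hashes and the evidence digest."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev:
            return False, f"broken link at record {i}"
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != rec["hash"]:
            return False, f"record {i} was modified"
        if rec["evidence_sha256"] != sha256_hex(evidence):
            return False, f"evidence differs from record {i}"
        prev = rec["hash"]
    return True, "chain intact"

def demo():
    image = b"constructed disk image bytes"  # stand-in for an acquired image
    log = []
    add_entry(log, "examiner-1", "acquired", image, "2011-09-27T14:00:00Z")
    add_entry(log, "examiner-2", "received for analysis", image, "2011-09-27T15:30:00Z")
    intact = verify(log, image)
    log[0]["actor"] = "someone-else"  # simulate an edit to an earlier record
    edited = verify(log, image)
    return intact, edited

if __name__ == "__main__":
    print(demo())
```

An unkeyed hash chain only detects edits by someone who cannot rewrite the whole log; signing each record or storing the latest hash with a separate party closes that gap.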

5 Cloud Forensics

Cloud forensics is a cross-disciplinary subject
  – an overlapping of cloud computing and digital forensics

6 Modeling crime in a cloud

Cloud crime is any crime involving cloud computing [Ruan et al., 2011]
Cloud can be the subject, object, or tool of crime
  – Subject: Cloud is attacked by external attackers
  – Object: Cloud provider attacks clients
  – Tool: Cloud computing used to attack external parties

7 Cloud forensics is useful for …

Investigation
  – Cloud crime and policy violations
  – Reconstructing events in the cloud

8 Cloud forensics is useful for …

Troubleshooting
  – Pinpointing the physical location of data and hosts in a cloud
  – Unearthing the root cause of problems
  – Security incident handling

9 Key Goals of Cloud Forensics

Identifying data related to a particular user
Attributing data to its creator/owner
Identifying intrusions/reconstructing events

10 Many issues complicate cloud forensics

Technical issues
Organizational issues
Legal issues

Question: Why is cloud computing different?

11 Recap: Why is cloud forensics different?

Data stored in different jurisdictions
Data is replicated many times for redundancy
Separation/segregation of duties/control between client and cloud provider is not clear
Clouds are multi-tenant environments

12 Multi-tenancy and Multi-jurisdictions create complicated scenarios

No longer possible to grab the disk and image it for suspect’s data
Sophisticated collaboration with cloud provider and possibly international law enforcement departments needed
The law is not clear yet

13 Technical issues [see Ruan et al.]

Data collection:
  – Finding, labeling, recording, and mining forensic data from a cloud is difficult
  – Information resides in many different locations, some of which may be offshore
  – Data collection from a cloud provider may violate privacy laws protecting other customers

14 Technical issues

Data Collection
  – Access to cloud data / forensic logs may vary according to cloud model
      IaaS – easy access to data for forensic investigation
      PaaS – less flexible access through the cloud API
      SaaS – Almost no access from client side

15 Technical issues

Elastic, Static, and Live Forensics
  – Time Synchronization is very difficult when data resides in multiple locations, machines, data centers
  – Log format unification is difficult
  – Recovering deleted data is almost impossible

16 Technical issues

Evidence segregation
  – Very difficult to identify only the data belonging to a particular suspect
  – Separating log files per client is a huge management overhead
  – Weak registration allows criminals to use cloud almost anonymously
  – Tools do not exist yet
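An added example, not part of the lecture: the time synchronization and log format unification problems from slide 15, and the per-tenant evidence segregation from slide 16, worked on constructed log lines. The three log formats, the tenant names and the 12-second clock skew are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines: three hypothetical sources, three formats, three time zones.
WEB_LOG = [
    '203.0.113.7 - tenant-a [27/Sep/2011:09:15:02 -0500] "GET /vm/42 HTTP/1.1" 200',
    '198.51.100.9 - tenant-b [27/Sep/2011:09:15:05 -0500] "GET /vm/77 HTTP/1.1" 200',
]
HYPERVISOR_LOG = ['{"ts": 1317132910, "tenant": "tenant-a", "event": "snapshot vm-42"}']
STORAGE_LOG = ["2011-09-27T16:15:20+02:00 owner=tenant-a op=DELETE object=disk-42.img"]

# Seconds each source clock runs ahead of the reference clock (assumed measurements).
CLOCK_SKEW = {"web": 0, "hypervisor": 0, "storage": 12}

WEB_RE = re.compile(r'^\S+ - (\S+) \[([^\]]+)\] "([^"]*)" \d{3}$')
STORAGE_RE = re.compile(r"^(\S+) owner=(\S+) (.*)$")

def parse_web(line):
    owner, stamp, request = WEB_RE.match(line).groups()
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), owner, request

def parse_hypervisor(line):
    rec = json.loads(line)
    return datetime.fromtimestamp(rec["ts"], tz=timezone.utc), rec["tenant"], rec["event"]

def parse_storage(line):
    stamp, owner, detail = STORAGE_RE.match(line).groups()
    return datetime.fromisoformat(stamp), owner, detail

SOURCES = {"web": (parse_web, WEB_LOG), "hypervisor": (parse_hypervisor, HYPERVISOR_LOG),
           "storage": (parse_storage, STORAGE_LOG)}

def build_timeline(sources, tenant=None):
    """Merge every source into one UTC-ordered timeline, optionally for one tenant."""
    events, rejected = [], []
    for name, (parser, lines) in sources.items():
        for line in lines:
            try:
                ts, owner, detail = parser(line)
            except (AttributeError, ValueError, KeyError, TypeError):
                rejected.append((name, line))  # keep unparseable lines for review
                continue
            ts = ts.astimezone(timezone.utc) - timedelta(seconds=CLOCK_SKEW[name])
            if tenant is None or owner == tenant:
                events.append((ts, name, owner, detail))
    return sorted(events), rejected

if __name__ == "__main__":
    for ts, name, owner, detail in build_timeline(SOURCES, tenant="tenant-a")[0]:
        print(ts.isoformat(), name, owner, detail)
```

Without the skew correction the storage DELETE would sort after the hypervisor snapshot; with it, the DELETE comes first, which changes the reconstructed sequence of events.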

17 Technical issues

Investigating virtual machines
  – Clients don’t use physical hardware directly, rather use virtualized hardware and virtual machines
  – The evidence may be spread across the client’s machine
  – Even clients cannot locate the physical position of a piece of data at any time

18 Legal issues

Multi-jurisdiction and tenancy
  – One of the top legal concerns in digital forensics in clouds
SLAs
  – Service level agreements still do not include support for cloud forensics

19 Clouds do provide some new opportunities for forensics

Cost effectiveness: Cloud can be used for forensics as a service
Data abundance: There are many replicas of a data object in a cloud. So, deletion does not remove all traces of data

20 Clouds do provide some new opportunities for forensics

Performance:
  – Faster data processing, even for smaller law enforcement departments
  – Reduced total cost of investigation

21 Open Problems

Creating a framework for a regulatory compliant cloud
  – i.e., a cloud that allows the same level of forensic scrutiny as required by regulations such as the Sarbanes-Oxley Act, HIPAA, GLB, etc.
Creating a privacy-preserving forensic audit framework

