1 Suronapee Phoomvuthisarn, Ph.D. / NETE4631: Cloud Privacy and Security - Lecture 12


2 Characteristics of Cloud (NIST)

3 Statistical Challenges in the Cloud

4 Security & Privacy Challenges
- Outsourcing data and applications
- Extensibility and shared responsibility
- Service-Level Agreements (SLAs)
- Virtualization and hypervisors
- Heterogeneity
- Compliance and regulations
  - Three kinds of issues in standards and regulations:
    - "How" issues: how an application of a specific type should operate in order to protect the concerns specific to its problem domain
    - "Where" issues: where you may store certain information
    - "What" issues: standards that prescribe specific components of your infrastructure

5 The Life Cycle of a Modern Attack

6 Functional Traits of Botnets

7 Key Components and Tools in the Modern Attack Strategy

8 Data Security
- Physical security
- Data control
- Encryption (both in transit and in storage)
- Regular off-site backups
- Data segmentation
  - Minimize the impact of the compromise of specific nodes

9 Network security
- Firewall
  - Firewall-like traffic rules govern which traffic can reach which virtual servers, such as security groups in Amazon EC2
- Network intrusion detection
  - Monitor local traffic for anything that looks irregular

10 Firewall rules
Figure: firewall rules in Amazon compared with a traditional firewall
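The figure on this slide contrasts two rule models. The example below is added for this transcript and is not from the lecture or from Amazon's documentation: it models an EC2-style security group as an allow-only set of rules, where traffic matching no rule is dropped, next to a traditional ordered firewall that needs an explicit deny rule (or a default-deny policy) to express the same intent. The rule sets, addresses and packets are constructed sample data.

```python
"""
Toy model of the two firewall styles the slide contrasts (added example).

- traditional_firewall: ordered list, first matching rule wins, allow or deny.
- security_group: unordered allow-only set; no deny rules, default drop.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    cidr: str
    proto: str
    port_from: int
    port_to: int
    action: str = "allow"   # only meaningful for the ordered firewall

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and self.port_from <= pkt.dport <= self.port_to
                and ip_address(pkt.src) in ip_network(self.cidr))


def traditional_firewall(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match-wins over an ordered list; falls back to the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def security_group(rules: List[Rule], pkt: Packet) -> str:
    """Allow-only set: any matching rule permits, otherwise the packet is dropped."""
    return "allow" if any(r.matches(pkt) for r in rules) else "deny"


# Constructed sample: a web tier that accepts HTTPS from anywhere and SSH only
# from an administrative network (10.0.0.0/8).
WEB_SG = [
    Rule("0.0.0.0/0", "tcp", 443, 443),
    Rule("10.0.0.0/8", "tcp", 22, 22),
]

# The same intent for an ordered firewall: the explicit deny in the middle is
# what keeps SSH from the Internet out; ordering matters here, not in WEB_SG.
WEB_ORDERED = [
    Rule("10.0.0.0/8", "tcp", 22, 22, "allow"),
    Rule("0.0.0.0/0", "tcp", 22, 22, "deny"),
    Rule("0.0.0.0/0", "tcp", 443, 443, "allow"),
]


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (security-group decision, ordered-firewall decision) for one packet."""
    return security_group(WEB_SG, pkt), traditional_firewall(WEB_ORDERED, pkt)


if __name__ == "__main__":
    for p in (Packet("203.0.113.7", "tcp", 443),
              Packet("203.0.113.7", "tcp", 22),
              Packet("10.1.2.3", "tcp", 22),
              Packet("10.1.2.3", "udp", 53)):
        print(p, "->", compare(p))
```

Because a security group has no deny rules, adding a rule can only widen access; reviewing a group therefore means reviewing every allow it contains, whereas reviewing an ordered list also means checking what each rule shadows.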

11 Brokered Cloud Storage Access

12 Network Intrusion Detection Systems (NIDS)
- A NIDS monitors local traffic for anything that looks irregular
  - Scans, denial-of-service attacks, known vulnerability exploit attempts
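To make "anything that looks irregular" concrete, here is an added example (not from the lecture) of a minimal detector for two of the irregularities the slide names, port scans and denial-of-service floods, working over connection-attempt records with a sliding time window. The thresholds, addresses and traffic below are constructed sample values; a real NIDS would take its input from a network tap or flow export.

```python
"""Sliding-window detection of port scans and connection floods (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Conn:
    ts: float      # time of the connection attempt, in seconds
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port


class Detector:
    """Keeps per-source and per-destination history and raises one alert per offender."""

    def __init__(self, window: float = 10.0, scan_ports: int = 15, flood_count: int = 200):
        self.window = window            # seconds of history kept per key
        self.scan_ports = scan_ports    # distinct dst ports from one source => scan
        self.flood_count = flood_count  # attempts against one host => flood
        self._by_src = defaultdict(deque)   # src -> deque of (ts, dport)
        self._by_dst = defaultdict(deque)   # dst -> deque of ts
        self._fired = set()                 # (kind, key) already alerted
        self.alerts: List[str] = []

    def _expire(self, dq: deque, now: float, ts_of: Callable) -> None:
        # Drop history older than the window (records are assumed time-ordered).
        while dq and now - ts_of(dq[0]) > self.window:
            dq.popleft()

    def _alert(self, kind: str, key: str, msg: str) -> None:
        if (kind, key) not in self._fired:
            self._fired.add((kind, key))
            self.alerts.append(msg)

    def observe(self, c: Conn) -> None:
        # Vertical scan: one source touching many distinct ports within the window.
        src_hist = self._by_src[c.src]
        src_hist.append((c.ts, c.dport))
        self._expire(src_hist, c.ts, lambda e: e[0])
        distinct = {p for _, p in src_hist}
        if len(distinct) >= self.scan_ports:
            self._alert("scan", c.src, f"PORT_SCAN src={c.src} distinct_ports={len(distinct)}")

        # Flood: too many attempts against one host within the window, any sources.
        dst_hist = self._by_dst[c.dst]
        dst_hist.append(c.ts)
        self._expire(dst_hist, c.ts, lambda e: e)
        if len(dst_hist) >= self.flood_count:
            self._alert("flood", c.dst, f"DOS_FLOOD dst={c.dst} attempts={len(dst_hist)}")


def run(records: Iterable[Conn], **kw) -> List[str]:
    """Feed records in time order and return the alerts raised."""
    det = Detector(**kw)
    for r in sorted(records, key=lambda r: r.ts):
        det.observe(r)
    return det.alerts


def sample_traffic() -> List[Conn]:
    """Constructed sample: benign HTTPS, one 20-port scan, one 250-source flood."""
    recs = [Conn(float(i), "10.0.0.20", "10.0.0.5", 443) for i in range(5)]
    recs += [Conn(100.0 + 0.1 * p, "198.51.100.9", "10.0.0.5", p) for p in range(1, 21)]
    recs += [Conn(200.0 + 0.01 * i, f"192.0.2.{i}", "10.0.0.8", 80) for i in range(250)]
    return recs


if __name__ == "__main__":
    for a in run(sample_traffic()):
        print(a)
```

The two thresholds are the tuning knobs a defender actually adjusts: a low `scan_ports` catches slow scanners but also flags monitoring hosts that legitimately probe many ports, and `flood_count` must sit above the destination's normal connection rate or every busy web server looks like a victim.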

13 Host Security
- Host security describes how your server is set up for the following tasks:
  - Preventing attacks
  - Minimizing the impact of a successful attack on the overall system
  - Responding to attacks when they occur

14 Host Security (2)
- Security patches
  - In cloud environments, rolling out a patch across the infrastructure takes three simple steps:
    - Patch your machine images with the new security fixes
    - Test the results
    - Re-launch your virtual servers
- System hardening
  - The process of disabling or removing unnecessary services and eliminating unneeded user accounts
- Antivirus protection
  - Selection criteria: (1) how many of the known exploits it covers; (2) the lag between a virus being released and the product being able to detect and recover from it
- Host Intrusion Detection Systems (HIDS)

15 Host Intrusion Detection Systems (HIDS)

16 Identity Management
- What is an identity?
  - Things you are
  - Things you know
  - Things you have
  - Things you relate to
- Identities are used to authenticate client requests for services and to prevent unauthorized use
- Maintain user roles
- Use a secure approach such as SSH with a public/private key pair, rather than password-based login (open to brute-force attack), to access virtual servers
- Encryption in transit
- Grant access only to users with an operational need, and only for the time period in which they need it

17 Defining Identity as a Service (IDaaS)
- Stores the information associated with a digital entity used in electronic transactions
- Core functions:
  - Data store
  - Query engine
  - Policy engine
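The following example is added for this transcript and is not code from the lecture or from any IDaaS product. It ties the Identity Management slide to the three IDaaS core functions on this slide: a data store of identities, a query engine that answers which roles are active at a given time, and a policy engine that authenticates by key fingerprint ("something you have", no password path) and authorizes an action only while a role grant is within its time window. Users, fingerprints, roles and timestamps are constructed sample data.

```python
"""Toy IDaaS core: data store, query engine, policy engine (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Grant:
    role: str
    not_before: datetime     # inclusive
    not_after: datetime      # exclusive


@dataclass
class Identity:
    user: str
    key_fingerprint: str     # fingerprint of the user's public key (constructed value)
    grants: List[Grant] = field(default_factory=list)


# Role -> permitted actions; patterns are globs so one role can cover a fleet.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "web-admin": {"ssh:web-*"},
    "dba": {"ssh:db-*"},
}


class IdentityStore:
    """Data store: identities keyed by user name."""

    def __init__(self) -> None:
        self._users: Dict[str, Identity] = {}

    def add(self, ident: Identity) -> None:
        self._users[ident.user] = ident

    def get(self, user: str) -> Optional[Identity]:
        return self._users.get(user)


def active_roles(store: IdentityStore, user: str, now: datetime) -> Set[str]:
    """Query engine: roles whose grant window contains `now`."""
    ident = store.get(user)
    if ident is None:
        return set()
    return {g.role for g in ident.grants if g.not_before <= now < g.not_after}


def authorize(store: IdentityStore, user: str, presented_fingerprint: str,
              action: str, now: datetime) -> Tuple[bool, str]:
    """Policy engine: the key must match and an active role must permit the action."""
    ident = store.get(user)
    if ident is None:
        return False, "unknown user"
    if presented_fingerprint != ident.key_fingerprint:
        return False, "key fingerprint mismatch"       # no password fallback exists
    roles = active_roles(store, user, now)
    if not roles:
        return False, "no role grant active at this time"
    for role in sorted(roles):
        if any(fnmatch(action, pattern) for pattern in ROLE_PERMISSIONS.get(role, ())):
            return True, f"allowed by role {role}"
    return False, "no active role permits this action"


ALICE_FP = "SHA256:alice-key-fingerprint"   # constructed, not a real key


def demo_store() -> IdentityStore:
    """Constructed sample: alice may administer web servers for one day only."""
    store = IdentityStore()
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.add(Identity("alice", ALICE_FP,
                       [Grant("web-admin", start, start + timedelta(days=1))]))
    return store


if __name__ == "__main__":
    s = demo_store()
    t_ok = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)
    t_late = datetime(2024, 1, 3, tzinfo=timezone.utc)
    print(authorize(s, "alice", ALICE_FP, "ssh:web-01", t_ok))
    print(authorize(s, "alice", ALICE_FP, "ssh:db-01", t_ok))
    print(authorize(s, "alice", ALICE_FP, "ssh:web-01", t_late))
    print(authorize(s, "alice", "SHA256:some-other-key", "ssh:web-01", t_ok))
```

The order of checks in `authorize` is deliberate: authentication (the key) is settled before any role lookup, so a caller learns nothing about a user's grants until it has proven possession of the key, and an expired grant denies even a correctly authenticated user.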

18 Core IDaaS applications

19 Authentication Protocol Standards
- OpenID
- OAuth

20 Auditing
- Auditing is the ability to monitor events in order to understand performance
- Challenges:
  - Proprietary log formats
  - Logs might not be co-located
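One defensive answer to both challenges on this slide is to pull each source's records through a format-specific parser into a single event schema and then query the merged timeline. The example below is added for this transcript and is not from the lecture; the syslog-style lines and the JSON audit format are constructed samples (the first resembles OpenSSH output, the second is a hypothetical cloud API trail, neither is a vendor's actual format), as are all timestamps, hosts and user names.

```python
"""Normalizing two constructed log formats into one audit timeline (added example)."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str     # system that produced the record
    actor: str      # user or principal
    action: str
    outcome: str    # "success" or "failure"


def _parse_ts(text: str) -> datetime:
    # Accept a trailing 'Z' on Python versions whose fromisoformat does not.
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


# Format 1 (constructed): syslog-style sshd authentication lines.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>password|publickey) for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_sshd(line: str) -> Optional[Event]:
    m = SSHD_RE.match(line)
    if not m:
        return None                      # not an authentication record
    return Event(_parse_ts(m["ts"]), m["host"], m["user"],
                 f"ssh-login:{m['method']}",
                 "success" if m["result"] == "Accepted" else "failure")


def parse_api_json(line: str) -> Optional[Event]:
    """Format 2 (constructed): one JSON object per line from a hypothetical cloud API trail."""
    try:
        rec = json.loads(line)
        return Event(_parse_ts(rec["time"]), "cloud-api", rec["principal"],
                     rec["event"], rec["result"].lower())
    except (json.JSONDecodeError, KeyError):
        return None


PARSERS: Dict[str, Callable[[str], Optional[Event]]] = {
    "vm-syslog": parse_sshd,
    "cloud-api": parse_api_json,
}


def normalize(feeds: Dict[str, Iterable[str]]) -> List[Event]:
    """Parse every feed with its own parser and merge into one timeline sorted by time."""
    events: List[Event] = []
    for name, lines in feeds.items():
        parse = PARSERS[name]
        events.extend(e for e in map(parse, lines) if e is not None)
    return sorted(events, key=lambda e: e.ts)


def failed_logins_by_actor(events: Iterable[Event]) -> Dict[str, int]:
    """A cross-source query that neither raw feed could answer on its own."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.outcome == "failure":
            counts[e.actor] = counts.get(e.actor, 0) + 1
    return counts


SAMPLE_FEEDS: Dict[str, List[str]] = {   # constructed sample data
    "vm-syslog": [
        "2024-05-01T10:00:00Z web-01 sshd[1234]: Failed password for alice from 203.0.113.5 port 51514 ssh2",
        "2024-05-01T10:00:05Z web-01 sshd[1235]: Accepted publickey for bob from 10.0.0.7 port 51515 ssh2",
        "2024-05-01T10:00:09Z web-01 sshd[1235]: pam_unix(sshd:session): session opened for user bob",
    ],
    "cloud-api": [
        '{"time": "2024-05-01T10:01:00Z", "principal": "alice", "event": "ConsoleLogin", "result": "Failure"}',
        '{"time": "2024-05-01T09:59:30Z", "principal": "carol", "event": "ConsoleLogin", "result": "Success"}',
    ],
}


if __name__ == "__main__":
    timeline = normalize(SAMPLE_FEEDS)
    for e in timeline:
        print(e.ts.isoformat(), e.source, e.actor, e.action, e.outcome)
    print(failed_logins_by_actor(timeline))
```

Timestamps are converted to UTC during parsing so that records shipped from different regions sort into one correct order; that conversion is the step most often skipped when logs are left where each provider wrote them.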

21 Auditing (2)
Picture from Alexandra Institute

22 Security Mapping
- Determine which resources you are planning to move to the cloud
- Determine the sensitivity of those resources to risk
- Determine the risk associated with the particular cloud deployment type (public, private, or hybrid) of a resource
- Take into account the particular cloud service model that you will be using
- If you have selected a particular cloud provider, evaluate its system to understand how data is transferred, where it is stored, and how to move data both in and out of the cloud

23 The AWS Security Center

24 Security Responsibilities
- Cloud deployment models (NIST):
  - Public clouds
  - Private clouds
  - Hybrid clouds

25 Security Service Boundary
By the Cloud Security Alliance (CSA)

26 Regulatory Compliance
- All regulations were written without cloud computing in mind.
- Clients are held responsible for compliance under the laws that apply to the location where the processing or storage takes place.
- Security laws require companies that hold sensitive personal information to encrypt the data transmitted from and stored on their systems (Massachusetts, March 2012).

27 Regulatory Compliance (2)
- You have to ensure the following:
  - Contracts are reviewed by your legal staff
  - The right to audit is written into your SLA
  - Cloud service providers are reviewed for their security and regulatory compliance
  - You understand the scope of the regulations that apply to your cloud-based applications
  - You consider what steps to take to comply with the regulations that apply and/or adjust your procedures accordingly
  - You collect and maintain evidence of your compliance with regulations

28 Defining Compliance as a Service (CaaS)
- CaaS needs to:
  - Serve as a trusted party
  - Be able to manage cloud relationships
  - Be able to understand security policies and procedures
  - Know how to handle information and administer policy
  - Be aware of geographic location
  - Provide incident response and archiving, and allow the system to be queried, all to a level that can be captured in an SLA

29 Defining Compliance as a Service (CaaS) (2)
- Examples of clouds that advertise CaaS capabilities include:
  - Athenahealth for the medical industry
  - Bankserv for the banking industry
  - ClearPoint PCI for merchant transactions
  - FedCloud for government

30 Techniques for securing resources
Picture from Alexandra Institute

31 Virtualized Data Center Network Security Challenges
- The major network security challenges in the virtualized data center include:
  - Hypervisor integrity: a successful attack against a host's hypervisor can compromise all of the workloads being delivered by that host.
  - Intra-host communications: traffic between different VMs on the same physical host is often not visible to, and therefore cannot be controlled by, traditional physical firewalls and IPS.
  - VM migration: when VMs migrate from one physical host to another, or from one physical site to another, they tend to break network security tools that rely on physical and/or network-layer attributes.

32 Data center evolution and security requirements

33 Criteria for Network Security in the Virtualized Data Center
- Safe application enablement of data center applications
- Identification based on users, not IP addresses
- Comprehensive threat protection
- Flexible, adaptive integration
- High-throughput, low-latency performance
- Secure access for mobile and remote users
- One comprehensive policy, one management platform

34 References
- Chapters 4 and 12 of the course book: Cloud Computing Bible, Wiley Publishing Inc., 2011
- Chapter 6 of Cloud Application Architectures: Building Applications and Infrastructure in the Cloud, G. Reese, O'Reilly, 2009
- Network Security in Virtualized Data Centers For Dummies, Lawrence C. Miller, John Wiley & Sons
- Research paper: Security and Privacy Challenges in Cloud Computing Environments, Hassan Takabi and James B. D. Joshi, University of Pittsburgh