A Taxonomy of Cloud Attack Consequences and Mitigation Strategies: The Role of Access Control and Privileged Access Management


Overview
- Identify the cloud attack consequences
- Identify the recommended mitigation strategies
- Use thematic analysis to locate any common strategies
- Find the mitigation strategy with the greatest impact
- Present a plausible solution

Cloud prevalence
- Microsoft Office 360
- Dropbox
- Number two in the top five areas for increased spending for organizations (IDC Computer World, 2015)

What is cloud?
- NIST definition: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
- Service Models: Software as a Service, Platform as a Service, Infrastructure as a Service
- Deployment Models: Public cloud, Private cloud, Community cloud, Hybrid cloud

Categorisation of Cloud Security Consequences and Mitigation Strategies
- Current Cloud Security Alliance’s (CSA) “The Notorious Nine Cloud Computing Top Threats”
- We gathered the top threats that cloud service providers and users face and re-categorised them to allow effective identification and mitigation of the risk presented.
- Our categorization differs from the CSA’s paper and places threats into potential consequences

People, Process and Technology
- People: Employees, individuals who operate the cloud, both from a customer and cloud service provider perspective
- Process: Processes which govern the operation of the cloud by the customer and service provider
- Technology: Technology that is used to run and secure the cloud environment to maintain confidentiality, integrity and availability.
- Potential causing factor

Confidentiality, Integrity and Availability
- Potential result if breached
- Confidentiality: Data is only accessible by authorized entities and unauthorized access is prohibited to protected data
- Integrity: Data can only be altered by authorised parties or through authorized methods
- Availability: Data and services are accessible to authorized parties as required

Attack Consequences

- Account hijacking
- Compromised logs
[Diagram for each consequence: People, Process, Technology; Confidentiality, Integrity, Availability]
Eavesdropping
Manipulation of data
Return of falsified information
Redirection of clients to illegitimate sites
Unauthorized access to management interfaces
Alteration of auditable logs for:
- Intrusion detection systems
- Accountability management
- Digital forensics

Attack Consequences
- Data Breach
- Data Loss
[Diagram for each consequence: People, Process, Technology; Confidentiality, Integrity, Availability]
When sensitive, protected or confidential information is intentionally or unintentionally distributed, transmitted, viewed or stored by an unauthorized individual or organization.
Technical attacks, such as collecting side channel timing information to extract private keys used by other VMs on a host and hypervisor vulnerabilities.
Associated with undertrained staff who are unequipped to handle the complex storage environments present in cloud products.
Physical hardware failures, malware, and software vulnerabilities can result in data loss.

Attack Consequences
- Unauthorised Elevation and Misuse of Privilege
- Interception, Injection and Redirection
[Diagram for each consequence: People, Process, Technology; Confidentiality, Integrity, Availability]
- Circumventing controls, social engineering, malware backdoors, physical theft
- Key flaws include unclear roles and responsibilities, poor enforcement of role definitions and not applying the need to know principle
- Hijacking of data to manipulate, block and eavesdrop
- Typically exploit vulnerabilities in internet protocols such as man-in-the-middle attacks, IP spoofing, ARP spoofing, DNS poisoning and RIP attacks.

Attack Consequences
- Isolation Failure
- Resource Exhaustion
[Diagram for each consequence: People, Process, Technology; Confidentiality, Integrity, Availability]
Failure of components used for isolation
- Disc partitions, CPU caches, graphics processing units
May lead to cross-VM side channel attacks, loss of control over the physical resources
Over provisioning customers or being under resourced to fulfil requests, resulting in opportunities for DoS or attacks on the cloud system hypervisor
DOS, Cloud DNS wars

Mitigation Strategies

- Information Security
- Operations Management
[Diagram for each strategy: People, Process, Technology; Confidentiality, Integrity, Availability]
Software tools, systems technologies dedicated to maintaining confidentiality and integrity.
Includes technologies such as encryption to prevent technology based attacks data sniffing and spoofing attacks.
Oversees the operation of infrastructure technologies
DOS, Cloud DNS wars
Virtualisation software isolation installation, configuration, patches, scanning configurations audited.
IDS and IPS firewalls are included in the category.

Mitigation Strategies
- Resiliency
- Process Management
[Diagram for each strategy: People, Process, Technology; Confidentiality, Integrity, Availability]
Infrastructure technologies and contingency planning to ensure services are available to authorized parties.
Development and enforcement of policy, such as security policies

Mitigation Strategies
- Access Management
[Diagram: People, Process, Technology; Confidentiality, Integrity, Availability]
Authentication policies for access to infrastructure
Authentication and privilege access management

Mitigation Strategies
Attack Consequences (table columns): Account Hijacking; Compromised logs; Data Breach; Data Loss; Unauthorized Elevation and Misuse of Privilege; Interception, Injection and Redirection; Isolation Failure; Resource Exhaustion
Table rows, with the citations listed in each row:
- Information Security: [1, 2] [3, 4] [6]
- Operation Management: [7] [7, 8] [7]
- Resiliency: [4, 10] [12]
- Process Management: [3, 10]
- Access Management: [2, 4, 10] [1] [3, 4] [7] [2, 15] [8]

What is Privilege Access Management
- What is an administrator or a privileged user?
- What can occur if administrators are unmanaged and have unlimited access?
- What can be done to manage the access privileges?

Research Question
- Can a privilege access management system solution be created to provide for finer control and automation over current security solutions in the academic and public space?

Privileged Access Management in IaaS Cloud Computing Conceptual PAM architecture for cloud

Software Used
- VMware Workstation build
- Microsoft Windows Server 2012 R2 Datacenter x64
- Microsoft Windows 10 Education x64
- Visual Studio 2015
- Main programming language: C#

Group Policy
- Used to implement specific configurations for users and computers
- Contained in GPOs
- Linked to Active Directory directory service containers
  - Sites
  - Domains
  - Organisation units
- Based on Hierarchal
- Allow the management of user and computer objects

AppLocker
- Builds further upon existing Software Restriction Policies
- Prevent unlicensed software from running in the desktop environment if the software is not on the allowed list
- Prevent vulnerable, unauthorized applications from running in the desktop environment, including malware
- Stop users from running applications that needlessly consume network bandwidth or otherwise affect the enterprise computing environment
- Prevent users from running applications that destabilize their desktop environment and increase help desk support costs
- Provide more options for effective desktop configuration management
- Allow users to run approved applications and software updates based upon policies while preserving the requirement that only users with administrative credentials can install or run applications and software updates
- Help to ensure that the desktop environment is in compliance with corporate policies and industry regulations

Proposed Graphical User Interface

Privileged access Managed

Prototyping
- Prototyping is currently underway
- Testing and metrics procedures are currently under review and are being refined

A Taxonomy of Cloud Attack Consequences and Mitigation Strategies: The Role of Access Control and Privileged Access Management
IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom 2015)
Kin Suntana Tep, Ray Hunt, Ben Martini, Kim-Kwang Raymond Choo

Conclusion
- Cloud prevalence and security concerns
- Current threats and consequences outlined
- Mitigation strategies to combat
- Access management a popular solution
- Knowledge gap in privilege access management

Thank you! Any Questions?