Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in Cloud Computing

Published byBritney Small Modified over 7 years ago

Similar presentations

Presentation on theme: "Security in Cloud Computing"— Presentation transcript:

1 Security in Cloud Computing
Thanks to Research talk at UA | Ragib Hasan | | UAB CIS 12/02/11 Also, from talk by Calvin Vreeland

2 Security How do you know data in cloud is safe and secure?
Even reputable providers can be hacked

3 What the “experts” are saying?
[Cloud Computing] is a security nightmare and it can't be handled in traditional ways. John Chambers CISCO CEO It’s stupidity. It’s worse than stupidity Richard Stallman GNU

4 Businesses don’t trust clouds (yet)
Almost 75% of business CFOs are still afraid to use clouds for sensitive data due to lack of security

5 Traditional systems security vs Cloud Computing Security
Securing a traditional system Securing a cloud

6 Traditional systems security vs Cloud Computing Security
Analogy Securing a house Securing a motel Owner and user are often the same entity Owner and users are almost invariably distinct entities

7 Traditional systems security vs Cloud Computing Security
Securing a house Securing a motel Biggest user concerns Securing perimeter Checking for intruders Securing assets Biggest user concern Securing room against (the bad guy in next room | hotel owner)

8 Cloud security involves securing across multiple dimensions of the cloud
Data and computation integrity and confidentiality Infrastructure, topology Data Privacy Networking Forensics

9 Research on Cloud Computing Security: A High Level View
Novel attacks Trustworthy cloud architectures Data integrity and availability Computation integrity Data and computation privacy Data forensics Misbehavior detection Malicious use of clouds Economic attacks

10 Co-tenancy in clouds creates new attack vectors
A cloud is shared by multiple users Malicious users can now legally be in the same infrastructure Misusing co-tenancy, attackers can launch side channel attacks on victims any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms. E.g., timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information which can be exploited to break the system Example: the Topology attack on Amazon EC2 (“Hey You! Get off of my Cloud …” CCS 2009)

11 Today’s cloud architectures act like big black boxes
Clients have no idea of or control over what is happening inside the cloud Clients are forced to trust cloud providers completely Existing Approaches: TCCP (uses TPM), CloudProof The Trusted Platform Module (TPM) installed on certain motherboards is an extra chip that is designed to aid in the generation of certain types of cryptographic keys to use in various parts of the computer.

12 Today’s clouds provide no guarantee about outsourced data
Problem: Dishonest cloud providers can throw data away or lose data. Malicious intruders can delete or tamper with data. Clients need reassurance that the outsourced data is available, has not been tampered with, and remains confidential. Example Approaches: Provable Data Possession (PDP), Proof of Retrievability (PoR), HAIL

13 Ensuring confidentiality of data in outsourced computation is difficult
Most type of computations require decrypting data before any computations If the cloud provider is not trusted, this may result in breach of confidentiality Existing Approaches: Homomorphic encryption, TCCP

14 Privacy is often the victim when using a cloud …
It is almost impossible to provide privacy of sensitive personal information in computation outsourcing Using Google spreadsheets to maintain SSN Popular distributed computation systems such as MapReduce are NOT designed with privacy in mind

15 Clients have no way of verifying computations outsourced to a Cloud
Scenario User sends her data processing job to the cloud. Clouds provide dataflow operation as a service (e.g., MapReduce, Hadoop etc.) Problem: Users have no way of evaluating the correctness of results Existing Approaches: Runtime Attestation, Majority voting, Redundant operations

16 Assessing the Capability of a Cloud Provider is difficult due to the black box model
Availability, fault-tolerance, and resilience are important to clients for mission-critical data But cloud providers do not want to reveal their capability or redundancy So, clients need a way to remotely verify the capability claims

17 Data Forensics in Clouds is difficult
Certain Government regulations mandate the ability to audit and run forensic analysis on critical business or healthcare data Clouds complicate forensic analysis, since the same storage infrastructure is shared by many clients Cloud providers are not willing to open up their entire storage for forensic investigations.

18 Clouds can be used for malicious purposes
Adversaries can rent clouds temporarily to create a large scale botnet very quickly (collection of interconnected programs) Clouds can be used for spamming, Denial of service, brute force password breaking, and other attacks Example: WPACracker.com – Claims to break WPA passwords for $17 in under 20 minutes, using a cloud

19 Economy matters! Sometimes, economic targets are more effective than technical targets Attacks can target economic viability of cloud users (by consuming extra resources), or of cloud providers (by fraudulently consuming cloud resources)

20 Hassan strategy Question: How can we make clouds more accountable?
Approach: By maintaining secure and verifiable provenance chains for all data and computations outsourced to a cloud, clients can get more accountability. Provenance of data What happened to the data object while it was inside the cloud? (i.e., entire history of the data object) Provenance of computations How was a particular result computed inside a cloud? Challenges: How to ensure correct collection of provenance inside a cloud, even when the cloud provider may not be trustworthy?

21 (Largely) Unexplored Areas
Legal/policy issues and regulatory compliance: How does cloud computing fit in with data security laws and regulations such as SOX, HIPAA? Sarbanes Oxley – result of Enron, accuracy of financial reporting data For example, If I store my data in Amazon, can the Govt. subpoena Amazon to access my data without violating 4th amendment? unreasonable search and seizure Will a cloud based storage system comply with SOX?

22 Issues related to users of the cloud
Sensitive Information SLA may allow access and catalog and use info in ways never intended Share data with marketing firm Google’s policy – company will share data with gov if “good faith belief” access is necessary to fulfill lawful requests Government can more easily subpoena 3rd party than privately owned Closed Subpoena – provider legally prohibited from telling customers data has been given to the government Google’s problem or SLA may say not responsible

23 Today’s clouds provide no guarantee about outsourced data
Amazon’s Terms of services Updated

24 The government – yes it can be good
Governmental regulations: If doing business for EU, cannot store in US If credit card data, restrictions on where can store data, cannot allow free block to be included in another customer’s block of storage

25 Examples of problems AOL releated 650k customer search terms on public web page MS released search data to US DOD in child porn case British gov misplaced 25 M taxpayer records Retailers lose credit card numbers

26 Anecdotes “A short account of an interesting or amusing interesting story about a real incident or person”nature” 26

27 Why? Now OneDrive Allows users to upload and sync files to a cloud storage

28 Sorry, your account has been disabled. [?] That’s it.
Locked Out Nick Saber isn’t happy now. Monday afternoon, after lunch, Nick came back from lunch to find out that he couldn’t get into his Gmail account. Further, he couldn’t get into anything that Google made (beside search) where his account credentials once worked. When attempting to log in, Nick got a single line message: Sorry, your account has been disabled. [?] That’s it. No, Google, that’s not it. Somewhere, deep inside the bowels of Google-land, something went wrong and an innocent person suffers the loss of his data. This is serious failure! One point the story highlights is a hard lesson for users: Don’t trust the cloud at this early stage in its evolution. 28

29 Cloud Goes Dark Amazon.com Web Service's hosted storage service went down Friday morning, frustrating many Web site customers and refreshing concerns with the ballyhooed approach of cloud computing. An online forum spiked with customer complaints Friday morning as some people found that content stored on Amazon's Simple Storage Service (S3) was unavailable or performed slowly. The service was restored a few hours later, according to an Amazon technician. The first forum posting was timed at 5 a.m. PT, and the service was back up at just past 9 a.m. The glitch sent a ripple through the blogosphere as Web entrepreneurs, who are increasingly using Amazon's hosted computing services, pondered whether they needed a back-up plan or a more traditional hosting provider. On the forum, some people complained about how the service glitch essentially put them out of business temporarily. 29

30 Google Docs Down Google's Documents and Spreadsheets service went down for approximately 45 minutes earlier this morning. The service, Google's online productivity suite, went from having some features not working, like the log-out button and the document creation drop-down menu, to coming up with a 404 page. The downtime calls into question the importance that online Web applications play in business use, as well as how Google's free document services have come to replace software solutions such as Microsoft Office for some users or teams that use Google's real-time collaboration features. 30

31 Digital Railroad "Everyone is downloading now and their FTP has slowed to a crawl," one Digital Railroad member told News Photographer magazine earlier this afternoon, before the site went dark. It's estimated that there may have been as many as 1,900 client archives on Digital Railroad's servers as of today. 31

32 Security Benefits in the Cloud
Centralized data – can make it more secure Reduced data loss (12K laptops lost in US airports) How secure are laptops? If limit employee downloads, can limit data loss Easier to monitor security if only one location Can move data to another machine Logging is better in the cloud (C2 audit trail) High overhead, but the cloud can handle it

33 Security Benefits in the Cloud
Security bundled in, no need to buy 3rd party security SW Can perform patches and upgrades offline, test off-line versions of production environment Vendors more likely to develop more efficient security SW SaaS/PaaS providers do security testing (lower cost for security testing split amongst all users)

34 Regulatory Issues No existing regulation
Despite its size, Google could still fail (look at GM or those banks that were too big to fail…) Government backed insurance? Should government regulate the cloud? Safe guard for loss or theft? Who owns the data? Law enforcement easier access to cloud than PC?

35 Regulatory Issues Do people really understand privacy and security implications of , Facebook, etc? US courts ruled private data in cloud does not have same level of protection from law enforcement searches 49% concerned if cloud shared files with law 80% concerned if used photos for marketing 68% concerned is used personal information for personalized ads 63% concerned if provider kept data after used deleted

36 Regulatory Issues Should government agencies store data on clouds?
Procurement regulations will have to change GSA pushing for cloud to reduce energy US gov. spends $480 M on electricity for computers

37 Security in Clouds Security hackers:
Sell proprietary info to competition Encrypt storage until pay (ransom/blackmal?) Erase everything to damage business DDOS, botnets attack network Tokyo firm pay $31K to stop it Not even clear who should pay ransom In a cloud at the mercy of their security measures

38 Final Observations: What’s wrong with today’s cloud security research
Failure to look at reality Many security schemes impose unrealistic overheads (e.g., >35%!!) – no one will use them in real life clouds Failure to consider economy Security schemes would cause significant changes to existing cloud infrastructures Many attacks simply don’t make any economic sense Lack of realistic threat models Many papers present unrealistic threat models, (“Solutions in search of a problem”)

39 Clouds can be used for malicious purposes
Adversaries can rent clouds temporarily to create a large scale botnet very quickly Clouds can be used for spamming, Denial of service, brute force password breaking, and other attacks Example: WPACracker.com – Claims to break WPA passwords for $17 in under 20 minutes, using a cloud

40 Cloud Computing...... Design for Disaster?
40

Download ppt "Security in Cloud Computing"

Similar presentations

Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.
Slide credits: Ragib Hasan, Johns Hopkins University CS573 Data privacy and security in the cloud.

Slide credits: Ragib Hasan, Johns Hopkins University CS573 Data privacy and security in the cloud.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.
Web Security A how to guide on Keeping your Website Safe. By: Robert Black.

Web Security A how to guide on Keeping your Website Safe. By: Robert Black.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
SOA Security Chapter 12 SOA for Dummies. Outline User Authentication/ authorization Authenticating Software and Data Auditing and the Enterprise Service.

SOA Security Chapter 12 SOA for Dummies. Outline User Authentication/ authorization Authenticating Software and Data Auditing and the Enterprise Service.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2013 Lecture 3 09/03/2013 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2013 Lecture 3 09/03/2013 Security and Privacy in Cloud Computing.
Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.

Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.

MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
CLOUD AND SECURITY: A LEGISLATOR'S PERSPECTIVE 6/7/2013.

CLOUD AND SECURITY: A LEGISLATOR'S PERSPECTIVE 6/7/2013.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.

GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.
Cloud Computing Characteristics A service provided by large internet-based specialised data centres that offers storage, processing and computer resources.

Cloud Computing Characteristics A service provided by large internet-based specialised data centres that offers storage, processing and computer resources.
PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, 2014 -WITH THANKS TO.

PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, WITH THANKS TO.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 11 09/27/2011 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 11 09/27/2011 Security and Privacy in Cloud Computing.
Phishing scams Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal.

Phishing scams Phishing is the fraudulent practice of sending s purporting to be from reputable companies in order to induce individuals to reveal.
Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.

Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
IT Security Policy: Case Study March 2008 Copyright 2000-2008, All Rights Reserved.

IT Security Policy: Case Study March 2008 Copyright , All Rights Reserved.
1 TCS Confidential. 2 Objective : In this session we will be able to learn:  What is Cloud Computing?  Characteristics  Cloud Flavors  Cloud Deployment.

1 TCS Confidential. 2 Objective : In this session we will be able to learn:  What is Cloud Computing?  Characteristics  Cloud Flavors  Cloud Deployment.
Computer Security Keeping you and your computer safe in the digital world.

Computer Security Keeping you and your computer safe in the digital world.

Similar presentations

Ads by Google