Professor: Dr. Kazem Akbari Hamed Pishvayazdi, Autumn 1391

Cloud Definition

Cloud Characteristics
On demand
Pay-per-use: less investment
Pay-as-you-go
Elastic Capacity & Infinite Resources & Scalability
Self-Service Interface & Manageability
Separating user applications from the underlying infrastructure (usually via virtualization)
Resources that are abstract and virtualized
Utility Computing
Better resource utilization
Reduce power (Green IT computing)
Ubiquity of access (anywhere, anytime, …)
Ease of management & Self-service
Customization: More in IaaS and less in PaaS and SaaS

Cloud Security: Advantages & disadvantages
General Security Advantages
Cloud homogeneity makes security auditing/testing simpler
Clouds enable automated security management
Redundancy / Disaster Recovery
Cloud Security Advantages
Dedicated Security Team
Greater Investment in Security Infrastructure
Fault Tolerance and Reliability
Greater Resiliency
Hypervisor Protection Against Network Attacks

Cloud Security Advantages (Cont.)
Simplification of Compliance Analysis
Data Held by Unbiased Party (cloud vendor assertion)
Low-Cost Disaster Recovery and Data Storage Solutions
On-Demand Security Controls
Real-Time Detection of System Tampering
Rapid Re-Constitution of Services
Advanced Honeynet Capabilities

“Ultimately, you can outsource responsibility but you can’t outsource accountability.”
Companies are still afraid to use clouds
[Chow09ccsw]

Specific Customer Concerns Related to Security
Protection of intellectual property and data: 30%
Ability to enforce regulatory or contractual obligations: 21%
Unauthorized use of data: 15%
Confidentiality of data: 12%
Availability of data: 9%
Integrity of data: 8%
Ability to test or audit a provider’s environment: 6%
Other: 3%
Source: Deloitte Enterprise@Risk: Privacy and Data Protection Survey, 2007

Lots of Governance Issues
Cloud Provider going out of business
Provider not achieving SLAs
Provider having poor business continuity planning
Data Centers in countries with unfriendly laws
Proprietary lock-in with technology, data formats
Mistakes made by internal IT security – several orders of magnitude more serious
Problems Associated with Cloud Computing
Most security problems stem from:
  Loss of control
  Lack of trust (mechanisms)
  Multi-tenancy
These problems exist mainly in 3rd party management models
Self-managed clouds still have security issues, but not related to above

Possible Solutions
Minimize Lack of Trust
  Policy Language
  Certification
Minimize Loss of Control
  Monitoring
  Utilizing different clouds
  Access control management
  Identity Management (IDM)
Minimize Multi-tenancy

Cloud Forcing Key Issues
Separation between data owners and data processors
Anonymity of geography
Anonymity of provider
Physical vs virtual controls
Identity management

Key Problems of Tomorrow
Keeping pace with cloud changes
Globally incompatible legislation and policy
Non-standard Private & Public clouds
Lack of continuous Risk Mgt & Compliance monitoring
Incomplete Identity Mgt implementations
Response to security incidents

NIST Deployment Models
… and one other
Cloud Deployment Model
  Public Cloud: Cloud infrastructure made available to the general public.
  Private Cloud: Cloud infrastructure operated solely for an organization.
  Virtual Private Cloud: Cloud services that simulate the private cloud experience in public cloud infrastructure
  Hybrid Cloud: Cloud infrastructure composed of two or more clouds that interoperate or federate through technology
  Community Cloud: Cloud infrastructure shared by several organizations and supporting a specific community

Enterprise Deployment Models
Distinguishing between Ownership and Control
Ownership
  Internal Resources: All cloud resources owned by or dedicated to enterprise
  External Resources: All cloud resources owned by providers; used by many customers
Control
  Private Cloud: Cloud definition/governance controlled by enterprise
  Public Cloud: Cloud definition/governance controlled by provider
Hybrid Cloud: Interoperability and portability among Public and/or Private Cloud systems

Amazon Virtual Private Cloud VPC (http://aws.amazon.com/vpc/)

We Have Control
  It’s located at X.
  We have backups.
  Our admins control access.
  Our uptime is sufficient.
  The auditors are happy.
  Our security team is engaged.
Who Has Control?
  Where is it located?
  Who backs it up?
  Who has access?
  How resilient is it?
  How do auditors observe?
  How does our security team engage?
80% of enterprises consider security #1 inhibitor to cloud adoptions
48% of enterprises are concerned about the reliability of clouds
33% of respondents are concerned with cloud interfering with their ability to comply with regulations
Source: Driving Profitable Growth Through Cloud Computing, IBM Study, 2008 (conducted by Oliver Wyman)

Governance structure of IT organizations
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

Assessment responsibility

Cloud
Password, SAML, Kerberos, PKI, Smart Card, Token, LSPP/EAL4+, Digital Certificate, Thin Clients, Biometrics, HIPAA, VPN IPSEC, Accreditation, MILS, SSL, MLS, TCP Wrapper, Hardening, XML Gateways, Secure Collaboration, Physical Access, Compliance, Secure Blades, H/W Crypto, SOX, Tripwire, Identity Management, DAC, MAC, Cross Domain Systems, RSBAC, FIPS 140-2, PCI DSS, Trusted OS, Trusted Computing, Guards, SABI/TSABI, Cyber Security, SOA Security, SaaS, Laptop Encryption, Wireless, Federation, FISMA
* Not a complete collection

Security Implications of the Delivery Models
Service   Security by Cloud Provider   Extensibility
SaaS      Greatest                     Least
IaaS      Least                        Greatest
PaaS      Middle                       Middle
The lower down the stack the cloud provider stops, the more security you are tactically responsible for implementing and managing yourself

High-level cloud security concerns
Compliance
  Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.
Less Control
  Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.
Reliability
  High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.
Security Management
  Providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud.
Data Security
  Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.

Attack Categories
Unsafe Programs
Misconfigured Programs
Buggy Programs
  Buffer Overflows
  Parsing Errors
  Formatting Errors
  Bad input to cgi bin
Malicious Programs
  Trojans
  Virus
  Worms
  Rootkits
  Botnets
Identity Theft
Applications
  Cross site scripting
  Injection flaws
  Malicious file execution
Eavesdropping
Spamming
IP Spoofing
DoS/DDoS
People
  Social Engineering
  Weak passwords

Customer Pain Points
P - Privacy (Confidentiality)
A - Authorization (Authentication)
I - Integrity
N - Non-Repudiation
The fundamentals of security haven’t changed for a long time. However, in the last few years due to viruses, worms, intrusions & DDoS attacks, another one has been added called “Assured Information Access”.

Threat Model
Risk 1: Resource Exhaustion*
Risk 2: Customer Isolation Failure*
Risk 3: Management Interface Compromise
Risk 4: Interception of Data in Transmission
Risk 5: Data leakage on Upload/Download, Intra-cloud

Threat Model
Risk 6: Insecure or Ineffective Deletion of Data*
Risk 7: Distributed Denial of Service (DDoS)
Risk 8: Economic Denial of Service*
Risk 9: Loss or Compromise of Encryption Keys
Risk 10: Malicious Probes or Scans

Threat Model
Risk 11: Compromise of Service Engine/Hypervisor*
Risk 12: Conflicts between customer hardening procedures and cloud environment
Risk 13: Subpoena and E-Discovery*
Risk 14: Risk from Changes of Jurisdiction*
Risk 15: Licensing Risks*

Threat Model
Risk 16: Network Failure
Risk 17: Networking Management
Risk 18: Modification of Network Traffic
Risk 19: Privilege Escalation*
Risk 20: Social Engineering Attacks

Threat Model
Risk 21: Loss or Compromise of Operation Logs
Risk 22: Loss or compromise of Security Logs
Risk 23: Backups Lost or Stolen
Risk 24: Unauthorized Access to Premises, Including Physical Access to Machines and Other Facilities
Risk 25: Theft of Computer Equipment.*

Overview
Mapping the Model to the Metal
Cloud Model
Security Control Model
  Physical: Physical Plant Security, CCTV, Guards
  Compute & Storage: Host-based Firewalls, HIDS/HIPS, Integrity & File/log Management, Encryption, Masking
  Network: NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth
  Management: GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring
  Information: DLP, CMF, Database Activity Monitoring, Encryption
  Applications: SDLC, Binary Analysis, Scanners, WebApp Firewalls, Transactional Sec.
  Trusted Computing: Hardware & Software RoT & API’s
Compliance Model
  PCI, HIPAA, GLBA, SOX
  Firewalls, Code Review, WAF, Encryption, Unique User IDs, Anti-Virus, Monitoring/IDS/IPS, Patch/Vulnerability Management, Physical Access Control, Two-Factor Authentication, ...
Find the Gaps!

CSA Guidance Research
Cloud Architecture
Governing the Cloud
  Governance and Enterprise Risk Management
  Legal and Electronic Discovery
  Compliance and Audit
  Information Lifecycle Management
  Portability and Interoperability
Operating in the Cloud
  Security, Bus. Cont., and Disaster Recovery
  Data Center Operations
  Incident Response, Notification, Remediation
  Application Security
  Encryption and Key Management
  Identity and Access Management
  Virtualization

CSA Guidance Domains
1. Understand Cloud Architecture
Governing in the Cloud
  2. Governance & Risk Mgt
  3. Legal
  4. Electronic Discovery
  5. Compliance & Audit
  6. Information Lifecycle Mgt
  7. Portability & Interoperability
Operating in the Cloud
  2. Traditional, BCM, DR
  3. Data Center Operations
  4. Incident Response
  5. Application Security
  6. Encryption & Key Mgt
  7. Identity & Access Mgt
  8. Storage
  9. Virtualization

Legal
between the laws the cloud provider must comply with and those governing the cloud customer
Gain a clear expectation of the cloud provider’s response to legal requests for information.
Cross-border data transfers

Legal Issues
Liability
  Contractual responsibility
  Financial compensation
  not meeting SLA
  Legal requests for information
  Prohibit data use by provider
  Restrict cross border transfer
Intellectual Property
  All data including copies owned by client
  State data rights in SLA clearly

Electronic Discovery
Organizations have control over the data they are legally responsible for.
Preserve data as authentic and reliable.
  Metadata
  Logfiles
Mutual understanding of roles and responsibilities

Compliance & Audit
Classify data and systems to understand compliance requirements
Understand data locations, copies
Maintain a right to audit on demand
Need uniformity in comprehensive certification scoping to beef up SAS 70 II, ISO 2700X

Information Lifecycle Mgt
logical segregation of information and protective controls implemented
Understand the privacy restrictions inherent in data
Data retention assurance easy, data destruction may be very difficult.

Information Lifecycle Management
Information must be managed throughout the life of the data (creation to destruction)
Data classification should be put in place
Data confidentiality
Data integrity
Provider access needs to be defined and enforced
Data retention
Data destruction (harder to prove by CP)
Cross-jurisdictional issues
Negotiate penalties for data breaches
RBAC required

Portability & Interoperability
Understand and implement layers of abstraction
For SaaS: regular data extractions and backups to a usable format
For IaaS: deploy applications abstracted from the machine image.
For PaaS: “loose coupling” using SOA principles
Understand who the competitors are to your cloud providers and what their capabilities are to assist in migration.
Advocate open standards.

Traditional, BCM/DR
Greatest concern: insider threat
Onsite inspections of cloud provider facilities whenever possible.
BCP/DRP
Identify physical interdependencies in provider infrastructure.

Business Continuity
Disaster recovery plan
  Is it comparable to client’s data center?
Can we do a BC audit?
Location of recovery data centers
SLA Guarantee
Data Portability

Incident Response
Any data classified private: should always be encrypted
Application layer logging frameworks to: granular narrowing of incidents to a specific customer.
Cloud providers and customers need defined collaboration for incident response.

Application Security
Secure software Development Lifecycle (SDL)
IaaS, PaaS and SaaS: differing trust boundaries for SDL
For IaaS, need trusted virtual machine images
Apply best practices available to harden DMZ host systems to virtual machines
Securing inter-host communications: no assumption of a secure channel between hosts
Understand malicious actors techniques

Encryption & Key Mgt
Application providers not controlling backend systems: Assure data is encrypted being stored on the backend
Use encryption: separate data holding from data usage.
Segregate the key management from the cloud provider hosting the data, creating a chain of separation.

Identity & Access Mgt
Robust federated identity management
Insist upon standards: primarily SAML, WS-Federation and Liberty ID-FF federation
Validate that cloud provider support:
  strong authentication natively via delegation
  support robust password policies
Consider implementing Single Sign-on (SSO)
Using cloud-based “Identity as a Service” providers may be a useful tool for

Storage
Storage architecture and abstraction layers: verify that the storage subsystem does not span domain trust boundaries
knowing storage geographical location is possible
Cloud provider’s data search capabilities
Storage retirement processes.
storage can be seized by a third party or government entity?
How encryption is managed on multi-tenant storage?
Long term archiving, will the data be available several years later?

Virtualization
Virtualized operating systems should be augmented by third party security technology
Risk of insecure machine images provisioning.
Virtualization advantages:
  creating isolated environments
  better defined memory space: minimize application instability and simplify recovery.
Need granular monitoring of traffic crossing VM backplanes

Data Security in the Cloud
Data will be
  multi-tenant environments
  Spanning multiple layers in the cloud stack
  Accessed by various users, tenants, privileged cloud admins
  various geographical locations
  various contractual obligations/SLAs
  various regulations and industry best practices
  Secured by multiple technologies and services
A shared, multi-tenant infrastructure increases potential for unauthorized exposure

Cyber Security (DPI)
DPI refers to the ability to inspect all packet contents
Other packet processing models allow partial access (shown below)
Full Layer 2-7 Inspection
No inherent MAC or IP address: invisible on the network
Real-time analysis with full packet & flow manipulation
Create/remove packets
High speed analysis (10 Gbits/sec)
Packet layout: MAC Header | IP Header | TCP/UDP | Payload
Traditional Network Devices: Switch, Router, Firewall, Servers
DPI: Access to all packet data, including Layer 7 applications such as VoIP, P2P, HTTP, SMTP

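The partial-versus-full inspection contrast on the DPI slide, as an added example that is not part of the original slides. It decodes a constructed Ethernet/IPv4/TCP frame, shows which layers each device class looks at, and flags traffic whose Layer 7 protocol contradicts its port; the device-to-layer mapping, the sample frame and all function names are assumptions made for illustration.

```python
import struct

# Layers each device class is assumed to inspect (conventional behaviour,
# used here to label the slide's diagram; not taken from the slides).
DEVICE_LAYERS = {
    "switch": ("l2",),
    "router": ("l2", "l3"),
    "firewall": ("l2", "l3", "l4"),
    "dpi": ("l2", "l3", "l4", "l7"),
}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
SMTP_VERBS = (b"EHLO ", b"HELO ", b"MAIL FROM:", b"RCPT TO:")


def build_frame(payload: bytes, dst_port: int = 80) -> bytes:
    """Constructed sample: Ethernet II + IPv4 + TCP (checksums left at 0)."""
    eth = bytes.fromhex("020000000002020000000001") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 49152, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_layers(frame: bytes) -> dict:
    """Split a frame into the header and payload fields of the slide's diagram."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"l2": {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"),
                     "ethertype": ethertype}}
    if ethertype != 0x0800:          # only IPv4 is decoded in this example
        return layers
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        raise ValueError("malformed IPv4 header")
    layers["l3"] = {"src_ip": ".".join(map(str, ip[12:16])),
                    "dst_ip": ".".join(map(str, ip[16:20])),
                    "protocol": ip[9]}
    segment = ip[ihl:total_len]      # total length excludes Ethernet padding
    if ip[9] == 6:                   # TCP: header length comes from data offset
        if len(segment) < 20:
            raise ValueError("truncated TCP header")
        header_len = (segment[12] >> 4) * 4
        if header_len < 20 or header_len > len(segment):
            raise ValueError("malformed TCP data offset")
    elif ip[9] == 17:                # UDP: fixed 8-byte header
        if len(segment) < 8:
            raise ValueError("truncated UDP header")
        header_len = 8
    else:
        return layers
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    layers["l4"] = {"src_port": src_port, "dst_port": dst_port}
    layers["l7"] = segment[header_len:]
    return layers


def visible_to(device: str, frame: bytes) -> dict:
    """Return only the layers the given device class looks at."""
    layers = parse_layers(frame)
    return {name: layers[name] for name in DEVICE_LAYERS[device] if name in layers}


def classify_l7(payload: bytes) -> str:
    """Small Layer 7 classifier for two of the protocols the slide names."""
    if payload.startswith(HTTP_METHODS):
        return "HTTP"
    if payload.upper().startswith(SMTP_VERBS):
        return "SMTP"
    return "unknown"


def port_mismatch(frame: bytes) -> bool:
    """True when the payload's protocol contradicts the well-known port."""
    layers = parse_layers(frame)
    expected = {80: "HTTP", 25: "SMTP"}.get(layers.get("l4", {}).get("dst_port"))
    seen = classify_l7(layers.get("l7", b""))
    return expected is not None and seen != "unknown" and seen != expected


if __name__ == "__main__":
    frame = build_frame(b"EHLO mail.example.test\r\n", dst_port=80)
    for device in DEVICE_LAYERS:
        print(device, sorted(visible_to(device, frame)))
    print("port/protocol mismatch:", port_mismatch(frame))
```

A port-based firewall view of the sample frame ends at destination port 80; only the full-payload view can tell that the content is SMTP. IP fragmentation and TCP stream reassembly are not handled here.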
Governance & Enterprise Risk Management
CSPs accept no responsibility for data they store in their infrastructure
Be clear on who owns the data
SLAs include
  availability
  service quality
  resolution times
  critical success factors, key performance indicators, etc.
Regular 3rd party risk assessments
Require listings of all 3rd party relationships
For mission critical situations & PII examine creating a private or hybrid cloud
Risk Management

Physical/Personnel Security
Protection against internal attacks
  Ensure internal people can’t exploit the information to their gain
Restricted & Monitored access 24x7
Background checks for all relevant personnel
Audit privileged users?
Coordination of Admins (Hybrid Cloud)

Privacy
Private data
  What is collected?
  Where is it stored?
  How is it stored?
  How is it used?
  How long is it stored?
Tagging of PII data
Access control of PII data
Protection of digital identities & credentials
Access policy for 3rd parties (e.g. Govt. agency)
How will 3rd parties protect my privacy?

Infrastructure Security
Network Level
Host Level
Application Level

The Host Level
SaaS/PaaS
  Both the PaaS and SaaS platforms abstract and hide the host OS from end users
  Host security responsibilities are transferred to the CSP (Cloud Service Provider)
    You do not have to worry about protecting hosts
  However, as a customer, you still own the risk of managing information hosted in the cloud services.
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

The Host Level (cont.)
IaaS Host Security
Virtualization Software Security
  Hypervisor (also called Virtual Machine Manager (VMM)) security is a key
    a small application that runs on top of the physical machine H/W layer
    implements and manages the virtual CPU, virtual memory, event channels, and memory shared by the resident VMs
    Also controls I/O and memory access to devices.
  Bigger problem in multitenant architectures
Customer guest OS or Virtual Server Security
  The virtual instance of an OS
  Vulnerabilities have appeared in virtual instance of an OS
    e.g., VMWare, Xen, and Microsoft’s Virtual PC and Virtual Server
  Customers have full access to virtual servers.
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

What Are the Key Privacy Concerns?
Typically mix security and privacy
Some considerations to be aware of:
  Storage
  Retention
  Destruction
  Auditing, monitoring and risk management
  Privacy breaches
  Who is responsible for protecting privacy?
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

Network level
Confidentiality and integrity of data-in-transit
Less or no system logging/monitoring
Reassigned IP address
  Expose services unexpectedly
  Spammers using EC2 are difficult to identify
Availability of cloud resources
  Some factors, such as DNS, controlled by the cloud provider.
Physically separated tiers become logically separated
  E.g., 3 tier web applications

Host level (IaaS)
Hypervisor security
  “zero-day vulnerability” in VM, if the attacker controls hypervisor
Virtual machine security
  SSH private keys (if mode is not appropriately set)
  VM images (especially private VMs)
  Vulnerable Services

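A check for the "SSH private keys (if mode is not appropriately set)" item on the Host level (IaaS) slide, added here as an example and not taken from the original slides. It walks a directory tree, such as a mounted VM image before it is shared, and reports private key files readable by group or other, or sitting in a directory others can write to; the sample tree, paths and function names are constructed for illustration and contain no real key material.

```python
import os
import stat
import tempfile


def looks_like_private_key(path: str) -> bool:
    """PEM/OpenSSH private keys begin with a '-----BEGIN ... PRIVATE KEY-----' line."""
    try:
        with open(path, "rb") as handle:
            first_line = handle.readline(128)
    except OSError:
        return False
    return first_line.startswith(b"-----BEGIN ") and b"PRIVATE KEY-----" in first_line


def audit_key(path: str) -> list:
    """Return findings for one private key file; an empty list means it passes."""
    info = os.lstat(path)
    if stat.S_ISLNK(info.st_mode):
        return ["is a symlink; audit the target instead"]
    findings = []
    mode = stat.S_IMODE(info.st_mode)
    if mode & 0o077:  # any group/other bit set
        findings.append(f"mode {mode:04o} grants group/other access; expected 0600 or stricter")
    parent = stat.S_IMODE(os.stat(os.path.dirname(os.path.abspath(path))).st_mode)
    if parent & 0o022:  # others could replace or rename the key file
        findings.append(f"parent directory mode {parent:04o} is group/other writable")
    return findings


def audit_tree(root: str) -> dict:
    """Map each offending key (path relative to root) to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if looks_like_private_key(path):
                findings = audit_key(path)
                if findings:
                    results[os.path.relpath(path, root)] = findings
    return results


def build_sample_image(root: str) -> None:
    """Constructed stand-in for a mounted image: placeholder files, no real keys."""
    placeholder = b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n"
    layout = [
        ("home/alice/.ssh", 0o700, "id_ed25519", 0o644, placeholder),
        ("home/bob/.ssh", 0o700, "id_rsa", 0o600, placeholder),
        ("home/bob/.ssh", 0o700, "id_rsa.pub", 0o644, b"ssh-rsa CONSTRUCTED bob\n"),
        ("srv/deploy", 0o777, "deploy_key", 0o600, placeholder),
    ]
    for directory, dir_mode, name, file_mode, content in layout:
        full_dir = os.path.join(root, *directory.split("/"))
        os.makedirs(full_dir, exist_ok=True)
        os.chmod(full_dir, dir_mode)  # explicit chmod so the umask does not matter
        path = os.path.join(full_dir, name)
        with open(path, "wb") as handle:
            handle.write(content)
        os.chmod(path, file_mode)


def demo() -> dict:
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_image(root)
        return audit_tree(root)


if __name__ == "__main__":
    for key_path, findings in sorted(demo().items()):
        for finding in findings:
            print(f"{key_path}: {finding}")
```

The same key files also matter for the "VM images" item: a key baked into an image travels with every instance launched from it, whatever its mode.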
Thank you !!!