
Security in Cloud Computing - MSU Denver
Source: rowdysites.msudenver.edu/~fustos/cis4500/pdf/chapter08.pdf (2017-10-23)

CIS 4500, Chapter #8: Security in Cloud Computing

Outline
- Identify cloud computing concepts
- Understand basic elements of cloud security
- Identify cloud security tools

Cloud
- Salesforce hit the markets in 1999.
- In 2002, Amazon Web Services opened for business, providing cloud-based storage and data computation services.
- These days HPE offers cloud services, as do AT&T, IBM, CenturyLink, Cisco, and Microsoft.

Cloud - Advantages
[figure slide; the diagram is not included in this transcript]

Cloud - Disadvantages
[figure slide; the diagram is not included in this transcript]

Cloud Services
- Infrastructure as a Service (IaaS) basically provides virtualized computing resources over the Internet.
- A third-party provider hosts infrastructure components, applications and services, with a hypervisor (such as VMware, Oracle VirtualBox, Xen, or KVM).
- IaaS is a good choice not just for day-to-day infrastructure service, but also for temporary or experimental workloads that may change unexpectedly.
- IaaS subscribers typically pay on a per-use basis.

Cloud Services
- Platform as a Service (PaaS) provides a development platform that allows subscribers to develop applications without building the infrastructure.
- Hardware and software are hosted by the provider on its own infrastructure, so customers do not have to install or build homegrown hardware and software for development work.
- PaaS doesn't usually replace an organization's actual infrastructure; instead it offers key services the organization may not have onsite.

Cloud Services
- Software as a Service (SaaS) is simply a software distribution model: the provider offers on-demand applications to subscribers over the Internet.
- SaaS may be able to take the workload of hosting and maintaining those applications off your plate.
- SaaS benefits include easier administration, automated patch management, compatibility, and version control.

Cloud Services
[figure slide; the diagram is not included in this transcript]

Cloud Services

Cloud Category                       Examples
IaaS (infrastructure as a service)   Amazon EC2 (Elastic Cloud 2), Amazon S3 (Simple Storage Service)
PaaS (platform as a service)         Microsoft Azure, Oracle On Demand
SaaS (software as a service)         Salesforce.com, iCloud, Office365

Cloud Deployment Models
- Public, private, community, and hybrid.
- A public cloud model is one where services are provided over a network that is open for public use (like the Internet). Public cloud is generally used when the security and compliance requirements found in large organizations aren't a major issue.
- A private cloud model is private in nature. The cloud is operated solely for a single organization (a.k.a. a single-tenant environment) and is usually not a pay-as-you-go operation.
- Private clouds are usually preferred by larger organizations, because the hardware is dedicated, and security and compliance requirements can be more easily met.
- A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations. For example, multiple different state-level organizations may get together and take advantage of a community cloud for services they require.
- The hybrid cloud model is a composition of two or more cloud deployment models.

NIST Cloud Framework
[figure slide; the diagram is not included in this transcript]

Cloud Security
- Cloud security is really talking about two sides of the same coin: you must be concerned with the security of the provider as well as that of the subscriber, and both are responsible for it.

Cloud Control Layers
[figure slide; the diagram is not included in this transcript]

Threats
- Data breaches
  - financial information, health information, trade secrets, and intellectual property
  - indirect effects, such as brand damage and loss of business, can impact organizations for years
  - cloud providers typically deploy security controls to protect their environments, but ultimately, organizations are responsible for protecting their own data in the cloud

Threats
- Compromised credentials and broken authentication
  - lax authentication, weak passwords, and poor key or certificate management
  - multifactor authentication systems such as one-time passwords, phone-based authentication, and smartcards protect cloud services
  - many developers make the mistake of embedding credentials and cryptographic keys in source code and leaving them in public-facing repositories such as GitHub; keys also need to be rotated periodically
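The last point of the slide (secrets committed to public repositories, keys never rotated) is something a defender can check mechanically before code is pushed and during periodic key reviews. The following Python script is an added example written for this page, not code from the lecture: it scans constructed sample source text for an AWS-style access key ID (the real format, the literal prefix AKIA followed by 16 upper-case alphanumerics), quoted values assigned to secret-looking variable names, PEM private-key headers and high-entropy tokens, and then lists keys in a constructed inventory that are older than an assumed 90-day rotation policy. The sample credentials, the entropy threshold and the rotation age are all constructed for the example and are not real.

```python
import math
import re
from datetime import date

# Constructed sample source file. None of these values are real credentials; they
# imitate the kind of content that gets committed to a public repository by mistake.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
AWS_SECRET_ACCESS_KEY = "Zq3xP9vL0sT7mK2dR8wN5hB1cJ6yF4gA0eU9iO2t"
db_password = "hunter2"
REGION = "us-west-2"
BUILD_TAG = "release-2017-10-23-final"
-----BEGIN RSA PRIVATE KEY-----
"""

# AWS long-term access key IDs start with the literal "AKIA" followed by 16
# upper-case alphanumerics; that fixed shape makes them easy to search for.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A quoted literal assigned to a variable whose name suggests a secret.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)\w*(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*[\"']([^\"']{4,})[\"']"
)
# Header line of a PEM-encoded private key.
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Candidate token: 20 or more characters from a base64/hex-style alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
# Bits of entropy per character above which a token is reported (assumed
# threshold: random keys score well above it, words and dates well below).
ENTROPY_THRESHOLD = 4.0

# Constructed key inventory (key ID -> creation date) and the date of the review.
SAMPLE_INVENTORY = {"AKIAABCDEFGHIJKLMNOP": date(2017, 1, 1),
                    "AKIAQRSTUVWXYZ012345": date(2017, 10, 1)}
TODAY = date(2017, 10, 23)


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def redact(value):
    """Keep a four-character prefix so a findings report does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def find_embedded_secrets(source):
    """Scan source text line by line and return (line_no, kind, redacted_value) findings."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in AWS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", redact(m.group(0))))
        m = SECRET_ASSIGN_RE.search(line)
        if m:
            findings.append((line_no, "secret_assignment", redact(m.group(2))))
        if PEM_RE.search(line):
            findings.append((line_no, "private_key_header", line.strip()))
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            # Access key IDs were already reported above; avoid a duplicate finding.
            if AWS_KEY_RE.fullmatch(token):
                continue
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high_entropy_token", redact(token)))
    return findings


def keys_needing_rotation(inventory, today, max_age_days=90):
    """Return key IDs created more than max_age_days ago (90 days is an assumed policy)."""
    return sorted(key_id for key_id, created in inventory.items()
                  if (today - created).days > max_age_days)


if __name__ == "__main__":
    for line_no, kind, value in find_embedded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind}: {value}")
    print("rotate:", keys_needing_rotation(SAMPLE_INVENTORY, TODAY))
```

The entropy rule is what catches secrets with unremarkable variable names, and the keyword rule is what catches low-entropy passwords; neither alone is enough, and both produce false positives that a real pre-commit hook would suppress with an allow-list.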

Threats
- Hacked interfaces and APIs
  - every cloud service and application now offers APIs
  - the security and availability of cloud services, from authentication and access control to encryption and activity monitoring, depend on the security of the API
  - weak interfaces and APIs expose organizations to security issues related to confidentiality, integrity, availability, and accountability
  - they're usually accessible from the open Internet

Threats
- Exploited system vulnerabilities
  - system vulnerabilities, or exploitable bugs in programs
  - organizations share memory, databases, and other resources in close proximity to one another, creating new attack surfaces
  - best practices include regular vulnerability scanning, prompt patch management, and quick follow-up on reported system threats
  - the costs of mitigating system vulnerabilities “are relatively small compared to other IT expenditures”

Threats
- Account hijacking
  - phishing, fraud, and software exploits are still successful, and cloud services add a new dimension to the threat because attackers can eavesdrop on activities, manipulate transactions, and modify data; attackers may also be able to use the cloud application to launch other attacks
  - common defense-in-depth protection strategies can contain the damage incurred by a breach: prohibit the sharing of account credentials between users and services, enable multifactor authentication schemes, and monitor and audit account activity
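The defensive bullet above (no shared credentials, MFA everywhere, monitoring and auditing) maps onto detections a security team can run over the provider's audit log. The following Python is an added example, not part of the lecture: it parses constructed JSON audit records in a simplified, CloudTrail-like shape (an assumption for the example, not any provider's real schema; the IP addresses come from the RFC 5737 documentation ranges) and flags three hijacking indicators: an interactive login completed without MFA, one credential used from more source addresses than expected, and a burst of failed logins followed by a success. The thresholds are assumptions to be tuned per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log, one JSON record per line, in a simplified CloudTrail-like
# shape (assumption: not any provider's real schema). IP addresses are taken from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"time": "2017-10-23T08:00:00Z", "event": "ConsoleLogin", "user": "alice", "ip": "203.0.113.10", "mfa": true, "result": "Success"}
{"time": "2017-10-23T08:05:00Z", "event": "ConsoleLogin", "user": "bob", "ip": "198.51.100.7", "mfa": false, "result": "Success"}
{"time": "2017-10-23T09:00:00Z", "event": "ListBuckets", "user": "svc-deploy", "ip": "203.0.113.10", "mfa": false, "result": "Success"}
{"time": "2017-10-23T09:01:00Z", "event": "ListBuckets", "user": "svc-deploy", "ip": "192.0.2.44", "mfa": false, "result": "Success"}
{"time": "2017-10-23T09:02:00Z", "event": "GetObject", "user": "svc-deploy", "ip": "198.51.100.99", "mfa": false, "result": "Success"}
{"time": "2017-10-23T10:00:00Z", "event": "ConsoleLogin", "user": "carol", "ip": "192.0.2.9", "mfa": false, "result": "Failure"}
{"time": "2017-10-23T10:01:00Z", "event": "ConsoleLogin", "user": "carol", "ip": "192.0.2.9", "mfa": false, "result": "Failure"}
{"time": "2017-10-23T10:02:00Z", "event": "ConsoleLogin", "user": "carol", "ip": "192.0.2.9", "mfa": false, "result": "Failure"}
{"time": "2017-10-23T10:04:00Z", "event": "ConsoleLogin", "user": "carol", "ip": "192.0.2.9", "mfa": false, "result": "Success"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'time', sorted chronologically."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["time"])


def logins_without_mfa(events):
    """Users who completed an interactive login without a second factor."""
    return sorted({e["user"] for e in events
                   if e["event"] == "ConsoleLogin" and e["result"] == "Success" and not e["mfa"]})


def credential_use_from_many_ips(events, max_ips=2):
    """Users whose successful API calls came from more than max_ips distinct source
    addresses, a sign of a shared or stolen credential (the threshold is an assumption)."""
    ips = defaultdict(set)
    for e in events:
        if e["event"] != "ConsoleLogin" and e["result"] == "Success":
            ips[e["user"]].add(e["ip"])
    return sorted(user for user, seen in ips.items() if len(seen) > max_ips)


def brute_force_then_success(events, threshold=3, window=timedelta(minutes=15)):
    """(user, failure_count, success_time) for each login that succeeded after at
    least `threshold` failures for the same user within `window`."""
    recent_failures = defaultdict(list)
    flagged = []
    for e in events:
        if e["event"] != "ConsoleLogin":
            continue
        user = e["user"]
        # Drop failures that have aged out of the sliding window.
        recent_failures[user] = [t for t in recent_failures[user] if e["time"] - t <= window]
        if e["result"] == "Failure":
            recent_failures[user].append(e["time"])
        elif len(recent_failures[user]) >= threshold:
            flagged.append((user, len(recent_failures[user]), e["time"]))
            recent_failures[user] = []
    return flagged


def run_detections(text):
    """Run all three checks over a log and return the hits keyed by detection name."""
    events = parse_log(text)
    return {
        "login_without_mfa": logins_without_mfa(events),
        "credential_from_many_ips": credential_use_from_many_ips(events),
        "brute_force_then_success": [
            (u, n, t.strftime("%Y-%m-%dT%H:%M:%SZ")) for u, n, t in brute_force_then_success(events)
        ],
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

On the sample log the checks report bob and carol for MFA-less logins, the svc-deploy credential for use from three addresses, and carol's success after three failures; in practice each hit would be enriched with geolocation and the user's baseline before it becomes an alert.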

Threats
- Malicious insiders
  - a current or former employee, a system administrator, a contractor, or a business partner
  - the malicious agenda ranges from data theft to revenge, destroying whole infrastructures, or manipulating data; do not depend solely on the cloud service provider for security controls such as encryption
  - organizations should control the encryption process and keys, segregating duties and minimizing the access given to users; effective logging, monitoring, and auditing of administrator activities are also critical, as are proper training and management

Threats
- The APT parasite
  - APTs infiltrate systems to establish a foothold, then stealthily exfiltrate data and intellectual property over an extended period of time
  - APTs typically move laterally through the network and blend in with normal traffic, so they're difficult to detect; major cloud providers apply advanced techniques to prevent APTs from infiltrating their infrastructure
  - common points of entry include spear phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks
  - defenses: training users and regularly reinforced awareness programs

Threats
- Permanent data loss
  - malicious hackers have been known to permanently delete cloud data to harm businesses, and cloud data centers are as vulnerable to natural disasters as any facility
  - providers recommend distributing data and applications across multiple zones for added protection; adequate data backup measures are essential, as well as adhering to best practices in business continuity and disaster recovery
  - compliance policies often stipulate how long organizations must retain audit records and other documents
  - new EU data protection rules also treat destruction and corruption of personal data as data breaches requiring appropriate notification

Threats
- Inadequate diligence
  - understand the environment and its associated risks, a “myriad of commercial, financial, technical, legal, and compliance risks”
  - due diligence also applies whether the organization is trying to migrate to the cloud or merging (or working) with another company in the cloud
  - operational and architectural issues arise if a company's development team lacks familiarity with cloud technologies as apps are deployed to a particular cloud

Threats
- Cloud service abuses
  - cloud services can be commandeered to support nefarious activities, such as using cloud computing resources to break an encryption key in order to launch an attack, DDoS attacks, sending spam and phishing emails, and hosting malicious content
  - providers need to recognize types of abuse (such as scrutinizing traffic to recognize DDoS attacks) and offer tools for customers to monitor the health of their cloud environments; they should also have a mechanism for reporting abuse

Threats
- DoS attacks
  - they have been around for years, but they've gained prominence again because they often affect availability
  - they consume large amounts of processing power, a bill the customer may ultimately have to pay
  - high-volume DDoS attacks are very common, but organizations should also be aware of asymmetric, application-level DoS attacks, which target Web server and database vulnerabilities
  - cloud providers tend to be better poised to handle DoS attacks

Threats
- Shared technology, shared dangers
  - vulnerabilities in shared technology pose a significant threat to cloud computing: providers share infrastructure, platforms, and applications, and if a vulnerability arises in any of these layers, it affects everyone
  - if a hypervisor, a shared platform component, or an application is compromised, it exposes the entire environment to potential compromise and breach
  - defense-in-depth strategy: multifactor authentication on all hosts, host-based and network-based intrusion detection systems, applying the concept of least privilege, network segmentation, and patching shared resources
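The "Malicious insiders" slide (control the keys, segregate duties, minimize the access given to users) and the least-privilege item in the defense-in-depth list above both come down to what a principal's access policy actually permits. The following Python is an added example written for this page, not code from the lecture or from any provider. It assumes a simplified IAM-like policy shape (Effect / Action / Resource statements with "*" wildcards, not any provider's exact grammar) and constructed action and resource names: it evaluates a policy deny-by-default with an explicit Deny overriding any Allow, lints Allow statements for wildcard scope, and checks one assumed pair of conflicting duties (decrypting data with a key versus being able to schedule that key's deletion).

```python
import fnmatch

# Constructed policies in a simplified IAM-like shape (assumption: Effect / Action /
# Resource statements with "*" wildcards; not any provider's exact grammar).
DEPLOY_ROLE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["storage:GetObject", "storage:PutObject"],
         "Resource": "bucket:app-artifacts/*"},
        {"Effect": "Allow", "Action": "keys:Decrypt", "Resource": "key:app-data-key"},
        {"Effect": "Deny", "Action": "keys:*", "Resource": "key:audit-log-key"},
    ]
}
ADMIN_EVERYTHING_POLICY = {
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}
# Assumed conflicting duties: a principal that reads data with a key should not also
# be able to destroy the key (data access separated from key administration).
CONFLICTING_DUTIES = [("keys:Decrypt", "keys:ScheduleKeyDeletion")]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True when the statement's Action and Resource patterns both cover the request."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))


def is_allowed(policy, action, resource):
    """Deny by default; an explicit Deny overrides any Allow, as cloud IAM evaluators do."""
    allowed = False
    for st in policy["Statement"]:
        if _matches(st, action, resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def overbroad_statements(policy):
    """Least-privilege lint: (index, issue) for Allow statements with wildcard scope."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st["Effect"] != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(st["Action"])):
            findings.append((i, "wildcard action"))
        if any(r == "*" for r in _as_list(st["Resource"])):
            findings.append((i, "wildcard resource"))
    return findings


def separation_of_duties_violations(policy, resource):
    """Conflicting duty pairs that this policy grants together on the given resource."""
    return [(a, b) for a, b in CONFLICTING_DUTIES
            if is_allowed(policy, a, resource) and is_allowed(policy, b, resource)]


if __name__ == "__main__":
    print(is_allowed(DEPLOY_ROLE_POLICY, "storage:GetObject", "bucket:app-artifacts/build-1.tgz"))
    print(is_allowed(DEPLOY_ROLE_POLICY, "storage:DeleteObject", "bucket:app-artifacts/build-1.tgz"))
    print(overbroad_statements(ADMIN_EVERYTHING_POLICY))
    print(separation_of_duties_violations(ADMIN_EVERYTHING_POLICY, "key:app-data-key"))
```

The deploy role can read and write its own artifact bucket and decrypt with its own data key, nothing else; the catch-all policy is flagged on both axes and also fails the separation-of-duties check, which is the shape of access an insider with one over-privileged role would need.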

Attacks
- Social engineering
- SQL injection and cross-site scripting
- DNS poisoning
- Session hijacking

Attacks
- Session riding
  - Cross-Site Request Forgery under a different name; it deals with cloud services instead of traditional data centers
- Side channel attacks
  - also known as a cross-guest VM breach; deals with the virtualization itself. If an attacker can somehow gain control of an existing VM (or place his own) on the same physical host as the target, he may be able to pull off lots of naughty activities
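Session riding works because the browser attaches the victim's session cookie to any request a third-party page triggers, so the cookie alone cannot prove the user intended the action. The standard server-side defense is the synchronizer token pattern, shown below in an added Python example that is not code from the lecture: a random token is bound to the server-side session and embedded in the application's own forms, every state-changing request must present it, and the comparison is constant-time. The request and session objects are constructed dicts, and the trusted origin is a placeholder, not a real site.

```python
import hmac
import secrets

# Methods that change state and therefore need CSRF protection; safe methods do not.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Assumed origin of the cloud console itself (a placeholder, not a real site).
TRUSTED_ORIGIN = "https://console.example"


def issue_csrf_token(session):
    """Generate a fresh random token, bind it to the server-side session and return it
    so the application can embed it in its forms (synchronizer token pattern)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_request(session, request):
    """Decide whether a request may proceed. Returns (allowed, reason).

    `request` is a constructed dict with 'method', 'headers' and 'form' keys. The
    session cookie proves nothing here, because a forged cross-site request carries
    it too; the token, readable only by pages served from the trusted origin, is
    what ties the request to the user's own intent."""
    method = request.get("method", "GET").upper()
    if method not in STATE_CHANGING:
        return True, "safe method"
    expected = session.get("csrf_token")
    headers = request.get("headers", {})
    supplied = request.get("form", {}).get("csrf_token") or headers.get("X-CSRF-Token")
    if not expected or not supplied:
        return False, "missing csrf token"
    # Constant-time comparison so the check cannot be timed character by character.
    if not hmac.compare_digest(expected, supplied):
        return False, "csrf token mismatch"
    # Browsers send Origin on cross-site POSTs; when present it must be our own origin.
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return False, "cross-origin request"
    return True, "ok"


def demo():
    """Walk through a legitimate submission and a session-riding attempt."""
    session = {}                      # server-side session of a logged-in user
    token = issue_csrf_token(session)
    legitimate = {"method": "POST", "headers": {"Origin": TRUSTED_ORIGIN},
                  "form": {"csrf_token": token, "action": "delete-bucket"}}
    # A forged form auto-submitted from another site rides on the victim's cookie but
    # cannot include the token, because the attacking page cannot read our responses.
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
              "form": {"action": "delete-bucket"}}
    return verify_request(session, legitimate), verify_request(session, forged)


if __name__ == "__main__":
    print(demo())
```

The Origin check is a second, independent layer: it costs nothing when the browser sends the header, and the token check still holds for clients that do not.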

Stay Alert!
There is no 100 percent secure system, and there is nothing that is foolproof!