security in cloud computing - msu...
Security in Cloud Computing
Chapter #8:
CIS 4500
Outline
- Identify cloud computing concepts
- Understand basic elements of cloud security
- Identify cloud security tools
Cloud
- Salesforce hit the markets in 1999
- In 2002, Amazon Web Services opened for business, providing cloud-based storage and data computation services
- These days HPE offers cloud services, as do AT&T, IBM, Century Link, Cisco, and Microsoft
Cloud - Advantages
Cloud - Disadvantages
Cloud Services
- Infrastructure as a Service (IaaS) basically provides virtualized computing resources over the Internet.
- A third-party provider hosts infrastructure components, applications and services, with a hypervisor (such as VMware, Oracle VirtualBox, Xen, or KVM).
- IaaS is a good choice not just for day-to-day infrastructure service, but also for temporary or experimental workloads that may change unexpectedly.
- IaaS subscribers typically pay on a per-use basis
Cloud Services
- Platform as a Service (PaaS) provides a development platform that allows subscribers to develop applications without building the infrastructure.
- Hardware and software are hosted by the provider on its own infrastructure, so customers do not have to install or build homegrown hardware and software for development work.
- PaaS doesn’t usually replace an organization’s actual infrastructure; instead it just offers key services the organization may not have onsite.
Cloud Services
- Software as a Service (SaaS) is simply a software distribution model: the provider offers on-demand applications to subscribers over the Internet.
- SaaS may be able to take that workload off your plate.
- SaaS benefits include easier administration, automated patch management, compatibility, and version control.
Cloud Services
Cloud Services
Cloud Category                        Examples
IaaS (infrastructure as a service)    Amazon EC2 (Elastic Cloud 2), Amazon S3 (Simple Storage Service)
PaaS (platform as a service)          Microsoft Azure, Oracle in Demand
SaaS (software as a service)          Salesforce.com, iCloud, Office365
Cloud Deployment Models
- Public, private, community, and hybrid.
- A public cloud model is one where services are provided over a network that is open for public use (like the Internet). Public cloud is generally used when the security and compliance requirements found in large organizations aren’t a major issue.
Cloud Deployment Models
- Public, private, community, and hybrid.
- A private cloud model is private in nature. The cloud is operated solely for a single organization (a.k.a. single-tenant environment) and is usually not a pay-as-you-go operation.
- Private clouds are usually preferred by larger organizations, because the hardware is dedicated, and security and compliance requirements can be more easily met.
- Public, private, community, and hybrid.
- A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations. For example, multiple different state-level organizations may get together and take advantage of a community cloud for services they require.
- Public, private, community, and hybrid.
- The hybrid cloud model is a composition of two or more cloud deployment models.
NIST Cloud Framework
Cloud Security
- Cloud security is really talking about two sides of the same coin …
- you must be concerned with the security of the provider as well as that of the subscriber, and both are responsible for it.
Cloud Control Layers
Threats
- Data breaches
  - financial information, health information, trade secrets, and intellectual property
  - indirect effects, such as brand damage and loss of business, can impact organizations for years
  - cloud providers typically deploy security controls to protect their environments, but ultimately, organizations are responsible for protecting their own data in the cloud
Threats
- Compromised credentials and broken authentication
  - lax authentication, weak passwords, and poor key or certificate management
  - multifactor authentication systems such as one-time passwords, phone-based authentication, and smartcards protect cloud services
  - many developers make the mistake of embedding credentials and cryptographic keys in source code and leaving them in public-facing repositories such as GitHub; keys also need to be rotated periodically
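
A pre-commit style check for the embedded-credential mistake described above, as an added example that is not part of the original slides. The file names and secret values are constructed; the rule names, the placeholder list and the generic password heuristic are assumptions, while the AWS access key ID prefix and the PEM header are well-known formats.

```python
import re

# Rules for secrets commonly committed by mistake (illustrative, not exhaustive).
RULES = {
    # Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM-encoded private key material checked into the tree.
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Heuristic: a secret-like name assigned a quoted literal of 8+ characters.
    "hardcoded_secret": re.compile(
        r"""(?i)(password|passwd|secret|api_key|token)\w*\s*[:=]\s*["']([^"']{8,})["']"""),
}

# Obvious placeholders are not findings (assumed allow-list).
PLACEHOLDER = re.compile(r"(?i)^(changeme|example|placeholder|x+|\$\{.*\}|<.*>)$")


def scan_text(path, text):
    """Return (path, line_no, rule) for every suspected embedded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            if rule == "hardcoded_secret" and PLACEHOLDER.match(match.group(2)):
                continue
            findings.append((path, line_no, rule))
    return findings


# Constructed sample files. The key ID is the placeholder from AWS documentation.
SAMPLE_REPO = {
    "app/settings.py": (
        'import os\n'
        'DB_PASSWORD = "s3cr3t-Pa55w0rd"\n'        # literal secret: flagged
        'API_TOKEN = os.environ["API_TOKEN"]\n'    # read at runtime: not flagged
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'       # key ID pattern: flagged
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(constructed, truncated)\n",
    "README.md": 'Set password = "changeme" before first run.\n',
}

if __name__ == "__main__":
    for name, body in SAMPLE_REPO.items():
        for finding in scan_text(name, body):
            print("%s:%d: %s" % finding)
```

Any credential this check finds in a repository's history should be treated as exposed and rotated, not just deleted from the latest commit.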
Threats
- Hacked interfaces and APIs
  - every cloud service and application now offers APIs
  - the security and availability of cloud services -- from authentication and access control to encryption and activity monitoring -- depend on the security of the API
  - weak interfaces and APIs expose organizations to security issues related to confidentiality, integrity, availability, and accountability
  - they're usually accessible from the open Internet
Threats
- Exploited system vulnerabilities
  - system vulnerabilities, or exploitable bugs in programs
  - organizations share memory, databases, and other resources in close proximity to one another, creating new attack surfaces
  - best practices include regular vulnerability scanning, prompt patch management, and quick follow-up on reported system threats
  - the costs of mitigating system vulnerabilities “are relatively small compared to other IT expenditures”
Threats
- Account hijacking
  - phishing, fraud, and software exploits are still successful, and cloud services add a new dimension to the threat because attackers can eavesdrop on activities, manipulate transactions, and modify data; attackers may also be able to use the cloud application to launch other attacks
  - common defense-in-depth protection strategies can contain the damage incurred by a breach; prohibit the sharing of account credentials between users and services, and enable multifactor authentication schemes; monitoring and auditing
Threats
- Malicious insiders
  - a current or former employee, a system administrator, a contractor, or a business partner
  - a malicious agenda ranges from data theft to revenge; insiders can destroy whole infrastructures or manipulate data; do not depend solely on the cloud service provider for security, such as encryption
  - organizations should control the encryption process and keys, segregating duties and minimizing access given to users; effective logging, monitoring, and auditing of administrator activities are also critical; proper training and management
Threats
- The APT parasite
  - APTs infiltrate systems to establish a foothold, then stealthily exfiltrate data and intellectual property over an extended period of time
  - APTs typically move laterally through the network and blend in with normal traffic, so they're difficult to detect; major cloud providers apply advanced techniques to prevent APTs from infiltrating their infrastructure
  - common points of entry include spear phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks
  - training users, regularly reinforced awareness programs
Threats
- Permanent data loss
  - malicious hackers have been known to permanently delete cloud data to harm businesses, and cloud data centers are as vulnerable to natural disasters as any facility
  - providers recommend distributing data and applications across multiple zones for added protection; adequate data backup measures are essential, as well as adhering to best practices in business continuity and disaster recovery
  - compliance policies often stipulate how long organizations must retain audit records and other documents
  - new EU data protection rules also treat data destruction and corruption of personal data as data breaches requiring appropriate notification
Threats
- Inadequate diligence
  - understand the environment and its associated risks, a “myriad of commercial, financial, technical, legal, and compliance risks”
  - due diligence also applies whether the organization is trying to migrate to the cloud or merging (or working) with another company in the cloud
  - operational and architectural issues arise if a company's development team lacks familiarity with cloud technologies as apps are deployed to a particular cloud
Threats
- Cloud service abuses
  - cloud services can be commandeered to support nefarious activities, such as using cloud computing resources to break an encryption key in order to launch an attack, DDoS attacks, sending spam and phishing emails, and hosting malicious content
  - providers need to recognize types of abuse (such as scrutinizing traffic to recognize DDoS attacks) and offer tools for customers to monitor the health of their cloud environments; also have a mechanism for reporting abuse
Threats
- DoS attacks
  - they have been around for years, but they've gained prominence again because they often affect availability
  - consume large amounts of processing power, a bill the customer may ultimately have to pay
  - high-volume DDoS attacks are very common; organizations should also be aware of asymmetric, application-level DoS attacks, which target Web server and database vulnerabilities
  - cloud providers tend to be better poised to handle DoS attacks
Threats
- Shared technology, shared dangers
  - vulnerabilities in shared technology pose a significant threat to cloud computing: providers share infrastructure, platforms, and applications, and if a vulnerability arises in any of these layers, it affects everyone
  - if a hypervisor, a shared platform component, or an application is compromised, it exposes the entire environment to potential compromise and breach
  - defense-in-depth strategy, including multifactor authentication on all hosts, host-based and network-based intrusion detection systems, applying the concept of least privilege, network segmentation, and patching shared resources
Attacks
- Social engineering
- SQL injection and cross-site scripting
- DNS poisoning
- Session hijacking
Attacks
- Session riding
  - Cross-Site Request Forgery under a different name and deals with cloud services instead of traditional data centers
- Side channel attacks
  - also known as a cross-guest VM breach and deals with the virtualization itself: if an attacker can somehow gain control of an existing VM (or place his own) on the same physical host as the target, he may be able to pull off lots of naughty activities
Stay Alert!
There is no 100 percent secure system,
and there is nothing that is foolproof!