Cloud Security

Published in: Technology, Business
Transcript

  • 1. Cloud Security Christoph Hechenblaikner Johannes Innerbichler
  • 2. Why Cloud Security?
  • 3. CC + SP-Sec (Cloud Computing + Smartphone Security) • User: “App” = the whole package • App + web service • Smartphone security: protect assets on the device • Cloud security: protect assets in the cloud
  • 4. Agenda • Basics of Cloud Computing • Cloud Security Basics • Cloud Services Analysis • Virtualization Security • Cloud Cryptography
  • 5. Cloud Computing Basics What is it about ?
  • 6. Cloud Computing • NIST • On-demand self-service • Broad network access • Resource pooling • Rapid elasticity • Measured Service Source: http://pre-developer.att.com/home/learn/enablingtechnologies/The_NIST_Definition_of_Cloud_Computing.pdf
  • 7. Cloud Computing • IDC cloud-computing forecast, Nov 2012: • 2012: $40 billion • 2016: $100 billion • CAGR: 26.4% (2012 - 2016) • 2016: 41% of total IT growth Source: http://www.idc.com/getdoc.jsp?containerId=prUS23684912#.UOiFdYnjlgw
  • 8. XaaS user value • SaaS: end user • PaaS: developer • IaaS: system engineers / developers
  • 9. IaaS • Cloud • Hardware / Network • OS (partly) / Virtualization • User • Applications / Data • Runtime / Middleware • OS (limited)
  • 10. IaaS [Diagram: provider-managed server VMs running the application; the user/developer reaches them over the web and through the management interface (MMI); further server VMs are added for scalability] Scalability!
  • 11. IaaS • Pay as you use • Own runtimes, ... • Highly scalable • Dynamic application environment • Application / developer manages scaling
  • 12. IaaS
  • 13. PaaS • Cloud • Hardware / Network • OS / Virtualization • Runtime / Middleware • User • Applications / Data (APIs)
  • 14. PaaS [Diagram: the provider hosts the application framework, reached by users over the web and by the user/developer through APIs, e.g. Users API, Blobstore API, DataQueue API, SSL-access API, Images API, Security API, Memcache API, ...]
  • 15. PaaS [Diagram: client side: IDE and application; provider side: account, server application, platform framework; a deployment tool pushes the application to the platform]
  • 16. PaaS • Developer focuses on application • “native” application scaling • Performance • Pay as you use (CPU time, transferred data, ...)
  • 17. PaaS
  • 18. SaaS • Cloud • Provides the application • User • Uses it!
  • 19. SaaS • Application delivered through the cloud • Access via different devices • Access: • Web Technology • Client Applications • Future Software Distribution Channel
  • 20. SaaS
  • 21. XaaS [Diagram: the same stack (Applications, Data, Runtime, Middleware, OS, Virtualisation, Hardware, Storage, Networking) drawn three times, for IaaS, PaaS and SaaS, showing which layers the provider manages in each model]
  • 22. Cloud Security Basics What are we afraid of ?
  • 23. Cloud Security Assets • Sensitive user data • Credentials, Keys, SSN • Military / Business Information, • Medical Health Records • Control over Cloud-System • Computational Power
  • 24. Security Goals • As usual: • Confidentiality • Integrity • Availability • Accountability
  • 25. Cloud Security [Chart: top concerns about the cloud model, % responding 4 or 5; the plotted items are Security, Availability and Regulatory requirements, with the values 74.6%, 63.1% and 59.2% shown] Source: IDC Enterprise Panel, August 2008, n=244
  • 26. Security Threats • CSA “Top Threats to Cloud Computing” • Cloud Security Alliance: an alliance of cloud-computing companies • Goal: providing guidelines Source: cloudsecurityalliance.org/research/top-threats/
  • 27. Security Threats • #1 “Abuse and Nefarious Use of Cloud Computing” • DDoS attacks, botnets • Cracking hashes / keys, rainbow tables • CAPTCHA-solving farms • Solutions: user registration, signatures, ...
  • 28. Example • Amazon EC2 (AWS) • 2009 - 2010 • The botnet behind the Zeus crimeware used Amazon's EC2 service for command-and-control purposes. • 3,600,000 bots (Bank of America, NASA, Cisco, Oracle, Amazon, ...) Source: http://www.zdnet.com/blog/security/zeus-crimeware-using-amazons-ec2-as-command-and-control-server/5110
  • 29. Security Threats • #2 “Insecure Interfaces and APIs” • Management interfaces (MMI) of cloud providers • APIs to additional services (layered APIs) • Must prevent policy circumvention
  • 30. Security Threats • Twitter • 2009 • Part of the API functions were accessible with HTTP Basic Authentication • MITM, CSRF, ... • Lots of bad mashups! Source: http://securitylabs.websense.com/content/Blogs/3402.aspx Source: www.theprogrammableweb.com
  • 31. Security Threats • #3 “Malicious Insiders” • Hobby hacker, corporate espionage, nation-state sponsored intrusion • Transparency of providers • Solutions: contracts, compliance monitoring, ...
  • 32. Security Threats • Roadway D&B (Shanghai) • 03/2012 • Personal data bought and sold by D&B • Income, family, car, ... • 150,000,000 records from (IT) insiders at banks, insurance groups, real-estate agencies, ... Source: http://datalossdb.org/incidents/5883-firm-may-have-illegally-bought-and-sold-150-million-customers-information
  • 33. Security Threats • #4 “Shared Technology Issues” • Hypervisor-mediated architectures (VMs) • Storage • Network security • Solutions: regular audits, monitoring, ...
  • 34. Security Threats • VMware • 2009 • VMware SVGA II exploit (“Cloudburst”, Kortchinsky, Black Hat USA 2009) • MMIO used to place and execute code in the host OS • Many products affected (Workstation, ESX Server)
  • 35. VMware exploit [Diagram: host side: vmx process, SVGA FIFO and frame buffer; guest side: guest OS and virtual video card; the guest issues an SVGA_RECT_COPY command] Source: http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-PAPER.pdf
  • 36. SVGA_RECT_COPY [Diagram: Src and Dst rectangles of the copy] Source: http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-PAPER.pdf
  • 37. SVGA_RECT_COPY [Diagram: normal behaviour of the SVGA_RECT_COPY operation, copying the Src rectangle to Dst inside the frame buffer] Source: http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-PAPER.pdf
  • 38. SVGA_RECT_COPY [Diagram: the Src and Dst rectangles as used by the exploit] Source: http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-PAPER.pdf
  • 39. VMware exploit [Diagram: host side: vmx process, SVGA FIFO and frame buffer; guest side: guest OS and virtual video card] Source: http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-PAPER.pdf
  • 40. Security Threats • #5 “Data Loss or Leakage” • Deletion, alteration, storage-system failure • Deleting encryption keys, weak keys • Leakage of data to third parties
  • 41. Security Threats • Heartland Payment Systems • May 2008 • 130,000,000 records ($2.5 million damage) • Credit card numbers, ... Source: http://datalossdb.org/incidents/1518-malicious-software-hackcompromises-unknown-number-of-credit-cards-at-fifth-largest-credit-card-processor
  • 42. Security Threats • United States Army • December 28th 2012 • 36,000 records • SSNs, names, dates of birth, ... Source: http://datalossdb.org/incidents/8680-social-security-numbers-of-36-000-who-workedat-or-visited-fort-monmouth-as-well-as-some-of-their-names-dates-and-places-ofbirth-home-addresses-and-salaries-accessed-by-hacker
  • 43. Security Threats • #6 “Account or Service Hijacking” • Getting control over an account (without the user noticing!) • Phishing, social engineering, tampered images, ... • Constant / hidden business manipulation
  • 44. Security Threats • #7 “Unknown Risk Profile” • Versions of software, security design, intrusion attempts, ... • Competitors using the same service? • Bad approach: security by obscurity • Solutions: disclosure of {infrastructure, software, logs, ...}, customer notification / alerts, ...
  • 45. Security Threats • Heartland Payment Systems • Used known vulnerable software components (and did not disclose them) • Did not provide their customers with appropriate logs / alerts • Informed their customers too late!
  • 46. Cloud Service Analysis (How) is it done ?
  • 47. SaaS • Dropbox • Ubuntu One • iCloud • Wuala • Google Drive • SpiderOak • MS SkyDrive • Mozy
  • 48. Google Drive • Initially 5 GB free • Optional free two-factor authentication via SMS or the Google Authenticator app • Search functionality • Optical character recognition (OCR) • Automatic deletion (optionally disabled) • Files are stored unencrypted; transfer: SSL • But who owns the data after uploading?
  • 49. GDrive: Terms of Service "Your Content in our Services: When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes that we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights that you grant in this license are for the limited purpose of operating, promoting and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing that you have added to Google Maps)." http://www.google.co.uk/intl/en/policies/terms/regional.html
  • 50. SkyDrive • Initially 7 GB free • The client has access to every file on the PC it is installed on • Microsoft Web Apps • Privacy concerns • No two-factor authentication offered • Files are stored unencrypted; transfer: SSL
  • 51. SkyDrive - Security • “Secure Sockets Layer (SSL) to encrypt your files when you upload or download them.” • “Sophisticated physical and electronic security measures on the servers to help keep your files safe.” • “Multiple copies of each file saved on different servers and hard drives to help protect your data from hardware failure.” http://windows.microsoft.com/en-US/skydrive/any-file-anywhere#1TC=t1
  • 52. Security concerns in SkyDrive / Hotmail • Person A wants to send a sensitive document to Person B. • Person A logs in to his Hotmail account, types a brief email to Person B and adds the file to be sent. The file is automatically added to SkyDrive and the link is shared through the email to Person B. • Now Person B reads the email on a public computer, accesses the file from SkyDrive, signs out from his mail and goes away. • Now Person C comes to the same computer. He simply checks the URLs accessed by the previous user in the browser history and finds the link to the file in SkyDrive. He visits the file in SkyDrive, downloads it and sends it to some business competitors.
  • 53. Wuala • Free 2 GB • Upload by drag-and-drop into the client application • Versioning: 10 most recent versions • Sharing functionality • with other subscribers • with non-subscribers (https://www.wuala.com/username/folder/?key=value) • with everybody
  • 54. Wuala - Security • No email confirmation after registration • Transport security: proprietary client/server communication, no SSL / TLS, no detailed information available • Convergent file encryption
  • 55. Wuala - Convergent Encryption I [Diagram: client and server. On the client, the file content is hashed to obtain the file key k; the file is stored on the server as enc_k(file) under the filename hash(enc_k(file)). The key k is kept as enc_s(k) and the local filename fname’ as enc_s(fname’), both on the user’s disk] • Symmetric root key r derived from the user password • Random key s, which can be accessed via r
  • 56. Wuala - Convergent Encryption II • Properties • Identical clear texts give identical cipher texts (user-independent) • The server cannot decrypt a cipher text without a copy of the clear text • Drawbacks • Checking whether a given file is stored is possible • Disclosure of the connection between users (who hold the same file)
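The scheme of slides 55 and 56 in working code, as an added example (not Wuala's code): the file key is the hash of the content, the server stores enc_k(file) under the name hash(enc_k(file)), k is wrapped under the user's random key s, and s is reachable only through the root key r derived from the password. The cipher is a SHAKE-256 keystream XOR standing in for AES, the PBKDF2 parameters are this example's own, and the file contents are constructed; these are assumptions, not details from the slides.

```python
"""Convergent encryption as drawn on the Wuala slides.

Added example, not Wuala's code. The stream cipher (SHAKE-256 keystream) and the
PBKDF2 parameters are assumptions; file contents are constructed.
"""
import hashlib
import secrets


def xor_stream(key, nonce, data):
    """Toy stream cipher standing in for AES: SHAKE-256(key || nonce) XORed into data."""
    pad = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


ZERO_NONCE = bytes(16)  # convergent encryption is deliberately deterministic: no per-file nonce


def root_key(password, salt):
    """r: derived from the password (iteration count is this example's assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, 32)


def wrap(key, blob):
    """enc_s(.): random-nonce encryption for keys and names kept on the user's disk."""
    nonce = secrets.token_bytes(16)
    return nonce + xor_stream(key, nonce, blob)


def unwrap(key, wrapped):
    return xor_stream(key, wrapped[:16], wrapped[16:])


def convergent_encrypt(content):
    k = hashlib.sha256(content).digest()             # file key comes from the plaintext itself
    ciphertext = xor_stream(k, ZERO_NONCE, content)  # identical content -> identical ciphertext
    server_name = hashlib.sha256(ciphertext).hexdigest()
    return k, server_name, ciphertext


class Server:
    def __init__(self):
        self.blobs = {}

    def store(self, name, ciphertext):
        """Same name means same bytes, so a second user's upload costs nothing (dedup)."""
        self.blobs.setdefault(name, ciphertext)

    def get(self, name):
        return self.blobs[name]

    def has_file(self, guessed_content):
        """Drawback from slide 56: whoever can query the server can confirm whether a
        guessed plaintext is stored, without holding any key."""
        return convergent_encrypt(guessed_content)[1] in self.blobs


class Client:
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        r = root_key(password, self.salt)
        self.s = secrets.token_bytes(32)
        self.wrapped_s = wrap(r, self.s)  # what persists: s encrypted under r
        self.index = {}                   # local disk: enc_s(fname') -> (server name, enc_s(k))

    def upload(self, server, fname, content):
        k, name, ciphertext = convergent_encrypt(content)
        server.store(name, ciphertext)
        self.index[wrap(self.s, fname.encode())] = (name, wrap(self.s, k))
        return name

    def download(self, server, fname):
        for wrapped_name, (name, wrapped_k) in self.index.items():
            if unwrap(self.s, wrapped_name) == fname.encode():
                return xor_stream(unwrap(self.s, wrapped_k), ZERO_NONCE, server.get(name))
        raise KeyError(fname)
```

Two clients with different passwords uploading the same document produce the same server name, so the server stores one blob and also learns that the two accounts hold the same file; `has_file` is the confirmation-of-file check the slide lists as a drawback.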
  • 57. Mozy • Free 2 GB • No specific drive • Transport security: TLS and HTTPS • File encryption: • Encrypted on the client • 448-bit Blowfish (key provided by Mozy) • 256-bit AES (personal key) • Filenames and paths stored unencrypted • Cross-user vs. single-user deduplication
  • 58. Dropbox • Up to 2 GB free space (more via Space Race, ...) • Clients available for almost all OSs • Powerful versioning of files (free account: 30 days) • Sync based on 4 MB chunks
  • 59. Dropbox Security • Server-side AES-256 (their key) • Server-side per-user de-duplication (see later) • Transfer: SSL (HTTPS) • Account lockdown after too many login attempts • Registration: email not verified • Sharing: predictable URLs for non-registered users (after some URLs)
  • 60. De-duplication sharing • Earlier versions of Dropbox: • Client-side de-duplication • Based on hashes of chunks • Exploited to download illegal content (Dropship, ...)
  • 61. De-duplication sharing [Diagram: the Dropbox client hashes each chunk (OpenSSL); the server compares the hash against its shared file pool (hash == i) and links the existing chunk into the user’s storage instead of receiving it; Dropship replaces the hash the client reports]
  • 62. De-duplication sharing • thepiratebay.org top 100 torrents • Downloaded copyright-free content only (.sfv, .nfo, ...) • 97% (n=368) retrievable • 20% not older than 24 hours
  • 63. Ubuntu One • 5 GB free (hosted on Amazon EC2) • Clients for Linux/Windows/Android/iOS • Supports music streaming and contact synchronization • Transfer: SSL (HTTPS) • Server-side de-duplication per file (not per chunk) • No encryption at rest
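Slides 60 to 62 as a runnable model, added here and not taken from the slides or from Dropbox: a server that links chunks by hash without ever seeing the bytes (the behaviour Dropship abused), the attacker who holds only a hash list, and a proof-of-ownership challenge that closes the hole. The 4 MB chunk size is the slide's; the message shapes and the HMAC-based proof are this example's assumptions, not Dropbox's actual protocol.

```python
"""Hash-based client-side de-duplication, the Dropship attack, and proof of ownership.

Added example modelled on the slides; not Dropbox's protocol. Chunk size follows
slide 58 (4 MB); everything else is an assumption of this example.
"""
import hashlib
import hmac
import secrets

CHUNK = 4 * 1024 * 1024


def split(data):
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]


def chunk_hash(chunk):
    return hashlib.sha256(chunk).hexdigest()


class Server:
    def __init__(self, require_proof=False):
        self.require_proof = require_proof
        self.pool = {}      # chunk hash -> bytes, shared by every account
        self.files = {}     # (user, name) -> [chunk hashes]
        self.pending = {}   # (user, name) -> nonce of an open challenge

    def has(self, h):
        return h in self.pool

    def upload_chunk(self, chunk):
        self.pool[chunk_hash(chunk)] = chunk

    def challenge(self, user, name):
        nonce = secrets.token_bytes(16)
        self.pending[(user, name)] = nonce
        return nonce

    def commit(self, user, name, hashes, proofs=None):
        """Link pooled chunks to the user's file; returns the hashes still missing.
        Without a proof, a client that only knows the hashes looks exactly like one
        that owns the bytes -- that is the Dropship hole."""
        missing = [h for h in hashes if h not in self.pool]
        if missing:
            return missing
        if self.require_proof:
            nonce = self.pending.pop((user, name), None)
            if nonce is None or proofs is None or len(proofs) != len(hashes):
                raise PermissionError("proof of ownership required")
            for h, proof in zip(hashes, proofs):
                expected = hmac.new(nonce, self.pool[h], hashlib.sha256).digest()
                if not hmac.compare_digest(expected, proof):
                    raise PermissionError("proof of ownership failed")
        self.files[(user, name)] = list(hashes)
        return []

    def download(self, user, name):
        return b"".join(self.pool[h] for h in self.files[(user, name)])


def honest_upload(server, user, name, data):
    """Real client: send only the chunks the server lacks, answer a challenge if asked."""
    chunks = split(data)
    hashes = [chunk_hash(c) for c in chunks]
    for chunk, h in zip(chunks, hashes):
        if not server.has(h):
            server.upload_chunk(chunk)
    proofs = None
    if server.require_proof:
        nonce = server.challenge(user, name)
        proofs = [hmac.new(nonce, c, hashlib.sha256).digest() for c in chunks]
    return server.commit(user, name, hashes, proofs)


def dropship(server, user, name, hashes):
    """Attacker who only has the hash list (e.g. from a shared 'dropship' file)."""
    proofs = None
    if server.require_proof:
        server.challenge(user, name)
        proofs = [bytes(32)] * len(hashes)   # cannot compute HMAC(nonce, chunk) without the chunk
    if server.commit(user, name, hashes, proofs):
        raise LookupError("server does not hold every chunk")
    return server.download(user, name)


def demo():
    victim_file = b"\x7fELF" + b"x" * (CHUNK + 5)   # constructed; spans two chunks
    hashes = [chunk_hash(c) for c in split(victim_file)]
    old, new = Server(), Server(require_proof=True)
    honest_upload(old, "victim", "movie.bin", victim_file)
    honest_upload(new, "victim", "movie.bin", victim_file)
    try:
        dropship(new, "attacker", "free.bin", hashes)
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "old_server_leaks": dropship(old, "attacker", "free.bin", hashes) == victim_file,
        "new_server_blocks": blocked,
        "honest_dedup_still_works": honest_upload(new, "friend", "copy.bin", victim_file) == [] and len(new.pool) == 2,
    }
```

The proof binds a fresh server nonce to the chunk bytes, so a hash list alone no longer yields the file, while a second honest owner still deduplicates against the pool. Moving de-duplication entirely server-side (upload everything, dedup after receipt) is the other fix, at the cost of bandwidth.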
  • 64. iCloud • 5 GB for free • Used for contacts, calendars, bookmarks, reminders, mail, photos, documents, backups, ... • No security-enhancement tools
  • 65. iCloud Security • Server-side encryption (their key) - “at minimum AES-128” • Transfer: SSL • Backup keybag like in iTunes backups (ECC-class keys: background backup) • “One account to rule them all”
  • 66. iCloud Security Source: http://support.apple.com/kb/HT4865
  • 67. SpiderOak • 2 GB for free • Clients for Mac/Linux/Windows • Web access (security!!) • “Zero Knowledge” principle • Versioning
  • 68. SpiderOak Security • Client-side AES-256 + server-side RSA-2048 • Key derived from the password: • PBKDF2 - 16384 rounds - SHA-256 • 32-byte salt • Web access: key stored in an encrypted memory area, wiped afterwards
  • 69. PaaS / IaaS • AWS • (Microsoft Azure)
  • 70. Amazon Web Services (AWS) • Flexible, scalable, low-cost cloud IaaS • Several certifications and accreditations regarding security
  • 71. AWS Architecture Source: http://d36cz9buwru1tt.cloudfront.net/AWS_Cloud_Best_Practices.pdf
  • 72. AWS Cloud Security I • Certifications and Accreditations • SOC 2 Type II Security • ISO 27001 Certification • PCI DSS Level 1 Compliance • HIPAA compliant • MPAA compliant architecture • DIACAP MAC III-Sensitive • Audit, supporting SOX compliance • Aligned to CSA’s control matrix • Physical Security • Multi-level, multi-factor controlled access environment • Controlled, need-based access for AWS employees (least privilege) • Management Plane Administrative Access • Multi-factor, controlled access to administrative hosts • All access logged, monitored, and reviewed • AWS administrators DO NOT have logical access inside customer VMs (including applications and data) • VM Security • Multi-factor access to the Amazon account • Instance isolation • Customer-controlled firewall at the hypervisor level • Neighboring instances are prevented from accessing each other • Virtualized disk management layer ensures only account owners can access their storage disks • Network Security • Instance firewalls can be configured in security groups • Traffic may be restricted by protocol, by service port, as well as by source IP address (individual or CIDR) • Support for SSL endpoint encryption for all API calls • Virtual Private Cloud (VPC) provides IPsec VPN
  • 73. AWS Cloud Security II • Network security: • DDoS attacks • MITM attacks • Port scanning • Account security features • Service-specific security features
  • 74. Identity and Access Management (IAM) • Who? What actions? Which resources? • Additional granularity: When? Where? How? • Distributed roles between instances (EC2)
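What the slide's When?, Where? and How? look like as IAM condition keys, and how a policy carrying them is evaluated. This is an added example, not AWS code: the policy and bucket name are constructed, and the evaluator implements only the core rules (implicit deny, an explicit Deny wins, all conditions of a statement are ANDed) and the handful of condition operators the policy uses; real IAM evaluation has further rules this example leaves out.

```python
"""Evaluating a constructed IAM policy with time, source-IP and MFA conditions.

Added example, not AWS code. Simplified evaluator: implicit deny, explicit deny
wins, conditions ANDed; only the operators used below are implemented, and a
context key missing from the request fails closed (assumption).
"""
import fnmatch
import ipaddress
import json
from datetime import datetime, timezone

POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress":       {"aws:SourceIp": "203.0.113.0/24"},
        "Bool":            {"aws:MultiFactorAuthPresent": "true"},
        "DateGreaterThan": {"aws:CurrentTime": "2013-01-01T00:00:00Z"},
        "DateLessThan":    {"aws:CurrentTime": "2013-12-31T23:59:59Z"}
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def condition_holds(operator, key, expected, context):
    """One condition key. Where? -> aws:SourceIp, How? -> aws:MultiFactorAuthPresent, When? -> aws:CurrentTime."""
    actual = context.get(key)
    if actual is None:
        return False
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    if operator == "NotIpAddress":
        return ipaddress.ip_address(actual) not in ipaddress.ip_network(expected)
    if operator == "Bool":
        return str(actual).lower() == expected.lower()
    if operator == "DateGreaterThan":
        return _time(actual) > _time(expected)
    if operator == "DateLessThan":
        return _time(actual) < _time(expected)
    raise ValueError(f"unsupported condition operator: {operator}")


def statement_matches(stmt, action, resource, context):
    """Who/What/Which: action and resource patterns (wildcards), then every condition."""
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(
        condition_holds(op, key, expected, context)
        for op, pairs in stmt.get("Condition", {}).items()
        for key, expected in pairs.items()
    )


def evaluate(policy, action, resource, context):
    """Implicit deny unless an Allow matches; any matching Deny ends evaluation with Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def office_request(mfa=True, ip="203.0.113.7", when="2013-06-01T10:00:00Z",
                   action="s3:GetObject", resource="arn:aws:s3:::example-bucket/report.pdf"):
    """Constructed request against POLICY; defaults describe an MFA'd read from the office range."""
    context = {"aws:SourceIp": ip, "aws:MultiFactorAuthPresent": str(mfa).lower(), "aws:CurrentTime": when}
    return evaluate(POLICY, action, resource, context)
```

Dropping any one factor flips the decision: no MFA or a date outside 2013 leaves only the implicit deny, and a foreign source address triggers the explicit Deny even for actions the first statement would allow.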
  • 75. Multi-Factor Authentication • Two-factor authentication • AWS MFA device • Virtual MFA device (smartphone) • Hardware MFA device ($12.99)
  • 76. Amazon S3 • Online web storage service • REST, SOAP, and BitTorrent • Objects (files) are organized in buckets • Free limited-usage tier • Afterwards pricing per storage, requests, and data transfer
  • 77. Amazon S3 - Security • HMAC-SHA1 request signatures • Access Control Lists (ACLs) on buckets and objects • Versioning
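The HMAC-SHA1 signature of slide 77 worked through, as an added example (not AWS code or the slides'): the client builds the documented string-to-sign (verb, Content-MD5, Content-Type, Date, canonicalized x-amz-* headers, resource), the service recomputes it and compares in constant time, and the 15-minute clock window limits replay of a captured signature. The credentials are placeholders and the request is constructed.

```python
"""S3-style request signing (HMAC-SHA1, "Signature Version 2") and verification.

Added example, not AWS code. Credentials are placeholders; the request is constructed.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                      # placeholder
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # placeholder


def string_to_sign(method, resource, headers):
    """Canonical string the signature covers (`headers` uses lower-case names).
    Only Content-MD5, Content-Type, Date and x-amz-* headers are signed; any other
    header travels unprotected and must not carry security-relevant data."""
    amz = sorted((k, v.strip()) for k, v in headers.items() if k.startswith("x-amz-"))
    canonical_amz = "".join(f"{k}:{v}\n" for k, v in amz)
    return "\n".join([
        method,
        headers.get("content-md5", ""),
        headers.get("content-type", ""),
        headers.get("date", ""),
        canonical_amz + resource,
    ])


def sign(secret_key, method, resource, headers):
    """Base64(HMAC-SHA1(secret, string_to_sign)): a 20-byte MAC, 28 base64 characters."""
    mac = hmac.new(secret_key.encode(), string_to_sign(method, resource, headers).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def authorization_header(access_key, secret_key, method, resource, headers):
    return f"AWS {access_key}:{sign(secret_key, method, resource, headers)}"


def parse_authorization(value):
    scheme, rest = value.split(" ", 1)
    if scheme != "AWS":
        raise ValueError("unexpected auth scheme")
    access_key, signature = rest.split(":", 1)
    return access_key, signature


def is_fresh(date_header, now, max_skew=timedelta(minutes=15)):
    """The service rejects requests whose Date is more than 15 minutes off its clock
    (RequestTimeTooSkewed), which bounds how long a replayed signature stays valid."""
    return abs(now - parsedate_to_datetime(date_header)) <= max_skew


def verify(keystore, method, resource, headers, now):
    """Service side: look up the secret, check the clock, recompute, compare in constant time."""
    access_key, presented = parse_authorization(headers["authorization"])
    secret = keystore.get(access_key)
    if secret is None or "date" not in headers or not is_fresh(headers["date"], now):
        return False
    return hmac.compare_digest(sign(secret, method, resource, headers), presented)


def demo():
    """Constructed GET of one object: signed, verified, then tampered with in three ways."""
    headers = {"date": "Tue, 27 Mar 2007 19:36:42 +0000"}
    resource = "/johnsmith/photos/puppy.jpg"
    headers["authorization"] = authorization_header(ACCESS_KEY, SECRET_KEY, "GET", resource, headers)
    now = datetime(2007, 3, 27, 19, 40, tzinfo=timezone.utc)
    keystore = {ACCESS_KEY: SECRET_KEY}
    return {
        "genuine": verify(keystore, "GET", resource, headers, now),
        "other_object": verify(keystore, "GET", "/johnsmith/photos/other.jpg", headers, now),
        "other_method": verify(keystore, "DELETE", resource, headers, now),
        "replayed_later": verify(keystore, "GET", resource, headers, now + timedelta(hours=1)),
    }
```

Because the signature covers the Date header, an attacker cannot simply refresh the timestamp on a captured request; and because unsigned headers are not covered, anything that matters must go into the resource, the signed headers, or the body's Content-MD5.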
  • 78. S3 - Server Side Encryption
  • 79. Amazon Elastic Compute Cloud (EC2) • Amazon Machine Images (Linux, Windows) • Manually create and terminate additional server instances (elastic) • Pay by the hour for active servers • Control of geographic location
  • 80. Amazon EC2 - Security I • Multiple Levels of Security: • Host operating system • Guest operating system • Firewall • Fully controlled by customer Source: http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
  • 81. Amazon EC2 - Security II • Hypervisor (Xen) • Instance Isolation Source: http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
  • 82. Windows Azure Platform • Microsoft's application platform for the public cloud. • Base for Microsoft Online Services
  • 83. Windows Azure Platform Architecture [Diagram: the Fabric Controller manages the Fabric; Computation: Web Role instances and Worker Role instances, each running in a virtual machine; Storage: Blobs, Queues, Tables, Drives]
  • 84. Windows Azure Platform Security • Subscription via Windows Live ID grants full control over virtual machines and storage • Programmatic access through the Service Management API (SMAPI) • Windows Azure storage is governed through a storage access key • No server-side encryption (SSE)
  • 85. Virtualization Security Isolation please !
  • 86. Full Virtualization [Diagram: several VMs, each with its own OS and applications, run on a hypervisor (virtual machine manager), which sits on a host OS or a bootstrap layer above the hardware]
  • 87. Virtualization Security Threats • Communication blind spots • Inter-VM attacks and hypervisor compromises • Mixed-trust-level VMs • Instant-on gaps: reactivated, cloned or out-of-date VMs Image source: http://la.trendmicro.com/media/misc/virtualization-cloud-computing-threat-report-en.pdf
  • 88. Virtualization - Security • Guest OS isolation • Mitigation of side-channel attacks • Guest OS monitoring • Full auditing capabilities • Image and snapshot management • Forensics
  • 89. Future Cloud Cryptography “Due to the suspicious nature of crypto users I have a feeling DES will be with us forever, we will just keep adding keys and cycles...” (Colin Dooley)
  • 90. New Crypto Schemes for the Cloud • Encrypted data is vulnerable while it is being processed (it has to be decrypted first) • Goal: process encrypted data without decrypting it • Searchable encryption • Homomorphic encryption • Proxy re-encryption
  • 91. Searchable Encryption (SE) • The server executes queries without decrypting the data. • Cryptographic primitives and trapdoors: the client sends query + trapdoor, the server returns the query results • SE issues: • Data ownership • Trapdoor revocation • Query types: single keyword, multiple keywords, conjunctive and ranked queries
  • 92. SE Schemes • Symmetric SE (SSE) • Assumes that the data is encrypted with the same master key that will be used during searching, and that the owner of the data is the one who triggers the queries. • Asymmetric SE • Multiple parties are able to search over the data of a single user. • Any party that knows the public key is able to encrypt and add data to the server, but only the party in possession of the private key can generate trapdoors.
  • 93. Homomorphic Encryption (HE) • Encrypted data is processed directly • Limited operations available (yet)
  • 94. Proxy Re-Encryption (PRE) • Allows Bob to decrypt data from Alice without her secret key • Uses a semi-trusted server (the proxy) • Bidirectional vs. unidirectional • Single-hop vs. multi-hop • Used in digital rights management [Diagram: Alice sends E_A(M) to the proxy, which holds the re-encryption key r_{A→B} and forwards E_B(M) to Bob]
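The symmetric case of slides 91 and 92 as a minimal working SSE index, added here and not taken from the slides or any published scheme: the data owner tags every keyword with HMAC(K_search, word), uploads encrypted documents with their tags, and later hands the server a trapdoor (the same HMAC for the word it wants) so the server can answer single-keyword and conjunctive queries without decrypting anything. The documents are constructed and the document cipher is a SHAKE-256 keystream standing in for AES; both are assumptions.

```python
"""Minimal symmetric searchable encryption: keyword tags, trapdoors, conjunctive search.

Added example; not a published SSE scheme. Documents are constructed, and the
SHAKE-256 keystream stands in for a real cipher (assumption).
"""
import hashlib
import hmac
import re
import secrets


class Owner:
    """Data owner: holds both keys, encrypts before upload, generates trapdoors."""

    def __init__(self):
        self.k_search = secrets.token_bytes(32)
        self.k_data = secrets.token_bytes(32)

    def trapdoor(self, word):
        """Deterministic per keyword, so the server can match it; it reveals nothing
        about the word itself, but repeating it reveals the search pattern."""
        return hmac.new(self.k_search, word.lower().encode(), hashlib.sha256).hexdigest()

    def _xor(self, nonce, data):
        pad = hashlib.shake_256(self.k_data + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, pad))

    def encrypt(self, text):
        nonce = secrets.token_bytes(16)
        return nonce + self._xor(nonce, text.encode())

    def decrypt(self, blob):
        return self._xor(blob[:16], blob[16:]).decode()

    def prepare(self, text):
        """What actually leaves the client: ciphertext plus the set of keyword tags."""
        words = set(re.findall(r"[a-z0-9]+", text.lower()))
        return self.encrypt(text), {self.trapdoor(w) for w in words}


class Server:
    """Sees only ciphertexts and tags; matches trapdoors against tags."""

    def __init__(self):
        self.docs = {}
        self.index = {}

    def store(self, doc_id, blob, tags):
        self.docs[doc_id] = blob
        for t in tags:
            self.index.setdefault(t, set()).add(doc_id)

    def search(self, *trapdoors):
        """Conjunctive query: ids of the documents carrying every trapdoor."""
        hits = [self.index.get(t, set()) for t in trapdoors]
        return set.intersection(*hits) if hits else set()

    def sees_keyword(self, word):
        """Sanity check of what the server holds: the keyword never appears in clear."""
        return any(word in t for t in self.index) or any(word.encode() in b for b in self.docs.values())
```

Trapdoor revocation, listed as an open issue on slide 91, is visible here: once `trapdoor("security")` has been handed to the server (or to anyone else), it keeps matching until the owner rotates `k_search` and rebuilds the index.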
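What "limited operations" means in practice, as an added example (not from the slides): Paillier encryption is additively homomorphic, so a server can add encrypted values and multiply them by known constants, but it cannot multiply two encrypted values together. The two primes are fixed and far too small for real use, and the plaintext values are constructed; both are assumptions of this example.

```python
"""Additively homomorphic encryption (Paillier): the server adds values it cannot read.

Added example. The primes are toy-sized (assumption) and the values are constructed.
"""
from math import gcd
import secrets

P, Q = 1_000_000_007, 998_244_353   # toy primes, NOT a secure size


def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                           # valid because we use g = n + 1
    return (n, n + 1), (lam, mu)


def encrypt(pk, m, r=None):
    """c = g^m * r^n mod n^2 with a fresh random r: the same m encrypts differently each time."""
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    n2 = n * n
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n   # L(x) = (x - 1) / n
    return l_value * mu % n


def add(pk, c1, c2):
    """E(a) * E(b) = E(a + b): no key needed, so the server can do it."""
    return c1 * c2 % (pk[0] ** 2)


def scale(pk, c, k):
    """E(a)^k = E(k * a): multiplication by a known constant only."""
    return pow(c, k, pk[0] ** 2)


def encrypted_sum(values):
    """Client encrypts each value, the 'server' sums ciphertexts, the client decrypts the total."""
    pk, sk = keygen()
    ciphertexts = [encrypt(pk, v) for v in values]
    total = ciphertexts[0]
    for c in ciphertexts[1:]:
        total = add(pk, total, c)
    return decrypt(pk, sk, total)
```

Multiplying two ciphertexts yields the encryption of the sum, not of the product; computing arbitrary functions on ciphertexts needs a fully homomorphic scheme, which is the part still "limited (yet)" on the slide.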
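The diagram of slide 94 run end to end, as an added example (not the slides' or any library's code): an ElGamal-based, bidirectional, multi-hop proxy re-encryption scheme in the style of Blaze, Bleumer and Strauss (1998). With the re-encryption key rk = b/a the proxy turns a ciphertext for Alice into one for Bob without learning the message or either secret key. The group (Z_p^* for the Mersenne prime 2^61-1) is a toy choice and the message is constructed; both are assumptions.

```python
"""Bidirectional, multi-hop proxy re-encryption (BBS98-style ElGamal variant).

Added example. The group is toy-sized (assumption); the message is constructed.
"""
from math import gcd
import secrets

P = (1 << 61) - 1   # prime, so Z_p^* is a group of order P - 1
G = 3               # base element; any element of Z_p^* works for the algebra below


def keygen():
    """Secret key x must be invertible modulo the group order so that 1/x exists."""
    while True:
        x = secrets.randbelow(P - 3) + 2
        if gcd(x, P - 1) == 1:
            return x, pow(G, x, P)        # (sk, pk = g^x)


def encrypt(pk, m, r=None):
    """E_A(M) = (pk_A^r, M * g^r); M must be in [1, P-1]."""
    if not 1 <= m < P:
        raise ValueError("message out of range")
    if r is None:
        r = secrets.randbelow(P - 2) + 1
    return pow(pk, r, P), m * pow(G, r, P) % P


def decrypt(sk, c):
    c1, c2 = c
    g_r = pow(c1, pow(sk, -1, P - 1), P)    # (g^{x r})^{1/x} = g^r
    return c2 * pow(g_r, -1, P) % P


def rekey(sk_from, sk_to):
    """r_{A->B} = b / a mod (P-1). Needs BOTH secrets, hence bidirectional:
    the inverse key maps Bob's ciphertexts back to Alice."""
    return sk_to * pow(sk_from, -1, P - 1) % (P - 1)


def reencrypt(rk, c):
    """Proxy step: (g^{a r})^{b/a} = g^{b r}; the masked message component is untouched,
    so the proxy never sees M and holds neither a nor b."""
    c1, c2 = c
    return pow(c1, rk, P), c2


def encode(text):
    """Pack a short string into the group (the toy modulus allows at most 7 bytes)."""
    m = int.from_bytes(text.encode(), "big")
    if not 1 <= m < P:
        raise ValueError("message too long for the toy group")
    return m


def decode(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()
```

Because re-encryption keys compose (r_{A→B} then r_{B→C}), the scheme is multi-hop; unidirectional, single-hop schemes need different constructions, which is the trade-off the slide's two bullet pairs refer to.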
  • 95. Thanks! Q&A
