Cloud Security
Christoph Hechenblaikner
Johannes Innerbichler
2. Why Cloud Security?

3. CC + SP-Sec
• User: "App" = Whole package
• App + Web service
• Smartphone-Security: Protect assets on the device
• Cloud-Security: Protect assets in the cloud

4. Agenda
• Basics of Cloud Computing
• Cloud Security Basics
• Cloud Services Analysis
• Virtualization Security
• Cloud Cryptography

5. Cloud Computing Basics: What is it about?

6. Cloud Computing
• NIST definition:
  • On-demand self-service
  • Broad network access
  • Resource pooling
  • Rapid elasticity
  • Measured Service
Source: http://pre-developer.att.com/home/learn/enablingtechnologies/The_NIST_Definition_of_Cloud_Computing.pdf

7. Cloud Computing
• IDC CC-Forecast Nov 2012:
  • 2012: $40 billion
  • 2016: $100 billion
  • AGR: 26,4% (2012 - 2016)
  • 2016: 41% of total IT growth
Source: http://www.idc.com/getdoc.jsp?containerId=prUS23684912#.UOiFdYnjlgw

8. XaaS
(Diagram, ordered by user value: SaaS: End User; PaaS: Developer; IaaS: System Engineers / Developers)

9. IaaS
• Cloud:
  • Hardware / Network
  • OS (partly) / Virtualization
• User:
  • Applications / Data
  • Runtime / Middleware
  • OS (limited)

10. IaaS
(Diagram: provider-managed Server-VMs, each with the Application on it, accessed by the User / Developer via www. Scalability!)

11. IaaS
• Pay as you use
• Own runtimes, ...
• Highly scalable
• Dynamic application environment
• Application / Developer manages scaling

12. IaaS

13. PaaS
• Cloud:
  • Hardware / Network
  • OS / Virtualization
  • Runtime / Middleware
• User:
  • Applications / Data (APIs)

14. PaaS
(Diagram: Provider runs the Application Framework and the Users API, accessed by the User / Developer via www; platform APIs: Blobstore API, DataQueue API, SSL-access API, Images API, Security API, Memcache API, ...)

15. PaaS
(Diagram: IDE / Client holds the Application and the Provider account; a Deployment Tool pushes the Application to the platform, where it runs on the Server's Platform Framework)

16. PaaS
• Developer focuses on application
• "native" application scaling
• Performance
• Pay as you use (CPU time, transferred data, ...)

17. PaaS

18. SaaS
• Cloud: Provides the application
• User: Uses it!

19. SaaS
• Application delivered through the cloud
• Access via different devices
• Access:
  • Web Technology
  • Client Applications
• Future Software Distribution Channel

20. SaaS

21. XaaS
(Diagram: the stack Data, Runtime, Middleware, OS, Virtualisation, Hardware, Storage, Networking shown side by side for IaaS Applications, PaaS Applications and SaaS Applications)

22. Cloud Security Basics: What are we afraid of?

23. Cloud Security Assets
• Sensitive user data
  • Credentials, Keys, SSN
  • Military / Business Information
  • Medical Health Records
• Control over Cloud-System
• Computational Power

24. Security Goals
• As usual:
  • Confidentiality
  • Integrity
  • Availability
  • Accountability

25. Cloud Security
(Chart: share of respondents answering 4 or 5 for Security, Availability and Regulatory requirements; values shown: 74,6%, 63,1% and 59,2%. Source: IDC Enterprise Panel, August 2008, n=244)

26. Security Threats
• CSA "Top Threats to Cloud Computing"
• Alliance of Cloud-Computing companies
• Goal: Providing Guidelines
Source: cloudsecurityalliance.org/research/top-threats/

27. Security Threats
• #1 "Abuse and Nefarious Use of Cloud Computing"
  • DDoS-Attacks, Botnets
  • Cracking Hashes / Keys, Rainbow Tables
  • CAPTCHA solving farms
  • Solutions: User registration, Signatures, ...

28. Example
• Amazon EC2 (AWS)
• 2009 - 2010
• The botnet behind the Zeus crimeware used the Amazon EC2 service for "command and control" purposes.
• 3,600,000 bots (Bank of America, NASA, Cisco, Oracle, Amazon, ...)
Source: http://www.zdnet.com/blog/security/zeus-crimeware-using-amazons-ec2-as-command-and-control-server/5110

29. Security Threats
• #2 "Insecure Interfaces and APIs"
  • MMI of Cloud Providers
  • APIs to additional services (layered API)
  • Must prevent policy circumventions

30. Security Threats
• Twitter
• 2009
• Part of the API functions accessible via HTTP authentication
• MITM, CSRF, ...
• Lots of bad mashups!
Source: http://securitylabs.websense.com/content/Blogs/3402.aspx
Source: www.theprogrammableweb.com

31. Security Threats
• #3 "Malicious Insiders"
  • Hobby hacker, corporate espionage, nation-state sponsored intrusion
  • Transparency of providers
  • Solutions: Contracts, Compliance monitoring, ...

32. Security Threats
• Roadway D&B (Shanghai)
• 03/2012
• Personal data bought and sold by D&B
• Income, family, car, ...
• 150,000,000 records from (IT) insiders at banks, insurance groups, real estate agencies, ...
Source: http://datalossdb.org/incidents/5883-firm-may-have-illegally-bought-and-sold-150-million-customers-information

33. Security Threats
• #4 "Shared Technology Issues"
  • Hypervisor Mediated Architectures (VMs)
  • Storage
  • Network Security
  • Solutions: Regular audits, Monitoring, ...

34. Security Threats
• VMware
• 2009
• VMware SVGA II exploit
• MMIO used to place and execute code on the host OS
• Many products affected (Workstation, ESX Server)

35. VMware exploit
(Diagram: Host: vmx-process; Guest: OS; SVGA-FIFO, Frame Buffer, Virtual Video Card; SVGA_RECT_COPY)
Source: http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-PAPER.pdf

36. to 38. SVGA_RECT_COPY
(Diagrams: Src and Dst rectangles; slide 37 shows the normal behavior of the SVGA_RECT_COPY operation. Same source as slide 35)

39. VMware exploit
(Diagram as on slide 35, same source)

40. Security Threats
• #5 "Data Loss or Leakage"
  • Deletion, Alteration, Storage System Failure
  • Deleting encryption keys, weak keys
  • Leakage of data to third parties

41. Security Threats
• Heartland Payment Systems
• May 2008
• 130,000,000 records ($2.5 Million damage)
• credit card numbers, ...
Source: http://datalossdb.org/incidents/1518-malicious-software-hackcompromises-unknown-number-of-credit-cards-at-fifth-largest-credit-card-processor

42. Security Threats
• United States Army
• December 28th 2012
• 36,000 records
• SSN, names, dates of birth, ...
Source: http://datalossdb.org/incidents/8680-social-security-numbers-of-36-000-who-workedat-or-visited-fort-monmouth-as-well-as-some-of-their-names-dates-and-places-ofbirth-home-addresses-and-salaries-accessed-by-hacker

43. Security Threats
• #6 "Account or Service Hijacking"
  • Getting control over an account (without the user noticing it!)
  • phishing, social engineering, tampered images, ...
  • constant / hidden business manipulation

44. Security Threats
• #7 "Unknown Risk Profile"
  • Versions of software, Security design, Intrusion attempts, ...
  • Competitors using the service?
  • Bad attempt: Security by obscurity
  • Solutions: Disclosure of {infrastructure, software, logs, ...}, Customer notification / alerts, ...

45. Security Threats
• Heartland Payment Systems
• Used known vulnerable software components (did not disclose them)
• Did not provide their customers with appropriate logs / alerts
• Did inform their customers too late!

46. Cloud Service Analysis: (How) is it done?

47. SaaS
• Dropbox
• Ubuntu1
• iCloud
• Wuala
• GoogleDrive
• Spideroak
• MS SkyDrive
• Mozy

48. Google Drive
• Initial free 5 GB
• Provides optional free two-factor authentication via SMS or Google Authenticator app
• Search functionality
  • optical character recognition (OCR)
• Optional disabled automatic deletion
• Files are stored unencrypted. Transfer: SSL
• But who owns the data after uploading?

49. GDrive: Terms of Service
"Your Content in our Services: When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes that we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights that you grant in this license are for the limited purpose of operating, promoting and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing that you have added to Google Maps)."
http://www.google.co.uk/intl/en/policies/terms/regional.html

50. SkyDrive
• Initial free 7 GB
• Access to every file on the PC it is installed on.
• Microsoft Web Apps
• Privacy concerns
• No two-factor authentication offered
• Files are stored unencrypted. Transfer: SSL

51. SkyDrive - Security
• "Secure Sockets Layer (SSL) to encrypt your files when you upload or download them."
• "Sophisticated physical and electronic security measures on the servers to help keep your files safe."
• "Multiple copies of each file saved on different servers and hard drives to help protect your data from hardware failure."
http://windows.microsoft.com/en-US/skydrive/any-file-anywhere#1TC=t1

52. Security concerns in SkyDrive Hotmail
• Person A wants to send a sensitive document to Person B.
• Person A logs in to his Hotmail account, types a brief email to person B and adds the file to be sent. The file is automatically added to SkyDrive and the link is shared through the email to person B.
• Now person B reads the email on a public computer, accesses the file from SkyDrive, signs out of his mail and goes away.
• Now person C comes to the same computer. He simply checks the URLs accessed by the previous user in the browser and finds the links to the file in SkyDrive. He visits the file in SkyDrive, downloads it and sends it to some business competitors.

53. Wuala
• Free 2 GB
• Upload by drag-and-drop into client application
• Versioning: 10 most recent versions
• Sharing Functionality
  • with other subscribers
  • with non-subscribers (https://www.wuala.com/username/folder/?key=value)
  • with everybody

54. Wuala - Security
• No Email confirmation after registration
• Transport Security
  • proprietary client/server communication
  • no SSL / TLS
  • no detailed Information
• Convergent file encryption

55. Wuala - Convergent Encryption I
(Diagram, Client and Server: the file content is hashed to give the key k; the file is stored as enc_k(file) under the filename on the server hash(enc_k(file)); the key for decryption is stored as enc_s(k) and the filename on the user's disk as enc_s(fname'))
• Symmetric root key r derived from user password
• Random key s, can be accessed via r

56. Wuala - Convergent Encryption II
• Properties
  • Identical clear texts are identical crypto texts (user independent)
  • server can not decrypt crypto texts without copy of clear texts
• Drawbacks
  • Check for a file possible
  • Disclosure of connection between users

57. Mozy
• Free 2 GB
• No specific drive
• Transport security: TLS and HTTPS
• File encryption:
  • Encrypted on client
  • 448-bit Blowfish (key provided by Mozy)
  • 256-bit AES (personal key)
  • Filenames and paths stored unencrypted
• Cross-user vs. single user deduplication

58. Dropbox
• Up to 2GB free space (but Spacerace, ...)
• Clients available for almost all OS
• Powerful versioning of files (free account 30 days)
• Sync based on 4MB chunks

59. Dropbox Security
• Server-side AES-256 (their key)
• Server-side per user de-duplication (see later)
• Transfer: SSL (HTTPS)
• Account-lockdown: too many login attempts
• Registration: Email not verified
• Sharing: predictable URLs for non-registered users (after some URLs)

60. De-duplication sharing
• earlier versions of DB (Dropbox):
  • Client side de-duplication
  • Based on hash of chunks
  • Exploited to download illegal content (Dropship, ...)

61. De-duplication sharing
(Diagram: Dropbox Client, Dropbox Server File-Pool and per-user User-Storage; labels: OpenSSL, replace hash, ==, link)

62. De-duplication sharing
• thepiratebay.org top 100 torrents
• Downloaded copyright free content (.sfv, .nfo, ...)
• 97 % (n=368) retrievable
• 20% not older than 24 hours
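Worked example (added here; not from the slides or from Wuala's code): a toy model of the convergent-encryption flow on slides 55 and 56 and of the de-duplication it enables (slides 60 to 62). The key is the hash of the file content, the stored name is the hash of the ciphertext, two users uploading the same file share one stored ciphertext, and the server can confirm whether a guessed file is stored, which is the drawback slide 56 names. The stream cipher, the key wrapping, the PBKDF2 salt and the iteration count are constructed placeholders, not Wuala's scheme.

```python
import hashlib
import secrets


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """Placeholder cipher for the example (not Wuala's): XOR with a keystream of
    SHA-256(key || block counter). Deterministic per key, so the same key and
    plaintext always give the same ciphertext, which convergent encryption
    relies on. Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def convergent_encrypt(file_content: bytes):
    """Slide 55: k = hash(file content), ciphertext = enc_k(file),
    filename on server = hash(enc_k(file)). Returns (k, ciphertext, name)."""
    k = hashlib.sha256(file_content).digest()
    ciphertext = toy_stream_cipher(k, file_content)
    return k, ciphertext, hashlib.sha256(ciphertext).hexdigest()


class Server:
    """Holds only ciphertexts keyed by their hash: no user key, no plaintext."""

    def __init__(self):
        self.pool = {}

    def store(self, name: str, ciphertext: bytes) -> bool:
        """Returns True if the upload was de-duplicated (name already present)."""
        if name in self.pool:
            return True
        self.pool[name] = ciphertext
        return False

    def fetch(self, name: str) -> bytes:
        return self.pool[name]

    def can_confirm_file(self, guessed_content: bytes) -> bool:
        """Drawback from slide 56 ("check for a file possible"): whoever holds a
        candidate plaintext can derive its stored name and test for presence."""
        return convergent_encrypt(guessed_content)[2] in self.pool


class Client:
    """Slide 55: symmetric root key r from the password, random key s reachable
    via r; k and the real filename are wrapped under s before leaving the client."""

    def __init__(self, password: str):
        # Constructed salt and iteration count, for the example only.
        self.r = hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10_000)
        self.s = secrets.token_bytes(32)
        self.s_wrapped = toy_stream_cipher(self.r, self.s)  # enc_r(s), what the server may hold
        self.names = {}  # local filename -> (filename on server, enc_s(k))

    def upload(self, server: Server, local_name: str, content: bytes) -> bool:
        k, ciphertext, name = convergent_encrypt(content)
        self.names[local_name] = (name, toy_stream_cipher(self.s, k))  # enc_s(k)
        return server.store(name, ciphertext)

    def download(self, server: Server, local_name: str) -> bytes:
        name, wrapped_k = self.names[local_name]
        k = toy_stream_cipher(self.s, wrapped_k)
        return toy_stream_cipher(k, server.fetch(name))
```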
63. Ubuntu 1
• 5GB free (Amazon EC2)
• Clients for Linux/Windows/Android/iOS
• Supports music streaming and contact synchronization
• Transfer: SSL (HTTPS)
• De-duplication on file base (not chunks) on server
• No encryption at all

64. iCloud
• 5GB for free
• Used for Contacts, Calendars, Bookmarks, Reminder, Mails, Photos, Documents, Backups, ...
• No Security Enhancement Tools

65. iCloud Security
• Server-side encryption (their key) - "At minimum AES-128"
• Transfer: SSL
• Backup-Keybag like in iTunes backups (ECC-class keys: Background backup)
• "One account to rule them all"

66. iCloud Security
Source: http://support.apple.com/kb/HT4865

67. Spideroak
• 2GB for free
• Clients for Mac/Linux/Windows
• Web-Access (security!!)
• "Zero Knowledge" Principle
• Versioning

68. Spideroak Security
• Client-Side AES-256 + Server-Side RSA-2048
• Key password derived:
  • PBKDF2 - 16384 rounds - sha256
  • 32 Bytes salt
• Web-Access: Key stored in encrypted memory area, wiped afterwards

69. PaaS / IaaS
• AWS
• (Microsoft Azure)

70. Amazon Web Services (AWS)
• Flexible, scalable, low-cost cloud IaaS
• Several certifications and accreditations regarding security

71. AWS Architecture
Source: http://d36cz9buwru1tt.cloudfront.net/AWS_Cloud_Best_Practices.pdf

72. AWS Cloud Security I
Certifications and Accreditations
• SOC 2 Type II Security
• ISO 27001 Certification
• PCI DSS Level I Compliance
• HIPAA compliant
• MPAA compliant architecture
• DIACAP MAC III-Sensitive
• Audit, supporting SOX compliance
• Aligned to CSA's control matrix
Physical Security
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)
Management Plane Administrative Access
• Multi-factor, controlled access to administrative host
• All access logged, monitored, and reviewed
• AWS administrators DO NOT have logical access inside customers' VMs (including applications and data)
VM Security
• Multi-factor access to Amazon account
• Instance Isolation
  • Customer-controlled firewall at the hypervisor level
  • Neighboring instances prevented access
  • Virtualized disk management layer ensures only account owners can access storage disks
• Support for SSL end point encryption for all API calls
Network Security
• Instance firewalls can be configured in security groups
• The traffic may be restricted by protocol, by service port, as well as by source IP address (individual or CIDR)
• Virtual Private Cloud (VPC) provides IPSec VPN

73. AWS Cloud Security II
• Network security
  • DDoS attacks
  • MITM attacks
  • Port scanning
• Account security features
• Service specific security features

74. Identity and Access Management (IAM)
• Who?, What actions?, Which resources?
• Additional granularity: When?, Where?, How?
• Distributed roles between instances (EC2)

75. Multi-Factor Authentication
• Two-factor authentication
• AWS MFA device
  • Virtual MFA device (smartphone)
  • Hardware MFA device ($12.99)

76. Amazon S3
• Online web storage service
• REST, SOAP, and BitTorrent
• Objects (files) are organized in buckets
• Free limited usage tier
• Afterwards pricing per storage, request, and data transfer

77. Amazon S3 - Security
• HMAC-SHA1 signature
• Access Control List (ACL) of bucket and object
• Versioning
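Worked example (added here; not from the slides or from AWS code): the HMAC-SHA1 request signature of slide 77, in the S3 REST authentication format of that time as I know it (string-to-sign over verb, Content-MD5, Content-Type, Date, canonicalized x-amz-* headers and resource; Authorization: AWS KeyId:Base64(HMAC-SHA1)). Both sides are shown: the client signing a request and a server-side check that also rejects stale Dates and compares in constant time. The access key id, secret, bucket and object name are constructed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed credentials for the example; not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE"
SECRET_KEY = b"constructed-secret-key-for-illustration-only"
MAX_CLOCK_SKEW = timedelta(minutes=15)  # how long a signed request stays acceptable


def string_to_sign(method, bucket, key, date, content_md5="", content_type="", amz_headers=None):
    """Verb, Content-MD5, Content-Type, Date, canonicalized x-amz-* headers
    (lower-cased names, sorted, one per line) and the canonicalized resource."""
    amz_headers = amz_headers or {}
    amz = "".join(f"{n.lower()}:{amz_headers[n].strip()}\n" for n in sorted(amz_headers, key=str.lower))
    return f"{method}\n{content_md5}\n{content_type}\n{date}\n{amz}/{bucket}/{key}"


def sign(secret: bytes, sts: str) -> str:
    return base64.b64encode(hmac.new(secret, sts.encode("utf-8"), hashlib.sha1).digest()).decode("ascii")


def authorization_header(method, bucket, key, date, **kw) -> str:
    """Client side: Authorization: AWS <AccessKeyId>:<Base64(HMAC-SHA1(secret, StringToSign))>."""
    return f"AWS {ACCESS_KEY_ID}:{sign(SECRET_KEY, string_to_sign(method, bucket, key, date, **kw))}"


def verify_request(auth_header, method, bucket, key, date, now=None, **kw) -> bool:
    """Server side: parse the header, check the key id, enforce the Date window
    (a captured signed request must not be replayable forever) and compare
    the HMACs in constant time so timing does not leak how many bytes matched."""
    try:
        scheme, rest = auth_header.split(" ", 1)
        key_id, presented = rest.split(":", 1)
    except ValueError:
        return False
    if scheme != "AWS" or key_id != ACCESS_KEY_ID:
        return False
    try:
        sent = parsedate_to_datetime(date)
    except (TypeError, ValueError):
        return False
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if abs(now - sent) > MAX_CLOCK_SKEW:
        return False
    expected = sign(SECRET_KEY, string_to_sign(method, bucket, key, date, **kw))
    return hmac.compare_digest(expected.encode(), presented.encode())


def demo(now=None) -> dict:
    """Signs one GET and verifies it as sent, with the verb tampered, and an hour late."""
    now = now or datetime(2013, 1, 15, 12, 0, tzinfo=timezone.utc)
    date = format_datetime(now, usegmt=True)  # RFC 1123 Date header, e.g. "Tue, 15 Jan 2013 12:00:00 GMT"
    args = ("examplebucket", "photos/puppy.jpg", date)
    header = authorization_header("GET", *args)
    return {
        "header": header,
        "valid": verify_request(header, "GET", *args, now=now),
        "tampered_verb": verify_request(header, "DELETE", *args, now=now),
        "stale": verify_request(header, "GET", *args, now=now + timedelta(hours=1)),
    }
```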
78. S3 - Server Side Encryption

79. Amazon Elastic Compute Cloud (EC2)
• Amazon Machine Image (Linux, Windows)
• Manually creating and terminating additional server instances (elastic)
• Paying by the hour for active servers
• Control of geographic location

80. Amazon EC2 - Security I
• Multiple Levels of Security:
  • Host operating system
  • Guest operating system
  • Firewall
  • Fully controlled by customer
Source: http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf

81. Amazon EC2 - Security II
• Hypervisor (Xen)
• Instance Isolation
Source: http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf

82. Windows Azure Platform
• Microsoft's application platform for the public cloud.
• Base for Microsoft Online Services

83. Windows Azure Platform Architecture
(Diagram: Fabric Controller; Fabric with Computation (Web Role Instance and Worker Role Instance, each a Virtual Machine) and Storage (BLOBS, Tables, Queues, Drives))

84. Windows Azure Platform Security
• Subscription via Windows LiveID grants full control to virtual machine and storage
• Programmatically through SMAPI
• Windows Azure storage is governed through a storage access key
• no SSE

85. Virtualization Security: Isolation please!

86. Full Virtualization
(Diagram: three VMs, each with an OS and an App, on top of the Hypervisor or Virtual Machine Manager, the Host OS or Bootstrap, and the Hardware)

87. Virtualization Security Threats
• Communication blind spots
• Inter-VM attacks and hypervisor compromises
• Mixed trust level VMs
• Instant-on gaps (Reactivated, Cloned, Out of Date)
Image source: http://la.trendmicro.com/media/misc/virtualization-cloud-computing-threat-report-en.pdf

88. Virtualization - Security
• Guest OS isolation
• Mitigation of side-channel attacks
• Guest OS Monitoring
• Full auditing capabilities
• Image and Snapshot Management
• Forensics

89. Future Cloud Cryptography
"Due to the suspicious nature of crypto users I have a feeling DES will be with us forever, we will just keep adding keys and cycles..." (Colin Dooley)

90. New Crypto Schemes for the Cloud
• Encrypted data is vulnerable during processing
• Process encrypted data without decrypting it:
  • Searchable encryption
  • Homomorphic encryption
  • Proxy re-encryption

91. Searchable Encryption (SE)
• Server executes queries without decrypting data.
• Cryptographic primitives and trapdoors
• SE issues
  • Data ownership
  • Trapdoor revocation
  • Query type: single keywords, multiple keywords, conjunctive and ranked queries
(Diagram: the client sends query + trapdoor, the server returns the query results)

92. SE Schemes
• Symmetric SE
  • SSE assumes that the data is encrypted with the same master key that will be used during searching and that the owner of the data is the one who triggers the queries.
  • Multiple parties are able to search over data of a single user.
• Asymmetric SE
  • Any party that knows the public key is able to encrypt and add data to the server, but only the party in possession of the private key can generate trapdoors.
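Worked example (added here; not from the slides): a minimal symmetric searchable encryption index as described on slides 91 and 92. The data owner keeps the master key, encrypts the documents and builds an index keyed by trapdoors (a keyed PRF of each keyword); the server answers single-keyword, conjunctive and ranked queries by matching trapdoors without ever seeing a keyword or a plaintext. The key derivation labels, the PRF choice and the document cipher are constructed placeholders, not a published SSE scheme.

```python
import hashlib
import hmac
import re


def keyword_trapdoor(index_key: bytes, keyword: str) -> bytes:
    """Trapdoor = keyed PRF of the normalised keyword. Without index_key the
    server cannot map a trapdoor back to the keyword it stands for."""
    return hmac.new(index_key, keyword.lower().encode(), hashlib.sha256).digest()


def seal(doc_key: bytes, doc_id: str, data: bytes) -> bytes:
    """Placeholder document cipher (keyed BLAKE2b keystream XOR), not a production
    scheme; applying it twice with the same key and doc_id restores the data."""
    stream = b"".join(hashlib.blake2b(doc_id.encode() + i.to_bytes(4, "big"), key=doc_key).digest()
                      for i in range(len(data) // 64 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class Owner:
    """Data owner: derives separate index and document keys from the master key,
    encrypts the corpus, builds the trapdoor index and issues trapdoors for queries."""

    def __init__(self, master_key: bytes):
        self.k_index = hmac.new(master_key, b"index", hashlib.sha256).digest()
        self.k_doc = hmac.new(master_key, b"doc", hashlib.sha256).digest()

    def encrypt_corpus(self, docs: dict):
        blobs = {doc_id: seal(self.k_doc, doc_id, text.encode()) for doc_id, text in docs.items()}
        index = {}
        for doc_id, text in docs.items():
            for word in set(re.findall(r"[a-z0-9]+", text.lower())):
                index.setdefault(keyword_trapdoor(self.k_index, word), set()).add(doc_id)
        return blobs, index

    def trapdoor(self, keyword: str) -> bytes:
        # Slide 91's "trapdoor revocation" issue: once handed out, a trapdoor keeps
        # working until the index is rebuilt under a fresh index key.
        return keyword_trapdoor(self.k_index, keyword)

    def open(self, doc_id: str, blob: bytes) -> str:
        return seal(self.k_doc, doc_id, blob).decode()


class Server:
    """Stores only ciphertexts and the opaque trapdoor -> doc-id index."""

    def __init__(self, blobs: dict, index: dict):
        self.blobs, self.index = blobs, index

    def search(self, trapdoors: list, conjunctive: bool = True) -> set:
        """Single keyword, or multiple keywords combined with AND (conjunctive) or OR."""
        hits = [self.index.get(t, set()) for t in trapdoors]
        if not hits:
            return set()
        return set.intersection(*hits) if conjunctive else set.union(*hits)

    def ranked(self, trapdoors: list) -> list:
        """Ranked query: documents ordered by how many of the queried trapdoors they match."""
        score = {}
        for t in trapdoors:
            for doc_id in self.index.get(t, ()):
                score[doc_id] = score.get(doc_id, 0) + 1
        return sorted(score, key=lambda d: (-score[d], d))
```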
93. Homomorphic Encryption (HE)
• Encrypted data is processed
• Limited operations available (yet)

94. Proxy Re-Encryption (PRE)
• Allows Bob to decrypt data from Alice without her secret key
• Use of semi-trusted server
• Bidirectional vs. unidirectional
• Single hop vs. multi hop
• Used in Digital Rights Management
(Diagram: Alice produces E_A(M); the Proxy, holding the re-encryption key r_{A-B}, turns it into E_B(M) for Bob)

95. Thanks! Q&A
