Cloud Security: New Problem or New Context? Presentation for CloudCamp 2009 (Frankfurt), Matthias Jung, elastic-security.com
  • "Cloud security must be taken seriously. But the tools and procedures are there and just need to be intelligently applied to the new context."
  • Transcript of "Matthias Jung Cloud Security New Problem Or New Context"

    1. Cloud Security: New Problem or New Context? Presentation for CloudCamp 2009 (Frankfurt), Matthias Jung, elastic-security.com
    2. Introduction
         • Security is cited as most important obstacle to adoption
         • Hype: anybody sells his product as cloud computing
         • But which cloud are we talking about?
             • SaaS/PaaS (e.g. GMail, Salesforce)
             • IaaS (e.g. Amazon EC2)
    3. Security for SaaS/PaaS
         • Nothing New: Web-Service threats are well-understood
         • Typical Web-Site attacks (OWASP)
             • SQL injection
             • Cross Site Scripting (XSS)
             • Request Forgery (CSRF)
         • Trust your provider / SLAs
    4. IaaS: Some Old Friends
         • Privacy
             • Storage (dm-crypt)
             • Database encryption
             • Communication (EC2 built-in, ssh et al., openvpn)
         • Intrusion Prevention and Detection
             • Firewall (EC2 built-in, iptables)
             • File Integrity Checks (tripwire)
         • Availability
             • Backup (bacula)
             • Fallback (EC2 built-in, cluster)
    5. IaaS: New Form of Attacks
         • Growing Popularity might attract Hackers
             • People run tampered images
             • Easy and instant access to many machines
             • Auto-Scaling: DoS Attacks paid by the customer
             • Side Channel Attacks
                 • predicting load by measuring cache responses
             • Attack based on lack of entropy for random numbers
             • Bugs in Virtualization software (XEN)
             • Storage data of terminated instance reconstructable
             • Single key-pair for EC2 API
             • Poor Audit Logs for EC2 API
    6. Conclusions
         • IaaS more or less secure than SaaS/PaaS?
             • More
                 • since we have a higher level of control
             • Less
                 • since there are new forms of attacks
         • And Cloud Security Then?
             • Some New Problems
             • Some Provider Enhancements needed (please ask!)
             • Many Well-understood Problems with Solutions (OWASP, CSA)