Matthias Jung Cloud Security New Problem Or New Context

Cloud Security: New Problem or New Context? Presentation for CloudCamp 2009 (Frankfurt) Matthias Jung elastic-security.com

Introduction
Security is cited as most important obstacle to adoption
Hype: anybody sells his product as cloud computing
But which cloud are we are talking about?
SaaS/PaaS (e.g. GMail, Salesforce)
IaaS (e.g. Amazon EC2)

Security for SaaS/PaaS
Nothing New: Web-Service threats are well-understood
Typical Web-Site attacks (OWASP)
SQL injection
Cross Site Scripting (XSS)
Request Forgery (CSRF)
Trust your provider / SLAs

IaaS: Some Old Friends
Privacy
Storage (dm-crypt)
Database encryption
Communication (EC2 built-in, ssh et al., openvpn)
Intrusion Prevention and Detection
Firewall (EC2 built-in, iptables)
File Integrity Checks (tripwire)
Availability
Backup (bacula)
Fallback (EC2 built-in, cluster)

IaaS: New Form of Attacks
Growing Popularity might attract Hackers
People run tampered images
Easy and instant access to many machines
Auto-Scaling: DoS Attacks paid by the customer
Side Channel Attacks
predicting load by measuring cache responses
Attack based on lack of entropy for random numbers
Bugs in Virtualization software (XEN)
Storage data of terminated instance reconstructable
Single key-pair for EC2 API
Poor Audit Logs for EC2 API

Conclusions
IaaS more or less secure than SaaS/PaaS?
More
since we have a higher level of control
Less
since there are new forms of attacks
And Cloud Security Then?
Some New Problems
Some Provider Enhancements needed (please ask!)
Many Well-understood Problems with Solutions (OWASP, CSA)

Matthias Jung Cloud Security New Problem Or New Context

by Cloudcamp on Sep 29, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 3

Statistics

Matthias Jung Cloud Security New Problem Or New Context — Presentation Transcript