Cloud Security
Nimrod Luria
CTO | Q.rity
Information Security Lead | Hi-Tech
Nimrod@Qrity.com
It can be confusing
(Cloud security topic map; columns: Institutional, Business Model and Usage / Technical: System / Technical: DC Operation & Management)
Information Security
• Institutional, Business Model and Usage
   – Security of data center facility: location, natural hazard, utility services; physical access control, monitoring
   – Communication security between user and cloud: reliability of communication path, QoS; confidentiality and security of communication
   – Information Lifecycle Management
   – Client device security
• Technical: System
   – Security of the cloud architecture: virtualized environment; hypervisor; large distributed system (grid); isolation of processes
   – Security of data storage: physical location of storage for disaster recovery, backup and geopolitical risks; isolation between data
   – Data encryption and key management
   – Cryptographic solution for communication, data and operation
   – User authentication, access control, user monitoring
   – Hardware reliability and redundancy
• Technical: DC Operation & Management
   – Operation Management: operator access control; system privilege control; unauthorized access control; incident response; patch and vulnerability management; antiviral software management; application management
   – Information Lifecycle Management
Business Continuity
• Institutional: Cloud provider resiliency; Management and governance of cloud provider; BCP of cloud provider
• Technical: Disaster recovery planning and operation; Availability and dependability of the system and the services
Compliance
• Institutional: Laws and regulations conformity (internal control; personal data protection law; FISMA, HIPAA and others); Data storage location and effect from local laws and regulations and privacy requirement; SLA standards and guidelines
• Technical: Auditability and inquiry accommodation to users, third parties, administration and law enforcement; Digital forensics; Service level assurance
Usability
• Institutional: Portability/lock-in of data and applications; Interoperability and the standardization (cloud to cloud, cloud to on-premise)
• Technical: Process capability and scalability; Storage capacity and scalability; Bottlenecks in data transfer
Source: Copyright © 2009-2010 Information-Technology Promotion Agency, 16/03/2010
www.cloudsecurityalliance.org
Agenda
•   Private cloud architecture
•   Microsoft Private Cloud Solutions
•   Top Cloud Computing Threats
•   Trust in the Cloud
•   Cloud Security: the challenges
•   Cloud Security Frame
•   Secure cloud architecture Q&A
NIST working definition
What constitutes cloud computing?
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)

1. Standardize Identity with Active Directory
2. Virtualize with Hyper-V
3. Standardize Management with System Center
4. Enable Self Service with the Free Self Service Portal
5. Deploy One App on the Windows Azure Platform
Consuming and Delivering IT as a Service
• Application Owner → Self Service Portal → Service Model, which captures:
   – Service Type
   – SLA Requirements
   – Compliance Requirements
   – Access Requirements
   – Load Estimates
   – Billing Info
   – Reporting
• The service model drives the delivery steps: Compose Image, Deploy Image, Attach Network, Configure Image, Configure Service, Configure Monitoring, Configure Reporting, Configure Backup, Configure Security, Monitor Compliance
Secure VDI Support
• Clients (user and app) reach the environment over the Internet through an SSL VPN into a DMZ
• A policy-driven Virtual FW sits in front of VM 1-4 on the Hypervisor (Virtual Machines), segmented into an HR ZONE and a FINANCE ZONE
• Virtualized Security Services: 1. DoS Protection, 2. Firewall, 3. Authentication, 4. Encryption, 5. NAT, 6. Intrusion prevention, 7. Real-time visibility, 8. Traffic prioritization
• Management & Compliance: Policies, Reporting
Microsoft Private Cloud Components
• Self-Service
• Management
• Virtualization
• Identity
Trust in the Cloud
• Compliance and Risk Management
• Identity and Access Management
• Information Protection
• Service Integrity
• Endpoint Integrity
Security is the Major Issue
Cloud computing Risks
• LOCK-IN
• LOSS OF GOVERNANCE
• COMPLIANCE CHALLENGES
• LOSS OF BUSINESS REPUTATION DUE TO CO-TENANT ACTIVITIES
• CLOUD SERVICE TERMINATION OR FAILURE
• CLOUD PROVIDER ACQUISITION
• SUPPLY CHAIN FAILURE
• RESOURCE EXHAUSTION
• ISOLATION FAILURE
• CLOUD PROVIDER MALICIOUS INSIDER
• MANAGEMENT INTERFACE COMPROMISE
• INTERCEPTING DATA IN TRANSIT
• DATA LEAKAGE ON UP/DOWNLOAD, INTRA-CLOUD
• INSECURE OR INEFFECTIVE DELETION OF DATA
• UNDERTAKING MALICIOUS PROBES OR SCANS
• DISTRIBUTED DENIAL OF SERVICE (DDOS)
• ECONOMIC DENIAL OF SERVICE (EDOS)
• LOSS OF ENCRYPTION KEYS
• CONFLICTS BETWEEN CUSTOMER HARDENING PROCEDURES AND CLOUD ENVIRONMENT
• COMPROMISE SERVICE ENGINE
• SUBPOENA AND E-DISCOVERY
• RISK FROM CHANGES OF JURISDICTION
• DATA PROTECTION RISKS
Commonly referenced cloud security Issues
• Bad co-hosts: Amazon: Hey Spammers, Get Off My Cloud! http://voices.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html
• Denial of Service: Bitbucket's Amazon DDoS - what went wrong http://www.theregister.co.uk/2009/10/09/amazon_cloud_bitbucket_ddos_aftermath/
• Many eggs, one basket: Lightning Zaps Amazon Cloud http://news.cnet.com/8301-1001_3-10263425-92.html
• Entitlement Management: Security issues with Google Docs http://peekay.org/2009/03/26/security-issues-with-google-docs/
• In-cloud federated Identity Management
• Lack of Standards
• Hypervisor & Virtual Machine Vulnerabilities
   – An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf
   – Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware), see also http://invisiblethingslab.com/itl/About.html
   – Cloudburst: Arbitrary code execution vulnerability for VMware http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
• Crypto Ops in VM: Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine http://eprint.iacr.org/2009/474
• Data Provenance: Where did the data come from?
• Data Remanence: You can check out but can't leave
• Location & Privacy: Who looks at/after your data? And where? Jurisdictions?
Demo
• Configuring Baseline Security for the Private cloud
Top Cloud Computing Threats
Threat 1: Abuse and Nefarious Use of Cloud Computing
Threat 2: Insecure Interfaces and APIs
Threat 3: Malicious Insiders
Threat 4: Shared Technology Issues
Threat 5: Data Loss or Leakage
Threat 6: Account or Service Hijacking
Threat 7: Unknown Risk Profile
Abuse and Nefarious Use of Cloud Computing
Description
Criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities. Cloud Computing providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers' fraud detection capabilities are limited.
Examples
IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, and downloads for Microsoft Office and Adobe PDF exploits. Additionally, botnets have used IaaS servers for command and control functions. Spam continues to be a problem; as a defensive measure, entire blocks of IaaS network addresses have been publicly blacklisted.
Remediation
• Stricter initial registration and validation processes.
• Enhanced credit card fraud monitoring and coordination.
• Comprehensive introspection of customer network traffic.
• Monitoring public blacklists for one's own network blocks.
IaaS   PaaS   SaaS
Insecure Interfaces and APIs
Description
Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.
Examples
Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies.
Remediation
• Analyze the security model of cloud provider interfaces.
• Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
• Understand the dependency chain associated with the API.
IaaS   PaaS   SaaS
Malicious Insiders
Description
The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.
Examples
No public examples are available at this time.
Remediation
• Enforce strict supply chain management and conduct a comprehensive supplier assessment.
• Specify human resource requirements as part of legal contracts.
• Require transparency into overall information security and management practices, as well as compliance reporting.
• Determine security breach notification processes.
IaaS   PaaS   SaaS
Shared Technology Issues
Description
Attacks have surfaced in recent years that target the shared technology inside Cloud Computing environments. Disk partitions, CPU caches, GPUs, and other shared elements were never designed for strong compartmentalization. As a result, attackers focus on how to impact the operations of other cloud customers, and how to gain unauthorized access to data.
Examples
• Joanna Rutkowska's Red and Blue Pill exploits
• Kortchinsky's CloudBurst presentations.
Remediation
• Implement security best practices for installation/configuration.
• Monitor environment for unauthorized changes/activity.
• Promote strong authentication and access control for administrative access and operations.
• Enforce service level agreements for patching and vulnerability remediation.
• Conduct vulnerability scanning and configuration audits.
IaaS   PaaS   SaaS
Data Loss or Leakage
Description
The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
Examples
Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys.
Remediation
• Implement strong API access control.
• Encrypt and protect integrity of data in transit.
• Analyze data protection at both design and run time.
• Implement strong key generation, storage and management, and destruction practices.
• Contractually demand providers wipe persistent media before it is released into the pool.
• Contractually specify provider backup and retention strategies.
IaaS   PaaS   SaaS
Account or Service Hijacking
Description
Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services.
Examples
Amazon EC2 Zeus password stealing.
Remediation
• Prohibit the sharing of account credentials between users and services.
• Leverage strong two-factor authentication techniques where possible.
• Employ proactive monitoring to detect unauthorized activity.
• Understand cloud provider security policies and SLAs.
IaaS   PaaS   SaaS
Unknown Risk Profile
Description
When adopting a cloud service, the features and functionality may be well advertised, but what about details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging? How are your data and related logs stored and who has access to them? What information if any will the vendor disclose in the event of a security incident? Often such questions are not clearly answered or are overlooked, leaving customers with an unknown risk profile that may include serious threats.
Examples
IRS asked Amazon EC2 to perform a C&A; Amazon refused. http://news.qualys.com/newsblog/forrester-cloud-computingqa.html
Remediation
• Disclosure of applicable logs and data.
• Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.).
• Monitoring and alerting on necessary information.
IaaS   PaaS   SaaS
Fraud as a service
What’s Required?
  • Buy the malware
  • Choose a server (“bulletproof hosting”)
  • Install malware on a server
  • Infect PCs
  • Keep the malware up-to-date
Beyond Architecture: The Areas Of Critical Focus
•   Governance and Enterprise Risk Management
•   Legal and Electronic Discovery
•   Compliance and Audit
•   Information Lifecycle Management
•   Portability and Interoperability
•   Traditional Security, Business Continuity and Disaster Recovery
•   Data Center Operations
•   Incident Response, Notification and Remediation
•   Application Security
•   Encryption and Key Management
•   Identity and Access Management
•   Virtualization
Analyzing Cloud Security
• Clouds are massively complex systems that can be reduced to simple primitives, replicated thousands of times, and common functional units
Cloud Security: the challenges
(Centre of the diagram: Cloud Service & Data Security)
• Multi-tenancy
   – Security of shared resources
   – Process isolation
   – Data segregation
   – 'Data sharding' (fragmentation across images)
• Risks
   – Lack of transparency, limited audit ability
   – Regulatory violation
   – No risk transference for data
   – Infrastructure misuse / break in
• Law & Compliance
   – Provider & resource / data location
   – Cross-border data movement
   – PII and privacy obligations (HIPAA, GLBA)
   – Poor quality of evidence
   – Auditing and compliance (PCI, ISO 27001)
• Identity & Access Management
• Data Commingling
   – In-cloud segregation of data: difficult
   – Accidental seizure of customer data during forensic investigations
• Data Location & Mobility
   – EU vs. US vs. China regulations (Government access)
   – Differences in data protection between regions
   – Cost of keeping data hosting in EU
   – Audit data is legally owned by CSP and not client
   – Cases of CSP refusing to 'hand over audit logs'
   – Extremely difficult to involve law enforcement with CSP activities - breach investigation/litigation
• Resilience & Availability
   – Latency sensitive applications
   – Enforcement of SLA obligations
   – Insufficient capabilities to cater for critical data
• Cloud lock in
   – Lack of standards
   – Lack of interoperability
   – Limited service portability
   – Incompatible management processes
• Security at multiple layers
   – Virtual image provided by IaaS provider
   – Platform stack provided by PaaS provider
   – IaaS, PaaS issues + application security
Cloud Security: the challenges
(Centre of the diagram: Virtual Infrastructure Security)
• Data risks
   – CSPs do not allow clients to classify data
   – CSPs cannot offer different levels of security based upon data sensitivity
   – No DLP (data leakage protection) services offered
• Isolation
   – Hypervisor-VM and inter-VM isolation: robust at system level (modulo kernel bugs); issues at management plane; memory hijacking
• VM Security
   – Guest OS needs security protection at massive scale
   – Resilient VM life-cycle: secure, scalable, dynamic
• Physical to virtual mapping
• Crypto doesn't like virtual
   – Current algorithms set to optimise resource pooling
   – Can't always use specialised HW
   – Encryption key management
• Reliance on VM vendor security
   – Issues with guest OS security
   – Can VMware, Microsoft be trusted to implement kernel security correctly?
Private Clouds and User Roles
• VMM Admin
   – Scope: Everything
   – Scope cannot be modified
   – Can take any action
• Delegated Admin
   – Scope: Host groups and Clouds
   – Create cloud from physical capacity
   – Access to cloud automatically gives access to host groups
   – Includes all Cloud Manager rights
• Cloud Manager
   – Scope: Clouds only
   – Subdivides clouds
   – Delegates clouds
   – Includes all Self-Service User rights
• Self-Service User
   – Scope: Clouds only
   – Manages services and VMs
   – Authors templates
   – Shares resources
   – Actions can be revoked
   – Quota: Per-user limit
User Roles and Scope
Nested scopes, widest to narrowest: VMM Admin > Delegated Admin > Cloud Manager > Self Service User
Private Cloud Usage Scenarios
1. VMM Admin creates a private cloud
2. VMM Admin delegates the cloud to Cloud Manager
3. Cloud Manager sub-divides the cloud and assigns it to Self-Service User
4. Self Service User creates VMs and services in the cloud
Security as a service
Identity as a service (IDaaS)
IAM Protocols and Standards
•   SAML
•   XACML
•   OAuth
•   OpenID
•   OATH
•   OpenAuth
Demo
• Set Cloud CSRF (oneClick) to Stop machine
The future of cloud computing security
• Infrastructure security
   – Greater transparency of security capabilities.
• Data security and storage
   – Predicate encryption
• Identity and access management
   – Hybrid IAM strategy
• Security management
   – Unified Management function across CSP’s
Resources
• http://www.cloudsecurityalliance.org/Research.html
• http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
• Microsoft Security Compliance Manager
   – http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displayLang=en
• Build Your Own Private Cloud
   – http://www.microsoft.com/virtualization/en/us/private-cloud-get-started.aspx
• http://blogs.technet.com/b/ddcalliance/archive/2010/02/16/dynamic-infrastructure-toolkit-for-system-center-dit-sc-sneak-peek-into-on-boarding.aspx
Thank You !
  Nimrod@Qrity.com
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
Dhaval Dave
 
Leaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for CustomersLeaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for Customers
OpSource
 
Cost Optimisation with Amazon Web Services
 Cost Optimisation with Amazon Web Services Cost Optimisation with Amazon Web Services
Cost Optimisation with Amazon Web Services
Amazon Web Services
 

Viewers also liked (17)

Financial Risk Management: Integrated Solutions to Help Financial Institution...
Financial Risk Management: Integrated Solutions to Help Financial Institution...Financial Risk Management: Integrated Solutions to Help Financial Institution...
Financial Risk Management: Integrated Solutions to Help Financial Institution...
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Cloud Security Issues 1.04.10
Cloud Security  Issues 1.04.10Cloud Security  Issues 1.04.10
Cloud Security Issues 1.04.10
 
Cloud Computing Without The Hype An Executive Guide (1.00 Slideshare)
Cloud Computing Without The Hype   An Executive Guide (1.00 Slideshare)Cloud Computing Without The Hype   An Executive Guide (1.00 Slideshare)
Cloud Computing Without The Hype An Executive Guide (1.00 Slideshare)
 
Enterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityEnterprise Strategy for Cloud Security
Enterprise Strategy for Cloud Security
 
Cloud Economics: Optimising for Cost
Cloud Economics: Optimising for CostCloud Economics: Optimising for Cost
Cloud Economics: Optimising for Cost
 
Oracle Cloud Reference Architecture
Oracle Cloud Reference ArchitectureOracle Cloud Reference Architecture
Oracle Cloud Reference Architecture
 
Cloud computing architecture and vulnerabilies
Cloud computing architecture and vulnerabiliesCloud computing architecture and vulnerabilies
Cloud computing architecture and vulnerabilies
 
Scaling the Cloud - Cloud Security
Scaling the Cloud - Cloud SecurityScaling the Cloud - Cloud Security
Scaling the Cloud - Cloud Security
 
Cloud Computing Integration Introduction
Cloud Computing Integration IntroductionCloud Computing Integration Introduction
Cloud Computing Integration Introduction
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
 
Getting an open systems cloud strategy right the first time linthicm
Getting an open systems cloud strategy right the first time linthicmGetting an open systems cloud strategy right the first time linthicm
Getting an open systems cloud strategy right the first time linthicm
 
Leaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for CustomersLeaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for Customers
 
Cost Optimisation with Amazon Web Services
 Cost Optimisation with Amazon Web Services Cost Optimisation with Amazon Web Services
Cost Optimisation with Amazon Web Services
 
Cloud Computing and Enterprise Architecture
Cloud Computing and Enterprise ArchitectureCloud Computing and Enterprise Architecture
Cloud Computing and Enterprise Architecture
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 

Similar to Cloud Security

Secure Enterprise Cloud
Secure Enterprise CloudSecure Enterprise Cloud
Secure Enterprise Cloud
Indu Kodukula
 
SunGard Enterprise Cloud Services @ Cloud Connect 2011
SunGard Enterprise Cloud Services @ Cloud Connect 2011SunGard Enterprise Cloud Services @ Cloud Connect 2011
SunGard Enterprise Cloud Services @ Cloud Connect 2011
Satish Hemachandran
 
Enterprise Security in Cloud
Enterprise Security in CloudEnterprise Security in Cloud
Enterprise Security in Cloud
Lenin Aboagye
 
HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010
Andris Soroka
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloud
Ajay Rathi
 
Qradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_finalQradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_final
Arrow ECS UK
 
Managing a public cloud
Managing a public cloudManaging a public cloud
Managing a public cloud
Interop
 
Managed vs customer presentation
Managed vs customer presentationManaged vs customer presentation
Managed vs customer presentation
hemanth102030
 
Avensus Corporate Presentation
Avensus Corporate PresentationAvensus Corporate Presentation
Avensus Corporate Presentation
Parth Agrawal
 
Meraki 2012 Corporate Brochure
Meraki 2012 Corporate BrochureMeraki 2012 Corporate Brochure
Meraki 2012 Corporate Brochure
guillaumepays
 

Similar to Cloud Security (20)

Secure Enterprise Cloud
Secure Enterprise CloudSecure Enterprise Cloud
Secure Enterprise Cloud
 
SunGard Enterprise Cloud Services @ Cloud Connect 2011
SunGard Enterprise Cloud Services @ Cloud Connect 2011SunGard Enterprise Cloud Services @ Cloud Connect 2011
SunGard Enterprise Cloud Services @ Cloud Connect 2011
 
Sådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig informationSådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig information
 
Enterprise Security in Cloud
Enterprise Security in CloudEnterprise Security in Cloud
Enterprise Security in Cloud
 
Enterprise Security in Hybrid Cloud ISACA-SV 2012
Enterprise Security in Hybrid Cloud ISACA-SV 2012Enterprise Security in Hybrid Cloud ISACA-SV 2012
Enterprise Security in Hybrid Cloud ISACA-SV 2012
 
HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010
 
International approaches to critical information infrastructure protection ...
International approaches to critical information infrastructure protection   ...International approaches to critical information infrastructure protection   ...
International approaches to critical information infrastructure protection ...
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloud
 
Securityinsideout
SecurityinsideoutSecurityinsideout
Securityinsideout
 
Qradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_finalQradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_final
 
Security Patterns How To Make Security Arch Easy To Consume
Security Patterns   How To Make Security Arch Easy To ConsumeSecurity Patterns   How To Make Security Arch Easy To Consume
Security Patterns How To Make Security Arch Easy To Consume
 
The Data Distribution Service
The Data Distribution ServiceThe Data Distribution Service
The Data Distribution Service
 
Testing cloud services - EuroSTAR
Testing cloud services - EuroSTARTesting cloud services - EuroSTAR
Testing cloud services - EuroSTAR
 
Managing a public cloud
Managing a public cloudManaging a public cloud
Managing a public cloud
 
Managed vs customer presentation
Managed vs customer presentationManaged vs customer presentation
Managed vs customer presentation
 
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
 
Avensus Corporate Presentation
Avensus Corporate PresentationAvensus Corporate Presentation
Avensus Corporate Presentation
 
Cloud Auditing
Cloud AuditingCloud Auditing
Cloud Auditing
 
Symantec Enterprise Mobility - Mobile World Congress February 2012
Symantec Enterprise Mobility - Mobile World Congress February 2012Symantec Enterprise Mobility - Mobile World Congress February 2012
Symantec Enterprise Mobility - Mobile World Congress February 2012
 
Meraki 2012 Corporate Brochure
Meraki 2012 Corporate BrochureMeraki 2012 Corporate Brochure
Meraki 2012 Corporate Brochure
 

Recently uploaded

Recently uploaded (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Cloud Security

  • 1. Cloud Security Nimrod Luria CTO | Q.rity Information Security Lead | Hi-Tech Nimrod@Qrity.com
  • 3. It can be confusing
  Rows are security areas; columns are the "Institutional, Business Model and Usage" view and the "Technical" view (System; DC Operation & Management).
  Information Security
    Institutional, Business Model and Usage:
      - Security of data center facility: location, natural hazard, utility services; physical access control, monitoring
      - Communication security between user and cloud: reliability of communication path, QoS; confidentiality and security of communication
      - Information Lifecycle Management
      - Client device security
      - User authentication, access control, user monitoring
    Technical / System:
      - Security of the cloud architecture: virtualized environment; hypervisor; large distributed system (grid); isolation of processes
      - Security of data storage: physical location of storage for disaster recovery, backup and geopolitical risks; isolation between data
      - Data encryption and key management
      - Cryptographic solution for communication, data and operation
      - Hardware reliability and redundancy
    Technical / DC Operation & Management:
      - Operation management: operator access control; system privilege control; unauthorized access control; incident response; patch and vulnerability management; antivirus software management; application management
      - Information Lifecycle Management
  Business Continuity
    - Cloud provider resiliency
    - Disaster recovery planning and operation
    - Management and governance of cloud provider
    - Availability and dependability of the system and the services
    - BCP of cloud provider
  Compliance
    - Laws and regulations conformity: internal control; personal data protection law; FISMA, HIPAA and others
    - Auditability and inquiry accommodation to users, third parties, administration and law enforcement
    - Digital forensics
    - Data storage location and effect from local laws and regulations and privacy requirement
  SLA standards and guidelines
    - Service level assurance
  Usability
    - Portability/lock-in of data and applications: process capability and scalability; storage capacity and scalability
    - Interoperability and the standardization (cloud to cloud, cloud to on-premise)
    - Bottlenecks in data transfer
  Source: Copyright © 2009-2010 Information-Technology Promotion Agency, 16/03/2010
  • 5. Agenda
    - Private cloud architecture
    - Microsoft Private Cloud Solutions
    - Top Cloud Computing Threats
    - Trust in the Cloud
    - Cloud Security: the challenges
    - Cloud Security Frame
    - Secure cloud architecture
    - Q&A
  • 7. What Constitutes cloud computing? SOFTWARE AS A SERVICE PLATFORM AS A SERVICE INFRASTRUCTURE AS A SERVICE
  • 8.
    1. Standardize identity with Active Directory
    2. Virtualize with Hyper-V
    3. Standardize management with System Center
    4. Enable self service with the free Self Service Portal
    5. Deploy one app on the Windows Azure Platform
  • 9. Consuming and Delivering IT as a Service
    Requested through the self-service portal: service type, image, SLA requirements, network requirements, compliance requirements, access requirements, load estimates, application owner, backup info
    Delivered by the provider: compose service, deploy image, attach network, configure image, configure service model, configure monitoring, configure reporting, configure billing, configure security, monitor compliance
  • 10. [Diagram: secure private cloud. Clients reach user and application VMs on the hypervisor over the Internet through an SSL VPN and a virtual firewall; secure VDI and support VMs; network zones: DMZ, HR zone, Finance zone; one policy applied across the virtual machines.]
    Virtualized security services: 1 DoS protection, 2 firewall, 3 authentication, 4 encryption, 5 NAT, 6 intrusion prevention, 7 real-time visibility, 8 traffic prioritization; plus policies, reporting, management & compliance.
  • 11. Microsoft Private Cloud Components SELF-SERVICE MANAGEMENT VIRTUALIZATION IDENTITY
  • 12. Trust in the Cloud
    - Compliance and Risk Management
    - Identity and Access Management
    - Information Protection
    - Service Integrity
    - Endpoint Integrity
  • 13. Security is the Major Issue
  • 14. Cloud computing risks
    - Lock-in
    - Loss of governance
    - Compliance challenges
    - Loss of business reputation due to co-tenant activities
    - Cloud service termination or failure
    - Cloud provider acquisition
    - Supply chain failure
    - Resource exhaustion
    - Isolation failure
    - Cloud provider malicious insider
    - Management interface compromise
    - Intercepting data in transit
    - Data leakage on up/download, intra-cloud
    - Insecure or ineffective deletion of data
    - Undertaking malicious probes or scans
    - Distributed denial of service (DDoS)
    - Economic denial of service (EDoS)
    - Loss of encryption keys
    - Conflicts between customer hardening procedures and cloud environment
    - Compromise service engine
    - Subpoena and e-discovery
    - Risk from changes of jurisdiction
    - Data protection risks
  • 15. Commonly referenced cloud security issues
    - Bad co-hosts: "Amazon: Hey Spammers, Get Off My Cloud!" http://voices.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html
    - Denial of service: "Bitbucket's Amazon DDoS - what went wrong" http://www.theregister.co.uk/2009/10/09/amazon_cloud_bitbucket_ddos_aftermath/
    - Many eggs, one basket: "Lightning Zaps Amazon Cloud" http://news.cnet.com/8301-1001_3-10263425-92.html
    - In-cloud federated identity management, entitlement management, lack of standards: "Security issues with Google Docs" http://peekay.org/2009/03/26/security-issues-with-google-docs/
    - Hypervisor & virtual machine vulnerabilities:
        "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments" (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf
        Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware), see also http://invisiblethingslab.com/itl/About.html
        Cloudburst: arbitrary code execution vulnerability for VMware http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
    - Crypto ops in VM: "Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine" http://eprint.iacr.org/2009/474
    - Data provenance: where did the data come from?
    - Data remanence: you can check out but can't leave
    - Location & privacy: who looks at/after your data? And where? Jurisdictions?
  • 17. Demo • Configuring Baseline Security for the Private cloud
  • 18. Top Cloud Computing Threats
    Threat 1: Abuse and Nefarious Use of Cloud Computing
    Threat 2: Insecure Interfaces and APIs
    Threat 3: Malicious Insiders
    Threat 4: Shared Technology Issues
    Threat 5: Data Loss or Leakage
    Threat 6: Account or Service Hijacking
    Threat 7: Unknown Risk Profile
  • 19. Abuse and Nefarious Use of Cloud Computing
    Description: Criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities. Cloud computing providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers' fraud detection capabilities are limited.
    Examples: IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, and downloads for Microsoft Office and Adobe PDF exploits. Additionally, botnets have used IaaS servers for command and control functions. Spam continues to be a problem; as a defensive measure, entire blocks of IaaS network addresses have been publicly blacklisted.
    Remediation:
      - Stricter initial registration and validation processes.
      - Enhanced credit card fraud monitoring and coordination.
      - Comprehensive introspection of customer network traffic.
      - Monitoring public blacklists for one's own network blocks.
    Service models affected: IaaS, PaaS, SaaS
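The last remediation item, monitoring public blacklists for one's own network blocks, is easy to automate. The script below is an added example, not part of the original deck: it parses a blocklist export in the usual one-entry-per-line form and reports which of the prefixes you own overlap it, and which are listed outright. OWN_BLOCKS and SAMPLE_BLOCKLIST are constructed sample data (RFC 5737 documentation prefixes stand in for a provider's address pool); a real run would feed in a downloaded DNSBL/RBL or threat-intelligence export instead.

```python
"""Check a published blocklist against the address blocks you own.

Added example, not from the original slides. OWN_BLOCKS and SAMPLE_BLOCKLIST
are constructed sample data; a real run would feed in a downloaded DNSBL/RBL
or threat-intelligence export in the same one-entry-per-line form.
"""
import ipaddress

# Constructed: the prefixes "we" announce and hand out to tenants.
OWN_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

# Constructed blocklist export: single IPs, CIDR ranges, comments and a
# malformed line, the mix real feeds tend to contain.
SAMPLE_BLOCKLIST = """\
# example blocklist export
192.0.2.44            ; spam source
198.51.100.0/26       ; botnet C2 range
203.0.113.200
203.0.113.0/24        ; whole range listed
10.0.0.5              ; somebody else's address
not-an-address
"""


def parse_blocklist(text):
    """Return the networks in a blocklist export, skipping comments and junk.

    Single addresses become /32 (or /128) networks so every entry supports
    the same overlap checks.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed line: ignore rather than abort the whole check
    return entries


def find_listed_own_addresses(blocklist_text, own_blocks=OWN_BLOCKS):
    """Map each owned prefix (as a string) to the blocklist entries that
    overlap it, in feed order. Prefixes with no hits are absent."""
    own = [ipaddress.ip_network(b) for b in own_blocks]
    hits = {}
    for entry in parse_blocklist(blocklist_text):
        for block in own:
            if entry.version == block.version and entry.overlaps(block):
                hits.setdefault(str(block), []).append(str(entry))
    return hits


def fully_listed_blocks(blocklist_text, own_blocks=OWN_BLOCKS):
    """Owned prefixes that a single blocklist entry covers entirely: the
    case where every customer on that range starts bouncing mail."""
    entries = parse_blocklist(blocklist_text)
    covered = []
    for b in own_blocks:
        block = ipaddress.ip_network(b)
        if any(e.version == block.version and e.supernet_of(block) for e in entries):
            covered.append(str(block))
    return covered


if __name__ == "__main__":
    for block, listed in find_listed_own_addresses(SAMPLE_BLOCKLIST).items():
        print(f"{block}: {', '.join(listed)}")
    print("fully listed:", fully_listed_blocks(SAMPLE_BLOCKLIST))
```

A single listed address inside a prefix is the signal to go and find the abusive tenant; a prefix that is listed whole is the reputation damage the slide describes, and needs a delisting request as well as the clean-up.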
  • 21. Insecure Interfaces and APIs
    Description: Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.
    Examples: Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies.
    Remediation:
      - Analyze the security model of cloud provider interfaces.
      - Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
      - Understand the dependency chain associated with the API.
    Service models affected: IaaS, PaaS, SaaS
  • 22. Malicious Insiders
    Description: The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.
    Examples: No public examples are available at this time.
    Remediation:
      - Enforce strict supply chain management and conduct a comprehensive supplier assessment.
      - Specify human resource requirements as part of legal contracts.
      - Require transparency into overall information security and management practices, as well as compliance reporting.
      - Determine security breach notification processes.
    Service models affected: IaaS, PaaS, SaaS
  • 23. Shared Technology Issues
    Description: Attacks have surfaced in recent years that target the shared technology inside cloud computing environments. Disk partitions, CPU caches, GPUs, and other shared elements were never designed for strong compartmentalization. As a result, attackers focus on how to impact the operations of other cloud customers, and how to gain unauthorized access to data.
    Examples:
      - Joanna Rutkowska's Red and Blue Pill exploits
      - Kortchinsky's CloudBurst presentations
    Remediation:
      - Implement security best practices for installation/configuration.
      - Monitor environment for unauthorized changes/activity.
      - Promote strong authentication and access control for administrative access and operations.
      - Enforce service level agreements for patching and vulnerability remediation.
      - Conduct vulnerability scanning and configuration audits.
    Service models affected: IaaS, PaaS, SaaS
  • 24. Data Loss or Leakage
    Description: The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
    Examples: Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys.
    Remediation:
      - Implement strong API access control.
      - Encrypt and protect integrity of data in transit.
      - Analyze data protection at both design and run time.
      - Implement strong key generation, storage and management, and destruction practices.
      - Contractually demand providers wipe persistent media before it is released into the pool.
      - Contractually specify provider backup and retention strategies.
    Service models affected: IaaS, PaaS, SaaS
  • 26. Account or Service Hijacking
    Description: Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services.
    Examples: Amazon EC2 Zeus password stealing.
    Remediation:
      - Prohibit the sharing of account credentials between users and services.
      - Leverage strong two-factor authentication techniques where possible.
      - Employ proactive monitoring to detect unauthorized activity.
      - Understand cloud provider security policies and SLAs.
    Service models affected: IaaS, PaaS, SaaS
  • 28. Unknown Risk Profile
    Description: When adopting a cloud service, the features and functionality may be well advertised, but what about details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging? How are your data and related logs stored and who has access to them? What information, if any, will the vendor disclose in the event of a security incident? Often such questions are not clearly answered or are overlooked, leaving customers with an unknown risk profile that may include serious threats.
    Examples: The IRS asked Amazon EC2 to perform a C&A (certification and accreditation); Amazon refused. http://news.qualys.com/newsblog/forrester-cloud-computingqa.html
    Remediation:
      - Disclosure of applicable logs and data.
      - Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.).
      - Monitoring and alerting on necessary information.
    Service models affected: IaaS, PaaS, SaaS
  • 29. Fraud as a service What’s Required? • Buy the malware • Choose a server (“bulletproof hosting”) • Install malware on a server • Infect PCs • Keep the malware up-to-date
  • 30. Beyond Architecture: The Areas Of Critical Focus • Governance and Enterprise Risk Management • Legal and Electronic Discovery • Compliance and Audit • Information Lifecycle Management • Portability and Interoperability • Traditional Security, Business Continuity and Disaster Recovery • Data Center Operations • Incident Response, Notification and Remediation • Application Security • Encryption and Key Management • Identity and Access Management • Virtualization
  • 31. Analyzing Cloud Security • Clouds are massively complex systems that can be reduced to simple primitives, replicated thousands of times, and common functional units
  • 32. Cloud Security: the challenges
    Law & Compliance
      - Provider & resource / data location
      - Cross-border data movement
      - PII and privacy obligations (HIPAA, GLBA)
      - Regulatory violation
      - Auditing and compliance (PCI, ISO 27001)
      - No risk transference for data
    Data Location & Mobility
      - EU vs. US vs. China regulations (government access)
      - Differences in data protection between regions
      - Cost of keeping data hosting in EU
      - Cloud audit data is legally owned by CSP and not client
      - Cases of CSP refusing to 'hand over audit logs'
      - Extremely difficult to involve law enforcement with CSP activities - breach investigation/litigation
    Multi-tenancy Risks
      - Security of shared resources
      - Lack of transparency, limited auditability, poor quality of evidence
      - Process isolation
      - Data segregation
      - 'Data sharding' (fragmentation across images)
      - Infrastructure misuse / break in
      - Data commingling
      - In-cloud segregation of data: difficult
      - Accidental seizure of customer data during forensic investigations
    Identity & Access Management (area named on the slide without detail)
    Resilience & Availability
      - Latency sensitive applications
      - Enforcement of SLA obligations
      - Insufficient capabilities to cater for critical data
    Service & Data Security (area named on the slide without detail)
    Cloud lock-in
      - Lack of standards
      - Lack of interoperability
      - Limited service portability
      - Incompatible management processes
    Security at multiple layers
      - Virtual image provided by IaaS provider
      - Platform stack provided by PaaS provider
      - IaaS, PaaS issues + application security
  • 33. Cloud Security: the challenges
    Isolation
      - Hypervisor-VM and inter-VM isolation: robust at system level (modulo kernel bugs); issues at management plane; memory hijacking
    Data risks
      - CSPs do not allow clients to classify data
      - CSPs cannot offer different levels of security based upon data sensitivity
      - No DLP (data leakage protection) services offered
    VM security
      - Guest OS needs security protection at massive scale
      - Security-resilient VM life-cycle: secure, scalable, dynamic
      - Reliance on VM vendor security
    Virtual infrastructure
      - Physical-to-virtual mapping
      - Crypto doesn't like virtual: current algorithms are set to optimise resource pooling; can't always use specialised HW
      - Encryption key management
    Issues with guest OS security
      - Can VMware, Microsoft be trusted to implement kernel security correctly?
  • 35. Private Clouds and User Roles
    VMM Admin
      - Scope: everything; scope cannot be modified
      - Can take any action
    Delegated Admin
      - Scope: host groups and clouds
      - Creates clouds from physical capacity
      - Delegates clouds
      - Access to a cloud automatically gives access to its host groups
      - Includes all Cloud Manager rights
    Cloud Manager
      - Scope: clouds only
      - Subdivides clouds
      - Includes all Self-Service User rights
    Self-Service User
      - Scope: clouds only
      - Manages services and VMs
      - Authors templates
      - Shares resources
      - Actions can be revoked
      - Quota: per-user limit
  • 36. User Roles and Scope (nested, widest scope first): VMM Admin > Delegated Admin > Cloud Manager > Self-Service User
  • 37. Private Cloud Usage Scenarios VMM Admin creates a private cloud VMM Admin delegates the cloud to Cloud Manager Cloud Manager sub-divides the cloud and assigns it to Self-Service User Self Service User creates VMs and services in the cloud
  • 38. Security as a service
  • 39. Identity as a service (IDaaS)
  • 40. IAM Protocols and Standards • SAML • XACML • OAuth • OpenID • OATH • OpenAuth
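The OATH entry in that list is the HOTP/TOTP family that most "strong two-factor authentication" for cloud consoles (slide 26's remediation) actually uses. The block below is an added example, not part of the original deck: a standard-library implementation of RFC 4226 HOTP and RFC 6238 TOTP, plus the server-side verifier logic a portal needs (constant-time comparison, a small clock-skew window, and refusal to accept a step that was already used). RFC_TEST_KEY is the ASCII test secret from the RFCs, so the outputs can be checked against the RFC test vectors; TotpVerifier is this example's own name.

```python
"""OATH HOTP (RFC 4226) and TOTP (RFC 6238) using only the standard library.

Added example, not from the slides. RFC_TEST_KEY is the test secret from
RFC 4226 / RFC 6238 so the values can be checked against the RFC tables.
"""
import hashlib
import hmac
import struct

RFC_TEST_KEY = b"12345678901234567890"


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic
    truncation (low nibble of the last byte selects a 31-bit slice)."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP whose counter is the Unix time divided into steps."""
    return hotp(key, at // step, digits, algo)


class TotpVerifier:
    """Server-side verifier for one enrolled key.

    Accepts the current step plus `window` steps either side (client clock
    skew), compares in constant time, and remembers the highest step already
    accepted so a captured code cannot be replayed within the window.
    """

    def __init__(self, key, step=30, digits=6, window=1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, code, at):
        counter = at // self.step
        for offset in range(-self.window, self.window + 1):
            candidate = counter + offset
            if candidate <= self.last_counter:
                continue  # already used (or older): never accept twice
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_KEY, 0))            # 755224 per RFC 4226
    print("TOTP at t=59  :", totp(RFC_TEST_KEY, 59, digits=8))  # 94287082 per RFC 6238
```

The replay check matters in the cloud-console setting: a code phished or keylogged from a user (the Zeus scenario on slide 26) is only useful for the current window, and not at all once the legitimate login has consumed that step.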
  • 41. Demo Set Cloud CSRF (oneClick) to Stop machine
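The demo is a one-click CSRF: a self-service portal that stops a machine on a request carrying only the victim's session cookie, which the browser attaches to any request an attacker's page triggers. The block below is an added example, not the deck's demo code: it models the "stop VM" action with plain functions instead of a web framework, shows the vulnerable handler beside the hardened one (POST only, per-session synchronizer token, Origin/Referer check), and builds the forged and the legitimate requests so the difference can be exercised. Request, VM_STATE, SESSIONS, PORTAL_ORIGIN and the handler names are this example's own; the inventory and session values are constructed.

```python
"""One-click CSRF against a cloud self-service portal, and the fix.

Added example, not the demo from the slides. Request, VM_STATE, SESSIONS,
PORTAL_ORIGIN and the handler names are this example's own; the inventory
and session values are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

PORTAL_ORIGIN = "https://portal.example.test"   # assumed portal origin
CSRF_SECRET = secrets.token_bytes(32)           # server-side key for token HMACs

VM_STATE: Dict[str, str] = {"vm-42": "running"}   # constructed inventory
SESSIONS: Dict[str, str] = {"s3ss10n": "alice"}   # constructed cookie -> user


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


def reset_state():
    VM_STATE["vm-42"] = "running"


def current_user(req: Request):
    return SESSIONS.get(req.cookies.get("session", ""))


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The portal renders it into its own forms; other origins cannot read it."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def stop_vm_vulnerable(req: Request) -> Tuple[int, str]:
    """Authenticates by cookie alone and acts on GET, so any page the victim
    visits can trigger it with <img src="https://portal.../vm/stop?vm=vm-42">."""
    user = current_user(req)
    if user is None:
        return 401, "login required"
    vm = req.query.get("vm") or req.form.get("vm")
    if vm not in VM_STATE:
        return 404, "no such vm"
    VM_STATE[vm] = "stopped"
    return 200, f"{vm} stopped by {user}"


def stop_vm_hardened(req: Request) -> Tuple[int, str]:
    """State change only on POST from the portal's own origin, carrying the
    session's CSRF token; the browser-attached cookie alone proves nothing."""
    user = current_user(req)
    if user is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "POST required"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    # exact-origin match: a plain prefix test would accept portal.example.test.evil
    if origin != PORTAL_ORIGIN and not origin.startswith(PORTAL_ORIGIN + "/"):
        return 403, "cross-site request refused"
    expected = csrf_token(req.cookies["session"])
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return 403, "missing or wrong csrf token"
    vm = req.form.get("vm")
    if vm not in VM_STATE:
        return 404, "no such vm"
    VM_STATE[vm] = "stopped"
    return 200, f"{vm} stopped by {user}"


def forged_one_click_request(method: str = "GET") -> Request:
    """What the portal receives when the logged-in victim loads the attacker's
    page: the browser attaches the portal cookie, but the attacker has no CSRF
    token and the Origin/Referer is the attacker's site."""
    attacker = "https://evil.example.test"
    if method == "GET":   # <img>/<a> one-click: parameters in the URL
        return Request("GET", "/vm/stop", cookies={"session": "s3ss10n"},
                       headers={"Referer": attacker + "/lure.html"},
                       query={"vm": "vm-42"})
    return Request("POST", "/vm/stop", cookies={"session": "s3ss10n"},  # auto-submitted form
                   headers={"Origin": attacker}, form={"vm": "vm-42"})


def legitimate_stop_request(vm: str) -> Request:
    """The portal's own form: POST from the portal origin with the token it
    rendered for this session."""
    return Request("POST", "/vm/stop", cookies={"session": "s3ss10n"},
                   headers={"Origin": PORTAL_ORIGIN},
                   form={"vm": vm, "csrf_token": csrf_token("s3ss10n")})
```

Either check alone is defeated by a browser or proxy that strips Origin and Referer, or by a token leaked through XSS on the portal, which is why both are kept; current browsers add a third layer with the SameSite cookie attribute, which keeps the session cookie off cross-site requests in the first place.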
  • 42. The future of cloud computing security • Infrastructure security – Greater transparency of security capabilities. • Data security and storage – Predicate encryption • Identity and access management – Hybrid IAM strategy • Security management – Unified Management function across CSP’s
  • 43. Resources
    - http://www.cloudsecurityalliance.org/Research.html
    - http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
    - Microsoft Security Compliance Manager – http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displayLang=en
    - Build Your Own Private Cloud – http://www.microsoft.com/virtualization/en/us/private-cloud-get-started.aspx
    - http://blogs.technet.com/b/ddcalliance/archive/2010/02/16/dynamic-infrastructure-toolkit-for-system-center-dit-sc-sneak-peek-into-on-boarding.aspx
  • 44. Thank You ! Nimrod@Qrity.com