Brighttalk Challenges In Cloud Security


Talk about Cloud Security on the Brighttalk Summit of Public, Private & Hybrid Clouds (

Published in: Technology, Business
  • Brighttalk Challenges In Cloud Security

    1. Challenges in Cloud Security: Public vs Private Clouds (Sergio Loureiro)
    2. Outline
         • Definitions
         • State of the art of cloud attacks
         • Roots of security threats
         • Challenges ahead
         • Conclusion
    3. Public vs Private
         • Public: "The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services."
         • Private: "The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise."
         • Source: NIST cloud definition
    4. Public vs Private
         • Security requirements
             • What? CIA, i.e. confidentiality, integrity and availability
             • Where? Data at rest AND data in transit
             • When? During the lifecycle
         • From whom?
             • Public cloud attack surface
                 • Cloud provider(s)
                 • Co-tenants
                 • Users
             • Private cloud attack surface
                 • Cloud provider (if managed)
                 • Users
    5. SPI Model
         • Software as a Service (, Google docs)
         • Platform as a Service (Google App Engine,, MS Azure)
         • Infrastructure as a Service (Amazon EC2, Rackspace)
         • The service model has an impact on security
    6. State of the art attacks in SaaS/PaaS
         • Nothing new: web-service threats are well understood
         • Typical web-site attacks (OWASP)
             • SQL injection
             • Cross-Site Scripting (XSS)
             • Cross-Site Request Forgery (CSRF)
         • Bottom line: Audit your provider and check the SLAs
    7. State of the art attacks in IaaS
         • People run tampered images
         • Easy and instant access to many machines
         • Auto-scaling: DoS attacks paid for by the customer
         • Side-channel attacks
         • Attacks based on lack of entropy for random numbers
         • Bugs in virtualization software
         • Stored data of terminated instances can be reconstructed
         • Single key pair for the EC2 API
         • Poor audit logs for the EC2 API
         • Bottom line: Higher flexibility but bigger attack surface
    8. Root Causes
         • Outsourcing
         • Virtualization
         • Multi-tenancy
         • Dynamic Infrastructure
    9. Root cause 1 - Outsourcing
         • Challenges
             • Responsibility lies with the data owner
             • The line between data owner and data custodian must be drawn: need for clear contracts
             • Service Level Agreements must match
             • Physical access to the infrastructure
             • Compliance
         • Bottom line:
             • Least impact on traditional outsourcing businesses (for example payroll)
             • Monitoring and audits are needed
    10. Root cause 2 - Virtualization
         • Challenges
             • More complexity and new attack surface
             • Entropy needed
             • Administration consoles have privileged access
         • Bottom line: We need to integrate virtualization updates in our vulnerability management systems
    11. Root cause 3 - Multi-tenancy
         • Challenges
             • Side-channel attacks
             • Eavesdropping
             • Fairness in resource allocation / utilization
             • Data remanence
             • Compliance
         • Bottom line:
             • Need for isolation (VPN, encryption and access control)
             • Need for transparency
    12. Root cause 4 - Dynamic Infrastructure
         • Challenges
             • Automation is mandatory; allocation algorithms should be transparent
             • Auto-scaling may cost you money (DoS)
             • VM sprawl
             • Compliance
         • Bottom line: Control is needed (discovery and logs)
    13. Security challenges
         • Trust establishment in a dynamic way (brokers?)
         • Transparency / Visibility
         • Isolation between environments
         • Security automation and monitoring
         • Compliance
    14. Conclusion
         • New challenges
         • Security depends on the delivery model (SPI)
         • Security depends on the deployment model
             • Public presents more challenges to cope with
             • Enhancements from public providers needed
    15. Resources
         • Cloud Security Alliance
         • OWASP
         • Blog
         • ENISA risk management study
         • NIST definitions
         • "Cloud Security and Privacy" by Mather, Kumaraswamy and Latif
    16. Questions? Sergio Loureiro