“The cloud is for everyone.The cloud is a democracy.”
Cloud computing is a model for enabling convenient, on-demandnetwork access to a shared pool of configurable computing resources(e.g., networks, servers, storage, applications, and services) that canbe rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models In Simple English,I can get my data when I want, over some kind of network, and even though the data might be coming from different places and my computing power shared with others, somehow the back end is going to scale up or down to fulfill my needs, and interestingly, bills me for only what I use.
On-Demand • Unilaterally provision computing capabilities as needed automatically, without requiring human interaction with a Self-Service service provider Resource • The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model Pooling • Shared pools are assigned and reallocated as per requirement • Upgrade? More memory required? New software version?Rapid Elasticity Incompatibility with current version? • “The Cloud Almighty” has it all…Broad Network • Available over the network and accessed through standard Access mechanisms Measured • Metering capability • Resource usage can be monitored, controlled, and reported — Service providing transparency for both the provider and consumer
•Servers and Network •Cloud OS and Platforms •User gets the software as connections. •All the user needs is to a web service.•User needs to install put up his applications. •Eg : Google Docs, Office Required OS and Platform •Eg : Windows Hyper V 365, Amazon S3 and Applications.(some Cloud, Amazon EC2 vendors provide OS)•Eg: Windows AzureInfrastructure Platform as a Software as aas a Service Service Service[IaaS] [PaaS] [SaaS] Processor Runtime Application Operating Memory API Web Service System Storage Web Server Web UI
Public Cloud Community CloudPrivate Cloud Hybrid Cloud
• Scale vs. Cost • Lack of ControlPros Cons • Multiplatform • Reliability support Issues • Encapsulated • Lock In Change • Data out of Management Premises • Next-Gen • Security Architecture
“Theyre certainly a threat, and would be easy to make malicious.” “The technology demands of the cybersecurity advisers job are relatively trivial..”
* Cloud is a relatively newer technology. So, its security domains are not fully known.* Cloud based Security Risks => CRISKS * Hardware * Data * Applications * (in short, everything in the cloud)Some major security Issues are discussed in the following slides
• Any kind of intentional and un-intentional malicious activity carried out or executed on a shared platform may affect the other tenants and associated stake holders.• Eg : Blocking of IP Ranges, Confiscation of resources etc• Sudden increase in the resource usage by one application can drastically affect the performance and availability of other applications shared in the same cloud infrastructure.
• Migrating from cloud is difficult, as different cloud providers use various OS n middleware and APIs• Also, sudden change of provider policies may make the user stuck with the cloud.• The user may want to quit, but he cannot as his data is in the cloud.• Lock-In Situation
• Handled by the Provider• User rarely has information about the protection facilities.• Prevent unauthorized access by the priviledged employees of Service Provider
• The service provider may be following good security procedures, but it is not visible to the customers and end users.• May be due to security reasons.• End user questions remains un-answered: • how the data is backed up, who back up the data,whether the cloud service provider does it or has they outsourced to some third party,
• Confidential data remains confidential.• The information deleted by the customer may be available to the cloud solution provider as part of their regular backups.• Insecure and inefficient deletion of data where true data wiping is not happening, exposing the sensitive information to other cloud users.
• Vulnerabilities applicable to programs running in the conventional systems & networks are also applicable to cloud infrastructure.• It also requires application security measures (application- level firewalls) be in place in the production environment.
• The cloud provider maintains logs of none/some/all of the cloud activities• The end user has no access to these logs,neither are they aware of what exactly are being logged.
• Security testing is a process to determine that an information system protects data and maintains functionality as intended.• Cloud security testing is futile, due to the following reasons. Permission Issues If a user traverse through unauthorised areas of a cloud, he may reach a black hole. An application is tested today and found vulnerable or not, how do you know that the app tested tomorrow is the same one that was tested yesterday?
“Who protects my data?” “Are we to skip on-site inspections, discoverability, and complex encryption schemes..”
• Although Cloud can be considered a failure in terms of Security, there are still many takers for it.• This is mainly due to the Multi-tenancy(cost sharing) aspect.• A risk based approach needs to be adopted, after considering the profit and loss involved in moving the assets to the cloud. An RA Framework is presented in the coming slides…
Map the Evaluate asset to Cloud Sketch the Identify Evaluate Existing Service Potentialthe Asset The Asset cloud Models and Data Flow Deployment Providers Models
Map the Evaluate asset to Cloud Sketch the Identify Evaluate Existing Service Potentialthe Asset The Asset cloud Models and Data Flow Deployment Providers Models • Assets can be Data or Applications. Choose which all needs to be migrated to the cloud. • In cloud, data and application need not reside at the same location. • Thus,even parts of functions can be shifted to the cloud. • Make the choice based upon current data usage, and potential data usage.
Map the Evaluate asset to Cloud Sketch the Identify Evaluate Existing Service Potentialthe Asset The Asset cloud Models and Data Flow Deployment Providers Models • Determine how Important and sensitive the asset is to the organisation. • In short, evaluate the asset on the basis of Confidentiality and availability.
Map the Evaluate asset to Cloud Sketch the Identify Evaluate Existing Service Potentialthe Asset The Asset cloud Models and Data Flow Deployment Providers Models • Determine which deployment model is good for the organizational requirement • Decide whether the organization can accept the risks implicit to the various deployment models (private, public, community, or hybrid).
Map the Evaluate asset to Cloud Sketch the Identify Evaluate Existing Service Potentialthe Asset The Asset cloud Models and Data Flow Deployment Providers Models • Determine which service deployment model is good for the organizational requirement • Decide whether the organization is competent enough to implement the extra layers (in case of IaaS or PaaS)
Map the Evaluate asset to Cloud Sketch the Identify Evaluate Existing Service Potentialthe Asset The Asset cloud Models and Data Flow Deployment Providers Models • Required to analyse how and when data will move In and Out the cloud..
“Theyre certainly a threat, and would be easy to make malicious.” “Quiet as the forest”
DEFINITION: “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose offacilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”Cloud Forensics refers to the usage of Digital Forensics Science in Cloud computing models.
• Cloud forensics is more cost effective than conventional Digital forensic methodologies.• In case a cloud need to be shut down for data collection,it can be implemented with very less extra work (transfering data to another data center within the same cloud)• Forensics may be implemented as a Cloud Service.
Legal Regulations Legal & regulatory requirements and compliances may be lacking in the location(s) where the data is actually stored.Record Retention Policies There exists no standardized logging format for the cloud. Each provider logs in different formats, making log crunching for forensics difficult in case of Cloud.Identity Management There exists no proper KYC norms in case of Cloud Providers. Anyone with a credit card can purchase a cloud account.
Continously Overwriten Logs The cloud keeps working, and its logs are replicated and overwritten continously. So it poses a great challenge to the forensic scientist to spot the state of the log file at the time of an attempted crime..Admissibility Along with finding the evidence, the scientist must also prove it to a legal non technical person. This part is worser than the real forensics process.Privacy Someone hacked something somewhere. Why should a Forensic guy check the data that i have put in my cloud ..?
• Cloud is changing the way systems and services are provided and utilized.• The more informed IT departments are about the cloud, the better the position they will be in when making decisions about deploying, developing, and maintaining systems in the cloud.• With so many different cloud deployment and service models, and their hybrid permutations - no list of security controls can cover all these circumstances.• Cloud has just crossed its inception states, and Researches on cloud security are still going on.
• Use a Risk Assesment framework before data is put on the cloud.• Cloud forensics, being younger than Cloud computing, has very less to offer as of now.• Watch your activities, keep in touch with your cloud service provider, read the user manual carefully.
• Cloud Security Alliance, a non Profit Cloud Evangelists Group https://cloudsecurityalliance.org/• Microsoft Corporation, Windows Azure http://www.microsoft.com/windowsazure• IEEE Paper “Cloud Computing: The impact on digital forensic investigations “• IEEE Paper “Cloud computing: Forensic challenges for law enforcement “• Cyber Forensics by Albert J Marcella and Robert greenfield