Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

Global Cyber Attacks Stats
What is Computing Security?
Cloud Computing, Models and Security Demystified
New Security Challenges of Cloud Computing
Security Dimensions – The CIA Triad
Scope of Cloud Computing Security
Security Challenge Eco-system
Vulnerabilities, Threats and Exposure Points
Attacks – Modes and Types
The Notorious Nine – Cloud Security Threats
Methods of Defence
Tenets of Security Control
Security Life Cycle
Cloud Security Components and Governance
Tiered Cloud Security Handling Framework
Bottom-line
Take-aways

Published in: Business, Technology

  1. Cloud Computing and Safety
     Let’s Secure Cloud!
     20th July 2013
     Venkateswar Reddy Melachervu, Associate Vice President – IT
     www.linkedin.com/in/vmelachervu
     vmelachervu@gmail.com
     “…dare to dream; care to win…”
     In God we trust; All others, we virus scan
     © Venkateswar Reddy Melachervu 2013. All rights reserved.
  2. “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards” - Unknown
     Only the Paranoid Survive - Andy Grove, Former Chairman, Intel Inc.
     © 2010. All rights reserved. Cloud Computing and Security © Venkateswar Reddy Melachervu 2013. All rights reserved.
  3. Disclaimer
     “Some of the generally available information in the cloud on computing and cloud security is the inspiration and source for few topics - for the fear of re-inventing the wheel. I hereby thankfully acknowledge those sources”
  4. Agenda
     • Global Cyber Attacks Stats
     • What is Computing Security?
     • Cloud Computing, Models and Security Demystified
     • New Security Challenges of Cloud Computing
     • Security Dimensions – The CIA Triad
     • Scope of Cloud Computing Security
     • Security Challenge Eco-system
     • Vulnerabilities, Threats and Exposure Points
     • Attacks – Modes and Types
     • The Notorious Nine – Cloud Security Threats
     • Methods of Defence
     • Tenets of Security Control
     • Security Life Cycle
     • Cloud Security Components and Governance
     • Tiered Cloud Security Handling Framework
     • Bottom-line
     • Take-aways
  5. Cyber Crime – The Beginning
     • In 1988 a “worm program” – Morris Worm - written by a college student - Robert T. Morris, Jr. of Cornell University - shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber/Cloud attacks
     • First National Bank of Chicago is the victim of $70-million computer theft
  6. Incident Few Years Back
     • Heartland Payment Systems
     • Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems.
     • March 2008
  7. 2012 Global Cyber Attacks Stats
  8. Security Violation Consequences
     • Revenue loss
     • Customer data loss and liabilities
     • Embarrassment to yourself and/or the University
     • Having to recreate lost data
     • Identity theft
     • Data corruption or destruction
     • Loss of patient, employee, and public trust
     • Costly reporting requirements and penalties
     • Disciplinary action (up to expulsion or termination)
     • Unavailability of vital data
  9. What’s Computing Security?
  10. What Is Computing/IT Security?
     • Protection of computing systems and the data that they store or access
     • To prevent theft of or damage to the hardware, software etc. - Confidentiality
     • To prevent theft of or damage to the information and to protect privacy – Privacy and Integrity
     • To prevent disruption of service - Availability/Denial of Service
  11. Isn’t this just an IT Problem? Why Do I Need to Learn About Computer Security?
     • Everyone who uses a computer needs to understand how to keep his or her computer and data secure
     • IT Security is not a product, but a process
  12. Why Computers Are Not Secure?
     • No major operating system has ever worked perfectly
     • No OS vendor has dared offer a warranty against malfunctions
     • It is far easier to build a secure system than to build a correct system
     • You might be able to live in a house with a few holes in the walls, but you will not be able to keep burglars out
     • Securing a system has traditionally been a battle of wits
     • The problem is people/exploitation - not computers
  13. Cloud Computing – NIST Definition
     “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
  14. Cloud Computing - Business Definition
     “A large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet”
  15. Cloud Computing Demystified
     • On demand computational services over web
        • Spiky compute needs of the scientists
     • Horizontal and dynamic scaling with no additional cost
        • Increased throughput
     • Multi-tenant
     • Accessed over a network
     • Only pay for what you use
     • Shared internally or with other customers
     • Resources - storage, computing, services, etc.
     • Internal network or Internet
     • Similar to Timesharing
        • Rent IT resources vs. buy
  16. Multi-Tenancy
  17. Cloud Service Layers and Models
     [Figure labels: Models; Layers; IaaS; PaaS; SaaS; Autonomous; More Control/Flexibility]
  18. Conventional Data Centre
  19. Cloud Modelled Data Centre
  20. Public, Private, Hybrid Clouds
  21. Cloud Computing Enablers and Inhibitors
  22. Why Cloud Computing Brings New Security Challenges?
     • Data, applications, resources are located with provider
     • User identity management is handled by the cloud provider
     • User access control rules, security policies and enforcement are managed by the cloud provider
     • Multi-tenancy
     • Consumer relies on provider to ensure
        • Data security and privacy
        • Resource availability
        • Monitoring and repairing of services/resources
     • Self-managed or Private Clouds overcome most of the above new threats
  23. Security Dimensions – The CIA Triad
     [Figure label: Secured Hardware]
  24. Confidentiality
     • The need for keeping information secret
        • Protecting proprietary designs from competitors
        • Protecting a company’s personnel records
        • Protecting personal financial/ID info against ID theft
     • Applies to resource hiding
        • System configuration data
        • Resources - Systems, Equipment, Services etc.
  25. Integrity
     • Preventing improper or unauthorized change or access
     • Data integrity and system integrity
     • Non-repudiation
     • Example: Digital Cert of the Origin Source
  26. Availability
     • Reliability and system design
     • To prevent Denial of Service Attacks - The attempts to block the availability of systems or services
     • System designs usually assume a statistical model to analyze expected patterns of use
  27. Need to Balance CIA Triad
     • Example 1: C vs. I+A
        • Disconnect computer from Internet to increase confidentiality
        • Availability suffers, integrity suffers due to lost updates
     • Example 2: I vs. C+A
        • Have extensive data checks by different people/systems to increase integrity
        • Confidentiality suffers as more people see data, availability suffers due to locks on data under verification
  28. Scope of Cloud Security
     [Figure labels: Cloud Data Center; LAN/WAN/Wifi/PLMN/PAN; Cloud Eco-system; C, I, A]
  29. Security Challenge Eco-system
     [Figure labels: Physical; Logical; Environmental; Operational; Hardware; Software; Humans; Data; Network]
  30. Vulnerabilities, Threats, and Exposure Points
     • Vulnerability
        • A weakness in a security system
     • Threat
        • Circumstances that have a potential to cause harm
     • Exposure Points
        • External access points that the most advanced attacker can take advantage of to compromise security
     • Attack (materialization of a vulnerability/threat/compromised exposure point, or a combination)
     • Attack may be:
        • Successful a.k.a. an exploit - Resulting in a breach of security, a system penetration, etc.
        • Unsuccessful - When controls block a threat trying to exploit a vulnerability
  31. Software Vulnerabilities
     • Software Deletion
        • Easy to delete needed software by mistake
        • To prevent this: use configuration management software
     • Software Modification
        • Worms, Trojan Horses, Viruses, Logic Bombs, Trapdoors, Information Leaks ...
     • Software Theft
        • Unauthorized copying via P2P, etc.
  32. Hardware Vulnerabilities
     • Add or remove a hardware device
        • Ex: Snooping, wiretapping
        • Ex: Modification, alteration of a system
     • Physical attacks on hardware
        • Accidental or voluntary
     • Theft / destruction
        • Damage the machine (spilled coffee, mice, real bugs)
        • Steal the machine
  33. Network/Web Vulnerabilities
     • Phishing
        • An evil website pretends to be a trusted website
        • Example:
           • You type, by mistake, “mibank.com” instead of “mybank.com”
           • mibank.com designs the site to look like mybank.com so the user types in their info as usual
           • BAD! Now an evil person has your info!
     • SQL Injection
     • Cross Site Scripting
        • Writing a complex JavaScript program that steals data left by other sites that you have visited in same browsing session
  34. Kinds of Threats
     • Interception
        • An unauthorized party (human or not) gains access to an asset
     • Interruption
        • An asset becomes lost, unavailable, or unusable
     • Modification
        • An unauthorized party changes the state of an asset
     • Fabrication
        • An unauthorized party counterfeits an asset
  35. Modes of Attacks
     • Over the Internet
     • Over LAN
     • Locally
     • Offline
     • Theft
     • Deception
  36. Types of Attackers
     • Not all hackers are evil wrongdoers trying to steal your info
     • Classification 1
        • Amateurs
           • Opportunistic attackers (use a password they found)
           • Script kiddies
        • Hackers - nonmalicious
           • In broad use beyond security community: also malicious
        • Crackers – malicious
        • Career criminals
        • State-supported spies and information warriors
     • Classification 2
        • Recreational hackers / Institutional hackers
        • Organized criminals / Industrial spies / Terrorists
        • National intelligence gatherers / Info warriors
  37. Common Attacks
     • Network Attacks
        • Packet sniffing, man-in-the-middle, DNS hacking
     • Web attacks
        • Phishing, SQL Injection, Cross Site Scripting
     • OS, applications and software attacks
        • Virus, Trojan, Worms, Rootkits, Buffer Overflow
  38. Network Attacks
     • Packet Sniffing
        • Internet traffic consists of data “packets”, and these can be “sniffed”
        • Leads to other attacks such as password sniffing, cookie stealing, session hijacking, information stealing
     • Man in the Middle
        • Insert a router in the path between client and server, and change the packets as they pass through
     • DNS hijacking
        • Insert malicious routes into DNS tables to send traffic for genuine sites to malicious sites
  39. Malicious SW Attacks
     • Bacterium
        • A specialized form of virus which does not attach to a specific file. Usage obscure.
     • Logic bomb
        • Malicious logic that activates when specified conditions are met. Usually intended to cause denial of service or otherwise damage system resources.
     • Trapdoor
        • A hidden computer flaw known to an intruder, or a hidden computer mechanism (usually software) installed by an intruder, who can activate the trap door to gain access to the computer without being blocked by security services or mechanisms
     • Trojan horse
        • A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
  40. Malicious SW Attacks
     • Virus
        • A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
     • Worm
        • A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
  41. The Notorious Nine: Cloud Computing Top Threats in 2013
     • Data Breaches
     • Data Loss
     • Account Hijacking
     • Insecure APIs
     • Denial of Service
     • Malicious Insiders
     • Abuse of Cloud Services
     • Insufficient Due Diligence
     • Shared Technology Issues
     Source: Cloud Security Alliance
  42. Tenets of Security Defence and Control
     • Castle in Middle Ages
        • Location with natural obstacles
        • Surrounding moat
        • Drawbridge
        • Heavy walls
        • Strong gate
        • Tower
        • Guards
     • Computers Today
        • Encryption
        • Software controls
        • Hardware controls
        • Policies and procedures
     • Multiple controls – physical and computational
     • System perimeter – defines inside/outside
     • Pre-emption – attacker scared away
     • Deterrence – attacker could not overcome defences
     • Faux environment – attack deflected towards a worthless target
  43. Tenets of Security Control
     • Policy vs. Procedure
        • Policy: What is/what is not allowed
        • Procedure: How you enforce policy
     • Policy - must consider
        • Alignment with users’ legal and ethical standards
        • Probability of use
           • Inconvenient: 200 character password, change password every week
        • Periodic reviews
           • A given control usually becomes less effective with time
           • Need to replace ineffective/inefficient controls with better ones
     • Advantages of policy and procedural controls
        • Can replace hardware, software controls
        • Can be least expensive
  44. Security Methods of Defence
     • Prevent attack
        • Block attack / Close vulnerability
     • Deter attack
        • Make attack harder (can’t make it impossible)
     • Detect attack
        • During or after
     • Deflect attack
        • Make another target more attractive than this target
     • Recover from attack
     • IT Defense consists of:
        • Encryption
        • Software controls
        • Hardware controls
        • Policies
        • Physical controls
  45. Security Life Cycle
     [Figure labels: Analyze Threats; Policy; Specification; Design; Implementation; Operation and Maintenance; Governance]
  46. Security Analysis Process
     • Identify Assets
        • Which assets are we trying to protect?
        • What properties of these assets must be maintained?
     • Identify Threats
        • What attacks can be mounted?
        • What other threats are there (natural disasters, etc.)?
     • Identify Countermeasures
        • How can we counter those attacks?
     • Independent Analysis
  47. Cloud Security Components
     • Cloud Provisioning Services
     • Cloud Data Storage Services
     • Cloud Processing Infrastructure
     • Cloud Support Services
     • Cloud Network and Perimeter Security
     • Elastic Elements: Storage, Processing, and Virtual Networks
  48. Organize Threats – STRIDE Model
     • Spoofing identity
     • Tampering with data
     • Repudiation
     • Information disclosure
     • Denial of service
     • Elevation of privilege
  49. Legal
     • Functional
        • Which functions & services in the Cloud have legal implications for both parties
     • Jurisdictional
        • Which governments administer laws and regulations impacting services, stakeholders, data assets
     • Contractual
        • Terms & conditions
  50. Governance
     • Identify, implement process, controls to maintain effective governance, risk mgt, compliance
     • Provider security governance should be assessed for sufficiency, maturity, consistency
  51. Tiered Cloud Security Handling Framework
     [Figure labels: Cloud Provider; Tenant #1; Tenant #2; APP; OS; Virtual Infrastructure; Physical Infrastructure]
     • Insulate information from cloud providers’ employees
     • Insulate information from other tenants
     • Insulate infrastructure from Malware, Trojans and cybercriminals
     • Segregate and control user access
     • Control and isolate VM in the virtual infrastructure
     • Federate identities with public clouds
     • Enable end to end view of security events and compliance and control across infrastructures
     Controls shown: Identity federation; Virtual network security; Access Mgmt; Cybercrime intelligence; Strong authentication; Data loss prevention; Encryption & key mgmt; Tokenization; Governance; Anti-malware
  52. Security Certifications
     • CCSK - Cloud Security Alliance Certifications
     • CISSP – (ISC)2
     • CPTC – Certified Penetration Testing Consultant
     • CPTE – Certified Penetration Testing Engineer
     • CompTIA – Security+
     • CSTA – Certified Security Testing Associate
     • GPEN – GIAC Certified Penetration Tester
     • OSCP – Offensive Security Certified Professional
     • CEH – Certified Ethical Hacker
     • ECSA – EC-Council Certified Security Analyst
     • CEPT – Certified Expert Penetration Tester
     Source: http://www.concise-courses.com/security/certifications-list/
  53. Bottom Line
     • Engage in full risk management process for each case
     • For small and medium organizations
        • Cloud security may be a big improvement!
        • Cost savings may be large (economies of scale)
     • For large organizations
        • Already have large, secure data centers
        • Main sweet spots:
           • Elastic services
           • Internet-facing services
     • Employ countermeasures
  54. Take-Aways
     • Policy defines security and mechanisms enforce security
        • Confidentiality
        • Integrity
        • Availability
     • Trust and knowing assumptions
     • Importance of assurance
     • The human factor
  55. Thank You
     Cloud Computing and Safety
     Let’s Secure Cloud!
     20th July 2013
     Venkateswar Reddy Melachervu, Associate Vice President – IT
     www.linkedin.com/in/vmelachervu
     vmelachervu@gmail.com
     “…dare to dream; care to win…”
     In God we trust; All others, we virus scan
