Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cloud Security 2014 AASNET

Paper presentation "State-of-the-art Survey on Cloud Computing Security Challenges, Approaches and Solutions"

  • Login to see the comments

  • Be the first to like this

Cloud Security 2014 AASNET

  1. 1. State-of-the-art Survey on Cloud Computing Security Challenges, Practices and Solutions Farrukh Shahzad King Fahd University of Petroleum and Minerals, Dhahran, KSA September 2014 The 6th International Symposium on Applications of Ad hoc and Sensor Networks (AASNET’14)
  2. 2. OUTLINE  Introduction  Cloud Computing Models  Security in the Cloud  Cloud Storage Security  Case Study: Amazon’s AWS Security  Implementation/Demo of SAFE  Conclusion 2
  3. 3. INTRODUCTION Cloud Computing: Highly scalable, technology-enabled services easily consumed over the Internet on an as-needed basis. Big Players: Amazon, Google, Microsoft, Yahoo, Sun, Salesforce.  Different implementation depends on type of Services: SAAS ,PAAS, IAAS, etc.  User data is processed and/or stored remotely in machines owned and operated by someone else.  Pros : Convenience, efficiency  Cons : Users’ fear of confidential data leakage and loss of privacy in the cloud.  Three main challenges in adapting Cloud Services:  How to identify a cloud provider that meet user’s privacy requirements?  How to establish a common privacy policy between the user and the provider?  Is the user’s data is actually handled as agreed by the parties? 3
  5. 5. C L O U D C O M P U T I N G M O D E L 5 Essential Characteristics Service Models Deployment Models
  6. 6. C L O U D C O M P U T I N G C H A R A C T E R I S T I C S  Resource Pooling  Broad Network Access  Rapid Elasticity  Measured Service  On-demand Self-service 6
  7. 7. C L O U D S E R V I C E M O D E L S 7
  8. 8. C L O U D D E P L O Y M E N T M O D E L S  Public Cloud (Amazon AWS)  Private Cloud  Hybrid Cloud  Community Cloud 8
  9. 9. C L O U D S E C U R I T Y R I S K F A C T O R S  Outsourcing  Extensibility and Shared Responsibility  Virtualization  Multi-tenancy  Service Level Agreement  Heterogeneity 9
  10. 10. C L O U D S E C U R I T Y M AT R I X  Application & Interface Security  Audit Assurance & Compliance  Business Continuity Management & Operational Resilience  Change Control & Configuration Management  Data Security & Information Life-cycle Management  Data-center Security  Encryption & Key Management  Governance and Risk Management  Human Resources  Identity & Access Management  Infrastructure & Virtualization Security  Interoperability & Portability  Mobile Security  Security Incident Management, E-Discovery & Cloud  Forensics  Supply Chain Management, Transparency and Accountability  Threat and Vulnerability Management 10
  11. 11. S E C U R I T Y A S A S E R V I C E  Identity Services and Access Management Services  Data Loss Prevention (DLP)  Web Security  Email Security  Security Assessments  Intrusion Management, Detection, and Prevention  (IDS/IPS)  Security Information and Event Management (SIEM)  Encryption  Business Continuity and Disaster Recovery  Network Security 11
  12. 12. S O M E C L O U D S E C U R I T Y I S S U E S  The eDDoS (economic Distributed Denial of Service)  Economic Denial of Sustainability (EDoS)  Cloud Storage Security and Privacy 12
  13. 13. EDDO S  Distributed Denial of Service (DDoS) attacks target web sites, hosted applications or network infrastructures by absorbing all available bandwidth and disrupting access for legitimate customers and partners.  The eDDoS (economic Distributed Denial of Service) in cloud is due to the DDoS attack, where the service to the legitimate user is never restricted. This leads to Economic Denial of Sustainability (EDoS) as user will be billed for this undesired resources. 13
  14. 14. CLOUD STORAGE Cloud Storage Model  New business solution for remote backup outsourcing  Reduces data management costs  APIs, web based user interfaces, and cloud storage gateways. Cloud Storage Providers for individuals  iCloud  Dropbox  Google Drive  Amazon S3 14
  15. 15. CLOUD STORAGE Advantages of Cloud Storage  Fault tolerance  Immediate access  Streaming Problems  Access control  Assured deletion?  Multiple copies for fault tolerance 15
  16. 16. SECURITY GOALS  Threat Model:  Active files: Oscar should not be able to access the file.  Deleted files: if the files are actually deleted by the provider if requested.  Avoid unauthorized access  policy-based access control  Unrecoverable deleted files  policy based assured deletion 16
  17. 17. C A S E S T U D Y : A M A Z O N W E B S E R V I C E S  Compute (Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic MapReduce (Amazon EMR), Auto Scaling, Elastic Load Balancing)  Networking (Amazon Virtual Private Cloud (Amazon VPC), Amazon Route 53, AWS Direct Connect)  Storage (Amazon S3, Amazon Glacier, Amazon Elastic Block Storage (EBS), AWS Storage Gateway, AWS Import/Export)  Content Delivery - Amazon CloudFront  Database (Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift)  Deployment & Management (AWS Identity and Access Management (IAM), Amazon CloudWatch, AWS Elastic Beanstalk, AWS CloudFormation, AWS Data Pipeline, AWS OpsWorks)  Application Services (Amazon Simple Queue Service (Amazon SQS), Amazon Simple Notification Service (Amazon SNS), Amazon Simple Workflow Service (Amazon SWF), Amazon Simple Email Service (Amazon SES), Amazon CloudSearch, Amazon Elastic Transcoder) 17
  18. 18. A W S G E N E R A L S E C U R I T Y M E A S U R E S  Certifications and accreditations  Physical security  Secure services  Data privacy 18
  19. 19. A W S I N F R A S T R U C T U R E S E C U R I T Y ( S H A R E D R E S P O N S I B I L I T Y )  AWS Compliance Program (SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), HIPAA)  Physical and Environmental Security  Fire detection, Power, temperature Control, Storage Device Decommissioning  Business Continuity Management (Availability, Incident Reporting, Communication)  Network Security  Secure Network Architecture  Fault‐Tolerant Design  Network Monitoring and Protection (protection against, DDoS, MITM, IP Spoofing, Port scanning)  AWS Access (Account Review and Audit, background checks, Password policy)  Secure Design Principles  Change Management  AWS Account Security Features  AWS Identity and Access Management (AWS IAM)  Key Management and Rotation  Temporary Security Credentials  AWS Multi‐Factor Authentication (AWS MFA) 19
  20. 20. A W S S E C U R I T Y B E S T P R A C T I C E S  Protect your data in transit  Protect your stored data  Protect your cloud account (AWS) credentials  Manage multiple users with IAM  Secure your Applications 20
  21. 21. C O N C L U S I O N  The revolution of cloud computing has provided opportunities for research in all aspects of cloud computing.  Research in the secure cloud storage is compounded by the fact that users data may be kept at several locations for either redundancy/fault tolerance or because the service is provided through a chain of service providers.  We explored the security measures adopted by the largest cloud service provider (Amazon web services or AWS) including their infrastructure security and security best practices followed by AWS. 21
  22. 22. A C K N O W L E D G E M E N T The support provided by the department of Information and Computer Science and Deanship of Scientific Research at King Fahd University of Petroleum and Minerals (KFUPM). 22
  23. 23. R E F E R E N C E S 23
  24. 24. SAFE(DEMO) SUMMARY  The Secure Access controlled File Encryption (SAFE) system is an overlay which works seamlessly over the existing cloud storage services without any changes on the cloud side. Furthermore, the implementation only requires basic data access API functions like put (upload) and get (download).  In SAFE, a file is encrypted with a data key by the owner of the file, using the SAFE client. The data key is further encrypted with a secret key which is in turn is encrypted with a control key, based on the access control policy selected by the owner, with the help of a separate key server. The encrypted keys are stored as a separate metadata file, along with the encrypted data file.  The purpose of SAFE is to achieve policy-based access control and assured deletion. 24
  25. 25. SAFE OVERVIEW 25  SAFE client: This is an interface application between client’s or user’s storage system and the cloud storage. It communicates with Key server securely (SSL protocol) to request appropriate cryptographic operations. The application performs all required upload, download, encryption and decryption functions.  Key Server: This is a multi-threaded server application which provides all needed backend services to SAFE clients. It utilizes SSL socket to communicates with SAFE clients securely. It provides storage for users, policies and corresponding public/private key pair.
  26. 26. POLICY MANAGEMENT The owner of the file needs to select proper policy for the file which needs to be uploaded to the cloud. There are two types of policies: 1) Individual. Each user of the SAFE system is assigned a unique individual policy at the time he/she register with the Key server. 2) Group Policy. Separate policies can be added for a group of users. For example, a department in a company can have a group policy so that the employees of that department can share files on the cloud, if the owner of the file, uploads the file with the group policy assigned to that department. Similarly, there could be group policy for a team project so all members can share files related to the project. 26
  27. 27. CRYPTOGRAPHIC KEYS SAFE uses three types of cryptographic keys to protect the data files stored on the cloud. 1) Data key. A data key is a random secret that is generated by a SAFE client. It is used for encrypting or decrypting data files via symmetric (AES) key encryption. 2) Secret key. Similar to the data key, a secret key is generated by a SAFE client. It is used for encrypting or decrypting the data key via symmetric (AES) key encryption. 3) Policy key. This key is associated with a particular policy. It is represented by a public- private key pair, which is maintained by the key server. It is used to encrypt/decrypt the secret key of the file via RSA. To ensure file deletion (inaccessibility), the corresponding policy can be revoked. 27
  28. 28. UPLOAD OPERATION OF SAFE 28  The file upload function is shown below. The client first requests the public key Ppub of policy P from the key server. Then the client generates two random keys K and S and perform the encryption eS(K), ePpub(S) and eK(F). Finally, the client sends eK(F) i.e. the encrypted file and P, eS(K) , ePpub(S) (as metadata) to the cloud. The client should discard K and S. There will be two objects on the cloud: One the encrypted client’s file and the other is the corresponding metadata text file containing policy and related keys (encrypted).
  29. 29. DOWNLOAD OPERATION OF SAFE 29 The client fetches the metadata file to get P, eS(K) , ePpub(S) from the storage system. Then the client sends ePpub(S) to the key server for decryption. The key server decrypts using the policy’s private key and returns S = dPprv(ePpub(S)) to the client. The client can now decrypt eS(K) to get K. The client finally fetches the actual encrypted file eK(F) and decrypt with K to get the original file F. The client should immediately discard K and S.
  30. 30. UPDATE POLICY 30 • Only needs to download the corresponding metadata file. • Update the last line (secret key encrypted with new policy key) . • Write back the modified metadata file. • There is no need to access the actual encrypted data file.
  31. 31. IMPLEMENTATION  The SAFE is implemented purely in Java based on design framework presented in the previous section.. All the libraries used are third party or built in Java libraries including the following:  javax.swing (for SAFE GUI)  com.amazonaws (for amazon S3 APIs)  com.dropbox (for Dropbox APIs)  org.apache.log4j (for interactive on-screen and file logging)  javax.crypto and javax.Security for crypto-graphical operations like AES/RSA encryption/decryption, Key generation, etc.  Many other built-in libraries for File I/O, SSL socket programming. There are also other external Java libraries which are used by Amazon and Dropbox APIs. 31
  32. 32. IMPLEMENTATION - METADATA  Here is an example of a metadata file generated after an upload to the cloud:  SAFE0001  6B6C379A35A8A17CF005F8CE850D0F45A24C86747DB1D83E167A46ADBBF8CF03  4A31EAF4FFC824ADD69D327D551705F2CB164D23AC47D0B85E47D1BCFEBA342F7 C886C3292DBDB590348FC900F210D56DEC21E1177A0CFC17138ACB41193AC9DEE CCC74D0B72A1599026A3FD1A0BEBA1E08DA716CE7C58BA77BD79E42E1E85033EA 1F1A2B785F939F47BE421A9A2EA82005AFB81B50D628ABDA43AEFC989B788  This metadata file is saved along with the encrypted file on the cloud with extension ‘.safe’. 32
  33. 33. IMPLEMENTATION - UPLOAD  2013-05-21 14:22:36 File will be uploaded from: C:Users  2013-05-21 14:22:36 Encrypting ..  2013-05-21 14:22:36 Uploading a new object to S3 ..  2013-05-21 14:22:38 Uploading the corresponding metadata ..  2013-05-21 14:22:39 Uploaded file: abc.pdf Done. 33
  34. 34. IMPLEMENTATION - DOWNLOAD  2013-05-22 05:51:26 Downloading the object metadata.  2013-05-22 05:51:24 Downloading the object  2013-05-22 05:51:26 File Name: abc.pdf  2013-05-22 05:51:27 Decrypting ..  2013-05-22 05:52:13 File will be saved to: C:abc.pdf 34