Brighttalk Challenges In Cloud Security


Talk about Cloud Security on the Brighttalk Summit of Public, Private & Hybrid Clouds (

Published in: Technology, Business

  1. Challenges in Cloud Security: Public vs Private Clouds, Sergio Loureiro
  2. Outline
      • Definitions
      • State of the art of cloud attacks
      • Roots of security threats
      • Challenges ahead
      • Conclusion
  3. Public vs Private
      • Public
        • "The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services."
      • Private
        • "The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise."
      • Source: NIST cloud definition
  4. Public vs Private
      • Security requirements
        • What? CIA, i.e. confidentiality, integrity and availability
        • Where? Data at rest AND data in transit
        • When? During the lifecycle
      • From whom?
        • Public cloud attack surface
          • Cloud provider(s)
          • Co-tenants
          • Users
        • Private cloud attack surface
          • Cloud provider (if managed)
          • Users
  5. SPI Model
      • Software as a Service (, Google docs)
      • Platform as a Service (Google apps engine,, MS Azure)
      • Infrastructure as a Service (Amazon EC2, Rackspace)
      • The service model has an impact on security
  6. State of the art attacks in SaaS/PaaS
      • Nothing New: Web-Service threats are well-understood
      • Typical Web-Site attacks (OWASP)
        • SQL injection
        • Cross Site Scripting (XSS)
        • Request Forgery (CSRF)
      • Bottom line: Audit your provider and check the SLAs
  7. State of the art attacks in IaaS
      • People run tampered images
      • Easy and instant access to many machines
      • Auto-Scaling: DoS Attacks paid by the customer
      • Side Channel Attacks
      • Attack based on lack of entropy for random numbers
      • Bugs in virtualization software
      • Storage data of terminated instance reconstructable
      • Single key-pair for EC2 API
      • Poor Audit Logs for EC2 API
      • Bottom line: Higher flexibility but bigger attack surface
  8. Root Causes
      • Outsourcing
      • Virtualization
      • Multi-tenancy
      • Dynamic Infrastructure
  9. Root cause 1 - Outsourcing
      • Challenges
        • Responsibility lies with the data owner
        • The line between data owner and data custodian must be drawn: need for clear contracts
        • Service Level Agreements must match
        • Physical access to the infrastructure
        • Compliance
      • Bottom line:
        • Least impact in traditional outsourcing businesses (for example payroll)
        • Monitoring and audits are needed
  10. Root cause 2 - Virtualization
      • Challenges
        • More complexity and new attack surface
        • Entropy needed
        • Administration consoles have privileged access
      • Bottom line: We need to integrate virtualization updates in our vulnerability management systems
  11. Root cause 3 - Multi-tenancy
      • Challenges
        • Side channel attacks
        • Eavesdropping
        • Fairness in resource allocation / utilization
        • Data remanence
        • Compliance
      • Bottom line:
        • Need for isolation (VPN, encryption and access control)
        • Need for transparency
  12. Root cause 4 - Dynamic Infrastructure
      • Challenges
        • Automation is mandatory, allocation algorithms should be transparent
        • Auto scaling may cost you money (DoS)
        • VM Sprawl
        • Compliance
      • Bottom line: Control is needed (discovery and logs)
  13. Security challenges
      • Trust establishment in a dynamic way (brokers?)
      • Transparency / Visibility
      • Isolation between environments
      • Security automation and monitoring
      • Compliance
  14. Conclusion
      • New challenges
      • Security depends on the delivery model (SPI)
      • Security depends on the deployment model
        • Public presents more challenges to cope with
        • Enhancements from public providers needed
  15. Resources
      • Cloud Security Alliance
      • OWASP
      • Blog
      • ENISA risk management study
      • NIST definitions
      • "Cloud Security and Privacy" by Mather, Kumaraswamy and Latif
  16. Questions? Sergio Loureiro