Presd1 10

Cloud Security:
Identifying the Risks
Jim Reavis, Executive Director

May, 2010

About the Cloud Security Alliance
• Global, not-for-profit organization
• Inclusive membership, supporting broad spectrum of
subject matter expertise
• Building best practices and a trusted cloud ecosystem
• CSA Guidance V2.1 – Released Dec 2009
• CSA Top Threats Research – Released March 2010
• CSA Cloud Controls Matrix – Released April 2010
• Trusted Cloud Initiative – Release Q4 2010
• CSA Cloud Metrics Working Group – release TBA
• Consensus Assessment Initiative
“To promote the use of best practices for providing security assurance
within Cloud Computing, and provide education on the uses of Cloud
Computing to help secure all other forms of computing.”
Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org

Is Cloud Computing Working?
• Eli Lilly
• New drug research project
• IT promised system in 3 months, > $100,000 USD
• Scientist completed in one day in cloud, < $500 USD
• Japanese government agencies
• RFP for custom software development
• Chose PaaS for 25% of cost and deployment time
over traditional software house


What is Cloud Computing?
• Compute as a utility: third major era of computing
• Mainframe
• PC Client/Server
• Cloud computing: On demand model for allocation and consumption
of computing
• Cloud enabled by
• Moore‟s Law: Costs of compute & storage approaching zero
• Hyperconnectivity: Robust bandwidth from dotcom investments
• Service Oriented Architecture (SOA)
• Scale: Major providers create massive IT capabilities
• Disruptive to IT and IT Security
• Challenges many of our IT definitions, e.g. what is data?

Defining Cloud
• On demand provisioning
• Elasticity
• Multi-tenancy
• Key types
• Infrastructure as a Service
(IaaS): basic O/S & storage
• Platform as a Service (PaaS):
IaaS + rapid app development
• Software as a Service (SaaS):
complete application
• Public, Private, Community &
Hybrid Cloud deployments


S-P-I Framework You “RFP”
security in
SaaS
Software as a Service

You build
security in
PaaS
Platform as a Service
IaaS
Infrastructure as a Service


Top Threats to Cloud Computing

Cloud Security Risks / Threats
• Shared Technology Vulnerabilities
• Data Loss/Data Leakage
• Malicious Insiders
• Account Service or Hijacking of Traffic
• Insecure APIs
• Nefarious Use of Service
• Unknown Risk Profile

Shared Technology Vulnerabilities

Description

• Exposed hardware, operating systems, middleware, application stacks and
network components may posses known vulnerabilities

Impact

• Successful exploitation could impact multiple customers

Example

• Cloudburst - Kostya Kortchinksy (Blackhat 2009)
• Arbitrary code execution vulnerability identified in VMware SVGA II device, a
virtualized PCI Display Adapter
• Vulnerable component present on VMware Workstation, VMware Player,
VMware Server and VMware ESX


Data Loss / Data Leakage
Description

• Data compromise due to improper access controls or weak encryption
• Poorly secured data is at greater risk due to the multi-tenant
architecture

Impact

• Data integrity and confidentiality

Example

• Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-
Party Compute Clouds (UCSD/MIT)
• Research detailing techniques to ensure that images are deployed on
the same physical hardware as a victim and then leveraging cross-
VM attacks to identify data leakage


Malicious Insiders
Description

• Employees of the cloud vendor may abuse privileges to access customer
data/functionality
• Reduced visibility into internal processes may inhibit detection of the breach

Impact

• Data confidentiality and integrity
• Reputational damage
• Legal repercussions

Example

• Google Investigates Insider Threat After China Hack (eWeek)
• “Google is investigating whether some of its own staff are behind the
repeated attempts to hack into the Gmail accounts of Chinese human rights
activists”


Interception or Hijacking of Traffic

Description

• Intercept and/or redirect traffic destined for the clients or cloud
• Steal credentials to eavesdrop or manipulate account information /
services

Impact

• Confidentiality and integrity of data
• Damage to reputation
• Consequences (legal) from malicious use of resources

Example

• Twitter DNS account compromise
• Zeus botnet C&Cs on compromised Amazon EC2 accounts


Insecure APIs
Description

• APIs designed to permit access to functionality and data may be
vulnerable or improperly utilized, exposing applications to attack

Impact

• Data confidentiality and integrity
• Denial of service

Example

• P0wning the Programmable Web (Websense – AusCERT 2009_
• 80% of tested applications not using available security in APIs (e.g.
unencrypted traffic and basic authentication)
• Demonstrated CSRF, MITM and data leakage attacks


Nefarious Use of Service
Description

• Attackers are drawn to the cloud for the same reasons as legitimate
consumers – access to massive proceesing power at a low cost

Impact

• Password cracking, DDoS, malware hosting, spam, C&C servers,
CAPTCHA cracking, etc.

Example

• Current search of MalwareDomainList.com for „amazonaws.com‟
returns 21 results
• “In the past three years, ScanSafe has recorded 80 unique malware
incidents involving amazonaws” – ScanSafe blog
• Amazon's EC2 Having Problems With Spam and Malware - Slashdot


Unknown Risk Profile
Description
• A lack of visibility into security controls could leave cloud consumers exposed to
unnecessary risk.

Impact
• Significant data breaches could occur, possibly without the knowledge of the cloud
consumer.

Example
• Heartland Payment Systems was “willing to do only the bare minimum and comply with state
laws instead of taking the extra effort to notify every single customer, regardless of law, about
whether their data [had] been stolen.”
http://www.pcworld.com/article/158038/heartland_has_no_heart_for_violated_customers.html


Survey Results
Top Ranked Threats

RANK THREAT PERCENT

1) Data Loss/Leakage 28.8%
2) Abuse and Nefarious use of Cloud 17.8%
Computing
3) Insecure API‟s 15.1%
4) Malicious Insiders 11.0%
5) Account/Service and Traffic Hijacking 9.6%
6) Unknown Risk Profile 9.6%
7) Shared Technology Vulnerabilities 8.2%

Status
Revisions
• Top threats list will be updated 2x per year

Process
• Recommended changes will be solicited from CSA participants
• Panel of judges will be established with representation from the
security community, solution providers and cloud consumers
• Recommendations will be summarized and solicited to judges
for review
• Judges will vote on any recommended changes
• Contact project team to recommend judges


CSA Guidance Domains
Cloud Architecture

Governance and Enterprise Risk Management

Governing the
Legal and Electronic Discovery

Cloud
• Popular best practices
Compliance and Audit

Information Lifecycle Management
for securing cloud Portability and Interoperability

computing Security, Bus. Cont,, and Disaster Recovery

Operating in the Cloud
Data Center Operations

• 13 Domains of concern – Incident Response, Notification, Remediation

governing & operating Application Security

Encryption and Key Management
groupings Identity and Access Management

Virtualization

Guidance > 100k downloads: cloudsecurityalliance.org/guidance


Summary
• Cloud Computing is real and transformational
• Challenges for People, Process, Technology,
Organizations and Countries
• Broad governance approach needed
• Tactical fixes needed
• Combination of updating existing best practices and
creating completely new best practices
• Common sense not optional


Contact

• Help us secure cloud computing
• www.cloudsecurityalliance.org
• info@cloudsecurityalliance.org
• LinkedIn: www.linkedin.com/groups?gid=1864210
• Twitter: @cloudsa


Thank you!

www.cloudsecurityalliance.org

Presd1 10

More Related Content

What's hot

Similar to Presd1 10

More from Niels Groeneveld

Recently uploaded

Presd1 10