Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
Post on 14-Sep-2014
“…dare to dream; care to win…”
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Venkateswar Reddy Melachervu, Associate Vice President – IT
www.linkedin.com/in/vmelachervu
vmelachervu@gmail.com
Cloud Computing and Safety: Let’s Secure Cloud!
20th July 2013
In God we trust; All others, we virus scan
© 2010. All rights reserved.
Cloud Computing and Security © Venkateswar Reddy Melachervu 2013. All rights reserved.
“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards”
- Unknown
“Only the Paranoid Survive” - Andy Grove, Former Chairman, Intel Inc.
Disclaimer
“Some of the generally available information in the cloud on computing and cloud security is the inspiration and source for a few topics - for the fear of re-inventing the wheel. I hereby thankfully acknowledge those sources.”
Agenda
Global Cyber Attacks Stats
What is Computing Security?
Cloud Computing, Models and Security Demystified
New Security Challenges of Cloud Computing
Security Dimensions – The CIA Triad
Scope of Cloud Computing Security
Security Challenge Eco-system
Vulnerabilities, Threats and Exposure Points
Attacks – Modes and Types
The Notorious Nine – Cloud Security Threats
Methods of Defence
Tenets of Security Control
Security Life Cycle
Cloud Security Components and Governance
Tiered Cloud Security Handling Framework
Bottom-line
Take-aways
Cyber Crime – The Beginning
In 1988 a worm program – the Morris Worm, written by a college student, Robert T. Morris, Jr. of Cornell University – shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber/Cloud attacks.
First National Bank of Chicago is the victim of a $70-million computer theft.
Incident Few Years Back
Heartland Payment Systems, March 2008
Impact: 134 million credit cards exposed through SQL injection, used to install spyware on Heartland's data systems.
2012 Global Cyber Attacks Stats
Security Violation Consequences
Revenue loss
Customer data loss and liabilities
Embarrassment to yourself and/or the University
Having to recreate lost data
Identity theft
Data corruption or destruction
Loss of patient, employee, and public trust
Costly reporting requirements and penalties
Disciplinary action (up to expulsion or termination)
Unavailability of vital data
What’s Computing Security?
What Is Computing/IT Security?
Protection of computing systems and the data that they store or access
To prevent theft of or damage to the hardware, software etc. – Confidentiality
To prevent theft of or damage to the information and to protect privacy – Privacy and Integrity
To prevent disruption of service – Availability/Denial of Service
Why Do I Need to Learn About Computer Security?
Isn’t this just an IT problem?
Everyone who uses a computer needs to understand how to keep his or her computer and data secure
IT security is not a product, but a process
Why Are Computers Not Secure?
No major operating system has ever worked perfectly
No OS vendor has dared offer a warranty against malfunctions
It is far easier to build a secure system than to build a correct system
You might be able to live in a house with a few holes in the walls, but you will not be able to keep burglars out
Securing a system has traditionally been a battle of wits
The problem is people/exploitation - not computers
Cloud Computing – NIST Definition
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
Cloud Computing - Business Definition
“A large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet”
Cloud Computing Demystified
On demand computational services over web
Spiky compute needs of the scientists
Horizontal and dynamic scaling with no additional cost
Increased throughput
Multi-tenant
Accessed over a network
Only pay for what you use
Shared internally or with other customers
Resources - storage, computing, services, etc.
Internal network or Internet
Similar to Timesharing
Rent IT resources vs. buy
Multi-Tenancy
Cloud Service Layers and Models
[Diagram: layers and models – IaaS, PaaS, SaaS – on a scale from Autonomous to More Control/Flexibility]
Conventional Data Centre
Cloud Modelled Data Centre
Public, Private, Hybrid Clouds
Cloud Computing – Enablers and Inhibitors
Why Cloud Computing Brings New Security Challenges?
Data, applications, resources are located with provider
User identity management is handled by the cloud provider
User access control rules, security policies and enforcement are managed by the cloud provider
Multi-tenancy
Consumer relies on provider to ensure Data security and privacy
Resource availability
Monitoring and repairing of services/resources
Self-managed or Private Clouds overcome most of the above new threats
Security Dimensions – The CIA Triad
[Diagram: the CIA triad – Confidentiality, Integrity, Availability – around “Secured Hardware”]
Confidentiality
The need for keeping information secret
Protecting proprietary designs from competitors
Protecting a company’s personnel records
Protecting personal financial/ID info against ID theft
Applies to resource hiding: system configuration data
Resources – systems, equipment, services etc.
Integrity
Preventing improper or unauthorized change or access
Data integrity and system integrity
Non-repudiation – example: digital certificate of the origin source
Availability
Reliability and system design
To prevent denial-of-service attacks – attempts to block the availability of systems or services
System designs usually assume a statistical model to analyze expected patterns of use
Need to Balance CIA Triad
Example 1: C vs. I+A
Disconnect computer from Internet to increase confidentiality
Availability suffers, integrity suffers due to lost updates
Example 2: I vs. C+A
Have extensive data checks by different people/systems to increase integrity
Confidentiality suffers as more people see data, availability suffers due to locks on data under verification
Scope of Cloud Security
[Diagram: cloud eco-system – Cloud and Data Center connected over LAN/WAN/Wifi/PLMN/PAN networks, with the C, I, A dimensions applying across the whole eco-system]
Security Challenge Eco-system
[Diagram: physical and logical, environmental and operational challenges spanning hardware, software, data, humans and network]
Vulnerabilities, Threats, and Exposure Points
Vulnerability – a weakness in a security system
Threat – circumstances that have a potential to cause harm
Exposure points – external access points that can be taken advantage of by the most advanced attackers, compromising security
Attack – materialization of a vulnerability/threat/compromised exposure point, or a combination
Attack may be:
Successful, a.k.a. an exploit – resulting in a breach of security, a system penetration, etc.
Unsuccessful – when controls block a threat trying to exploit a vulnerability
Software Vulnerabilities
Software deletion – easy to delete needed software by mistake; to prevent this, use configuration management software
Software modification – worms, Trojan horses, viruses, logic bombs, trapdoors, information leaks ...
Software theft – unauthorized copying via P2P, etc.
Hardware Vulnerabilities
Add or remove a hardware device – ex: snooping, wiretapping
Modification, alteration of a system
Physical attacks on hardware – accidental or voluntary theft/destruction
Damage the machine (spilled coffee, mice, real bugs)
Steal the machine
Network/Web Vulnerabilities
Phishing – an evil website pretends to be a trusted website
Example: you type, by mistake, “mibank.com” instead of “mybank.com”
mibank.com designs the site to look like mybank.com so the user types in their info as usual
BAD! Now an evil person has your info!
SQL Injection
Cross Site Scripting – writing a complex JavaScript program that steals data left by other sites that you have visited in the same browsing session
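Added example (not from the original presentation): the two web vulnerabilities named above, SQL injection and cross-site scripting, each shown as a vulnerable Python snippet beside its hardened form. The user table, credentials, login and greeting functions are constructed for this illustration; a real application would store password hashes rather than plaintext passwords.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the illustration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Plaintext passwords only to keep the query readable; real systems store hashes.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE: user input is pasted into the SQL text, so a crafted value
    can change the structure of the query instead of being compared as data."""
    query = (
        f"SELECT role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """HARDENED: parameterised query. The driver passes the values separately
    from the SQL text, so they can only ever be compared as data."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def render_greeting_vulnerable(name: str) -> str:
    """VULNERABLE: untrusted input written straight into the HTML response."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_hardened(name: str) -> str:
    """HARDENED: output encoding turns markup characters into HTML entities,
    so the browser renders the input as text instead of interpreting it."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def demo() -> dict:
    """Run both vulnerable/hardened pairs on the same inputs and return the outcomes."""
    conn = make_db()
    # Textbook tautology payload: the quote closes the string literal and the
    # OR makes the WHERE clause true for every row of the table.
    payload = "' OR '1'='1"
    script = "<script>alert(1)</script>"
    return {
        "vulnerable_login_bypassed": login_vulnerable(conn, "alice", payload),
        "hardened_login_bypassed": login_hardened(conn, "alice", payload),
        "hardened_login_correct": login_hardened(conn, "alice", "correct horse"),
        "vulnerable_greeting_has_script": "<script>" in render_greeting_vulnerable(script),
        "hardened_greeting_has_script": "<script>" in render_greeting_hardened(script),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the vulnerable login accepting a wrong password while the parameterised version rejects it, and the escaped greeting containing no live tag; the fix in both cases is the same principle: keep untrusted data separate from the code (SQL text, HTML markup) that interprets it.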
Kinds of Threats
Interception – an unauthorized party (human or not) gains access to an asset
Interruption – an asset becomes lost, unavailable, or unusable
Modification – an unauthorized party changes the state of an asset
Fabrication – an unauthorized party counterfeits an asset
Modes of Attacks
Over the Internet
Over LAN
Locally
Offline
Theft
Deception
Types of Attackers
Not all hackers are evil wrongdoers trying to steal your info
Classification 1:
Amateurs
Opportunistic attackers (use a password they found)
Script kiddies
Hackers – non-malicious (in broad use beyond the security community: also malicious)
Crackers – malicious
Career criminals
State-supported spies and information warriors
Classification 2:
Recreational hackers / Institutional hackers
Organized criminals / Industrial spies / Terrorists
National intelligence gatherers / Info warriors
Common Attacks
Network attacks – packet sniffing, man-in-the-middle, DNS hacking
Web attacks – phishing, SQL injection, cross site scripting
OS, applications and software attacks – virus, Trojan, worms, rootkits, buffer overflow
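Added example (not part of the original presentation) for the phishing entry above: a defensive check that flags look-alike destinations, such as the mibank.com versus mybank.com case from the earlier slide, by comparing each host seen in a web-proxy log against a list of trusted domains. The trusted domains, the sample hosts and the confusable-character table are constructed assumptions for this illustration.

```python
from typing import Dict, List, Tuple

# Constructed list of domains the organisation treats as its own or trusted
# (assumption for this example; a real list comes from the brand/asset inventory).
TRUSTED_DOMAINS: List[str] = ["mybank.com", "example-cloud.com"]

# Constructed sample of destination hosts as a web proxy might log them.
SAMPLE_HOSTS: List[str] = [
    "mybank.com",
    "login.mybank.com",
    "mibank.com",
    "my-bank.com",
    "rnybank.com",
    "mybank.com.evil.example",
    "news.example.org",
]

# Character sequences commonly used to imitate other characters (constructed subset).
CONFUSABLES: Dict[str, str] = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Fold confusable sequences so that 'rnybank' compares equal to 'mybank'."""
    for seq, replacement in CONFUSABLES.items():
        name = name.replace(seq, replacement)
    return name


def registrable_part(host: str) -> str:
    """Last two labels of the host. Assumes simple TLDs; a real deployment would
    consult the Public Suffix List to handle names such as example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str, trusted: List[str] = TRUSTED_DOMAINS,
                  max_distance: int = 2) -> str:
    """Return 'trusted', 'suspicious:<reason>' or 'unknown' for one host."""
    host = host.lower().rstrip(".")
    reg = registrable_part(host)
    if reg in trusted:
        return "trusted"          # genuine domain or one of its subdomains
    for t in trusted:
        brand = t.split(".")[0]
        # Trusted brand name embedded inside a foreign registrable domain.
        if brand in host:
            return "suspicious:embedded-brand"
        # Small edit distance (after confusable folding) to a trusted domain.
        if edit_distance(normalize(reg), normalize(t)) <= max_distance:
            return "suspicious:lookalike"
    return "unknown"


def scan(hosts: List[str]) -> List[Tuple[str, str]]:
    """Classify every host and return (host, verdict) pairs for analyst review."""
    return [(h, classify_host(h)) for h in hosts]


def suspicious_hosts(hosts: List[str]) -> List[str]:
    """Only the hosts an analyst should look at, in log order."""
    return [h for h, verdict in scan(hosts) if verdict.startswith("suspicious")]


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_HOSTS):
        print(f"{host:28} {verdict}")
```

The check deliberately errs on the side of flagging: anything within two edits of a trusted name, or carrying the brand inside another domain, goes to review, while "unknown" hosts are left alone. In production the trusted list and the confusable table would be far larger, and the registrable-domain split would use the Public Suffix List.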
Network Attacks
Packet sniffing – Internet traffic consists of data “packets”, and these can be “sniffed”; leads to other attacks such as password sniffing, cookie stealing, session hijacking, information stealing
Man in the middle – insert a router in the path between client and server, and change the packets as they pass through
DNS hijacking – insert malicious routes into DNS tables to send traffic for genuine sites to malicious sites
Malicious SW Attacks
Bacterium – a specialized form of virus which does not attach to a specific file. Usage obscure.
Logic bomb – malicious logic that activates when specified conditions are met. Usually intended to cause denial of service or otherwise damage system resources.
Trapdoor – a hidden computer flaw known to an intruder, or a hidden computer mechanism (usually software) installed by an intruder, who can activate the trap door to gain access to the computer without being blocked by security services or mechanisms.
Trojan horse – a computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Malicious SW Attacks
Virus – a hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
Worm – a computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
The Notorious Nine – Cloud Computing Top Threats in 2013
Source: Cloud Security Alliance
Data Breaches
Data Loss
Account Hijacking
Insecure APIs
Denial of Service
Malicious Insiders
Abuse of Cloud Services
Insufficient Due Diligence
Shared Technology Issues
Tenets of Security Defence and Control
Castle in Middle Ages:
Location with natural obstacles
Surrounding moat
Drawbridge
Heavy walls
Strong gate
Tower
Guards
Computers Today:
Encryption
Software controls
Hardware controls
Policies and procedures
Multiple controls – physical and computational
System perimeter – defines inside/outside
Pre-emption – attacker scared away
Deterrence – attacker could not overcome defences
Faux environment – attack deflected towards a worthless target
Tenets of Security Control
Policy vs. Procedure
Policy: what is/what is not allowed
Procedure: how you enforce policy
Policy must consider:
Alignment with users’ legal and ethical standards
Probability of use (inconvenient: 200-character password, change password every week)
Periodic reviews – a given control usually becomes less effective with time
Need to replace ineffective/inefficient controls with better ones
Advantages of policy and procedural controls:
Can replace hardware, software controls
Can be least expensive
Methods of Defence
Prevent attack – block attack / close vulnerability
Deter attack – make attack harder (can’t make it impossible)
Detect attack – during or after
Deflect attack – make another target more attractive than this target
Recover from attack
IT defense consists of:
Encryption
Software controls
Hardware controls
Policies
Physical controls
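Added example (not from the original presentation) of the “Detect attack – during or after” method applied to account hijacking, one of the Notorious Nine listed earlier: two detectors run over constructed authentication log lines, one for repeated failures from a single source and one for a single source trying many different accounts (password spraying). The log format, thresholds and time window are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed authentication log in an assumed format:
#   <ISO timestamp> auth <FAIL|OK> user=<account> src=<source IP>
SAMPLE_LOG = """\
2013-07-20T09:00:01 auth FAIL user=alice src=203.0.113.7
2013-07-20T09:00:03 auth FAIL user=alice src=203.0.113.7
2013-07-20T09:00:05 auth FAIL user=alice src=203.0.113.7
2013-07-20T09:00:06 auth FAIL user=alice src=203.0.113.7
2013-07-20T09:00:08 auth FAIL user=alice src=203.0.113.7
2013-07-20T09:00:10 auth OK   user=alice src=203.0.113.7
2013-07-20T09:01:00 auth FAIL user=bob   src=198.51.100.2
2013-07-20T09:10:00 auth OK   user=bob   src=198.51.100.2
2013-07-20T10:00:00 auth FAIL user=carol src=192.0.2.9
2013-07-20T10:00:01 auth FAIL user=dave  src=192.0.2.9
2013-07-20T10:00:02 auth FAIL user=erin  src=192.0.2.9
2013-07-20T10:00:03 auth FAIL user=frank src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

Event = Tuple[datetime, str, str, str]  # (time, outcome, user, src)


def parse(log_text: str) -> List[Event]:
    """Parse the assumed format into sorted events; lines that do not match are skipped."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return sorted(events)


def _by_source(events: List[Event]) -> Dict[str, List[Event]]:
    groups: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        groups[ev[3]].append(ev)
    return groups


def detect_brute_force(events: List[Event], threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Flag a source with at least `threshold` failures inside `window`, and note
    whether a success followed: a failure run ending in success is the signature
    of a hijacked account rather than a forgotten password."""
    alerts = []
    for src, evs in _by_source(events).items():
        fails = [e for e in evs if e[1] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:   # slide the window
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end][0]
                success_after = any(e[1] == "OK" and e[0] >= last_fail for e in evs)
                alerts.append({"src": src, "kind": "brute-force",
                               "failures": end - start + 1,
                               "success_after": success_after})
                break
    return alerts


def detect_password_spray(events: List[Event], min_accounts: int = 3,
                          window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Flag a source whose failures inside `window` touch at least `min_accounts`
    distinct accounts: few tries per account, so per-account lockout never fires."""
    alerts = []
    for src, evs in _by_source(events).items():
        fails = [e for e in evs if e[1] == "FAIL"]
        best = 0
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            best = max(best, len({e[2] for e in fails[start:end + 1]}))
        if best >= min_accounts:
            alerts.append({"src": src, "kind": "password-spray", "accounts": best})
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect_brute_force(evs) + detect_password_spray(evs):
        print(alert)
```

On the constructed log the first detector fires for 203.0.113.7 (five failures in seven seconds, then a success) and the second for 192.0.2.9 (four accounts in four seconds), while bob's single failure followed by a later success raises nothing. The two detectors look at the same events from different angles, which is why spraying needs its own rule: per-source failure counts alone stay below the brute-force threshold.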
Security Life Cycle
Analyze Threats
Policy
Specification
Design
Implementation
Operation and Maintenance
Governance
Security Analysis Process
Identify assets – which assets are we trying to protect? What properties of these assets must be maintained?
Identify threats – what attacks can be mounted? What other threats are there (natural disasters, etc.)?
Identify countermeasures – how can we counter those attacks?
Independent analysis
Cloud Security Components
Cloud Provisioning Services
Cloud Data Storage Services
Cloud Processing Infrastructure
Cloud Support Services
Cloud Network and Perimeter Security
Elastic Elements: Storage, Processing, and Virtual Networks
Organize Threats – STRIDE Model
Spoofing identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege
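Added example (not from the original presentation) that puts the security analysis process and the STRIDE model together in code: a small threat register that records an asset, the properties it must maintain, its STRIDE-classified threats and their countermeasures, and then reports two kinds of gap: threats with no countermeasure, and required properties for which no threat has been identified at all. The asset, threats and countermeasure names are constructed for the illustration (the countermeasures echo the controls listed later in this deck); the STRIDE-to-property mapping is the standard one.

```python
from dataclasses import dataclass, field
from typing import List

# Standard mapping: each STRIDE category is the violation of one security property.
STRIDE_PROPERTY = {
    "Spoofing": "authentication",
    "Tampering": "integrity",
    "Repudiation": "non-repudiation",
    "Information disclosure": "confidentiality",
    "Denial of service": "availability",
    "Elevation of privilege": "authorization",
}


@dataclass
class Threat:
    category: str                     # one of the STRIDE_PROPERTY keys
    description: str
    countermeasures: List[str] = field(default_factory=list)


@dataclass
class Asset:
    name: str
    required_properties: List[str]    # "what properties must be maintained?"
    threats: List[Threat] = field(default_factory=list)


def validate(asset: Asset) -> None:
    """Reject threats that are not classified with a STRIDE category."""
    bad = [t.description for t in asset.threats if t.category not in STRIDE_PROPERTY]
    if bad:
        raise ValueError(f"threats without a valid STRIDE category: {bad}")


def uncovered_threats(asset: Asset) -> List[Threat]:
    """Identified threats that still have no countermeasure."""
    return [t for t in asset.threats if not t.countermeasures]


def properties_at_risk(asset: Asset) -> List[str]:
    """Required properties threatened by at least one uncovered threat."""
    at_risk = {STRIDE_PROPERTY[t.category] for t in uncovered_threats(asset)}
    return [p for p in asset.required_properties if p in at_risk]


def unaddressed_properties(asset: Asset) -> List[str]:
    """Required properties for which no threat was identified: blind spots in the analysis."""
    considered = {STRIDE_PROPERTY[t.category] for t in asset.threats}
    return [p for p in asset.required_properties if p not in considered]


def build_example_register() -> Asset:
    """Constructed example: a customer database hosted with a public cloud provider."""
    db = Asset(
        name="customer-records-db",
        required_properties=["confidentiality", "integrity", "availability",
                             "authentication", "authorization"],
    )
    db.threats = [
        Threat("Spoofing", "Attacker presents stolen tenant credentials",
               ["strong authentication", "identity federation"]),
        Threat("Tampering", "Records altered via injection through the app tier",
               ["parameterised queries", "integrity logging"]),
        Threat("Information disclosure", "Co-tenant or provider staff read data at rest",
               ["encryption & key management", "tokenization"]),
        Threat("Denial of service", "Request flood exhausts the database tier"),
        Threat("Repudiation", "User denies having submitted a transaction"),
    ]
    validate(db)
    return db


def report(asset: Asset) -> List[str]:
    """Human-readable gap summary, one line per finding."""
    lines = [f"Asset: {asset.name}"]
    for t in uncovered_threats(asset):
        lines.append(f"  UNCOVERED [{t.category}] {t.description}")
    for p in properties_at_risk(asset):
        lines.append(f"  AT RISK   {p}")
    for p in unaddressed_properties(asset):
        lines.append(f"  NO THREAT IDENTIFIED for required property: {p}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_example_register())))
```

For the constructed asset the report lists the denial-of-service and repudiation threats as uncovered, marks availability as the required property at risk (non-repudiation was not declared a requirement, so it is noted but not escalated), and flags authorization as a property for which no elevation-of-privilege threat was ever considered, which is exactly the kind of blind spot the "Independent analysis" step is meant to catch.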
Legal
Functional – which functions & services in the Cloud have legal implications for both parties
Jurisdictional – which governments administer laws and regulations impacting services, stakeholders, data assets
Contractual – terms & conditions
Governance
Identify and implement processes and controls to maintain effective governance, risk management and compliance
Provider security governance should be assessed for sufficiency, maturity and consistency
Tiered Cloud Security Handling Framework
[Diagram: Cloud Provider physical infrastructure hosting a virtual infrastructure, with Tenant #1 and Tenant #2 each running their own APP/OS stacks]
Insulate information from cloud providers’ employees
Insulate information from other tenants
Insulate infrastructure from malware, Trojans and cybercriminals
Segregate and control user access
Control and isolate VMs in the virtual infrastructure
Federate identities with public clouds
Identity federation
Virtual network security
Access management
Cybercrime intelligence
Strong authentication
Data loss prevention
Encryption & key management
Tokenization
Governance
Anti-malware
Enable end-to-end view of security events and compliance and control across infrastructures
Security Certifications
CCSK – Cloud Security Alliance Certifications
CISSP – (ISC)2
CPTC – Certified Penetration Testing Consultant
CPTE – Certified Penetration Testing Engineer
CompTIA – Security+
CSTA – Certified Security Testing Associate
GPEN – GIAC Certified Penetration Tester
OSCP – Offensive Security Certified Professional
CEH – Certified Ethical Hacker
ECSA – EC-Council Certified Security Analyst
CEPT – Certified Expert Penetration Tester
Source: http://www.concise-courses.com/security/certifications-list/
Bottom Line
Engage in full risk management process for each case
For small and medium organizations: Cloud security may be a big improvement! Cost savings may be large (economies of scale)
For large organizations: already have large, secure data centers
Main sweet spots: elastic services, Internet-facing services
Employ countermeasures
Take-Aways
Policy defines security and mechanisms enforce security
Confidentiality, Integrity, Availability
Trust and knowing assumptions
Importance of assurance
The human factor
Cloud Computing and Safety: Let’s Secure Cloud!
20th July 2013
Venkateswar Reddy Melachervu, Associate Vice President – IT
www.linkedin.com/in/vmelachervu
vmelachervu@gmail.com
In God we trust; All others, we virus scan
Thank You
“…dare to dream; care to win…”