Security in Cloud Computing: Issues and Opportunities for Businesses and Governments Toni Draganov Stojanovski University for Information Science and Technology.

Security in Cloud Computing: Issues and Opportunities for Businesses and Governments

Toni Draganov StojanovskiUniversity for Information Science and Technology

"St. Paul the Apostle", Ohrid, Macedonia

NATO Advanced Research Workshop “Best Practices and Innovative Approaches to Develop Cyber Security and Resiliency Policy Framework”,

Ohrid, Macedonia, 10-12 June 2013

1

2

Holy Grail of CIO• A way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software.

CloudComputing?

3

Roadblocks

Cloud computingHype

4

Compelling economic

case

Security Issues(Old)

Security Issues(New)

5

Compelling

economic

case

Security

Issues

(Old)

Security

Issues

(New)

Overview• Definition, Model, Architecture• The rationale• Main obstacles/Security issues• Human Factor• Solutions

6

Definition• Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

NIST

• Zero CAPEX• Controlled OPEX

7

Cloud Service Models• Software as a Service (SaaS) – Use provider’s applications over a network • : Google Apps, Microsoft Office 365, Salesforce

• Platform as a Service (PaaS) – Deploy customer-created applications to a computing platform: OS, DB, and web server.• Google App Engine, Windows Azure Cloud Services

• Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources• Amazon EC2, Azure Services Platform, Google Compute

Engine 8

Cloud Deployment Models• Private cloud: enterprise owned or leased • Community cloud: shared infrastructure for specific community

• Public cloud: sold to the public, mega-scale infrastructure

• Hybrid cloud: composition of two or more cloud types

9

Essential Cloud Characteristics • On-demand self-service • Broad network access • Resource pooling • Location independence • Rapid elasticity • Measured service

10

Overview• Definition, Model, Architecture• The rationale• Main obstacles/Security issues• Human Factor• Solutions

11

Why rush into cloud computing?• $$$• Federal CIO Vivek Kundra (2009-2011): “The government spends a quarter of its $80 billion annual IT budget on basic infrastructure such as hardware, software, electricity, and personnel. … shifting to the cloud could significantly lower those costs.”

12

Info.Apps.gov is a place where agencies can gather information about how Cloud Computing can help create sustainable, more cost-effective IT Services for the Federal Government.

Federal IT budget 2013: $82B

The cloud market value• US$58.6B in 2009• US$68B in 2010 • Will reach US$148B by 2014

• Source• Frank Gens, Robert P Mahowald and Richard L Villars,

IDC Cloud Computing 2010.

13

Right strategy? Right time?

• Mature technologies approach a feasible level for developing products and service

• In periods of economic challenges, businesses look to cut costs and open up possibilities to gain competitive advantages.

• Governments also see an opportunity to cut costs and add to their agility.

14

Benefits of Cloud

15

Excitement and Concerns• 58% of the general population and 86% of senior business leaders are excited about the potential of cloud computing.

• > 90% of these same people are concerned about the security, access, and privacy of their own data in the cloud.

• Security is management’s number one concern

16Source: Grant Gross. “Microsoft Calls for Cloud Computing Transparency.” IDG News, Jan. 2010. http://www.pcworld.com/article/187294/microsoft_calls_for_cloud_computing_transparency.html

17

Any analogy between physical world and cyberworld is a fraud?

Overview• Definition, Model, Architecture• The rationale• Main obstacles/Security issues• Human Factor• Solutions

18

Roadblocks: What’s holding cloud computing back?

19

20

Key Issues with Cloud Computing Security • Shared responsibility for securing the infrastructure• Transparency into provider’s security management• Penetration testing• Vendor lock-in• Gather forensic evidence• Hypervisor vulnerabilities• Side channel and covert channel• Reputation fate-sharing• Legal support

Issue #1: Who is responsible for security?

21

The responsibility for securing the infrastructure is a shared responsibility between the provider and the user of cloud services.

22

Issue #2: Transparency into cloud services provider’s security management

• Reduced ability to thoroughly analyze the security and continuity risks, and to verify the security measures and processes of cloud computing services.

• Third-party certifications are immature and unable to address all aspects of cloud computing risk. • FedRAMP has been established to provide a standard

approach to Assessing and Authorizing cloud computing services and products. FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use.

23

Issue #3: Penetration testing• Penetration testing (pentest) evaluates the security of a computer system or network.

• We must be able to conduct a pentest in a cloud computing environment without causing loss of cloud service

Issue #4: Vendor lock-in• Possibility for vendor lock-in due to

• the proprietary nature of many cloud provider services• a cloud provider can go out of business

• Solutions:• SLAs and other contractual arrangements can provide

effective protection. • Use cloud services based on open source and industry

standards

24

25

Issue #5: Gathering forensic evidence• Intrusions happen!

The only system that is truly secure is one that is switched off and unplugged, locked in a titanium lines safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it.

Gene Spafford (alt.security FAQs)

26

Issue #5: Gathering forensic evidence• Intrusions happen!• How do we gather forensic evidence when the cloud instance becomes a crime scene?• Elastic Block Storage (from Amazon) allows the launching

of a virtual machine image from a virtual storage area network (SAN). (IaaS)

• Things get more complicated as we move up to the PaaS and SaaS levels

Issue #6: Hypervisor vulnerabilities• Hypervisor is a low-level operating system layer which allows multiple operating systems to run concurrently on a host computer. It presents virtual hardware to the software running above the hypervisor layer.

27

Issue #6: Hypervisor vulnerabilities• New technology = new risks, new vulnerabilities• Hypervisor breach = one virtual machine customer can gain access to the data of a different customer

28

NEW

29

Issue #7: Side channel and covert channel• An attacker VM is placed on the same physical machine as a

targeted VM• The activity of one cloud user might appear visible to other

cloud users using the same resources, potentially leading to the construction of covert and side channels.• Similar to SSH Keystroke Timing Attack

• Aim: Design cloud servers that optimise performance and power without leaking information

NEW

Issue# 8: Reputation fate-sharing+ Cloud users benefit from a concentration of security expertise at major cloud providers, ensuring that the entire ecosystem employs security best practices.

- A single subverter can disrupt many users.• Spammers subverted EC2 and caused Spamhaus to

blacklist a large fraction of EC2’s IP addresses• FBI raided on Texas datacenters in April 2009, based on

suspicions of the targeted datacenters facilitating cybercrimes. The agents seized equipment, and many businesses co-located in the same datacenters faced business disruptions or even complete business closures.

30

Issue# 8: Reputation fate-sharing• Cloud users run brute forcers, botnets, or spam campaigns from the cloud;

• Cloud providers scan cloud users’ data and sell confidential information to the highest bidder

• Solution: Mutual auditability• Reassures both cloud users and providers that the other is

acting in a fashion that is both benign and correct• Can assist with incident response and recovery• Enables the attribution of blame in search and seizure

incidents

31

NEW

Mutual auditability• Enable cloud providers in search and seizure incidents to demonstrate • to law enforcement that they have turned over all relevant

evidence,• to users that they have turned over only the necessary

evidence and nothing more.

• A third-party auditor requires a setup quite different than today’s practice, in which cloud providers record and maintain all the audit logs.

32

Issue #9: Legal support• Email eavesdropping:

• System administrator can be prosecuted for incorrect setting of server’s parameters

• You can imagine the legal support for security issues in cloud computing!

• NIST Cloud Computing Program• Accelerate the Federal government’s adoption of cloud

computing• http://www.nist.gov/itl/cloud

33

NEW

NIST Cloud Computing Related Publications• NIST Special Publication 500 Series:

NIST Special Publication 500-291, NIST Cloud Computing Standards Roadmap, July 2011NIST Special Publication 500-292, NIST Cloud Computing Reference Architecture, September 2011NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume I High-Priority Requirements to Further USG Agency Cloud Computing Adoption, November 2011NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume II Useful Information for Cloud Adopters, November 2011

• NIST Special Publication 800 Series:• NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in

Federal Information Systems and Organizations, June 2010NIST Special Publication 800-125, Guide to Security for Full Virtualization Technologies, January 2011NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011NIST Special Publication 800-145, NIST Definition of Cloud Computing, September 2011NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, May 2012NIST Cloud Computing Research Papers:

• NIST Cloud Computing Public Security Working Group, White Paper "Challenging Security Requirements for US Government Cloud Computing Adoption", December 2012

34

Overview• Definition, Model, Architecture• The rationale• Main obstacles/Security issues• Human Factor• Solutions

35

Human Factor• Historically, human users are the weakest link in cryptographic systems• Bribery• Ignorance• Take easier path and don’t follow security procedures

36

Human Factors in Cloud Computing Security

Cloud

• Concentration of security expertise in cloud computing providers.

• $M in lost reputation and business

Your solution

• Your own security admin• Loyal, trained, familiar

• Lot less than $M for SMEs• =>You will employ not a

security expert, More prone to bribery

37

At stake in case of security intrusion

Tough questions1. Who manages the data, and how is their access controlled?

2. External audits and security certifications?

3. Where is the data hosted? Can the data be stored and processed in a specific jurisdiction?

4. Data segregation in a shared environment from other customers.

5. How is data and service recovered in case of a disaster?

6. Support for investigation of illegal activities?

7. If the cloud computing provider goes broke, how will your data remain available?

38

Overview• Definition, Model, Architecture• The rationale• Main obstacles/Security issues• Human Factor• Solutions

39

Solutions• No new cryptographic challenge• Tools for

• security auditing of procedures and practices• gathering forensic evidence

• Legal and technical framework for mutual auditability

• Education of cloud service providers and users• Legislation

40

Conclusion• Many cloud computing security problems are not new, but require modifications to existing solutions.• As always with outsourcing, transparency is a problem.

• Research areas:• Specific intrusion detection tools for the cloud (e.g.

OSSEC) • Forensic tools for cloud services models PaaS and SaaS.• Develop policies, procedures, and standards that may shape

new laws• Mutual auditability instead of one-way auditability in

existing systems41

Conclusion

42

Security will becomea significant cloud computing business differentiator

Time-to-market and undercutting prices can greatly sway customerseven in the absence of sound security underpinnings

If the economic case prevails, then not even security concerns may prevent cloud

computing from becoming a consumer commodity.

43