Security in Cloud Computing: Issues and Opportunities for Businesses and Governments. Toni Draganov Stojanovski, University for Information Science and Technology "St. Paul the Apostle", Ohrid, Macedonia. NATO Advanced Research Workshop “Best Practices and Innovative Approaches to Develop Cyber Security and Resiliency Policy Framework”, Ohrid, Macedonia, 10-12 June 2013.

Dec 16, 2015


Security in Cloud Computing: Issues and Opportunities for Businesses and Governments

Toni Draganov Stojanovski

University for Information Science and Technology

"St. Paul the Apostle", Ohrid, Macedonia

NATO Advanced Research Workshop “Best Practices and Innovative Approaches to Develop Cyber Security and Resiliency Policy Framework”,

Ohrid, Macedonia, 10-12 June 2013


Holy Grail of CIO
• A way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software.

Cloud Computing?


Roadblocks

Cloud computing Hype


Compelling economic case

Security Issues (Old)

Security Issues (New)


Compelling economic case

Security Issues (Old)

Security Issues (New)


Overview
• Definition, Model, Architecture
• The rationale
• Main obstacles/Security issues
• Human Factor
• Solutions


Definition
• Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

NIST

• Zero CAPEX
• Controlled OPEX


Cloud Service Models
• Software as a Service (SaaS) – Use provider’s applications over a network
  • Google Apps, Microsoft Office 365, Salesforce

• Platform as a Service (PaaS) – Deploy customer-created applications to a computing platform: OS, DB, and web server.
  • Google App Engine, Windows Azure Cloud Services

• Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources
  • Amazon EC2, Azure Services Platform, Google Compute Engine


Cloud Deployment Models
• Private cloud: enterprise owned or leased
• Community cloud: shared infrastructure for specific community
• Public cloud: sold to the public, mega-scale infrastructure
• Hybrid cloud: composition of two or more cloud types


Essential Cloud Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
• Location independence
• Rapid elasticity
• Measured service


Overview
• Definition, Model, Architecture
• The rationale
• Main obstacles/Security issues
• Human Factor
• Solutions


Why rush into cloud computing?
• $$$
• Federal CIO Vivek Kundra (2009-2011): “The government spends a quarter of its $80 billion annual IT budget on basic infrastructure such as hardware, software, electricity, and personnel. … shifting to the cloud could significantly lower those costs.”

Info.Apps.gov is a place where agencies can gather information about how Cloud Computing can help create sustainable, more cost-effective IT Services for the Federal Government.

Federal IT budget 2013: $82B


The cloud market value
• US$58.6B in 2009
• US$68B in 2010
• Will reach US$148B by 2014

• Source
  • Frank Gens, Robert P Mahowald and Richard L Villars, IDC Cloud Computing 2010.


Right strategy? Right time?

• Mature technologies approach a feasible level for developing products and services

• In periods of economic challenges, businesses look to cut costs and open up possibilities to gain competitive advantages.

• Governments also see an opportunity to cut costs and add to their agility.


Benefits of Cloud


Excitement and Concerns
• 58% of the general population and 86% of senior business leaders are excited about the potential of cloud computing.

• > 90% of these same people are concerned about the security, access, and privacy of their own data in the cloud.

• Security is management’s number one concern

Source: Grant Gross. “Microsoft Calls for Cloud Computing Transparency.” IDG News, Jan. 2010. http://www.pcworld.com/article/187294/microsoft_calls_for_cloud_computing_transparency.html


Any analogy between physical world and cyberworld is a fraud?


Overview
• Definition, Model, Architecture
• The rationale
• Main obstacles/Security issues
• Human Factor
• Solutions


Roadblocks: What’s holding cloud computing back?


Key Issues with Cloud Computing Security
• Shared responsibility for securing the infrastructure
• Transparency into provider’s security management
• Penetration testing
• Vendor lock-in
• Gather forensic evidence
• Hypervisor vulnerabilities
• Side channel and covert channel
• Reputation fate-sharing
• Legal support


Issue #1: Who is responsible for security?


The responsibility for securing the infrastructure is a shared responsibility between the provider and the user of cloud services.


Issue #2: Transparency into cloud services provider’s security management

• Reduced ability to thoroughly analyze the security and continuity risks, and to verify the security measures and processes of cloud computing services.

• Third-party certifications are immature and unable to address all aspects of cloud computing risk.
  • FedRAMP has been established to provide a standard approach to Assessing and Authorizing cloud computing services and products. FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use.


Issue #3: Penetration testing
• Penetration testing (pentest) evaluates the security of a computer system or network.

• We must be able to conduct a pentest in a cloud computing environment without causing loss of cloud service


Issue #4: Vendor lock-in
• Possibility for vendor lock-in due to
  • the proprietary nature of many cloud provider services
  • a cloud provider can go out of business

• Solutions:
  • SLAs and other contractual arrangements can provide effective protection.
  • Use cloud services based on open source and industry standards


Issue #5: Gathering forensic evidence
• Intrusions happen!

“The only system that is truly secure is one that is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it.”

Gene Spafford (alt.security FAQs)


Issue #5: Gathering forensic evidence
• Intrusions happen!
• How do we gather forensic evidence when the cloud instance becomes a crime scene?
  • Elastic Block Storage (from Amazon) allows the launching of a virtual machine image from a virtual storage area network (SAN). (IaaS)
  • Things get more complicated as we move up to the PaaS and SaaS levels


Issue #6: Hypervisor vulnerabilities
• Hypervisor is a low-level operating system layer which allows multiple operating systems to run concurrently on a host computer. It presents virtual hardware to the software running above the hypervisor layer.


Issue #6: Hypervisor vulnerabilities
• New technology = new risks, new vulnerabilities
• Hypervisor breach = one virtual machine customer can gain access to the data of a different customer


NEW


Issue #7: Side channel and covert channel
• An attacker VM is placed on the same physical machine as a targeted VM
• The activity of one cloud user might appear visible to other cloud users using the same resources, potentially leading to the construction of covert and side channels.
  • Similar to SSH Keystroke Timing Attack

• Aim: Design cloud servers that optimise performance and power without leaking information

NEW


Issue #8: Reputation fate-sharing
+ Cloud users benefit from a concentration of security expertise at major cloud providers, ensuring that the entire ecosystem employs security best practices.

- A single subverter can disrupt many users.
  • Spammers subverted EC2 and caused Spamhaus to blacklist a large fraction of EC2’s IP addresses
  • The FBI raided Texas datacenters in April 2009, based on suspicions that the targeted datacenters were facilitating cybercrimes. The agents seized equipment, and many businesses co-located in the same datacenters faced business disruptions or even complete business closures.


Issue #8: Reputation fate-sharing
• Cloud users run brute forcers, botnets, or spam campaigns from the cloud;

• Cloud providers scan cloud users’ data and sell confidential information to the highest bidder

• Solution: Mutual auditability
  • Reassures both cloud users and providers that the other is acting in a fashion that is both benign and correct
  • Can assist with incident response and recovery
  • Enables the attribution of blame in search and seizure incidents


NEW


Mutual auditability
• Enable cloud providers in search and seizure incidents to demonstrate
  • to law enforcement that they have turned over all relevant evidence,
  • to users that they have turned over only the necessary evidence and nothing more.

• A third-party auditor requires a setup quite different than today’s practice, in which cloud providers record and maintain all the audit logs.
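
One way such a third-party setup could work, as an added illustration that is not part of the original talk: the provider keeps one hash chain of audit entries per customer, and the auditor stores only each chain's latest head, so a disclosure can be checked for "all and only" one customer's entries. The names `Provider`, `Auditor`, `verify_disclosure` and the tenant IDs are hypothetical, and the events are constructed sample data.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain head before any entry exists


def link(prev_head, entry):
    """Fold one audit entry into the running chain head."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_head + body).encode()).hexdigest()


class Auditor:
    """Third party: stores only (head, entry count) per customer, never the logs."""

    def __init__(self):
        self.witnessed = {}

    def witness(self, tenant, head, count):
        self.witnessed[tenant] = (head, count)


class Provider:
    """Cloud provider: keeps the full logs, one hash chain per customer."""

    def __init__(self, auditor):
        self.auditor = auditor
        self.logs = {}
        self.heads = {}

    def record(self, tenant, event):
        log = self.logs.setdefault(tenant, [])
        entry = {"seq": len(log), "tenant": tenant, "event": event}
        self.heads[tenant] = link(self.heads.get(tenant, GENESIS), entry)
        log.append(entry)
        self.auditor.witness(tenant, self.heads[tenant], len(log))


def verify_disclosure(auditor, tenant, entries):
    """Return (intact, scoped) for the entries turned over for `tenant`.

    intact: the entries reproduce exactly the chain the auditor witnessed
            (nothing omitted, altered or added).
    scoped: no entry belongs to a different customer.
    """
    head, count = auditor.witnessed.get(tenant, (GENESIS, 0))
    recomputed = GENESIS
    for entry in entries:
        recomputed = link(recomputed, entry)
    intact = len(entries) == count and hmac.compare_digest(recomputed, head)
    scoped = all(entry["tenant"] == tenant for entry in entries)
    return intact, scoped


def demo():
    """Constructed scenario: a seizure order names customer 'tenant-a' only."""
    auditor = Auditor()
    provider = Provider(auditor)
    for tenant, event in [("tenant-a", "vm-start"), ("tenant-b", "vm-start"),
                          ("tenant-a", "disk-attach"), ("tenant-a", "login-fail")]:
        provider.record(tenant, event)
    full = list(provider.logs["tenant-a"])
    withheld = full[:-1]                        # provider omits an entry
    padded = full + provider.logs["tenant-b"]   # provider over-discloses
    cases = [("full", full), ("withheld", withheld), ("padded", padded)]
    return {name: verify_disclosure(auditor, "tenant-a", e) for name, e in cases}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The check only covers entries whose head reached the auditor; an event the provider never logs stays invisible, which is why the witnessing step has to happen at record time rather than at disclosure time.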


Issue #9: Legal support
• Email eavesdropping:
  • System administrator can be prosecuted for incorrect setting of server’s parameters

• You can imagine the legal support for security issues in cloud computing!

• NIST Cloud Computing Program
  • Accelerate the Federal government’s adoption of cloud computing
  • http://www.nist.gov/itl/cloud


NEW


NIST Cloud Computing Related Publications
• NIST Special Publication 500 Series:
  • NIST Special Publication 500-291, NIST Cloud Computing Standards Roadmap, July 2011
  • NIST Special Publication 500-292, NIST Cloud Computing Reference Architecture, September 2011
  • NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume I High-Priority Requirements to Further USG Agency Cloud Computing Adoption, November 2011
  • NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume II Useful Information for Cloud Adopters, November 2011

• NIST Special Publication 800 Series:
  • NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010
  • NIST Special Publication 800-125, Guide to Security for Full Virtualization Technologies, January 2011
  • NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011
  • NIST Special Publication 800-145, NIST Definition of Cloud Computing, September 2011
  • NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, May 2012

• NIST Cloud Computing Research Papers:
  • NIST Cloud Computing Public Security Working Group, White Paper "Challenging Security Requirements for US Government Cloud Computing Adoption", December 2012


Overview
• Definition, Model, Architecture
• The rationale
• Main obstacles/Security issues
• Human Factor
• Solutions


Human Factor
• Historically, human users are the weakest link in cryptographic systems
  • Bribery
  • Ignorance
  • Take easier path and don’t follow security procedures


Human Factors in Cloud Computing Security

Cloud

• Concentration of security expertise in cloud computing providers.

• $M in lost reputation and business

Your solution

• Your own security admin
  • Loyal, trained, familiar

• Lot less than $M for SMEs
  • => You will employ someone who is not a security expert, more prone to bribery

At stake in case of security intrusion


Tough questions

1. Who manages the data, and how is their access controlled?

2. External audits and security certifications?

3. Where is the data hosted? Can the data be stored and processed in a specific jurisdiction?

4. Data segregation in a shared environment from other customers.

5. How is data and service recovered in case of a disaster?

6. Support for investigation of illegal activities?

7. If the cloud computing provider goes broke, how will your data remain available?


Overview
• Definition, Model, Architecture
• The rationale
• Main obstacles/Security issues
• Human Factor
• Solutions


Solutions
• No new cryptographic challenge
• Tools for
  • security auditing of procedures and practices
  • gathering forensic evidence

• Legal and technical framework for mutual auditability

• Education of cloud service providers and users
• Legislation


Conclusion
• Many cloud computing security problems are not new, but require modifications to existing solutions.
• As always with outsourcing, transparency is a problem.

• Research areas:
  • Specific intrusion detection tools for the cloud (e.g. OSSEC)
  • Forensic tools for cloud services models PaaS and SaaS.
  • Develop policies, procedures, and standards that may shape new laws
  • Mutual auditability instead of one-way auditability in existing systems


Conclusion


Security will become a significant cloud computing business differentiator

Time-to-market and undercutting prices can greatly sway customers even in the absence of sound security underpinnings

If the economic case prevails, then not even security concerns may prevent cloud computing from becoming a consumer commodity.
