Security in the CloudAn Introduction to Issues Regarding Data Integrity & Virtual Machine Security
Outline
What is Cloud Computing? Data Management Issues
Data Integrity Data Provenance Data Remanence Data Availability
Virtual Machine Security Cloud Mapping Co-Residence Side-Channeling
What Is Cloud Computing?
Confusion Exists, Not Without Reason
The Future Of Computing for Business & Home
An Old Concept Revisited
“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do… I don’t understand what we would de differently in the light of cloud computing other than change the wording of some of our ads.” - Larry Ellison
What Is Cloud Computing?
Remote Access To Centrally Stored Data & Applications
Flexibility in Resource Sharing and Allocation
Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service
(IaaS)
Cloud Computing is a method in which the internet is used as a medium to enable resource and application sharing
IBM XForce Report
2013 Figure 2 – H1 (encrypted and locked!)2012 Sampling of Security Incidents by Attack Type, Time and Impact
Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses
IBM
Coverage20,000+ devices
under contract
3,700+ managed clients worldwide
13B+ events managed per day
133 monitored countries (MSS)
1,000+ security related patents
Depth14B analyzed web pages & images
40M spam & phishing attacks
64K documented vulnerabilities
Billions of intrusion attempts daily
Millions of unique malware samples
Data Concerns in the Cloud Data Integrity
Cloud Service Provider (CSP) Concerns Third Party Auditing (TPA) Encryption and Multitenancy
Data Provenance Data Remanence Data Availability
Elasticity CSP Related Downtime Malicious Attacks
Data Integrity
Cloud Service Provider (CSP) Concerns CSP Security
▪ Data Transfer▪ Data-at-Rest
CSP Data Loss▪ Unintentional▪ Intentional
Third Party Auditing▪ The Auditor▪ Support for Dynamic Data
Data Integrity
Encryption & Multitenancy Multitenancy – Storage of data from
multiple clients in a single repository Inability to use encryption in order to
support indexing Encryption largely irrelevant if data is
analyzed on the cloud, as analysis requires decryption.
Data Provenance & Remanence
Data Provenance – Calculation Accuracy Shared resources mean shared
responsibility Difficulty / Impossibility in tracking
involved machines
Data Remanence – Data Cleansing “Ghost Data” – Left behind after deletion No remanence security plan for any
major CSP
Availability
Total Downtime (HH:MM:SS)
Availability Per Day Per Month Per Year
99.999% 00:00:00.4 00:00:26 00:05:15
99.99% 00:00:08 00:04:22 00:52:35
99.9% 00:01:26 00:43:49 08:45:56
99% 00:14:23 07:18:17 87:39:29
Mather, Tim; Kumaraswamy, Subra; Latif, Shahed; Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media, Inc., 2009
Cloud Service Provider (CSP) Concerns
Availability + Elasticity
http://blog.bkis.com/en/korea-and-us-ddos-attacks-the-attacking-source-located-in-united-kingdom/
Malicious Attacker Concerns
Distributed Denial of Service (DDoS)
Uses Port Flooding to Slow Systems or Force Server Resets.
• External Attack Models• Similar to Traditional
Strikes• Cloud Usage as Attacker
• Internal Attack Models• Protection Responsibility
Lies on the User• CSP Would Need to Detect
Contractual/Legal Agreements Up-Time Jurisdiction Data Ownership
Escrow Data? Metadata? Exit Clause Testing for
Disaster Recovery Incident Response E-Discovery
Right to Audit
Current Open Questions
Cloud Mapping Co-Residence Side-Channeling Certificate Management
Virtual Machine Security
Cloud Mapping
Ristenpart, Thomas; Tromer, Eran; Shacham, Hovav; Savage, Stefan. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds.CCS '09, November9-13, 2009, Chicago, Illinois, USA. Copyright 2009.
Co-Residence
Virtual Machine Security
Ristenpart, Thomas; Tromer, Eran; Shacham, Hovav; Savage, Stefan. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds.CCS '09, November9-13, 2009, Chicago, Illinois, USA. Copyright 2009.
Side-Channeling
Virtual Machine Security
Ristenpart, Thomas; Tromer, Eran; Shacham, Hovav; Savage, Stefan. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds.CCS '09, November9-13, 2009, Chicago, Illinois, USA. Copyright 2009.
Cloud Security
Works Cited Armbrust, Michael; Fox, Armando; Griffith, Rean; Joseph, Anthony D.; Katz, Randy; Konwinski,
Andy; Lee, Gunho; Patterson, David; Rabkin, Ariel; Stoica, Ion; Zaharia, Matei. 2010. A view of cloud computing. Commun. ACM 53, 4 (April 2010), 50-58. DOI=10.1145/1721654.1721672 http://0-doi.acm.org.catalog.library.colostate.edu/10.1145/1721654.1721672
Brodkin, Jon; Gartner: Seven cloud-computing security risks. Network World. July 02, 2008 03:48 PM ET. http://www.networkworld.com/news/2008/070208-cloud.html"
Christodorescu, Mihai; Sailer, Reiner; Schales, Douglas Lee; Sgandurra, Daniele; Zamboni, Diego. 2009. Cloud security is not (just) virtualization security: a short paper. In Proceedings of the 2009 ACM workshop on Cloud computing security (CCSW '09). ACM, New York, NY, USA, 97-102. DOI=10.1145/1655008.1655022 http://doi.acm.org/10.1145/1655008.1655022
Cong Wang; Qian Wang; Kui Ren; Wenjing Lou; , "Privacy-Preserving Public Auditing for Data Storage Security in Cloud Computing," INFOCOM, 2010 Proceedings IEEE , vol., no., pp.1-9, 14-19 March 2010 doi: 10.1109/INFCOM.2010.5462173 URL: http://0-ieeexplore.ieee.org.catalog.library.colostate.edu/stamp/stamp.jsp?tp=&arnumber=5462173&isnumber=5461899
Cong Wang; Qian Wang; Kui Ren; Wenjing Lou; Dept. of ECE, Illinois Inst. of Technol., Chicago, IL, USA This paper appears in: Quality of Service, 2009. IWQoS. 17th International Workshop on Issue Date: 13-15 July 2009 On page(s): 1 - 9 Location: Charleston, SC ISSN: 1548-615X E-ISBN: 978-1-4244-3876-1 Print ISBN: 978-1-4244-3875-4 INSPEC Accession Number: 10834827 Digital Object Identifier: 10.1109/IWQoS.2009.5201385 Date of Current Version: 18 August 2009
Furht, Borko. “Cloud Computing Fundamentals.” Ed. B Furht & A Escalante. Handbook of Cloud Computing May (2010) : 3-19.
Works Cited cont. Grossman, R.L.; , "The Case for Cloud Computing," IT Professional , vol.11, no.2, pp.23-27,
March-April 2009 doi: URL: http://0-ieeexplore.ieee.org.catalog.library.colostate.edu/stamp/stamp.jsp?tp=&arnumber=4804045&isnumber=480403410.1109/MITP.2009.40
Jaeger, Paul T; Lin, Jimmy; Grimes, Justin M. Cloud Computing and Information Policy: Computing in a Policy Cloud? 933-1681, 2008, 5, 3, 269-283
Jensen, Meiko; Schwenk, Jörg; Gruschka, Nils; Lo Iacono, Luigi. "On Technical Security Issues in Cloud Computing," cloud, pp.109-116, 2009 IEEE International Conference on Cloud Computing, 2009
Jinpeng Wei, Xiaolan Zhang, Glenn Ammons, Vasanth Bala, and Peng Ning. 2009. Managing security of virtual machine images in a cloud environment. In Proceedings of the 2009 ACM workshop on Cloud computing security (CCSW '09). ACM, New York, NY, USA, 91-96. DOI=10.1145/1655008.1655021 http://doi.acm.org/10.1145/1655008.1655021
Kaufman, L.M.; , "Data Security in the World of Cloud Computing," Security & Privacy, IEEE , vol.7, no.4, pp.61-64, doi: 10.1109/MSP.2009.87 July-Aug. 2009 URL: http://0-ieeexplore.ieee.org.catalog.library.colostate.edu/stamp/stamp.jsp?tp=&arnumber=5189563&isnumber=5189548
Krautheim, John F. 2009. Private virtual infrastructure for cloud computing. In Proceedings of the 2009 conference on Hot topics in cloud computing (HotCloud'09). USENIX Association, Berkeley, CA, USA, 5-5.
Leavitt, Neal. 2009. Is Cloud Computing Really Ready for Prime Time?. Computer 42, 1 (January 2009), 15-20. DOI=10.1109/MC.2009.20 http://dx.doi.org/10.1109/MC.2009.20
Works Cited cont.
Lizhe Wang; Jie Tao; Kunze, M.; Castellanos, A.C.; Kramer, D.; Karl, W.; Res. Center Karlsruhe Hermann-von-Helmholtz-Platz 1, Inst. for Sci. Comput., Karlsruhe Scientific Cloud Computing: Early Definition and Experience.
Mather, Tim; Kumaraswamy, Subra; Latif, Shahed; Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media, Inc., 2009
Reference Type: Book Chapter Editor: Backes, Michael Editor: Ning, Peng Author: Wang, Qian Author: Wang, Cong Author: Li, Jin Author: Ren, Kui Author: Lou, Wenjing Primary Title: Enabling Public Verifiability and Data Dynamics for Storage Security in Cloud Computing Book Title: Computer Security – ESORICS 2009 Book Series Title: Lecture Notes in Computer Science Copyright: 2009 Publisher: Springer Berlin / HeidelbergIsbn: Start Page: 355 End Page: 370 Volume: 5789 Url: http://dx.doi.org/10.1007/978-3-642-04444-1_22 Doi: 10.1007/978-3-642-04444-1_22
Ristenpart, Thomas; Tromer, Eran; Shacham, Hovav; Savage, Stefan. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds.CCS '09, November9-13, 2009, Chicago, Illinois, USA. Copyright 2009.
Santos, Nuno. Gummadi, Krishna P.; Rodrigues, Rodrigo. 2009. Towards trusted cloud computing. In Proceedings of the 2009 conference on Hot topics in cloud computing(HotCloud'09). USENIX Association, Berkeley, CA, USA, 3-3.
White Paper: Author – Trend Micro Security. Cloud Computing Security: Making Virtual Machines Cloud-Ready. May, 2010.
Questions?