Post on 12-Jan-2016
Suronapee Phoomvuthisarn, Ph.D.
Email: suronape@mut.ac.th / Q305
NETE4631: Cloud Privacy and Security - Lecture 12
Characteristics of Cloud (NIST)
Statistical Challenges in the Cloud
Security & Privacy Challenges
- Outsourcing Data and Applications
- Extensibility and Shared Responsibility
- Service-Level Agreements (SLAs)
- Virtualization and Hypervisors
- Heterogeneity
- Compliance and Regulations
- Three kinds of issues in standards and regulations
  - “How” issues – how an application of a specific type should operate in order to protect certain concerns specific to its problem domain
  - “Where” issues – where you can store certain information
  - “What” issues – standards that prescribe specific components for your infrastructure
The Life Cycle of a Modern Attack
Functional Traits of Botnets
Key Components and Tools in the Modern Attack Strategy
Data Security
- Physical security
- Data control
  - Encryption (both in transit and in storage)
  - Off-site backups regularly
- Data segmentation
  - Minimize the impact of the compromise of specific nodes
- Network security
  - Firewall
    - Firewall-like traffic rules to govern which traffic can reach which virtual servers, such as security groups in Amazon EC2
  - Network Intrusion Detection
    - Monitor local traffic for anything that looks irregular
Firewall rules
[Figures: firewall rules in Amazon; traditional firewall]
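An added example (not from the lecture or from AWS): a default-deny evaluation of security-group-style ingress rules, plus a check for administrative ports open to any address. The rule format, group names, server names, addresses and the list of administrative ports are constructed for illustration; it goes slightly beyond the slide by letting a rule name another group as its source, as EC2 security groups allow.

```python
import ipaddress

# Constructed policy in a hypothetical format (not an AWS API structure).
# A rule's source is either a CIDR block or the name of another group.
GROUPS = {
    "web": [{"proto": "tcp", "port": 443, "source": "0.0.0.0/0"}],
    "app": [{"proto": "tcp", "port": 8080, "source": "web"}],
    "db": [{"proto": "tcp", "port": 5432, "source": "app"},
           {"proto": "tcp", "port": 22, "source": "0.0.0.0/0"}],
}
# Constructed inventory: virtual server -> (private IP, attached groups).
SERVERS = {
    "web-1": ("10.0.1.10", ["web"]),
    "app-1": ("10.0.2.10", ["app"]),
    "db-1": ("10.0.3.10", ["db"]),
}
ADMIN_PORTS = {22, 3389, 5432}  # assumption: ports treated as administrative


def groups_of(ip):
    """Groups attached to the server that owns this IP (empty for outside hosts)."""
    return next((g for addr, g in SERVERS.values() if addr == ip), [])


def is_allowed(src_ip, dst_server, proto, port):
    """Default deny: allow only if an ingress rule on the destination matches."""
    src, src_groups = ipaddress.ip_address(src_ip), groups_of(src_ip)
    for group in SERVERS[dst_server][1]:
        for rule in GROUPS[group]:
            if (rule["proto"], rule["port"]) != (proto, port):
                continue
            if rule["source"] in GROUPS:  # group reference: match by membership
                if rule["source"] in src_groups:
                    return True
            elif src in ipaddress.ip_network(rule["source"]):
                return True
    return False


def world_open_admin_rules():
    """Flag rules that expose an administrative port to every address."""
    return [(name, rule["port"])
            for name, rules in GROUPS.items() for rule in rules
            if rule["source"] not in GROUPS
            and ipaddress.ip_network(rule["source"]).prefixlen == 0
            and rule["port"] in ADMIN_PORTS]
```

A traditional perimeter firewall would express the same tiers with subnets; here the database tier is reachable only from members of the `app` group, and the audit reports the SSH rule on `db` that is open to every address.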
Brokered Cloud Storage Access
Network Intrusion Detection Systems (NIDS)
- NIDS monitor local traffic for anything that looks irregular
  - Scans
  - Denial-of-service attacks
  - Known vulnerability exploit attempts
Host Security
- Host security describes how your server is set up for the following tasks
  - Preventing attacks
  - Minimizing the impact of a successful attack on the overall system
  - Responding to attacks when they occur
Host Security (2)
- Security patches
  - In cloud environments, rolling out a patch across the infrastructure takes three simple steps:
    - Patch your machine images with the new security fixes
    - Test the results
    - Re-launch your virtual servers
- System hardening
  - The process of disabling or removing unnecessary services and eliminating unimportant user accounts
- Antivirus protection
  - Selection criteria – (1) how wide a range of known exploits it covers (2) the time when a virus is released and recovered
- Host Intrusion Detection Systems (HIDS)
Host Intrusion Detection Systems (HIDS)
Identity Management
- What is the identity?
  - Things you are
  - Things you know
  - Things you have
  - Things you relate to
- They can be used to authenticate client requests for services and prevent unauthorized use
- Maintain user roles
- Use a secure approach such as SSH with public/private key pairs rather than a password-based method (brute force attack) to access virtual servers
- Encryption in transit
- Only users that have an operational need in a certain time period
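The key-pair recommendation above can be checked on a server image. This added example (not part of the lecture) audits `sshd_config` text for settings that still permit password logins; the sample configuration and finding strings are constructed, while the keyword names and defaults are OpenSSH's.

```python
# OpenSSH built-in defaults for the keywords checked here.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "permitrootlogin": "prohibit-password"}

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# sshd_config (constructed)
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""


def effective_settings(text):
    """Return (global settings, Match blocks); sshd keeps the first value per keyword."""
    settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # later lines apply only to matching connections
            current = {"criteria": value, "settings": {}}
            blocks.append(current)
        else:
            target = settings if current is None else current["settings"]
            target.setdefault(key, value)
    return {**DEFAULTS, **settings}, blocks


def audit(text):
    """List findings that leave password-based SSH logins possible."""
    settings, blocks = effective_settings(text)
    findings = []
    if settings["passwordauthentication"].lower() != "no":
        findings.append("password logins enabled globally")
    if settings["pubkeyauthentication"].lower() != "yes":
        findings.append("public-key logins disabled")
    if settings["permitrootlogin"].lower() == "yes":
        findings.append("root may log in with a password")
    for block in blocks:
        if block["settings"].get("passwordauthentication", "").lower() == "yes":
            findings.append("password logins re-enabled for: Match " + block["criteria"])
    return findings
```

`Include` files and keyboard-interactive authentication are not evaluated here, so a clean result covers only the keywords listed.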
Defining Identity as a Service (IDaaS)
- Store the information that associates with a digital entity used in electronic transactions
- Core functions
  - Data store
  - Query engine
  - Policy engine
Core IDaaS applications
Authentication Protocol Standards
- OpenID 2.0: http://openid.net
- OAuth: http://oauth.net
Auditing
- Auditing is the ability to monitor the events to understand performance
- Challenges
  - Proprietary log formats
  - Might not be co-located
Auditing (2)
Picture from Alexandra Institute
Security Mapping
- Determine which resources you are planning to move to the cloud
- Determine the sensitivity of the resources to risk
- Determine the risk associated with the particular cloud deployment type (public, private, or hybrid models) of a resource
- Take into account the particular cloud service model that you will be using
- If you have selected a particular cloud provider, you need to evaluate its system to understand how data is transferred, where it is stored, and how to move data both in and out of the cloud
The AWS Security Center
Security Responsibilities
- Cloud Deployment Models (NIST)
  - Public clouds
  - Private clouds
  - Hybrid clouds
Security Service Boundary
By Cloud Security Alliance (CSA)
Regulatory Compliance
- All regulations were written without keeping cloud computing in mind.
- Clients are held responsible for compliance under the laws that apply to the location where the processing or storage takes place.
- Security laws require companies providing sensitive personal information to encrypt data transmitted and stored on their systems (Massachusetts, March 2012).
Regulatory Compliance (2)
You have to ensure the following:
- Contracts reviewed by your legal staff
- The right to audit in your SLA
- Review cloud service providers' security and regulatory compliance
- Understand the scope of the regulations that apply to your cloud-based applications
- Consider what steps to take to comply with the demands of the regulations that apply and/or adjust your procedures accordingly
- Collect and maintain the evidence of your compliance with regulations
Defining Compliance as a Service (CaaS)
CaaS needs to:
- Serve as a trusted party
- Be able to manage cloud relationships
- Be able to understand security policies and procedures
- Be able to know how to handle information and administer policy
- Be aware of geographic location
- Provide incident response, archive, and allow for the system to be queried, all to a level that can be captured in an SLA
Defining Compliance as a Service (CaaS) (2)
Examples of clouds that advertise CaaS capabilities include the following:
- Athenahealth for the medical industry
- Bankserv for the banking industry
- ClearPoint PCI for merchant transactions
- FedCloud for government
Techniques for securing resources
Picture from Alexandra Institute
Virtualized Data Center Network Security Challenges
- The major network security challenges in the virtualized data center include
  - Hypervisor integrity. A successful attack against a host’s hypervisor can compromise all of the workloads being delivered by the host.
  - Intra-host communications. Communications traffic between different VMs on the same physical host is often not visible and therefore cannot be controlled by traditional physical firewalls and IPS.
  - VM migration. When VMs migrate from one physical host to another or from one physical site to another, they tend to break network security tools that rely on physical and/or network-layer attributes.
Data center evolution and security requirements
Criteria for Network Security in the Virtualized Data Center
- Safe Application Enablement of Data Center Applications
- Identification Based on Users, Not IP Addresses
- Comprehensive Threat Protection
- Flexible, Adaptive Integration
- High-Throughput, Low-Latency Performance
- Secure Access for Mobile and Remote Users
- One Comprehensive Policy, One Management Platform
References
- Chapter 4, 12 of Course Book: Cloud Computing Bible, 2011, Wiley Publishing Inc.
- Chapter 6, Cloud Application Architectures, building applications and infrastructure in the cloud, O’Reilly, Reese, G., 2009
- Network Security in Virtualized Data Centers For DUMMIES, Lawrence C. Miller, John Wiley & Sons
- Research paper - Security and Privacy Challenges in Cloud Computing Environments, Hassan Takabi and James B.D. Joshi, University of Pittsburgh