CLOUD SECURITY - securejordan.com › 2016 › Files › Cloud Security.pdf · Broad Network Access...
CLOUD SECURITY
Understanding Cloud Security and Threats
AGENDA
• Overview of Cloud Computing
  • What is Cloud Computing?
  • Benefits of Cloud Computing
  • Cloud Computing Models
    • Service Models
    • Deployment Models
    • Billing Models
• Cloud Security
  • Threats, Vulnerabilities and Attacks
  • Countermeasures
  • Legal Challenges
• Research Challenges
Oct 2016 (CC BY-SA 3.0 - Al-Zewairi, M.) 2
INSTRUCTOR
• Malek Al-Zewairi
• PhD. Computer Science / Security at PSUT, Class 2015
• MSc. Information Systems Security and Digital Criminology
• Technical Certificates:
  • ISO 27001:2013 Certified LI (PECB)
  • ISO 27001:2013 Certified LA (IRCA)
  • ISO 27001:2005 LA/LI
  • CEI, CEH, CHFI, COSFE, CCFP, …
• Co-Founder of the Jordan Information Security & Digital Forensics (JISDF) Research Group, http://JISDF.org
• EC-Council CHFIv9 Advisory Board Member
• Head of Information Security at the University of Jordan
• Security Trainer & Pen-Tester at NSQAC
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
OVERVIEW OF CLOUD COMPUTING
PART 1
WHAT IS CLOUD COMPUTING?
• Outsourcing the management & delivery of computational resources to a third party
• Hardware (Servers, Workstations, Printers, …)
• Software (Email, CRM, MS Office 365, …)
• Network (AWS VPC, IoT, …)
• Storage (Amazon S3, Dropbox, OneDrive, …)
• Service (Security, DBMS, …)
• …
NIST 5 CHARACTERISTICS OF CLOUD
On-Demand Self-Service
• Is the ability to scale the cloud resources up or down whenever needed without disrupting the operation.
Broad Network Access
• Is the ability to access and manage the cloud resources from multiple device types (e.g. smart phone, PC, laptop, …)
Resource Pooling
• Is the ability to dynamically assign the cloud resources to multiple tenants based on client demand.
Rapid Elasticity
• Is the ability to resize the cloud resources in real time both Vertically and Horizontally.
Measured Services
• Is the ability to monitor, control and generate reports of the cloud resources usage.
BENEFITS OF CLOUD COMPUTING
High Accessibility
Dynamic Scalability
Improved Reliability
Increased Sustainability
Save Money
Rapid Development
Energy Saving
Higher Productivity
Zero Maintenance
Elasticity
24/7 Support
Security
CLOUD COMPUTING MODELS
• Service Models
• Deployment Models
• Payment Models
CLOUD MODELS: SERVICE MODELS
IaaS
• Infrastructure as a Service
• E.g. AWS EC2, Azure, Google CE, CDN
PaaS
• Platform as a Service
• E.g. Google App Engine
SaaS
• Software as a Service
• E.g. Gmail, Office 365, WebEx
CLOUD MODELS: SERVICE MODELS
Infrastructure as a Service (IaaS)
• Provides virtual machines and other abstracted hardware and operating systems (i.e. processing, storage, networks and other computing resources)
• The customer is able to deploy and run arbitrary software, in addition to self-provisioning this infrastructure
Platform as a Service (PaaS)
• Simply put, PaaS is an operating system in the cloud
• Provides a platform on which the customer’s applications can run
• Typically combines Web Server + Database + Programming Execution Environment
Software as a Service (SaaS)
• Provides service to the customers in the form of software running on and accessible in the cloud
• Enables the customer to use the cloud provider’s applications running on the cloud provider’s infrastructure
• Email services and office applications are examples of SaaS
SEPARATION OF RESPONSIBILITIES IN CLOUD OPERATION
OTHER SERVICE MODELS
XaaS: Anything as a Service
• DRaaS: Disaster Recovery as a Service
• DSaaS: Data Storage as a Service
• DaaS: Database as a Service
• ITaaS: IT as a Service
• NaaS: Network as a Service
• CaaS: Crime as a Service
• …
CLOUD MODELS: DEPLOYMENT MODELS
Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud
CLOUD MODELS: DEPLOYMENT MODELS
Public Cloud
• Cloud infrastructure is made available to the general public
Private Cloud
• Cloud infrastructure is implemented within the internal IT environment of the organization
Community Cloud
• Cloud infrastructure is shared between several organizations from a specific community
Hybrid Cloud
• Cloud infrastructure is a composition of two or more clouds (private, community, or public)
CLOUD MODELS: BILLING MODELS
On-Demand Model: Pay as you Use
• Clients are charged by what they used (CPU, memory, storage, …)
Subscription-based Model
• Clients pay a steady monthly fee
Spot-Pricing Model
• Market forces drive the spot-pricing model. Clients can bargain for the cloud resources price
CLOUD SECURITY
PART 2
“Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.” – Gartner 2016
THREATS, VULNERABILITIES AND ATTACKS
THREATS, VULNERABILITIES AND ATTACKS
Shared Technology, Shared Dangers
• A single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud
DoS Attacks
• Being either part of or the victim of a DoS attack consumes large amounts of processing power, a bill the customer may ultimately have to pay
Cloud Service Abuses
• Using shared cloud computing resources to launch a phishing campaign, for example
Changes of Jurisdiction
• Requires compliance with different regulatory & legal requirements
THREATS, VULNERABILITIES AND ATTACKS
Malicious Insiders
• A malicious insider, espionage, or a disgruntled employee can do significant damage
Insecure or Incomplete Data Deletion
• Secure data deletion is extremely hard, as the data is probably stored on multiple disks and in different geographical locations that are shared with other customers
Data Breaches
• iCloud, Yahoo, DropBox, …
Cloud Isolation Failure
• In a multi-tenant environment, isolation failure can result in influencing another tenant's resources or even resource starvation
THREATS, VULNERABILITIES AND ATTACKS
Cloud Provider Acquisition
• E.g. the Rackspace acquisition, Aug 2016
Lock-In
• Inability to change the cloud service provider
Compliance Risk
• It might be hard for organizations to provide evidence of compliance. Client auditing might not be permitted
Hypervisor Vulnerabilities
• Successful exploitation of a hypervisor vulnerability breaks the isolation of untrusted code, and provides the attacker with access to all the resources available to the hypervisor
COUNTERMEASURES
Client-side Data Encryption
Server-side Encryption (FS and/or Data)
Network Traffic Protection
API Secure Access (Authentication, Encryption, Integrity)
Built-in Firewalls
COUNTERMEASURES
Rule-based Access Control
Multi-Factor Authentication
Private Subnets
Cloud-based HSM
Dedicated Connection
COUNTERMEASURES
Understand the Cloud Service Provider Global Infrastructure
Use of Different Cloud Provider for Backup/DR
Review Cloud Provider SLA and Security Policies
Perform Regular Security and Risk Assessment
Monitoring, Alerting, Audit Trail and Incident Response
LEGAL CHALLENGES
• Which legislation applies?
• Which agencies can access the data?
• It’s harder to provide evidence of compliance
• Performing penetration testing and security assessment becomes a more complex task.
RESEARCH CHALLENGES
PART 3
RESEARCH CHALLENGES
• Cloud Forensics
• Alternatives to MapReduce
• Managing Trust in the Cloud
• Software Defined Networking in cloud environment
• Energy-aware resource allocation in cloud data centers
• e-Health data CIA in the cloud
• High availability across multiple clouds
• Big Data computing and clouds
THANK YOU
REFERENCES
• http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
• http://www.rightscale.com/lp/2016-state-of-the-cloud-report?campaign=701700000015euW
• http://www.datacenterjournal.com/top-cloud-security-trends-for-2016/
• http://www.gartner.com/newsroom/id/3143718
• http://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html
• http://www.lybrary.com/cloud-computing-security-foundations-and-challenges-p-872988.html
• https://aws.amazon.com/webinars/emea-journey-through-the-aws-cloud/