1、An Overview of Cloud Security and Privacy,CS 590, Fall 2010,Presenter: YounSun ChoSep. 9, 2010,What we are going to do today,A high-level discussion of the fundamental challenges and issues of cloud computing security and privacy It is impossible to consider all issues today The goal is to give you
2、a big picture rather than focus on a particular topic or a paper Note that some of these slides, especially part I, re-used/modified some slides in the Internet (References are in the last slides),2,Part1: Introduction,Why do you still hesitate to use cloud computing? Threat Model,3,Cloud services d
3、elivery model,4,While cloud-based software services are maturing, Cloud platform and infrastructure offering are still in their early stages !,Impact of cloud computing on the governance structure of IT organizations,5,If cloud computing is so great, why arent everyone doing it?,The cloud acts as a
4、big black box, nothing inside the cloud is visible to the clients Clients have no idea or control over what happens inside a cloud Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrity Clouds are still subject
5、to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks,6,Companies are still afraid to use clouds,7,Chow09ccsw,Taxonomy of Fear,Confidentiality Fear of loss of control over data Will the sensitive data stored on a cloud remain confidential? Wil
6、l cloud compromises leak confidential client data Will the cloud provider itself be honest and wont peek into the data? Integrity How do I know that the cloud provider is doing the computations correctly? How do I ensure that the cloud provider really stored my data without tampering with it?,8,Taxo
7、nomy of Fear (cont.),Availability Will critical systems go down at the client, if the provider is attacked in a Denial of Service attack? What happens if cloud provider goes out of business? Would cloud scale well-enough? Often-voiced concern Although cloud providers argue their downtime compares we
8、ll with cloud users own data centers,9,Taxonomy of Fear (cont.),Privacy issues raised via massive data mining Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients Increased attack surface Entity outside the organization now st
9、ores and computes data, and so Attackers can now target the communication link between cloud provider and client Cloud provider employees can be phished,10,Taxonomy of Fear (cont.),Auditability and forensics (out of control of data) Difficult to audit data held outside organization in a cloud Forens
10、ics also made difficult since now clients dont maintain data locally Legal quagmire and transitive trust issues Who is responsible for complying with regulations? e.g., SOX, HIPAA, GLBA ? If cloud provider subcontracts to third party clouds, will the data still be secure?,11,Taxonomy of Fear (cont.)
11、,12,Cloud Computing is a security nightmare and it cant be handled in traditional ways. John Chambers CISCO CEO,Security is one of the most difficult task to implement in cloud computing. Different forms of attacks in the application side and in the hardware components Attacks with catastrophic effe
12、cts only needs one security flaw (http:/ Model,A threat model helps in analyzing a security problem, design mitigation strategies, and evaluate solutions Steps: Identify attackers, assets, threats and other components Rank the threats Choose mitigation strategies Build solutions based on the strateg
13、ies,13,Threat Model,Basic components Attacker modeling Choose what attacker to consider insider vs. outsider? single vs. collaborator? Attacker motivation and capabilities Attacker goals Vulnerabilities / threats,14,What is the issue?,The core issue here is the levels of trust Many cloud computing p
14、roviders trust their customers Each customer is physically commingling its data with data from anybody else using the cloud while logically and virtually you have your own space The way that the cloud provider implements security is typically focused on they fact that those outside of their cloud ar
15、e evil, and those inside are good. But what if those inside are also evil?,15,Attacker Capability: Malicious Insiders,At client Learn passwords/authentication information Gain control of the VMs At cloud provider Log client communication Can read unencrypted data Can possibly peek into VMs, or make
16、copies of VMs Can monitor network communication, application patterns Why? Gain information about client data Gain information on client behavior Sell the information or use itself,16,Attacker Capability: Outside attacker,What? Listen to network traffic (passive) Insert malicious traffic (active) Pr
17、obe cloud structure (active) Launch DoS Goal? Intrusion Network analysis Man in the middle Cartography,17,Why Cloud Computing brings new threats?,Clouds allow co-tenancy Multiple independent users share the same physical infrastructureThus an attacker can legitimately be in the same physical machine
18、 as the target,18,Challenges for the attacker,How to find out where the target is located? How to be co-located with the target in the same (physical) machine? How to gather information about the target?,19,Part2: Considerations - Big Picture,Infrastructure Security Data Security and Storage Identit
19、y and Access Management (IAM) PrivacyAnd more,20,Infrastructure Security,Infrastructure Security,Network Level Host Level Application Level,22,The Network Level,Ensuring confidentiality and integrity of your organizations data-in-transit to and from your public cloud provider Ensuring proper access
20、control (authentication, authorization, and auditing) to whatever resources you are using at your public cloud provider Ensuring availability of the Internet-facing resources in a public cloud that are being used by your organization, or have been assigned to your organization by your public cloud p
21、roviders Replacing the established model of network zones and tiers with domains,23,The Network Level - Mitigation,Note that network-level risks exist regardless of what aspects of “cloud computing” services are being used The primary determination of risk level is therefore not which *aaS is being
22、used, But rather whether your organization intends to use or is using a public, private, or hybrid cloud.,24,The Host Level,SaaS/PaaS Both the PaaS and SaaS platforms abstract and hide the host OS from end users Host security responsibilities are transferred to the CSP (Cloud Service Provider) You d
23、o not have to worry about protecting hosts However, as a customer, you still own the risk of managing information hosted in the cloud services.,25,The Host Level (cont.),IaaS Host Security Virtualization Software Security Hypervisor (also called Virtual Machine Manager (VMM) security is a key a smal
24、l application that runs on top of the physical machine H/W layer implements and manages the virtual CPU, virtual memory, event channels, and memory shared by the resident VMs Also controls I/O and memory access to devices. Bigger problem in multitenant architectures Customer guest OS or Virtual Serv
25、er Security The virtual instance of an OS Vulnerabilities have appeared in virtual instance of an OS e.g., VMWare, Xen, and Microsofts Virtual PC and Virtual Server Customers have full access to virtual servers.,26,Case study: Amazons EC2 infrastructure,“Hey, You, Get Off of My Cloud: Exploring Info
26、rmation Leakage in Third-Party Compute Clouds” Multiple VMs of different organizations with virtual boundaries separating each VM can run within one physical server “virtual machines“ still have internet protocol, or IP, addresses, visible to anyone within the cloud. VMs located on the same physical
27、 server tend to have IP addresses that are close to each other and are assigned at the same time An attacker can set up lots of his own virtual machines, look at their IP addresses, and figure out which one shares the same physical resources as an intended target Once the malicious virtual machine i
28、s placed on the same server as its target, it is possible to carefully monitor how access to resources fluctuates and thereby potentially glean sensitive information about the victim,27,The Application Level,DoS EDoS(Economic Denial of Sustainability) An attack against the billing model that underli
29、es the cost of providing a service with the goal of bankrupting the service itself. End user security Who is responsible for Web application security in the cloud? SaaS/PaaS/IaaS application security Customer-deployed application security,28,Data Security and Storage,Data Security and Storage,Severa
30、l aspects of data security, including: Data-in-transit Confidentiality + integrity using secured protocol Confidentiality with non-secured protocol and encryption Data-at-rest Generally, not encrypted , since data is commingled with other users data Encryption if it is not associated with applicatio
31、ns? But how about indexing and searching? Then homomorphic encryption vs. predicate encryption? Processing of data, including multitenancy For any application to process data, not encrypted,30,Data Security and Storage (cont.),Data lineage Knowing when and where the data was located w/i cloud is imp
32、ortant for audit/compliance purposes e.g., Amazon AWS Store Process Restore Data provenance Computational accuracy (as well as data integrity) E.g., financial calculation: sum (2*3)*4)/6) -2) = $2.00 ? Correct : assuming US dollar How about dollars of different countries? Correct exchange rate?,31,D
33、ata Security and Storage,Data remanence Inadvertent disclosure of sensitive information is possible Data security mitigation? Do not place any sensitive data in a public cloud Encrypted data is placed into the cloud? Provider data and its security: storage To the extent that quantities of data from
34、many companies are centralized, this collection can become an attractive target for criminals Moreover, the physical security of the data center and the trustworthiness of system administrators take on new importance.,32,Identity and Access Management (IAM),Why IAM?,Organizations trust boundary will
35、 become dynamic and will move beyond the control and will extend into the service provider domain. Managing access for diverse user populations (employees, contractors, partners, etc.) Increased demand for authentication personal, financial, medical data will now be hosted in the cloud S/W applicati
36、ons hosted in the cloud requires access control Need for higher-assurance authentication authentication in the cloud may mean authentication outside F/WLimits of password authentication Need for authentication from mobile devices,34,IAM considerations,The strength of authentication system should be
37、reasonably balanced with the need to protect the privacy of the users of the system The system should allow strong claims to be transmitted and verified w/o revealing more information than is necessary for any given transaction or connection within the service Case Study: S3 outage authentication se
38、rvice overload leading to unavailability 2 hours 2/15/08 http:/ is Privacy?,The concept of privacy varies widely among (and sometimes within) countries, cultures, and jurisdictions. It is shaped by public expectations and legal interpretations; as such, a concise definition is elusive if not impossi
39、ble. Privacy rights or obligations are related to the collection, use, disclosure, storage, and destruction of personal data (or Personally Identifiable InformationPII). At the end of the day, privacy is about the accountability of organizations to data subjects, as well as the transparency to an or
40、ganizations practice around personal information.,37,What is the data life cycle?,38,Personal information should be managed as part of the data used by the organization Protection of personal information should consider the impact of the cloud on each phase,What Are the Key Privacy Concerns?,Typical
41、ly mix security and privacy Some considerations to be aware of: Storage Retention Destruction Auditing, monitoring and risk management Privacy Breaches Who is responsible for protecting privacy?,39,Storage,Is it commingled with information from other organizations that use the same CSP? The aggregat
42、ion of data raises new privacy issues Some governments may decide to search through data without necessarily notifying the data owner, depending on where the data resides Whether the cloud provider itself has any right to see and access customer data? Some services today track user behaviour for a r
43、ange of purposes, from sending targeted advertising to improving services,40,Retention,How long is personal information (that is transferred to the cloud) retained? Which retention policy governs the data? Does the organization own the data, or the CSP? Who enforces the retention policy in the cloud
44、, and how are exceptions to this policy (such as litigation holds) managed?,41,Destruction,How does the cloud provider destroy PII at the end of the retention period? How do organizations ensure that their PII is destroyed by the CSP at the right point and is not available to other cloud users? Clou
45、d storage providers usually replicate the data across multiple systems and sitesincreased availability is one of the benefits they provide. How do you know that the CSP didnt retain additional copies? Did the CSP really destroy the data, or just make it inaccessible to the organization? Is the CSP k
46、eeping the information longer than necessary so that it can mine the data for its own use?,42,Auditing, monitoring and risk management,How can organizations monitor their CSP and provide assurance to relevant stakeholders that privacy requirements are met when their PII is in the cloud? Are they reg
47、ularly audited? What happens in the event of an incident? If business-critical processes are migrated to a cloud computing model, internal security processes need to evolve to allow multiple cloud providers to participate in those processes, as needed. These include processes such as security monito
48、ring, auditing, forensics, incident response, and business continuity Transparency, compliance controls, and auditability are key criteria in the evaluation of any cloud service provider,43,Privacy breaches,How do you know that a breach has occurred? How do you ensure that the CSP notifies you when
49、a breach occurs? Who is responsible for managing the breach notification process (and costs associated with the process)?If contracts include liability for breaches resulting from negligence of the CSP? How is the contract enforced? How is it determined who is at fault?,44,Who is responsible for pro
50、tecting privacy?,Data breaches have a cascading effect Full reliance on a third party to protect personal data? In-depth understanding of responsible data stewardship Organizations can transfer liability, but not accountability Risk assessment and mitigation throughout the data life cycle is critical. Many new risks and unknowns The overall complexity of privacy protection in the cloud represents a bigger challenge.,
