cloud computing final show

Wave of the Future… Presented by: Ahmed Taha Abdel_kariem Mahmoud Mohamed Abd El Salam Ahmed Kandil Supervised by: Dr. Ashraf Tamam 03/01/15

Upload: ahmad-abdelhafeez

Post on 16-Jul-2015


Category:

Engineering



TRANSCRIPT


Demo Contents

INTRODUCTION
DEFINITION – HISTORY – ATTRIBUTES – CHARACTERISTICS – ADVANTAGE – DISADVANTAGE

CLOUD MODELS
DELIVERY MODEL – DEPLOYMENT MODEL

CLOUD SECURITY AND PRIVACY
SECURITY – PRIVACY – THREAT – TAXONOMY OF FEAR – PROBLEM – SOLUTION

COMMENTS OTHER ISSUE
WHY CC IMPORTANT – FUTURE WORK – CONCLUSION

What is Cloud Computing?
• A new class of network-based computing that takes place over the Internet.
• It hides the complexity and details of the underlying infrastructure.

What is Cloud Computing (Other)?
• Shared pool of configurable computing resources
• Just a web browser and your account with password!
– Once you log in, the device is “yours”.

History of Cloud Computing
• The concept dates to the 1960s.
• The term ‘Cloud’ was used in the early 1990s.
• IBM detailed it in 2001.
• Amazon datacenters in 2005.
• In 2007 Google and IBM started a large-scale CC research project.
• In 2008 CC gained popularity.

Components of Cloud Computing:

Attributes
• Rapid deployment
• Low startup costs
• Costs based on usage
• Multi-tenant sharing

Cloud Computing characteristics
• Cost (sold on demand)
• Ubiquitous: “always on!, anywhere, any place”
• Device and location independence
• Reliability
• Scalability
• Security

Cloud Computing characteristics
• Sustainability
• Service is fully managed by the provider
• Homogeneity
• Virtualization
• Resilient computing

• Lower computer costs
• Improved performance (boot & run)
• Reduced software costs
• Latest version availability

• Instant software updates
• Increased data reliability (sys crash & data)
• Improved document format compatibility
• Universal document access

• Requires constant Internet – intranet connection
• Features might be limited
• Stored data might not be secure
• Stored data can be lost
• General concerns (different protocols):

Infrastructure as a Service (IaaS): Consumers get access to the infrastructure to deploy their stuff.

Platform as a Service (PaaS): User deploys customer-created applications to a cloud.

Software as a Service (SaaS): Use provider’s applications over a network.

Public: Cloud infrastructure is available to the general public, owned by org selling cloud services

Private: Cloud infrastructure for single org only, may be managed by the organization or a 3rd party

Hybrid: Combo of >=2 clouds bound by standard technology (composition of two or more clouds)

Community: Cloud infrastructure shared by several orgs, managed by org or 3rd party

Public Cloud: Cloud infrastructure made available to the general public.

Private Cloud: Cloud infrastructure operated solely for an organization.

Hybrid Cloud: Cloud infrastructure composed of two or more clouds.

Community Cloud: Cloud infrastructure shared by several organizations and supporting a specific community.

Security is the necessary steps to protect a person or property from harm (direct action - indirect action). [Reference: Lecture Notes]

Privacy rights are related to the collection, use, disclosure, storage, and destruction of personal data, PII (Personally Identifiable Information).

1. Storage.
2. Retention.
3. Destruction.
4. Auditing, monitoring and risk management.
5. Privacy Breaches.

• Full reliance on a third party to protect personal data (data breaches have cascading effects)

• Many new risks and unknowns appear (complexity)


• Personal information should be managed as part of the data used by the organization

• Protection of personal information should consider the impact of the cloud on each phase

Research conducted by the Cloud Security Alliance (CSA) in 2010 and 2013. The aim was to provide the context needed to assist both cloud customers and cloud providers in making educated risk management decisions regarding their cloud adoption strategies.

1. Threat #1: Abuse and Nefarious Use of Cloud Computing
2. Threat #2: Insecure Interfaces and APIs
3. Threat #3: Malicious Insiders
4. Threat #4: Shared Technology Issues
5. Threat #5: Data Loss or Leakage
6. Threat #6: Account or Service Hijacking
7. Threat #7: Unknown Risk Profile

[Reference: CSA: Top Threats to Cloud Computing V1.0 Prepared by the Cloud Security Alliance March 2010]

Problem: Criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities.

Affected Layers:

Suggested Solutions:
1. Stricter initial registration and validation processes.
2. Enhanced credit card fraud monitoring and coordination.
3. Comprehensive introspection of customer network traffic.
4. Monitoring public blacklists for one’s own network blocks.

Problem: CSPs expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. The security and availability of general cloud services depend upon the security of these basic APIs, from authentication and access control to encryption.

Affected Layers:

Suggested Solutions:
1. Analyze the security model of cloud provider interfaces.
2. Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
3. Understand the dependency chain associated with the API.

Problem: A CSP may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. To complicate matters, there is often little or no visibility into the hiring standards and practices for cloud employees.

Affected Layers:

Suggested Solutions:
1. Enforce strict supply chain management and conduct a comprehensive supplier assessment.
2. Specify human resource requirements as part of legal contracts.
3. Require transparency into overall information security and management practices, as well as compliance reporting.
4. Determine security breach notification processes.

Problem: IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture.

Affected Layers:

Suggested Solutions:
1. Implement security best practices for installation/configuration.
2. Monitor environment for unauthorized changes/activity.
3. Promote strong authentication and access control for administrative access and operations.
4. Enforce service level agreements for patching and vulnerability remediation.
5. Conduct vulnerability scanning and configuration audits.

Problem: There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Unlinking a record from a larger context may render it unrecoverable, as can storage on unreliable media.

Affected Layers:

Suggested Solutions:
1. Implement strong API access control.
2. Encrypt and protect integrity of data in transit.
3. Analyze data protection at both design and run time.
4. Implement strong key generation, storage and management, and destruction practices.
5. Contractually demand providers wipe persistent media before it is released into the pool.
6. Contractually specify provider backup and retention strategies.

Problem: Account and service hijacking, usually with stolen credentials, remains a top threat. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks.

Affected Layers:

Suggested Solutions:
1. Prohibit the sharing of account credentials between users and services.
2. Leverage strong two-factor authentication techniques where possible.
3. Employ proactive monitoring to detect unauthorized activity.
4. Understand cloud provider security policies and SLAs.

Problem: When adopting a cloud service, the features and functionality may be well advertised, but what about details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging? How are your data and related logs stored and who has access to them? What information, if any, will the vendor disclose in the event of a security incident?

Affected Layers:

Suggested Solutions:
1. Disclosure of applicable logs and data.
2. Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.).
3. Monitoring and alerting on necessary information.

1. Threat #1: Data Breaches (aka: Leakage)
2. Threat #2: Data Loss
3. Threat #3: Account or Service Hijacking
4. Threat #4: Insecure Interfaces and APIs
5. Threat #5: Denial of Service
6. Threat #6: Malicious Insiders
7. Threat #7: Abuse and Nefarious Use of Cloud Computing
8. Threat #8: Unknown Risk Profile
9. Threat #9: Shared Technology Issues

[Reference: CSA, Top Threats Working Group, "The Notorious Nine", Cloud Computing Top Threats in 2013, February 2013]

Problem: Denial of Service attacks prevent users from using or accessing the cloud service, whether their data or their applications.

Affected Layers:

Controls:
1. CCM IS-04: Information Security - Baseline Requirements
2. CCM OP-03: Operations Management - Capacity/Resource Planning
3. CCM RS-07: Resiliency - Equipment Power Failures
4. CCM SA-04: Security Architecture - Application Se.

Confidentiality
• Fear of loss of control over data
• Will sensitive data stored on a cloud remain confidential?
• Will the cloud provider itself be honest and won’t peek into the data?

Integrity
• How do I know that the cloud provider is doing the computations correctly?
• How do I ensure that the cloud provider really stored my data without tampering with it?

Availability
• Will critical systems go down at the client if the provider is attacked in a Denial of Service attack?
• What happens if the cloud provider goes out of business?
• Would the cloud scale well enough?

Auditability and forensics: it is difficult to audit data held outside the organization in a cloud, and forensics is also made difficult.

• Privacy issues raised via massive data mining
– The cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients

• Increased attack surface
– Attackers can now target the communication link between cloud provider and client

Legal quagmire and transitive trust issues
• If the cloud provider subcontracts to third-party clouds, will the data still be secure? (complying with regulations)

Most security problems come from 3 reasons:
• Loss of control
• Lack of trust
• Multi-tenancy

Consumer’s loss of control: Data, applications, resources, user access control rules, and security policies are managed by the CSP.

Consumer relies on provider to ensure: Data security and privacy - Resource availability - Monitoring and repairing of services/resources

• People only trust when it pays
• Need for trust arises only in risky situations
• Trusting a third party requires taking risks

Cloud computing brings new threats since users share the same physical infrastructure, so an attacker can be on the same physical machine as the target.

There is a conflict between tenants’ opposing goals, so how to provide strong separation between tenants?

Minimize Loss of Control: Monitoring - Utilizing different clouds - Access control management

Minimize Lack of Trust: Policy Language - Certification

Minimize Multi-tenancy: Private cloud - Strong separation

Requires an application-specific run-time monitoring and management tool for the consumer (enabling both the provider and tenants to monitor the components in the cloud that are under their control).

Propose a multi-cloud (using services from different clouds) in which users: Spread the risk - Increase redundancy - Increase the chance of mission completion for critical apps.

Issues: Policy incompatibility - Data dependency between clouds - Data redundancy - Spreading your sensitive data.

Many possible layers of access control (access to the cloud - access to servers - access to services, etc.)

Federated Identity Management: access control management burden still lies with the provider.

Consumer-managed access control: requires less trust of the provider.

User on Amazon Cloud

1. Name 2. E-mail 3. Password 4. Billing Address 5. Shipping Address 6. Credit Card

1. Name 2. E-mail 3. Shipping Address

1. Name 2. Billing Address 3. Credit Card

User on Amazon Cloud

1. Name 2. E-mail 3. Password 4. Billing Address 5. Shipping Address 6. Credit Card

1. Name 2. Billing Address 3. Credit Card

Create a policy language which is:
• Machine-understandable
• Easy to combine/merge and compare

Need a validation tool to check that the policy created in the standard language correctly reflects the policy creator’s intentions.

• Create some certification: Some form of reputable, independent, comparable assessment and description of security features and assurance.
• Risk assessment: Performed by certified third parties

• Can’t really force the provider to accept fewer tenants
• Use private cloud
• Use strong isolation techniques
• Increase trust in the tenants
• Use SLAs (service level agreements) to enforce trusted behavior

• Big black box, nothing is visible, complexity.
• CSP can have malicious system admins who can violate confidentiality and integrity.
• Confidentiality, integrity, availability, and privacy issues.


Future works
• The mainstream adoption of cloud computing could cause many problems for users.
• The trend of large vendors entering CC will accelerate rapidly.
• Still have to look into many open research areas like security, management, etc.
• Commercial offerings are proprietary and usually not open for cloud systems research and development.

Cloud computing is sometimes viewed as a reincarnation of the classic mainframe client-server model; however, it has many attributes, characteristics, advantages and disadvantages.

Cloud delivery models are SaaS, PaaS and IaaS, while cloud deployment models are Public, Private, Hybrid and Community.

For cloud computing security issues, it may be helpful to identify the problems and approaches in terms of: Loss of control - Lack of trust - Multi-tenancy problems.

Future work in CC still has big issues in terms of security, management, etc.
