cloud computing security
TRANSCRIPT
Cloud Security Issues/Concerns ¨ Faced by providers
¤ Ensure that infrastructure is secure
¤ Client data and apps are protected
¨ Faced by clients ¤ Ensure that provider
has taken proper measures to protect info
3
Security and Privacy Compliance
Legal/Contractual
issues
Security and Privacy ¨ Data Protection
¤ Data stored securely n when at rest and n while in motion
¨ Identity Management ¤ ID Federation ¤ Single Sign On ¤ Other Identity Management that
Clients dictate
¨ Physical and Personnel Security ¤ Access is secured and documented
¨ Availability ¤ Regular and predictable access to
data and applications ¨ Application Security
¤ Testing and acceptance procedure for 3rd party code/outsourced code
¤ App level firewalls ¨ Privacy
¤ Only authorized users access information
¤ Digital identity protection
4
Compliance Cloud providers must enable clients to comply with regulations ¨ Laws and Regulations
¤ Depends on geography and laws of the land
¤ e.g., Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SarbOx)
¨ Industry Standards ¤ e.g., Payment Card Industry Data Security
Standard (PCI DSS)
¨ Regular reporting requirements ¨ Audit Trails
¨ Business Continuity and Data Recovery ¤ Services continue even in case of
a disaster ¤ Plan for recovery of lost data
¨ Logs and Audit Trails ¤ eDiscovery ¤ Forensic Investigation
¨ Client specific compliance requirements
¨ Data isolation requirements
5
Legal/Contractual Issues ¨ Liability Terms ¨ Intellectual Property ¨ End of service
obligations
¨ Public records ¤ Record keeping ¤ Retain and make data
available ¤ May be stipulated by
law
6
Computer Security 7
Secure OS Secure Architecture
Security by design Secure coding practise
Vulnerability Eavesdropping
Exploits Trojans/Virus/DOS
Payloads Backdoors/Rootkits/Key loggers
Com
pute
r Se
curit
y C
omputer Insecurity
Security by Design 8
¨ Principle of least privilege ¤ An entity has only the privileges it needs to function ¤ Hacker gaining access to one part would find it equally difficult to access other
parts ¨ Breaking modules into small individual components simplifies correct design
of crucial software subsystems ¨ Rigorous code review and unit testing ¨ Smart Secure Default Settings
¤ Fail to a secure state. Not fail to an insecure state ¤ A secure system should require deliberate, conscious, knowledgeable and free
decision on part of legitimate authority in order to make it insecure
Security Architecture ¨ Design artifacts that
describe how security controls are positioned to ensure system quality attributes
9 Confidentiality
Integrity
Availability Accountability
Assurance
Hardware Mechanisms for Security 10
¨ Hardware based or hardware assisted compliments software based security, e.g, ¤ Trusted Platform Modules (TPM) ¤ Devices/Dongles that require physical access
Secure OS 11
¨ Ultra-strong secure OS ¤ Based on kernel that guarantee certain security policies are
absolutely enforced in an operating environment ¤ e.g., Bell-LaPadula model ¤ Such OS are not widely known ¤ Used primarily to protect
n National security/Military secrets ¤ e.g., NSA Blacker, Honeywell SCOMP ¤ Achieve the orange book standard
Microprocessor Hardware Features
such as memory management
Correctly implemented
OS kernel
Secure Coding 12
¨ Most commercial OS fall in a “low security” category so applications must make themselves resistant to malicious subversion
¨ Common software defects include ¤ buffer overflows ¤ format string vulnerabilities ¤ integer overflow ¤ code/command injection ¤ dangling pointers
Application Threats/Attacks ¨ Input Validation
¤ Buffer overflow, cross site scripting, SQL injection
¨ Authentication ¤ Eavesdropping, brute force attack, dictionary
attach, cookie replay, credential theft
¨ Authorization ¤ Elevation of privilege, disclosure of confidential
info, data tampering
¨ Configuration Management ¤ Unauth access to admin interfaces, retrieval of
config data in clear text, lack of individual accountability
¨ Sensitive Information ¤ Unauth access to stored data
¨ Session Management ¤ Session hijacking, session replace, man in the
middle attacks
¨ Cryptography ¤ Poor key generation, weak encryption, improper
key management practices
¨ Parameter Manipulation ¤ Query string manipulation, Form field
manipulation, cookie manipulation, HTTP header manipulation
¨ Exception management ¤ Improper info disclosure, denial of service
¨ Auditing and logging ¤ User denies performing an operation, attacker
exploits without a trace or covers the tracks
13