
Cloud Security and Security As A Service

The document provides an overview of cloud security, focusing on infrastructure, data security, identity management, and security as a service. It outlines key concerns such as governance, compliance, incident response, and the importance of data security in cloud environments. Additionally, it discusses the trade-offs of cloud security and the various services available to address security needs.

Cloud Security: Infrastructure, Data Security, and Security as a Service

Adapted from slides by Keke Chen


Suggested Readings
• Reference book: “Cloud Security and Privacy: An
Enterprise Perspective on Risks and Compliance
(Theory in Practice)”, Tim Mather et al.
http://www.amazon.com/Cloud-Security-Privacy-Enterprise-Perspective/dp/0596802765
• Security Guidance for Critical Areas of Focus in Cloud
Computing V3.0,
https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
– Cloud Security Alliance
Outline
• Overview
• Infrastructure Security
• Data Security
• Identity and access management
• Audit, compliance and federation of clouds
• Security and privacy concerns
• Security as a service
• Network security, policies (research)
Dimensions of Security
Tradeoffs and Security Provisions
Cloud Alliance 7 Concerns
Domain | Guidance dealing with security
Governance and Enterprise Risk Management | Govern and measure enterprise risk
Legal Issues: Contracts and Electronic Discovery | Protection requirements, security breach disclosure laws, regulatory requirements, privacy requirements, international laws
Compliance and Audit | Proving compliance during audit
Information Management and Data Security | Identification and control of data in cloud. CAI
Portability and Interoperability | Move data services from one provider to another, interoperability
Traditional Security, Business Continuity and Disaster Recovery | Security of operational processes and procedures (security, business continuity and disaster recovery)
Data Center Operations | Evaluation of stability, on-going services
Cloud Alliance 7 Concerns (Contd…)
Domain | Guidance dealing with security
Incident Response, Notification and Remediation | Provider and user levels to enable proper incident handling and forensics
Application Security | +Application migration
Encryption and Key Management | Appropriate encryption and scalable key management
Identity and Access Management | Organization’s identity, access controls
Virtualization | Multi-tenancy, VM isolation, VM co-residence, hypervisor vulnerabilities
Security as a Service | Third-party facilitated security assurance, incident management, compliance attestation, identity and access oversight
NIST
• Guidelines on Security and Privacy in Public
Cloud Computing, Wayne Jansen and Timothy
Grance, NIST, January 2011
http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
Security: Pros v Cons of Cloud
Pros
• Staff Specialization.
• Platform Strength.
• Resource Availability.
• Backup and Recovery.
• Mobile Endpoints.
• Data Concentration.
• Data Center Oriented.
• Cloud Oriented.
Cons
• System Complexity.
• Shared Multi-tenant Environment.
• Internet-facing Services.
• Loss of Control.
• Botnets.
• Mechanism Cracking.
Infrastructure Security
• Infrastructure
– IaaS, PaaS, and SaaS
• Focus on public clouds
– No special security problems with private
clouds – traditional security problems only
• Different levels
– Network level
– Host level
– Application level
Network level
• Confidentiality and integrity of data-in-transit
– Amazon had security bugs with digital signature on
SimpleDB, EC2, and SQS accesses (in 2008)
• Less or no system logging/monitoring
– Only cloud provider has this capability
– Thus, difficult to trace attacks
• Reassigned IP address
– Expose services unexpectedly
– Spammers using EC2 are difficult to identify
• Availability of cloud resources
– Some factors, such as DNS, controlled by the cloud
provider.
• Physically separated tiers become logically
separated
– E.g., 3 tier web applications
Private Cloud Network Security
Host level (IaaS)
• Hypervisor security
– “zero-day vulnerability” in VM, if the
attacker controls hypervisor

• Virtual machine security


– SSH private keys (if mode is not
appropriately set)
– VM images (especially private VMs)
– Vulnerable Services
Application level
• SaaS application security
– Example: in one incident, Google Docs
access control failed and all users could
access all documents
Data Security
• Data-in-transit
• Data-at-rest
• Processing of data, including
multitenancy
• Data lineage
• Data provenance
• Data remanence
Data Security
• Data-in-transit
– Confidentiality and integrity
• Data-at-rest & processing data
– Possibly encrypted for static storage
– Cannot be encrypted for most PaaS and
SaaS (such as Google Apps) → prevents
indexing or searching
• Research on indexing/searching encrypted
data
• Fully homomorphic encryption?
Data lineage
• Definition: tracking and managing data
• For audit or compliance purpose
• Data flow or data path visualization
– E.g. data transferred to AWS on date x1 at time y1 and
stored in a bucket on S3 example.s3.amazonaws.com,
then processed on date x2 at time y2 on EC2 in
ec2-67-202-51-223.compute-1.amazonaws.com, then
stored in another bucket,
example2.s3.amazonaws.com, then brought back
locally on date x3 at time y3, …
• Time-consuming process even for inhouse data
center
– Not possible for a public cloud
Data provenance
• Origin/ownership of data
– Verify the authority of data
– Trace the responsibility
– e.g., financial and medical data
• Difficult to prove data provenance in a
cloud computing scenario
Data remanence
• Data left intact by a nominal delete
operation
– In many DBMSs and file systems, data is
deleted by flagging it.
• Leads to possible disclosure of sensitive
information
• Department of Defense: National
Industrial security program operating
manual
– Defines data clearing and sanitization
Provider’s data and its security
• The provider collects a huge amount
of security-related data
– Data possibly related to service users
– If not managed well, it is a big threat to
users’ security
Identity and Access Management
• IAM components
– Authentication
– Authorization
– Auditing
• IAM processes
– User management
– Authentication management
– Authorization management
– Access management – access control
– Propagation of identity to resources
– Monitoring and auditing
Key Security and Privacy Issues
• Governance -- control and oversight over
policies, procedures, and standards for
application development, as well as the
design, implementation, testing, and
monitoring of deployed services.
Key Security and Privacy Issues
• Compliance -- conformance with an
established specification, standard, regulation,
or law.
– Data location --- trans-border data flows include whether
the laws in the jurisdiction where the data was collected permit
the flow, whether those laws continue to apply to the data post
transfer, and whether the laws at the destination present
additional risks or benefits
– Laws and Regulations --- OMB, Clinger-Cohen Act,
FISMA, NARA (archives), HIPAA, PCI DSS (cards)
– Electronic Discovery --- FOIA, litigation
Key Security and Privacy Issues
• Trust
– Insider Access --- (esp. DOS)
– Data Ownership --- Privacy versus data ownership.
– Composite Services --- Nesting and layering of
services, trust is not transitive, liability and
performance guarantees
– Visibility --- detailed network and system level
monitoring, oversight
– Risk Management
Security as a Service
• Origins: Email Spam
• Today
– Email Filtering
– Web Content Filtering
– Vulnerability Management
– Identity Management as a service
– Etc.
• Naming: SaaS
– NOT to be confused with Software as a Service!
SecaaS: Security as a Service (Cloud Security Alliance)
https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
SaaS Categorization by CSA
CSA: Cloud Security Alliance
1. Identity and Access Management
2. Data Loss Prevention
3. Web Security
4. Email Security
5. Security Assessments
6. Intrusion Management
7. Security Information and Event Management (SIEM)
8. Encryption
9. Business Continuity and Disaster Recovery
10. Network Security
Identity and Access Management
(IAM)
• SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active
Directory Federated Services (ADFS2), WS-Federation
• Commercial Cloud Examples
– CA Arcot Webfort
– CyberArk Software Privileged Identity Manager
– Novell Cloud Security Services
– ObjectSecurity OpenPMF (authorization policy automation, for
private cloud only)
– Symplified
• Threats addressed
– Identity theft, Unauthorized access, Privilege escalation, Insider
threat, Non-repudiation, Excess privileges / Excessive access,
Delegation of authorizations / Entitlements, Fraud
Data Loss Prevention
• Monitoring, protecting, and verifying the security of data
• by running as a client on desktops / servers and running rules
– “No FTP” or “No uploads” to web sites
– “No documents with numbers that look like credit cards can be
emailed”
– “Anything saved to USB storage is automatically encrypted and can
only be unencrypted on another office owned machine with a
correctly installed DLP client”
– “Only clients with functioning DLP software can open files from the
fileserver”
• Related to IAM
• Threats Addressed
– Data loss/leakage, Unauthorized access, Malicious compromises of
data integrity, Data sovereignty issues, Regulatory sanctions and fines
Web Security
• Real-time protection
– On-premise through software/appliance installation
– Proxying or redirecting web traffic to the cloud provider
• Prevent malware from entering the enterprise via
activities such as web browsing
• Mail Server, Anti-virus, Anti-spam, Web Filtering, Web
Monitoring, Vulnerability Management, Anti-phishing
• Threats addressed
– Keyloggers, Domain Content, Malware, Spyware, Bot
Network, Phishing, Virus, Bandwidth consumption, Data
Loss Prevention, Spam
Email Security
• Control over inbound and outbound email
• Enforce corporate policies such as acceptable use and
spam
• Policy-based encryption of emails
• Digital signatures enabling identification and non-
repudiation
• Services
– Content security, Anti-virus/Anti-malware, Spam filtering,
Email encryption, DLP for outbound email, Web mail,
Anti-phishing
• Threats addressed
– Phishing, Intrusion, Malware, Spam, Address spoofing
Security Assessments
• Third-party audits of cloud services or assessments of local systems via
cloud-provided solutions
• Well defined and supported by multiple standards such as NIST, ISO, and
CIS
• Additional Cloud Challenges
– Virtualization awareness of the tool
– Support for common web frameworks in PaaS applications
– Compliance Controls for IaaS, PaaS, and SaaS platforms
• Services
– Internal and / or external penetration test, Application penetration test, Host
and guest assessments, Firewall / IPS (security components of the
infrastructure) assessments, Virtual infrastructure assessment
• Threats addressed
– Inaccurate inventory, Lack of continuous monitoring, Lack of correlation
information, Lack of complete auditing, Failure to meet/prove adherence to
Regulatory/Standards Compliance, Insecure / vulnerable configurations,
Insecure architectures, Insecure processes / processes not being followed
Intrusion Management
• Using pattern recognition to detect and react to
statistically unusual events
• IM tools are mature, however
– virtualization and massive multi-tenancy is creating
new targets for intrusion
– raises many questions about the implementation of
the same protection in cloud environments
• Services
– Packet Inspection, Detection, Prevention
• Threats addressed
– Intrusion, Malware
Security Information and Event
Management (SIEM)
• Accept log and event information
• Correlate and analyze to provide real-time reporting
and alerting on incidents / events
• Services
– Log management, Event correlation, Security/Incident
response, Scalability, Log and Event Storage, Interactive
searching and parsing of log data, Logs immutable (for
legal investigations)
• Threats addressed
– Abuse, Insecure Interfaces and APIs, Malicious Insiders,
Shared Technology Issues, Data Loss and Leakage, Account
or Service Hijacking, Unknown Risk Profile, Fraud
Encryption
• The process of obfuscating/encoding data using
cryptographic algorithms
– Algorithm(s) that are computationally difficult to break
• Services
– VPN services, Encryption Key Management, Virtual Storage
Encryption, Communications Encryption, Application
Encryption, Database Encryption, digital signatures, Integrity
validation
• Threats addressed
– Failure to meet Regulatory Compliance requirements, Mitigating
insider and external threats to data, Intercepted clear text
network traffic, Clear text data on stolen / disposed of
hardware, Reducing the risk of and potentially enabling
cross-border business opportunities, Reducing perceived risks and
thus enabling Cloud's Adoption by government
Business Continuity and Disaster
Recovery
• Ensure operational resiliency in the event of any
service interruptions
• Flexible and reliable failover
• Utilize cloud’s flexibility to minimize cost and maximize
benefits
• Services
– File recovery provider, File backup provider, Cold site,
Warm site, Hot site, Insurance, Business partner
agreements, Replication (e.g. Databases)
• Threats addressed
– Natural disaster, Fire, Power outage, Terrorism/sabotage,
Data corruption, Data deletion, Pandemic/biohazard
Network Security
• Services that allocate access, distribute, monitor, and protect the
underlying resource services
– Address security controls at the network in aggregate, Or
– Specifically address at the individual network of each underlying
resource
• In Clouds, likely to be provided by virtual devices alongside
traditional physical devices
– Tight integration with the hypervisor to ensure full visibility of all
traffic on the virtual network layer is key
• Services
– Firewall (perimeter and server tier), Web application firewall, DDOS
protection/mitigation, DLP, IR management, IDS / IPS
• Threats addressed
– Data Threats, Access Control Threats, Application Vulnerabilities,
Cloud Platform Threats, Regulatory, Compliance & Law Enforcement

Network Security (Research)
Policies about the configurations of the infrastructure are used for specifying security and
availability requirements

• A critical device should be placed within a security perimeter


• Unprotected devices should not communicate with machines running critical services
• Computation on confidential data must be performed on hosts under the control of DoD

• Policy-driven approach has been taken by FISMA, PCI-DSS, NERC
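
The three example policies above can be evaluated mechanically against an infrastructure inventory. The following is an added example, not code from the slides or from the Odessa/NetOdessa projects; the `Host` fields, the flow and job tuples, and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    owner: str           # organisation that controls the host
    in_perimeter: bool   # placed inside a security perimeter
    protected: bool      # assumed meaning: hardened and firewalled
    critical: bool       # runs a critical service


def check_policies(hosts, flows, jobs, trusted_owner="DoD"):
    """Return sorted (policy, subject) violations of the three slide policies."""
    by_name = {h.name: h for h in hosts}
    violations = set()
    # P1: a critical device should be placed within a security perimeter.
    for h in hosts:
        if h.critical and not h.in_perimeter:
            violations.add(("P1-perimeter", h.name))
    # P2: unprotected devices should not communicate with machines running
    # critical services; a flow is checked in both directions.
    for src, dst in flows:
        a, b = by_name[src], by_name[dst]
        for unprotected, crit in ((a, b), (b, a)):
            if not unprotected.protected and crit.critical:
                violations.add(("P2-flow", f"{src}->{dst}"))
    # P3: confidential computation must run on hosts under trusted_owner control.
    for job, host, classification in jobs:
        if classification == "confidential" and by_name[host].owner != trusted_owner:
            violations.add(("P3-placement", f"{job}@{host}"))
    return sorted(violations)


# Constructed inventory: host names, owners and flows are illustrative only.
HOSTS = [
    Host("db1", "DoD", True, True, True),
    Host("scada1", "DoD", False, True, True),      # critical, outside perimeter
    Host("kiosk", "DoD", False, False, False),     # unprotected device
    Host("vm-7", "cloud-provider", False, True, False),
]
FLOWS = [("kiosk", "db1"), ("vm-7", "db1"), ("db1", "scada1")]
JOBS = [
    ("payroll", "db1", "confidential"),
    ("analytics", "vm-7", "confidential"),         # confidential job on provider host
    ("render", "vm-7", "public"),
]

if __name__ == "__main__":
    for policy, subject in check_policies(HOSTS, FLOWS, JOBS):
        print(policy, subject)
```

Re-running the check after every inventory or flow change approximates the detection of violations that the slides ask for; each violation tuple identifies what a reaction step would need to reconfigure.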

Requirements
• Scalability
• Real-time detection of violations
• Monitoring itself needs to be secure
• Information needs to be shared across cloud providers
Middleware for Assured Clouds
[Figure: middleware architecture diagram. Component labels: DORA Subsystem, External Event Aggregator, Odessa Agent, Reaction Agent, Policy Distribution, NetOdessa Agent, Trust Calculation Module, Distance from Compliance Calculation, Risk Assessment Modules. Annotations: Formal Design and analysis of Assured Mission Critical Computations; Trustworthiness of Workflows; Evaluation on a distributed networked test-bed.]
Reaction Agents are part of the
Middleware
When a policy violation is detected
• Security, availability, or timeliness requirements might not be
satisfied
• We need to reconfigure the system

We implemented a cloud-based OpenFlow reaction agent

[Figure: diagram showing an OpenFlow controller and the Reaction Agent.]
To Read Further
• Roy H. Campbell, Mirko Montanari, Reza Farivar, Middleware for
Assured Clouds, Journal of Internet Services and Applications,
2011
• Kroske, E.; Farivar, R.; Montanari, M.; Larson, K.; Campbell,
R.H., NetODESSA: Dynamic Policy Enforcement in Cloud Networks,
30th IEEE Symposium on Reliable Distributed Systems - Workshops
(SRDSW), 2011
• Mirko Montanari, Roy H. Campbell, Attack-resilient Compliance
Monitoring for Large Distributed Infrastructure Systems, IEEE
International Conference on Network and System Security (NSS),
Sept 2011.
• Mirko Montanari, Ellick Chan, Kevin Larson, Wucherl Yoo, Roy H.
Campbell, "Distributed Security Policy Conformance," IFIP SEC
2011, Lucerne, Switzerland, June 2011.
