Research in Cloud Computing

Bharat Bhargava Anya Kim YounSun Cho

[email protected] [email protected] [email protected]
Computer Science Naval Research Lab Computer Science
Purdue University Purdue University
 Talk Objectives
• A high-level discussion of the
fundamental challenges and
issues/characteristics of cloud computing
• Identify a few security and privacy
issues within this framework
• Propose some approaches to addressing
these issues
– Preliminary ideas to think about
 Security and Privacy Issues
in Cloud Computing - Big Picture
• Infrastructure Security
• Data Security and Storage
• Identity and Access Management (IAM)
• Privacy

• And more…

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

3
 Infrastructure Security
• Network Level
• Host Level
• Application Level

4
 The Network Level
• Ensuring confidentiality and integrity of your
organization’s data-in-transit to and from your
public cloud provider
• Ensuring proper access control (authentication,
authorization, and auditing) to whatever
resources you are using at your public cloud
provider
• Ensuring availability of the Internet-facing
resources in a public cloud that are being used
by your organization, or have been assigned to
your organization by your public cloud providers
• Replacing the established model of network
zones and tiers with domains
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

5
 The Network Level - Mitigation
• Note that network-level risks exist
regardless of what aspects of “cloud
computing” services are being used
• The primary determination of risk level
is therefore not which *aaS is being
used,
• But rather whether your organization
intends to use or is using a public,
private, or hybrid cloud.
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

6
 The Host Level
• SaaS/PaaS
– Both the PaaS and SaaS platforms abstract and
hide the host OS from end users
– Host security responsibilities are transferred to
the CSP (Cloud Service Provider)
• You do not have to worry about protecting hosts
– However, as a customer, you still own the risk of
managing information hosted in the cloud
services.
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

7
 The Host Level (cont.)
• IaaS Host Security
– Virtualization Software Security
• Hypervisor (also called Virtual Machine Manager (VMM)) security is
a key
– a small application that runs on top of the physical machine
H/W layer
– implements and manages the virtual CPU, virtual memory, event
channels, and memory shared by the resident VMs
– Also controls I/O and memory access to devices.
• Bigger problem in multitenant architectures
– Customer guest OS or Virtual Server Security
• The virtual instance of an OS
• Vulnerabilities have appeared in virtual instance of an OS
• e.g., VMWare, Xen, and Microsoft’s Virtual PC and Virtual Server
• Customers have full access to virtual servers.

8
From [6] Cloud Security and Privacy by Mather and Kumaraswamy
 Case study: Amazon's EC2
infrastructure
• “Hey, You, Get Off of My Cloud: Exploring Information Leakage in
Third-Party Compute Clouds”
– Multiple VMs of different organizations with virtual boundaries
separating each VM can run within one physical server
– "virtual machines" still have internet protocol, or IP, addresses,
visible to anyone within the cloud.
– VMs located on the same physical server tend to have IP
addresses that are close to each other and are assigned at the
same time
– An attacker can set up lots of his own virtual machines, look at
their IP addresses, and figure out which one shares the same
physical resources as an intended target
– Once the malicious virtual machine is placed on the same server
as its target, it is possible to carefully monitor how access to
resources fluctuates and thereby potentially glean sensitive
information about the victim

9
 Local Host Security
• Are local host machines part of the cloud infrastructure?
– Outside the security perimeter
– While cloud consumers worry about the security on the cloud
provider’s site, they may easily forget to harden their own
machines
• The lack of security of local devices can
– Provide a way for malicious services on the cloud to attack
local networks through these terminal devices
– Compromise the cloud and its resources for other users
 Local Host Security (Cont.)
• With mobile devices, the threat may be even stronger
– Users misplace or have the device stolen from them
– Security mechanisms on handheld gadgets are often times
insufficient compared to say, a desktop computer
– Provides a potential attacker an easy avenue into a cloud
system.
– If a user relies mainly on a mobile device to access cloud
data, the threat to availability is also increased as mobile
devices malfunction or are lost
• Devices that access the cloud should have
– Strong authentication mechanisms
– Tamper-resistant mechanisms
– Strong isolation between applications
– Methods to trust the OS
– Cryptographic functionality when traffic confidentiality is
required

11
 The Application Level
• DoS
• EDoS(Economic Denial of Sustainability)
– An attack against the billing model that
underlies the cost of providing a service with
the goal of bankrupting the service itself.
• End user security
• Who is responsible for Web application
security in the cloud?
• SaaS/PaaS/IaaS application security
• Customer-deployed application security
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

12
 Data Security and Storage
• Several aspects of data security, including:
– Data-in-transit
• Confidentiality + integrity using secured protocol
• Confidentiality with non-secured protocol and
encryption
– Data-at-rest
• Generally, not encrypted , since data is commingled
with other users’ data
• Encryption if it is not associated with applications?
– But how about indexing and searching?
– Then homomorphic encryption vs. predicate encryption?
– Processing of data, including multitenancy
• For any application to process data, not encrypted
From [6] Cloud Security and Privacy by Mather and Kumaraswamy
13
 Data Security and Storage (cont.)
– Data lineage
• Knowing when andWhere
where theofdata wassystem?
is (or was) that system located?
What was the state that physical located w/i
cloud is important
Howforwouldaudit/compliance purposes
a customer or auditor verify that
• e.g., Amazon AWS info?

– Store <d1, t1, ex1.s3.amazonaws.com>

– Process <d2, t2, ec2.compute2.amazonaws.com>
– Restore <d3, t3, ex2.s3.amazonaws.com>
– Data provenance
• Computational accuracy (as well as data integrity)
• E.g., financial calculation: sum ((((2*3)*4)/6) -2) =
$2.00 ?
– Correct : assuming US dollar
– How about dollars of different countries?
– Correct exchange rate?

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

14
 Data Security and Storage
• Data remanence
– Inadvertent disclosure of sensitive information is possible
• Data security mitigation?
– Do not place any sensitive data in a public cloud
– Encrypted data is placed into the cloud?
• Provider data and its security: storage
– To the extent that quantities of data from many
companies are centralized, this collection can become an
attractive target for criminals
– Moreover, the physical security of the data center and the
trustworthiness of system administrators take on new
importance.

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

15
 Why IAM?
• Organization’s trust boundary will become dynamic and will move
beyond the control and will extend into the service provider
domain.
• Managing access for diverse user populations (employees,
contractors, partners, etc.)
• Increased demand for authentication
– personal, financial, medical data will now be hosted in the
cloud
– S/W applications hosted in the cloud requires access control
• Need for higher-assurance authentication
– authentication in the cloud may mean authentication outside
F/W
– Limits of password authentication
• Need for authentication from mobile devices
From [6] Cloud Security and Privacy by Mather and Kumaraswamy
16
 IAM considerations
• The strength of authentication system should be
reasonably balanced with the need to protect the privacy
of the users of the system
– The system should allow strong claims to be
transmitted and verified w/o revealing more
information than is necessary for any given transaction
or connection within the service
• Case Study: S3 outage
– authentication service overload leading to unavailability
• 2 hours 2/15/08
• http://www.centernetworks.com/amazon-s3-downtime-
update

17
 What is Privacy?
• The concept of privacy varies widely among (and sometimes
within) countries, cultures, and jurisdictions.
• It is shaped by public expectations and legal
interpretations; as such, a concise definition is elusive if
not impossible.
• Privacy rights or obligations are related to the collection,
use, disclosure, storage, and destruction of personal data
(or Personally Identifiable Information—PII).
• At the end of the day, privacy is about the accountability
of organizations to data subjects, as well as the
transparency to an organization’s practice around personal
information.

18 From [6] Cloud Security and Privacy by Mather and Kumaraswamy

 What is the data life cycle?

• Personal information should be

managed as part of the data used by
the organization
• Protection of personal information
should consider the impact of the
cloud on each phase

19 From [6] Cloud Security and Privacy by Mather and Kumaraswamy

 What Are the Key Privacy
Concerns?
• Typically mix security and privacy
• Some considerations to be aware of:
– Storage
– Retention
– Destruction
– Auditing, monitoring and risk management
– Privacy breaches
– Who is responsible for protecting privacy?

20 From [6] Cloud Security and Privacy by Mather and Kumaraswamy

 Storage
• Is it commingled with information from other
organizations that use the same CSP?
• The aggregation of data raises new privacy issues
– Some governments may decide to search through data
without necessarily notifying the data owner, depending
on where the data resides
• Whether the cloud provider itself has any right to
see and access customer data?
• Some services today track user behaviour for a
range of purposes, from sending targeted
advertising to improving services

21 From [6] Cloud Security and Privacy by Mather and Kumaraswamy

 Retention
• How long is personal information (that is
transferred to the cloud) retained?
• Which retention policy governs the data?
• Does the organization own the data, or
the CSP?
• Who enforces the retention policy in the
cloud, and how are exceptions to this
policy (such as litigation holds) managed?
From [6] Cloud Security and Privacy by Mather and Kumaraswamy
22
 Destruction
• How does the cloud provider destroy PII at the end of the
retention period?
• How do organizations ensure that their PII is destroyed by
the CSP at the right point and is not available to other cloud
users?
• Cloud storage providers usually replicate the data across
multiple systems and sites—increased availability is one of
the benefits they provide.
– How do you know that the CSP didn’t retain additional
copies?
– Did the CSP really destroy the data, or just make it
inaccessible to the organization?
– Is the CSP keeping the information longer than necessary
so that it can mine the data for its own use?
23 From [6] Cloud Security and Privacy by Mather and Kumaraswamy
 Auditing, monitoring and risk
management
• How can organizations monitor their CSP and provide
assurance to relevant stakeholders that privacy
requirements are met when their PII is in the cloud?
• Are they regularly audited?
• What happens in the event of an incident?
• If business-critical processes are migrated to a cloud
computing model, internal security processes need to
evolve to allow multiple cloud providers to participate
in those processes, as needed.
– These include processes such as security monitoring,
auditing, forensics, incident response, and business
continuity

24 From [6] Cloud Security and Privacy by Mather and Kumaraswamy

 Privacy breaches
• How do you know that a breach has occurred?
• How do you ensure that the CSP notifies you
when a breach occurs?
• Who is responsible for managing the breach
notification process (and costs associated with
the process)?
• If contracts include liability for breaches
resulting from negligence of the CSP?
– How is the contract enforced?
– How is it determined who is at fault?

25 From [6] Cloud Security and Privacy by Mather and Kumaraswamy

 Who is responsible for protecting
privacy?
• Data breaches have a cascading effect
e.g., Suppose a hacker breaks into Cloud Provider A and steals data from Company X.
Assume that the compromised server also contained data from Companies Y and Z.

• Full reliance
• Who investigates onthisacrime?
third party to protect personal
data?• Istheit the Cloud Provider, even though Company X may fear that
provider will try to absolve itself from responsibility?
• In-depth understanding of responsible data
• Is it Company X and, if so, does it have the right to see other data on that server,
including logs that may show access to the data of Companies Y and Z?
stewardship
• Organizations can transfer liability, but not
accountability
• Risk assessment and mitigation throughout the data
life cycle is critical.
• Many new risks and unknowns
– The overall complexity of privacy protection in the cloud
represents a bigger challenge.

26 From [6] Cloud Security and Privacy by Mather and Kumaraswamy