Week 13 - Cloud

The document provides an overview of cloud computing and its security implications, detailing its advantages, disadvantages, service models, and deployment models. It highlights the importance of understanding security threats, such as data breaches and account hijacking, while emphasizing the need for strong security practices. The conclusion underscores the growing significance of cloud computing and security in technology, advocating for robust information security measures to mitigate associated risks.

Uploaded by

vishakakrishna9
Cybersecurity Governance

ITSS 4362

Cloud Security

Professor Khan
Introduction

Learning Objectives
• Understand and apply Cloud Technology
– What is it?
– How can it be used?
– Pros and Cons
• Understand and apply Cloud Security Principles
– Security concepts
– How to protect
– Threat vectors
Cloud Computing

• Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user.

• The term is generally used to describe data centers available to many users over the Internet.
Cloud Computing Potential Advantages

Increased Reliability – Duplicated data, logs, better maintenance

Reduction in IT operating costs (Pay-as-you-Go)

Scalability and Agility

Ubiquitous Accessibility – over the Internet, perform the same task from anywhere using any network device

Levels the playing field

Fast request-driven provisioning (On Demand)

Improves collaboration

Security ***
Cloud Computing Potential Disadvantages

To be fair, we need to mention the disadvantages; however, most can be overcome:
• Hard to establish clear governance
• Unclear documentation and specifications
• Vendor lock-in
• Limited control
• Security ****
What Are the Security Advantages of Using the Cloud?

• Platform unity
• Data concentration
• Platform strength for mobile users
• Uniform, secured endpoints
• Specialized technical resources
• Backup, Recovery and Incident Processes
• Resource Availability
What Comprises Cloud Computing?

NIST definition of cloud computing:
• Five essential cloud characteristics
• Three cloud service models
• Four cloud deployment models
NIST Model of Cloud
5 Cloud Computing Elements
1. Broad network access: Capabilities are available over the network and accessed through standard mechanisms.
2. Rapid elasticity: Cloud computing gives you the ability to expand and reduce resources according to your specific service requirement.
3. Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service
4. On-demand self-service: A cloud service consumer (CSC) can unilaterally provision computing capabilities, such as server time and network storage, as needed
5. Resource pooling: The provider’s computing resources are pooled to serve multiple customers using a multitenant model, with different physical and virtual resources
3 Cloud Service Models

Infrastructure as a Service (IaaS)
• To provision processing, storage, networks, and other fundamental computing resources

Platform as a Service (PaaS)
• To deploy customer-created and acquired applications

Software as a Service (SaaS)
• To use the provider’s applications
IaaS – Infrastructure as a Service
• It delivers computer infrastructure as a service, along with raw storage and networking
• Rather than purchasing servers, software, datacenter space, or network equipment, clients buy them as a fully outsourced service
PaaS – Platform as a Service
• It delivers a computing platform and solution stack as a service. PaaS offerings facilitate the deployment of applications without the cost and complexity of buying and managing the underlying hardware and software and provisioning hosting capabilities
SaaS – Software as a Service
• Cloud computing services, such as Amazon’s AWS and Google Apps, are
booming.
• With Software as a Service, you’re not writing an app, just using someone
else’s.
• Changes the dynamic of pricing the software (pay on a per-use basis).
Service Model Summaries
4 Cloud Deployment Models
Public Clouds
• Run by 3rd parties such as Amazon, Google or Microsoft.
• Employ statistical multiplexing to provide hardware and software resources.
• Are hosted away from user premises.
• For security, other applications running on the same clouds are transparent to cloud users
• Public clouds guarantee improved performance, considerable & scalable resources, and growth flexibility

Pros:
– Reliability
– Cost Efficiency
– Scalability and Agility

Cons:
– Security
– Control
Private Clouds
• Built for only one client.
• Provide complete control over data, security and QoS.
• Deployed in an enterprise datacenter or co-location facility.
• Built by the company's own IT organization or a cloud service provider.
• Hosted private model: high level of control + technical expertise to establish and operate the cloud.

Pros:
– Control / Security
– Availability
– Speed of Access

Cons:
– Scalability
– Maintenance
Community Cloud

• In a community cloud, multiple organizations and infrastructures from the same community share the cloud infrastructure.
• They all have similar concerns and goals, which helps them agree on the same cloud policies.

Pros:
– Security
– Legal/compliance
– Same Policy and Concerns

Cons:
– Development
– Cost
Hybrid Clouds

• Combines both private and public clouds.
• Private clouds are augmented with resources of the public cloud.
• More suitable when data transfers are small or applications are stateless than when large amounts of data are transferred for a small amount of processing.

Pros:
– High performance
– Expanded capacity
– Scalability
– Security
– Low cost

Cons:
– Complex SLAs
– Complex networking
Market Domination
If cloud computing is so great, why isn’t everyone doing it?

• Uncertainty:
– The cloud acts as a big black box; nothing inside the cloud is visible to the clients

– Clients have no idea or control over what happens inside a cloud

• Malicious Actors:
– Even if the cloud provider is honest, it can have malicious system admins who
can tamper with the VMs and violate confidentiality and integrity

• Threats:
– Clouds are still subject to traditional data confidentiality, integrity,
availability, and privacy issues, plus some additional attacks
Causes of Problems Associated with Cloud Computing

Most security problems stem from:
• Loss of control
• Lack of trust (mechanisms)
• Multi-tenancy

These problems exist mainly in 3rd party management models
• Self-managed clouds still have security issues, but they are not related to the above
Loss of Control in the Cloud

Consumer’s loss of control

• Data, applications, resources are located with provider
• User identity management is handled by the cloud
• User access control rules, security policies and enforcement are managed by the cloud provider
• Consumer relies on provider to ensure
– Data security and privacy
– Resource availability
– Monitoring and repairing of services/resources

Taxonomy of Fear
Confidentiality
• Fear of loss of control over data
– Will the sensitive data stored on a cloud remain confidential?
– Will cloud compromises leak confidential client data?
– Will the cloud provider itself be honest and not peek into the data?

Integrity
• How do I know that the cloud provider is doing the computations correctly?
• How do I ensure that the cloud provider really stored my data without tampering with it?

Availability
• Will critical systems go down at the client if the provider is attacked in a Denial of Service attack?
• What happens if the cloud provider goes out of business?
• Will the cloud scale well enough?
Taxonomy of Fear (cont.)

Privacy issues raised via massive data mining
• The cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients

Increased attack surface
• An entity outside the organization now stores and computes data, and so:
– Attackers can now target the communication link between cloud provider and client
– Cloud provider employees can be phished

Auditability and forensics (out of control of data)
• Difficult to audit data held outside the organization in a cloud
• Forensics is also made difficult, since clients no longer maintain data locally
Model for Holistic Cloud Security
Cloud Computing: who should use it?

Cloud computing makes sense if your own security is weak, missing features, or below average.

Ultimately, if
• the cloud provider’s security people are “better” than yours (and leveraged at least as efficiently),
• the web-services interfaces don’t introduce too many new vulnerabilities, and
• the cloud provider aims at least as high as you do, at security goals,

then cloud computing has better security.


Delivery model Security Issues
The Notorious Nine

The CSA (Cloud Security Alliance) has identified "The Notorious Nine", the top 9 cloud computing threats

1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
Data Breaches/Loss

Deletion or alteration of records without a backup and loss of an encoding key are common examples that lead to data loss.

As the data resides in third parties' data centers, security of data is becoming the main concern for cloud adoption.

Thus it is the duty of the cloud security provider to prevent unauthorized parties from gaining access to the sensitive data.
Data Loss Remediation

Implement strong access controls.

Use strong encryption and decryption for data.

Implement strong key generation, storage and management, and destruction practices.

Maintain backups of the data and update them promptly as it changes.
Account, Service and Traffic Hijacking

Threat:
• If an attacker gains access to the credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites.
• Using the same credentials and passwords for a long time without changing them, and reusing them for different accounts, makes this type of attack easy.

Remediation:
• Following the password rules to create strong passwords
• Changing passwords in a timely manner
• Prohibiting the use of passwords on unknown machines and the sharing of passwords with other users
• Multi-Factor Authentication
Insecure APIs

Threat:
• The security of cloud services depends on how secure their Application Programming Interfaces (APIs) are
• Accidental and malicious attempts must be taken into consideration when designing the APIs
• Organizations are facing a variety of authenticity, confidentiality, and integrity issues due to their dependence on a weak set of APIs

Remediation:
• Analyze the security model of cloud provider interfaces.
• Ensure strong authentication and access controls are implemented in concert with encrypted transmission
Denial of Service

Threat:
• Distributed Denial of Service (DDoS) Attacks
• Preventing users from accessing cloud services.
• Using resource exhaustion attacks or software vulnerability attacks.
• The cloud becomes unresponsive, or legitimate users pay more for using more resources

Remediation:
• Anomalous Behavior Analysis (ABA)
• Intrusion Tolerance by using diversity and redundancy
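
A sketch of anomalous behavior analysis for the resource-exhaustion case above, added here as an example and not part of the original slides. The log format, tenant names and threshold are constructed assumptions.

```python
from collections import Counter
from statistics import median

def build_sample_log(per_minute=(42, 45, 39, 44, 41, 900, 43, 40, 46, 44)):
    """Constructed access log: '<ISO timestamp> <client> <method> <path>' per line."""
    lines = []
    for minute, n in enumerate(per_minute):
        for j in range(n):
            # Constructed data: a flood minute is attributed to one client, tenant-9.
            client = "tenant-9" if n > 500 else f"tenant-{j % 7}"
            lines.append(f"2024-01-01T10:{minute:02d}:{j % 60:02d}Z {client} GET /api/items")
    return lines

def requests_per_minute(lines):
    """Count requests per minute; malformed lines are skipped, not fatal."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) >= 4:
            counts[parts[0][:16]] += 1  # key is 'YYYY-MM-DDTHH:MM'
    return counts

def flag_anomalies(counts, threshold=3.5, mad_floor=1.0):
    """Minutes whose volume is a high outlier by modified z-score (median/MAD).

    Median and MAD are used instead of mean and standard deviation so that the
    flood itself does not inflate the baseline it is compared against.
    """
    values = list(counts.values())
    if len(values) < 3:
        return []  # too little history to call anything anomalous
    med = median(values)
    # Floor the MAD so perfectly flat traffic does not cause division by zero.
    mad = max(median(abs(v - med) for v in values), mad_floor)
    return sorted(m for m, v in counts.items() if 0.6745 * (v - med) / mad > threshold)

def top_clients(lines, minute, n=1):
    """Who generated the traffic in a flagged minute (for triage or billing review)."""
    rows = (line.split() for line in lines)
    hits = Counter(p[1] for p in rows if len(p) >= 4 and p[0].startswith(minute))
    return hits.most_common(n)

if __name__ == "__main__":
    log = build_sample_log()
    for minute in flag_anomalies(requests_per_minute(log)):
        print(minute, top_clients(log, minute))
```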
Malicious Insiders

Threat:
• Malicious insider threat is well-known to most organizations.
• A provider may not reveal how it grants employees access to physical and virtual
assets, how it monitors these employees, or how it analyzes and reports on policy
compliance.
• This kind of situation clearly creates an attractive opportunity for a hobbyist hacker.

Remediation:
• Human resource requirements should be specified as part of the legal contract.
• The Cloud Service Provider should transparently provide all security and management practices
Abuse of Cloud Services

Threat:
• The registration process for cloud resources has become so easy that anyone with a
valid credit card can register and immediately begin using services.
• Thus, spammers, malicious code authors, and other criminals have been able to
conduct their activities with relative impunity
• Thus PaaS and IaaS providers are suffering from these kinds of attacks.

Remediation:
• Strict initial registration and validation
• Enhanced credit card fraud monitoring and coordination
• Constant monitoring of customer network traffic.
• Monitoring public blacklists for one’s own network blocks
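
One way to implement the last remediation item, checking a public blocklist feed against one's own network blocks. This is an added example, not part of the original slides; the feed text, its comment syntax and the address ranges (documentation address space) are constructed assumptions.

```python
import ipaddress

# Constructed sample feed: one IP or CIDR per line, ';' or '#' starts a comment.
SAMPLE_FEED = """\
; constructed sample feed, documentation address space only
203.0.113.0/24 ; listed range that is not ours
198.51.100.77 # single host inside our block
198.51.100.0/24 ; covering range that contains our block
2001:db8:10:5::/64
not-an-ip
"""

# Constructed: the network blocks our organization is responsible for.
OWN_BLOCKS = ["198.51.100.64/26", "2001:db8:10::/48"]

def parse_blocklist(text):
    """Parse a feed into network objects, skipping comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets a bare host address parse as a /32 or /128.
            entries.append(ipaddress.ip_network(line.split()[0], strict=False))
        except ValueError:
            continue  # a bad entry must not stop the whole check
    return entries

def listed_ranges(own_blocks, blocklist):
    """Map each of our blocks to the blocklist entries that overlap it.

    overlaps() catches both directions: a listed host or subnet inside our
    block, and a wider listed range that swallows our whole block.
    """
    hits = {}
    for block in map(ipaddress.ip_network, own_blocks):
        matches = [e for e in blocklist if e.version == block.version and e.overlaps(block)]
        if matches:
            hits[str(block)] = sorted(str(m) for m in matches)
    return hits

if __name__ == "__main__":
    for block, entries in listed_ranges(OWN_BLOCKS, parse_blocklist(SAMPLE_FEED)).items():
        print(f"{block} is affected by: {', '.join(entries)}")
```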
Insufficient Due Diligence

Threat:
• Organizations are moving fast toward the cloud for its cost reductions, operational efficiencies and improved security.
• However, without a full understanding of the cloud service provider environment and responsibilities, they are increasing their risk.

Remediation:
• Organizations need to understand the risk of moving to the cloud.
• 24/7 Continuous Monitoring, Analysis, and Mitigation
Shared Technology Vulnerabilities

Threat:
• Cloud Service Providers deliver their services in a scalable way by sharing
infrastructure.
• Cloud services depend on utilizing virtualization.
• Virtualization hypervisors, like any other software, have flaws that allow attackers with access to the guest operating system to attack the host.
• This impacts the operations of other cloud customers and allows attackers to gain access to unauthorized data.

Remediation:
• Implementing and applying security best practices for both the installation and configuration processes
• Continuously monitoring the environment to detect unauthorized activities.
• Enforcing strict access control and strong authentication for all critical operations.
• Continuously searching for vulnerabilities and threats
Unknown Risk Profile

The features and functionality of cloud services are well communicated to the customer, but the details of internal security procedures, auditing, logging and internal access control remain unanswered, leaving customers with an unknown risk profile.

1. Protection of Data in Transit and Data at Rest
2. Asset Protection
3. Visibility and Control
4. Trusted Security Marketplace and Partner Network
5. Secure User Management
6. Compliance and Security Integration
7. Identity and Authentication
8. Operational Security
9. Personnel Security
10. Secure Use of the Service
Responsibility Changes Based on Service Type
Model for Holistic Cloud Security
Conclusion

• Cloud computing & security is a booming field of technology

• Contains all the traditional threats, as well as new ones

• Strong info sec practices allow for better integrations and utility

• Help mitigate risks associated with:
– Loss of control
– Lack of trust
– Multi-tenancy problems
