�ݺ�ߣ

Data Security In The Cloud
Presented by:
Gary Dischner
TxMQ Enterprise Architect
© Copyright 2014 TxMQ, Inc.
Materials may not be reproduced in whole or in part without prior written permission of TxMQ.
LOGO

Agenda
• What is the cloud
• Delivery Models / Deployment Models
• Who is the attacker
• Why cloud brings new threats
• Security Issues in the cloud
• Data Issues In the Cloud
• Techniques for Mitigating Risk
© 2013 TxMQ, Inc, 1430B Millersport Highway, Amherst, NY 14221 | 716-636-0070 | www.txmq.com

What is the Cloud

What Is The Cloud?
NIST – 800-145
Cloud computing is a model for enabling ubiquitous,
convenient, on-demand network access to a shared
pool of configurable computing resources (e.g.
networks, servers, storage, applications, and services)
that can be rapidly provisioned and released with
minimal management effort or service-provider
interaction. This cloud model is composed of five
essential characteristics, three service models, and four
deployment models.

Essential Characteristics
• On-demand self-service. A consumer can unilaterally provision computing capabilities, such as
server time and network storage, as needed automatically without requiring human interaction
with each service provider.
• Broad network access. Capabilities are available over the network and accessed through standard
mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones,
tablets, laptops, and workstations).
• Resource pooling. The provider’s computing resources are pooled to serve multiple consumers
using a multi-tenant model, with different physical and virtual resources dynamically assigned and
reassigned according to consumer demand. There is a sense of location independence because the
customer generally has no control or knowledge over the exact location of the provided resources
but may be able to specify location at a higher level of abstraction (e.g. country, state, or
datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
• Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases
automatically, to scale rapidly outward and inward commensurate with demand. To the consumer,
the capabilities available for provisioning often appear to be unlimited and can be appropriated in
any quantity at any time.
• Measured service. Cloud systems automatically control and optimize resource use by leveraging a
metering capability at some level of abstraction appropriate to the type of service (e.g. storage,
processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled,
and reported to provide transparency for both the provider and consumer of the utilized service.

CSA’s Definition
• Cloud computing is a model for enabling on-demand access to a shared
pool of computer resources such as server, application & service.
• In other words, cloud computing is a model for delivering IT services.
Instead of a direct connection to the server, the resources are retrieved
from the Internet though web-based tools and applications.
• These services are broadly divided into three categories / delivery models:
– Infrastructure-as-a-Service (IaaS)
– Platform-as-a-Service (PaaS) (GoogleApps are examples of PaaS)
– Software-as-a-Service (SaaS)
Data and software packages are stored in servers. The cloud computing
structure allows access to information as long as an electronic device has
access to the web. This allows employees to work remotely

Delivery / Deployment Models

Software as a Service (SaaS) is a cloud delivery model that has actually existed
for a long time.
• An SaaS is an implementation of a business application or process that is
developed on a cloud platform and hosted in a cloud infrastructure.
• SaaS providers deliver domain-specific applications or services over the
Internet and charge end users on a pay-per-usage basis.
A Platform as a Service (PaaS) cloud lies directly upon an IaaS layer with a
solution stack summarising everything required for the entire software-
engineering lifecycle (design, development, debugging, testing, and deployment).
• The potential consumers of a PaaS cloud service are therefore software
developers and testers.
• Most PaaS vendors lock developers into particular development platforms and
debugging tools, and do not allow direct communication with lower
computing infrastructures, although certain programming APIs might be
provided with limited functionalities of infrastructure control and
management.

Infrastructure as a Service (IaaS)
• According to the different types of resources offered, IaaS cloud can
be further divided into three sub-categories:
• Computing as a Service (CaaS) offers customers access to raw
computing power on virtual servers or virtual-machine instances.
CaaS provides self-service interfaces for on-demand provisioning
and management (i.e. start, stop, reboot, destroy) of virtual-
machine instances.
• A CaaS provider may also provide self-management interfaces for
auto-scaling and other automatic management facilities.
• Storage as a Service offers online storage services allowing on-
demand storing and access to data on third-party storage spaces.
• Database as a service (DaaS) includes standardized processes for
accessing and manipulating (writing, updating, deleting) data
through database management systems (DBMS) that are hosted in
the cloud.

Deployment Models

CIA

CIA Aspects of Security
Confidentiality: Prevent unauthorized disclosure of sensitive information
Integrity: Prevent unauthorized modification of systems and information
Availability: Prevent disruption of service and productivity

Who is the attacker

Who is the attacker?
Insider?
– Malicious employees at client
– Malicious employees at Cloud provider
– Cloud provider itself
Outsider?
– Intruders
– Network attackers?

Why cloud brings new threats

Why Cloud Computing Brings New Threats?
• Cloud Security problems are coming from:
– Loss of control
– Lack of trust (mechanisms)
– Multi-tenancy
• These problems exist mainly in third-party-
management models
• Self-managed clouds still have security issues,
but not related to above

Why Cloud Computing Brings New Threats?
– Data, applications, and resources are located with
provider
– User identity management is handled by the cloud
– User access control rules, security policies and
enforcement are managed by the cloud provider
– Consumer relies on provider to ensure
• Data security and privacy
• Resource availability
• Monitoring and repairing of services/resources

Security Issues Associated with
Cloud

Cloud computing will not be accepted by common users unless the trust and
dependability issues are resolved satisfactorily [1].
Cloud Service Models And Their Security Demands

Security Issues In The Cloud
• Spoofing identity
• Tampering with data
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

Perimeter Security Model

Security Issues From Virtualization
• Virtualization providers offer
– Use of ParaVirtualization or full-system virtualization.
• Instance Isolation: Ensuring that different instances running on the
same physical machine are isolated from each other.
– Control of Administrator on Host O/S and Guest O/S.
– Current VMs do not offer perfect isolation: Many bugs have been
found in all popular VMMs that allow escape.
• Virtual machine monitor should be “root secure” – meaning that no
level of privilege within the virtualized guest environment permits
interference with the host system.

Security Best Practices For Virtual Machines
• Plan for a network firewall or an additional VM-based
IPS protection if needed
– VMware virtual machines communicate with each via a
network switch, just as with any physical server, so there is
no reason for increased rate of infection
• Keep signatures, filters and rules updated for offline
VMs
– VMware is actively working about patching offline images
• Protect invisible internal network traffic
– Place a "network-based IPS" inside of the server (a host-
based network IPS that monitors internal virtual network
traffic) to inspect this traffic

• Algorithms
– Proprietary vs. standards
• Key size
• Key management
– Ideally by customer
– Does CSP have decryption keys?
– E.g. Apple uses master key to decrypt iCloud data
to screen “objectionable” content*
Encryption Management

Data Issues

Data Issue: Confidentiality
• Transit between cloud and intranet
– Example: Use HTTPS
• Possible for simple storage
– Example: Data in Amazon S3 encrypted with AES-256
• Difficult for data processed by cloud
– Overhead of searching, indexing etc.
• iCloud does not encrypt data on mail server*
– If encrypted, data decrypted before processing
• Is it possible to perform computations on encrypted data?^

Data Issue: Comingled Data
• Cloud uses multi-tenancy
– Data comingled with other users’ data
• Application vulnerabilities may allow
unauthorized access
– E.g. Google docs unauthorized sharing, Mar 2009
– “identified and fixed a bug which may have caused
you to share some of your documents without
your knowledge.”

Privacy Challenges
• Protect PII
• Ensure conformance to FIPs principles
• Compliance with laws and regulations
– GLBA, HIPAA, PCI-DSS, Patriot Act etc.
• Multi-jurisdictional requirements
– EU Directive, EU-US Safe Harbor

Key FIPs Requirements
Use limitation
– It is easier to combine data from multiple sources in the cloud. How do
we ensure data is used for originally specified purposes?
Retention
– Is CSP retention period consistent with company needs? Does CSP
have proper backup and archival?
Deletion
– Does CSP delete data securely and from all storage sources?
Security
– Does CSP provide reasonable security for data, e.g., encryption of PII,
access control and integrity?
Accountability
– Company can transfer liability to CSP, but not accountability. How
does company identify privacy breaches and notify its users?
Access
– Can company provide access to data on the cloud?

Compliance & Audit
– Hard to maintain with your sec/reg requirements,
harder to demonstrate to auditors
– Right to Audit clause
– Analyze compliance scope
– Regulatory impact on data security
– Evidence requirements are met
Does Provider have SAS 70 Type II, SSAE 16

Techniques for Mitigating Risk

Streamlined Security Analysis Process
• Identify Assets
– Which assets are we trying to protect?
– What properties of these assets must be maintained?
• Identify Threats
– What attacks can be mounted?
– What other threats are there (natural disasters, etc.)?
• Identify Countermeasures
– How can we counter those attacks?
• Appropriate for Organization-Independent Analysis
– We have no organizational context or policies

Identify Asset
How would we be harmed if:
– The asset became widely public & widely distributed?
– An employee of our cloud provider accessed the asset?
– The process of function were manipulated by an outsider?
– The process or function failed to provide expected results?
– The info/data was unexpectedly changed?
– The asset were unavailable for a period of time?

Identifying Threats
• Failures in Provider Security
– Attacks by Other Customers
– Availability and Reliability Issues
– Legal and Regulatory Issues
– Perimeter Security Model Broken
– Integrating Provider and Customer Security
Systems

Map Asset to Models
• 4 Cloud Models
– Public
– Private (internal, external)
– Community
– Hybrid
Which cloud model addresses your security
concerns?

Introduction to Cloud Computing , Prof. Yeh-Ching Chung, http://cs5421.sslab.cs.nthu.edu.tw/home/Materials/Lecture2-
IntroductiontoCloudComputing.pdf?attredirects=0&d=1
NIST (National Institute of Standards and Technology).
http://csrc.nist.gov/groups/SNS/cloud-computing/
M. Armbrust et. al., “Above the Clouds: A Berkeley View of Cloud Computing,” Technical Report No. UCB/EECS-2009-28, University of California at Berkeley,
2009.
R. Buyya et. al., “Cloud computing and emerging IT platforms: Vision,
hype, and reality for delivering computing as the 5th utility,” Future
Generation Computer Systems, 2009.
Cloud Computing Use Cases. http://groups.google.com/group/cloud-
computing-use-cases
Cloud Computing Explained. http://www.andyharjanto.com/2009/11/wanted-cloud-computing-explained-in.html
All resources of the materials and pictures were partially retrieved from the Internet.
All material from “Security Guidance for Critical Areas of Focus in Cloud Computing v2.1”, http://www.cloudsecurityalliance.org
Various cloud working groups
Open Cloud Computing Interface Working Group, Amazon EC2 API, Sun Open Cloud API, Rackspace API, GoGrid API, DMTF Open Virtualization Format (OVF)
Cloud Computing Security Issues, Randy Marchany, VA Tech IT
Security, marchany@vt.edu
Research in Cloud Security and Privacy,
www.cs.purdue.edu/homes/bb/cloud/cloud-complete.ppt
Introduction to Security and Privacy in Cloud Computing, Introduction to Security and Privacy in Cloud Computing. Spring 2010 course at the Johns
Hopkins University. By Ragib Hassan

Contact Us
For more information please call TxMQ VP Miles
Roty, 716-636-0070 (228), or email
miles@txmq.com.
Visit us at TxMQ.com.

�ݺ�ߣ

Gary Homeland Security Presentation 102114

More Related Content

Gary Homeland Security Presentation 102114

Editor's Notes