Cloud Computing Security Research


Shane Fry

NSA

September 28, 2011


Overview

  • Who am I?

  • What is vulnerability analysis?

  • What is the cloud?

  • Who is the cloud?

  • What are the security concerns?

  • What are some malicious uses of the cloud?


Who am I?


What is Vulnerability Analysis?

  • Looking for vulnerabilities in software, hardware, or entire systems.

  • The goal:

    • Improve the security of hardware/software/systems

    • Create configuration guidance to mitigate vulnerabilities

  • Two kinds of vulnerability analysis

    • Black box

    • White box


Vulnerability Analysis Strategy


Black box testing

  • Easy

  • No source code

  • Tests boundaries between components

  • Limited code coverage

  • Reverse engineer code to determine where the problem code is, and what is going wrong


White box testing

  • Time consuming

  • Greater code coverage

  • Static source code analysis

    • Automated

    • Manual

  • Specific tests for suspected problem code


Grey box testing

  • Uses both White box and Black box techniques:

    • Fuzzing

    • Reverse Engineering

    • Source code analysis


What do you think the cloud is?


NIST Definition

  • On-demand self-service

  • Broad network access

  • Resource pooling

  • Rapid elasticity

  • Measured service

[2]


NIST Definition

Visual Model of NIST Working Definition of Cloud Computing

http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.hml

  • Essential Characteristics

  • Delivery Models

  • Deployment Models

[6]


What is the cloud?

  • Storage

    • Cheap

    • Distributed

    • Automated backups

  • Computing

    • Cheap

    • Scalable

    • No infrastructure to manage

  • Usually both are employed


Who is the cloud?

[7]


Security Concerns

What do you think the security concerns are when using the cloud?


Security Concerns

  • Data center location

  • Network perimeter security

    • Packet replay attacks

    • Information disclosure

  • Infrastructure security

    • Patch process

    • Underlying protocol security


Security Concerns

  • Physical security

  • Backup location

  • File scrubbing

    • Persistent data storage

    • VM Images

  • VM Image Security

    • OS Security

    • Known good state

    • Modified base image


Cloud Architecture


Malicious Use

  • WPA cracking [4]

  • Password cracking [5]

  • DDoS attacks [3]

  • Botnets [3]


Questions?


References

  • [1] http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

  • [2] http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf

  • [3] http://www.defcon.org/images/defcon-18/dc-18-presentations/Bryan-Anderson/DEFCON-18-Bryan-Anderson-Cloud-Computing.pdf

  • [4] https://www.wpacracker.com

  • [5] http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances/

  • [6] http://2.bp.blogspot.com/_hnCtHg5syTo/S-QY0NuPrrI/AAAAAAAAAKk/yHswSLD0fQk/s1600/NIST+Cloud.jpg

  • [7] http://blogs.southworks.net/mwoloski/files/2008/08/posterservices.png


THE DECISIVE ADVANTAGE

