
Security challenges in a networked world

Security challenges in a networked world. Theo Dimitrakos, Chief Security Researcher – Security Futures Practice, BT Research & Technology; Professor of Computer Science – School of Computing, University of Kent. Overview: Change factors, New security threats, Research challenges.


Presentation Transcript


  1. Security challenges in a networked world Theo Dimitrakos Chief Security Researcher – Security Futures Practice, BT Research & Technology Professor of Computer Science – School of Computing, University of Kent

  2. Overview • Change factors • New security threats • Research challenges

  3. Change factors

  4. Commonly referenced cloud security incidents Service Availability • Amazon: Hey Spammers, Get Off My Cloud! (2008) • Megaupload US prosecutor investigation (2012) Bitbucket's Amazon DDoS - what went wrong (2009) AWS EBS cloud storage services outage (2011) – impact on Netflix vs. Foursquare Bad co-hosts Data Remanence You can check out but can’t leave In-cloud federated Identity Management Location & Privacy Who looks at/after your data? And where? Jurisdictions? Data Provenance Where did the data come from? Lack of Standards An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware) see also http://invisiblethingslab.com/itl/About.html Cloudburst: Arbitrary code execution vulnerability for VMware http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine Security issues with Google Docs Security Issues with Sony User Network DigiNotar (June 2011) RSA SecurID (March 2011) Risk communication & Response Hypervisor & Virtual Machine Vulnerabilities Crypto Ops in VM Entitlement Management

  5. Cloud Security: the challenges Near real-time virtual patching Intrusion Prevention at Hypervisor level – below Guest OS Malware prevention / detection at Hypervisor level • CSPs don’t: • allow clients to classify data • offer different levels of security based upon data sensitivity • offer DLP services Robust at system level (modulo kernel bugs) Issues at management plane Memory hijacking Co-ordinate security policies & provisioning for network & server virtualisation Location/resource optimisation • Guest OS needs • security protection • Resilient VM lifecycle • dynamic • at massive scale • Hypervisor / trusted VM: • the best place to secure • Limited compute resources • Security API standards • Difficult to exploit but high-impact • Do you trust Microsoft? • Do you trust VMware? Crypto doesn’t like virtual Current algorithms set to optimise resource pooling Can’t always use specialised HW Encryption key management

  6. Cloud Security: the challenges Provider & resource / data location Cross-border data movement PII and privacy obligations (HIPAA, GLBA) Auditing and compliance (PCI, ISO 27001) Poor quality of evidence Lack of standards Lack of interoperability Limited service portability Incompatible management processes EU vs. US vs. China (Gov. access) Differences in data protection Cost of keeping data hosting in EU Audit data legally owned by CSP refusal to ‘hand over’ audit logs? Difficult to involve law enforcement with CSP activities Security of shared resources Process isolation Data segregation “Data sharding” (fragment across images) Entitlement & Access Mgmt (policy issuing authority) Latency sensitive applications Enforcement of SLA obligations Insufficient capabilities to cater for managing critical data In-cloud segregation of data: difficult Accidental seizure of customer data during forensic investigations VMs provided by IaaS provider Platform stack by PaaS provider IaaS, PaaS issues + application security

  7. Cloud Security: the challenges Credential Mapping Authorization with Constrained Delegation (Policy Integrity & Recognition of Authority) Trust & Federation Security Auditing Active Directory/LDAP - Attributes, Credentials and Groups for Edge servers Provisioning Identity Integration User Management Credential Management Entitlement Management Device Credentials, PKI Infrastructure Federation and Edge Server Security – Secure Application Integration Fabric (Secure ESB Gateway)

  8. Questions For more information please contact: theo.dimitrakos@bt.com theo.dimitrakos@ifiptm.org
