
Security in Cloud

Security in Cloud. Srinivasan Narayanamurthy, Vineet Pandey. University Day Student Workshop, March 07, 2013. Outline of the talk: cloud computing; problem with the deployment models; threats; attacks; recent news and techniques; for the break-out session.


Presentation Transcript


  1. Security in Cloud Srinivasan Narayanamurthy Vineet Pandey University Day Student Workshop dt. March 07, 2013

  2. Outline of the talk
  • Cloud computing
  • Problem with the deployment models
  • Threats
  • Attacks
  • Recent news and techniques
  • For the break-out session

  3. Characteristics: Service & Deployment Models
  Deployment models: Private, Partner, Community, Hybrid, Public
  Service stack (top to bottom):
  • End Users
  • Software as a Service (SaaS)
  • Platform as a Service (PaaS): only basic OS-level protections, easily bypassed by malware
  • Infrastructure as a Service (IaaS): tenants rent VMs, isolation provided by the hypervisor
  • Physical Infrastructure

  4. Threats (Source: Cloud Security Alliance, 2010, https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf)
  Abuse & Nefarious use
  • Password and key cracking
  • DDoS
  • Launching dynamic attack points
  • Hosting malicious data
  • Botnet command and control
  • Building rainbow tables
  • CAPTCHA solving
  Insecure APIs
  • Could expose more functionality than intended
  • Policy could be circumvented
  • Credentials may need to be passed – is the interface secure?
  Malicious Insiders
  • Particularly poignant for cloud
  • Little risk of detection
  • System administrator qualification and vetting processes differ
  Shared Technology Vuln.
  • Underlying architecture (CPU cache, GPU, etc.) not intended to offer strong isolation properties
  • Virtualization hypervisor used to mediate access between guest OS and physical resources
  • Exploits exist (Blue Pill, Red Pill)
  Data loss / leakage
  • Data is outside the owner’s control
  • Data can be deleted or decoupled (lost)
  • Encryption keys can be lost
  • Unauthorized parties may gain access
  • Caused by: insufficient authN, authZ, and access controls; persistence and remanence; poor disposal procedures; poor data center reliability
  Account, Service, Traffic Hijacking
  • Exploits phishing attacks, fraud, or software vulnerabilities
  • Credential reuse
  Unknown Risk Profile
  • Is the cloud maintained? Companies do not disclose
  • Is the infrastructure up to date (patches & firmware)?
  • Does the combination of different service providers create previously unseen vulnerabilities?

  5. Past Attacks
  • Blue Pill, Red Pill (Joanna Rutkowska, Black Hat 2006)
    • Blue Pill – rootkit based on x86 virtualization
    • Red Pill – detect the presence of a virtual machine
  • Cloudburst (2009-10)
    • Enables guest VM to attack its host
    • US-CERT VU#649219 (CloudBurst)
  • SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware

  6. Attacks demonstrated
  • MIT (Ristenpart et al.) demonstrated cross-tenant attacks* on Amazon EC2
    • Proof of attacker VM collocation
    • Side channels in shared hardware (L2 cache)
  • DoS
    • Wordpress outage, June 2010**: 100s of tenants (CNN, …) down in a multi-tenant environment; uncoordinated change in database
    • Amazon, Apple, T-Systems availability issues during 2012
  * Ristenpart, T., Tromer, E., Shacham, H., and Savage, S. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In Proceedings of the 16th ACM Conference on Computer and Communications Security (Chicago, Nov 9–13). ACM Press, New York, 2009, 199–212
  ** http://smoothspan.wordpress.com/2010/06/11/wordpress-and-the-dark-side-of-multitenancy/

  7. Threats and countermeasures
  Threat headings on the slide: Insecure APIs; Malicious Insiders; Abuse & Nefarious use; Unknown Risk Profile; Shared Technology Vuln.; Account, Service, Traffic Hijacking; Data loss / leakage
  Countermeasures and data points placed beside them (slide layout not recoverable from the transcript; listed in slide order):
  • Secure REST API with OAuth & OIdentity
  • CryptDB
  • 35% IT sabotage, 18% theft of intellectual property, 40% fraud
  • Beyond encryption (RSAConf 2013)
  • Zeus botnet
  • TPM & vTPM
  • Side channels by buffer overflow
  • Multiple cloud provisioning (Rightscale)
  • Key management by the tenant
  • Crypto shredding
  • Federated identity management

  8. For the Break-out Session
  • Guarantees Required
    • Security
      • Encryption (PDP)
      • Integrity checking (PoR)
      • Freshness guarantee
    • Availability
      • Reliability & Correctness (PoW)
      • Beyond RAID-5 & RAID-6
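The integrity-checking and freshness guarantees listed for the break-out session can be demonstrated with a small spot-check audit, written here as an added example (not from the slides, and a deliberately simplified stand-in for full PDP/PoR schemes): the tenant keeps only an HMAC key and a version counter, the provider stores the blocks plus one keyed tag per block, and every audit samples fresh random block indices. The names Owner, CloudStore and audit_demo and the sample data are constructed for this illustration.

```python
import hashlib, hmac, secrets

BLOCK_SIZE = 32  # bytes per block, kept small so the constructed sample is readable


def split_blocks(data: bytes) -> list[bytes]:
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def block_tag(key: bytes, version: int, index: int, block: bytes) -> bytes:
    # The tag binds version, position and contents: a swapped, stale or altered block fails.
    msg = version.to_bytes(8, "big") + index.to_bytes(8, "big") + block
    return hmac.new(key, msg, hashlib.sha256).digest()


class Owner:
    """Tenant side: stores only the key and the current data version (constant state)."""
    def __init__(self, key: bytes):
        self.key, self.version = key, 0
    def outsource(self, data: bytes) -> tuple[list[bytes], list[bytes]]:
        self.version += 1
        blocks = split_blocks(data)
        return blocks, [block_tag(self.key, self.version, i, b) for i, b in enumerate(blocks)]
    def challenge(self, n_blocks: int, sample: int) -> list[int]:
        # A fresh random sample per audit, so the store cannot precompute a reply.
        return sorted(secrets.SystemRandom().sample(range(n_blocks), sample))
    def verify(self, indices: list[int], reply: list[tuple[bytes, bytes]]) -> bool:
        if len(reply) != len(indices):
            return False
        return all(hmac.compare_digest(block_tag(self.key, self.version, i, blk), tag)
                   for i, (blk, tag) in zip(indices, reply))


class CloudStore:
    """Untrusted provider: holds blocks and tags (never the key) and answers audits."""
    def __init__(self, blocks: list[bytes], tags: list[bytes]):
        self.blocks, self.tags = list(blocks), list(tags)
    def respond(self, indices: list[int]) -> list[tuple[bytes, bytes]]:
        return [(self.blocks[i], self.tags[i]) for i in indices]


def audit_demo() -> dict:
    # Constructed sample data and key; nothing here comes from a real deployment.
    data = b"".join(f"record-{i:03d}-".encode().ljust(BLOCK_SIZE, b"x") for i in range(16))
    owner = Owner(secrets.token_bytes(32))
    store = CloudStore(*owner.outsource(data))
    idx = owner.challenge(16, 6)
    honest = owner.verify(idx, store.respond(idx))            # intact copy passes
    store.blocks[idx[0]] = b"\x00" * BLOCK_SIZE               # provider loses a sampled block
    corrupted = owner.verify(idx, store.respond(idx))         # detected by the tag check
    owner.outsource(data.replace(b"record-000", b"record-new"))  # owner writes version 2 ...
    stale = owner.verify(idx, store.respond(idx))             # ... store still serves version 1
    return {"honest": honest, "corrupted": corrupted, "stale": stale}
```

Sampling a few blocks per audit keeps bandwidth low; the probability of missing a corrupted block drops with the sample size, which is the trade-off the PDP/PoR literature formalises.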

  9. Cloud computing
  • Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
  • Source: NIST (http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html)

  10. Characteristics: Service & Deployment Models
  Deployment models: Private, Partner, Community, Hybrid, Public
  Service stack (top to bottom):
  • End Users
  • Software as a Service (SaaS): application as a service – online CRM (Salesforce CRM), word processing (Google Docs), etc.
  • Platform as a Service (PaaS): run-time environments, lifecycle management software – Google App Engine, Force.com, Azure
  • Infrastructure as a Service (IaaS): compute resource as a service, hardware & OS abstractions – Amazon EC2, S3
  • Physical Infrastructure
