Cloudy Security - PowerPoint PPT Presentation

Presentation Transcript

Cloudy Security

Kia Manoochehri

Outline
  • Background
  • Threat Classification
    • Traditional Threats
    • Availability of cloud services
    • Third-Party Control
  • The “Notorious Nine”
  • Contractual Obligations
What is “security”?
  • Security: “freedom from risk and danger”
  • In Computer Science we define security as…
    • “the ability of a system to protect information and system resources with respect to confidentiality and integrity”
What is “security”?
  • Three core areas
    • Confidentiality
    • Integrity
    • Authentication
    • (The commonly cited CIA triad names Availability, not Authentication, as the third core property; this deck lists availability with the other concepts on the next slide.)
What is “security”?
  • Some other security concepts
    • Access Control
    • Nonrepudiation
    • Availability
    • Privacy
Background
  • Cloud Service Providers (CSPs) present a “target rich environment”
  • Consolidating many customers’ information in one place draws potential attackers
  • The problem areas in cloud computing are not transparent to customers: the provider’s internal controls and incidents are largely invisible to them
Threat Classification
  • Three broad classifications
    • Traditional Threats
    • Availability Threats
    • Third-Party Control Threats
Traditional Threats (User)
  • Any computer connected to the Internet is at risk…
    • Cloud-based applications amplify these threats: the same weaknesses are exposed over the network, at scale, to every tenant
  • Question of responsibility
    • User vs. provider: which party owns each control?
Traditional Threats (User)
  • Authorization and Authentication
    • Individual access vs. enterprise access: one person with one password is a different problem from an organization with many users and roles
  • One solution is tiered access
    • Not every user is created equal: grant each role only the privileges it needs
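The tiered-access idea on this slide, worked out as an added example that is not code from the original deck: roles are tiers of permissions, the decision is deny-by-default, and, because the cloud is multi-tenant, the tenant boundary is checked before any role is consulted. The role names, action names and sample users are assumptions made for illustration.

```python
"""Tiered (role-based) access control for a multi-tenant cloud storage API.

Added example for the "tiered access" slide; it is not code from the original
deck. The roles, the action names and the sample users are assumptions made
for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set

# Each tier lists every action it is allowed; nothing is implied. A role not
# present here grants nothing (fail closed).
ROLE_PERMISSIONS = {
    "viewer": {"object:read"},
    "editor": {"object:read", "object:write"},
    "admin": {"object:read", "object:write", "object:delete", "bucket:configure"},
}


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    tenant: str
    kind: str  # "object" or "bucket"
    name: str


def permissions_for(user: User) -> Set[str]:
    """Union of the permissions of every role the user holds."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: User, resource: Resource, action: str) -> bool:
    """Deny by default: the tenant must match and a role must list the action.

    The tenant check comes first so that an 'admin' of one tenant is still an
    outsider to every other tenant; role tiers only apply inside a tenant.
    """
    if user.tenant != resource.tenant:
        return False
    return f"{resource.kind}:{action}" in permissions_for(user)


def authorize(user: User, resource: Resource, action: str, audit: List[str]) -> bool:
    """Make the decision and record it; every decision, allow or deny, is logged."""
    decision = is_allowed(user, resource, action)
    audit.append(
        f"{'ALLOW' if decision else 'DENY'} user={user.name} tenant={user.tenant} "
        f"action={resource.kind}:{action} target={resource.tenant}/{resource.name}"
    )
    return decision


# Constructed sample data (not from the original slides).
ALICE = User("alice", "acme", frozenset({"viewer"}))
BOB = User("bob", "acme", frozenset({"editor"}))
ROOT = User("root", "acme", frozenset({"admin"}))
EVE = User("eve", "globex", frozenset({"admin"}))  # admin, but of another tenant
ACME_REPORT = Resource("acme", "object", "q3-report.pdf")
ACME_BUCKET = Resource("acme", "bucket", "reports")


def demo() -> List[str]:
    """Run a few decisions and return the audit trail."""
    log: List[str] = []
    authorize(ALICE, ACME_REPORT, "read", log)
    authorize(ALICE, ACME_REPORT, "write", log)
    authorize(BOB, ACME_REPORT, "write", log)
    authorize(ROOT, ACME_BUCKET, "configure", log)
    authorize(EVE, ACME_REPORT, "read", log)
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The audit list is the part that matters for the "question of responsibility" on the previous slide: whoever runs this code, user or provider, has a record of who was allowed to do what, which is exactly the evidence that is hard to get from a CSP after the fact.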
Traditional Threats (Cloud)
  • Distributed Denial of Service attacks (DDoS)
  • SQL Injection
  • Phishing
  • Cross-Site Scripting
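Two of the four threats on this slide, SQL injection and cross-site scripting, are shown below in the vulnerable form beside the fix. This is an added example, not code from the original deck; the table, its two rows and the attack strings are constructed for illustration. The point of the first pair is that a parameterised query binds the input as data, so the tautology never becomes SQL; the point of the second is that the same output-encoding discipline (escape at the point where text meets HTML) closes reflected XSS.

```python
"""SQL injection and cross-site scripting: the vulnerable form beside the fix.

Added example for the "Traditional Threats (Cloud)" slide; it is not code from
the original deck. The table, the rows and the attack strings are constructed
for illustration.
"""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for a tenant's user directory (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by string formatting: the caller's input becomes SQL."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver binds `name` as data, never as SQL."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


def greeting_vulnerable(name: str) -> str:
    """Reflects input straight into HTML: a script tag in `name` runs in the viewer's browser."""
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name: str) -> str:
    """Escapes &, <, >, \" and ' before the text is placed inside HTML."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Constructed attack strings (not from the original slides).
SQLI_PAYLOAD = "nobody' OR '1'='1"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def demo() -> dict:
    """Run both payloads through the vulnerable and the fixed code paths."""
    conn = build_db()
    return {
        "sqli_vulnerable": lookup_vulnerable(conn, SQLI_PAYLOAD),  # leaks every row
        "sqli_safe": lookup_safe(conn, SQLI_PAYLOAD),              # no user has that name
        "xss_vulnerable": greeting_vulnerable(XSS_PAYLOAD),        # script tag intact
        "xss_safe": greeting_safe(XSS_PAYLOAD),                    # rendered as text
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Python's sqlite3 refuses a second statement in one `execute()` call, so the classic `'; DROP TABLE` form fails here for an incidental reason; the `OR '1'='1'` tautology is the honest demonstration, and it is enough to dump the whole table.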
Traditional Threats (Cloud)
  • Traditional digital forensics is hard to apply in the cloud
    • The customer has no physical access to disks or hosts, and shared, short-lived infrastructure makes it difficult to trace where an attack came from
  • Hypervisor and virtual machine vulnerabilities carry over to the cloud as well
Availability Threats
  • System failures
    • http://www.forbes.com/sites/anthonykosner/2012/06/30/amazon-cloud-goes-down-friday-night-taking-netflix-instagram-and-pinterest-with-it/
    • Amazon’s Elastic Compute Cloud (EC2) region in Northern Virginia went down due to lightning.
      • Netflix, Instagram, and Pinterest were down for at least a few hours.
Third-Party Control Threats
  • The problem stems from the CSP outsourcing parts of its own operation to other parties
    • How does this affect
  • Each subcontractor introduces more points of entry and more vulnerabilities into the cloud
“The Notorious Nine”
  • In 2010 the Cloud Security Alliance (CSA) defined seven major threats to cloud computing
  • In February 2013 it published the “Notorious Nine” list
    • Nine major threats in cloud computing
“The Notorious Nine”
  • Data Breaches
    • Currently the biggest threat
    • The usual answer is encryption… but
      • What if you lose the key? Encrypted data with no key is lost data
    • Keeping extra backups to guard against key loss is not a clean fix either: every additional copy widens the exposure to a breach
  • Example: Epsilon (the 2011 breach of the email-marketing firm exposed customer lists belonging to many of its clients)
“The Notorious Nine”
  • Data Loss
    • Malicious deletion
    • Accidental deletion by the CSP
    • Physical catastrophe
    • Loss of the encryption key
  • Compliance policies require audit records to be retained, so losing them is itself a compliance failure
  • Example: Mat Honan (2012: attackers social-engineered Amazon and Apple support to hijack his accounts and remotely wipe his devices)
“The Notorious Nine”
  • Account/Service Hijacking
    • Phishing, fraud, software exploits and reused passwords let an attacker take over a tenant’s account
    • Organizations should be proactive: prohibit credential sharing and monitor for unauthorized activity
    • Two-factor authentication raises the bar considerably
  • Example: XSS attack on Amazon
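The second factor this slide recommends, as an added example that is not code from the original deck: a time-based one-time password (RFC 6238, built on the RFC 4226 HOTP construction), with the verifier-side checks a practitioner needs and that toy implementations usually omit: a small drift window, replay rejection of an already-used counter, and a constant-time comparison. The secret is the RFC 6238 test-vector key, chosen so the output can be checked against the RFC; a real deployment generates a random per-user secret.

```python
"""Second factor against account hijacking: TOTP (RFC 6238) on top of HOTP (RFC 4226).

Added example for the "Account/Service Hijacking" slide; it is not code from
the original deck. The secret below is the RFC 6238 SHA-1 test-vector key so
the codes can be checked against the RFC; a real deployment generates a
random per-user secret and protects it like a password hash.
"""
import hashlib
import hmac
import struct
from typing import Optional

DEFAULT_STEP = 30  # seconds per time step, as in common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HMAC-based one-time password with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = DEFAULT_STEP, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step, digits, algo)


def verify_totp(secret: bytes, code: str, now: int, last_counter: int = -1,
                window: int = 1, step: int = DEFAULT_STEP, digits: int = 6) -> Optional[int]:
    """Verifier side. Returns the accepted counter, or None.

    - tolerates +/- `window` steps of clock drift between phone and server;
    - refuses any counter <= `last_counter`, so a code seen once cannot be
      replayed inside the drift window (the caller persists the returned counter);
    - compares in constant time so the check does not leak how many digits matched.
    """
    base = int(now) // step
    for delta in range(-window, window + 1):
        candidate = base + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


RFC6238_SECRET = b"12345678901234567890"  # SHA-1 test-vector key, RFC 6238 appendix B


if __name__ == "__main__":
    t = 59
    code = totp(RFC6238_SECRET, t)
    accepted = verify_totp(RFC6238_SECRET, code, t)
    print(f"code at t={t}: {code}, accepted counter: {accepted}")
    print("replay:", verify_totp(RFC6238_SECRET, code, t, last_counter=accepted))
```

Storing the last accepted counter per user is what turns "something you have" into a one-time credential: without it, a phished code is still good for the whole drift window.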
“The Notorious Nine”
  • Insecure Interfaces and APIs
    • Any vulnerability in the CSP’s management or service API bleeds over into every customer built on it
    • Can affect both security and availability
    • Responsibility partially falls on the consumer, who must understand the API’s security model (authentication, access control, encryption) before building on it
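What "understanding the API's security model" looks like on the consumer side, as an added example that is not code from the original deck and not any particular provider's scheme, although the shape (key id, timestamp, HMAC over a canonical request) is the one cloud management APIs commonly use: the client signs each call, and the server re-derives the signature, rejects stale or future-dated requests, and fails closed on every error. The header names, key table and sample request are assumptions made for illustration.

```python
"""HMAC-signed API requests with a freshness window (client and server side).

Added example for the "Insecure Interfaces and APIs" slide; it is not code from
the original deck and not any provider's real scheme. Header names, the key
table and the sample request are assumptions made for illustration.
"""
import hashlib
import hmac
from typing import Dict, Optional

MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is older or newer than this


def canonical_request(method: str, path: str, timestamp: int, key_id: str, body: bytes) -> bytes:
    """Fixed, unambiguous serialisation of everything the signature must cover."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), key_id, body_hash]).encode()


def sign_request(secret: bytes, key_id: str, method: str, path: str,
                 body: bytes, timestamp: int) -> Dict[str, str]:
    """Client side: returns the headers to attach to the request."""
    msg = canonical_request(method, path, timestamp, key_id, body)
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": sig}


def verify_request(keys: Dict[str, bytes], method: str, path: str, body: bytes,
                   headers: Dict[str, str], now: int) -> Optional[str]:
    """Server side: returns the authenticated key id, or None if anything fails.

    Every failure returns the same None so a probing client learns nothing
    about which check tripped.
    """
    key_id = headers.get("X-Key-Id", "")
    secret = keys.get(key_id)
    if secret is None:
        return None
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None  # stale or future-dated: a replay, or a badly wrong clock
    expected = hmac.new(secret, canonical_request(method, path, ts, key_id, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return None
    return key_id


# Constructed key table and request (not from the original slides).
KEYS = {"key-tenant-a": b"correct horse battery staple"}
SAMPLE_BODY = b'{"instance":"i-0123","action":"terminate"}'


def demo(now: int = 1_700_000_000) -> Dict[str, Optional[str]]:
    """Sign one request, then verify it and four tampered or replayed variants."""
    key_id = "key-tenant-a"
    headers = sign_request(KEYS[key_id], key_id, "POST", "/v1/instances", SAMPLE_BODY, now)
    forged = dict(headers, **{"X-Signature": "0" * 64})
    return {
        "genuine": verify_request(KEYS, "POST", "/v1/instances", SAMPLE_BODY, headers, now + 10),
        "body_tampered": verify_request(KEYS, "POST", "/v1/instances", SAMPLE_BODY + b" ", headers, now + 10),
        "path_swapped": verify_request(KEYS, "POST", "/v1/volumes", SAMPLE_BODY, headers, now + 10),
        "replayed_late": verify_request(KEYS, "POST", "/v1/instances", SAMPLE_BODY, headers, now + 3600),
        "forged_signature": verify_request(KEYS, "POST", "/v1/instances", SAMPLE_BODY, forged, now + 10),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {'accepted as ' + result if result else 'rejected'}")
```

The timestamp bounds the replay window but does not eliminate it; a server that must reject the same request twice inside five minutes additionally records recently seen signatures, which is a deliberate omission here.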
“The Notorious Nine”
  • Denial of Service
    • From the user’s end… the most frustrating threat: the service simply stops responding
    • Can cost cloud users real money: pay-as-you-go billing means the victim pays for the compute and bandwidth the attack consumes
    • Makes the user doubt the cloud
“The Notorious Nine”
  • Malicious Insiders
    • Straightforward: an employee or contractor of the CSP abuses legitimate access
    • Systems that depend only on the CSP for security are at greatest risk
    • Even when data is encrypted, if the keys are held by the CSP and available whenever the data is used, an insider can still reach the data at rest
“The Notorious Nine”
  • Abuse of Cloud Services
    • Using the CSP’s resources for malicious purposes
    • Renting compute to brute-force encryption keys
    • Launching DDoS attacks from cloud instances
    • Detection is hard: abuse looks like ordinary customer workload
“The Notorious Nine”
  • Insufficient Due Diligence
    • Organizations adopt the cloud without enough experience of it
    • Unknown levels of risk when relying on a CSP
    • Design and architecture issues for developers who assume the cloud behaves like on-premises infrastructure
    • Countered by:
      • Capable resources
      • Extensive internal understanding of the risks before signing up
“The Notorious Nine”
  • Shared Technology Vulnerabilities
    • CPU caches, GPUs and other shared components were not designed for strong isolation between tenants
    • A single vulnerability in the shared layer (for example the hypervisor) can lead to an entire environment being compromised
  • Buffer Overflow
  • SQL Injection
  • Privilege escalation
  • DDoS attacks
  • SSL Certificate spoofing
  • Attacks on browser caches
  • Phishing attacks
  • Limiting resources
  • Privilege-related attacks
  • Data Distortion
  • Injecting additional operations

Contractual Obligations
  • Goal is to minimize the security risks
  • Contract between the CSP and user should:
    • State the CSP’s obligations to handle sensitive information securely and its compliance with privacy laws
    • Spell out CSP liability for mishandling information
    • Spell out CSP liability for data loss
    • Spell out rules governing ownership of data
    • Specify the geographical regions where information and backups can be stored