Cloudy Security - PowerPoint PPT Presentation
Presentation Transcript
Cloudy Security

Kia Manoochehri

  • Background
  • Threat Classification
    • Traditional Threats
    • Availability of cloud services
    • Third-Party Control
  • The “Notorious Nine”
  • Contractual Obligations
What is “security”?
  • Security: “freedom from risk and danger”
  • In Computer Science we define security as…
    • “the ability of a system to protect information and system resources with respect to confidentiality and integrity”
What is “security”?
  • Three core areas
    • Confidentiality
    • Integrity
    • Authentication
What is “security”?
  • Some other security concepts
    • Access Control
    • Nonrepudiation
    • Availability
    • Privacy
  • Cloud Service Providers (CSP) provide a “target rich environment”
  • Consolidation of information draws potential attackers
  • Potential problematic areas in the field of Cloud Computing aren’t transparent.
Threat Classification
  • Three broad classifications
    • Traditional Threats
    • Availability Threats
    • Third-Party Control Threats
Traditional Threats (User)
  • Any time a computer is connected to the internet it is at risk…
    • Cloud-based applications amplify these threats
  • Question of responsibility
    • User vs Provider
Traditional Threats (User)
  • Authorization and Authentication
    • Individual access vs enterprise access
  • One solution would be to have tiered access
    • Not every user is created equal!
Traditional Threats (Cloud)
  • Distributed Denial of Service attacks (DDoS)
  • SQL Injection
  • Phishing
  • Cross-Site Scripting
Traditional Threats (Cloud)
  • Digital forensics cannot be applied to the cloud
    • Difficult to trace where an attack originates
  • Virtual Machine vulnerabilities extend to the cloud as well
Availability Threats
  • System failures
    • Amazon’s Elastic Compute Cloud (EC2) in Northern Virginia went down due to lightning.
      • Netflix, Instagram, and Pinterest were down for at least a few hours.
Third Party Control Threats
  • Problem stems from CSP outsourcing certain aspects of their operation
    • How does this affect
  • Introduces more points of entry and vulnerability to the Cloud
“The Notorious Nine”
  • In 2010 the Cloud Security Alliance (CSA) defined seven major threats to Cloud Computing
  • In February 2013 the CSA published its “Notorious Nine” list
    • Nine major threats in Cloud Computing
“The Notorious Nine”
  • Data Breaches
    • Currently the biggest threat
    • The solution is encryption… but
      • What if you lose the key?
    • Backing up the data is not viable either
  • Example: Epsilon
“The Notorious Nine”
  • Data Loss
    • Malicious deletion
    • Accidental deletion by CSP
    • Physical catastrophe
    • Loss of the encryption key
  • Compliance policies require audit records
  • Example: Mat Honan
“The Notorious Nine”
  • Account/Service Hijacking
    • Phishing, fraud, software exploits
    • Organizations should be proactive
    • Two-Factor authentication
  • Example: XSS attack on Amazon
“The Notorious Nine”
  • Insecure Interfaces and APIs
    • Any vulnerability in an API bleeds over into the services built on it
    • Can affect both security and availability
    • Responsibility partially falls on the consumer
“The Notorious Nine”
  • Denial of Service
    • From the user end… most frustrating
    • Can cost cloud users $$$
    • Makes the user doubt the cloud
“The Notorious Nine”
  • Malicious Insiders
    • Straightforward
    • Systems that depend only on the CSP for security are at greatest risk
    • Even if data-in-use encryption is used, the data is still vulnerable during storage
“The Notorious Nine”
  • Abuse of Cloud Services
    • Using CSP for malicious purpose
    • Hacking encryption keys via cloud
    • DDoS attacks via cloud
    • Problems of detection arise
“The Notorious Nine”
  • Insufficient Due Diligence
    • Insufficient user experience
    • Unknown levels of risk when using CSP
    • Design and architecture issues for devs
    • Countered by:
      • Capable resources
      • Extensive internal understanding of risks
“The Notorious Nine”
  • Shared Technology Vulnerabilities
    • CPU caches and GPUs are not designed to be isolated
    • A single vulnerability can lead to an entire environment being compromised
    • Buffer Overflow
    • SQL Injection
    • Privilege escalation
    • DDoS attacks
    • SSL Certificate spoofing
    • Attacks on browser caches
    • Phishing attacks
    • Limiting resources
    • Privilege-related attacks
    • Data Distortion
    • Injecting additional operations

Contractual Obligations
  • Goal is to minimize the security risks
  • Contract between the CSP and user should:
    • State the CSP’s obligations to handle sensitive information securely and its compliance with privacy laws
    • Spell out CSP liability for mishandling information
    • Spell out CSP liability for data loss
    • Spell out rules governing ownership of data
    • Specify the geographical regions where information and backups can be stored.