cloud security privacy- org
TRANSCRIPT
CLOUD COMPUTING- Dharmalingam S
Note: It's only for studying and knowledge sharing purposes.
CLOUD?
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort.
TRADITIONAL IT CLOUD
ARCHITECTURAL BLOCK
BASIC SERVICES
BUILDING CLOUD ENVIRONMENT
• Heterogeneous system support
• Service management
• Dynamic workload and resource management
• Reliability, availability and security
• Integrations with existing data center management tools
• Visibility and reporting
• The cloud must be a converged infrastructure – supports DR and elasticity, avoids single points of failure.
• There has to be fully automated orchestration of service management and software distribution across the converged infrastructure.
CURRENT CLOUD SETUP:
CLOUD SECURITY
• Data breaches: multi-factor authentication and encryption of data.
• Insufficient identity, credential and access management: weak passwords, identity solutions between the customers, cryptographic keys. Any centralized storage mechanism containing data secrets (e.g. passwords, private keys, a confidential customer contact database) is an extremely high-value target for attackers.
• Insecure interfaces and APIs
• System vulnerabilities: bugs in the kernel, system libraries and application tools put the security of all services and data at significant risk. Bugs are everywhere. Solution: vulnerability scanning, security patches or upgrades. Secure design and architecture can lessen the chances of an attacker taking full control of every part of an information system. Examples: Heartbleed, Shellshock.
• Account hijacking: phishing, fraud, reuse of passwords. Organizations should look to prohibit the sharing of account credentials between users and services. Amazon systems were used to run Zeus botnet nodes.
• Malicious insiders
• Advanced persistent threats: spearphishing, direct hacking of systems, delivering attack code through USB devices, penetration through partner networks and use of unsecured or third-party networks are common points of entry for APTs.
• Data loss
• Insufficient due diligence: have a good roadmap and checklist for due diligence when evaluating technologies. An organization that rushes to adopt cloud technologies and chooses CSPs without performing due diligence exposes itself to a myriad of commercial, financial, technical, legal and compliance risks that jeopardize its success. Amazon AWS experienced an outage due to accidental deletion of information that controls load balancing. Nirvanix, a cloud storage specialist that hosted data for IBM and Dell, went bankrupt for the above reasons. Facebook faced issues after M&A.
• Denial of service
• Shared technology vulnerabilities
PHYSICAL SECURITY
• The elements of physical security are also a key element in ensuring that data center operations and delivery teams can provide continuous and authenticated uptime of greater than 99.9999%.
• Physical access control and monitoring, including 24/7/365 onsite security, biometric hand geometry readers inside “man traps,” bullet-resistant walls, concrete bollards, closed-circuit TV (CCTV) integrated video, and silent alarms.
• Environmental controls and backup power
• Policies, processes, and procedures
NETWORK SECURITY
• Denial of Service: DNS hacking, routing table “poisoning”, XDoS attacks
  o SYN cookies
  o Connection limiting
  o Internal bandwidth maintained
• Port scanning
  o Port scans are a violation of the Acceptable Use Policy (AUP)
• Man in the middle attack: to overcome it, always use SSL
• IP spoofing: spoofing is the creation of TCP/IP packets using somebody else's IP address.
  o Host-based firewall infrastructure
  o The infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
SECURITY IN THE MIDDLEWARE
It supports security groups, where we can define our own security groups and assign ACLs. The firewall can be configured per group, permitting different classes of instances to have different rules, for example:
webserver
  HTTP – port 80
  HTTPS – port 443
  SSH – port 22
-- IAM and certificate-based communication between cloud components.
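The group-based, default-deny firewall described on this slide and on the EC2 security slide, as an added Python illustration (not AWS's or the author's code): two constructed security groups, a webserver class that opens HTTP/HTTPS to everyone and SSH only to an assumed admin range, and a database class reachable only from the web tier. Group names, ports and address ranges are assumptions.

```python
"""Default-deny security-group evaluation (added illustration, not AWS code).

Instances are assigned to security groups, each group carries its own allow
rules, and anything not explicitly allowed is denied. Group names, ports and
the admin CIDR below are constructed examples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp" or "udp"
    port_from: int
    port_to: int
    source: str      # CIDR the traffic may originate from

    def matches(self, proto, port, src_ip):
        return (self.proto == proto
                and self.port_from <= port <= self.port_to
                and ip_address(src_ip) in ip_network(self.source))


# Constructed groups: a webserver class and a database class of instances.
SECURITY_GROUPS = {
    "webserver": [
        Rule("tcp", 80, 80, "0.0.0.0/0"),        # HTTP from anywhere
        Rule("tcp", 443, 443, "0.0.0.0/0"),      # HTTPS from anywhere
        Rule("tcp", 22, 22, "203.0.113.0/24"),   # SSH only from the admin range
    ],
    "database": [
        Rule("tcp", 3306, 3306, "10.0.1.0/24"),  # MySQL only from the web tier
    ],
}

# Constructed instance-to-group assignment.
INSTANCE_GROUPS = {"web-1": ["webserver"], "db-1": ["database"]}


def is_allowed(instance, proto, port, src_ip):
    """True only if a rule of a group attached to the instance matches;
    unknown instances and unmatched packets fall through to deny."""
    for group in INSTANCE_GROUPS.get(instance, []):
        for rule in SECURITY_GROUPS.get(group, []):
            if rule.matches(proto, port, src_ip):
                return True
    return False
```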
CREDENTIAL MANAGEMENT
• Access Credentials
  o Access Keys
  o X.509 certificates
  o Key pairs
• Sign-In Credentials
  o Email Address (User Name) and Password
  o Account Identifiers
• Account Identifiers
  o Account ID
  o Canonical ID
EC2 SECURITY
• Host OS
  o Built on a bastion host
  o Cryptographically strong SSH keys to access the bastion host
  o Access is logged and routinely audited
• Guest OS
  o Virtual instances are controlled by the customer
  o Customers have full root access and administrative controls
  o Customers use token- or key-based authentication
EC2 SECURITY
• Firewall: set with default deny mode. Requires the customer's X.509 certificate and keys to authorize changes.
• API calls to launch and terminate instances are signed by X.509 certificate / secret access keys.
• API calls are encrypted in transit with SSL.
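A simplified illustration, added here and not the page's or AWS's own signature algorithm, of what signing an API call with a secret access key buys the API side: the server recomputes an HMAC over a canonical form of the call, so a modified parameter, an unknown key id or a stale timestamp is rejected. Key id, secret and clock values are constructed.

```python
"""Signed API calls with a secret access key (added illustration).

A simplified request-signing scheme in the spirit of the slides: the caller
holds an access key id plus a secret; the API recomputes the HMAC and
rejects anything whose signature or timestamp does not check out. This is
not AWS's own signature algorithm; key ids, secrets and clock values are
constructed."""
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed credential store as held on the API side.
SECRETS = {"AKIAEXAMPLE": b"constructed-secret-access-key"}
MAX_SKEW = 300  # seconds a signed request stays valid (replay window)


def canonical_string(method, path, params, timestamp):
    """Deterministic representation of the call that both sides agree on."""
    query = urlencode(sorted(params.items()))
    return f"{method}\n{path}\n{query}\n{timestamp}"


def sign_request(key_id, secret, method, path, params, timestamp):
    """Client side: return the params plus the authentication fields."""
    msg = canonical_string(method, path, params, timestamp).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return dict(params, AccessKeyId=key_id, Timestamp=timestamp, Signature=sig)


def verify_request(method, path, signed, now):
    """API side: accept only if the key is known, the timestamp is fresh and
    the signature equals the HMAC we compute with the secret we hold."""
    signed = dict(signed)
    key_id = signed.pop("AccessKeyId", None)
    timestamp = signed.pop("Timestamp", None)
    sig = signed.pop("Signature", None)
    secret = SECRETS.get(key_id)
    if secret is None or timestamp is None or sig is None:
        return False
    if abs(now - int(timestamp)) > MAX_SKEW:
        return False  # stale or replayed request
    msg = canonical_string(method, path, signed, timestamp).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison
```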
SECURITY SOLUTIONS - WHAT WE ACHIEVED
DATA ISOLATION (VM ISOLATION)
All the VMs on the hypervisor communicate via event channels and shared memory within the host. By creating policies at the hypervisor level we can allow/deny the inter-domain communication. Implemented in the XSM framework, similar to SELinux.
Security label: Object : Role : Type
DIGITAL CERTIFICATE LOGIN
It prevents account hijacking. Every user is issued a digital certificate approved by a CA. Digital certificates have a private key, public key, name, unique serial number, etc. User certificates are verified in LDAP to allow/deny the user.
• Role Based Access Control
• Individual roles are assigned to the user
• Policies are written based on the roles
• We can also create groups
Example: normal users are not allowed to create VMs; they are only allowed to make a request.
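The slide's RBAC example worked through in Python (added illustration, not the project's code): users inherit roles through groups, policies grant actions to roles, and a user with only the normal_user role can queue a VM request but not create one. Role, group and user names are assumed.

```python
"""Role-based access control check (added illustration, not the project's code).
Users get roles directly or through groups, policies grant actions to roles,
and anything not granted is denied. Mirrors the slide's example: a normal user
may only request a VM, while an operator may create one. Names are constructed."""

# Constructed policies: role -> actions it may perform.
ROLE_POLICIES = {
    "normal_user": {"vm:request", "vm:list"},
    "operator": {"vm:create", "vm:start", "vm:stop", "vm:list"},
    "auditor": {"vm:list", "log:read"},
}

# Constructed groups: each group bundles a set of roles.
GROUP_ROLES = {
    "staff": {"normal_user"},
    "infra": {"operator"},
    "security": {"auditor"},
}

# Constructed users: direct roles plus group memberships.
USERS = {
    "alice": {"roles": set(), "groups": {"staff"}},
    "bob": {"roles": {"auditor"}, "groups": {"infra"}},
}


def effective_roles(user):
    """Direct roles plus the roles of every group the user belongs to."""
    record = USERS.get(user)
    if record is None:
        return set()
    roles = set(record["roles"])
    for group in record["groups"]:
        roles |= GROUP_ROLES.get(group, set())
    return roles


def is_permitted(user, action):
    """Default deny: allowed only if one of the user's roles grants the action."""
    return any(action in ROLE_POLICIES.get(role, set())
               for role in effective_roles(user))


def request_or_create_vm(user):
    """The slide's scenario: create if permitted, otherwise only queue a request."""
    if is_permitted(user, "vm:create"):
        return "created"
    if is_permitted(user, "vm:request"):
        return "request queued for approval"
    return "denied"
```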
RBAC
LOG MANAGEMENT ENGINE
Real-time log correlation engine, able to find the error within seconds. We achieved this using logstash + Elasticsearch + Kibana3. A web application is also available. We can easily search the logs based on time and text.
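A small added stand-in for the time-and-text search and error correlation that the slide achieves with logstash, Elasticsearch and Kibana (illustration only, not the author's setup): it parses constructed log lines into timestamped records, answers a time-window plus text query, and clusters ERROR events from several hosts that fall within a few seconds of each other.

```python
"""Time-and-text log search plus error correlation (added illustration).
A small stand-in for what the slides achieve with logstash + Elasticsearch +
Kibana. The log lines and host names below are constructed."""
from datetime import datetime, timedelta, timezone
import re

LINE = re.compile(r"^(\S+) (\S+) (\w+) (.*)$")  # timestamp host level message

SAMPLE_LOGS = """\
2024-05-01T10:00:01Z web-1 INFO GET /login 200
2024-05-01T10:00:03Z web-1 ERROR upstream timeout connecting to db-1:3306
2024-05-01T10:00:04Z db-1 ERROR too many connections
2024-05-01T10:00:09Z web-2 ERROR upstream timeout connecting to db-1:3306
2024-05-01T10:05:00Z web-1 INFO GET /login 200
"""

def ts(text):
    """Parse the ISO-8601 UTC timestamps used in the sample lines."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse(raw):
    """Raw lines -> dicts with a real datetime; unparsable lines are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE.match(line)
        if m:
            when, host, level, msg = m.groups()
            events.append({"time": ts(when), "host": host, "level": level, "msg": msg})
    return events

def search(events, start, end, text):
    """Events between start and end (ISO strings) whose message contains text."""
    lo, hi = ts(start), ts(end)
    return [e for e in events
            if lo <= e["time"] <= hi and text.lower() in e["msg"].lower()]

def correlate_errors(events, window_seconds=10):
    """Cluster ERROR events within window_seconds of each cluster's first event
    and return each cluster's sorted hosts; several hosts in one cluster point
    at a shared cause (here the db-1 connection limit)."""
    errors = sorted((e for e in events if e["level"] == "ERROR"), key=lambda e: e["time"])
    clusters, current = [], []
    for e in errors:
        if current and e["time"] - current[0]["time"] > timedelta(seconds=window_seconds):
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return [sorted({e["host"] for e in c}) for c in clusters]
```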
PRIVACY
It is less a technical issue and more a policy and legal issue. Policies have to empower people to control the collection, use and distribution of their personal information.
THINGS TO CONSIDER: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, Enforcement
PRIVACY BY DESIGN: Data minimization, Controllability, Transparency, User-friendly systems, Data confidentiality, Data quality, Use limitation
END USER COMPUTING
REFERENCES: For Cloud Standards:
http://www.nist.gov/itl/cloud/upload/NIST_SP-500-291_Version-2_2013_June18_FINAL.pdf