Cloud security & privacy - org

CLOUD COMPUTING - Dharmalingam S
Note: It's only for studying and knowledge-sharing purposes.

Upload: dharmalingam-s

Posted on 08-Feb-2017

TRANSCRIPT

Page 1: Cloud security & privacy - org

CLOUD COMPUTING - Dharmalingam S

Note: It's only for studying and knowledge-sharing purposes.

Page 2:

CLOUD?

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort.

Page 3:

TRADITIONAL IT vs. CLOUD (comparison diagram; the image is not included in the transcript)

Page 4:

ARCHITECTURAL BLOCK (diagram; the image is not included in the transcript)

Page 5:

BASIC SERVICES (diagram; the image is not included in the transcript)

Page 6:

BUILDING A CLOUD ENVIRONMENT

Heterogeneous system support

Service management

Dynamic workload and resource management

Page 7:

Reliability, availability and security

Integrations with existing data center management tools

Visibility and reporting

The cloud must be a converged infrastructure: it supports DR and elasticity and avoids single points of failure.

There has to be fully automated orchestration of service management and software distribution across the converged infrastructure.

Page 8:

CURRENT CLOUD SETUP: (architecture diagram; the image is not included in the transcript)

Page 9: (diagram slide; no text in the transcript)

Page 10:

CLOUD SECURITY

Data breaches
Mitigation: multi-factor authentication and encryption of data.

Insufficient identity, credential and access management
Weak passwords; identity solutions between the customers; cryptographic keys. Any centralized storage mechanism containing data secrets (e.g. passwords, private keys, a confidential customer contact database) is an extremely high-value target for attackers.

Page 11:

Insecure interfaces and APIs

System vulnerabilities
Kernel, system libraries and application tools put the security of all services and data at significant risk. Bugs are everywhere. Solution: vulnerability scanning, security patches or upgrades. Secure design and architecture can lessen the chances of an attacker taking full control of every part of an information system.

Examples: Heartbleed, Shellshock

Page 12:

Account hijacking
Phishing, fraud, reuse of passwords. Organizations should look to prohibit the sharing of account credentials among users and services. Amazon systems were used to run Zeus botnet nodes.

Malicious insiders

Advanced persistent threats
Spearphishing, direct hacking of systems, delivering attack code through USB devices, penetration through partner networks and use of unsecured or third-party networks are common points of entry for APTs.

Page 13:

Data loss

Insufficient due diligence
A good roadmap and checklist for due diligence when evaluating technologies. An organization that rushes to adopt cloud technologies and chooses CSPs without performing due diligence exposes itself to a myriad of commercial, financial, technical, legal and compliance risks that jeopardize its success. Amazon AWS experienced an outage due to the accidental deletion of information that controls load balancing.

Nirvanix, a cloud storage specialist that hosted data for IBM and Dell, went bankrupt for the above reasons.

Facebook faced issues after acquisitions (M&A).

Denial of service

Shared technology vulnerabilities

Page 14:

PHYSICAL SECURITY

• The elements of physical security are also a key element in ensuring that data center operations and delivery teams can provide continuous and authenticated uptime of greater than 99.9999%.

• Physical access control and monitoring, including 24/7/365 onsite security, biometric hand geometry readers inside "man traps," bullet-resistant walls, concrete bollards, closed-circuit TV (CCTV) integrated video, and silent alarms.

• Environmental controls and backup power

• Policies, processes, and procedures

Page 15:

NETWORK SECURITY

• Denial of service: DNS hacking, routing table "poisoning", XDoS attacks
  o SYN cookies
  o Connection limiting
  o Internal bandwidth maintained

• Port scanning
  o Port scans are a violation of the Acceptable Use Policy (AUP)

• Man-in-the-middle attack: to overcome it, always use SSL

• IP spoofing: spoofing is the creation of TCP/IP packets using somebody else's IP address.
  o Host-based firewall infrastructure
  o The infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.

Page 16:

SECURITY IN THE MIDDLEWARE

It supports security groups, where we can define our own security groups and assign ACLs. The firewall can be configured in groups, permitting different classes of instances to have different rules, for example:

webserver
  HTTP - port 80
  HTTPS - port 443
  SSH - port 22

-- IAM and certificate-based communication between cloud components.
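The slide's security-group idea, as an added example that is not part of the original deck: a default-deny allow-list per instance class (the "webserver" group opens 80 and 443 to everyone but SSH only to an admin subnet), plus a small audit that flags administrative ports exposed to the whole internet. Group names and CIDRs are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    port: int    # destination port the rule opens
    source: str  # CIDR allowed to reach that port


# Security groups are allow-lists: a packet that matches no rule is dropped,
# which is the "default deny" behaviour the slides describe.
# Group names and CIDRs below are constructed for this example.
SECURITY_GROUPS = {
    "webserver": [
        Rule("tcp", 80, "0.0.0.0/0"),      # HTTP from anywhere
        Rule("tcp", 443, "0.0.0.0/0"),     # HTTPS from anywhere
        Rule("tcp", 22, "10.0.1.0/24"),    # SSH only from the admin subnet
    ],
    "database": [
        Rule("tcp", 5432, "10.0.2.0/24"),  # DB port only from the app subnet
    ],
    "legacy": [
        Rule("tcp", 22, "0.0.0.0/0"),      # misconfiguration the audit should catch
    ],
}


def is_allowed(group: str, proto: str, port: int, src_ip: str) -> bool:
    """Evaluate an inbound packet against a security group (default deny)."""
    src = ipaddress.ip_address(src_ip)
    for rule in SECURITY_GROUPS.get(group, []):
        if (rule.proto == proto and rule.port == port
                and src in ipaddress.ip_network(rule.source)):
            return True
    return False  # no matching allow rule: denied


def audit(group: str) -> list:
    """Return rules that expose administrative ports (SSH, RDP) to 0.0.0.0/0."""
    admin_ports = {22, 3389}
    return [r for r in SECURITY_GROUPS.get(group, [])
            if r.port in admin_ports
            and ipaddress.ip_network(r.source).prefixlen == 0]
```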

Page 17:

CREDENTIAL MANAGEMENT

• Access credentials
  o Access keys
  o X.509 certificates
  o Key pairs

• Sign-in credentials
  o Email address (user name) and password
  o Account identifiers

• Account identifiers
  o Account ID
  o Canonical ID

Page 18:

EC2 SECURITY

• Host OS
  o Built on a bastion host
  o Cryptographically strong SSH keys to access the bastion host
  o Accesses are logged and routinely audited

• Guest OS
  o Virtual instances are controlled by the customer
  o Customers have full root access and administrative controls
  o Customers use token- or key-based authentication

Page 19:

EC2 SECURITY (continued)

Firewall: set to default-deny mode; requires the customer's X.509 certificate and keys to authorize a change.

API calls to launch and terminate instances are signed with the X.509 certificate / secret access keys.

API calls are encrypted in transit with SSL.
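A simplified version of the signed-API-call scheme the slide describes, added here as an example and not taken from the deck or from any provider's actual signature algorithm: the client signs the canonical request with its secret access key (HMAC-SHA256), and the server recomputes the signature, rejects tampered or stale (replayed) calls, and compares in constant time. The access key ID and secret are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed credentials for this example; real ones come from the provider's IAM.
SECRETS = {"EXAMPLEACCESSKEY": b"constructed-secret-access-key"}
MAX_SKEW = 300  # seconds; calls outside this window are treated as replays


def canonical_string(params: dict) -> str:
    """Deterministic serialisation (sorted keys) so client and server sign the same bytes."""
    return urlencode(sorted(params.items()))


def sign_request(access_key: str, secret: bytes, action: str,
                 params: dict, ts: int = None) -> dict:
    """Client side: attach access key, timestamp and HMAC-SHA256 signature."""
    req = dict(params, Action=action, AccessKeyId=access_key,
               Timestamp=str(ts if ts is not None else int(time.time())))
    req["Signature"] = hmac.new(secret, canonical_string(req).encode(),
                                hashlib.sha256).hexdigest()
    return req


def verify_request(req: dict, now: int = None) -> bool:
    """Server side: look up the secret, check freshness, recompute and compare."""
    now = int(time.time()) if now is None else now
    secret = SECRETS.get(req.get("AccessKeyId", ""))
    if secret is None:
        return False  # unknown access key
    try:
        ts = int(req.get("Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW:
        return False  # stale or replayed call
    unsigned = {k: v for k, v in req.items() if k != "Signature"}
    expected = hmac.new(secret, canonical_string(unsigned).encode(),
                        hashlib.sha256).hexdigest()
    # constant-time comparison: do not leak which byte of the signature was wrong
    return hmac.compare_digest(expected, req.get("Signature", ""))
```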

Page 20:

SECURITY SOLUTIONS - WHAT WE ACHIEVED

Page 21:

DATA ISOLATION (VM ISOLATION)

All the VMs on the hypervisor communicate via event channels and shared memory within the host. By creating policies at the hypervisor level we can allow/deny the inter-domain communication.

Implemented in the XSM framework, similar to SELinux.

Security label: Object : Role : Type
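An added illustration (not code from the deck) of the label-based, default-deny policy the slide describes: each domain carries a user:role:type label, allow rules are written per type and per object class ("event" for event channels, "grant" for shared-memory grants), and a small audit lists which domains may reach a given VM. Domain names, types and rules are constructed.

```python
# Type-enforcement style policy for inter-domain communication, modelled on the
# XSM/FLASK labels shown on the slide. All names and rules are constructed.
DOMAINS = {
    "dom0":      "system_u:system_r:dom0_t",
    "tenantA-1": "system_u:system_r:tenantA_t",
    "tenantA-2": "system_u:system_r:tenantA_t",
    "tenantB-1": "system_u:system_r:tenantB_t",
}

# (source type, target type, object class, permissions); anything not listed is denied.
ALLOW_RULES = [
    ("dom0_t",    "tenantA_t", "event", {"create", "send"}),
    ("dom0_t",    "tenantB_t", "event", {"create", "send"}),
    ("tenantA_t", "tenantA_t", "event", {"create", "send"}),        # same tenant may talk
    ("tenantA_t", "tenantA_t", "grant", {"map_read", "map_write"}), # and share memory
    ("tenantB_t", "tenantB_t", "event", {"create", "send"}),
]


def type_of(label: str) -> str:
    """Return the type field of a user:role:type security label."""
    _user, _role, typ = label.split(":")
    return typ


def check(source_dom: str, target_dom: str, obj_class: str, perm: str) -> bool:
    """Decide whether source may perform perm on target's obj_class (default deny)."""
    src_t = type_of(DOMAINS[source_dom])
    tgt_t = type_of(DOMAINS[target_dom])
    return any(perm in perms
               for s, t, cls, perms in ALLOW_RULES
               if (s, t, cls) == (src_t, tgt_t, obj_class))


def reachable(target_dom: str, obj_class: str, perm: str) -> list:
    """Isolation audit: which domains are allowed to reach target_dom this way."""
    return [d for d in DOMAINS if check(d, target_dom, obj_class, perm)]
```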

Page 22:

DIGITAL CERTIFICATE LOGIN

It prevents account hijacking.

Every user is issued a digital certificate approved by a CA.

Digital certificates have a private key, public key, name, unique serial number, etc.

User certificates are verified in LDAP to allow/deny the user.

Page 23:

RBAC

• Role-based access control
• Individual roles will be assigned to the user
• Based on the roles, policies are written
• We can create groups also

Example: normal users are not allowed to create VMs; they are only allowed to make a request.

Page 24:

LOG MANAGEMENT ENGINE

Real-time log correlation engine, able to find the error within a few seconds. We achieved this using logstash + Elasticsearch + Kibana3. Web applications are also available. We can easily search the logs based on time and text.

Page 25:

PRIVACY

It is less a technical issue and more a policy and legal issue. Policies have to empower people to control the collection, use and distribution of their personal information.

Page 26:

THINGS TO CONSIDER: notice, choice, onward transfer, security, data integrity, access, enforcement

Page 27:

PRIVACY BY DESIGN: data minimization, controllability, transparency, user-friendly systems, data confidentiality, data quality, use limitation