Cara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro Manfredi

alessandro@filerock.com

Alessandro Manfredi

Hey Cloud,it’s the user calling,he says he wants the security back

The images used in this presentation are covered by different licenses, see the “Images Licenses” at the end of the deck.

1. Cloud computing in a nutshell2. About cloud security

• Guarantees provided by cloud services• Assumptions customers might regret

3. Focus on data security• Data integrity check techniques• The FileRock solution• Demo

alessandro@filerock.comAlessandro Manfredi

Agenda

1. Cloud computing in a nutshell2. About cloud security

• Guarantees provided by cloud services• Assumptions customers might regret

3. Focus on data security• Data integrity check techniques• The FileRock solution• Demo

Agenda

spoiler:not many

Cloud Computing - What

Countless definitions and categories...

Cloud Computing - What

On demand

Scalable

Cost-effective

etc. etc.

Countless definitions and categories...

Cloud Computing - How

How?Shared infrastructure

Automatedprovisioning

Consolidated hardware

Remoteadministration

Hey, we manage these stuff from remote!

So what about security?

“The cloud is built on trust”-- random.choice(cloud_enthusiasts)

THE SERVICE OFFERINGS ARE PROVIDED “AS IS.” WE AND OUR AFFILIATES AND LICENSORS MAKE NO

REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR

OTHERWISE REGARDING THE SERVICE OFFERINGS OR THE THIRD PARTY CONTENT, INCLUDING ANY

WARRANTY THAT THE SERVICE OFFERINGS OR THIRD PARTY CONTENT WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, OR THAT

ANY CONTENT, INCLUDING YOUR CONTENT OR THE THIRD PARTY CONTENT, WILL BE SECURE

OR NOT OTHERWISE LOST OR DAMAGED. EXCEPT TO THE EXTENT PROHIBITED BY LAW, WE AND OUR AFFILIATES AND LICENSORS DISCLAIM ALL WARRANTIES [...]

THE SERVICE OFFERINGS ARE PROVIDED “AS IS.” WE AND OUR AFFILIATES AND LICENSORS MAKE NO

REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR

OTHERWISE REGARDING THE SERVICE OFFERINGS OR THE THIRD PARTY CONTENT, INCLUDING ANY

WARRANTY THAT THE SERVICE OFFERINGS OR THIRD PARTY CONTENT WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, OR THAT

ANY CONTENT, INCLUDING YOUR CONTENT OR THE THIRD PARTY CONTENT, WILL BE SECURE

OR NOT OTHERWISE LOST OR DAMAGED. EXCEPT TO THE EXTENT PROHIBITED BY LAW, WE AND OUR AFFILIATES AND LICENSORS DISCLAIM ALL WARRANTIES [...]

Source: https://aws.amazon.com/agreement/

..do not blame them, it’s common to the ToS of most of the service providers! E.g., see:

• https://www.rackspace.com/information/legal/cloud/tos

• https://developers.google.com/appengine/terms

“The big guys probably handle security better than how you could

do on premise”

“The big guys probably handle security better than how you could

do on premise”

To some extent, this actually makes sense• Operating on a large scale, they have more resources• Redundant networks, power sources, etc.• Good physical surveillance

However...

Betting on a lot of assumptions that the provider...

Assuming that the provider...

... has no malicious intent ...

... has complete control over employees ...

... uses software that never fails ...

... does not introduce security-critical bugs ...

... never screws up ...

... always takes good care of your resources,even if by ToS / SLA

they are not legally responsiblefor any error or damage.

Wait, what can possibly go wrong with services used by hundreds of millions of

customers around the world?

What can possibly go wrong?

Mistakes happen

On June 2011, for few hours any Dropbox account was

accessible with any password

( not blaming them, these things can happen )

Screenshots of web pages can include contents whose license is defined by the relative publisher.

Ok, but that’s just because it’s a consumer service...It will never happen in an enterprise-class service...Plus everyone now offers two factor authentication.

What about enterprise services?

Even big security firms have security breaches

Screenshots of web pages can include contents whose license is defined by the relative publisher.

Earlier in 2011, RSA was victim of a breach that

compromised customers protected by their SecurID

( again, not blaming them, these things can happen )

Even when providers behave as you expect...

Cloud providers must obey the laws enforced in the country where they are

based.

Even when providers behave as you expect...

Cloud providers must obey the laws enforced in the country where they are

based.

Authorities can access your data

Data might be intentionally tampered or made

unavailable

Focus on data security

Data security

Three main concerns

Data security

ConfidentialityC

IntegrityI

AvailabilityA

Three main concerns

Data security

ConfidentialityC

IntegrityI

AvailabilityA

Why integrity matters

1 Data is stored on the cloud

2 The provider experiences a fault or a breach.Data gets corrupted.(possibly, a previous version of the data is restored from a backup)

3 The user wants to recoverhis data from the cloud

4 Corrupted data is retrieved by the user without any notice

5 The corrupted data is used by the user in his own activity, unnoticed.

Integrity check, from 10.000 ft

1 Data is stored on the cloud

2 A fingerprint of the whole data set,called basis, is efficiently recomputed

3 The user wants to recoverhis data from the cloud

4 The software retrieves the data together with a proof of integrity

5 The integrity of the data is checked by matching the proof with the last trusted basis.

How is that done?

Authenticated Data Structures

A B C D

d e f g

basis: a fingerprint of the whole data set

A B C D

d e f g

basis: a fingerprint of the whole data set

kept safeclient side,updated on

any data modification

A B C D

d e f g

Example: Integrity check for “D"

d e f g

D = data D

d e f g

D = data

Integrity Proof

g = hash(D)

d e f g

D = data D

c = hash(f, g)

g = hash(D)

d e f g

D = data D

a = hash(b, c)

c = hash(f, g)

g = hash(D)

d e f g

D = data D

a = hash(b, c)

c = hash(f, g)

g = hash(D)

d e f g

D = data

must match the trusted basis

• Verify integrity of the whole dataset• ...including completeness

• Work in log(dataset_size) time• Only the basis needs to be stored locally

• ...small as the output of an hash function

Integrity check capabilities

• Verify integrity of the whole dataset• ...including completeness

• Work in log(dataset_size) time• Only the basis needs to be stored locally

• ...small as the output of an hash function

Integrity check capabilities

• Always work with correct data• Can be used for specific SLAs

By the way, if you look at the FileRock ToS...

As the other services,all warranties are disclaimed.

Your reaction...

Are you kidding me?

• Open source client• Client-side encryption

• Encryption keys never shared with the service

• Client-side integrity check• Data replication

• Local replication (synchronization)• Remote replication (cross-provider)*

The FileRock Solution

*not implemented yet

• Open source client• Client-side encryption

• Encryption keys never shared with the service

• Client-side integrity check• Data replication

• Local replication (synchronization)• Remote replication (cross-provider)*

The FileRock Solution

*not implemented yet

Available on

FileRock: how it looks now

FileRock Toolkit Demo

FileRock - Try it

https://www.filerock.com/register

alessandro@filerock.com

Alessandro Manfredi

Hey Cloud,it’s the user calling,he says he wants the security back

@n0on3 in/n0on3

End of the presentation

Images Licenses

Public Domain

See the owner note

Free for personal use

Free for commercial usedo not redistribute

Copyright belongs to the original authors and

publishers

Cara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro Manfredi

Technology

Transcript of Cara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro Manfredi

Collection Development… build something awesome Angie Manfredi, NNMYSSIG Roundtable, 5/10.

Carta dei trattamenti massage list - Manfredi Wellness Manfredonia

Company profile manfredi&partners_en

Manfredi 2008 Monografia

Instruction Set Architecture - Intranet DEIBhome.deib.polimi.it/silvano/FilePDF/ACSO/ISA.pdf · Linguaggio assemblatore • Anche chiamato assembly Assembly ... • 68000 ha: –

Manfredi, G., Prota, A., Verderame, G. M., De Luca, F ... file1 2012 Emilia earthquake, Italy: Reinforced Concrete buildings response Manfredi Gaetano, Prota Andrea, Verderame Gerardo

Victor Manfredi - Philological Perspectives on the Southeastern Nigeria Diaspora

Elkus Manfredi Architect Slides

ECCO2 and Carbon Cycle Modeling : Arctic Ocean Applications Manfredi Manizza, EAPS-MIT.

Manuale per l’utente - BD...Manuale per l’utente del sistema Alaris - con v9.33 Modello 8015 vi La sezione unità PC Alaris del presente manuale per l'utente fornisce le procedure

Manuale per l’utente - Technogym Direct · Manuale per l’utente User's manual ... Disposing of the chest band ... The supplied accessories are contained in the “Service Box”:

ART500... Vito Manfredi Born in Hobart in 1957, Vito Manfredi attended the Tasmanian School of Art and was a founding member of the artist collective Chameleon before relocating to

UN VIAGGIO CHIAMATO POESIE - Inglese, Italiano, Tedesco e ... · UN VIAGGIO CHIAMATO..... POESIE - Inglese, Italiano, Tedesco e Francese (Luglio 1997 – Maggio 2005) By Sakora Sandon

By: Arianna Manfredi Nicole Otiura Chiara Zuñiga.

STATE OF THE INDUSTRY • Manfredi Lefebvre D’Ovidio, Chairman CLIA Europe - Chairman Silversea

Beolink.org myS3 Fabrizio Manfredi Furuholmen Federico Mosca.

Curriculum Vitae_Alice Manfredi

E. Cosenza,^ G. Manfredi,^ G.M. Verderame · E. Cosenza,^ G. Manfredi,^ G.M. Verderame ™ Dipartimento di Analisi e Progettazione Strutturale, Facolta di Ingegneria, Universita di

MiniMed 640G Guida per l’utente del sistema · PDF fileMiniMed™ 640G Guida per l’utente del sistema MP6025957-083 / A HISTORY. ... Bolus Wizard™, Enlite™, MiniLink™, Dual

L’innovazione aperta e collaborativa con l’utente, nel ...