Cloud Security: Infrastructure, Data Security, and Access Control
Adapted from slides by Keke Chen
Suggested Readings
• Reference book: “Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice)”, Tim Mather et al. http://www.amazon.com/Cloud-Security-Privacy-Enterprise-Perspective/dp/0596802765
• Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Cloud Security Alliance, https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
Outline
• Overview
• Infrastructure Security
• Data Security
• Identity and access management
• Audit, compliance and federation of clouds
• Security and privacy concerns
• Security as a service
• Network security, policies (research)
How Does Cloud Security Differ?
• What makes cloud security different from conventional cyber security systems?
Cloud Security Standards
• Cloud Security Alliance
– Security Guidance for Critical Areas of Focus in Cloud Computing
– Top Threats to Cloud Computing
– CloudAudit (A6: Automated Audit, Assertion, Assessment, and Assurance API)
• NIST Cloud Security Initiative
– Guidelines on Security and Privacy in Public Cloud Computing
• Military IASE standards from DISA-CSD
• Federal Government
– FedRAMP (2011)
– Evolved from NIST SP 800-53, from 2009
– Assessment procedures
• OASIS Identity in the Cloud
– Open standards for identity deployment, provisioning and management
Different Kinds of Clouds (NIST)
Private versus Public Cloud Security
Security and Who Owns a Cloud?
Dimensions of Security
Tradeoffs and Security Provisions
Cloud Security Alliance Concerns (1)

| Domain | Guidance dealing with security |
| --- | --- |
| Governance and Enterprise Risk Management | Govern and measure enterprise risk |
| Legal Issues: Contracts and Electronic Discovery | Protection requirements, security breach disclosure laws, regulatory requirements, privacy requirements, international laws |
| Compliance and Audit | Proving compliance during audit |
| Information Management and Data Security | Identification and control of data in the cloud; CIA (confidentiality, integrity, availability) |
| Portability and Interoperability | Move data and services from one provider to another; interoperability |
| Traditional Security, Business Continuity and Disaster Recovery | Security of operational processes and procedures (security, business continuity and disaster recovery) |
| Data Center Operations | Evaluation of stability, on-going services |
Cloud Security Alliance Concerns (2)

| Domain | Guidance dealing with security |
| --- | --- |
| Incident Response, Notification and Remediation | Provider and user levels to enable proper incident handling and forensics |
| Application Security | Application migration |
| Encryption and Key Management | Appropriate encryption and scalable key management |
| Identity and Access Management | Organization’s identity, access controls |
| Virtualization | Multi-tenancy, VM isolation, VM co-residence, hypervisor vulnerabilities |
| Security as a Service | Third-party facilitated security assurance, incident management, compliance attestation, identity and access oversight |
NIST
• Guidelines on Security and Privacy in Public Cloud Computing, Wayne Jansen and Timothy Grance, NIST, January 2011 http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
Security: Pros vs Cons of Cloud
Pros:
• Staff Specialization
• Platform Strength
• Resource Availability
• Backup and Recovery
• Mobile Endpoints
• Data Concentration
• Data Center Oriented
• Cloud Oriented
Cons:
• System Complexity
• Shared Multi-tenant Environment
• Internet-facing Services
• Loss of Control
• Botnets
• Mechanism Cracking
Overview
Infrastructure Security
• Infrastructure: IaaS, PaaS, and SaaS
• Focus on public clouds
– No special security problems with private clouds: traditional security problems only
• Different levels
– Network level
– Host level
– Application level
Network level
• Confidentiality and integrity of data-in-transit
– Amazon had security bugs with the digital signatures on SimpleDB, EC2, and SQS accesses (in 2008)
• Less or no system logging/monitoring
– Only the cloud provider has this capability
– Thus, difficult to trace attacks
• Reassigned IP addresses
– Expose services unexpectedly
– Spammers using EC2 are difficult to identify
• Availability of cloud resources
– Some factors, such as DNS, are controlled by the cloud provider
• Physically separated tiers become logically separated
– E.g., 3-tier web applications
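The data-in-transit point above turns on how API requests are signed. The 2008 AWS Signature Version 1 weakness was a canonicalization ambiguity (parameter names and values concatenated with no delimiter, so two different requests could share one string-to-sign); the following added example, which is not from the slides and uses a constructed key and constructed parameter names, contrasts that naive canonicalization with an unambiguous one bound to method, host and path, plus a bounded timestamp window and constant-time comparison on the verifying side.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed key for the demo; a real client loads it from a secret store.
SECRET_KEY = b"constructed-demo-secret"


def naive_string_to_sign(params):
    """Ambiguous canonicalization: names and values are concatenated with no
    delimiter, so two different parameter sets can yield the same string and
    therefore the same signature."""
    return "".join(k + str(v) for k, v in sorted(params.items()))


def canonical_string_to_sign(method, host, path, params):
    """Unambiguous canonicalization: every name and value is percent-encoded,
    pairs are joined with '=' and '&', and the method, host and path are bound
    into the signed string so a signature is only valid for one endpoint."""
    query = "&".join(
        f"{quote(k, safe='')}={quote(str(v), safe='')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([method, host, path, query])


def sign(secret, string_to_sign):
    return hmac.new(secret, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_request(secret, method, host, path, params, presented_sig,
                   now=None, max_skew_seconds=300):
    """Server-side check: reject requests outside the replay window, then
    recompute the signature and compare it in constant time."""
    now = time.time() if now is None else now
    try:
        ts = int(params["Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew_seconds:
        return False
    expected = sign(secret, canonical_string_to_sign(method, host, path, params))
    return hmac.compare_digest(expected, presented_sig)


def signed_request(secret, method, host, path, params):
    """Client side: returns (params, signature) for the given request."""
    return params, sign(secret, canonical_string_to_sign(method, host, path, params))
```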
Private Cloud Network Security
Host level (IaaS)
• Hypervisor security
– Effectively a “zero-day vulnerability” in every VM if the attacker controls the hypervisor
• Virtual machine security
– SSH private keys (if the file mode is not appropriately set)
– VM images (especially private VMs)
– Vulnerable services
Application level
• SaaS application security
– Example: in one incident, Google Docs access control failed and all users could access all documents
Data Security
• Data-in-transit
• Data-at-rest
• Processing of data, including multitenancy
• Data lineage
• Data provenance
• Data remanence
Data Security
• Data-in-transit
– Confidentiality and integrity
• Data-at-rest and data being processed
– Possibly encrypted for static storage
– Cannot be encrypted for most PaaS and SaaS (such as Google Apps): encryption prevents indexing or searching
• Research on indexing/searching encrypted data
• Fully homomorphic encryption?
Data lineage
• Definition: tracking and managing data
• For audit or compliance purposes
• Data flow or data path visualization
– E.g., data transferred to AWS on date x1 at time y1 and stored in a bucket on S3, example.s3.amazonaws.com; then processed on date x2 at time y2 on EC2 at ec2-67-202-51-223.compute-1.amazonaws.com; then stored in another bucket, example2.s3.amazonaws.com; then brought back locally on date x3 at time y3, …
• Time-consuming process even for an in-house data center
– Not possible for a public cloud
Data provenance
• Origin/ownership of data
– Verify the authority of data
– Trace the responsibility, e.g., for financial and medical data
• Difficult to prove data provenance in a cloud computing scenario
Data remanence
• Data left intact by a nominal delete operation
– In many DBMSs and file systems, data is deleted by flagging it
• Leads to possible disclosure of sensitive information
• Department of Defense: National Industrial Security Program Operating Manual
– Defines data clearing and sanitization
Provider’s data and its security
• The provider collects a huge amount of security-related data
– Data possibly related to service users
– If not managed well, it is a big threat to users’ security
What Do You Know about Identity and Access Management?
• What kinds of protocols and techniques are needed/used?
Identity and Access Management
• Traditional trust boundary reinforced by network controls
– VPN, intrusion detection, intrusion prevention
• Loss of network control in cloud computing
• Have to rely on higher-level software controls
– Application security
– User access controls: IAM
Identity and Access Management
• IAM components
– Authentication
– Authorization
– Auditing
• IAM processes
– User management
– Authentication management
– Authorization management
– Access management (access control)
– Propagation of identity to resources
– Monitoring and auditing
IAM functional architecture
IAM standards and specifications

| Need | Standard |
| --- | --- |
| Avoid duplication of identity, attributes, and credentials and provide a single sign-on user experience | SAML (Security Assertion Markup Language); http://shibboleth.internet2.edu/docs/internet2-mace-shibboleth-arch-protocols-200509.pdf |
| Automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning | SPML (Service Provisioning Markup Language); http://www.oasis-open.org/standards#spmlv2.0 |
| Provision user accounts with appropriate privileges and manage entitlements | XACML (eXtensible Access Control Markup Language) |
| Authorize cloud service X to access my data in cloud service Y without disclosing credentials | OAuth (Open Authorization) |
SAML Example
ACS: Assertion Consumer Service; SSO: single sign-on
SPML example
XACML Example
PEP: policy enforcement point (application interface); PDP: policy decision point
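The PEP/PDP split shown in the XACML example slide can be made concrete in a few dozen lines. This added example is not from the slides or from any XACML implementation: it models rules with targets, conditions and a combining algorithm (deny-overrides, as XACML defines it) behind a PDP, and a PEP that fails closed, letting a request through only on an explicit Permit. The medical-records policy and the attribute names are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Rule:
    effect: str                                               # "Permit" or "Deny"
    target: Dict[str, Set[str]] = field(default_factory=dict)  # attribute -> allowed values
    condition: Optional[Callable[[dict], bool]] = None        # extra predicate on the request


@dataclass
class Policy:
    rules: List[Rule]
    combining: str = "deny-overrides"                         # or "permit-overrides"


def rule_matches(rule: Rule, request: dict) -> bool:
    """A rule applies when every target attribute has an allowed value and the
    optional condition holds."""
    for attr, allowed in rule.target.items():
        if request.get(attr) not in allowed:
            return False
    return rule.condition is None or rule.condition(request)


def pdp_decide(policy: Policy, request: dict) -> str:
    """Policy Decision Point: combine the effects of all applicable rules."""
    effects = [r.effect for r in policy.rules if rule_matches(r, request)]
    if not effects:
        return "NotApplicable"
    if policy.combining == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if policy.combining == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError(f"unknown combining algorithm: {policy.combining}")


def pep_enforce(policy: Policy, subject: dict, resource: dict, action: str) -> bool:
    """Policy Enforcement Point (the application interface): builds the request
    from subject/resource/action attributes and lets through only an explicit
    Permit, so NotApplicable and Deny are both refused (fail closed)."""
    request = {
        "subject-role": subject["role"],
        "subject-dept": subject["dept"],
        "resource-type": resource["type"],
        "resource-owner-dept": resource["owner_dept"],
        "action": action,
    }
    return pdp_decide(policy, request) == "Permit"


# Constructed policy for the demo: doctors may read medical records owned by
# their own department; no one may delete a medical record; nothing else is
# covered, so the PEP refuses it.
RECORDS_POLICY = Policy(rules=[
    Rule("Permit",
         {"subject-role": {"doctor"}, "resource-type": {"medical-record"}, "action": {"read"}},
         condition=lambda r: r["subject-dept"] == r["resource-owner-dept"]),
    Rule("Deny", {"resource-type": {"medical-record"}, "action": {"delete"}}),
])
```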
OAuth example
IAM standards/protocols
• OpenID
• Information Cards
• Open Authentication (OATH)
• Issues for OpenID
– Phishing: a malicious relying party forwards the end-user to a bogus identity provider authentication page
– Allows sniffing of the certificate and replay
Difference Open ID versus Oauth (Thanks to Wikipedia)
IAM practice: identity federation
• Dealing with heterogeneous, dynamic, loosely coupled trust relationships
• Enabling “login once, access different systems within the trust boundary”
– Single sign-on (SSO)
– Centralized access control services
– Yahoo! OpenID
Audit, compliance and federation of clouds
NIST: Interactions between Actors in Cloud Computing
Figure: the actors are the Cloud Consumer, Cloud Provider, Cloud Broker, Cloud Auditor and Cloud Carrier. The diagram shows the communication path between a cloud provider and a cloud consumer, the communication paths for a cloud auditor to collect auditing information, and the communication paths for a cloud broker to provide service to a cloud consumer.
The Combined Conceptual Reference Diagram
Figure: NIST cloud conceptual reference model. Actors: Cloud Consumer; Cloud Auditor (security audit, privacy impact audit, performance audit); Cloud Broker (service intermediation, service aggregation, service arbitrage); Cloud Carrier; Cloud Provider. Inside the Cloud Provider: the Service Layer (SaaS, PaaS, IaaS), the Resource Abstraction and Control Layer, and the Physical Resource Layer (hardware, facility), alongside Cloud Service Management (business support, provisioning/configuration, portability/interoperability), with Security and Privacy as cross-cutting concerns.
Cloud Provider: Service Orchestration
Figure: service orchestration within the Cloud Provider. The Service Layer (SaaS, PaaS, IaaS) sits on the Resource Abstraction and Control Layer, which sits on the Physical Resource Layer (hardware, facility). Usage scenarios by service model: Software as a Service for business process/operations and application/service usage; Platform as a Service for application development (develop, test, deploy and manage); Infrastructure as a Service for IT infrastructure and operation (develop, test, deploy and manage).
Federation of Clouds/Hybrid Clouds (1)
• Using multiple clouds for different applications to match needs (local cloud and cloud bursting)
• Allocating components of an application to different environments (e.g., compute vs database tiers), whether internal or external (“application stretching”)
• Moving an application to meet requirements at specific stages in its lifecycle, from early development through unit test, scale testing, pre-production and ultimately full production scenarios
Federation of Clouds/Hybrid Clouds (2)
• Moving workloads closer to end users across geographic locations, including user groups within the enterprise, partners and external customers
• Meeting peak demands efficiently in the cloud while the low steady state is handled internally
• Keeping large data within a country, geography or organization while allowing globally distributed computation
• Maintaining confidential data on better protected clouds while allowing distributed computation on more computationally efficient ones
Key Security and Privacy Issues
• Governance -- control and oversight over policies, procedures, and standards for application development, as well as the design, implementation, testing, and monitoring of deployed services.
Key Security and Privacy Issues
• Compliance -- conformance with an established specification, standard, regulation, or law
– Data location --- trans-border data flows: whether the laws in the jurisdiction where the data was collected permit the flow, whether those laws continue to apply to the data post-transfer, and whether the laws at the destination present additional risks or benefits
– Laws and Regulations --- OMB, Clinger-Cohen Act, FISMA, NARA (archives), HIPAA, PCI DSS (cards)
– Electronic Discovery --- FOIA, litigation
Key Security and Privacy Issues
• Trust
– Insider Access --- (esp. DoS)
– Data Ownership --- privacy versus data ownership
– Composite Services --- nesting and layering of services; trust is not transitive; liability and performance guarantees
– Visibility --- detailed network and system level monitoring, oversight
– Risk Management
Security as a Service
• Origins: email spam
• Today
– Email filtering
– Web content filtering
– Vulnerability management
– Identity management as a service
– Etc.
• Naming: SaaS -- NOT to be confused with Software as a Service! SecaaS: Security as a Service (Cloud Security Alliance), https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
SaaS Categorization by CSA
CSA: Cloud Security Alliance
1. Identity and Access Management
2. Data Loss Prevention
3. Web Security
4. Email Security
5. Security Assessments
6. Intrusion Management
7. Security Information and Event Management (SIEM)
8. Encryption
9. Business Continuity and Disaster Recovery
10. Network Security
Identity and Access Management (IAM)
• SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active Directory Federation Services (ADFS2), WS-Federation
• Commercial cloud examples
– CA Arcot WebFort
– CyberArk Software Privileged Identity Manager
– Novell Cloud Security Services
– ObjectSecurity OpenPMF (authorization policy automation, for private cloud only)
– Symplified
• Threats addressed
– Identity theft, unauthorized access, privilege escalation, insider threat, non-repudiation, excess privileges/excessive access, delegation of authorizations/entitlements, fraud
Data Loss Prevention
• Monitoring, protecting, and verifying the security of data
• Runs as a client on desktops/servers and applies rules such as:
– “No FTP” or “No uploads” to web sites
– “No documents with numbers that look like credit cards can be emailed”
– “Anything saved to USB storage is automatically encrypted and can only be decrypted on another office-owned machine with a correctly installed DLP client”
– “Only clients with functioning DLP software can open files from the file server”
• Related to IAM
• Threats addressed
– Data loss/leakage, unauthorized access, malicious compromises of data integrity, data sovereignty issues, regulatory sanctions and fines
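The rule “no documents with numbers that look like credit cards can be emailed” is the one DLP rule on the slide that reduces to a concrete check. The added example below is not from the slides or any DLP product: it scans every part of an outbound message for 13-19 digit runs and keeps only those that pass the Luhn check, which is what separates card numbers from invoice, order and phone numbers of the same shape, and it records only a masked value so the DLP log does not itself become a leak. The message structure and sample text are constructed for the demo.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: doubles every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return digit strings that look like card numbers AND pass Luhn, which
    filters out most invoice/order/phone numbers that merely match the shape."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def dlp_check_email(message: dict):
    """Apply the rule to every part (body and attachments) of an outbound
    message. Returns (allowed, findings); a finding names the part and keeps
    only the last four digits."""
    findings = []
    for part_name, body in message["parts"].items():
        for number in find_card_numbers(body):
            findings.append({"part": part_name,
                             "masked": "*" * (len(number) - 4) + number[-4:]})
    return len(findings) == 0, findings
```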
Web Security
• Real-time protection
– On-premise through software/appliance installation
– Proxying or redirecting web traffic to the cloud provider
• Prevent malware from entering the enterprise via activities such as web browsing
• Services: mail server, anti-virus, anti-spam, web filtering, web monitoring, vulnerability management, anti-phishing
• Threats addressed
– Keyloggers, domain content, malware, spyware, bot networks, phishing, viruses, bandwidth consumption, data loss prevention, spam
Email Security
• Control over inbound and outbound email
• Enforce corporate policies such as acceptable use and spam
• Policy-based encryption of emails
• Digital signatures enabling identification and non-repudiation
• Services
– Content security, anti-virus/anti-malware, spam filtering, email encryption, DLP for outbound email, web mail, anti-phishing
• Threats addressed
– Phishing, intrusion, malware, spam, address spoofing
Security Assessments
• Third-party audits of cloud services or assessments of local systems via cloud-provided solutions
• Well defined and supported by multiple standards such as NIST, ISO, and CIS
• Additional cloud challenges
– Virtualization awareness of the tool
– Support for common web frameworks in PaaS applications
– Compliance controls for IaaS, PaaS, and SaaS platforms
• Services
– Internal and/or external penetration test, application penetration test, host and guest assessments, firewall/IPS (security components of the infrastructure) assessments, virtual infrastructure assessment
• Threats addressed
– Inaccurate inventory, lack of continuous monitoring, lack of correlation information, lack of complete auditing, failure to meet/prove adherence to regulatory/standards compliance, insecure/vulnerable configurations, insecure architectures, insecure processes/processes not being followed
Intrusion Management
• Using pattern recognition to detect and react to statistically unusual events
• IM tools are mature; however,
– virtualization and massive multi-tenancy are creating new targets for intrusion
– this raises many questions about implementing the same protection in cloud environments
• Services
– Packet inspection, detection, prevention
• Threats addressed
– Intrusion, malware
Security Information and Event Management (SIEM)
• Accept log and event information
• Correlate and analyze to provide real-time reporting and alerting on incidents/events
• Services
– Log management, event correlation, security/incident response, scalability, log and event storage, interactive searching and parsing of log data, immutable logs (for legal investigations)
• Threats addressed
– Abuse, insecure interfaces and APIs, malicious insiders, shared technology issues, data loss and leakage, account or service hijacking, unknown risk profile, fraud
Encryption
• The process of obfuscating/encoding data using cryptographic algorithms
– Algorithm(s) that are computationally difficult to break
• Services
– VPN services, encryption key management, virtual storage encryption, communications encryption, application encryption, database encryption, digital signatures, integrity validation
• Threats addressed
– Failure to meet regulatory compliance requirements; insider and external threats to data; intercepted clear-text network traffic; clear-text data on stolen/disposed-of hardware; reducing the risk of, and potentially enabling, cross-border business opportunities; reducing perceived risks and thus enabling cloud adoption by government
Business Continuity and Disaster Recovery
• Ensure operational resiliency in the event of any service interruptions
• Flexible and reliable failover
• Utilize the cloud’s flexibility to minimize cost and maximize benefits
• Services
– File recovery provider, file backup provider, cold site, warm site, hot site, insurance, business partner agreements, replication (e.g., databases)
• Threats addressed
– Natural disaster, fire, power outage, terrorism/sabotage, data corruption, data deletion, pandemic/biohazard
Network Security
• Services that allocate access, distribute, monitor, and protect the underlying resource services
– Address security controls at the network in aggregate, or
– Specifically address them at the individual network of each underlying resource
• In clouds, likely to be provided by virtual devices alongside traditional physical devices
– Tight integration with the hypervisor, to ensure full visibility of all traffic on the virtual network layer, is key
• Services
– Firewall (perimeter and server tier), web application firewall, DDoS protection/mitigation, DLP, IR management, IDS/IPS
• Threats addressed
– Data threats, access control threats, application vulnerabilities, cloud platform threats, regulatory, compliance and law enforcement
Network Security (Research)
• Policies about the configuration of the infrastructure are used for specifying security and availability requirements
– A critical device should be placed within a security perimeter
– Unprotected devices should not communicate with machines running critical services
– Computation on confidential data must be performed on hosts under the control of DoD
• A policy-driven approach has been taken by FISMA, PCI-DSS, NERC
• Requirements
– Scalability
– Real-time detection of violations
– Monitoring itself needs to be secure
– Information needs to be shared across cloud providers
Middleware for Assured Clouds
Figure: architecture of the Middleware for Assured Clouds. Components: Policy Distribution; Odessa Agents and a NetOdessa Agent (monitoring); Reaction Agents; the DORA Subsystem; a Trust Calculation Module (trustworthiness of workflows); External Event Aggregators; Risk Assessment Modules; and Distance from Compliance Calculation. Goals: formal design and analysis of assured mission-critical computations, and evaluation on a distributed networked test-bed.
Reaction Agents are part of the Middleware
• When a policy violation is detected
– Security, availability, or timeliness requirements might not be satisfied
– We need to reconfigure the system
• We implemented a cloud-based OpenFlow reaction agent
Figure: the Reaction Agent receives the violation, obtains flow information from the OpenFlow controller, and sends reconfigurations back to it.
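The three configuration policies from the Network Security (Research) slide and the reaction-agent loop above fit together as one check-then-reconfigure cycle. The added example below is not the NetODESSA or Middleware for Assured Clouds code: it evaluates the three stated policies over a constructed host/flow inventory, reports each violation, and maps violations to reconfiguration actions in a constructed OpenFlow-style format (drop rules for offending flows, quarantine for a misplaced critical host); the host attributes and names are assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    critical: bool = False        # runs a critical service
    protected: bool = False       # managed, hardened device
    in_perimeter: bool = False    # placed inside the security perimeter
    controller: str = "unknown"   # organization that controls the host


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    confidential: bool = False    # confidential data is sent to dst for processing


def check_policies(hosts: List[Host], flows: List[Flow]) -> List[Tuple[str, str]]:
    """Evaluate the three slide policies against the current configuration and
    return (policy-id, detail) pairs for every violation found."""
    by_name: Dict[str, Host] = {h.name: h for h in hosts}
    violations = []
    for h in hosts:
        # Policy 1: a critical device should be placed within a security perimeter.
        if h.critical and not h.in_perimeter:
            violations.append(("critical-device-in-perimeter", h.name))
    for f in flows:
        s, d = by_name[f.src], by_name[f.dst]
        # Policy 2: unprotected devices must not talk to critical-service hosts.
        if (s.critical and not d.protected) or (d.critical and not s.protected):
            violations.append(("no-unprotected-to-critical", f"{f.src}->{f.dst}"))
        # Policy 3: confidential data is processed only on DoD-controlled hosts.
        if f.confidential and d.controller != "DoD":
            violations.append(("confidential-only-on-dod-hosts", f"{f.src}->{f.dst}"))
    return violations


def reaction_agent(violations) -> List[dict]:
    """Turn violations into reconfiguration actions. The action format is a
    constructed stand-in for what an OpenFlow reaction agent would push to the
    controller: drop rules for offending flows, quarantine for misplaced hosts."""
    actions = []
    for policy, detail in violations:
        if "->" in detail:
            src, dst = detail.split("->")
            actions.append({"op": "add-flow", "match": {"src": src, "dst": dst},
                            "action": "drop", "reason": policy})
        else:
            actions.append({"op": "quarantine", "host": detail, "reason": policy})
    return actions


def demo():
    """Constructed configuration: a DoD-controlled perimeter, a critical host
    left outside it, an unmanaged laptop and an external analytics host."""
    hosts = [
        Host("db", critical=True, protected=True, in_perimeter=True, controller="DoD"),
        Host("web", protected=True, in_perimeter=True, controller="DoD"),
        Host("auth", critical=True, protected=True, in_perimeter=False, controller="DoD"),
        Host("laptop", protected=False, in_perimeter=False, controller="unknown"),
        Host("analytics", protected=True, in_perimeter=False, controller="cloud-provider"),
    ]
    flows = [
        Flow("web", "db"),
        Flow("laptop", "db"),
        Flow("db", "analytics", confidential=True),
    ]
    violations = check_policies(hosts, flows)
    return violations, reaction_agent(violations)
```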
To Read Further
• Roy H. Campbell, Mirko Montanari, Reza Farivar, “Middleware for Assured Clouds,” Journal of Internet Services and Applications, 2011.
• E. Kroske, R. Farivar, M. Montanari, K. Larson, R. H. Campbell, “NetODESSA: Dynamic Policy Enforcement in Cloud Networks,” 30th IEEE Symposium on Reliable Distributed Systems Workshops (SRDSW), 2011.
• Mirko Montanari, Roy H. Campbell, “Attack-resilient Compliance Monitoring for Large Distributed Infrastructure Systems,” IEEE International Conference on Network and System Security (NSS), Sept 2011.
• Mirko Montanari, Ellick Chan, Kevin Larson, Wucherl Yoo, Roy H. Campbell, “Distributed Security Policy Conformance,” IFIP SEC 2011, Lucerne, Switzerland, June 2011.