Into the Cloud: - Institute for Security Technology Studies (ISTS)
Into the Cloud: The pros and cons of hosting servers in public, private, and hybrid Clouds
Adam Goldstein - IT Security Engineer, Dartmouth College and Dartmouth Cyber-security Initiative
Securing the eCampus 2010 – Hanover, NH, July 19, 2010
Dartmouth Cyber-Security Initiative (CSI)
• The CSI is an ongoing collaboration between faculty, staff, and students
• Focused on projects aimed at improving the security of the College's information systems.
• Student participants in the last year:
– 6 undergraduates (CS and Thayer)
– 2 Masters students (CS and Thayer)
– 3 PhD candidates (CS)
Cloud Computing - Definitions
• Software as a Service (SaaS) – Google Apps, Salesforce.com, MS BPOS
• Platform as a Service (PaaS) – Google App Engine, MS Azure, Force.com
• Infrastructure as a Service (IaaS) – Amazon EC2, Rackspace Cloud, GoGrid
The Appeal of IaaS
• What makes hosting servers in the Cloud attractive:
– Low cost
– Ease of use
– Scalability
– Minimal infrastructure requirements
– Pay-for-use cost model
Cloud Pricing (July 2010)

Rackspace Cloud:

| RAM | Hourly | Monthly |
|---|---|---|
| 256 MB | $0.015 | $10.95 |
| 2048 MB | $0.12 | $87.60 |
| 8192 MB | $0.48 | $350.40 |

Amazon EC2:

| Instance type | RAM / CPUs | Hourly | Monthly |
|---|---|---|---|
| Small | 1.7 GB / 1 | $0.085 | $61.20 |
| High CPU Med. | 1.7 GB / 5 | $0.17 | $122.40 |
| Large | 7.5 GB / 4 | $0.34 | $244.80 |
| High Mem XL | 17 GB / 6.5 | $0.50 | $360.00 |
| High CPU XL | 7 GB / 20 | $0.68 | $489.60 |
| Hi Mem XXXXL | 69 GB / 26 | $2.40 | $1,728.00 |
Potential Limitations of IaaS
• Some of the commonly cited limitations of hosting servers in the Cloud include:
– Security concerns
– Bandwidth limitations
– Service availability
– Legal issues
Dartmouth IaaS Study
• General Department interest in the Cloud
• Phase 1 - CSI initiated a study of IaaS security
– Researched using IaaS for security services
– Identified potential risk of attacks from the Cloud
– Identified potential risks to customers of Cloud providers
• Phase 2 – Cost is a main driver for IaaS. Is it worth it?
– IaaS Decision Tree
– Cloud Metrics
Seminar Agenda
• Introductions
• Cloud Decision Tree
• Calculating the Cloud - Metrics
• Pleasant Skies or Gathering Storm
• Security Services in the Cloud
• “Mal-Users” in the Cloud
• Risk to Customers
• The Potential of Private Clouds
* Interactive exercises throughout
Dartmouth IaaS Study
• An 8-question “decision tree” which quickly allows Dartmouth IT administrators to determine whether a server might be an eligible candidate for IaaS
• “Cloud metrics” for bandwidth, storage capacity, processing power, and usage patterns to help IT staff determine whether it is more cost effective to host a server in the cloud or keep it in house.
Decision Tree - Sensitive Data
Does the server house, transmit, or process sensitive data such as:
– Personally Identifiable Information (PII)
– Protected Health Information (PHI)
– Institutional or Personal Financial Records
– Academic Records
– Sensitive Intellectual Property or Research Data
Decision Tree - Sensitive Data?
If Yes – reconsider hosting in the cloud
• Limited auditing capabilities:
– Cannot access functions needed for thorough auditing
– Customer Agreements prevent certain types of auditing
• Limited Security Controls: IaaS servers not protected by firewalls and IDS/IPS
• Web-based Admin Console: Server instances are only protected by username/password
Much more on this later…
Decision Tree - Mission Critical Services?
If Yes, reconsider hosting in the Cloud:
– Providers have very limited liability in the event of outages
– Can suspend or terminate servers if they are under attack, whether or not it is the Customer’s fault
Decision Tree - Uploads?
Does the server require large and frequent uploads?
If Yes, reconsider hosting in the Cloud
– Upload speeds are slow
– One-time loads may be OK, but frequent uploads may significantly hinder usability
Decision Tree - Data Retention Policies?
If Yes, reconsider hosting in the Cloud
– No guarantee the provider will continue to offer service for the required retention time
– There may be challenges in retrieving records if the service is suspended
– IaaS providers do not have published retention policies
Decision Tree – Other Concerns
• Does the server require an unsupported OS?
• Does the server need to be connected to peripheral devices or a SAN?
• Are there software licensing issues that prevent the server from running in the cloud?
– USB dongle
– IP restrictions
• Is physical access to the server required?
Decision Tree - Summary
265 Dartmouth Servers assessed
According to the Decision-tree:
– 211 not candidates for the Cloud
– 54 can be considered – Let's review cost
Cloud Metrics - Server cost
To consider:
• Server sizing
– RAM
– CPU
– Storage
• Compare Costs
– Stand Alone
– Virtual Server
– Cloud Instance
Cloud Metrics – Server Cost
Server run-time requirement can greatly influence cost/benefit
– Cloud offerings become more attractive if the server does not need to run 24/7
Cloud Metrics – Server Cost Analysis
Dartmouth server that is only used one week a month:
• Current dedicated server: ~$145/month hardware + additional costs (backup, power, cooling)
• Move to Dartmouth Virtual Machine: ~$24/month
• Host in the Cloud:
– Amazon EC2: $3.70/month
– RackSpace Cloud: $2.40/month
Server Costs - VM vs. Cloud
• Required server uptime is the critical factor
• For Dartmouth, if a server needs to run 24/7, it is cheaper to run on an in-house virtual machine
– $24/month for a VM
– ~$60/month for the Cloud
Cloud Metrics – Bandwidth costs
For Dartmouth:
• Cost/savings negligible
• Cheaper in the Cloud if:
– a server uses 3 times more Internet bandwidth than internal
• Of more than 650 servers reviewed, only 4% met that ratio
• And, $2.00 was the greatest monthly savings for a server - most were <$0.50 a month
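The 8-question decision tree and the run-time and bandwidth cost metrics above, written as one screening function. This is an added example, not code from the slides or from the Dartmouth study; the Server fields, the $24/month VM figure, the July 2010 hourly rates and the 3x bandwidth ratio come from the deck, and the sample server is constructed.

```python
"""Added example, not from the ISTS deck: the deck's 8-question IaaS decision tree and
its run-time and bandwidth cost metrics, written as a small screening function."""
import math
from dataclasses import dataclass

# Figures quoted in the deck (July 2010): in-house VM ~$24/month, EC2 Small $0.085/hr,
# Rackspace 256 MB $0.015/hr, and the 3x Internet-vs-internal bandwidth rule of thumb.
VM_MONTHLY_USD = 24.0
CLOUD_HOURLY_USD = {"ec2_small": 0.085, "rackspace_256mb": 0.015}
HOURS_PER_MONTH = 720            # 30-day month; 720 * 0.085 = $61.20, the deck's ~$60
BANDWIDTH_RATIO_THRESHOLD = 3.0


@dataclass
class Server:
    name: str
    sensitive_data: bool            # PII, PHI, financial, academic or research data
    mission_critical: bool
    large_frequent_uploads: bool
    retention_policy: bool          # records with a required retention time
    unsupported_os: bool
    needs_peripherals_or_san: bool
    licensing_restrictions: bool    # USB dongle, IP-restricted licence
    physical_access_required: bool
    hours_per_month: int            # how long the server actually has to run
    internet_gb: float              # monthly traffic to/from the Internet
    internal_gb: float              # monthly traffic to/from the campus network


def decision_tree(s: Server) -> list:
    """Return the deck's 'reconsider hosting in the cloud' reasons; empty means a candidate."""
    checks = [
        (s.sensitive_data, "houses, transmits or processes sensitive data"),
        (s.mission_critical, "mission-critical service"),
        (s.large_frequent_uploads, "requires large and frequent uploads"),
        (s.retention_policy, "subject to data retention requirements"),
        (s.unsupported_os, "requires an unsupported OS"),
        (s.needs_peripherals_or_san, "needs peripheral devices or a SAN"),
        (s.licensing_restrictions, "software licensing prevents running in the cloud"),
        (s.physical_access_required, "physical access to the server is required"),
    ]
    return [reason for flagged, reason in checks if flagged]

def monthly_cloud_cost(hours: int, hourly_rate: float) -> float:
    """Pay-for-use cost for the hours the server must be up, capped at a full month."""
    return round(min(hours, HOURS_PER_MONTH) * hourly_rate, 2)

def break_even_hours(hourly_rate: float, vm_monthly: float = VM_MONTHLY_USD) -> int:
    """Run-hours per month above which the in-house VM is cheaper than the cloud instance."""
    return math.floor(vm_monthly / hourly_rate)

def bandwidth_favours_cloud(s: Server) -> bool:
    """Deck's rule: bandwidth is cheaper in the cloud only if Internet traffic is >= 3x internal."""
    if s.internal_gb == 0:
        return s.internet_gb > 0
    return s.internet_gb / s.internal_gb >= BANDWIDTH_RATIO_THRESHOLD

def assess(s: Server, rate_key: str = "ec2_small") -> dict:
    """Combine the decision tree with the cost metrics into one screening verdict."""
    reasons = decision_tree(s)
    cloud = monthly_cloud_cost(s.hours_per_month, CLOUD_HOURLY_USD[rate_key])
    return {
        "candidate": not reasons,
        "reasons": reasons,
        "cloud_monthly_usd": cloud,
        "vm_monthly_usd": VM_MONTHLY_USD,
        "cheaper_in_cloud": (not reasons) and cloud < VM_MONTHLY_USD,
        "bandwidth_favours_cloud": bandwidth_favours_cloud(s),
    }

if __name__ == "__main__":
    # Constructed sample: an external scanner that only runs one week a month.
    scanner = Server("scanner", False, False, False, False, False, False, False, False,
                     hours_per_month=168, internet_gb=30.0, internal_gb=10.0)
    print(assess(scanner))
    print("EC2 Small break-even hours/month:", break_even_hours(CLOUD_HOURLY_USD["ec2_small"]))
```

A server that answers "yes" to any of the eight questions is never reported as cheaper in the cloud, matching the deck's order: the decision tree first, cost only for the 54 that pass.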
Cloud Metrics - Risks
Even if there are cost savings in the Cloud, make sure to consider other factors:
– Security concerns
– Legal issues
– Availability requirements
Security Services in the Cloud - Why
• Again, general department interest in researching IaaS (e.g. it’s cheap)
• CSI is focused on Security
• Many security “services” could be good candidates for the cloud
– Only needed for a short time
– Not needed 24/7
– Not mission-critical
– Limited sensitive data*
Security Services in the Cloud: Examples
• External vulnerability scanning and penetration testing
• External service monitoring
• Application and software evaluation
• Security tool training
Security Services in the Cloud: Acceptable Use Policies
In general, probing your own systems from the cloud is allowed
Most AUPs prevent probing the cloud services without explicit consent from the vendor
Acceptable Use Policies: Examples
Rackspace Cloud:
“Unauthorized access to or use of data, systems or networks, including any attempt to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without express authorization of the owner of the system or network”
Amazon EC2:
“You may not use the Services to violate the security or integrity of any network, computer or communications system, software application, or network or computing device (each, a “System”). Prohibited activities include:
Unauthorized Access. Accessing or using any System without permission, including attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System.
Interception. Monitoring of data or traffic on a System without permission.”
Acceptable Use Policies: Testing against the Cloud
Rackspace AUP: “You may not attempt to probe, scan, penetrate or test the vulnerability of a Rackspace Cloud system or network or to breach the Rackspace Cloud's security or authentication measures, whether by passive or intrusive techniques, without the Rackspace Cloud's express written consent.”
Test Findings - Scanning
• Conducted NMAP scans of both Dartmouth Data Centers
• Cloud providers did not block scans or raise alerts on the activity
• /22 subnets (1024 hosts) averaged 35 seconds
• Max rtt timeout of 100 ms produced accurate results
Test Findings – Scanning
• Used scan results to create a “Firewall Map”
• Compared open ports with flow data to make firewall recommendations
• Internal scanner still needed to test private addresses
Test Findings – Vulnerability Scanning
• Computing Services routinely conducts vulnerability scans from an internal server
• Same scans were conducted from the Cloud
• Again, no blocks or alerts were generated from the vendor
• Exploit tools were also installed on the Cloud servers.
Test Findings – Vulnerability Scanning (2)
• Scan of 904 servers
• Almost 30,000 possible tests per host
• Completed in <2 hours
Scanning from the Cloud - Cost Analysis
Current dedicated scanning server: ~$145/month hardware + additional costs (backup, power, cooling)
Move to Dartmouth Virtual Machine: ~$24/month
Host in the Cloud:
– Amazon EC2: $3.70/month
– RackSpace Cloud: $2.40/month
Exploring IaaS offerings - S3 Storage
Amazon Simple Storage Service (S3):
• Cloud storage for any type of data
• Comparable to Network-attached Storage (NAS)
• Accessible from multiple systems simultaneously
Exploring IaaS offerings - EBS Storage
Amazon Elastic Block Storage (EBS):
• Cloud storage that can be attached to EC2 instances
• Comparable to a Storage Area Network (SAN)
• Can only be accessed by one EC2 instance at a time
Exploring IaaS offerings – Storage Pricing
Amazon S3:
• $0.15 per GB-month of data stored
• $0.01 per 1,000 PUT requests (saving)
• $0.01 per 10,000 GET requests (loading)
Amazon EBS Volumes:
• $0.10 per GB-month of provisioned storage
• $0.10 per 1 million I/O requests
• $0.15 per GB of data transferred out
• Free – Data transfer in (until 6/30/2010)
Gathering Storm?
If the Cloud can be used for good, can it also be used for evil?
Appeal of the Cloud to “Mal-users”
Why use the Cloud for malicious computing?
• Cheap
• Powerful
• Temporary systems
• With fraud an increasing motivator of “mal-users”, less skill or interest in compromising systems
• Anonymous?
Access to the Cloud
Only a valid credit card and e-mail address are required to set up a cloud server.
Servers are controlled via web console and SSH. Easy to access through Tor or an anonymizer.
Stealing Amazon credentials can allow a mal-user to set up Cloud servers.
Cheap Power
Using your own equipment for processor-intensive tasks is likely cost prohibitive
Amazon EC2 High-CPU Extra Large Instance:
• 7 GB of memory
• 20 CPUs
• 1690 GB of instance storage
• Price: $0.25-0.68 per instance hour
Minimal Technical Controls
From our testing, no security controls on what can be run in the cloud
Received no warnings for scanning, vulnerability probes, or exploits
Attacks from the Cloud?
• Dartmouth has blocked 42 attacks from Amazon and Rackspace Servers in the past 6 months
• Other schools have reported similar findings
• A small percent of total blocks, but it indicates a potential trend
Attacks from the Cloud?
• If the model works for Amazon, could it work for more nefarious “companies”?
• Or, a different view…
• “The biggest cloud on the planet is owned by… the crooks”
http://www.networkworld.com/community/node/58829
Risks to Customers - IP addressing
• Filtering/blacklisting
• Attacks from the cloud to your network?
• Will it be hard to detect or block attacks from popular cloud services?
• Will you be blocked if other hosts in the cloud are creating problems?
“if the Rackspace Cloud IP numbers assigned to your account are listed on an abuse database… the Rackspace Cloud may take reasonable action to protect its IP numbers, including suspension and/or termination of your service, regardless of whether the IP numbers were listed as a result of your actions;”
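One way to approach the “will it be hard to detect or block attacks from popular cloud services” question above is to attribute firewall block events to provider address space, which is the kind of check behind the deck's 42-blocks figure. This is an added example, not from the deck: the log format, the sample lines and the ProviderA/ProviderB ranges (RFC 5737 documentation blocks standing in for provider-published ranges) are all constructed.

```python
"""Added example, not from the ISTS deck: attribute firewall block events to cloud
provider address space so 'attacks from the cloud' can be counted and reported."""
import ipaddress
import re
from collections import Counter

# Stand-in ranges: RFC 5737 documentation blocks used as constructed placeholders.
# A real deployment would load the provider-published IP ranges here instead.
CLOUD_RANGES = {
    "ProviderA": [ipaddress.ip_network("192.0.2.0/24")],
    "ProviderB": [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("203.0.113.0/25")],
}

# Constructed block-log format: "<timestamp> BLOCK src=... dst=... dport=... proto=..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) BLOCK src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample of a border firewall's block log (one line is deliberately malformed).
SAMPLE_LOG = """\
2010-07-12T03:14:07 BLOCK src=192.0.2.45 dst=10.1.4.20 dport=22 proto=tcp
2010-07-12T03:14:09 BLOCK src=192.0.2.45 dst=10.1.4.21 dport=22 proto=tcp
2010-07-12T04:02:51 BLOCK src=203.0.113.9 dst=10.1.7.5 dport=445 proto=tcp
2010-07-12T05:30:00 BLOCK src=172.16.9.200 dst=10.1.4.20 dport=3389 proto=tcp
2010-07-12T06:11:33 BLOCK src=203.0.113.200 dst=10.1.7.5 dport=80 proto=tcp
garbage line that should be skipped
"""


def parse_block_line(line):
    """Parse one block event; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def cloud_provider_for(ip_text):
    """Name of the provider whose published range contains the address, else None."""
    ip = ipaddress.ip_address(ip_text)
    for provider, nets in CLOUD_RANGES.items():
        if any(ip in net for net in nets):
            return provider
    return None


def summarize_blocks(log_text):
    """Count blocks per cloud provider and per source, plus the cloud share of all blocks."""
    total = 0
    per_provider = Counter()
    cloud_sources = Counter()   # (provider, src) -> blocks, for an abuse report to the provider
    for line in log_text.splitlines():
        event = parse_block_line(line)
        if event is None:
            continue
        total += 1
        provider = cloud_provider_for(event["src"])
        if provider:
            per_provider[provider] += 1
            cloud_sources[(provider, event["src"])] += 1
    cloud_total = sum(per_provider.values())
    share = round(100.0 * cloud_total / total, 1) if total else 0.0
    return {"total_blocks": total, "cloud_blocks": cloud_total, "cloud_share_pct": share,
            "per_provider": dict(per_provider), "cloud_sources": dict(cloud_sources)}


if __name__ == "__main__":
    print(summarize_blocks(SAMPLE_LOG))
```

The per-source counts are what you would hand to the provider's abuse contact; the share figure is the “small percent of total blocks” the deck tracks over time.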
Risk to Customers – Cloud Image Trojans
From an older Amazon EC2 AUP:
“You may not share or publish Amazon Machine Images (“AMIs”) or other content or applications on the AWS Website that are intended to cause, or have the consequence of causing, the user to be in violation of the terms and conditions of this Agreement.”
Risks to Customers – Denial of Service
• No control of inbound filtering to cloud servers
• Some AUPs state that a server can be blocked if under attack
• Amazon Customer Agreement: “…suspend access to Services… in the event of a denial of service attack or other attack on the Service”
• From GoGrid AUP: “GoGrid may also disable Customer's service if GoGrid suspects that such service is the target of an attack or in any way interferes with services provided to other customers, even if Customer is not at fault.”
• Will scans or other probes against a cloud server be enough to have the provider block it?
Risks to customers – Limited security auditing
Again, AUPs prohibit performing security tests against cloud servers
Minimal understanding of back-end security:
• What can cloud companies access?
• What controls do they have in place? (HR, Auditing)
Risks to customers – Data retention / e-discovery
• No published policies on how Cloud providers handle e-discovery requests
• What remains when a server or storage is deleted?
• Do Cloud providers perform their own backups? What is their retention policy?
• Do providers collect and retain access logs?
Risks to customers – Administrative Console
• Providers use a web-based admin console to control server instances
• Console accounts use username/password
• Doesn’t matter how well you lock down servers if an attacker can get console credentials
– Phishing/spear phishing
– Sharing credentials
– Guessing
– Sniffing
Risks to customers – Administrative Console
What about access codes and private keys? It may be difficult for admins to secure them appropriately
• Keys likely written to scripts and stored in cleartext
• Keys likely shared among system administrators
• Potential for malware to steal keys?
Possible solution? Private Cloud
Internal Private Clouds: provide a similar user experience to RackSpace and Amazon EC2 but run in your Data Center
• Eucalyptus – Commercially-backed open-source internal cloud
• VMWare vCloud, Citrix, and others
Private Cloud
Benefits of an internal Cloud:
• Reduced security risk
• Fewer bandwidth limitations
• In many cases, lower cost than IaaS providers and enterprise virtualization solutions
Potential uses of an internal cloud:
• Faculty and student coursework and research
• Test and development systems
• Short-term production servers
Private Cloud – Cost comparison
Server with 2 GB of RAM:
• Dedicated server: ~$100 a month
• Cloud Provider: ~$60 a month
• VMWare: ~$24 a month
• Internal Cloud: ~$12 a month
DCloud - Dartmouth Eucalyptus Project
• Open source Cloud software
• Works with open source XEN or KVM virtualization
• Implements Amazon specifications for EC2, S3, and EBS
• Compliant with Amazon API and tool suite
• Supports building a hybrid cloud with Amazon
DCloud - Eucalyptus Architecture (architecture diagram; not reproduced in this transcript)
Hybrid Cloud
• Combining public and private Clouds
• Microsoft, VMWare, and Eucalyptus/Amazon all have offerings
• Potential:
– Disaster Recovery
– Elasticity
– Lower cost redundancy
• Security still a concern
Thanks!
Adam Goldstein
IT Security Engineer
Peter Kiewit Computing Services
Ryan Speers – Dartmouth 2011
Ricky Melgares – Dartmouth 2011