“…dare to dream; care to win…” © Venkateswar Reddy Melachervu 2013. All rights reserved. Venkateswar Reddy Melachervu, Associate Vice President – IT. www.linkedin.com/in/vmelachervu [email protected] Cloud Computing and Safety – Let’s Secure Cloud! 20th July 2013. In God we trust; All others, we virus scan

Cloud Computing and Security - ISACA Hyderabad Chapter Presentation


DESCRIPTION

Global Cyber Attacks Stats; What is Computing Security?; Cloud Computing, Models and Security Demystified; New Security Challenges of Cloud Computing; Security Dimensions – The CIA Triad; Scope of Cloud Computing Security; Security Challenge Eco-system; Vulnerabilities, Threats and Exposure Points; Attacks – Modes and Types; The Notorious Nine – Cloud Security Threats; Methods of Defence; Tenets of Security Control; Security Life Cycle; Cloud Security Components and Governance; Tiered Cloud Security Handling Framework; Bottom-line; Take-aways

Text of Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

  • dare to dream; care to win

    Venkateswar Reddy Melachervu 2013. All rights reserved.

    Venkateswar Reddy Melachervu, Associate Vice President – IT

    www.linkedin.com/in/vmelachervu

    [email protected]

    Cloud Computing and Safety – Let's Secure Cloud!

    20th July 2013

    In God we trust; All others, we virus scan

  • 2010. All rights reserved.

    Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

    The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards

    - Unknown

    Only the Paranoid Survive

    - Andy Grove, Former Chairman, Intel Inc.

  • Disclaimer

    Some of the generally available information in the cloud on computing and cloud security is the inspiration and source for a few topics, for fear of re-inventing the wheel. I hereby thankfully acknowledge those sources.

  • Agenda

    Global Cyber Attacks Stats

    What is Computing Security?

    Cloud Computing, Models and Security Demystified

    New Security Challenges of Cloud Computing

    Security Dimensions – The CIA Triad

    Scope of Cloud Computing Security

    Security Challenge Eco-system

    Vulnerabilities, Threats and Exposure Points

    Attacks – Modes and Types

    The Notorious Nine – Cloud Security Threats

    Methods of Defence

    Tenets of Security Control

    Security Life Cycle

    Cloud Security Components and Governance

    Tiered Cloud Security Handling Framework

    Bottom-line

    Take-aways

  • Cyber Crime – The Beginning

    In 1988 a "worm program", the Morris Worm, written by a college student, Robert T. Morris, Jr. of Cornell University, shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber/Cloud attacks.

    First National Bank of Chicago is the victim of $70-million computer theft

  • Incident – Few Years Back

    Heartland Payment Systems

    March 2008

    Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems.

  • 2012 Global Cyber Attacks Stats

  • Security Violation Consequences

    Revenue loss

    Customer data loss and liabilities

    Embarrassment to yourself and/or the University

    Having to recreate lost data

    Identity theft

    Data corruption or destruction

    Loss of patient, employee, and public trust

    Costly reporting requirements and penalties

    Disciplinary action (up to expulsion or termination)

    Unavailability of vital data

  • What's Computing Security?

  • What Is Computing/IT Security?

    Protection of computing systems and the data that they store or access

    To prevent theft of or damage to the hardware, software, etc. – Confidentiality

    To prevent theft of or damage to the information and to protect privacy – Privacy and Integrity

    To prevent disruption of service – Availability/Denial of Service

  • Why Do I Need to Learn About Computer Security?

    Isn't this just an IT problem?

    Everyone who uses a computer needs to understand how to keep his or her computer and data secure

    IT security is not a product, but a process

  • Why Computers Are Not Secure?

    No major operating system has ever worked perfectly

    No OS vendor has dared offer a warranty against malfunctions

    It is far easier to build a secure system than to build a correct system

    You might be able to live in a house with a few holes in the walls, but you will not be able to keep burglars out

    Securing a system has traditionally been a battle of wits

    The problem is people/exploitation - not computers

  • Cloud Computing – NIST Definition

    Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction

  • Cloud Computing – Business Definition

    A large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet

  • Cloud Computing Demystified

    On demand computational services over web

    Spiky compute needs of the scientists

    Horizontal and dynamic scaling with no additional cost

    Increased throughput

    Multi-tenant

    Accessed over a network

    Only pay for what you use

    Shared internally or with other customers

    Resources - storage, computing, services, etc.

    Internal network or Internet

    Similar to Timesharing

    Rent IT resources vs. buy

  • Multi-Tenancy

  • Cloud Service Layers and Models

    [Figure: cloud service layers and models – IaaS, PaaS, SaaS; labels: Autonomous, More Control/Flexibility]

  • Conventional Data Centre

  • Cloud Modelled Data Centre

  • Public, Private, Hybrid Clouds

  • Cloud Computing – Enablers and Inhibitors

  • Why Cloud Computing Brings New Security Challenges?

    Data, applications, resources are located with provider

    User identity management is handled by the cloud provider

    User access control rules, security policies and enforcement are managed by the cloud provider

    Multi-tenancy

    Consumer relies on provider to ensure:

    Data security and privacy

    Resource availability

    Monitoring and repairing of services/resources

    Self-managed or Private Clouds overcome most of the above new threats

  • Security Dimensions – The CIA Triad

    [Figure: the CIA triad; labels: Secured, Hardware]

  • Confidentiality

    The need for keeping information secret:

    Protecting proprietary designs from competitors

    Protecting a company's personnel records

    Protecting personal financial/ID info against ID theft

    Applies to resource hiding:

    System configuration data

    Resources - Systems, Equipment, Services etc.

  • Integrity

    Preventing improper or unauthorized change or access

    Data integrity and system integrity

    Non-repudiation – Example: Digital Cert of the Origin Source

  • Availability

    Reliability and system design

    To prevent Denial of Service attacks – the attempts to block the availability of systems or services

    System designs usually assume a statistical model to analyze expected patterns of use

  • Need to Balance CIA Triad

    Example 1: C vs. I+A

    Disconnect computer from Internet to increase confidentiality

    Availability suffers, integrity suffers due to lost updates

    Example 2: I vs. C+A

    Have extensive data checks by different people/systems to increase integrity

    Confidentiality suffers as more people see data; availability suffers due to locks on data under verification

  • Scope of Cloud Security

    [Figure: Cloud Eco-system – Cloud, Data Center, and LAN/WAN/Wifi/PLMN/PAN access networks, annotated with C, I, A]

  • Security Challenge Eco-system

    [Figure labels: Physical, Logical, Environmental, Operational, Hardware, Software, Humans, Data, Network]

  • Vulnerabilities, Threats, and Exposure Points

    Vulnerability – A weakness in a security system

    Threat – Circumstances that have a potential to cause harm

    Exposure Points – External access points that the most advanced attacker can take advantage of to compromise security

    Attack – Materialization of a vulnerability, threat, or compromised exposure point (or a combination)

    Attack may be:

    Successful (a.k.a. an exploit) – Resulting in a breach of security, a system penetration, etc.

    Unsuccessful – When controls block a threat trying to exploit a vulnerability

  • Software Vulnerabilities

    Software Deletion – Easy to delete needed software by mistake

    To prevent this: use configuration management software

    Software Modification – Worms, Trojan Horses, Viruses, Logic Bombs, Trapdoors, Information Leaks ...

    Software Theft – Unauthorized copying via P2P, etc.

  • Hardware Vulnerabilities

    Add or remove a hardware device

    Ex: Snooping, wiretapping

    Ex: Modification, alteration of a system

    Physical attacks on hardware – Accidental or voluntary

    Theft / destruction

    Damage the machine (spilled coffee, mice, real bugs)

    Steal the machine

  • Network/Web Vulnerabilities

    Phishing – An evil website pretends to be a trusted website

    Example: You type, by mistake, mibank.com instead of mybank.com

    mibank.com designs the site to look like mybank.com so the user types in their info as usual

    BAD! Now an evil person has your info!

    SQL Injection

    Cross Site Scripting – Writing a complex JavaScript program that steals data left by other sites that you have visited in the same browsing session

  • Kinds of Threats

    Interception – An unauthorized party (human or not) gains access to an asset

    Interruption – An asset becomes lost, unavailable, or unusable

    Modification – An unauthorized party changes the state of an asset

    Fabrication – An unauthorized party counterfeits an asset

  • Modes of Attacks

    Over the Internet

    Over LAN

    Locally

    Offline

    Theft

    Deception

  • Types of Attackers

    Not all hackers are evil wrongdoers trying to steal your info

    Classification 1

    Amateurs

    Opportunistic attackers (use a password they found)

    Script kiddies

    Hackers – nonmalicious (in broad use beyond the security community: also malicious)

    Crackers – malicious

    Career criminals

    State-supported spies and information warriors

    Classification 2

    Recreational hackers / Institutional hackers

    Organized criminals / Industrial spies / Terrorists

    National intelligence gatherers / Info warriors

  • Common Attacks

    Network Attacks – Packet sniffing, man-in-the-middle, DNS hacking

    Web attacks – Phishing, SQL Injection, Cross Site Scripting

    OS, applications and software attacks – Virus, Trojan, Worms, Rootkits, Buffer Overflow

  • Network Attacks

    Packet Sniffing – Internet traffic consists of data packets, and these can be sniffed

    Leads to other attacks such as password sniffing, cookie stealing, session hijacking, information stealing

    Man in the Middle – Insert a router in the path between client and server, and change the packets as they pass through

    DNS hijacking – Insert malicious routes into DNS tables to send traffic for genuine sites to malicious sites

  • Malicious SW Attacks

    Bacterium – A specialized form of virus which does not attach to a specific file. Usage obscure.

    Logic bomb – Malicious logic that activates when specified conditions are met. Usually intended to cause denial of service or otherwise damage system resources.

    Trapdoor – A hidden computer flaw known to an intruder, or a hidden computer mechanism (usually software) installed by an intruder, who can activate the trap door to gain access to the computer without being blocked by security services or mechanisms

    Trojan horse – A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

  • Malicious SW Attacks

    Virus – A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

    Worm – A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.

  • The Notorious Nine – Cloud Computing Top Threats in 2013

    Data Breaches

    Data Loss

    Account Hijacking

    Insecure APIs

    Denial of Service

    Malicious Insiders

    Abuse of Cloud Services

    Insufficient Due Diligence

    Shared Technology Issues

    Source: Cloud Security Alliance

  • Tenets of Security Defence and Control

    Castle in Middle Ages:

    Location with natural obstacles

    Surrounding moat

    Drawbridge

    Heavy walls

    Strong gate

    Tower

    Guards

    Computers Today:

    Encryption

    Software controls

    Hardware controls

    Policies and procedures

    Multiple controls – physical and computational

    System perimeter – defines inside/outside

    Pre-emption – attacker scared away

    Deterrence – attacker could not overcome defences

    Faux environment – attack deflected towards a worthless target

  • Tenets of Security Control

    Policy vs. Procedure

    Policy: What is/what is not allowed

    Procedure: How you enforce policy

    Policy must consider:

    Alignment with users' legal and ethical standards

    Probability of use – Inconvenient: 200 character password, change password every week

    Periodic reviews – A given control usually becomes less effective with time

    Need to replace ineffective/inefficient controls with better ones

    Advantages of policy and procedural controls

    Can replace hardware, software controls

    Can be least expensive

  • Methods of Defence

    Prevent attack – Block attack / Close vulnerability

    Deter attack – Make attack harder (can't make it impossible)

    Detect attack – During or after

    Deflect attack – Make another target more attractive than this target

    Recover from attack

    IT Defense consists of:

    Encryption

    Software controls

    Hardware controls

    Policies

    Physical controls

  • Security Life Cycle

    Analyze Threats

    Policy

    Specification

    Design

    Implementation

    Operation and Maintenance

    Governance

  • Security Analysis Process

    Identify Assets – Which assets are we trying to protect?

    What properties of these assets must be maintained?

    Identify Threats – What attacks can be mounted?

    What other threats are there (natural disasters, etc.)?

    Identify Countermeasures – How can we counter those attacks?

    Independent Analysis

  • Cloud Security Components

    Cloud Provisioning Services

    Cloud Data Storage Services

    Cloud Processing Infrastructure

    Cloud Support Services

    Cloud Network and Perimeter Security

    Elastic Elements: Storage, Processing, and Virtual Networks

  • Organize Threats – STRIDE Model

    Spoofing identity

    Tampering with data

    Repudiation

    Information disclosure

    Denial of service

    Elevation of privilege

  • Legal

    Functional – Which functions & services in the Cloud have legal implications for both parties

    Jurisdictional – Which governments administer laws and regulations impacting services, stakeholders, data assets

    Contractual – Terms & conditions

  • Governance

    Identify, implement process, controls to maintain effective governance, risk mgt, compliance

    Provider security governance should be assessed for sufficiency, maturity, consistency

  • Tiered Cloud Security Handling Framework

    [Figure: Cloud Provider hosting Tenant #1 and Tenant #2, each with APP/OS stacks on Virtual Infrastructure over Physical Infrastructure]

    Insulate information from cloud providers' employees

    Insulate information from other tenants

    Insulate infrastructure from Malware, Trojans and cybercriminals

    Segregate and control user access

    Control and isolate VM in the virtual infrastructure

    Federate identities with public clouds

    Identity federation

    Virtual network security

    Access Mgmt

    Cybercrime intelligence

    Strong authentication

    Data loss prevention

    Encryption & key mgmt

    Tokenization

    Governance

    Anti-malware

    Enable end to end view of security events and compliance and control across infrastructures

  • Security Certifications

    CCSK – Cloud Security Alliance Certifications

    CISSP – (ISC)²

    CPTC – Certified Penetration Testing Consultant

    CPTE – Certified Penetration Testing Engineer

    CompTIA Security+

    CSTA – Certified Security Testing Associate

    GPEN – GIAC Certified Penetration Tester

    OSCP – Offensive Security Certified Professional

    CEH – Certified Ethical Hacker

    ECSA – EC-Council Certified Security Analyst

    CEPT – Certified Expert Penetration Tester

    Source: http://www.concise-courses.com/security/certifications-list/

  • Bottom Line

    Engage in full risk management process for each case

    For small and medium organizations:

    Cloud security may be a big improvement!

    Cost savings may be large (economies of scale)

    For large organizations:

    Already have large, secure data centers

    Main sweet spots:

    Elastic services

    Internet-facing services

    Employ countermeasures

  • Take-Aways

    Policy defines security and mechanisms enforce security:

    Confidentiality

    Integrity

    Availability

    Trust and knowing assumptions

    Importance of assurance

    The human factor

  • Venkateswar Reddy Melachervu 2013. All rights reserved.

    Cloud Computing and Safety – Let's Secure Cloud!

    20th July 2013

    Venkateswar Reddy Melachervu, Associate Vice President – IT

    www.linkedin.com/in/vmelachervu

    [email protected]

    In God we trust; All others, we virus scan

    Thank You

    dare to dream; care to win