Download pdf - Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

“…dare to dream; care to win…”

© Venkateswar Reddy Melachervu 2013. All rights reserved.

Venkateswar Reddy MelachervuAssociate Vice President – IT

www.linkedin.com/in/vmelachervu

[email protected]

Cloud Computing and SafetyLet’s Secure Cloud!

20th July 2013

In God we trust; All others, we virus scan

http://www.linkedin.com/in/vmelachervu

© 2010. All rights reserved.

Cloud Computing and Security© Venkateswar Reddy Melachervu 2013. All rights reserved.

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards”

- Unknown

Only the Paranoid Survive- Andy Grove, Former Chairman, Intel Inc.



“Some of the generally available information in the cloud on computing and cloud security is the inspiration and source for few topics - for the fear of re-inventing the wheel. I hereby thankfully acknowledge those sources”

Disclaimer



Agenda

Global Cyber Attacks Stats

What is Computing Security?

Cloud Computing, Models and Security Demystified

New Security Challenges of Cloud Computing

Security Dimensions – The CIA Triad

Scope of Cloud Computing Security

Security Challenge Eco-system

Vulnerabilities, Threats and Exposure Points

Attacks – Modes and Types

The Notorious Nine – Cloud Security Threats

Methods of Defence

Tenets of Security Control

Security Life Cycle

Cloud Security Components and Governance

Tiered Cloud Security Handling Framework

Bottom-line

Take-aways



In 1988 a "worm program“ – Morris Worm -written by a college student - Robert T. Morris, Jr. of Cornell University - shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber/Cloud attacks

First National Bank of Chicago is the victim of $70-million computer theft

Cyber Crime – The Beginning



Heartland Payment Systems

Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems.

March 2008

Incident Few Years Back



2012 Global Cyber Attacks Stats



Revenue loss

Customer data loss and liabilities

Embarrassment to yourself and/or the University

Having to recreate lost data

Identity theft

Data corruption or destruction

Loss of patient, employee, and public trust

Costly reporting requirements and penalties

Disciplinary action (up to expulsion or termination)

Unavailability of vital data

Security Violation Consequences



What’s Computing Security?



Protection of computing systems and the data that they store or access

To prevent theft of or damage to the hardware, Software etc. - Confidentiality

To prevent theft of or damage to the information and to protect privacy –Privacy and Integrity

To prevent disruption of service -Availability/Denial of Service

What Is Computing/IT Security?



Isn’t this just an IT Problem?

Why Do I Need to Learn About Computer Security?

Everyone who uses a computer needs to understand how to keep his or her computer and data secure

IT Security is a not a product, but a process



No major operating system has ever worked perfectly

No OS vendor has dared offer a warranty against malfunctions

It is far easier to build a secure system than to build a correct system

You might be able to live in a house with a few holes in the walls, but you will not be able to keep burglars out

Securing a system has traditionally been a battle of wits

The problem is people/exploitation - not computers

Why Computers Are Not Secure?



Cloud Computing – NIST Definition

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”

13



Cloud Computing - Business Definition

“A large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet”



On demand computational services over web

Spiky compute needs of the scientists

Horizontal and dynamic scaling with no additional cost

Increased throughput

Multi-tenant

Accessed over a network

Only pay for what you use

Shared internally or with other customers

Resources - storage, computing, services, etc.

Internal network or Internet

Similar to Timesharing

Rent IT resources vs. buy

Cloud Computing Demystified



Multi-Tenancy

16



Cloud Service Layers and Models

17

IaaS

PaaS

SaaSModelsLayers

AutonomousMore Control/ Flexibility

IaaS PaaS



Conventional Data Centre



Cloud Modelled Data Centre



Public, Private, Hybrid Clouds

20

http://en.wikipedia.org/wiki/File:Cloud_computing_types.svg

http://en.wikipedia.org/wiki/File:Cloud_computing_types.svg



Cloud ComputingEnablers and Inhibitors



Why Cloud Computing Brings New Security Challenges?

Data, applications, resources are located with provider

User identity management is handled by the cloud provider

User access control rules, security policies and enforcement are managed by the cloud provider

Multi-tenancy

Consumer relies on provider to ensure Data security and privacy

Resource availability

Monitoring and repairing of services/resources

Self-managed or Private Clouds overcome most of the above new threats

22



Security Dimensions – The CIA Triad

Secured

Hardware



Confidentiality

The need for keeping information secret Protecting proprietary designs from

competitors

Protecting a company’s personnel records

Protecting personal financial/ID info against ID theft

Applies to resource hiding System configuration data

Resources - Systems, Equipment, Services etc.



Integrity

Preventing improper or unauthorized change or access

Data integrity and system integrity

Non-repudiation Example : Digital Cert of the Origin Source



Availability Reliability and system design

To prevent Denial of Service Attacks - The attempts to block the availability of systems or services

System designs usually assume a statistical model to analyze expected patterns of use



Example 1: C vs. I+A

Disconnect computer from Internet to increase confidentiality

Availability suffers, integrity suffers due to lost updates

Example 2: I vs. C+A

Have extensive data checks by different people/systems to increase integrity

Confidentiality suffers as more people see data, availability suffers due to locks on data under verification)

Need to Balance CIA Triad



Scope of Cloud Security

Cloud

Data Center

LAN/WAN/Wifi/PLMN/

PAN

LAN/WAN/Wifi/PLMN/

PAN

Cloud Eco-system

C

I

A C



Security Challenge Eco-system

Ph

ysi

cal L

og

ical

Environmental

Operational

Hardware Software

HumansData

Network



Vulnerability A weakness in a security system

Threat Circumstances that have a potential to

cause harm

Exposure Points External access points that can be taken

advantage compromising security by most advanced attacker

Attack - materialization of a vulnerability/threat/compromised exposure point or combination)

Attack may be: Successful a.k.a. an exploit - Resulting in

a breach of security, a system penetration, etc.

Unsuccessful - When controls block a threat trying to exploit a vulnerability

Vulnerabilities, Threats, and Exposure Points



Software Deletion Easy to delete needed software by mistake

To prevent this: use configuration management software

Software Modification Worms, Trojan Horses, Viruses, Logic

Bombs, Trapdoors, Information Leaks ...

Software Theft Unauthorized copying

via P2P, etc.

Software Vulnerabilities



Add or remove a hardware device Ex: Snooping, wiretapping

Ex: Modification, alteration of a system

Physical attacks on hardware Accidental or voluntary Theft / destruction

Damage the machine (spilled coffe, mice, realbugs)

Steal the machine

Hardware Vulnerabilities



Network/Web Vulnerabilities

Phishing An evil website pretends to be a trusted website

Example: You type, by mistake, “mibank.com” instead of

“mybank.com”

mibank.com designs the site to look like mybank.com so the user types in their info as usual

BAD! Now an evil person has your info!

SQL Injection

Cross Site Scripting Writing a complex Javascript program that steals

data left by other sites that you have visited in same browsing session



Kinds of Threats

Interception An unauthorized party (human or not) gains

access to an asset

Interruption an asset becomes lost, unavailable, or

unusable

Modification an unauthorized party changes the state of an

asset

Fabrication an unauthorized party counterfeits an asset



Over the Internet

Over LAN

Locally

Offline

Theft

Deception

Modes of Attacks



Not all hackers are evil wrongdoers trying to steal your info

Classification 1 Amateurs

Opportunistic attackers (use a password theyfound)

Script kiddies

Hackers - nonmalicious In broad use beyond security community: also

malicious

Crackers – malicious

Career criminals

State-supported spies and information warriors

Classification 2 Recreational hackers / Institutional hackers

Organized criminals / Industrial spies / Terrorists

National intelligence gatherers / Info warriors

Types of Attackers



Common Attacks

Network Attacks Packet sniffing, man-in-the-middle, DNS

hacking

Web attacks Phishing, SQL Injection, Cross Site Scripting

OS, applications and software attacks Virus, Trojan, Worms, Rootkits, Buffer

Overflow



Network Attacks

Packet Sniffing Internet traffic consists of data “packets”, and these

can be “sniffed”

Leads to other attacks such aspassword sniffing, cookie stealing session hijacking, information stealing

Man in the Middle Insert a router in the path between client and server,

and change the packets as they pass through

DNS hijacking Insert malicious routes into DNS tables to send traffic

for genuine sites to malicious sites



Bacterium A specialized form of virus which does not attach to a specific file. Usage

obscure.

Logic bomb Malicious logic that activates when specified conditions are met. Usually

intended to cause denial of service or otherwise damage system resources.

Trapdoor A hidden computer flaw known to an intruder, or a hidden computer

mechanism (usually software) installed by an intruder, who can activate the trap door to gain access to the computer without being blocked by security services or mechanisms

Trojan horse A computer program that appears to have a useful function, but also has a

hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

Malicious SW Attacks



Virus A hidden, self-replicating section of computer software, usually malicious logic,

that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

Worm A computer program that can run independently, can propagate a complete

working version of itself onto other hosts on a network, and may consume computer resources destructively.

Malicious SW Attacks



Data Breaches

Data Loss

Account Hijacking

Insecure APIs

Denial of Service

Malicious Insiders

Abuse of Cloud Services

Insufficient Due Diligence

Shared Technology Issues

The Notorious NineCloud Computing Top Threats in 2013

Source : Cloud Security Alliance



Castle in Middle Ages

Location with natural obstacles

Surrounding moat

Drawbridge

Heavy walls

Strong gate

Tower

Guards

Computers Today Encryption

Software controls

Hardware controls

Policies and procedures

Multiple controls – physical and computational

System perimeter – defines inside/outside

Pre-emption – attacker scared away

Deterrence – attacker could not overcome defences

Faux environment – attack deflected towards a worthless target

Tenets of Security Defence and Control



Policy vs. Procedure

Policy: What is/what is not allowed

Procedure: How you enforce policy

Policy - must consider Alignment with users’ legal and ethical standards

Probability of use Inconvenient: 200 character password, change

password every week

Periodic reviews A given control usually becomess less effective with time

Need to replace ineffective/inefficient controls with better ones

Advantages of policy and procedural controls

Can replace hardware, software controls

Can be least expensive

Tenets of Security Control



Prevent attack Block attack / Close vulnerability

Deter attack Make attack harder (can’t make

it impossible )

Detect attack During or after

Deflect attack Make another target more

attractive than this target

Recover from attack

Security

Methods of Defence

IT Defense consists of:

Encryption

Software controls

Hardware controls

Policies

Physical controls



Security Life Cycle

Analyze Threats

Policy

Specification

Design

Implementation

Operation and Maintenance

Go

ve

rna

nce



Security Analysis Process

Identify Assets Which assets are we trying to protect?

What properties of these assets must be maintained?

Identify Threats What attacks can be mounted?

What other threats are there (natural disasters, etc.)?

Identify Countermeasures How can we counter those attacks?

Independent Analysis

46



Cloud Provisioning Services

Cloud Data Storage Services

Cloud Processing Infrastructure

Cloud Support Services

Cloud Network and Perimeter Security

Elastic Elements: Storage, Processing, and Virtual Networks

Cloud Security Components



Organize Threats – STRIDE Model

Spoofing identity

Tampering with data

Repudiation

Information disclosure

Denial of service

Elevation of privilege

48



Legal

Functional Which functions & services in the Cloud have

legal implications for both parties

Jurisdictional Which governments administer laws and

regulations impacting services, stakeholders, data assets

Contractual Terms & conditions

49



Governance

Identify, implement process, controls to maintain effective governance, risk mgt, compliance

Provider security governance should be assessed for sufficiency, maturity, consistency

50



Tiered Cloud Security Handling Framework

Physical Infrastructure

Tenant #2

APP

OS

APP

OS

Virtual Infrastructure

Physical Infrastructure

Cloud Provider

APP

OS

APP

OS

Virtual Infrastructure

Tenant #1

Insulate information from cloud providers’

employees

Insulate information from other

tenants

Insulate infrastructure from Malware, Trojans

and cybercriminals

Segregate and control user

access

Control and isolate VM in the

virtual infrastructure

Federate identities with public clouds

Identity federation

Virtual network security

Access Mgmt

Cybercrime intelligence

Strong authentication

Data loss prevention

Encryption & key mgmt

Tokenization

Governance

Anti-malware

Enable end to end view of security events and compliance and control across infrastructures



CCSK - Cloud Security Alliance Certifications

CISSP – (ISC)2

CPTC – Certified Penetration Testing Consultant

CPTE – Certified Penetration Testing Engineer

CompTIA – Security+

CSTA – Certified Security Testing Associate

GPEN – GIAC Certified Penetration Tester

OSCP – Offensive Security Certified Professional

CEH – Certified Ethical Hacker

ECSA – EC-Council Certified Security Analyst

CEPT – Certified Expert Penetration Tester

Security Certifications

Source : http://www.concise-courses.com/security/certifications-list/

http://www.concise-courses.com/security/difference-cpte-and-cptc/



http://www.concise-courses.com/mile2/cpte/bootcamp/

http://www.concise-courses.com/comptia/securityplus/bootcamp/

http://www.concise-courses.com/security/certifications-list/



Bottom Line

Engage in full risk management process for each case

For small and medium organizations Cloud security may be a big improvement!

Cost savings may be large (economies of scale)

For large organizations Already have large, secure data centers

Main sweet spots: Elastic services

Internet-facing services

Employ countermeasures

53



Take-Aways

Policy defines security and mechanisms enforce security Confidentiality

Integrity

Availability

Trust and knowing assumptions

Importance of assurance

The human factor

© Venkateswar Reddy Melachervu 2013. All rights reserved.

Cloud Computing and SafetyLet’s Secure Cloud!

20th July 2013

Venkateswar Reddy MelachervuAssociate Vice President – IT

www.linkedin.com/in/vmelachervu

[email protected]

In God we trust; All others, we virus scan

Thank You

“…dare to dream; care to win…”

http://www.linkedin.com/in/vmelachervu