Cloudy Security
Kia Manoochehri
Outline
Background
Threat Classification
◦ Traditional Threats
◦ Availability of cloud services
◦ Third-Party Control
The “Notorious Nine”
Contractual Obligations
What is “security”?
Security: “freedom from risk and danger”
In Computer Science we define security as…
◦ “the ability of a system to protect information and system resources with respect to confidentiality and integrity”
What is “security”?
Three core areas
◦ Confidentiality
◦ Integrity
◦ Authentication
What is “security”?
Some other security concepts
◦ Access Control
◦ Nonrepudiation
◦ Availability
◦ Privacy
Background
Cloud Service Providers (CSP) provide a “target rich environment”
Consolidation of information draws potential attackers
Potential problematic areas in the field of Cloud Computing aren’t transparent.
Threat Classification
Three broad classifications
◦ Traditional Threats
◦ Availability Threats
◦ Third-Party Control Threats
Traditional Threats (User)
Any time a computer is connected to the internet it is at risk…
◦ When we are dealing with Cloud based applications we are amplifying these threats
Question of responsibility
◦ User vs Provider
Traditional Threats (User)
Authorization and Authentication
◦ Individual access vs enterprise access
One solution would be to have tiered access
◦ Not every user is created equal!
Traditional Threats (Cloud)
Distributed Denial of Service attacks (DDoS)
SQL Injection
Phishing
Cross-Site Scripting
Traditional Threats (Cloud)
Digital forensics cannot be applied to the cloud
◦ Difficult to trace where an attack is from
Virtual Machine vulnerabilities extend to the cloud as well
Availability Threats
System failures
◦ http://www.forbes.com/sites/anthonykosner/2012/06/30/amazon-cloud-goes-down-friday-night-taking-netflix-instagram-and-pinterest-with-it/
◦ Amazon’s Elastic Compute Cloud (EC2) in North Virginia goes down due to lightning. Netflix, Instagram, and Pinterest were down for at least a few hours.
Third Party Control Threats
Problem stems from CSP outsourcing certain aspects of their operation
◦ How does this affect
Introduces more points of entry and vulnerability to the Cloud
“The Notorious Nine”
In 2010 the Cloud Security Alliance (CSA) had defined 7 major threats to Cloud Computing
February 2013 yielded their “Notorious Nine” list
◦ 9 major threats in Cloud Computing
“The Notorious Nine”
Data Breaches
◦ Currently the biggest threat
◦ The solution is encryption… but what if you lose the key?
◦ Backing up the data is not viable either
Example: Epsilon
“The Notorious Nine”
Data Loss
◦ Malicious deletion
◦ Accidental deletion by CSP
◦ Physical catastrophe
◦ Loss of the encryption key
Compliance policies require audit records
Example: Mat Honan
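Envelope encryption, as an added illustration of the point made on the Data Breaches and Data Loss slides (encrypt the data, but losing the key means losing the data): this is example code written for this page, not the presentation's, and it assumes Ruby's bundled openssl extension and a 32-byte master key that the customer generates and escrows themselves rather than handing to the CSP.

```ruby
require 'openssl'
require 'securerandom'

# Encrypt plaintext under a 32-byte key with AES-256-GCM.
# Returns the IV, the authentication tag and the ciphertext together.
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, tag: cipher.auth_tag, ct: ciphertext }
end

# Reverse of seal. A wrong key or tampered data raises OpenSSL::Cipher::CipherError.
def open_sealed(key, sealed)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = sealed[:iv]
  cipher.auth_tag = sealed[:tag]
  cipher.update(sealed[:ct]) + cipher.final
end

# What is handed to the CSP: the data under a fresh per-object data key, plus
# that data key wrapped under the customer's master key. The master key itself
# (assumed here to be 32 random bytes the customer generates) never leaves them.
def envelope_encrypt(master_key, plaintext)
  data_key = SecureRandom.random_bytes(32)
  { data: seal(data_key, plaintext), wrapped_key: seal(master_key, data_key) }
end

# Unwrap the data key with the master key, then decrypt the object.
def envelope_decrypt(master_key, envelope)
  data_key = open_sealed(master_key, envelope[:wrapped_key])
  open_sealed(data_key, envelope[:data])
end

# The "what if you lose the key?" case: try every surviving copy of the master
# key (live copy, escrow, backup HSM export). Returns [:recovered, plaintext]
# if any copy unwraps the envelope, and [:lost, nil] if none does.
def recover(envelope, candidate_master_keys)
  candidate_master_keys.each do |key|
    begin
      return [:recovered, envelope_decrypt(key, envelope)]
    rescue OpenSSL::Cipher::CipherError
      next # this copy does not unwrap the data key; try the next one
    end
  end
  [:lost, nil]
end
```

With no surviving copy of the master key the envelope is permanently unreadable, which is why an escrowed key, not another copy of the encrypted data, is the backup that matters here.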
“The Notorious Nine”
Account/Service Hijacking
◦ Phishing, fraud, software exploits
◦ Organizations should be proactive
◦ Two-Factor authentication
Example: XSS attack on Amazon
“The Notorious Nine”
Insecure Interfaces and APIs
◦ Any vulnerability in an API bleeds over
◦ Can affect security and availability
◦ Partially falls on the consumer
“The Notorious Nine”
Denial of Service
◦ From the user end… most frustrating
◦ Can cost cloud users $$$
◦ Makes the user doubt the cloud
“The Notorious Nine”
Malicious Insiders
◦ Straightforward
◦ Systems that depend only on the CSP for security are at greatest risk
◦ If data-usage encryption is used, the data is still vulnerable during storage
“The Notorious Nine”
Abuse of Cloud Services
◦ Using CSP for malicious purposes
◦ Hacking encryption keys via cloud
◦ DDoS attacks via cloud
◦ Problems of detection arise
“The Notorious Nine”
Insufficient Due Diligence
◦ Insufficient user experience
◦ Unknown levels of risk when using CSP
◦ Design and architecture issues for devs
◦ Countered by: capable resources, extensive internal understanding of risks
“The Notorious Nine”
Shared Technology Vulnerabilities
◦ CPU caches, GPUs are not designed to be isolated
◦ A single vulnerability can lead to an entire environment being compromised
Buffer Overflow
SQL Injection
Privilege escalation
SSL Certificate spoofing
Attacks on browser caches
Phishing attacks
Limiting resources
Privilege-related attacks
Data Distortion
Injecting additional operations
DDoS attacks
Contractual Obligations
Goal is to minimize the security risks
Contract between the CSP and user should:
◦ State CSP obligations to handle sensitive information securely and its compliance with privacy laws
◦ Spell out CSP liability for mishandling information
◦ Spell out CSP liability for data loss
◦ Spell out rules governing ownership of data
◦ Specify the geographical regions where information and backups can be stored.