Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

“…dare to dream; care to win…”
© Venkateswar Reddy Melachervu 2013. All rights reserved.
Venkateswar Reddy Melachervu
Associate Vice President – IT
www.linkedin.com/in/vmelachervu
vmelachervu@gmail.com
Cloud Computing and Safety
Let’s Secure Cloud!
20th July 2013
In God we trust; All others, we virus scan

© 2010. All rights reserved.
Cloud Computing and Security
“The only truly secure system is one that is powered off,
cast in a block of concrete and sealed in a lead-lined room
with armed guards”
- Unknown
Only the Paranoid Survive
- Andy Grove, Former Chairman, Intel Inc.

“Some of the generally available information in the cloud on computing and cloud security is
the inspiration and source for few topics - for the fear of re-inventing the wheel. I hereby
thankfully acknowledge those sources”
Disclaimer

Agenda
 Global Cyber Attacks Stats
 What is Computing Security?
 Cloud Computing, Models and Security Demystified
 New Security Challenges of Cloud Computing
 Security Dimensions – The CIA Triad
 Scope of Cloud Computing Security
 Security Challenge Eco-system
 Vulnerabilities, Threats and Exposure Points
 Attacks – Modes and Types
 The Notorious Nine – Cloud Security Threats
 Methods of Defence
 Tenets of Security Control
 Security Life Cycle
 Cloud Security Components and Governance
 Tiered Cloud Security Handling Framework
 Bottom-line
 Take-aways

 In 1988 a "worm program“ – Morris Worm -
written by a college student - Robert T.
Morris, Jr. of Cornell University - shut down
about 10 percent of computers connected to
the Internet. This was the beginning of the
era of cyber/Cloud attacks
 First National Bank of Chicago is the victim of
$70-million computer theft
Cyber Crime – The Beginning

 Heartland Payment Systems
 Impact: 134 million credit cards
exposed through SQL injection to install
spyware on Heartland's data systems.
 March 2008
Incident Few Years Back

2012 Global Cyber Attacks Stats

 Revenue loss
 Customer data loss and liabilities
 Embarrassment to yourself and/or the
University
 Having to recreate lost data
 Identity theft
 Data corruption or destruction
 Loss of patient, employee, and public trust
 Costly reporting requirements and penalties
 Disciplinary action (up to expulsion or
termination)
 Unavailability of vital data
Security Violation Consequences

What’s Computing Security?

 Protection of computing systems and the
data that they store or access
 To prevent theft of or damage to the
hardware, Software etc. - Confidentiality
 To prevent theft of or damage to the
information and to protect privacy –
Privacy and Integrity
 To prevent disruption of service -
Availability/Denial of Service
What Is Computing/IT Security?

Isn’t this just an IT Problem?
Why Do I Need to Learn About Computer
Security?
Everyone who uses a computer needs to understand how
to keep his or her computer and data secure
IT Security is a not a product, but a process

 No major operating system has ever worked perfectly
 No OS vendor has dared offer a warranty against
malfunctions
 It is far easier to build a secure system than to build a
correct system
 You might be able to live in a house with a few holes
in the walls, but you will not be able to keep burglars
out
 Securing a system has traditionally been a battle of
wits
 The problem is people/exploitation - not computers
Why Computers Are Not Secure?

Cloud Computing – NIST Definition
“Cloud computing is a model for enabling convenient,
on-demand network access to a shared pool of
configurable computing resources (networks, servers,
storage, applications, and services) that can be
rapidly provisioned and released with minimal
management effort or service provider interaction”
13

Cloud Computing - Business
Definition
“A large-scale distributed computing
paradigm that is driven by economies of
scale, in which a pool of abstracted,
virtualized, dynamically-scalable,
managed computing power, storage,
platforms, and services are delivered on
demand to external customers over the
Internet”

 On demand computational services over
web
 Spiky compute needs of the scientists
 Horizontal and dynamic scaling with no
additional cost
 Increased throughput
 Multi-tenant
 Accessed over a network
 Only pay for what you use
 Shared internally or with other customers
 Resources - storage, computing, services, etc.
 Internal network or Internet
 Similar to Timesharing
 Rent IT resources vs. buy
Cloud Computing Demystified

Multi-Tenancy
16

Cloud Service Layers and Models
17
IaaS
PaaS
SaaSModelsLayers
AutonomousMore Control/ Flexibility
IaaS PaaS

Conventional Data Centre

Cloud Modelled Data Centre

Public, Private, Hybrid Clouds
20

Cloud Computing
Enablers and Inhibitors

Why Cloud Computing Brings
New Security Challenges?
 Data, applications, resources are located with
provider
 User identity management is handled by the
cloud provider
 User access control rules, security policies and
enforcement are managed by the cloud
provider
 Multi-tenancy
 Consumer relies on provider to ensure
 Data security and privacy
 Resource availability
 Monitoring and repairing of services/resources
 Self-managed or Private Clouds overcome
most of the above new threats
22

Security Dimensions – The CIA Triad
Secured
Hardware

Confidentiality
 The need for keeping information
secret
 Protecting proprietary designs from
competitors
 Protecting a company’s personnel records
 Protecting personal financial/ID info
against ID theft
 Applies to resource hiding
 System configuration data
 Resources - Systems, Equipment, Services
etc.

Integrity
 Preventing improper or unauthorized
change or access
 Data integrity and system integrity
 Non-repudiation
 Example : Digital Cert of the Origin Source

Availability
 Reliability and system design
 To prevent Denial of Service Attacks - The
attempts to block the availability of systems or
services
 System designs usually assume a statistical
model to analyze expected patterns of use

 Example 1: C vs. I+A
 Disconnect computer from Internet to
increase confidentiality
 Availability suffers, integrity suffers due to
lost updates
 Example 2: I vs. C+A
 Have extensive data checks by different
people/systems to increase integrity
 Confidentiality suffers as more people see
data, availability suffers due to locks on data
under verification)
Need to Balance CIA Triad

Scope of Cloud Security
Cloud
Data Center
LAN/WAN/
Wifi/PLMN/
PAN
LAN/WAN/
Wifi/PLMN/
PAN
Cloud Eco-system
C
I
A C

Security Challenge Eco-system
Physical
Logical
Environmental
Operational
Hardware Software
HumansData
Network

 Vulnerability
 A weakness in a security system
 Threat
 Circumstances that have a potential to
cause harm
 Exposure Points
 External access points that can be taken
advantage compromising security by
most advanced attacker
 Attack - materialization of a
vulnerability/threat/compromised
exposure point or combination)
 Attack may be:
 Successful a.k.a. an exploit - Resulting in
a breach of security, a system
penetration, etc.
 Unsuccessful - When controls block a
threat trying to exploit a vulnerability
Vulnerabilities, Threats, and
Exposure Points

 Software Deletion
 Easy to delete needed software by mistake
 To prevent this: use configuration
management software
 Software Modification
 Worms, Trojan Horses, Viruses, Logic
Bombs, Trapdoors, Information Leaks ...
 Software Theft
 Unauthorized copying
 via P2P, etc.
Software Vulnerabilities

 Add or remove a hardware
device
 Ex: Snooping, wiretapping
Ex: Modification, alteration of a
system
 Physical attacks on hardware
 Accidental or voluntary
 Theft / destruction
 Damage the machine
(spilled coffe, mice, real
bugs)
 Steal the machine
Hardware Vulnerabilities

Network/Web Vulnerabilities
 Phishing
 An evil website pretends to be a trusted website
 Example:
 You type, by mistake, “mibank.com” instead of
“mybank.com”
 mibank.com designs the site to look like mybank.com
so the user types in their info as usual
 BAD! Now an evil person has your info!
 SQL Injection
 Cross Site Scripting
 Writing a complex Javascript program that steals
data left by other sites that you have visited in same
browsing session

Kinds of Threats
 Interception
 An unauthorized party (human or not) gains
access to an asset
 Interruption
 an asset becomes lost, unavailable, or
unusable
 Modification
 an unauthorized party changes the state of an
asset
 Fabrication
 an unauthorized party counterfeits an asset

 Over the Internet
 Over LAN
 Locally
 Offline
 Theft
 Deception
Modes of Attacks

 Not all hackers are evil wrongdoers trying to steal
your info
 Classification 1
 Amateurs
 Opportunistic attackers (use a password they
found)
 Script kiddies
 Hackers - nonmalicious
 In broad use beyond security community: also
malicious
 Crackers – malicious
 Career criminals
 State-supported spies and information warriors
 Classification 2
 Recreational hackers / Institutional hackers
 Organized criminals / Industrial spies / Terrorists
 National intelligence gatherers / Info warriors
Types of Attackers

Common Attacks
 Network Attacks
 Packet sniffing, man-in-the-middle, DNS
hacking
 Web attacks
 Phishing, SQL Injection, Cross Site Scripting
 OS, applications and software attacks
 Virus, Trojan, Worms, Rootkits, Buffer
Overflow

Network Attacks
 Packet Sniffing
 Internet traffic consists of data “packets”, and these
can be “sniffed”
 Leads to other attacks such as
password sniffing, cookie
stealing session hijacking,
information stealing
 Man in the Middle
 Insert a router in the path between client and server,
and change the packets as they pass through
 DNS hijacking
 Insert malicious routes into DNS tables to send traffic
for genuine sites to malicious sites

 Bacterium
 A specialized form of virus which does not attach to a specific file. Usage
obscure.
 Logic bomb
 Malicious logic that activates when specified conditions are met. Usually
intended to cause denial of service or otherwise damage system resources.
 Trapdoor
 A hidden computer flaw known to an intruder, or a hidden computer
mechanism (usually software) installed by an intruder, who can activate the
trap door to gain access to the computer without being blocked by security
services or mechanisms
 Trojan horse
 A computer program that appears to have a useful function, but also has a
hidden and potentially malicious function that evades security mechanisms,
sometimes by exploiting legitimate authorizations of a system entity that
invokes the program.
Malicious SW Attacks

 Virus
 A hidden, self-replicating section of computer software, usually malicious logic,
that propagates by infecting (i.e., inserting a copy of itself into and becoming
part of) another program. A virus cannot run by itself; it requires that its host
program be run to make the virus active.
 Worm
 A computer program that can run independently, can propagate a complete
working version of itself onto other hosts on a network, and may consume
computer resources destructively.
Malicious SW Attacks

 Data Breaches
 Data Loss
 Account Hijacking
 Insecure APIs
 Denial of Service
 Malicious Insiders
 Abuse of Cloud Services
 Insufficient Due Diligence
 Shared Technology Issues
The Notorious Nine
Cloud Computing Top Threats in 2013
Source : Cloud Security Alliance

 Castle in Middle Ages
 Location with natural
obstacles
 Surrounding moat
 Drawbridge
 Heavy walls
 Strong gate
 Tower
 Guards
 Computers Today
 Encryption
 Software controls
 Hardware controls
 Policies and procedures
 Multiple controls – physical and
computational
 System perimeter – defines
inside/outside
 Pre-emption – attacker scared away
 Deterrence – attacker could not
overcome defences
 Faux environment – attack deflected
towards a worthless target
Tenets of Security Defence
and Control

 Policy vs. Procedure
 Policy: What is/what is not allowed
 Procedure: How you enforce policy
 Policy - must consider
 Alignment with users’ legal and ethical standards
 Probability of use
 Inconvenient: 200 character password, change
password every week
 Periodic reviews
 A given control usually becomess less effective with time
 Need to replace ineffective/inefficient controls with
better ones
 Advantages of policy and procedural controls
 Can replace hardware, software controls
 Can be least expensive
Tenets of Security Control

 Prevent attack
 Block attack / Close vulnerability
 Deter attack
 Make attack harder (can’t make
it impossible )
 Detect attack
 During or after
 Deflect attack
 Make another target more
attractive than this target
 Recover from attack
Security
Methods of Defence
 IT Defense consists of:
 Encryption
 Software controls
 Hardware controls
 Policies
 Physical controls

Security Life Cycle
Analyze Threats
Policy
Specification
Design
Implementation
Operation and Maintenance
Governance

Security Analysis Process
 Identify Assets
 Which assets are we trying to protect?
 What properties of these assets must be
maintained?
 Identify Threats
 What attacks can be mounted?
 What other threats are there (natural
disasters, etc.)?
 Identify Countermeasures
 How can we counter those attacks?
 Independent Analysis
46

 Cloud Provisioning Services
 Cloud Data Storage Services
 Cloud Processing Infrastructure
 Cloud Support Services
 Cloud Network and Perimeter
Security
 Elastic Elements: Storage,
Processing, and Virtual Networks
Cloud Security Components

Organize Threats – STRIDE Model
 Spoofing identity
 Tampering with data
 Repudiation
 Information disclosure
 Denial of service
 Elevation of privilege
48

Legal
 Functional
 Which functions & services in the Cloud have
legal implications for both parties
 Jurisdictional
 Which governments administer laws and
regulations impacting services, stakeholders,
data assets
 Contractual
 Terms & conditions
49

Governance
 Identify, implement process, controls to
maintain effective governance, risk mgt,
compliance
 Provider security governance should be
assessed for sufficiency, maturity, consistency
50

Tiered Cloud Security Handling
Framework
Physical Infrastructure
Tenant
#2
APP
OS
APP
OS
Virtual Infrastructure
Physical Infrastructure
Cloud Provider
APP
OS
APP
OS
Virtual Infrastructure
Tenant
#1
Insulate
information from
cloud providers’
employees
Insulate
information
from other
tenants
Insulate infrastructure
from Malware, Trojans
and cybercriminals
Segregate and
control user
access
Control and
isolate VM in the
virtual
infrastructure
Federate
identities with
public clouds
Identity
federation
Virtual
network
security
Access
Mgmt
Cybercrime
intelligence
Strong
authentication
Data loss
prevention
Encryption &
key mgmt
Tokenization
Governance
Anti-malware
Enable end to end view of security events and compliance and control across
infrastructures

 CCSK - Cloud Security Alliance Certifications
 CISSP – (ISC)2
 CPTC – Certified Penetration Testing Consultant
 CPTE – Certified Penetration Testing Engineer
 CompTIA – Security+
 CSTA – Certified Security Testing Associate
 GPEN – GIAC Certified Penetration Tester
 OSCP – Offensive Security Certified Professional
 CEH – Certified Ethical Hacker
 ECSA – EC-Council Certified Security Analyst
 CEPT – Certified Expert Penetration Tester
Security Certifications
Source : http://www.concise-courses.com/security/certifications-list/

Bottom Line
 Engage in full risk management process
for each case
 For small and medium organizations
 Cloud security may be a big improvement!
 Cost savings may be large (economies of scale)
 For large organizations
 Already have large, secure data centers
 Main sweet spots:
 Elastic services
 Internet-facing services
 Employ countermeasures
53

Take-Aways
 Policy defines security and
mechanisms enforce security
 Confidentiality
 Integrity
 Availability
 Trust and knowing assumptions
 Importance of assurance
 The human factor

Cloud Computing and Safety
Let’s Secure Cloud!
20th July 2013
Venkateswar Reddy Melachervu
Associate Vice President – IT
www.linkedin.com/in/vmelachervu
vmelachervu@gmail.com
In God we trust; All others, we virus scan
Thank You
“…dare to dream; care to win…”

Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

More Related Content

What's hot (20)

Viewers also liked (19)

Similar to Cloud Computing and Security - ISACA Hyderabad Chapter Presentation (20)

More from Venkateswar Reddy Melachervu (8)

Recently uploaded (20)

Cloud Computing and Security - ISACA Hyderabad Chapter Presentation