SlideShare a Scribd company logo

Cloud security Presentation

Download as PPTX, PDF
A
Ajay p

The document discusses cloud computing security. It begins with an introduction to cloud computing that defines it and outlines its characteristics, service models, and deployment models. It then discusses common security concerns and attacks in cloud computing like DDoS attacks, side channel attacks, and attacks on management consoles. It provides best practices for different security domains like architecture, governance, compliance, and data security. It also discusses current industry initiatives in cloud security.

Education
1 of 46
Downloaded 97 times
1
2
3
4
Most read
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Most read
36
37
38
39
40
41
Most read
42
43
44
45
46
CLOUD COMPUTING SECURITYAjay Porus ISO27K LA,CPISIFounder & Director CSA Hyderabad ChapterLead Implementer Honey Net Project India1
AgendaIntroduction to Cloud ComputingCloud Architecture and CharacteristicsCloud Security Concerns and Attacks Different Security Domains Best PracticesWhat's going in Industry on Cloud 2
Introduction to Cloud ComputingIs It Really New?What is Cloud Computing?How Does it Evolve?What are the Characteristics of Cloud Computing?What is difference in Architecture from traditional Computing?What are different Services Delivery Models?What are different deployment models?Frame work of Cloud ComputingCloud Eco-System3
Is It Really New?No,its Not it’s the evolution of old technologies to a new level which bring together many technologies to provide huge computational powerFirst Cloud around networking (Network As a Cloud) as said ..”we Didn’t care where the message sent, the cloud had it from us” –Kevin Marks, GoogleSecond Cloud around Documents (WWW data abstraction)Third Cloud Present and future. This abstracts infrastructure complexities of servers, application, database and different platforms. (Amazon CEO)4
Cloud Computing DefinitionCloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of Seven essential characteristics, three service models, and four deployment models5
How Does it Evolve?MainframesMini ComputerPersonal desktopsClient – ServerIp NetworksMobile DevicesCloud Computing6
Characteristics of Cloud ComputingMulti-tenancy (shared resources)Massive scalabilityRapid ElasticityMeasured service On-demand self-serviceBroad network access7
Traditional vs Cloud ComputingDedicated/traditionalHigh upfront IT investments for new builds High cost of reliable infrastructure High complexity of IT environment Complex infrastructure IT Cloud computingReliability built into the cloud architectureLow upfront IT investmentspay-for-use modelModular IT architecture environmentsNo infrastructure8
Services Delivery Models9
Deployment ModelsPublic Cloud Private CloudCommunity CloudHybrid Cloud10
Cloud Computing Framework11
Cloud Computing FrameworkHybrid CloudsDeploymentModelsCommunityCloudPublic CloudServiceModelsPrivate CloudEssentialCharacteristicsSoftware as a Service (SaaS)Platform as a Service (PaaS)Infrastructure as a Service (IaaS)On Demand Self-ServiceMassive ScaleResilient ComputingBroad Network AccessRapid ElasticityHomogeneityGeographic DistributionCommon CharacteristicsVirtualizationService OrientationResource PoolingMeasured ServiceLow Cost SoftwareAdvanced Security12
Cloud Eco-System13
Cloud Security Concerns & Attacks General Security ConcernsCloud Security ChallengesTop Threats to Cloud ComputingDDOS & EDOSSide Channel AttackMIM Crypto graphic AttackPoisoned VM’sAttack Against Management ConsoleAbusing Cloud Billing Models and Cloud PhishingDNS Cache poisoning AttacksAuthentication Attack14
General Security ConcernsTrusting vendor’s security modelCustomer inability to respond to audit findingsObtaining support for investigationsIndirect administrator accountabilityProprietary implementations can’t be examinedLoss of physical control15
Cloud Security ChallengesData dispersal and international privacy lawsNeed for isolation managementLogging challengesData ownership issues Using SLAs to obtain cloud securityDependence on secure hypervisorsAttraction to hackers (high value target)Encryption needs for cloud computingHandling compliance16
Top Threats to Cloud Computing Abuse and Nefarious Use of Cloud ComputingInsecure Interfaces and APIsMalicious InsidersShared Technology IssuesAccount or Service HijackingLoss of governanceLock-InCompliance risksManagement interface compromiseData protection (Data Loss or Leakage)17
DDOS & EDOSDistributed denial of service: An attack that make computer or network resources unavailable.Economic denial of service: A DDosattack that make large number of request for which cloud user have to pay (generally per 100oo request 1$ in Amazon) Originates majorly from compromised computers18
Side Channel AttackAttack based on information gained from the physical implementation of a cryptosystem.Timing AttackPower Consumption Attack - Simple Power Analysis Attack (SPA) - Differential Power Analysis Attack (DPA)Electromagnetic AttackAcoustic Crypto AnalysisCache AttackDifferential Fault Analysis19
MIM Crypto graphic AttackPhishing ScamAttack Communication Steal Private or public KeyAttacker’s eavesdropping between the two partiesSend and execute malicious codeGain access to Victim’s system20
Poisoned VM’sAdministrator with full access to configure VMAddition of malicious codeTampering with AMI(Amazon Machine Image)Isolation provided by CSPLaunch of Shared AMI Preconfigured Malicious Business LogicNo ways till this time to find out.21
Attack Against Management ConsoleProprietary console of CSPMost critical console as environment can be changedGoogle Made 2 management consoles- 1st console for normal administration2nd to upload apps to google apps by cmd python script Amazon shared domain of EC2 and amazon.comIf vulnerability found Like CSRF attack on secret keys Once keys hacked then management console can be hacked22
Abusing Billing Models & Cloud PhishingPhishing Scams for AmazonPhishing from Amazon cloud Blacklisting Amazon domain in phishing databaseOnce secret key hacked Cloud based DDOS very costlyMillion of poisoned VM initiate by 1 CSRFattackPayment for the network and CPU consumption23
DNS Cache Poisoning AttacksShared IP’s Once IP released take time to clear from cache & Arp tableTill cleared can be accessed with same IPLack of Knowledge for DNS cache & ARP tableWashigton post face d problem at Amazon EC2Even IP released but had access from internal network24
Authentication AttackWeak PasswordGoogle Hack DatabaseSql InjectionsCross site ScriptingMan in the MiddleBrute force AttackSession HijackingSocial Engineering25
Different Security Domains Best PracticesCloud Computing Architectural Framework .Governance and Enterprise Risk ManagementLegal and Electronic DiscoveryCompliance and AuditData Security LifecyclePortability and InteroperabilityTraditional Security, BCP & DRData Center OperationsIncident ManagementApplication SecurityEncryption and Key ManagementIdentity and Access ManagementVirtualization Security26
Cloud Architectural SecurityHardware Security (xeon 5600, AES and TXT Support)Virtualization Security (Hypervisor Hardening)Guest OS Security (Operating system Hardening)Platform Security ( Patches and Updates)Application Security ( Secure Development Lifecycle)Network Security ( Firewall, IDS, IPS, VPN, SSL/TLS)Cryptographic Security (PGP Keys, AES, 3DES, 2-DNF)27
Governance and Risk ManagementInvest some of saved money for SecurityRobust IS governance with defined roles & responsibilitiesCollaborative governance structure between provider & customer Assess for sufficiency, maturity, and consistency with the user’s ISMS.SLA should be added in Risk assessmentNew approach for risk assessment from both end’s.CSP include metrics and controls 28
Legal and Electronic DiscoveryMutual understanding of each other’s R&R related to electronic discovery, litigation & Laws.Responsive Information security system to preserve data to authentic & reliable.Providing equal guardianship as in owner’s hand.Pre-contract due diligence, contract term negotiation, post-contract monitoring, and contract termination Unified process for responding to subpoenas, service of process, and other legal requests.29
Compliance and AuditInvolve Legal and Contracts Teams in SLARight to Audit ClauseAnalyze Compliance ScopeAnalyze Impact of Regulations on Data SecurityReview Relevant Partners and Services ProvidersAnalyze Impact of Regulations on Provider InfrastructureAuditor Qualification and SelectionCloud Provider’s SAS 70 Type IICloud Provider’s ISO/IEC 27001/27002 Roadmap30
Data Security LifecycleMaintain CIA of data Security practices and proceduresStrong SLA with all area’s. System of service penalties in SLAData ClassificationEncryptionPerform Regular Backup31
Portability and InteroperabilityIdentify and eliminate any provider-specific extensions to the VM environment. Appropriate de-provisioning of VM imagesAppropriate de-provisioning of discs & storage device. Platform components with a standard syntaxUnderstand the impacts on performance and availability of the application. Consistency of control effectiveness across old and new providers. Vendor to test and evaluate the applications before migration32
Traditional Security, BCP & DRCentralization of dataAdopting as a security baselinePerform onsite inspections of cloud provider facilitiesCustomers should inspect cloud provider disaster recoveryBCP Policy approved by the provider’s board of directors33
Data Center Operationspermission to conduct customer or external third-party audits.Demonstrate compartmentalization of systems, networks, management, provisioning, and personnel.SLA should be clearly defined, measurable, enforceable, and adequate for your requirementsContinual improvement in policies, processes, procedures.24*7*365 days Technical support should be available.34
Incident ManagementDefine incident and event before SLA signoff to CSPWhat incident detection and analysis tools used by CSPConducting proper risk management to stop incidentsA robust Security Information and Event Management (SIEM) requiredDeliver snapshots of the customer’s entire virtual environmentWhole data should be encrypted 35
Application Security Application assessment tools Create trust boundaries for SDLCUse Own VM with configured policies in IAASUse best practice to harden system as in DMZMulti-tenancy in application threat modelSecuring inter host communicationMetrics to assess effectiveness of Security ProgramKeep cloud architecture in Mind. 36
Encryption & Key ManagementEncrypting data In transit (SSL/TLS, SSH)Encrypting data at rest (AES128, 3DES, 2DNF)Encrypting data on Backup mediaUse of encryption data separate then for use.Stipulate encryption in contractDefine secure key lifecycle managementUse industry level key management systemsMake keys secure, limited access to key store & key backup. 37
Identity and Access ManagementAvoid proprietary identity provisioning system Use 2 factor authenticationConsider user centric authentication (Google, live Id)Use open standard for authentication and VPNUse of federated identity and gateways like SAML Use mechanism to transmit user info from PIP to PDPUse IdaaS to have better security & risk mitigation38
Virtualization SecurityIdentify types of virtualization provided by CSPUnderstand hypervisor security and isolation mechanismUnderstand security to protect administrative interfaces (API, web-based)Strong authentication mechanism with tamper proof logging and integrity monitoring toolsExplore Efficiency and feasibility of segregating VMsStrong reporting mechanism for raising alert if compromised 39
What's going in Industry on Cloud Different Initiatives Fabric ComputingHomomorphic EncryptionFuture of Cloud –Mobile Computing40
Different Initiatives Cloud Security AllianceCloud CertCloud CAMM(Capability and Maturity Model)Cloud Audit A6CCM ( Cloud Control Matrix Tool)CAI (Consensus Assessment InitiativeCSA GRC StackTrusted Cloud InitiativeCCSK (Certificate of Cloud Security Knowledge)Cloud Metrics Research41
Fabric ComputingNext generation computing by interconnecting nodes like fabric (including various clouds)High performance computing by loosely coupled storage network devices and parallel processors42
Homomorphic & Predicate EncryptionProcessing of encrypted data very difficultIBM announced Homomorphic encryption (2DNF+)Enables Processing of encrypted data.Require immense computational power Predicate encryption No need to Decrypt whole dataDecrypt only requiredSupporting Disjunctions, Polynomial Equations, and Inner Products43
Future of Cloud –Mobile ComputingMobile computing increasing rapidlyAndroid Platform next generation mobile computingApplication to access cloud on mobile phoneWi-Fi and 3G connection enabling high bandwidthSSL/TLS and SSH from Phone web browser to VM Trusted certificate and private key on phone2 factor Authentication (Fingerprint and password)Different platforms to configure cloud API’s44
Questions?45
Thank YouContact:www.csaindia.inajayporus@csaindia.inhttp://in.linkedin.com/in/ajayporusSkype: ajayporus1Yahoo: ajayporus198646

More Related Content

PDF
Cloud Security: A New Perspective
Wen-Pai Lu
 
PPTX
Cloud computing security issues and challenges
Dheeraj Negi
 
PPTX
Cloud security ppt
Venkatesh Chary
 
PPTX
Cloud Computing Security
Ninh Nguyen
 
PPT
Cloud computing simple ppt
Agarwaljay
 
PPTX
Cloud security and security architecture
Vladimir Jirasek
 
PPT
Introduction to Cloud Computing
CloudSyntrix
 
PPTX
Cloud computing and data security
Mohammed Fazuluddin
 
Cloud Security: A New Perspective
Wen-Pai Lu
 
Cloud computing security issues and challenges
Dheeraj Negi
 
Cloud security ppt
Venkatesh Chary
 
Cloud Computing Security
Ninh Nguyen
 
Cloud computing simple ppt
Agarwaljay
 
Cloud security and security architecture
Vladimir Jirasek
 
Introduction to Cloud Computing
CloudSyntrix
 
Cloud computing and data security
Mohammed Fazuluddin
 

What's hot (20)

PPTX
Cloud security
Niharika Varshney
 
PPTX
Network security
quest university nawabshah
 
PPT
Cloud Computing
Aniket Saxena
 
PPTX
Cloud Security
AWS User Group Bengaluru
 
PDF
Cloud computing
Shiva Prasad
 
PDF
Cloud security
BikashPokharel3
 
PPTX
Cia security model
Imran Ahmed
 
PPTX
Identity and Access Management (IAM)
Identacor
 
PPTX
Cloud Security
AWS User Group Bengaluru
 
PDF
Application Security - Your Success Depends on it
WSO2
 
PPT
Cloud deployment models
Ashok Kumar
 
PPT
Cloud security
Tushar Kayande
 
PPTX
Network security ppt
OECLIB Odisha Electronics Control Library
 
PPTX
Identity and Access Management Introduction
Aidy Tificate
 
PPTX
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
 
PPTX
Introduction to Cloud Security
Legal Services National Technology Assistance Project (LSNTAP)
 
PDF
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
Edureka!
 
PPTX
Basics of Cloud Computing
Pranav Vashistha
 
PDF
Introduction to Cloud Computing
Animesh Chaturvedi
 
PDF
Network Security Fundamentals
Rahmat Suhatman
 
Cloud security
Niharika Varshney
 
Network security
quest university nawabshah
 
Cloud Computing
Aniket Saxena
 
Cloud Security
AWS User Group Bengaluru
 
Cloud computing
Shiva Prasad
 
Cloud security
BikashPokharel3
 
Cia security model
Imran Ahmed
 
Identity and Access Management (IAM)
Identacor
 
Cloud Security
AWS User Group Bengaluru
 
Application Security - Your Success Depends on it
WSO2
 
Cloud deployment models
Ashok Kumar
 
Cloud security
Tushar Kayande
 
Network security ppt
OECLIB Odisha Electronics Control Library
 
Identity and Access Management Introduction
Aidy Tificate
 
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
 
Introduction to Cloud Security
Legal Services National Technology Assistance Project (LSNTAP)
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
Edureka!
 
Basics of Cloud Computing
Pranav Vashistha
 
Introduction to Cloud Computing
Animesh Chaturvedi
 
Network Security Fundamentals
Rahmat Suhatman
 
Ad

Viewers also liked (16)

PPT
Commercial T&C Mukul Draft
guest107b0
 
DOC
Verb To Bes
guest8560f
 
PPTX
Healthy Fruits
Niezzam Harun
 
PPTX
Strategisk bruk av sosiale medier, foredrag hos Abelia 20.08.2009
Merete Berg
 
PPT
Shift CD Presentation
guestb6e8f
 
DOC
Past Simple
guest8560f
 
PPTX
God kunnskapsledelse i praksis, foredrag for Dataforeningen Summit
Merete Berg
 
PDF
Shift Profie
guestb6e8f
 
PDF
profit from the core
Rink Tang
 
PDF
Print & Web Portfolio
lukeddennis
 
PDF
HoCare Interreg Europe project
Jan Kubalík
 
DOC
Presente Simple
guest8560f
 
PPT
Drms Inter Clinic Appointment
Niezzam Harun
 
PPTX
Why information security is becoming the most important for mid size business...
Ajay p
 
DOC
Past Simple
guest8560f
 
DOC
Verb To Be
guest8560f
 
Commercial T&C Mukul Draft
guest107b0
 
Verb To Bes
guest8560f
 
Healthy Fruits
Niezzam Harun
 
Strategisk bruk av sosiale medier, foredrag hos Abelia 20.08.2009
Merete Berg
 
Shift CD Presentation
guestb6e8f
 
Past Simple
guest8560f
 
God kunnskapsledelse i praksis, foredrag for Dataforeningen Summit
Merete Berg
 
Shift Profie
guestb6e8f
 
profit from the core
Rink Tang
 
Print & Web Portfolio
lukeddennis
 
HoCare Interreg Europe project
Jan Kubalík
 
Presente Simple
guest8560f
 
Drms Inter Clinic Appointment
Niezzam Harun
 
Why information security is becoming the most important for mid size business...
Ajay p
 
Past Simple
guest8560f
 
Verb To Be
guest8560f
 
Ad

Similar to Cloud security Presentation (20)

PPT
Brighttalk Challenges In Cloud Security
guestc416cd26
 
PPT
Effectively and Securely Using the Cloud Computing Paradigm
fanc1985
 
PPTX
cloud computing security in intenet.pptx
moromoro8
 
PPTX
Cloud and the Future of Networked Systems
James Urquhart
 
PPTX
Security in cloud computing kashyap kunal
Kashyap Kunal
 
PPTX
Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)
Manoj Kumar
 
PPT
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
TT L
 
PPT
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Bill Annibell
 
PPT
Cloud Ecosystems A Perspective
jmcdaniel650
 
PPTX
cloud computing models
Kiran Kumar Anumandla
 
PPT
Salesforce - Introduction to Security & Access
Vibrant Technologies & Computers
 
PPT
htcia-5-2015
Tony Godfrey
 
PPTX
Cloud computing
Ashish Mishra
 
PDF
YURY_CHEMERKIN__I-Society_2013_Conference.pdf
Yury Chemerkin
 
PPTX
Securing Your Public Cloud Infrastructure
Qualys
 
PPTX
Cloud security for financial services
Moshe Ferber
 
PPTX
Cloud computing – An Overview
Kannan Subbiah
 
PPTX
Cloud security v2
Shahar Geiger Maor
 
PPTX
Cloud Security using NIST guidelines
Srishti Ahuja
 
PPTX
Cloud Security using NIST guidelines
Srishti Ahuja
 
Brighttalk Challenges In Cloud Security
guestc416cd26
 
Effectively and Securely Using the Cloud Computing Paradigm
fanc1985
 
cloud computing security in intenet.pptx
moromoro8
 
Cloud and the Future of Networked Systems
James Urquhart
 
Security in cloud computing kashyap kunal
Kashyap Kunal
 
Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)
Manoj Kumar
 
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
TT L
 
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Bill Annibell
 
Cloud Ecosystems A Perspective
jmcdaniel650
 
cloud computing models
Kiran Kumar Anumandla
 
Salesforce - Introduction to Security & Access
Vibrant Technologies & Computers
 
htcia-5-2015
Tony Godfrey
 
Cloud computing
Ashish Mishra
 
YURY_CHEMERKIN__I-Society_2013_Conference.pdf
Yury Chemerkin
 
Securing Your Public Cloud Infrastructure
Qualys
 
Cloud security for financial services
Moshe Ferber
 
Cloud computing – An Overview
Kannan Subbiah
 
Cloud security v2
Shahar Geiger Maor
 
Cloud Security using NIST guidelines
Srishti Ahuja
 
Cloud Security using NIST guidelines
Srishti Ahuja
 

Recently uploaded (20)

PDF
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
PPTX
master seminar digital applications in india
ananyaray35
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PDF
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
pascalgumisiriza1
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PDF
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PDF
Introduction-to-Social-Work-by-Leonora-Serafeca-De-Guzman-Group-2.pdf
jonelinvento
 
PDF
Pre independence Education in Inndia.pdf
goofy5603
 
PDF
Basic Mud Logging Guide for educational purpose
wdandworks
 
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
master seminar digital applications in india
ananyaray35
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
pascalgumisiriza1
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
Introduction-to-Social-Work-by-Leonora-Serafeca-De-Guzman-Group-2.pdf
jonelinvento
 
Pre independence Education in Inndia.pdf
goofy5603
 
Basic Mud Logging Guide for educational purpose
wdandworks
 

Cloud security Presentation

  • 1. CLOUD COMPUTING SECURITYAjay Porus ISO27K LA,CPISIFounder & Director CSA Hyderabad ChapterLead Implementer Honey Net Project India1
  • 2. AgendaIntroduction to Cloud ComputingCloud Architecture and CharacteristicsCloud Security Concerns and Attacks Different Security Domains Best PracticesWhat's going in Industry on Cloud 2
  • 3. Introduction to Cloud ComputingIs It Really New?What is Cloud Computing?How Does it Evolve?What are the Characteristics of Cloud Computing?What is difference in Architecture from traditional Computing?What are different Services Delivery Models?What are different deployment models?Frame work of Cloud ComputingCloud Eco-System3
  • 4. Is It Really New?No,its Not it’s the evolution of old technologies to a new level which bring together many technologies to provide huge computational powerFirst Cloud around networking (Network As a Cloud) as said ..”we Didn’t care where the message sent, the cloud had it from us” –Kevin Marks, GoogleSecond Cloud around Documents (WWW data abstraction)Third Cloud Present and future. This abstracts infrastructure complexities of servers, application, database and different platforms. (Amazon CEO)4
  • 5. Cloud Computing DefinitionCloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of Seven essential characteristics, three service models, and four deployment models5
  • 6. How Does it Evolve?MainframesMini ComputerPersonal desktopsClient – ServerIp NetworksMobile DevicesCloud Computing6
  • 7. Characteristics of Cloud ComputingMulti-tenancy (shared resources)Massive scalabilityRapid ElasticityMeasured service On-demand self-serviceBroad network access7
  • 8. Traditional vs Cloud ComputingDedicated/traditionalHigh upfront IT investments for new builds High cost of reliable infrastructure High complexity of IT environment Complex infrastructure IT Cloud computingReliability built into the cloud architectureLow upfront IT investmentspay-for-use modelModular IT architecture environmentsNo infrastructure8
  • 10. Deployment ModelsPublic Cloud Private CloudCommunity CloudHybrid Cloud10
  • 12. Cloud Computing FrameworkHybrid CloudsDeploymentModelsCommunityCloudPublic CloudServiceModelsPrivate CloudEssentialCharacteristicsSoftware as a Service (SaaS)Platform as a Service (PaaS)Infrastructure as a Service (IaaS)On Demand Self-ServiceMassive ScaleResilient ComputingBroad Network AccessRapid ElasticityHomogeneityGeographic DistributionCommon CharacteristicsVirtualizationService OrientationResource PoolingMeasured ServiceLow Cost SoftwareAdvanced Security12
  • 14. Cloud Security Concerns & Attacks General Security ConcernsCloud Security ChallengesTop Threats to Cloud ComputingDDOS & EDOSSide Channel AttackMIM Crypto graphic AttackPoisoned VM’sAttack Against Management ConsoleAbusing Cloud Billing Models and Cloud PhishingDNS Cache poisoning AttacksAuthentication Attack14
  • 15. General Security ConcernsTrusting vendor’s security modelCustomer inability to respond to audit findingsObtaining support for investigationsIndirect administrator accountabilityProprietary implementations can’t be examinedLoss of physical control15
  • 16. Cloud Security ChallengesData dispersal and international privacy lawsNeed for isolation managementLogging challengesData ownership issues Using SLAs to obtain cloud securityDependence on secure hypervisorsAttraction to hackers (high value target)Encryption needs for cloud computingHandling compliance16
  • 17. Top Threats to Cloud Computing Abuse and Nefarious Use of Cloud ComputingInsecure Interfaces and APIsMalicious InsidersShared Technology IssuesAccount or Service HijackingLoss of governanceLock-InCompliance risksManagement interface compromiseData protection (Data Loss or Leakage)17
  • 18. DDOS & EDOSDistributed denial of service: An attack that make computer or network resources unavailable.Economic denial of service: A DDosattack that make large number of request for which cloud user have to pay (generally per 100oo request 1$ in Amazon) Originates majorly from compromised computers18
  • 19. Side Channel AttackAttack based on information gained from the physical implementation of a cryptosystem.Timing AttackPower Consumption Attack - Simple Power Analysis Attack (SPA) - Differential Power Analysis Attack (DPA)Electromagnetic AttackAcoustic Crypto AnalysisCache AttackDifferential Fault Analysis19
  • 20. MIM Crypto graphic AttackPhishing ScamAttack Communication Steal Private or public KeyAttacker’s eavesdropping between the two partiesSend and execute malicious codeGain access to Victim’s system20
  • 21. Poisoned VM’sAdministrator with full access to configure VMAddition of malicious codeTampering with AMI(Amazon Machine Image)Isolation provided by CSPLaunch of Shared AMI Preconfigured Malicious Business LogicNo ways till this time to find out.21
  • 22. Attack Against Management ConsoleProprietary console of CSPMost critical console as environment can be changedGoogle Made 2 management consoles- 1st console for normal administration2nd to upload apps to google apps by cmd python script Amazon shared domain of EC2 and amazon.comIf vulnerability found Like CSRF attack on secret keys Once keys hacked then management console can be hacked22
  • 23. Abusing Billing Models & Cloud PhishingPhishing Scams for AmazonPhishing from Amazon cloud Blacklisting Amazon domain in phishing databaseOnce secret key hacked Cloud based DDOS very costlyMillion of poisoned VM initiate by 1 CSRFattackPayment for the network and CPU consumption23
  • 24. DNS Cache Poisoning AttacksShared IP’s Once IP released take time to clear from cache & Arp tableTill cleared can be accessed with same IPLack of Knowledge for DNS cache & ARP tableWashigton post face d problem at Amazon EC2Even IP released but had access from internal network24
  • 25. Authentication AttackWeak PasswordGoogle Hack DatabaseSql InjectionsCross site ScriptingMan in the MiddleBrute force AttackSession HijackingSocial Engineering25
  • 26. Different Security Domains Best PracticesCloud Computing Architectural Framework .Governance and Enterprise Risk ManagementLegal and Electronic DiscoveryCompliance and AuditData Security LifecyclePortability and InteroperabilityTraditional Security, BCP & DRData Center OperationsIncident ManagementApplication SecurityEncryption and Key ManagementIdentity and Access ManagementVirtualization Security26
  • 27. Cloud Architectural SecurityHardware Security (xeon 5600, AES and TXT Support)Virtualization Security (Hypervisor Hardening)Guest OS Security (Operating system Hardening)Platform Security ( Patches and Updates)Application Security ( Secure Development Lifecycle)Network Security ( Firewall, IDS, IPS, VPN, SSL/TLS)Cryptographic Security (PGP Keys, AES, 3DES, 2-DNF)27
  • 28. Governance and Risk ManagementInvest some of saved money for SecurityRobust IS governance with defined roles & responsibilitiesCollaborative governance structure between provider & customer Assess for sufficiency, maturity, and consistency with the user’s ISMS.SLA should be added in Risk assessmentNew approach for risk assessment from both end’s.CSP include metrics and controls 28
  • 29. Legal and Electronic DiscoveryMutual understanding of each other’s R&R related to electronic discovery, litigation & Laws.Responsive Information security system to preserve data to authentic & reliable.Providing equal guardianship as in owner’s hand.Pre-contract due diligence, contract term negotiation, post-contract monitoring, and contract termination Unified process for responding to subpoenas, service of process, and other legal requests.29
  • 30. Compliance and AuditInvolve Legal and Contracts Teams in SLARight to Audit ClauseAnalyze Compliance ScopeAnalyze Impact of Regulations on Data SecurityReview Relevant Partners and Services ProvidersAnalyze Impact of Regulations on Provider InfrastructureAuditor Qualification and SelectionCloud Provider’s SAS 70 Type IICloud Provider’s ISO/IEC 27001/27002 Roadmap30
  • 31. Data Security LifecycleMaintain CIA of data Security practices and proceduresStrong SLA with all area’s. System of service penalties in SLAData ClassificationEncryptionPerform Regular Backup31
  • 32. Portability and InteroperabilityIdentify and eliminate any provider-specific extensions to the VM environment. Appropriate de-provisioning of VM imagesAppropriate de-provisioning of discs & storage device. Platform components with a standard syntaxUnderstand the impacts on performance and availability of the application. Consistency of control effectiveness across old and new providers. Vendor to test and evaluate the applications before migration32
  • 33. Traditional Security, BCP & DRCentralization of dataAdopting as a security baselinePerform onsite inspections of cloud provider facilitiesCustomers should inspect cloud provider disaster recoveryBCP Policy approved by the provider’s board of directors33
  • 34. Data Center Operationspermission to conduct customer or external third-party audits.Demonstrate compartmentalization of systems, networks, management, provisioning, and personnel.SLA should be clearly defined, measurable, enforceable, and adequate for your requirementsContinual improvement in policies, processes, procedures.24*7*365 days Technical support should be available.34
  • 35. Incident ManagementDefine incident and event before SLA signoff to CSPWhat incident detection and analysis tools used by CSPConducting proper risk management to stop incidentsA robust Security Information and Event Management (SIEM) requiredDeliver snapshots of the customer’s entire virtual environmentWhole data should be encrypted 35
  • 36. Application Security Application assessment tools Create trust boundaries for SDLCUse Own VM with configured policies in IAASUse best practice to harden system as in DMZMulti-tenancy in application threat modelSecuring inter host communicationMetrics to assess effectiveness of Security ProgramKeep cloud architecture in Mind. 36
  • 37. Encryption & Key ManagementEncrypting data In transit (SSL/TLS, SSH)Encrypting data at rest (AES128, 3DES, 2DNF)Encrypting data on Backup mediaUse of encryption data separate then for use.Stipulate encryption in contractDefine secure key lifecycle managementUse industry level key management systemsMake keys secure, limited access to key store & key backup. 37
  • 38. Identity and Access ManagementAvoid proprietary identity provisioning system Use 2 factor authenticationConsider user centric authentication (Google, live Id)Use open standard for authentication and VPNUse of federated identity and gateways like SAML Use mechanism to transmit user info from PIP to PDPUse IdaaS to have better security & risk mitigation38
  • 39. Virtualization SecurityIdentify types of virtualization provided by CSPUnderstand hypervisor security and isolation mechanismUnderstand security to protect administrative interfaces (API, web-based)Strong authentication mechanism with tamper proof logging and integrity monitoring toolsExplore Efficiency and feasibility of segregating VMsStrong reporting mechanism for raising alert if compromised 39
  • 40. What's going in Industry on Cloud Different Initiatives Fabric ComputingHomomorphic EncryptionFuture of Cloud –Mobile Computing40
  • 41. Different Initiatives Cloud Security AllianceCloud CertCloud CAMM(Capability and Maturity Model)Cloud Audit A6CCM ( Cloud Control Matrix Tool)CAI (Consensus Assessment InitiativeCSA GRC StackTrusted Cloud InitiativeCCSK (Certificate of Cloud Security Knowledge)Cloud Metrics Research41
  • 42. Fabric ComputingNext generation computing by interconnecting nodes like fabric (including various clouds)High performance computing by loosely coupled storage network devices and parallel processors42
  • 43. Homomorphic & Predicate EncryptionProcessing of encrypted data very difficultIBM announced Homomorphic encryption (2DNF+)Enables Processing of encrypted data.Require immense computational power Predicate encryption No need to Decrypt whole dataDecrypt only requiredSupporting Disjunctions, Polynomial Equations, and Inner Products43
  • 44. Future of Cloud –Mobile ComputingMobile computing increasing rapidlyAndroid Platform next generation mobile computingApplication to access cloud on mobile phoneWi-Fi and 3G connection enabling high bandwidthSSL/TLS and SSH from Phone web browser to VM Trusted certificate and private key on phone2 factor Authentication (Fingerprint and password)Different platforms to configure cloud API’s44

Editor's Notes

  • #39: PIP policy information point pdp policy decision point