Cloud Security Chapter

The document discusses fundamental concepts of cloud security. It begins with an introduction to cloud computing and outlines its growth and benefits. Next, it covers cloud computing standards including NIST definitions of essential characteristics, service models (IaaS, PaaS, SaaS), and deployment models (public, private, hybrid, community). The remainder discusses specific cloud security issues, attack mechanisms, and protection solutions.

Uploaded by Kajal

Fundamental of Cloud Security

Salim Hariri, UA Site Director


NSF Center for Cloud and Autonomic Computing
The University of Arizona
nsfcac.arizona.edu
hariri@ece.arizona.edu

Presentation Outline
• Introduction
• Cloud Computing Standards
• Cloud Security Issues
• Cloud Attack Mechanisms
• Cloud Protection and Solutions

INTRODUCTION

Cloud Computing – Motivation
• Car rental services
  – For short period
  – Before you get your own car
  – No need to maintain and upgrade
• Cloud rental services
  – For short period
  – Before you get your own devices
  – No need to maintain and upgrade
  – Is popular

Cloud Computing Potential Benefits
• Increased Reliability – Duplicated data, logs, better maintenance
• Reduction in IT operating costs (Pay-as-you-Go)
• Scalability and Agility
• Ubiquitous Accessibility – Internet, and perform same task from anywhere and using any network device
• Levels the playing field
• Fast request-driven provisioning (On Demand)
• Improves collaboration

How the Cloud is growing?

* Source: http://www.forbescustom.com/TechnologyPgs/CloudComputingP1.html [accessed: May 26, 2013]

Cloud Computing Growth
• Cloud usage is like having a customized cellular plan with all the features and functionality that you want, paying only for what you use, and with the ability to cancel at any time without penalties or additional fees.
• Worldwide cloud service revenue grew at 16.6% in 2010, reaching $68.3 billion, according to a Gartner report.
  o It is expected that enterprises will spend around $112 billion on cloud technologies and services in the next five years.

CLOUD COMPUTING STANDARD

NIST definition of cloud computing
• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

What Comprises Cloud Computing?
• NIST defines:
  – Five essential cloud characteristics
  – Three cloud service models
  – Four cloud deployment models.

NIST Model of Cloud

Five Essential Cloud Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service

Three Cloud Service Models
• Cloud Software as a Service (SaaS)*
  – To use the provider’s applications
• Cloud Platform as a Service (PaaS)*
  – To deploy customer-created and acquired applications
• Cloud Infrastructure as a Service (IaaS)
  – To provision processing, storage, networks, and other fundamental computing resources
* To be considered as cloud services, they must be running on top of a cloud infrastructure.

Cloud Service Delivery Models
(figure: SaaS, PaaS, IaaS)

Cloud Service Models – IaaS
• It delivers computer infrastructure as a service, along with raw storage and networking
• Rather than purchasing servers, software, data-center space, or network equipment, clients buy them as a fully outsourced service

What is IaaS?

Source: Securosis, L.L.C. / Cloud Security Alliance

IaaS
Benefits
• Tremendous control to use whatever content system makes sense.
• Flexibility to secure data to whatever degree necessary.
Issues
• Involves integrating all aspects of an application (DB, plug-ins, etc.)
• Responsible for all configurations implemented on the server (and in apps)
• Responsible to keep software up to date
• Multi-tenancy at hypervisor level

Src: Securosis, L.L.C. / Cloud Security Alliance

Cloud Service Models – PaaS
• It delivers a computing platform and solution stack as a service. PaaS offerings facilitate deployment of applications without the cost and complexity of buying and managing the underlying hardware and software and provisioning hosting capabilities

What is PaaS?

Src: Securosis, L.L.C. / Cloud Security Alliance

PaaS
Benefits
• Packaged application “stack” reduces some complexity (configuration, components)
• If application vendor supports cloud APIs, streamlines implementation
Issues
• Still responsible to keep stack updated
• Locked into provider’s API (which can change)
• Multi-tenancy at platform layer

Src: Securosis, L.L.C. / Cloud Security Alliance

Software as a Service (SaaS)
• Cloud computing services, such as Amazon's EC2 and Google Apps, are booming.
• With Software as a Service, you’re not writing an app, just using someone else’s.
• Changes the dynamic of pricing the software (pay on a per-use basis).
• 20% growth in SaaS products per year.

Cloud Service Models – SaaS
Software and data are hosted on the cloud and are typically accessed by users using a thin client (browser with internet access)

What is SaaS?

Src: Securosis, L.L.C. / Cloud Security Alliance

SaaS
Benefits
• Packaged solution reduces complexity
• Scaling environment isn’t customer’s problem.
• All updates/configurations/security handled by provider.
Issues
• Very little app customization
• No control of components.
• No control of security (can only assess, not impact).
• Multi-tenancy issues at application layer.

Src: Securosis, L.L.C. / Cloud Security Alliance

Cloud Deployment Models
(figure: Public, Private, Community, Hybrid)
Src: Securosis, L.L.C. / Cloud Security Alliance

Cloud Deployment Models
• Deployment Options
  o Private
  o Public
  o Community
  o Hybrid
• Controlled/Owned By
  o Internal
  o External

Cloud Computing Infrastructures – Public Clouds
• Run by 3rd parties such as Amazon, Google or Microsoft.
• Employ statistical multiplexing to provide hardware and software resources.
• Are hosted away from user premises.
• For security, other applications running on the same clouds are transparent to cloud users.
• Public clouds guarantee improved performance, considerable & scalable resources, and growth flexibility.

Public Cloud, Advantages, drawbacks
• Pros:
  – Reliability
  – Cost Efficiency
  – Scalability and Agility
• Cons:
  – Security
  – Control

Cloud Computing Infrastructures – Private Clouds
• Built for only one client.
• Provide complete control over data, security and QoS.
• Deployed on enterprise datacenter or co-location facility.
• Built by the company's own IT organization or a cloud service provider.
• Hosted private model: high level of control + technical expertise to establish and operate the cloud.

Private Cloud, Advantages, drawbacks
• Pros:
  – Control / Security
  – Availability
  – Speed of Access
• Cons:
  – Scalability
  – Maintenance

Community Cloud
• In a community cloud, multiple organizations and infrastructures from the same community share the cloud infrastructure.
• They all have similar concerns and goals, which helps to agree on the same cloud policies.
(figure labels: Industry X Community Cloud, Industry Y Community Cloud; A, B, C, D)

Community Cloud, Advantages, drawbacks
• Pros
  – Security
  – Legal/compliance
  – Same Policy and Concerns
• Cons
  – Development
  – Cost

Cloud Computing Infrastructures – Hybrid Clouds
• Combines both private and public clouds.
• Private clouds are augmented with resources of public cloud.
• Are used to support Web 2.0 applications
• Also used to handle workload spikes, i.e. surge computing.
• More suitable when data transfers are small or applications are stateless than when a large amount of data is transferred for a small amount of processing.

Hybrid Clouds

Source: Securosis, L.L.C. / Cloud Security Alliance

Hybrid Cloud, Advantages, drawbacks
• Pros:
  – High performance
  – Expanded capacity
  – Scalability
  – Security
  – Low cost
• Cons:
  – Complex SLAs
  – Complex networking

CLOUD SECURITY ISSUES

If cloud computing is so great, why isn’t everyone doing it?
• The cloud acts as a big black box, nothing inside the cloud is visible to the clients
• Clients have no idea or control over what happens inside a cloud
• Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrity
• Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks

Companies are still afraid to use clouds

[Chow09ccsw]

Top Cyberattacks in 2014 so far!
• Analysts at Hold Security startlingly announced in February that they had managed to obtain a list of 360 million account credentials for web services from the black market. That’s just after three weeks of research.
• According to research from Arbor Networks, the number of DDoS events topping 20Gbps in the first half of 2014 is double that of 2013. The Akamai Technologies State of the Internet report also showed that hacker attacks on websites went up 75% in the final quarter of 2013, with hackers in China responsible for 43% of all attacks.
• This incredible interactive map (cybermap.kaspersky.com) from antivirus software firm Kaspersky, which depicts all the current cyber attacks occurring around the world in real time, shows the growing intensity of hacks as the year progresses.

Top Cyberattacks in 2014 (continued)
• In May, eBay revealed that hackers had managed to steal personal records of 233 million users, with usernames, passwords, phone numbers and physical addresses compromised.
• Community Health Services (health care). The personal data for 4.5 million patients were compromised between April and June. The sophisticated malware used in the attack reportedly originated in China. (September 2014)
• Google (communications). Reportedly, 5 million Gmail usernames and passwords were compromised.[23] About 100,000 were released on a Russian forum site. (September 2014)
• Apple iCloud (technology). Hackers reportedly used passwords hacked with brute-force tactics and third-party applications to access Apple users’ online data storage, leading to the subsequent posting of celebrities’ private photos online. (September 2014)
• J.P. Morgan Chase (financial). The contact information for 76 million households and 7 million small businesses was compromised. The hackers may have originated in Russia and may have ties to the Russian government. (October 2014)

Causes of Problems Associated with Cloud Computing
• Most security problems stem from:
  – Loss of control
  – Lack of trust (mechanisms)
  – Multi-tenancy
• These problems exist mainly in 3rd party management models
  – Self-managed clouds still have security issues, but not related to above

Loss of Control in the Cloud
• Consumer’s loss of control
  – Data, applications, resources are located with provider
  – User identity management is handled by the cloud
  – User access control rules, security policies and enforcement are managed by the cloud provider
  – Consumer relies on provider to ensure
    • Data security and privacy
    • Resource availability
    • Monitoring and repairing of services/resources

Multi-tenancy Issues in the Cloud
• Conflict between tenants’ opposing goals
  – Tenants share a pool of resources and have opposing goals
• How does multi-tenancy deal with conflict of interest?
  – Can tenants get along together and ‘play nicely’?
  – If they can’t, can we isolate them?
• How to provide separation between tenants?
• Cloud Computing brings new threats
  – Multiple independent users share the same physical infrastructure
  – Thus an attacker can legitimately be in the same physical machine as the target

Taxonomy of Fear
• Confidentiality
  – Fear of loss of control over data
    • Will the sensitive data stored on a cloud remain confidential?
    • Will cloud compromises leak confidential client data?
  – Will the cloud provider itself be honest and won’t peek into the data?
• Integrity
  – How do I know that the cloud provider is doing the computations correctly?
  – How do I ensure that the cloud provider really stored my data without tampering with it?

www.cs.jhu.edu/~ragib/sp10/cs412

Taxonomy of Fear (cont.)
• Availability
  – Will critical systems go down at the client, if the provider is attacked in a Denial of Service attack?
  – What happens if cloud provider goes out of business?
  – Would cloud scale well-enough?

www.cs.jhu.edu/~ragib/sp10/cs412

Taxonomy of Fear (cont.)
• Privacy issues raised via massive data mining
  – Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients
• Increased attack surface
  – Entity outside the organization now stores and computes data, and so
  – Attackers can now target the communication link between cloud provider and client
  – Cloud provider employees can be phished

From [5] www.cs.jhu.edu/~ragib/sp10/cs412

Taxonomy of Fear (cont.)
• Auditability and forensics (out of control of data)
  – Difficult to audit data held outside organization in a cloud
  – Forensics also made difficult since now clients don’t maintain data locally
• Legal quagmire and transitive trust issues
  – Who is responsible for complying with regulations?
    • e.g., SOX, HIPAA, PCI DSS?
  – If cloud provider subcontracts to third party clouds, will the data still be secure?

www.cs.jhu.edu/~ragib/sp10/cs412

Cloud Computing: who should use it?
• Cloud computing definitely makes sense if your own security is weak, missing features, or below average.
• Ultimately, if
  – the cloud provider’s security people are “better” than yours (and leveraged at least as efficiently),
  – the web-services interfaces don’t introduce too many new vulnerabilities, and
  – the cloud provider aims at least as high as you do, at security goals,
  then cloud computing has better security.

From [2] John McDermott, ACSAC 09

CLOUD ATTACK MECHANISMS

Threat Model
• A threat model helps in analyzing a security problem, designing mitigation strategies, and evaluating solutions
• Steps:
  – Identify attackers, assets, threats and other components
  – Rank the threats
  – Choose mitigation strategies
  – Build solutions based on the strategies

www.cs.jhu.edu/~ragib/sp10/cs412

Threat Model
• Basic components
  – Attacker modeling
    • Choose what attacker to consider
      – insider vs. outsider?
      – single vs. collaborator?
    • Attacker motivation and capabilities
  – Attacker goals
  – Vulnerabilities / threats

www.cs.jhu.edu/~ragib/sp10/cs412

Delivery model Security Issues
The lower the cloud provider stands in terms of service delivery, the more security the service customer is responsible for!

Delivery model Security Issues
(figure: for each of SaaS, PaaS and IaaS, the layers Software/Application, Development Platform, Computing, Network and Storage, with Security Responsibility divided between Customer and Providers)

Cloud Security Taxonomy
Based on Service Models
SaaS
  – Cross Site Scripting
  – Access Control Weaknesses
  – SQL Injection Flaws
  – Network Penetration
  – Insecure SSL trust configuration
  – Data Security
PaaS
  – Data Security Issues
IaaS
  – Data Reliability
Source: V. S. Subashini, "A survey on security issues in service delivery models of cloud computing," Journal of Network and Computer Applications, vol. 34, pp. 1-11, 2011.
Based on Layers
Source: C. Modi, D. Patel, B. Borisaniya, A. Patel and M. Rajarajan, "A survey on security issues and solutions at different layers of Cloud computing," The Journal of Supercomputing, pp. 1-32, 2012.

Delivery model Security Issues

Cloud Risk and Impact Analysis

The Notorious Nine
• The CSA (Cloud Security Alliance) has identified "The Notorious Nine", the top 9 cloud computing threats for 2013.
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

Data Breaches/Loss
• Deletion or alteration of records without a backup and loss of an encoding key are some of the common examples that lead to data loss.
• As the data resides in third parties' data centers, security of data is becoming the main concern for cloud adoption.
• Thus it is the duty of the Cloud security provider to prevent unauthorized parties from gaining access to the sensitive data.

Data Loss Remediation
• Implementing strong access controls
• Strong encryption and decryption for data.
• Implement strong key generation, storage and management, and destruction practices.
• Maintaining backups of the data and updating them with changes in a timely manner.

Data Breaches

Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Taxonomy of Security
• CIANA
  – stands for Confidentiality, Integrity, Availability, Non-Repudiation, and Authentication (Information Assurance, Information Security)
• STRIDE is a system developed by Microsoft for threat analysis:
  – Spoofing of user identity
  – Tampering
  – Repudiation
  – Information disclosure (privacy breach or data leak)
  – Denial of service (D.o.S)
  – Elevation of privilege

Data Loss

Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Account, Service and Traffic Hijacking
• If an attacker gains access to the credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites.
• Using the same credentials and passwords for a long time without changing them, and reusing them for different accounts, makes this type of attack easy.

Remediation
• Following the password rules to create strong passwords
• Changing the passwords in a timely manner
• Prohibiting the use of passwords on unknown machines and sharing of the passwords with other users
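
The two conditions named above, credentials left unchanged for a long time and the same secret reused across accounts, can be checked with a periodic audit. The following is an added example, not part of the original slides; the inventory records, the audit key and the 90-day threshold are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date

AUDIT_KEY = b"constructed-audit-key"  # assumption: known only to the audit tool
MAX_AGE_DAYS = 90                     # assumption: the slides set no rotation period


def fingerprint(secret, key=AUDIT_KEY):
    """Keyed digest of a secret, so reuse is detectable without storing it."""
    return hmac.new(key, secret.encode(), hashlib.sha256).hexdigest()


# Constructed inventory: (account, date last changed, fingerprint of secret).
# The fingerprint would be recorded at the moment the credential is set.
INVENTORY = [
    ("console:alice", date(2024, 1, 10), fingerprint("Tr0ub4dor&3")),
    ("storage-api:alice", date(2024, 5, 2), fingerprint("Tr0ub4dor&3")),
    ("console:bob", date(2024, 5, 20), fingerprint("correct horse battery")),
    ("ci-deploy", date(2023, 11, 1), fingerprint("s3rv1ce-t0ken")),
]


def audit(inventory, today, max_age_days=MAX_AGE_DAYS):
    """Return accounts with stale credentials and groups sharing one secret."""
    stale = sorted(
        account
        for account, changed, _ in inventory
        if (today - changed).days > max_age_days
    )
    by_fingerprint = defaultdict(list)
    for account, _, fp in inventory:
        by_fingerprint[fp].append(account)
    reused = sorted(
        sorted(accounts)
        for accounts in by_fingerprint.values()
        if len(accounts) > 1
    )
    return {"stale": stale, "reused": reused}


if __name__ == "__main__":
    report = audit(INVENTORY, today=date(2024, 6, 1))
    for account in report["stale"]:
        print(f"rotate: {account} unchanged for more than {MAX_AGE_DAYS} days")
    for group in report["reused"]:
        print("reuse: same secret on " + ", ".join(group))
```
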

Account or Service Traffic Hijacking

Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Insecure APIs
• The security of cloud services depends on how secure their APIs are
• Accidental and malicious attempts must be taken into consideration when designing the APIs
• Organizations are facing a variety of authenticity, confidentiality, and integrity issues due to their dependence on a weak set of APIs

Insecure APIs

Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Remediation
• Analyze the security model of cloud provider interfaces.
• Ensure strong authentication and access controls are implemented in concert with encrypted transmission.

Denial of Service
• Preventing users from accessing cloud services.
• Using resource exhaustion attacks or software vulnerability attacks.
• The cloud becomes unresponsive or legitimate users will pay more for using more resources.

Denial of Service

Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Remediation
• None is provided by CSA
• Anomaly Behavior Analysis (ABA)
• Intrusion Tolerance by using diversity and redundancy

Malicious Insiders
• Malicious insider threat is well-known to most organizations.
• A provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance.
• This kind of situation clearly creates an attractive opportunity for a hobbyist hacker.

Malicious Insiders

Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Remediation
• Human resource requirement specifications should be part of the legal contract.
• The Cloud Service Provider should transparently provide all security and management practices.

Abuse of Cloud Services
• The registration process for cloud resources has become so easy that anyone with a valid credit card can register and immediately begin using services.
• Thus, spammers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity
• Thus PaaS and IaaS providers are suffering from these kinds of attacks.

Abuse of Cloud Services

Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Impact
• Attackers are coming up with new technologies to improve their reach, avoid detection and improve the effectiveness of their activities.
• The reasons for this type of attack are:
  – Weak registration systems that facilitate anonymity.
  – Limited fraud detection capabilities of service providers

Remediation
• Strict initial registration and validation
• Enhanced credit card fraud monitoring and coordination
• Constant monitoring of customer network traffic.
• Monitoring public blacklists for one’s own network blocks.
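
One way to carry out the last remediation item, as an added example that is not part of the original slides: parse a line-oriented blacklist feed and report every entry that overlaps a network block you operate. The feed format (one IP or CIDR per line with `;` or `#` comments), the sample feed and the block list are constructed assumptions and use documentation address ranges only.

```python
import ipaddress

# Constructed sample feed (not real listings).
SAMPLE_FEED = """\
; constructed blacklist feed for the example
198.51.100.17        ; spam source
203.0.113.0/25       ; malware hosting
192.0.2.128/26
2001:db8:40::/48     # botnet controller
not-an-address       ; malformed line, skipped
"""

# Hypothetical network blocks the operator is responsible for.
OWN_BLOCKS = [
    "198.51.100.0/24",
    "203.0.113.64/26",
    "2001:db8::/32",
    "192.0.2.0/25",
]


def parse_feed(text):
    """Return (networks, rejected_lines) parsed from a line-oriented feed."""
    networks, rejected = [], []
    for raw in text.splitlines():
        # Drop trailing comments introduced by ';' or '#'.
        entry = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts entries written with host bits set.
            networks.append(ipaddress.ip_network(entry.split()[0], strict=False))
        except ValueError:
            rejected.append(raw.strip())
    return networks, rejected


def find_listed(own_blocks, listed):
    """Return (own_block, listed_entry, scope) for each overlapping pair.

    scope is "full" when the listing covers the whole block and "partial"
    when only some addresses inside the block are listed.
    """
    hits = []
    for block in (ipaddress.ip_network(b) for b in own_blocks):
        for entry in listed:
            # IPv4 and IPv6 entries never overlap; compare like with like.
            if entry.version != block.version or not entry.overlaps(block):
                continue
            scope = "full" if block.subnet_of(entry) else "partial"
            hits.append((str(block), str(entry), scope))
    return hits


if __name__ == "__main__":
    feed, bad_lines = parse_feed(SAMPLE_FEED)
    for own, entry, scope in find_listed(OWN_BLOCKS, feed):
        print(f"{own} is listed ({scope}) by feed entry {entry}")
    for line in bad_lines:
        print(f"unparsed feed line: {line!r}")
```

Unparsed lines are returned rather than dropped silently, so a change in the feed's format shows up in the report instead of looking like a clean result.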

Insufficient Due Diligence
• Organizations are moving fast toward the cloud for its cost reductions, operational efficiencies and improved security.
• However, without a full understanding of the cloud service provider environment and responsibilities, they are increasing their risk.

Insufficient Due Diligence

Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Remediation
• Organizations need to understand the risk of moving to the cloud.
• 24/7 Continuous Monitoring, Analysis, and Mitigation

Shared Technology Vulnerabilities
• Cloud Service Providers deliver their services in a scalable way by sharing infrastructure.
• Cloud services depend on utilizing virtualization.
• Virtualization hypervisors, like any other software, have flaws that allow attackers with access to the guest operating system to attack the host.
• This impacts the operations of other cloud customers and allows attackers to gain access to unauthorized data.

Shared Technology Issues

Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Remediation
• Implementing and applying security best practices for both the installation and configuration processes
• Continuously monitoring the environment to detect unauthorized activities.
• Enforcing strict access control and strong authentication for all critical operations.
• Continuously searching for vulnerabilities and threats.

Unknown Risk Profile
• The features and functionality of the cloud services are well communicated to the customer, but the details of internal security procedures, auditing, logging, and internal access control remain unanswered, leaving customers with an unknown risk profile

General Security Issues
• In addition to the above-mentioned top threats, there are many other threats that are affecting cloud computing. They are:
• Insider Threats
• Hypervisor vulnerabilities
• Denial of Service attacks
• Malware Injection attacks
• Man-In-The-Middle Cryptographic attacks

UA Ongoing Cybersecurity Research Projects

Big Data Analytics Pipeline
(figure: pipeline stages Acquisition/Recording; Extraction/Cleaning/Annotation; Integration/Aggregation/Representations; Analysis/Modeling; Interpretations)

Research Challenges
(figure labels: Heterogeneity, Scale, Timeliness, Privacy, Human Collaboration)

Big Data Analytics for Cybersecurity Architecture

User Cyber Flow (UCF)
(figure labels: Biometric authentication, Mouse, Keyboard, Social Sites, Gaming, Social Media, Entertainment, Identify External Threats/Alerts, Packet Rate, SIEM, Network, Tools, Bandwidth, Flow, Number of Connection, HR, Software, Hardware, Web Sites, Systems Flow, Computer, Role, Privileges, Mobile, Apps, Files)

Application-Cyber Flow (ACF)
(figure labels: USER, Java Applets, HTML, Flash, J.S., HTML5, CSS, JQuery, Coffee.JS, Charts.JS, Bootstrap, SCSS, LESS, AJAX, GRAPHS, OWF User)

Server-Cyber Flow (SCF)
(figure labels: API Responses, Network, SERVER, Multiple Conn., Ruby on Rails, NodeJS, SQLITE, Python, PHP, ASP, High Performance API, SQL, JAVA, NoSQL, MongoDB, Glassfish, Tomcat, MySQL, MVC, PostgresQL, OWF Server, Symphony, Zend, Cake)

Insider Threat Detection (ITD) with Smart Big Data Analytics
(figure: AVIRTEK AIM-ITD PRODUCT)

Conclusion
• Cloud computing is sometimes viewed as a reincarnation of the classic mainframe client-server model
  – However, resources are ubiquitous, scalable, highly virtualized
  – Contains all the traditional threats, as well as new ones
• In developing solutions to cloud computing security issues it may be helpful to identify the problems and approaches in terms of
  – Loss of control
  – Lack of trust
  – Multi-tenancy problems
