Lecture 20: Cloud Security COSC6376 Cloud Computing Lecture 20: Cloud Security Instructor: Weidong Shi (Larry), PhD Computer Science Department University of Houston

Outline Cloud security Customer’s fears Threat model

Reading Assignment

Cloud security The cloud acts as a big black box, nothing inside is visible to the clients Clients have no idea or control over what happens inside a cloud Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs violate confidentiality and integrity Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks

High-level cloud security concerns Less Control Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease. Data Security Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important. Reliability High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees. Security Management Providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud. Compliance Complying with HIPPA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential. 5 5 5

Customer concerns “I am nervous about someone else controlling my data” “My data is on the same disks as data from other users. If another customer’s data is raided by FBI, could mine go with it?” “I am not willing to say that the copy of the data in the cloud is the only copy I’ve got” “I am fearful of vendor lock-in” “I am still responsible for demonstrating compliance” “I don’t know where my data is stored – in which country?” “I don’t understand how my data is kept separate from others” “I don’t see how I recover my data in case of a disaster” “I want to investigate any illegal activity over my data” “I want to ensure my data is available when I need it”

Cloud security breach examples Google Doc allowed shared permission without user knowledge http://www.google.com/support/forum/p/Google+Docs/thread?t id=2ef115be2ce4fd0e&hl=en Salesforce.com phishing attack led to leak of a customer list; subsequent attacks http://voices.washingtonpost.com/securityfix/2007/11/salesforce com_acknowledges_dat.html Vasrev.com Webhost hack wipes out data for 100,000 sites http://www.theregister.co.uk/2009/06/08/webhost_attack/ Twitter company files leaked in Cloud Computing security failure http://www.infosecurity-us.com/view/2554/twitter-company- files-leaked-in-cloud-computing-security-failure/ DDoS attack that downed Twitter also hit Facebook http://www.computerworld.com/s/article/9136340/DDoS_attack_that_downed_Twitter_also_hit_Facebook?source=CTWNLE_nlt_security_2009-08-07

Companies are still afraid to use clouds [Chow09ccsw]

Causes of problems associated with cloud computing Most security problems stem from: Loss of control Lack of trust (mechanisms) Multi-tenancy These problems exist mainly in 3rd party management models Self-managed clouds still have security issues, but not related to above 9

Loss of control in the cloud Consumer’s loss of control Data, applications, resources are located with provider User identity management is handled by the cloud User access control rules, security policies and enforcement are managed by the cloud provider Consumer relies on provider to ensure Data security and privacy Resource availability Monitoring and repairing of services/resources

Lack of trust in the cloud Trusting a third party requires taking risks Defining trust and risk Opposite sides of the same coin (J. Camp) People only trust when it pays (Economist’s view) Need for trust arises only in risky situations Defunct third party management schemes Hard to balance trust and risk

Multi-tenancy issues in the cloud Conflict between tenants’ opposing goals Tenants share a pool of resources and have opposing goals How to provide separation between tenants? Cloud Computing brings new threats Multiple independent users share the same physical infrastructure Thus an attacker can legitimately be in the same physical machine as the target

Taxonomy of fear Confidentiality Integrity Fear of loss of control over data Will the sensitive data stored on a cloud remain confidential? Will cloud compromises leak confidential client data Will the cloud provider itself be honest and won’t peek into the data? Integrity How do I know that the cloud provider is doing the computations correctly? How do I ensure that the cloud provider really stored my data without tampering with it? From [5] www.cs.jhu.edu/~ragib/sp10/cs412

Taxonomy of fear Availability Will critical systems go down at the client, if the provider is attacked in a Denial of Service attack? What happens if cloud provider goes out of business? Would cloud scale well-enough? Often-voiced concern Although cloud providers argue their downtime compares well with cloud user’s own data centers From [5] www.cs.jhu.edu/~ragib/sp10/cs412

Taxonomy of fear Privacy issues raised via massive data mining Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients Increased attack surface Entity outside the organization now stores and computes data, and so Attackers can now target the communication link between cloud provider and client Cloud provider employees can be phished From [5] www.cs.jhu.edu/~ragib/sp10/cs412

Taxonomy of fear Auditability and forensics (out of control of data) Difficult to audit data held outside organization in a cloud Forensics also made difficult since now clients don’t maintain data locally Legal quagmire and transitive trust issues Who is responsible for complying with regulations? e.g., SOX, HIPAA? If cloud provider subcontracts to third party clouds, will the data still be secure? From [5] www.cs.jhu.edu/~ragib/sp10/cs412

Taxonomy of fear Cloud Computing is a security nightmare and it can't be handled in traditional ways. John Chambers CISCO CEO Security is one of the most difficult task to implement in cloud computing. Different forms of attacks in the application side and in the hardware components Attacks with catastrophic effects only needs one security flaw (http://www.exforsys.com/tutorials/cloud-computing/cloud-computing-security.html)

Threats, vulnerabilities, and enemies Objective Learn the cloud computing threat model by examining the assets, vulnerabilities, entry points, and actors in a cloud Technique Apply different threat modeling schemes

Threat model A threat model helps in analyzing a security problem, design mitigation strategies, and evaluate solutions Steps: Identify attackers, assets, threats and other components Rank the threats Choose mitigation strategies Build solutions based on the strategies

Threat model Basic components Attacker modeling Choose what attacker to consider Attacker motivation and capabilities Assets / potentially attacked targets Vulnerabilities / threats

Recall: cloud computing stack

Recall: Cloud Architecture SaaS / PaaS Provider Client Cloud Provider (IaaS)

Attackers

Who is the attacker? Insider? Outsider? Malicious employees at client Malicious employees at Cloud provider Cloud provider itself Outsider? Intruders Network attackers?

Attacker capability: malicious insiders At client Learn passwords/authentication information Gain control of the VMs At cloud provider Log client communication

Attacker capability: cloud provider What can the attacker do? Can read unencrypted data Can possibly peek into VMs, or make copies of VMs Can monitor network communication, application patterns

Attacker motivation: cloud provider Why? Gain information about client data Gain information on client behavior Use the information to improve services Sell the information to gain financial benefits

Attacker capability: outside attacker What can the attacker do? Listen to network traffic (passive) Insert malicious traffic (active) Probe cloud structure (active) Launch DoS

Attacker goals: outside attackers Intrusion Network analysis (network security) Man in the middle: public key example

Assets – targets under attack

Assets Confidentiality: Data stored in the cloud Configuration of VMs running on the cloud Identity of the cloud users Location of the VMs running client code

Assets Integrity Data stored in the cloud Computations performed on the cloud

Assets Availability Cloud infrastructure SaaS / PaaS

Threats – methods doing attacks

Organizing the threats using STRIDE Spoofing identity Tampering with data Repudiation (refuse to do with, dispute) Information disclosure Denial of service Escalation of privilege

Spoofing identity Illegally obtaining access and use of another person’s authentication information Man in the middle URL phishing Email address spoofing (email spam)

Tampering with data Malicious modification of the data Often hard and costly to detect you might not find the modified data until some time has passed; once you find one tampered item, you’ll have to thoroughly check all the other data on your systems

Repudiation A legitimate transaction will be disowned by one of the participants You sign a document first; and refused to confirm the signature Need a trusted third party to mitigate

Information/data disclosure An attacker can gain access, without permission, to data that the owner doesn’t want him or her to have.

Denial of service An explicit attempt to prevent legitimate users from using a service or system. It involves the overuse of legitimate resources. You can stop all such attacks by removing the resource used by the attacker, but then real users can’t use the resource either.

Escalation of privilege An unprivileged user gains privileged access. E.g. unprivileged user who contrives a way to be added to the Administrators group

Typical threats Mitigation technique Threat type Spoofing identity Authentication Protect secrets Do not store secrets Tampering with data Authorization Hashes Message authentication codes Digital signatures Tamper-resistant protocols Repudiation Audit trails [STRIDE]

Typical threats (contd.) Threat type Mitigation technique Information disclosure Authorization Privacy-enhanced protocols Encryption Protect secrets Do not store secrets Denial of service Authentication Filtering Throttling Quality of service Escalation of privilege Run with least privilege [STRIDE]

Threat tree

References Doc Shankar. Security Implications of Cloud Computing Bharat Bhargava, Anya Kim, YounSun Cho. Research in Cloud Security and Privacy