Fundamental Cloud Security Cloud Computing Lecture Note 4 Fundamental Cloud Security 오상규 정보통신대학원

Basic Terms and Concepts – 1/3 Overview Information security is a complex ensemble of techniques, technologies, regulations and behaviors that collaboratively protect the integrity of and access to computer systems and data. IT security measures aim to defend against threats and interference that arise from both malicious intent and unintentional user error. Confidentiality The characteristics of something being made accessible only to authorized parties Primarily restricting access to data in transit and storage in cloud environments Message Transfer Cloud Service Consumer Cloud Data Stored Integrity The characteristics of not having been altered by an unauthorized party Data cloud customers stored = data cloud customers retrieved Data Retrieved Cloud Service Consumer Cloud

Basic Terms and Concepts – 2/3 Authenticity The characteristics of something having been provided by an authorized source Non-repudiation – the inability of a party to deny or challenge the authentication of an interaction Availability The characteristics of being accessible and usable during a specified time period The responsibility of both cloud provider and cloud carrier Threat A potential security violation that can challenge defenses in an attempt to breach privacy and/or cause harm All instigated threats (attacks) are designed to exploit known weaknesses or vulnerabilities. Vulnerability A weakness that can be exploited either because it is protected by insufficient security controls, or because existing security controls are overcome by an attack Caused by configuration deficiencies, security policy weaknesses, human errors, hardware or firmware flaws, software bugs, poor security architectures, etc. Risk The possibility of loss or harm arising from performing an activity Typically measured according to its threats level and the number of possible or known vulnerabilities Two metrics used to determine risk for an IT resource: The probability of a threat occurring to exploit vulnerabilities in the IT resource The expectation of loss upon the IT resource being compromised

Basic Terms and Concepts – 3/3 Security controls Countermeasures used to prevent or respond to security threats and to reduce or avoid risk Typically outlined in the security policy containing a set of rules and practices that specify how to implement a system, service or security plan for maximum protection of sensitive and critical IT resources Security mechanisms Criteria describing security countermeasures comprising a defensive framework that protects IT resources, information and services Security policies A set of security rules and regulations Defines how these rules and regulations are implemented and enforced Good policy bad practice…?

(Security Mechanisms) Wants to Abuse or Cause Loss to Threat Agents – 1/2 Definition An entity that poses a threat because it is capable of carrying out an attack Internal or external threats by humans or software programs Cloud Service Owner Wants to Protect Wants to Reduce Establishes Countermeasures (Security Mechanisms) Reduce Regulate vulnerabilities Exploit Security Policy Threats Lead to Risks Poses Increase Data to to Wants to Abuse or Cause Loss to Assets (IT Resources & Data) Threat Agent

Threat Agents – 2/2 Anonymous attacker A non-trusted cloud service consumer without permissions Typically external software programs that launch network-level attacks through public networks Formulating effective attacks requires information on security policies and defenses – bypass user accounts or steal user credentials to attack Malicious service agent A piece of active software intercepting and forwarding the network traffics that flow within a cloud pretending as a legitimate service agent with malicious logic Possible external programs remotely intercept and potentially corrupt network messages Trusted attacker (malicious tenants) A trusted cloud service consumer with permissions Usually launches its attacks from within a cloud’ trust boundaries by abusing legitimate credentials or via the appropriation of sensitive and confidential information The hacking of weak authentication processes, the breaking of encryption, the spamming of e-mail accounts, the denial of service campaigns, etc. Malicious insider Human threat agents acting on behalf of or in relation to the cloud provider Typically current or former employees or third parties with access to the could provider’s premises Expose tremendous potential damages since they may have administrative privileges for accessing cloud consumer IT resources

Cloud Security Threats – 1/3 Traffic eavesdropping Data being passively intercepted by a malicious service agent for illegitimate information gathering purpose while being transferred to or within a cloud Aim to discredit the confidentiality of data and the relationship between the cloud consumer and cloud provider Due to the passive nature of the attack, hard to detect for a long period of time Cloud Service Consumer Cloud Malicious intermediary Messages intercepted and altered by a malicious service agent discrediting the message’s confidentiality and/or integrity Possible malicious contents insertion before forwarding it to its destination Intercepted Message Copy Cloud Service Consumer Cloud Intercept & Alter Message

Cloud Security Threats – 2/3 Denial of service (DoS) Intentional sabotage on shard physical IT resource by overloading it so that the IT resource can hardly be allocated to other consumers sharing the same IT resource Typically intentional overloading shared IT resource by generating excessive messages, consuming full network bandwidth, or sending multiple requests that consume excessive CPU time and memory Cloud Service Consumer A Cloud Service Consumer B (Attacker) Physical Server B Load Virtual Server A Virtual Server B A Load Physical Server Insufficient authorization A case when access is granted to an attacker erroneously or too broadly, resulting in the attacker getting access to IT resources that are normally protected Another case (Weak Authentication) when weak passwords or shared accounts are used to protect IT resources Legitimate Consumer Malicious Attacker Protected IT Resource

Cloud Security Threats – 3/3 Virtualization attack (Overlapping Trust Boundaries) Physical resources shared by multiple virtual users in virtualized environment by the nature of resource virtualization Possible inherent risk that some cloud consumers could abuse their access right to attack the underlying physical IT resources Cloud Service Consumer A Cloud Service Consumer B Virtual Server A Virtual Server B Shared Physical IT Resource

Additional Considerations – 1/3 Flawed implementations Faulty design, implementation or configuration of cloud service deployments can have undesirable consequences. Attackers can exploit those vulnerabilities to impair the integrity, confidentiality and/or availability of cloud provider’s IT resource if the cloud provider’s software and/or hardware have inherent security flaws or operation weakness. Security policy disparity Cloud consumers need to accept the given cloud provider’s security approach which may not be identical or even similar to traditional information security approach when they sign for public cloud service. Even when leasing raw infrastructure-based IT resources, the cloud consumer may not be granted sufficient administrative control or influence over security policies that apply to the IT resources leased from the cloud provider primarily because those IT resources are legally owned by the cloud provider. With some public clouds, additional third parties – such as security brokers and certificate authorities – may introduce their own distinct set of security policies and practices, further complicating any attempt to standardize the protection of cloud consumer assets. Contracts Cloud consumers need to carefully examine contracts and SLA provided by the cloud provider to ensure that security policies and other relevant guarantees are satisfactory when it comes to asset security. The amount of reliability assumed by the cloud provider and/or the level of indemnity that the cloud provider may ask for must be specified in a clear language.

Additional Considerations – 2/3 Sometimes it is hard to determine who is responsible when a security breach (or other type of runtime failure as well) occurs if the cloud consumer’s solution is running on top of IT resources provided by the cloud provider, especially when the security policies of both parties are different from each other. (shop around for right cloud providers with compatible contractual terms and security policies) Risk management Before adopting cloud platform, potential cloud consumers are encouraged to perform a formal risk assessment as part of a risk management strategy. Risk management is comprised of a set of coordinated activities for overseeing and controlling risks – risk assessment, risk treatment and risk control: Risk assessment The given cloud environment is analyzed to identify potential vulnerabilities and shortcomings that threats can exploit in the risk assessment stage. The cloud consumers can ask the potential cloud provider for statistics and other information about past attacks (both successful and unsuccessful) carried out in its cloud. The identified risks are quantified and qualified according to the probability of occurrence and the degree of impact in relation to how the cloud consumer plans utilize cloud based IT resources. Risk treatment Mitigation policies and plans are designed during the risk treatment stage with the intent of successfully treating the risks that were discovered during risk assessment. Some risks can be eliminated, some can be mitigated while others can be dealt with via outsourcing or even incorporated into the insurance and/or operating loss budgets. The cloud provider itself may agree to assume responsibility as part of its contractual obligations.

Additional Considerations – 3/3 Risk control Risk control stage is related to risk monitoring – a three step process that is comprised of surveying related events, reviewing these events to determine the effectiveness of previous assessments and treatments, and identifying any policy adjustment needs. Depending on the nature of monitoring required, this stage may be carried out or shared by the cloud provider. More covered on Cloud Security Mechanisms in Lecture Note 8. Risk Assessment Threats Risk Identification Risk Evaluation Risk Control Risk Treatment Risk Review Risk Mitigation Policy Risk Monitoring Risk Mitigation Actions

Cloud Computing End of Lecture Note 오상규 정보통신대학원