Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.


Basic security concepts
Goal
1. Crash course on computer security!!
   1. Learn how to analyze the security of a system/scheme in a systematic manner.
   2. Examine cloud computing threat model by examining the assets, vulnerabilities, entry points, and actors in a cloud
8/18/2011 Ragib Hasan | UAB CIS | CS491/691/791 Fall

What is computer security?
In a nutshell:
– Knowing who is who, for real!! (authentication)
– Keeping bad guys out, letting good guys in (authorization)
– Ensuring secrecy of sensitive info (confidentiality and privacy)
– Making sure no one broke anything (integrity)
– Preventing bad guys from paralyzing systems through resource starvation (availability)

What makes computer security different from most other CS topics?
– Security is mostly a human problem
– Most security problems are as old as human civilization itself!!

Authentication
Problem: How do we verify the identity of an entity?
Solution: Use the common authentication factors:
– What you know
– What you have
– What you are
– Who you know
How does it relate to a cloud?

Authorization
Problem: How do we figure out what an entity is allowed to access or do?
Solution: Use access control rules/models/roles, capabilities, etc.
How does it relate to a cloud?

Confidentiality and Privacy
Problem: How can we keep secret information secret? (i.e., prevent unauthorized entities from reading it)
Solution: Encryption
How does it relate to a cloud?

Integrity
Problem: How can we prevent/detect unauthorized modification of objects?
Solution:
– Tamper proofing (hard to do!!)
– Tamper evidence (via signatures, hashes)
How does it relate to a cloud?
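
Tamper evidence for an object held by an untrusted cloud store, as an added example (not part of the original lecture): a bare hash stored next to the data is compared with an HMAC whose key stays on the client. The key, object name, sample data and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample key and object; the key stays on the client, never in the cloud.
KEY = b"constructed-client-key"
NAME = "records.csv"
DATA = b"id,diagnosis\n1001,flu\n"


def bare_hash(data: bytes) -> str:
    """Unkeyed SHA-256: whoever can rewrite the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def make_tag(key: bytes, name: str, data: bytes) -> str:
    """HMAC-SHA256 over a length-prefixed object name plus the content.
    Binding the name keeps the store from answering a request for one
    object with a different, validly tagged one."""
    n = name.encode()
    msg = len(n).to_bytes(4, "big") + n + data
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def upload(store: dict, key: bytes, name: str, data: bytes) -> None:
    """Client: store the object with both kinds of integrity metadata."""
    store[name] = {"data": data, "sha256": bare_hash(data),
                   "hmac": make_tag(key, name, data)}


def check_download(store: dict, key: bytes, name: str) -> dict:
    """Client: what each check concludes about the object as stored now."""
    obj = store[name]
    tag_now = make_tag(key, name, obj["data"])
    return {"sha256_ok": bare_hash(obj["data"]) == obj["sha256"],
            "hmac_ok": hmac.compare_digest(tag_now, obj["hmac"])}


def provider_modifies(store: dict, name: str, new_data: bytes) -> None:
    """Untrusted store changes an object and refreshes the unkeyed hash;
    it cannot refresh the HMAC because it does not hold the key."""
    store[name]["data"] = new_data
    store[name]["sha256"] = bare_hash(new_data)


if __name__ == "__main__":
    store = {}
    upload(store, KEY, NAME, DATA)
    print("before:", check_download(store, KEY, NAME))
    provider_modifies(store, NAME, DATA.replace(b"flu", b"none"))
    print("after: ", check_download(store, KEY, NAME))
```

The tag detects modification but not rollback to an older, validly tagged version of the same object; catching that needs a version counter or similar state kept on the client.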

Availability
Problem: How can we prevent malicious parties from overloading our system?
Solution: Throttling, puzzles, IP blacklisting
How does it relate to a cloud?
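
The "puzzles" defence above, sketched as a hash-based client puzzle (an added example, not part of the original lecture): the server hands out a stateless challenge, the client spends CPU finding a nonce, and the server verifies with one MAC and one hash before doing any expensive work. The key, difficulty, lifetime and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-puzzle-key"  # constructed; random per deployment
DIFFICULTY_BITS = 12   # assumed work factor: about 4096 hashes per request
MAX_AGE_SECONDS = 60   # assumed challenge lifetime


def _mac(client_ip: str, issued: int) -> str:
    msg = f"{client_ip}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(client_ip: str, now: int) -> str:
    """Server: timestamp plus a MAC binding it to the client address,
    so no per-client state is stored while the client is working."""
    return f"{now}:{_mac(client_ip, now)}"


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    """Client: search for a nonce; expected cost doubles per extra bit."""
    nonce = 0
    while leading_zero_bits(
            hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()) < bits:
        nonce += 1
    return nonce


def accept(client_ip: str, challenge: str, nonce: int, now: int,
           bits: int = DIFFICULTY_BITS) -> bool:
    """Server: cheap checks that gate the expensive request handling."""
    try:
        issued_str, mac = challenge.split(":")
        issued = int(issued_str)
    except ValueError:
        return False                      # malformed challenge
    expected = _mac(client_ip, issued)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False                      # forged, or issued to another address
    if not 0 <= now - issued <= MAX_AGE_SECONDS:
        return False                      # stale challenge
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return leading_zero_bits(digest) >= bits
```

A solved challenge can be replayed until it expires unless the server also remembers recently accepted ones, so the lifetime bounds how much work one solution buys.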

Threat Model
A threat model helps in analyzing a security problem, designing mitigation strategies, and evaluating solutions
Steps:
– Identify attackers, assets, threats, and other components
– Rank the threats
– Choose mitigation strategies
– Build solutions based on the strategies

Threat Model
Basic components
Attacker modeling
– Choose what attacker to consider
– Attacker motivation and capabilities
Assets / Attacker Goals
Vulnerabilities / threats

Recall: Cloud Computing Stack

Recall: Cloud Architecture
Diagram labels: Client; SaaS / PaaS Provider; Cloud Provider (IaaS)

Attackers

Who is the attacker?
Insider?
– Malicious employees at client
– Malicious employees at Cloud provider
– Cloud provider itself
Outsider?
– Intruders
– Network attackers?

Attacker Capability: Malicious Insiders
At client
– Learn passwords/authentication information
– Gain control of the VMs
At cloud provider
– Log client communication

Attacker Capability: Cloud Provider
What?
– Can read unencrypted data
– Can possibly peek into VMs, or make copies of VMs
– Can monitor network communication, application patterns

Attacker motivation: Cloud Provider
Why?
– Gain information about client data
– Gain information on client behavior
– Sell the information or use it itself
Why not?
– Cheaper to be honest?
Why? (again)
– Third party clouds?

Attacker Capability: Outside attacker
What?
– Listen to network traffic (passive)
– Insert malicious traffic (active)
– Probe cloud structure (active)
– Launch DoS

Assets

Threat Model
Basic components
Attacker modeling
– Choose what attacker to consider
– Attacker motivation and capabilities
Assets / Attacker Goals
Vulnerabilities / threats

Attacker goals: Outside attackers
– Intrusion
– Network analysis
– Man in the middle
– Cartography

Assets (Attacker goals)
Confidentiality:
– Data stored in the cloud
– Configuration of VMs running on the cloud
– Identity of the cloud users
– Location of the VMs running client code

Assets (Attacker goals)
Integrity
– Data stored in the cloud
– Computations performed on the cloud

Assets (Attacker goals)
Availability
– Cloud infrastructure
– SaaS / PaaS

Threats

Organizing the threats using STRIDE
– Spoofing identity
– Tampering with data
– Repudiation
– Information disclosure
– Denial of service
– Elevation of privilege

Typical threats [STRIDE]

Typical threats (contd.) [STRIDE]

Summary
– A threat model helps in designing appropriate defenses against particular attackers
– Your solution and security countermeasures will depend on the particular threat model you want to address

Further Reading
– Frank Swiderski and Window Snyder, “Threat Modeling”, Microsoft Press, 2004
– The STRIDE Threat Model