CLOUD COMPUTING SECURITY – PENTESTING THE CLOUD Diogenes S. De Jesus CEH, Security+

AGENDA Cloud Computing Intro; Pentesting the Cloud; Advice; Q&A

CLOUD CHARACTERISTICS On-demand self-service; Broad network access; Resource pooling (multi-tenant model); Rapid elasticity; Measured service. Source: NIST (National Institute of Standards and Technology)

SERVICE MODELS Cloud Software as a Service (SaaS); Cloud Platform as a Service (PaaS); Cloud Infrastructure as a Service (IaaS). Source: NIST (National Institute of Standards and Technology)

WHAT DOES SECURITY SEE IN ALL THIS? Cloud computing moves slices of organizational data outside the company's perimeter, out of the company's direct control.

SECURITY CONTROL IN THE CLOUD (diagram: division of security control between the Customer and the CSP for IaaS, PaaS and SaaS)

VULNERABILITY TREND (chart) Source: SANS

TYPICAL NETWORK PENTEST Reconnaissance Vulnerability Mapping Exploitation

IAAS: AMAZON AWS Vulnerability / Penetration Testing Request Form (screenshot of the form)

IAAS: AMAZON (excerpt from the AWS testing policy, source linked on the original slide; highlighted item: DoS)

IAAS: SPECIFICS The ToS explicitly excludes some tests we would normally run. The tests become more analytical and less "execute". Some CSPs exclude certain tests, others may not. Tests tend to be customized to meet the CSP's demands.
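A pre-flight check of the kind these IaaS restrictions call for, added here as an example and not part of the original slides: before anything is executed, every planned test is compared with what the CSP's request form and ToS actually authorized (target ranges, source IPs, time window, excluded test categories such as DoS). The `Authorization` and `PlannedTest` structures, the category names and all IP ranges and dates are constructed for the example; they do not model the real fields of the AWS request form.

```python
"""Pre-flight scope check for a cloud pentest plan (added example).

Before running anything against IaaS targets, compare each planned test with
what the CSP's authorization actually permits.  All field names, categories,
IP ranges and dates below are assumptions made for this example; they are not
the schema of any real CSP request form.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass
class Authorization:
    """What the CSP request form / ToS allowed for this engagement (assumed fields)."""
    targets: list            # authorized target networks, CIDR strings
    sources: list            # IPs the tests may originate from
    window: tuple            # (start, end) as timezone-aware UTC datetimes
    # Test categories the CSP policy excludes; DoS is the one the slides point at.
    excluded: set = field(default_factory=lambda: {"dos", "ddos"})


@dataclass
class PlannedTest:
    name: str
    category: str            # e.g. "recon", "vuln_scan", "exploit", "dos"
    target: str              # IP the test hits
    source: str              # IP the test originates from
    when: datetime           # scheduled start, UTC


def check_test(auth, test):
    """Return the list of reasons this test is out of scope; an empty list means go."""
    problems = []
    tgt = ip_address(test.target)
    if not any(tgt in ip_network(n) for n in auth.targets):
        problems.append(f"target {test.target} not in authorized ranges")
    if ip_address(test.source) not in {ip_address(s) for s in auth.sources}:
        problems.append(f"source {test.source} not declared on the request form")
    if test.category in auth.excluded:
        problems.append(f"category '{test.category}' is excluded by the CSP policy")
    start, end = auth.window
    if not (start <= test.when <= end):
        problems.append("outside the authorized testing window")
    return problems


def triage_plan(auth, plan):
    """Split a plan into (runnable, blocked); blocked pairs each test with its reasons."""
    runnable, blocked = [], []
    for test in plan:
        reasons = check_test(auth, test)
        if reasons:
            blocked.append((test, reasons))
        else:
            runnable.append(test)
    return runnable, blocked


# Constructed sample engagement: documentation-only IP ranges, illustrative dates.
AUTH = Authorization(
    targets=["203.0.113.0/24"],
    sources=["198.51.100.7"],
    window=(datetime(2024, 3, 1, tzinfo=timezone.utc),
            datetime(2024, 3, 8, tzinfo=timezone.utc)),
)

PLAN = [
    PlannedTest("port scan", "recon", "203.0.113.10", "198.51.100.7",
                datetime(2024, 3, 2, 10, 0, tzinfo=timezone.utc)),
    PlannedTest("web vuln scan", "vuln_scan", "203.0.113.10", "198.51.100.7",
                datetime(2024, 3, 2, 11, 0, tzinfo=timezone.utc)),
    PlannedTest("SYN flood", "dos", "203.0.113.10", "198.51.100.7",
                datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc)),
    # Another tenant's address: never in our authorization, whatever the category.
    PlannedTest("scan neighbouring tenant", "recon", "192.0.2.5", "198.51.100.7",
                datetime(2024, 3, 2, 13, 0, tzinfo=timezone.utc)),
    PlannedTest("late retest", "vuln_scan", "203.0.113.10", "198.51.100.7",
                datetime(2024, 3, 9, 9, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    runnable, blocked = triage_plan(AUTH, PLAN)
    for t in runnable:
        print(f"GO      {t.name}")
    for t, reasons in blocked:
        print(f"BLOCKED {t.name}: {'; '.join(reasons)}")
```

The point is to carry the CSP's restrictions into the test plan as data rather than as something the tester remembers at 2 a.m.: the DoS test and the neighbouring-tenant scan are refused by the same check regardless of who assembled the plan, and the blocked list is the evidence to hand over if the CSP asks what was run.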

PAAS: WINDOWS AZURE Cloud OS as a Service (OSaaS). Source: MSDN

PAAS: SPECIFICS Check the contract and ToS for specific backend tests. Permission to test one platform doesn't necessarily give you the right to test other APIs (e.g. the Windows platform and the SQL backend). Frontend and backend are different infrastructures for the CSP, which is particularly bad for web application vulnerability assessment.

SAAS: PENTEST? Most likely no test; availability depends on the CSP.

ADVICE (diagram: card payment flow, steps 1 to 5, between Customer, Payment Gateway, Merchant and Issuing Bank)

ADVICE (diagram: the same flow, steps 1 to 5, with the Merchant replaced by a Cloud Provider)

ADVICE
1) Am I allowed to run tests through third parties?
2) Which tests can I run on the CSP?
3) How flexible is the customization of contracts?

ADVICE
4) Where is your cloud located, and where is our data physically stored? Compliance with regional laws.
5) Can the data be exported to another CSP? Risk of vendor / data lock-in.
6) Virtualization through instance-level isolation? Data leakage; application conflicts.

ADVICE Some other questions the Cloud Provider should be asked:
7. Is there a DoS mitigation system in place?
8. What about packet sniffing by other tenants?
9. Is your cloud designed to be a disaster-tolerant solution?
10. How are your backups made? How long does a full system restore take?
11. Do you have a security policy and related standards?
12. When was the last time you tested your BCP and DRP?
13. How quickly can you increase the performance of your cloud? How quickly do we get the required resources?
14. How many security incidents have you had in the past, and of which kind?
15. What is your downtime per year?

WRAP UP The cloud is a reality and pentesting it isn't much different. Pentests / vulnerability assessments will still exist to meet compliance requirements. Specifics of the cloud: work with the CSP, a good SLA will help you do good tests; the multi-tenant model brings its own limitations and risks for the CSP; attacks must be carried out carefully to mitigate impact on other tenants; watch out for compartmentalized architectures (PaaS); SaaS limitations. Future: separation of duties, third-party testers.

Q&A ?