Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Published byRebekah Alford Modified over 9 years ago

Similar presentations

Presentation on theme: "Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing."— Presentation transcript:

1 Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing

2 Basic security concepts 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 20112 Goal 1.Crash course on computer security!! 1.Learn how to analyze the security of a system/scheme in a systematic manner. 2.Examine cloud computing threat model by examining the assets, vulnerabilities, entry points, and actors in a cloud

3 What is computer security? In a nutshell – – Knowing who is who, for real !! (authentication) – Keeping bad guys out, letting good guys in (authorization) – Ensuring secrecy of sensitive info (confidentiality and privacy) – Making sure no one broke anything (integrity) – Preventing bad guys from paralyzing systems through resource starvation (availability) 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 20113

4 What makes computer security different from most other CS topics? Security is mostly a human problem Most security problems are as old as human civilization itself!! 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 20114

5 Authentication Problem: How do we verify the identity of an entity? Solution: Use the common authentication factors: – What you know – What you have – What you are – Who you know How does it relate to a cloud? 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 20115

6 Authorization Problem: How do we figure out what an entity is allowed to access or do? Solution: Use access control rules/models/roles, capabilities, etc. How does it relate to a cloud? 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 20116

7 Confidentiality and Privacy Problem: How can we keep secret information secret? (i.e., prevent unauthorized entities from reading it) Solution: Encryption How does it relate to a cloud? 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 20117

8 Integrity Problem: How can we prevent/detect unauthorized modification of objects? Solution: Tamper proofing (hard to do!!) Tamper evidence (via signatures, hashes) How does it relate to a cloud? 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 20118

9 Availability Problem: How can we prevent malicious parties from overloading our system? Solution: Throttling, puzzles, ip blacklisting How does it relate to a cloud? 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 20119

10 Threat Model A threat model helps in analyzing a security problem, design mitigation strategies, and evaluate solutions Steps: – Identify attackers, assets, threats, and other components – Rank the threats – Choose mitigation strategies – Build solutions based on the strategies 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201110

11 Threat Model Basic components Attacker modeling – Choose what attacker to consider – Attacker motivation and capabilities Assets / Attacker Goals Vulnerabilities / threats 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201111

12 Recall: Cloud Computing Stack 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201112

13 Recall: Cloud Architecture 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201113 Client SaaS / PaaS Provider Cloud Provider (IaaS)

14 Attackers 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201114

15 Who is the attacker? 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201115 Insider? Malicious employees at client Malicious employees at Cloud provider Cloud provider itself Outsider? Intruders Network attackers?

16 Attacker Capability: Malicious Insiders At client – Learn passwords/authentication information – Gain control of the VMs At cloud provider – Log client communication 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201116

17 Attacker Capability: Cloud Provider What? – Can read unencrypted data – Can possibly peek into VMs, or make copies of VMs – Can monitor network communication, application patterns 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201117

18 Attacker motivation: Cloud Provider Why? – Gain information about client data – Gain information on client behavior – Sell the information or use itself Why not? – Cheaper to be honest? Why? (again) – Third party clouds? 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201118

19 Attacker Capability: Outside attacker What? – Listen to network traffic (passive) – Insert malicious traffic (active) – Probe cloud structure (active) – Launch DoS 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201119

20 Assets 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201120

21 Threat Model Basic components Attacker modeling – Choose what attacker to consider – Attacker motivation and capabilities Assets / Attacker Goals Vulnerabilities / threats 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201121

22 Attacker goals: Outside attackers Intrusion Network analysis Man in the middle Cartography 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201122

23 Assets (Attacker goals) Confidentiality: – Data stored in the cloud – Configuration of VMs running on the cloud – Identity of the cloud users – Location of the VMs running client code 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201123

24 Assets (Attacker goals) Integrity – Data stored in the cloud – Computations performed on the cloud 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201124

25 Assets (Attacker goals) Availability – Cloud infrastructure – SaaS / PaaS 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201125

26 Threats 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201126

27 Organizing the threats using STRIDE Spoofing identity Tampering with data Repudiation Information disclosure Denial of service Elevation of privilege 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201127

28 Typical threats 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201128 [STRIDE]

29 Typical threats (contd.) 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201129 [STRIDE]

30 Summary A threat model helps in designing appropriate defenses against particular attackers Your solution and security countermeasures will depend on the particular threat model you want to address 8/18/2011Ragib Hasan | UAB CIS | CS491/691/791 Fall 201130

31 8/18/201131Ragib Hasan | UAB CIS | CS491/691/791 Fall 2011 Further Reading Frank Swiderski and Window Snyder, “Threat Modeling “, Microsoft Press, 2004 The STRIDE Threat Model

Download ppt "Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing."

Similar presentations

Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Bharat Bhargava Computer Science Purdue University Research in Cloud Computing YounSun Cho Computer Science Purdue.

Bharat Bhargava Computer Science Purdue University Research in Cloud Computing YounSun Cho Computer Science Purdue.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
Applied Cryptography for Network Security

Applied Cryptography for Network Security
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
CLOUD PRIVACY AND SECURITY CS 595 LECTURE 15 4/15/2015.

CLOUD PRIVACY AND SECURITY CS 595 LECTURE 15 4/15/2015.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Authors: Thomas Ristenpart, et at.

Authors: Thomas Ristenpart, et at.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2013 Lecture 3 09/03/2013 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2013 Lecture 3 09/03/2013 Security and Privacy in Cloud Computing.
Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.

Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.
Review security basic concepts IT 352 : Lecture 2- part1 Najwa AlGhamdi, MSc – 2012 /1433.

Review security basic concepts IT 352 : Lecture 2- part1 Najwa AlGhamdi, MSc – 2012 /1433.

Similar presentations

Ads by Google