Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing.

Published byHarold Lawrence Modified over 9 years ago

Similar presentations

Presentation on theme: "Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing."— Presentation transcript:

1 Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing

2 Threats, vulnerabilities, and enemies 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan2 Goal Learn the cloud computing threat model by examining the assets, vulnerabilities, entry points, and actors in a cloud Technique Apply different threat modeling schemes

3 Assignment for next class Review: Thomas Ristenpart et al., Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Compute Clouds, proc. ACM CCS 2009. Format: – Summary: A brief overview of the paper, 1 paragraph (5 / 6 sentences) – Pros: 3 or more issues – Cons: 3 or more issues – Possible improvements: Any possible suggestions to improve the work Due: 2.59 pm 2/8/2010 Submission: By email to rhasan7@jhu.edu (text only, no attachments please) 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan3

4 Threat Model A threat model helps in analyzing a security problem, design mitigation strategies, and evaluate solutions Steps: – Identify attackers, assets, threats and other components – Rank the threats – Choose mitigation strategies – Build solutions based on the strategies 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan4

5 Threat Model Basic components Attacker modeling – Choose what attacker to consider – Attacker motivation and capabilities Assets / Attacker Goals Vulnerabilities / threats 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan5

6 Recall: Cloud Computing Stack 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan6

7 Recall: Cloud Architecture 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan7 Client SaaS / PaaS Provider Cloud Provider (IaaS)

8 Attackers 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan8

9 Who is the attacker? 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan9 Insider? Malicious employees at client Malicious employees at Cloud provider Cloud provider itself Outsider? Intruders Network attackers?

10 Attacker Capability: Malicious Insiders At client – Learn passwords/authentication information – Gain control of the VMs At cloud provider – Log client communication 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan10

11 Attacker Capability: Cloud Provider What? – Can read unencrypted data – Can possibly peek into VMs, or make copies of VMs – Can monitor network communication, application patterns 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan11

12 Attacker motivation: Cloud Provider Why? – Gain information about client data – Gain information on client behavior – Sell the information or use itself Why not? – Cheaper to be honest? Why? (again) – Third party clouds? 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan12

13 Attacker Capability: Outside attacker What? – Listen to network traffic (passive) – Insert malicious traffic (active) – Probe cloud structure (active) – Launch DoS 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan13

14 Attacker goals: Outside attackers Intrusion Network analysis Man in the middle Cartography 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan14

15 Assets 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan15

16 Assets (Attacker goals) Confidentiality: – Data stored in the cloud – Configuration of VMs running on the cloud – Identity of the cloud users – Location of the VMs running client code 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan16

17 Assets (Attacker goals) Integrity – Data stored in the cloud – Computations performed on the cloud 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan17

18 Assets (Attacker goals) Availability – Cloud infrastructure – SaaS / PaaS 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan18

19 Threats 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan19

20 Organizing the threats using STRIDE Spoofing identity Tampering with data Repudiation Information disclosure Denial of service Elevation of privilege 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan20

21 Typical threats 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan21 [STRIDE]

22 Typical threats (contd.) 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan22 [STRIDE]

23 Summary A threat model helps in designing appropriate defenses against particular attackers Your solution and security countermeasures will depend on the particular threat model you want to address 2/1/2010en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan23

24 2/1/201024en.600.412 Spring 2010 Lecture 2 | JHU | Ragib Hasan Further Reading Frank Swiderski and Window Snyder, “Threat Modeling “, Microsoft Press, 2004 The STRIDE Threat Model

Download ppt "Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing."

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
Rohit Kugaonkar CMSC 601 Spring 2011 May 9 th 2011

Rohit Kugaonkar CMSC 601 Spring 2011 May 9 th 2011
Lecture 4: Cloud Computing Security: a first look Xiaowei Yang (Duke University)

Lecture 4: Cloud Computing Security: a first look Xiaowei Yang (Duke University)
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 8 04/11/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 8 04/11/2011 Security and Privacy in Cloud Computing.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 1 01/25/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 1 01/25/2010 Security and Privacy in Cloud Computing.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 1 08/16/2011 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 1 08/16/2011 Security and Privacy in Cloud Computing.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 10 09/15/2011 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 10 09/15/2011 Security and Privacy in Cloud Computing.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Hey, You, Get Off of My Cloud

Hey, You, Get Off of My Cloud
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 7 03/29/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 7 03/29/2010 Security and Privacy in Cloud Computing.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Bharat Bhargava Computer Science Purdue University Research in Cloud Computing YounSun Cho Computer Science Purdue.

Bharat Bhargava Computer Science Purdue University Research in Cloud Computing YounSun Cho Computer Science Purdue.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 1 01/31/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 1 01/31/2011 Security and Privacy in Cloud Computing.

Similar presentations

Ads by Google