Presentation is loading. Please wait.

Presentation is loading. Please wait.

| nectar.org.au NECTAR TRAINING Module 8 Security.

Published byMyron Boone Modified over 9 years ago

Similar presentations

Presentation on theme: "| nectar.org.au NECTAR TRAINING Module 8 Security."— Presentation transcript:

1 communications@nectar.org.au | nectar.org.au NECTAR TRAINING Module 8 Security

2 Is cloud computing safe? What are the common security concerns, and how justified are they? Key security issues and consequences when running a virtual machine in the cloud. Practical advise for making your machine secure. Introduction to data encryption.

3 Security concerns Common perception: cloud computing poses a whole lot of new risks. But: Security is often as good as or better than in traditional systems—the cloud is professionally managed. More trust is needed in the administrators of cloud computing infrastructure!

4 Security concerns Source: The Databarracks 2014 Data Health report

5 Main lesson Human error is among the most common causes of data loss. Attending this course will enable to you minimise the human error. Module 5 provides a detailed overview of the steps you need to take.

6 General security threats

7 Cyber attack. Includes use of malware, DDoS attacks, phishing, fraud and exploitation of software vulnerabilities. Protection from the provider: Protection measures like firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or Network Access Control (NAC) Protection from you: Be careful which software you install, and only free up necessary ports in the firewall rules.

8 General security threats Hardware failure and data loss When hardware fails, the state of the VM and data may be lost. Protection from the provider: Create separate backups of all hard-drives. NeCTAR uses RAID systems on most storage types, but: “all care taken, no guarantees given”: you have to do your own backups. Protection from you: Backup your data and VM at regular intervals

9 General security threats Access security: Authentication, access control and data encryption: How secure are the services? Protection from the provider: Data encryption and complete deletion of resources which have been released. Protection from you: Access your services via secure connections only. Never share your private key with anyone! Encrypt your sensitive data. Request complete removal of your data.

10 Cloud specific security threats

11 Access to your data The cloud provider can potentially access the data that is on the cloud at any time. They can even be obliged to share information with third parties if necessary for purposes of law and order, even without a warrant. Protection from you: Encrypt your sensitive data.

12 Cloud specific security threats Data loss & leakage / Risks of multi-tenancy Risks of multi-tenancy: “Noisy neighbours” take up resources. Data leakage between tenants. Flaws in one client’s application could allow an attacker access to another clients data. Protection from provider: good protection software and setting it up securely. Protection from you: Encrypt your sensitive data; keep off-line backups of your data; securely erase storage when releasing it.

13 Cloud-specific threats Legal data ownership NeCTAR never lays claims on ownership of your data. Malicious insiders Intentional misuse of current/past access by a former employee, contractor, or other business. Availability / Lack of Internet: Service interruptions Protection from the provider: Ensure service availability best as possible. Protection from you: Choose a reliable Internet Provider.

14 Cloud-specific security threads Insufficient knowledge Human error: knowledge about the potential issues and risks is required to mitigate them. Protection by you: Pay attention in this Module and you will have the required knowledge to protect your resources adequately.

15 Hypervisor-specific vulnerabilities Fortunately, these security concerns can be addressed effectively in a well-managed cloud like NeCTAR. Hyperjacking Modifying the hypervisor to be malicious, or inserting a malicious hypervisor (a “rogue” hypervisor). VM Escape A malicious program manages to “escape” out of a virtual machine and compromising the hypervisor. VM Theft Theft of a virtual machine file electronically

16 Hypervisor-specific vulnerabilities What you can do to ensure protection: Install an Anti-Virus protection software. Regularly update your VM’s operating system.

17 Security benefits of the Cloud

18 Simplicity of Hypervisors Hypervisors are much simpler than traditional operating systems, and are therefore much easier to secure. Off-premise data storage Harder for someone to steal the data: they would have to break into the data center and identify the physical hard-drive. Data availability Object storage has great performance and data integrity.

19 Security benefits of the Cloud Hardware abstraction Unauthorized access on the physical machine (and manipulating it) more difficult. State restore It is easy to restore the state of a VM, and return to a state prior to an attack or data loss. External monitoring The hypervisor runs outside the VM and may also monitor for malware (in addition to the anti-virus on the VM).

20 Summary of your responsibilities Install an Anti Virus Protection on your instance. Regularly update your VMs operating system. Only free up necessary ports in the firewall rules. Do not install potentially harmful software on your VM. Encrypt sensitive data on the cloud storage to prevent unauthorized access. Regularly back up your data (see Module 9).

21 Summary of your responsibilities Securely erase all data when you release your storage resources (see Module 9). Always choose secure passwords! And never share your passwords or private ssh keys with anyone. Be aware of the risks: information given in this Module helps you to avoid potential security problems. [optional] Keep off-line backups of your important data – however only do this if you can store the backups at a safe place.

22 Cloud deployment models

23 Cloud Deployment Models Private cloud Owned by one organization (infrastructure on or off premises). Public cloud Computing services are publicly accessible over the Internet. Hybrid cloud Employing both private and public infrastructures. Using private infrastructure for sensitive data or processes only. Community cloud Shared by multiple organizations with common concerns.

24 Cloud Deployment models Private clouds are regarded as more secure because they provide more control over the data and equipment. However: setting up a private cloud infrastructure comes at a significant expense. A public cloud is instead more flexible and is often a more affordable investment. However: control of the cloud infrastructure is in the hands of the cloud provider.

25 Data encryption

26 File and Volume Encryption We can broadly distinguish two types of file encryption: 1.encrypting an entire volume and 2.encrypting individual files.

27 Why encrypt data? While access to your Object Store is secured with your OpenStack credentials, the transfer of your files via the network is not secure. Use per-file encryption To protect your data on a Volume against data breaches Use volume encryption

28 File encryption

29 Some tools for per-file encryptions include GnuPG AESCrypt Encrypted zip files Beware the standard zip encryption scheme which is not secure! On a Mac: Disk utility In this course we will learn how to use GnuPG. See On-Line Documentation for other tools.

30 File encryption GnuPG is an implementation of Pretty Good Privacy (PGP). PGP has excellent security. GnuPG is open-source and accessible through a variety of different clients and tools. You will have to generate a key pair to use GnuPG.

31 File encryption Exercise 1: Create a GnuPG key pair. Windows: Install GpgForWin www.gpg4win.org. Make sure Kleopatra is checked. www.gpg4win.org Kleopatra  File  New Certificate Mac OSX: Download & Install from www.gnupg.orgwww.gnupg.org Open “GPG Keychain”, click on “New” to generate key. Linux (Ubuntu): $ sudo apt-get install gpnupg $ gpg --gen-key

32 File encryption Exercise 2: Encrypt / decrypt a file with GnuPG. Windows: Right-click on file in the Windows explorer. Select “Sign and encrypt.” (“Decrypt and Verify” to decrypt) Select your key and click “Add”, then “Encrypt”, and finally “Finish”. Mac OSX: Right-click on file in the Finder. Select Services  OpenPGP: Encrypt file (OpenPGP:Decrypt to decrypt) Select the key and click “Ok”. Linux (Ubuntu): Encrypt: $ gpg --output --encrypt --recipient Decrypt: $ gpg --output --decrypt

33 Volume encryption

34 Disks which can be mounted are also suitable for Volume Encryption. Choose a passphrase and encrypt the whole volume. The encrypted drive will be mounted on the instance. Volume encryption is happening in the background. You can use the drive as usual.

35 Volume encryption Everyone who accesses your VM, can access your data. Limit access to your VM while decryption is active. The data cannot be accessed without the decryption keys from outside your instance. When your storage is released, all remnant data remains encrypted.

36 Volume Encryption New risks introduced: If you forget your password, access to your data will be lost forever. Drive can only be unlocked with the same encryption algorithm / tool. Read/Write Performance of the Volume will degrade.

37 Volume Encryption on Ubuntu The next exercise will encrypt your Volume on your Ubuntu instance. We will use a standard procedure on Linux to encrypt drives with the Linux Unified Key Setup (LUKS). Doing the exercise will erase all data on the volume! If you have any files on it, make sure to back them up first.

38 Volume Encryption on Ubuntu Exercise 3: Set up Volume Encryption. $ sudo lsblk -l to find out your device name (say it is vdc) $ mount | grep vdc and unmount the device if it is mounted: $ sudo umount /dev/vdc $ sudo apt-get install cryptsetup $ sudo modprobe dm-crypt $ sudo cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 -y /dev/vdc $ sudo cryptsetup luksOpen /dev/vdc MySecureDrive $ sudo mkfs.ext4 /dev/mapper/MySecureDrive $ sudo mkdir /MyMountedDrive $ sudo mount /dev/mapper/MySecureDrive /MyMountedDrive

39 Volume Encryption on Ubuntu Exercise 4 Release the drive: $ sudo umount /MyMountedDrive $ sudo cryptsetup luksClose MySecureDrive To re-enable encryption: $ sudo cryptsetup luksOpen /dev/vdc MySecureDrive $ sudo mount /dev/mapper/MySecureDrive /MyMountedDrive

40 Closing note Well done! You now are aware of general security concerns in the cloud, know how risks can be mitigated and know how to encrypt your data

41

42

Download ppt "| nectar.org.au NECTAR TRAINING Module 8 Security."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Let’s Talk About Cyber Security

Let’s Talk About Cyber Security
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
AmadeusCybersecurity: the essentials12 th November 2014 Alex van Someren Family Office Forum 12 th November 2014, Zurich Cybersecurity: the essentials.

AmadeusCybersecurity: the essentials12 th November 2014 Alex van Someren Family Office Forum 12 th November 2014, Zurich Cybersecurity: the essentials.
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Computer Referbishment The Demonstration. To Do… Virus Protection Schedule A Full System Scan Install Service Pack 3 Clean Up Tools Drive Formatting Install.

Computer Referbishment The Demonstration. To Do… Virus Protection Schedule A Full System Scan Install Service Pack 3 Clean Up Tools Drive Formatting Install.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
 Lesson 05: Computer Maintenance. Keep Software Up-To-Date Patches Security Holes Improves Software Stability Improves Software Performance Adds.

 Lesson 05: Computer Maintenance. Keep Software Up-To-Date Patches Security Holes Improves Software Stability Improves Software Performance Adds.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.

Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.
Internet safety By Lydia Snowden.

Internet safety By Lydia Snowden.
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Similar presentations

Ads by Google