Cloud-Security:
Show-Stopper or Enabling Technology?
Claudia Eckert
Fraunhofer-Institute for Secure Information Technology (SIT), Technische Universität München
Open Grid Forum, 16.3.2010, Munich
1. Cloud-Computing
Cloud: a pool of networked IT components

Cloud characteristics:
• Resources are provided on demand
• Users don't have to maintain/operate their own infrastructure
• An 'unlimited' amount of resources: capacities can be added dynamically
  • Scalability, flexibility, on-demand usage
• Access to outsourced data: at any time, from anywhere
1. Cloud-Computing

Main aspects forming the Cloud:
• Types
• Features
• Models/Modes
• Stakeholders
• Benefits
• And: legislation!

1. Cloud-Computing: Types

Figure: layers from bottom to top are virtualization, infrastructure layer, platform layer and software layer; the corresponding service types are IaaS, PaaS and SaaS, with the user/customer on top.

Infrastructure-as-a-Service (IaaS)
e.g. Elastic Compute Cloud (Amazon): provides virtual servers

Platform-as-a-Service (PaaS)
e.g. Google App Engine: framework for application development & upload

Software-as-a-Service (SaaS)
1. Cloud-Computing: Show-Stopper Security?
2. Security Implications
• Users: e.g. enterprises
2. Security implications: Scenario
Figure: an enterprise and an end user consume services (collaboration service, e-mail service, backup service, social network) that are spread across Cloud-provider #1, Cloud-provider #2 and Cloud-provider #3.
2. Security Implications
Cloud characteristics and their effects on security:
• Resources are provided on demand
  • Confidentiality? Where is 'my' data (in which country?), which crypto regulation rules apply, e.g. key-escrow requirements?
• 'Unlimited' amount of resources
  • Privacy? Compliant with privacy legislation?
• Development of new web applications as services
  • Trustworthiness of the cloud service? How does the cloud platform handle access rights, key management, certificate management, etc.?
• Access to outsourced data: at any time, from anywhere
  • Availability? Which measures against DoS, risk of data lock-in, ...
2. Security Implications

Top threats in cloud computing (source: http://cloudsecurityalliance.org/topthreats.html):
• Abuse of cloud computing resources
• Shared technology vulnerabilities
• Data loss / leakage
• Insecure application programming interfaces
• Account, service & traffic hijacking
• Malicious insiders
• Unknown risk profile

Some threats in more detail

2. Security Implications: Abuse of cloud computing resources

Problem statement:
• IaaS providers offer 'unlimited' resource usage coupled with a frictionless registration process, i.e. users can act relatively anonymously
• Spammers, malicious code authors and other attackers take advantage of that
• Attacks like DDoS, password cracking, controlling botnets, ...

Remediations, e.g.:
• Improved initial registration and validation processes
3. Attacks
Example: virtualization layer
• Vulnerable VM monitor: access to all data

Possible attack scenario
• Distribution of virtual machines via public marketplaces
• Amazon Machine Image (AMI) marketplace for EC2. Amazon: "AMIs are launched at the user's own risk. Amazon cannot vouch for the integrity or security of AMIs shared by other users. […] Ideally, you should get the AMI ID from a trusted source (a web site, another user, etc). If you do not know the source of an AMI, we recommended that you search the forums for comments on the AMI before launching it."
• Attack: setup of botnets, information leakages, ...
3. Attacks
DDoS attack on Bitbucket.org (hosted on Amazon EC2)
3. Attacks

Cracking keys in the Cloud (10/2009)
• Costs of breaking a PGP key (brute-forcing its passphrase) using EDPR (Elcomsoft Distributed Password Recovery) on Amazon EC2 resources
source: http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html

3. Attacks

Misuse of Google App Engine for controlling botnets (11/2009)
Risk Assessment
Cloud Security Study from Fraunhofer SIT, see: http://www.sit.fraunhofer.de/EN/News1.jsp
Aim: Framework and guidelines for risk assessments
Classification: Application and Platform; Infrastructure; Administration; Compliance

Security areas covered:
• Data protection
• Legal framework
• Governance
• Interoperability and portability
• Testing
• Key management
• Host
• Virtualization
• Network
• Data security
• Security as a service
• Application security
• Physical security
• Identity and access management
• Platform security
• Risk management
4. Identity Management in the Cloud
Core IdM challenges
• Identity provisioning and deprovisioning
  • Secure and timely management of on-boarding (provisioning) and off-boarding (deprovisioning) of users in the cloud
  • Extend the user management processes within an enterprise to cloud services
• Authorization & user profile management
  • Establishing trusted user profile and policy information to control access within the cloud service, and doing this in an auditable way
• Delegation and federation
  • Exchanging identity attributes securely and in a trustworthy manner
  • Establishing an identity lifecycle management
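The provisioning/deprovisioning and auditability points above, as an added example that is not code from the talk or from Fraunhofer SIT: a reconciliation check that compares the enterprise directory with the account list of a cloud tenant, flags accounts that should have been deprovisioned, roles exceeding the user's entitlement, stale accounts and entitled users who were never provisioned, and emits one audit record per decision. The directory users, cloud accounts and the group-to-role entitlement policy are constructed for the example.

```python
"""Reconcile an enterprise directory with a cloud tenant's account list.

Added example, not code from the talk. Finds accounts that should have been
deprovisioned, roles that exceed the user's entitlement, stale accounts and
entitled users who were never provisioned, and writes an audit record per action.
Directory, tenant and policy data below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DirectoryUser:
    uid: str
    active: bool            # False once HR has off-boarded the person
    groups: frozenset


@dataclass(frozen=True)
class CloudAccount:
    uid: str
    role: str               # role held inside the SaaS tenant
    last_login: datetime


# Assumed entitlement policy: directory group -> role in the cloud tenant.
ROLE_FOR_GROUP = {"sales": "user", "sales-admins": "admin"}
ROLE_RANK = {"user": 1, "admin": 2}


def expected_role(user):
    """Highest role the user's directory groups entitle them to, or None."""
    roles = [ROLE_FOR_GROUP[g] for g in user.groups if g in ROLE_FOR_GROUP]
    return max(roles, key=ROLE_RANK.get) if roles else None


def reconcile(directory, cloud_accounts, now, max_idle=timedelta(days=90)):
    """Return (actions, audit): actions are (uid, action, reason) tuples in a
    deterministic order; audit is one timestamped record per action."""
    by_uid = {u.uid: u for u in directory}
    seen = set()
    actions = []
    for acct in sorted(cloud_accounts, key=lambda a: a.uid):
        seen.add(acct.uid)
        user = by_uid.get(acct.uid)
        want = expected_role(user) if user is not None and user.active else None
        if want is None:
            why = "no directory entry" if user is None else "directory user disabled or not entitled"
            actions.append((acct.uid, "deprovision", why))
        elif acct.role != want:
            actions.append((acct.uid, f"set-role:{want}", f"holds {acct.role}, entitled to {want}"))
        elif now - acct.last_login > max_idle:
            actions.append((acct.uid, "disable", f"idle since {acct.last_login.date()}"))
    for user in sorted(directory, key=lambda u: u.uid):
        want = expected_role(user) if user.active else None
        if want is not None and user.uid not in seen:
            actions.append((user.uid, f"provision:{want}", "entitled but absent"))
    audit = [{"ts": now.isoformat(), "uid": u, "action": a, "reason": r}
             for u, a, r in actions]
    return actions, audit


# Constructed sample data (not real users).
NOW = datetime(2010, 3, 16, tzinfo=timezone.utc)
DIRECTORY = [
    DirectoryUser("alice", True, frozenset({"sales"})),
    DirectoryUser("bob", False, frozenset({"sales"})),                  # left the company
    DirectoryUser("carol", True, frozenset({"sales", "sales-admins"})),
    DirectoryUser("dave", True, frozenset({"sales"})),                  # never provisioned
]
CLOUD = [
    CloudAccount("alice", "admin", NOW - timedelta(days=3)),    # more than entitled
    CloudAccount("bob", "user", NOW - timedelta(days=40)),      # off-boarded, still active
    CloudAccount("carol", "admin", NOW - timedelta(days=120)),  # stale
    CloudAccount("mallory", "user", NOW - timedelta(days=1)),   # no directory entry
]

if __name__ == "__main__":
    for rec in reconcile(DIRECTORY, CLOUD, NOW)[1]:
        print(rec)
```

The directory is treated as the single source of truth: anything the tenant grants beyond what the directory entitles is an action, and the audit list is what makes the run reviewable afterwards. Run it on a schedule short enough that an off-boarded user's cloud access is closed within the time your policy tolerates.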
4. Identity Management in the Cloud
Authentication scenario (figure): user A of an enterprise accesses cloud-based SaaS services (e.g. a mail service); authentication is delegated to a cloud-based authentication service (e.g. FireID), a one-time password (OTP) authentication service.
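The exchange in the scenario above, as an added example that is neither the talk's nor FireID's code: a token held by user A and a cloud-based authentication service that share a secret, using HOTP (RFC 4226) as the concrete one-time password scheme. The service accepts a code only within a small look-ahead window and then advances the user's counter past it, so a captured code cannot be replayed. The shared secret is the RFC 4226 test key, so the generated codes match the RFC's published test vectors; the user name and window size are assumptions.

```python
"""One-time password (OTP) authentication between a token and a cloud-based
authentication service. Added example, not the talk's or FireID's code: it uses
HOTP (RFC 4226) as the concrete OTP scheme. The shared secret is the RFC 4226
test key, so the codes match the RFC's published vectors.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a `digits`-digit decimal code (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """Client side (what user A carries): generates the next code and advances."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class AuthService:
    """Cloud-based authentication service: keeps the per-user secret and the
    next expected counter. A code is accepted only if it matches one of the
    next `window` counters (tolerates codes the user generated but never
    submitted); the counter then moves past it, so a replayed code is rejected."""
    def __init__(self, window: int = 5):
        self.users = {}      # uid -> [secret, next counter]
        self.window = window

    def enroll(self, uid: str, secret: bytes) -> None:
        self.users[uid] = [secret, 0]

    def verify(self, uid: str, code: str) -> bool:
        if uid not in self.users:
            return False
        secret, counter = self.users[uid]
        for c in range(counter, counter + self.window):
            # constant-time comparison of the expected and submitted codes
            if hmac.compare_digest(hotp(secret, c).encode(), code.encode()):
                self.users[uid][1] = c + 1
                return True
        return False


RFC4226_SECRET = b"12345678901234567890"   # test key from RFC 4226 Appendix D


def demo():
    """Enterprise user A (assumed uid "userA") logs in to a SaaS service, skips
    one code, logs in again, then a captured code is replayed."""
    service = AuthService()
    service.enroll("userA", RFC4226_SECRET)
    token = Token(RFC4226_SECRET)
    first = token.next_code()                                    # counter 0
    results = [service.verify("userA", first)]
    token.next_code()                                            # counter 1, never submitted
    results.append(service.verify("userA", token.next_code()))   # counter 2, inside window
    results.append(service.verify("userA", first))               # replay of counter 0
    return results


if __name__ == "__main__":
    print(demo())
```

The SaaS service never sees the secret: it only asks the authentication service whether the submitted code is valid for the user, which is the delegation the scenario shows. Keeping the look-ahead window small bounds how many codes an attacker can try per captured counter state.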
Thank you for your kind attention
Contact: Claudia Eckert
Fraunhofer Institute for Secure Information Technology
Tel: +49 89 3 22 99 86-292, +49 6151 869-285