
An Introduction to Issues Regarding
Data Integrity & Virtual Machine Security


What is Cloud Computing?
Data Management Issues
 Data Integrity
 Data Provenance
 Data Remanence
 Data Availability
Virtual Machine Security
 Cloud Mapping
 Co-Residence
 Side-Channeling
“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do… I don’t understand what we would do differently in the light of cloud computing other than change the wording of some of our ads.” - Larry Ellison
Confusion Exists, Not Without Reason
 The Future Of Computing for Business & Home
 An Old Concept Revisited

Cloud Computing is a method in which the internet is used as a medium to
enable resource and application sharing
 Remote Access To Centrally Stored Data & Applications
 Flexibility in Resource Sharing and Allocation
 Software as a Service (SaaS)
 Platform as a Service (PaaS)
 Infrastructure as a Service (IaaS)

[Figure: 2012 Sampling of Security Incidents by Attack Type, Time and Impact (labelled "2013 Figure 2 – H1" in the source). Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.]
Coverage: 20,000+ devices under contract; 3,700+ managed clients worldwide; 13B+ events managed per day; 133 monitored countries (MSS); 1,000+ security related patents
Depth: 14B analyzed web pages & images; 40M spam & phishing attacks; 64K documented vulnerabilities; billions of intrusion attempts daily; millions of unique malware samples

Data Integrity
 Cloud Service Provider (CSP) Concerns
 Third Party Auditing (TPA)
 Encryption and Multitenancy
Data Provenance
Data Remanence
Data Availability
 Elasticity
 CSP Related Downtime
 Malicious Attacks

Cloud Service Provider (CSP) Concerns
 CSP Security
▪ Data Transfer
▪ Data-at-Rest
 CSP Data Loss
▪ Unintentional
▪ Intentional
 Third Party Auditing
▪ The Auditor
▪ Support for Dynamic Data
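The following is a minimal version of the remote integrity check that third-party auditing builds on, added here as an illustration; it is not code from the slides or from any of the cited papers. The client tags every block with a keyed MAC before outsourcing, the auditor (holding the verification key) challenges a random subset of block indices, and the provider must return each challenged block with its tag. Dynamic data is handled by re-tagging the modified block. The block size, the classes, and the sample records are all constructed for this example. A real TPA scheme such as the Wang et al. papers in the references uses public-key tags so that the auditor needs neither the owner's secret key nor the plaintext; this HMAC toy deliberately leaves that out.

```python
import hashlib
import hmac
import os
import random
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 64  # bytes per block; small so the constructed sample splits into many blocks


def split_blocks(data: bytes, size: int = BLOCK_SIZE) -> List[bytes]:
    """Split outsourced data into fixed-size blocks (the last block may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def block_tag(key: bytes, index: int, block: bytes) -> bytes:
    """Keyed tag over (index, block). Binding the index means the provider cannot
    answer a challenge for block i with some other, intact block j."""
    return hmac.new(key, index.to_bytes(8, "big") + block, hashlib.sha256).digest()


class Provider:
    """Stand-in for the CSP's storage: it holds blocks and tags but never sees the key."""

    def __init__(self, blocks: List[bytes], tags: List[bytes]) -> None:
        self.blocks = list(blocks)
        self.tags = list(tags)

    def store(self, index: int, block: bytes, tag: bytes) -> None:
        self.blocks[index] = block
        self.tags[index] = tag

    def respond(self, challenge: List[int]) -> List[Tuple[int, bytes, bytes]]:
        """Proof of possession for the challenged indices: each block with its stored tag."""
        return [(i, self.blocks[i], self.tags[i]) for i in challenge]

    def silently_corrupt(self, index: int) -> None:
        """Simulated unintentional data loss (bit rot): one bit flips, the tag is untouched."""
        damaged = bytearray(self.blocks[index])
        damaged[0] ^= 0x01
        self.blocks[index] = bytes(damaged)


class Client:
    """Data owner: generates the key, tags the blocks, and re-tags on dynamic updates."""

    def __init__(self, data: bytes) -> None:
        self.key = os.urandom(32)
        self.blocks = split_blocks(data)

    def outsource(self) -> Provider:
        tags = [block_tag(self.key, i, b) for i, b in enumerate(self.blocks)]
        return Provider(self.blocks, tags)

    def update_block(self, provider: Provider, index: int, new_block: bytes) -> None:
        """Dynamic data: a modified block gets a fresh tag before it is pushed to the CSP."""
        self.blocks[index] = new_block
        provider.store(index, new_block, block_tag(self.key, index, new_block))


def audit(key: bytes, provider: Provider, num_blocks: int, sample: int,
          rng: Optional[random.Random] = None) -> Tuple[bool, List[int]]:
    """Auditor side: challenge a random sample of blocks and verify every returned tag.
    Returns (passed, list of failing block indices)."""
    rng = rng or random.SystemRandom()
    challenge = sorted(rng.sample(range(num_blocks), min(sample, num_blocks)))
    failed = [i for i, blk, tag in provider.respond(challenge)
              if not hmac.compare_digest(block_tag(key, i, blk), tag)]
    return (not failed, failed)


def demo() -> Dict[str, bool]:
    """Walk through intact storage, silent corruption, a legitimate update, and block swapping."""
    # Constructed sample: 40 fixed-width records standing in for a customer's outsourced file.
    data = b"".join(f"record {n:04d}: constructed sample payload\n".encode() for n in range(40))
    client = Client(data)
    provider = client.outsource()
    n = len(client.blocks)
    full = n  # challenge every block so the outcome of the walkthrough is deterministic
    results: Dict[str, bool] = {}
    results["intact_passes"] = audit(client.key, provider, n, full)[0]
    provider.silently_corrupt(3)
    results["bit_rot_detected"] = audit(client.key, provider, n, full) == (False, [3])
    client.update_block(provider, 3, b"x" * BLOCK_SIZE)
    results["update_passes"] = audit(client.key, provider, n, full)[0]
    # A provider that reorders blocks (tags included) is caught because the index is in the tag.
    provider.blocks[0], provider.blocks[1] = provider.blocks[1], provider.blocks[0]
    provider.tags[0], provider.tags[1] = provider.tags[1], provider.tags[0]
    results["swap_detected"] = audit(client.key, provider, n, full) == (False, [0, 1])
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

In production the challenge is a small random sample rather than every block, which keeps the audit cheap; a provider that has lost a fraction f of the blocks then escapes a c-block challenge with probability about (1 - f)^c, so the sample size is chosen from the loss rate the owner wants to detect. The constant-time comparison matters because the auditor's verdict is observable to the provider.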

Encryption & Multitenancy
 Multitenancy – Storage of data from multiple clients in a single repository
 Encryption cannot be used where the provider must index the stored data
 Encryption is largely irrelevant if data is analyzed on the cloud, as analysis requires decryption.

Data Provenance – Calculation Accuracy
 Shared resources mean shared responsibility
 Difficulty / Impossibility in tracking involved machines

Data Remanence – Data Cleansing
 “Ghost Data” – Left behind after deletion
 No remanence security plan for any major CSP
Cloud Service Provider (CSP) Concerns
Total Downtime (HH:MM:SS)

Availability   Per Day       Per Month    Per Year
99.999%        00:00:00.4    00:00:26     00:05:15
99.99%         00:00:08      00:04:22     00:52:35
99.9%          00:01:26      00:43:49     08:45:56
99%            00:14:23      07:18:17     87:39:29

Source: Mather, Tim; Kumaraswamy, Subra; Latif, Shahed. Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media, Inc., 2009
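To reproduce the downtime figures above rather than take them on trust, here is a small downtime-budget calculator, added as an example (it is not from the slides or from Mather et al.). It assumes a 365.25-day year and a 30.4375-day month (one twelfth of that year), a convention that reproduces the per-month and per-year columns to within a few seconds; the per-day column follows from 86,400 seconds. Some cells in the slide's table differ from this computation by a second or so, which comes from rounding choices in the source; the code truncates to whole seconds.

```python
from typing import Dict, Iterable

# Period lengths in seconds. Assumed convention: a 365.25-day year and a month of
# one twelfth of that year, which reproduces the slide's table to within seconds.
PERIOD_SECONDS: Dict[str, float] = {
    "day": 86_400,
    "month": 365.25 / 12 * 86_400,
    "year": 365.25 * 86_400,
}

AVAILABILITY_LEVELS = (99.999, 99.99, 99.9, 99.0)


def downtime_seconds(availability_pct: float, period: str) -> float:
    """Maximum downtime permitted by an availability guarantee over one period."""
    if not 0 <= availability_pct <= 100:
        raise ValueError("availability must be a percentage between 0 and 100")
    # Subtracting in percent first keeps the float error smaller than 1 - 0.9999 would.
    unavailable_fraction = (100.0 - availability_pct) / 100.0
    return unavailable_fraction * PERIOD_SECONDS[period]


def fmt_hms(seconds: float) -> str:
    """Render a duration as HH:MM:SS, truncating to whole seconds as the table does."""
    whole = int(seconds)
    hours, rem = divmod(whole, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


def downtime_table(levels: Iterable[float] = AVAILABILITY_LEVELS) -> Dict[float, Dict[str, str]]:
    """Downtime budget for each availability level and period, formatted like the slide."""
    return {lvl: {p: fmt_hms(downtime_seconds(lvl, p)) for p in PERIOD_SECONDS}
            for lvl in levels}


def availability_needed(max_downtime_seconds: float, period: str) -> float:
    """Inverse question for SLA negotiation: which availability (in percent) keeps
    downtime within a given budget over the period?"""
    return 100.0 * (1.0 - max_downtime_seconds / PERIOD_SECONDS[period])


if __name__ == "__main__":
    print(f"{'Availability':<14}{'Per Day':<12}{'Per Month':<12}Per Year")
    for lvl, row in downtime_table().items():
        print(f"{lvl:<14}{row['day']:<12}{row['month']:<12}{row['year']}")
```

Running the script prints the same four rows as the slide; the inverse function is the one to reach for when a contract states a downtime allowance in hours and the question is how many nines that actually is.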
Malicious Attacker Concerns
Distributed Denial of Service (DDoS)
Uses Port Flooding to Slow Systems or Force Server Resets.
• External Attack Models
  • Similar to Traditional Strikes
  • Cloud Usage as Attacker
• Internal Attack Models
  • Protection Responsibility Lies on the User
  • CSP Would Need to Detect
Source: http://blog.bkis.com/en/korea-and-us-ddos-attacks-the-attacking-source-located-in-united-kingdom/



Up-Time
Jurisdiction
Data Ownership
 Escrow Data? Metadata?
Exit Clause
Testing for
 Disaster Recovery
 Incident Response
 E-Discovery
Right to Audit

Cloud Mapping
Co-Residence
Side-Channeling
Certificate Management

Cloud Mapping
Co-Residence
Side-Channeling
Source for the three slides above: Ristenpart, Thomas; Tromer, Eran; Shacham, Hovav; Savage, Stefan. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. CCS '09, November 9-13, 2009, Chicago, Illinois, USA. Copyright 2009.

References

Armbrust, Michael; Fox, Armando; Griffith, Rean; Joseph, Anthony D.; Katz, Randy; Konwinski, Andy; Lee, Gunho; Patterson, David; Rabkin, Ariel; Stoica, Ion; Zaharia, Matei. 2010. A view of cloud computing. Commun. ACM 53, 4 (April 2010), 50-58. DOI=10.1145/1721654.1721672 http://0doi.acm.org.catalog.library.colostate.edu/10.1145/1721654.1721672

Brodkin, Jon. Gartner: Seven cloud-computing security risks. Network World. July 02, 2008 03:48 PM ET. http://www.networkworld.com/news/2008/070208-cloud.html

Christodorescu, Mihai; Sailer, Reiner; Schales, Douglas Lee; Sgandurra, Daniele; Zamboni, Diego. 2009. Cloud security is not (just) virtualization security: a short paper. In Proceedings of the 2009 ACM workshop on Cloud computing security (CCSW '09). ACM, New York, NY, USA, 97-102. DOI=10.1145/1655008.1655022 http://doi.acm.org/10.1145/1655008.1655022

Cong Wang; Qian Wang; Kui Ren; Wenjing Lou. "Privacy-Preserving Public Auditing for Data Storage Security in Cloud Computing," INFOCOM, 2010 Proceedings IEEE, pp. 1-9, 14-19 March 2010. doi: 10.1109/INFCOM.2010.5462173 URL: http://0ieeexplore.ieee.org.catalog.library.colostate.edu/stamp/stamp.jsp?tp=&arnumber=5462173&isnumber=5461899

Cong Wang; Qian Wang; Kui Ren; Wenjing Lou (Dept. of ECE, Illinois Inst. of Technol., Chicago, IL, USA). In Quality of Service, 2009. IWQoS. 17th International Workshop on, 13-15 July 2009, Charleston, SC, pp. 1-9. ISSN: 1548-615X; E-ISBN: 978-1-4244-3876-1; Print ISBN: 978-1-4244-3875-4; INSPEC Accession Number: 10834827. DOI: 10.1109/IWQoS.2009.5201385. Date of Current Version: 18 August 2009.

Furht, Borko. "Cloud Computing Fundamentals." In Handbook of Cloud Computing, ed. B. Furht & A. Escalante, May 2010, 3-19.

Grossman, R.L. "The Case for Cloud Computing," IT Professional, vol. 11, no. 2, pp. 23-27, March-April 2009. doi: 10.1109/MITP.2009.40 URL: http://0ieeexplore.ieee.org.catalog.library.colostate.edu/stamp/stamp.jsp?tp=&arnumber=4804045&isnumber=4804034

Jaeger, Paul T.; Lin, Jimmy; Grimes, Justin M. Cloud Computing and Information Policy: Computing in a Policy Cloud? 933-1681, 2008, vol. 5, no. 3, pp. 269-283.

Jensen, Meiko; Schwenk, Jörg; Gruschka, Nils; Lo Iacono, Luigi. "On Technical Security Issues in Cloud Computing," 2009 IEEE International Conference on Cloud Computing (CLOUD), pp. 109-116, 2009.

Jinpeng Wei; Xiaolan Zhang; Glenn Ammons; Vasanth Bala; Peng Ning. 2009. Managing security of virtual machine images in a cloud environment. In Proceedings of the 2009 ACM workshop on Cloud computing security (CCSW '09). ACM, New York, NY, USA, 91-96. DOI=10.1145/1655008.1655021 http://doi.acm.org/10.1145/1655008.1655021

Kaufman, L.M. "Data Security in the World of Cloud Computing," IEEE Security & Privacy, vol. 7, no. 4, pp. 61-64, July-Aug. 2009. doi: 10.1109/MSP.2009.87 URL: http://0ieeexplore.ieee.org.catalog.library.colostate.edu/stamp/stamp.jsp?tp=&arnumber=5189563&isnumber=5189548

Krautheim, John F. 2009. Private virtual infrastructure for cloud computing. In Proceedings of the 2009 conference on Hot topics in cloud computing (HotCloud'09). USENIX Association, Berkeley, CA, USA, 5-5.

Leavitt, Neal. 2009. Is Cloud Computing Really Ready for Prime Time? Computer 42, 1 (January 2009), 15-20. DOI=10.1109/MC.2009.20 http://dx.doi.org/10.1109/MC.2009.20

Lizhe Wang; Jie Tao; Kunze, M.; Castellanos, A.C.; Kramer, D.; Karl, W. (Res. Center Karlsruhe, Hermann-von-Helmholtz-Platz 1, Inst. for Sci. Comput., Karlsruhe). Scientific Cloud Computing: Early Definition and Experience.

Mather, Tim; Kumaraswamy, Subra; Latif, Shahed. Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media, Inc., 2009.

Wang, Qian; Wang, Cong; Li, Jin; Ren, Kui; Lou, Wenjing. Enabling Public Verifiability and Data Dynamics for Storage Security in Cloud Computing. In Computer Security – ESORICS 2009 (Lecture Notes in Computer Science, vol. 5789), ed. Michael Backes and Peng Ning. Springer Berlin / Heidelberg, 2009, pp. 355-370. DOI: 10.1007/978-3-642-04444-1_22 http://dx.doi.org/10.1007/978-3-642-04444-1_22

Ristenpart, Thomas; Tromer, Eran; Shacham, Hovav; Savage, Stefan. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. CCS '09, November 9-13, 2009, Chicago, Illinois, USA. Copyright 2009.

Santos, Nuno; Gummadi, Krishna P.; Rodrigues, Rodrigo. 2009. Towards trusted cloud computing. In Proceedings of the 2009 conference on Hot topics in cloud computing (HotCloud'09). USENIX Association, Berkeley, CA, USA, 3-3.

Trend Micro Security (white paper). Cloud Computing Security: Making Virtual Machines Cloud-Ready. May 2010.