
Cloud Security Policies

By M. J. Hill & Casey Cook


Presentation Transcript


  1. Cloud Security Policies
     By M. J. Hill & Casey Cook

  2. Outline
     • General
     • SaaS
     • PaaS
     • IaaS
     • Botnet

  3. General
     • Location
     • Cloud providers can have data centers distributed worldwide
     • Legal issues
     • Different levels of security
     • Principle of weakest link
     • Virtualization
     • Escaping the virtual machine can potentially lead to a compromise of the cloud
     • Authentication
     • Internet and customer support

  4. General
     • Recovery
     • Data backups
     • User specifies cloud location; what about backup?
     • Redundancy

  5. SaaS
     • Strengths
       • Limited attack surface
       • Harder for attackers to find a weakness
       • Limited access
     • Weaknesses
       • Session hijacking
       • Most use web-based interfaces and are vulnerable because of these interfaces
       • Data being used by the cloud can't be encrypted
       • No control over how data is stored
       • Data can be stored in plain text with only the API preventing unauthorized access

  6. SaaS
     • Policy Solutions
       • Disable all debugging
       • Monitoring tool for unusual access of data
       • Encrypt data at rest
       • Role-based access to data
       • Multi-part log in

  7. PaaS
     • Strengths
       • Pay as you go
       • Allows VMs to only be active when needed and can limit the time available for attack
       • Easy to replace compromised VMs
       • Host can force certain VMs to ensure security updates
       • Limit attack surface
       • No communication between VMs

  8. PaaS
     • Weaknesses
       • Pay as you go
       • A VM can be infected, but it goes unnoticed for longer because the VM doesn't run all the time
       • If there is no processing cap, one VM can starve (DoS) others on the same hardware
       • Encryption key must be stored on the VM for it to use/decrypt data
       • Attacking the hypervisor can bring down a physical machine or give an attacker access to all the virtual machines
       • VMs can be cloned and then attacked later
       • Admin can access VM when powered off

  9. PaaS
     • Policy Solutions
       • Resource cap on VMs
       • Force patch updates
       • No VM communication
       • Force slack space to be 0/1 or clean physical space when creating new VM and copy entire disk when moving
       • Multiple Admin
       • Log all Admin actions

  10. IaaS
     • All the strengths and weaknesses of PaaS
     • Strengths
       • Easy to replace a compromised virtual machine
       • Can implement modern prevention systems
     • Weaknesses
       • Virtual Network has to be updated by customer
       • One customer who doesn't keep his IaaS secure can compromise an entire cloud
       • A compromised virtual machine can potentially allow an attacker to listen to all network traffic
       • Admin has access to virtual environment
         • can monitor traffic and VMs

  11. IaaS
     • Policy Solutions
       • Switches over hubs and bridges
       • Ignore changes in MAC
       • Reject modified outbound MACs
       • Prevent NICs from listening to any transmission not for their MAC
       • Multiple Admin
       • Log all Admin actions
       • Training
       • Paid solutions (partnered) for IDS, IPS, and firewall on both machines and network traffic

  12. Botnets
     • A bot is a partially autonomous piece of software that can be controlled remotely.
     • The person controlling a bot is referred to as a botmaster.
     • A group of bots under the control of a botmaster is called a botnet.

  13. Botnets
     • A botnet is constructed by installing the bot software on a target machine. This allows the machine to contact the botmaster and be made part of the botnet.
     • The botnets can be very large. For example, the BredoLab botnet was estimated to contain 30 million bots.

  14. Botclouds
     • Rather than build a network of infected machines, botmasters can now use cloud services to build a botnet.
     • Botmasters purchase a large number of machines from a cloud service provider and install the bot on each one.

  15. Botclouds vs. Botnets - Creation and Usage
     • A traditional botnet could take a substantial amount of time to build, but a botcloud could be made operational in minutes.
     • A botnet could lose power if any number of infected machines became powered off or unavailable.
     • A botcloud, on the other hand, would have constant access to its bots.

  16. Botnets vs. Botclouds - Usage
     • A botnet cannot fully utilize the processor or resources of an infected machine due to the constant threat of detection and computer use by the owner.
     • A botcloud can be fully utilized with no fear of interruption.

  17. Botnets vs. Botclouds - Types of Attacks
     • DDoS
     • Sending spam and malware
     • Click Fraud

  18. Botnets vs. Botclouds - Detection
     • Honeypots and intrusion detection tools are typically used to discover the presence of botnets.
     • Porting these methods to defend against botclouds is not an easy, straightforward process.

  19. Botnets vs. Botclouds - Detection
     • Deploying honeypots in the cloud requires that a cloud vendor monitors all activity on all or a subset of machines used by the cloud vendor's customers.
     • Deploying intrusion detection would require working closely with each individual customer to establish the normal incoming traffic baseline for the IDS; this is probably impractical.

  20. Botclouds
     • Incorporating the two aforementioned solutions into a cloud vendor's security policy might be a hard sell to customers. On one hand, security of the system could be increased, but it could come at the cost of privacy of non-malicious users.
     • The paper mentioned extrusion detection as a possible alternative.

  21. Hybrid botnet/botcloud
     • Would it be possible to increase the power of an existing botnet by incorporating a botcloud into it?
     • Would it make the attacker harder to catch if they could dramatically scale the size of their botnet up or down using a botcloud?

  22. Questions?
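
Added example (not part of the original slides): a toy virtual switch that enforces the three MAC rules from slide 11, namely ignoring MAC changes, rejecting modified outbound MACs, and delivering frames only to the addressed NIC. The class and function names are hypothetical and the MAC addresses are constructed sample values.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Port:
    name: str
    assigned_mac: str                  # MAC the provider assigned to this vNIC
    wants_promiscuous: bool = False    # what the guest asks for; never honoured
    inbox: list = field(default_factory=list)

class VirtualSwitch:
    def __init__(self):
        self.ports, self.events = {}, []

    def attach(self, port):
        self.ports[port.name] = port

    def request_mac_change(self, name, new_mac):
        # Rule 1: ignore guest-initiated MAC changes; the assigned MAC stays.
        self.events.append((name, "mac-change-ignored", new_mac))
        return self.ports[name].assigned_mac

    def transmit(self, name, src_mac, dst_mac, payload):
        sender = self.ports[name]
        # Rule 2: reject outbound frames whose source MAC was modified.
        if src_mac.lower() != sender.assigned_mac:
            self.events.append((name, "forged-source-dropped", src_mac))
            return []
        delivered = []
        for port in self.ports.values():
            # Rule 3: switch, not hub. A port only receives frames addressed
            # to its own MAC (or broadcast), whatever mode the guest requested.
            if port is not sender and dst_mac.lower() in (port.assigned_mac, BROADCAST):
                port.inbox.append((src_mac, payload))
                delivered.append(port.name)
        return delivered

def demo():
    # Constructed sample: three tenant VMs; vm-c is the misbehaving one.
    sw = VirtualSwitch()
    for name, mac, promisc in [("vm-a", "02:00:00:00:00:0a", False),
                               ("vm-b", "02:00:00:00:00:0b", False),
                               ("vm-c", "02:00:00:00:00:0c", True)]:
        sw.attach(Port(name, mac, promisc))
    normal = sw.transmit("vm-a", "02:00:00:00:00:0a", "02:00:00:00:00:0b", b"hello")
    forged = sw.transmit("vm-c", "02:00:00:00:00:0b", "02:00:00:00:00:0a", b"spoof")
    kept = sw.request_mac_change("vm-c", "02:00:00:00:00:0b")
    return normal, forged, kept, sw.ports["vm-c"].inbox, sw.events
```

The event list is what a provider would feed into the monitoring the slides call for: each dropped frame or ignored MAC change names the port that attempted it.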
