
Security in the Clouds

Professor Sadie Creese, London Hopper 2010, May 2010


Presentation Transcript


  1. Security in the Clouds. Professor Sadie Creese, London Hopper 2010, May 2010

  2. What is cloud computing?

  3. Service Model (diagram; examples shown: Gmail, Google Docs; Google App Engine; Amazon S3/SimpleDB; VMWare/XEN; Amazon EC2)

  4. Cloud Market Drivers
     • Enterprise Drivers
       • Compression of deployment cycles
       • Instant upgrade and try-it-out
       • Elasticity
       • Cost alignment
       • Reduction of IT team costs
       • Accessibility and sharing
       • Dependability
       • Waste reduction and carbon footprint
     • Consumer drivers
       • Up to speed with latest apps
       • Pay-as-you-use
       • Accessibility and sharing
       • Dependability

  5. Cloud Ecosystems (diagram: User, Broker, multiple VMs)

  6. Why are we concerned?

  7. Significant investment
     • Services market currently at $56b, $150b in 2013 (Gartner March 09)
     • Services market to be worth $160b in 2011 (Merrill Lynch May 08)
     • Services market currently worth $16.2b, $42b in 2012 (IDC Dec 08)
     • Hosted apps market currently at $6.4b, $14.8b in 2012 (Gartner Dec 08)

  8. Large Cloud Application Service Provider Space (extract from slides: “Prophet a Path out of the cloud”, Best Practical, presented at O’Reilly Open Source Conf, 2008)

  9. People Are Worried
     • Key barriers to uptake, as recognised in the community:
       • Data security concerns
       • Privacy compromise/practice
       • Service dependability and QoS
       • Loss of control over IT and data
       • Management difficulties around performance, support and maintenance
       • Service integration
       • Lock-in
       • Usability
       • Lack of market maturity

  10. What’s different about the Cloud?

  11. Scale and Business Models
     • Length and depth of relationships
     • Mobility of data
     • Volumes of data
     • Nature of data (more sensitive)
     • Lack of perimeter
     • Global nature
     • Location of control

  12. Futures – Scenarios
     • High Cost/Low Payback for an attacker. Most successful threat agents, likely to be insiders within the silo.
     • High Cost/High Payback for an attacker. Most successful threat agent, likely to be insider managing resource distribution or a malicious service provider.
     • Low Cost/Low Payback for an attacker. Threat agents will include external attackers utilising a mixture of technology and social engineering.
     • Low Cost/High Payback for an attacker. External attackers using the distributed scale to attack multiple systems and users simultaneously, e.g. bot and application framework based attacks.

  13. Thinking Like an Attacker

  14. (A few) potential future attack scenarios
     • Denial of service
       • resource consumption, traffic redirection, inter-cloud and user to cloud
     • Trojan Clouds
       • Imitate providers, infiltrate supply chains, sympathetic cloud
     • Inference Attacks
       • Due to privileged (~admin) roles, cohabiting risks (via hypervisor)
     • Application Framework attacks
       • Repeatable, pervasive
     • Sticky Clouds
       • Lack of responsiveness, complex portability
     • Onion storage
       • Moving global location, fragmenting, encrypting
     • Covert channels within the cloud network across services

  15. And?

  16. (A few) Implications for Security
     • Regulatory/Legislation
       • Nothing is transparent about data handling in cloud, privacy protection
     • Investigations
       • Technical forensics and legal, across borders
     • Monitoring/Auditing
       • Mechanisms
     • Encryption
       • At some point decryption happens for anything other than storage...
       • Recent IBM breakthrough indicates potential for processing encrypted data but not practical yet.
     • Contracting/Due Diligence
       • Service Level Agreements

  17. Our current research directions...
     • Digital Forensics
     • Vulnerability Models / Threat Models and Cascade Effects
     • Service Level Agreements
     • Enterprise Capability Maturity Model
     • Designing in Privacy -> via patterns and architectures
     • Insider Threat Detection

  18. Thank you. Questions?
