
									Data Security on the Cloud




   Name: Joas Schilling
   E-Mail Address: schilljs@studi.informatik.uni-stuttgart.de
Table of Contents

   Definitions
   Security Advantages
   Risk of Cloud Computing
   Solutions
   Conclusion and Outlook




Definitions – Cloud Computing

   Definitions
       Cloud Computing
       Security / Data Security
   Security Advantages
   Risk of Cloud Computing
   Solutions
   Conclusion and Outlook




Definitions – Cloud Computing 2

   NIST: National Institute of Standards and Technology
       Definition of Cloud Computing, September 2011

       “Cloud Computing is a model for enabling … network access to
        a shared pool of configurable computing resources …”
                              http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909616



   Types of Resources
       Software
       Platform
       Infrastructure




Definitions – Cloud Computing 3

   Resources
       On-Demand
       Resource-pool
       Network-Access
       Measured service
       Rapid Elastic


   Deployment Models
       Private
       Community
       Public
       Hybrid: composed of 2 or more different models


Definitions – Security

   Confidentiality
       Unauthorized reading


   Integrity
       Unauthorized modification


   Availability
       Availability of the data to authorized users




Security Advantages – Private Users

   Definitions
   Security Advantages
       Private Users
       Enterprise Users
   Risk of Cloud Computing
   Solutions
   Conclusion and Outlook




Security Advantages – Private Users 2

   Private users
       Availability
            Anytime
            Anywhere


       Synchronisation
            Laptop
            Smartphone
            Desktop


       Back-Up
            Restore
                             Image: http://www.pcgameshardware.de




Security Advantages – Enterprise Users 2

   Enterprise users
       Unknown location
           Where to attack?!



       Easy Resource Allocation
           High-load => add additional resource


       Server Software
           Up-to-date
           No manual work required




Risk of Cloud Computing – “Advantages“

   Definitions
   Security Advantages
   Risk of Cloud Computing
       Problem of the Advantages
       Data Protection
       Further Problems
   Solutions
   Conclusion and Outlook




Risk of Cloud Computing – “Advantages“ 2

   Problems of the “Advantages”
       Server Software
           really up-to-date?


       Unknown Location
           Location is not really unknown
           Amazon EC2 placement




Risk of Cloud Computing – Amazon EC2

   Paper by Thomas Ristenpart 2009:
       Placing an instance on the same physical machine
       Cross-VM attacks

        Zone      # of victims   # of probes   coverage
        Zone 1          1             20         1 / 1
        Zone 1         10             20         5 / 10
        Zone 1         20             20         7 / 20
        Zone 2          1             20         0 / 1
        Zone 2         10             20         3 / 10
        Zone 2         20             20         8 / 20
        Zone 3          1             20         1 / 1
        Zone 3         10             20         2 / 10
        Zone 3         20             20         8 / 20
Risk of Cloud Computing – Cloud Providers

   Definitions
   Security Advantages
   Risk of Cloud Computing
       Problem of the Advantages
       Data Protection
           Current Cloud Providers
           Cloud Provider: Usability and Phishing
           Compliance Issues
       Further Problems
   Solutions
   Conclusion and Outlook


Risk of Cloud Computing – Cloud Providers 2

   Fraunhofer Institute SIT

   Problems of current Cloud Providers
       Registration and Login
            Username and password


       Transport Security
            SSL / TLS


       Encryption
            Stored encrypted


       Server Location
            EU / US / elsewhere
Risk of Cloud Computing – Cloud Providers 4

   Security Issues or Wrong Usage
       Google Docs
            Image: http://docs.google.com/File?id=dtfqs27_1f3vfmkcz_b


   Phishing
       Just username and password


   Cloud Provider Vulnerabilities
       SQL Injection salesforce.com




Risk of Cloud Computing – Compliance Issues 2

   Can Cloud Providers be forced to give access?

       Germany
           Federal Data Protection Act §11


       European Union
           Directive 95/46/EC => Safe Harbour
           EU standard contractual clauses (“EU-Mustervertragsklauseln”) for Microsoft's Office 365


       USA PATRIOT Act




Risk of Cloud Computing – Further Problems 2

   Migration to and from the Cloud
       Migrate to almost any Cloud
       Migrate from Google products: dataliberation.org


   Data Deletion
       Software as a Service
       Platform/Infrastructure as a Service




Solutions – Encryption

   Definitions
   Security Advantages
   Risk of Cloud Computing
   Solutions
       Encryption
       “Private” Cloud
       Cloud Provider Validation
   Conclusion and Outlook




Solutions – Encryption 2

   Encryption
       “Onion” encryption
           Example for onion encryption in databases




       Previous presentation



Solutions – “Private” Cloud 2

   “Private” Cloud
       ownCloud
            Access, Sync, Share




Solutions – Cloud Provider Validation 2

   Cloud Provider Validation
       SAP demands “Gold Standard”




       Berlin Group appeals to policymakers




Conclusion and Outlook 2

   Regulations need to be adjusted

   Cloud providers need to focus

   “Don’t believe that any utility company is going to run its
    billing for 50 million consumers on the cloud!”

                                   Leo Apotheker, 11/24/08, searchSAP.com




Conclusion and Outlook

   Definitions
   Security Advantages
   Risk of Cloud Computing
   Solutions
   Conclusion and Outlook
   References




References
   Ade Barkah. Security issues with Google Docs http://peekay.org/2009/03/26/security-issues-with-google-docs/ . March 2009.
   Richard Chow et al. Controlling data in the cloud: Outsourcing computation without outsourcing control. ACM Press, November 2009.
   Carlo Curino et al. Relational cloud: A database service for the cloud. January 2011.
   Fraunhofer Institute for Secure Information Technology. On the security of cloud storage services http://www.sit.fraunhofer.de/content/dam/sit/en/studies/Cloud-Storage-Security_a4.pdf . March 2012.
   Jonathan Rochelle, Product Manager, Google Docs. Just to clarify... http://googledocs.blogspot.de/2009/03/just-to-clarify.html . March 2009.
   Jason Kincaid. The AP reveals details of Facebook/ConnectU settlement with greatest hack ever http://techcrunch.com/2009/02/11/the-ap-reveals-details-of-facebookconnectu-settlement-with-the-best-hack-ever/ . February 2009.
   Stefan Krempl. Datenschuetzer formulieren Anforderungen an die Cloud http://www.heise.de/-1563975 . April 2012.
   Stefan Krempl. SAP fordert "Gold-Standard" fuer Datensicherheit in der Cloud http://www.heise.de/-1476078 . March 2012.
   P. Mell and T. Grance. The NIST definition of cloud computing http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909616 . September 2011.
   European Network and Information Security Agency. Cloud computing: benefits, risks and recommendations for information security http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment . November 2009.
   ownCloud. Lightning-fast innovation gives ownCloud's latest community release greater flexibility, ease-of-use http://owncloud.org/owncloud-4-release-annoucement/ . May 2012.
   Thomas Ristenpart et al. Hey, you, get off of my cloud! Exploring information leakage in third-party compute clouds. In Somesh Jha and Angelos Keromytis, editors, Proceedings of CCS 2009, pages 199 - 212. ACM Press, November 2009.
   Prof. Dr. Kurt Rothermel. Distributed systems, 2010.
   'Deleted' Facebook Photos Still Available http://www.zurmat.com/2012/02/07/%E2%80%98deleted%E2%80%99-facebook-photos-still-available/ . February 2012.

   All links were last followed on May 23, 2012.


