Security in Cloud Computing
Thanks to Research talk at UA | Ragib Hasan | UAB CIS 12/02/11
Calvin Vreeland

• How do you know data in cloud is safe and
• Even reputable providers can be hacked

What the “experts” are

John Chambers: [Cloud Computing] is a security nightmare and it can't be handled in traditional ways.

Richard Stallman, GNU: It’s stupidity. It’s worse than stupidity

Businesses don’t trust clouds (yet)

Almost 75% of business CFOs are still afraid to use clouds for data due to lack of

Traditional systems security        Cloud Computing Security

Securing a traditional              Securing a cloud

Securing a house                    Securing a motel

Owner and user are often            Owner and users are almost
the same entity                     invariably distinct entities

Biggest user concerns               Biggest user concern
  Securing perimeter                  Securing room against
  Checking for intruders              (the bad guy in next
  Securing assets                     room | hotel owner)

Cloud security involves securing across multiple dimensions of the cloud
• Data and computation integrity and confidentiality
• Data Privacy
• topology
• Networking
• Forensics

Research on Cloud Computing Security: A High Level View
•   Novel attacks
•   Trustworthy cloud architectures
•   Data integrity and availability
•   Computation integrity
•   Data and computation privacy
•   Data forensics
•   Misbehavior detection
•   Malicious use of clouds
•   Economic attacks

Co-tenancy in clouds creates new attack vectors
A cloud is shared by multiple users

Malicious users can now legally be in the same infrastructure
Misusing co-tenancy, attackers can launch side channel attacks on victims

Side channel attack: any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms. E.g., timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information which can be exploited to break the system

Example: the Topology attack on Amazon EC2 (“Hey You! Get off of my Cloud …” CCS 2009)

Today’s cloud architectures act like big black boxes
Clients have no idea of or control over what is happening inside the cloud

Clients are forced to trust cloud providers completely

Existing Approaches: TCCP (uses TPM), CloudProof
The Trusted Platform Module (TPM) installed on certain motherboards is an extra chip that is designed to aid in the generation of certain types of cryptographic keys to use in various parts of the computer.

Today’s clouds provide no guarantee about outsourced data
Dishonest cloud providers can throw data away or lose data.
Malicious intruders can delete or tamper with data.
Clients need reassurance that the outsourced data is available, has not been tampered with, and remains

Example Approaches: Provable Data Possession (PDP), Proof of Retrievability (PoR), HAIL
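
A simplified spot-check audit in the spirit of the approaches named above, added here as an example (it is not PDP, PoR or HAIL, which use more compact proofs): the client tags each block with a keyed MAC before upload and later challenges random blocks, and the last function shows how detection probability grows with the number of challenges. Function names, block size and the sample data are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

BLOCK_SIZE = 64  # bytes per block (small, so the constructed sample spans many blocks)


def _tag(key: bytes, idx: int, block: bytes) -> bytes:
    # Binding the index into the MAC stops the provider answering a challenge
    # for block i with some other intact block j.
    return hmac.new(key, idx.to_bytes(8, "big") + block, hashlib.sha256).digest()


def prepare_upload(key: bytes, data: bytes) -> list:
    """Client, before upload: split into blocks and attach a keyed tag to each."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    return [(b, _tag(key, i, b)) for i, b in enumerate(blocks)]


def audit(key: bytes, store: list, n_blocks: int, samples: int) -> bool:
    """Client, later: challenge random block indices and check each response.

    `store` stands in for the provider; the client keeps only key and n_blocks.
    """
    for idx in secrets.SystemRandom().sample(range(n_blocks), samples):
        block, tag = store[idx]  # provider's answer to the challenge
        if not hmac.compare_digest(tag, _tag(key, idx, block)):
            return False
    return True


def detection_probability(n_blocks: int, bad: int, samples: int) -> float:
    """Chance that `samples` distinct random challenges hit at least one bad block."""
    miss = 1.0
    for i in range(samples):
        miss *= max(0, n_blocks - bad - i) / (n_blocks - i)
    return 1.0 - miss


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    store = prepare_upload(key, b"constructed sample record\n" * 200)
    print("intact:", audit(key, store, len(store), 20))
    store[5] = (b"\x00" * BLOCK_SIZE, store[5][1])  # provider silently corrupts a block
    print("full audit after corruption:", audit(key, store, len(store), len(store)))
    print("P(detect 10 bad of 1000 with 300 challenges):",
          round(detection_probability(1000, 10, 300), 3))
```
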

Ensuring confidentiality of data in outsourced computation is difficult
Most types of computations require decrypting data before any computations

If the cloud provider is not trusted, this may result in breach of confidentiality

Existing Approaches: Homomorphic encryption, TCCP

Privacy is often the victim when using a cloud …
It is almost impossible to provide privacy of sensitive personal information in computation outsourcing
      Using Google spreadsheets to maintain SSN

Popular distributed computation systems such as MapReduce are NOT designed with privacy in mind

Clients have no way of verifying computations outsourced to a Cloud
User sends her data processing job to the cloud.
Clouds provide dataflow operation as a service (e.g., MapReduce, Hadoop etc.)
Problem: Users have no way of evaluating the correctness of results

Existing Approaches: Runtime Attestation, Majority voting, Redundant operations

Assessing the Capability of a Cloud Provider is difficult due to the black box model
Availability, fault-tolerance, and resilience are important to clients for mission-critical data

But cloud providers do not want to reveal their capability or redundancy

So, clients need a way to remotely verify the capability

Data Forensics in Clouds is difficult
Certain Government regulations mandate the ability to audit and run forensic analysis on critical business or healthcare data

Clouds complicate forensic analysis, since the same storage infrastructure is shared by many clients

Cloud providers are not willing to open up their entire storage for forensic investigations.

Clouds can be used for malicious
Adversaries can rent clouds temporarily to create a large scale botnet very quickly

Clouds can be used for spamming, Denial of service, brute force password breaking, and other
Example: – Claims to break WPA passwords for $17 in under 20 minutes, using a cloud

Economy matters!
Sometimes, economic targets are more effective than technical targets

Attacks can target economic viability of cloud users (by consuming extra resources), or of cloud providers (by fraudulently consuming cloud resources)

Hasan strategy
Question: How can we make clouds more accountable?

Approach: By maintaining secure and verifiable provenance chains for all data and computations outsourced to a cloud, clients can get more accountability.

Provenance of data: What happened to the data object while it was inside the cloud? (i.e., entire history of the data object)
Provenance of computations: How was a particular result computed inside a cloud?

Challenges: How to ensure correct collection of provenance inside a cloud, even when the cloud provider may not be trustworthy?
     Owner, source
     History of ownership of a valued object
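
A minimal illustration of a verifiable provenance chain, added here as an example and not the scheme from the talk: each record is MACed together with the previous record's MAC, so edited, reordered or dropped records fail verification. It assumes a single client-held HMAC key and a record count (expected_len) that the client tracks itself; all function and field names are hypothetical.

```python
import hashlib
import hmac
import json


def _mac(key: bytes, prev_mac: str, entry: dict) -> str:
    """MAC over the entry plus the previous record's MAC, which links the chain."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(chain: list, key: bytes, actor: str, action: str, data: bytes) -> None:
    """Add one provenance record describing what happened to the data object."""
    entry = {"seq": len(chain), "actor": actor, "action": action,
             "data_sha256": hashlib.sha256(data).hexdigest()}
    prev = chain[-1]["mac"] if chain else "genesis"
    chain.append({"entry": entry, "mac": _mac(key, prev, entry)})


def verify(chain: list, key: bytes, expected_len: int, current_data: bytes):
    """Return (ok, reason); catches edited, reordered, removed or truncated records."""
    if len(chain) != expected_len:
        return False, "record count mismatch (truncation or insertion)"
    prev = "genesis"
    for i, rec in enumerate(chain):
        if rec["entry"]["seq"] != i:
            return False, f"record {i}: sequence gap"
        if not hmac.compare_digest(rec["mac"], _mac(key, prev, rec["entry"])):
            return False, f"record {i}: MAC mismatch"
        prev = rec["mac"]
    digest = hashlib.sha256(current_data).hexdigest()
    if chain and chain[-1]["entry"]["data_sha256"] != digest:
        return False, "object does not match last recorded state"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-secret"   # constructed sample key
    chain = []
    append(chain, key, "alice", "create", b"v1")
    append(chain, key, "cloud-job-7", "transform", b"v2")
    append(chain, key, "bob", "read", b"v2")
    print(verify(chain, key, 3, b"v2"))
    chain[1]["entry"]["actor"] = "mallory"       # history rewritten at the provider
    print(verify(chain, key, 3, b"v2"))
```

Without the client-side record count, a provider could return a shorter but internally consistent prefix of the chain, which is why verify takes expected_len.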

(Largely) Unexplored Areas
Legal/policy issues and regulatory compliance: How does cloud computing fit in with data security laws and regulations such as SOX, HIPAA?
   Sarbanes Oxley – result of Enron, accuracy of financial reporting data

For example,
   If I store my data in Amazon, can the Govt. subpoena Amazon to access my data without violating 4th amendment?
      unreasonable search and seizure
   Will a cloud based storage system comply with SOX?
Issues related to users of the cloud
• Sensitive Information
   – SLA may allow access and catalog and use info in ways
     never intended
       • Share data with marketing firm
   – Google’s policy – company will share data with gov if “good
     faith belief” access is necessary to fulfill lawful requests
   – Government can more easily subpoena 3rd party than
     privately owned
   – Closed Subpoena – provider legally prohibited from telling
     customers data has been given to the government
   – Google’s problem or SLA may say not responsible
Today’s clouds provide no guarantee about outsourced data

Amazon’s Terms of services

The government – yes it can be good
 – Governmental regulations:
   • If doing business for EU, cannot store in US
   • If credit card data, restrictions on where can store data,
     cannot allow free block to be included in another
     customer’s block of storage
Examples of problems
• AOL released 650k customer search terms on
  public web page
• MS released search data to US DOD in child
  porn case
• British gov misplaced 25 M taxpayer records
• Retailers lose credit card numbers
“A short account of an interesting or amusing nature”
Locked Out

Nick Saber isn’t happy now. Monday afternoon, after lunch, Nick came back
from lunch to find out that he couldn’t get into his Gmail account. Further, he
couldn’t get into anything that Google made (beside search) where his
account credentials once worked. When attempting to log in, Nick got a single
line message:

Sorry, your account has been disabled. [?]

That’s it.

No, Google, that’s not it. Somewhere, deep inside the bowels of Google-land,
something went wrong and an innocent person suffers the loss of his data.

This is serious failure!

One point the story highlights is a hard lesson for users: Don’t trust the cloud
at this early stage in its evolution.
Cloud Goes Dark

Web Service's hosted storage service went down Friday
morning, frustrating many Web site customers and refreshing concerns with
the ballyhooed approach of cloud computing.

An online forum spiked with customer complaints Friday morning as some
people found that content stored on Amazon's Simple Storage Service (S3)
was unavailable or performed slowly.

The service was restored a few hours later, according to an Amazon
technician. The first forum posting was timed at 5 a.m. PT, and the service
was back up at just past 9 a.m.

The glitch sent a ripple through the blogosphere as Web entrepreneurs, who
are increasingly using Amazon's hosted computing services, pondered
whether they needed a back-up plan or a more traditional hosting provider.

On the forum, some people complained about how the service glitch
essentially put them out of business temporarily.
Google Docs Down

Google's Documents and Spreadsheets service went down for approximately
45 minutes earlier this morning.

The service, Google's online productivity suite, went from having some
features not working, like the log-out button and the document creation drop-
down menu, to coming up with a 404 page.

The downtime calls into question the importance that online Web applications
play in business use, as well as how Google's free document services have
come to replace software solutions such as Microsoft Office for some users or
teams that use Google's real-time collaboration features.
Digital Railroad

"Everyone is downloading now and their FTP has slowed to a crawl," one Digital Railroad
member told News Photographer magazine earlier this afternoon, before the site went dark.
It's estimated that there may have been as many as 1,900 client archives on Digital Railroad's
servers as of today.
Security Benefits in the Cloud
• Centralized data – can make it more secure
• Reduced data loss (12K laptops lost in US
    – How secure are laptops?
• If limit employee downloads, can limit data loss
• Easier to monitor security if only one location
• Can move data to another machine
• Logging is better in the cloud (C2 audit trail)
    – High overhead, but the cloud can handle it
Security Benefits in the Cloud
• Security bundled in, no need to buy 3rd party
  security SW
• Can perform patches and upgrades offline, test
  off-line versions of production environment
• Vendors more likely to develop more efficient
  security SW
• SaaS/PaaS providers do security testing (lower
  cost for security testing split amongst all users)
Regulatory Issues
• No existing regulation
• Despite its size, Google could still fail (look at
  GM or those banks that were too big to fail…)
• Government backed insurance?
• Should government regulate the cloud?
   – Safe guard for loss or theft?
• Who owns the data?
   – Law enforcement easier access to cloud than PC?
Regulatory Issues
• Do people really understand privacy and security
  implications of email, Facebook, etc?
• US courts ruled private data in cloud does not have
  same level of protection from law enforcement
• 49% concerned if cloud shared files with law
• 80% concerned if used photos for marketing
• 68% concerned if used personal information for
  personalized ads
• 63% concerned if provider kept data after used
Regulatory Issues
• Should government agencies store data on
• Procurement regulations will have to change
• GSA pushing for cloud to reduce energy
• US gov. spends $480 M on electricity for
Security in Clouds
• Security hackers:
  – Sell proprietary info to competition
  – Encrypt storage until pay (ransom/blackmail?)
  – Erase everything to damage business
  – DDOS, botnets attack network
     • Tokyo firm pay $31K to stop it
  – Not even clear who should pay ransom
• In a cloud at the mercy of their security
Final Observations: What’s wrong with today’s cloud security research
Failure to look at reality
   – Many security schemes impose unrealistic overheads (e.g.,
     >35%!!) – no one will use them in real life clouds

Failure to consider economy
   – Security schemes would cause significant changes to
     existing cloud infrastructures
   – Many attacks simply don’t make any economic sense

Lack of realistic threat models
   – Many papers present unrealistic threat models, (“Solutions
     in search of a problem”)

Cloud Computing......
   Design for Disaster?
