S23U14438 - Lecture 16 - Cloud Security

Uploaded by

sara hashemi

Cloud Computing Security

Outline
• Cloud computing overview
• Security in the Cloud
• Data security issues
• Case study: AWS security
• Compliance in the Cloud
• Demo
CLOUD COMPUTING OVERVIEW
Cloud characteristics
• On-demand self-service of resources [1]
  Accessible without human intervention
• Broad network access [1]
  Allowing access from different types of clients
• Resource pooling [1]
  Sharing of resources
• Rapid elasticity [1]
  Resources are quickly allocated or released
• Measured service [1]
  Resources are monitored and allocated appropriately
• Multitenancy [2]
  Multiple unrelated clients sharing the same resources or hosts

[1] (Mell and Grance, 2011) [2] (CSA, 2017)


Building Blocks

Source: CCSP exam cram, Peter Zerger


Service Models

Source: Buecker et al. (2009)


Deployment models

Source: Vold (2012)


SECURITY IN THE CLOUD
Cloud security challenges
Data security: Where is the data, and what control does the cloud provider have over its security and location?

Identity management: Who has access to the data, and how?

Trusted execution environment: Is data protected and secured within the cloud?
How to securely adopt the cloud?
• Develop a cloud-centric cybersecurity model
  ◦ Companies make choices about how to manage the perimeter in the cloud and how much apps need to be re-architected, in a way that aligns with their risk tolerance, existing application architecture, available resources, and overall cloud strategy.
• Redesign a full set of cybersecurity controls for the cloud
  ◦ For each individual control, companies need to determine who should provide it and how rigorous it needs to be.
• Apply DevOps to security (DevSecOps)
  ◦ If a developer can spin up a server in seconds but has to wait two weeks for the security team to sign off on the configuration, the cloud is no longer fast and agile. Highly automated security services should be made available to developers via APIs.
• Clarify internal responsibilities for cybersecurity, compared to what providers will do
  ◦ Public cloud requires a shared responsibility model, with providers and their customers each responsible for specific functions.

Yuri, D. (2022)
Shared responsibility model
The “Pizza as a Service” analogy
Shared responsibility model
Different responsibilities according to the service model selected
Data protection obligations

• Cloud providers should make written commitments to customers about the privacy of the customer data stored within their cloud.
• Cloud providers should detail how they address privacy and security best practices, data use limitations, and regulatory and compliance aspects.
• Certifications and audit reports must be issued to demonstrate compliance.
• Customers shouldn't migrate data if there are no warranties that the cloud provider can properly address data protection needs.
Security threats in the Cloud
• Diverse views on number and grouping of security issues
• Cloud-based security challenges include:
  ◦ Insecure Deletion
  ◦ Availability Chain
  ◦ Account Hijacking
  ◦ Insecure Interfaces
  ◦ Malicious Insiders
  ◦ Poor Due Diligence
  ◦ DoS
  ◦ Shared Technologies
  ◦ Lock-in
  ◦ Loss Governance
  ◦ Data Breaches
  ◦ Data Loss
  ◦ Identity Management
  ◦ Legal Issues
  ◦ Trust
• Data Security is fundamental to many of these…


Data security
• Consensus that data security is common to all
• Data security issues apply to the data life cycle1,2
Data Security aspects
Data confidentiality
• Issue: Large number of access points in cloud
• Threat: Data breach by unauthorised parties
• Mitigate: CIA principles and encryption used

Source: HPCS (no date)

Source: (Islam, Manivannan and Zeadally, 2016), (Sun et al., 2014)


Data integrity
• Issue: Reliability of data
• Threat: Data tampering or corruption
• Mitigate: Hashing, encryption and digital signatures

Source: (Shead, no date)

Source: (Islam, Manivannan and Zeadally, 2016), (Vyas and Modi, 2017), (Sun et al., 2014)
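
As an added illustration of the hashing mitigation above (not part of the original lecture), the client below computes an integrity record before upload and checks it on download. It assumes the same party writes and reads the data, so it uses an HMAC-SHA256 keyed hash rather than a digital signature; the key, object names and contents are constructed.

```python
import hashlib
import hmac
import json

def _mac(key: bytes, name: str, version: int, digest: str) -> str:
    # The tag covers name and version as well as the content digest, so a valid
    # object served under another name, or an older version, does not verify.
    msg = json.dumps([name, version, digest]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal(key: bytes, name: str, version: int, data: bytes) -> dict:
    """Integrity record the client computes before upload."""
    digest = hashlib.sha256(data).hexdigest()
    return {"name": name, "version": version, "sha256": digest,
            "tag": _mac(key, name, version, digest)}

def verify(key: bytes, rec: dict, name: str, min_version: int, data: bytes) -> str:
    """Return 'ok' or the reason a downloaded object is rejected."""
    expected = _mac(key, rec["name"], rec["version"], rec["sha256"])
    if not hmac.compare_digest(expected, rec["tag"]):
        return "record forged or altered"
    if rec["name"] != name:
        return "record belongs to another object"
    if rec["version"] < min_version:
        return "stale version (rollback)"
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), rec["sha256"]):
        return "content tampered or corrupted"
    return "ok"

def demo() -> dict:
    key = b"constructed-demo-key"   # constructed; the key stays with the client
    name = "reports/q1.csv"         # constructed object name
    v1 = seal(key, name, 1, b"id,total\n1,100\n")
    v2 = seal(key, name, 2, b"id,total\n1,120\n")
    other = seal(key, "reports/q2.csv", 1, b"id,total\n1,999\n")
    return {
        "intact": verify(key, v2, name, 2, b"id,total\n1,120\n"),
        "tampered": verify(key, v2, name, 2, b"id,total\n1,921\n"),
        "rollback": verify(key, v1, name, 2, b"id,total\n1,100\n"),
        "swapped": verify(key, other, name, 1, b"id,total\n1,999\n"),
        "forged": verify(key, dict(v2, version=3), name, 2, b"id,total\n1,120\n"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A plain hash stored next to the object would not catch the last three cases, because whoever can replace the object can also replace its hash.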
Data provenance
• Issue: Source of data
• Threat: Mining of metadata to reconstruct profiles
• Mitigate: SLA, metadata to be removed on upload

Source: Sweepatic (2017)

Source: (Islam, Manivannan and Zeadally, 2016)


Data Backups
• Issue: Data loss through no backups
• Threat: Backups not performed or corrupted
• Mitigate: SLA to guarantee backups in place

Source: (Kaseya, 2018)

Source: (Islam, Manivannan and Zeadally, 2016), (Ali, Khan and Vasilakos, 2015)
Data Sanitisation
• Issue: Data not deleted fully when required
• Threat: Data reconstruction via malicious scripts
• Mitigate: Difficult to achieve, as multiple data locations

Source: (Doyle, 2015)

Source: (Mather, 2009), (Ali, Khan and Vasilakos, 2015), (Islam, Manivannan and Zeadally, 2016).
Data Isolation
• Issue: Data located on shared resources
• Threat: Data can leak between VMs, e.g. in RAM
• Mitigate: Data Loss Prevention monitoring

Source: (Storware, 2018)

Source: (Eric et al., 2015), (Islam, Manivannan and Zeadally, 2016)


Data availability
• Issue: Data not available due to downtime or attack
• Threat: DDoS or disk failure
• Mitigate: Client has SLA to ensure data availability; CSP has used redundancy to mirror data

[Figure: CSP mirroring data to Copy 1 and Copy 2]

Source: (Sen, 2013), (Islam, Manivannan and Zeadally, 2016)
CASE STUDY: AWS SECURITY
Case study: AWS Security
Case study: AWS Security best practices
• Manage AWS accounts, IAM users, groups and roles
• Secure your data:
  ◦ Resource access authorization
  ◦ Storing and managing encryption keys in the cloud
  ◦ Protect data at rest
  ◦ Protect data in transit
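
To make "resource access authorization" concrete, the following added example (not from the lecture or from AWS) lints an IAM-style policy document for over-broad Allow statements. The policy is constructed, mixes identity-based and resource-based statements for brevity, and the finding names are this example's own.

```python
import json

def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and principals."""
    return value if isinstance(value, list) else [value]

def _is_public(principal) -> bool:
    """True for "Principal": "*" or {"AWS": "*"}."""
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def lint_policy(policy_json: str) -> list:
    """Return (Sid, finding) pairs for over-broad Allow statements."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = st.get("Sid", f"statement[{i}]")
        actions = _as_list(st.get("Action", []))
        if "NotAction" in st:
            findings.append((sid, "Allow with NotAction"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard action"))
        if "*" in _as_list(st.get("Resource", [])):
            findings.append((sid, "applies to every resource"))
        if _is_public(st.get("Principal")) and "Condition" not in st:
            findings.append((sid, "public principal without a condition"))
    return findings

# Constructed sample policy; bucket name and Sids are placeholders.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}"""

if __name__ == "__main__":
    for sid, finding in lint_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Findings are prompts for review rather than verdicts: some actions only accept `"Resource": "*"`, and the Deny statement on `aws:SecureTransport` is the kind of rule that enforces protection of data in transit.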
Case study: AWS Security best practices
• Secure your operating systems and apps
  ◦ Creating custom AMIs
  ◦ Bootstrapping
  ◦ Managing patches
  ◦ Controlling security for public AMIs
  ◦ Protecting your system from malware
  ◦ Mitigating compromise and abuse
  ◦ Use additional application security practices
Case study: AWS Security best practices
• Secure your infrastructure:
  ◦ Use Amazon VPCs
  ◦ Use security zoning and network segmentation
  ◦ Securing periphery systems: DNS, NTP, etc.
  ◦ Mitigating and protecting against DoS & DDoS attacks
Case study: AWS Security best practices
• Manage security monitoring, alerting, audit trail and incident response
  ◦ Use change management logs
  ◦ Managing logs for critical transactions
  ◦ Protecting log information
  ◦ Logging faults
COMPLIANCE IN THE CLOUD
Compliance in the cloud
• Compliance is a certification or confirmation that a system or an organization meets the requirements of specified standards, established legislation, regulatory guidelines or industry best practices, which together can be defined as a compliance framework.
• A compliance framework can include the business processes and internal controls the organization has in place to adhere to these standards and requirements.
• The framework should also map different requirements to internal controls and processes to eliminate redundancies.
Compliance in the cloud – General standards
• ISO/IEC 27001:2005
• HIPAA / HITECH
• ITAR
• SOC 1, SOC 2, SOC 3
• DIACAP and FISMA
• FIPS 140-2
• FedRAMP(SM)
• CSA
• PCI DSS Level 1
CSA security governance, risk and compliance stack
The Cloud Security Alliance (CSA) is a nonprofit organization that promotes research into best practices for securing cloud
computing and the use of cloud technologies to secure other forms of computing.
Cloud control matrix 4.0
• Provides guidance on which security controls should be implemented by which actor
• Provides mapping with other security standards (e.g. PCI DSS, ISO 27001, NIST 800-53)
• 17 domains
• 197 controls

CCM 4.0: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/


DEMO TIME
Outline
• Cloud computing overview
• Security in the cloud
• Data security issues
• Compliance in the Cloud
• Case study: AWS security
• Demo
