2. Summary
1. Cloud Computing: Definition and Trends
2. Security in Cloud Computing: Barriers to adoption?
3. Intrusion Detection Systems
4. Application of IDS in the Cloud Environment
5. Conclusion
3. Definition of Cloud Computing (NIST)
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
5. 3 Cloud Service Models
1. Cloud Software as a Service (SaaS): use the provider’s applications over a network
2. Cloud Platform as a Service (PaaS): deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources
6. 4 Cloud Deployment Models
Private cloud: enterprise owned or leased
Community cloud: shared infrastructure for a specific community
Public cloud: sold to the public, mega-scale infrastructure
Hybrid cloud: composition of two or more clouds
7. All of this TOGETHER: The Cloud
Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
12. What is Different about Cloud?
SERVICE OWNER by layer and service model:

Layer        SaaS       PaaS       IaaS
Data         Joint      Tenant     Tenant
Application  Joint      Joint      Tenant
Compute      Provider   Joint      Tenant
Storage      Provider   Provider   Joint
Network      Provider   Provider   Joint
Physical     Provider   Provider   Provider
13. Traditional systems security vs Cloud Computing Security
Traditional systems: securing a house. Biggest user concerns: securing the perimeter, checking for intruders.
Cloud computing: securing a motel. Biggest user concern: securing the room against (the bad guy in the next room | hotel
15. Cloud “Threats” (CSA)
1. Abuse & Nefarious Use of Cloud Computing
2. Insecure Interfaces & APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile
16. Cloud Risks (ENISA)
1. Loss of governance
2. Lock-in
3. Isolation failure
4. Compliance risks
5. Management interface compromise
6. Data protection
7. Insecure or incomplete data deletion
8. Malicious insider
17. Who is the attacker?
Insider?
• Malicious employees at the client
• Malicious employees at the Cloud provider (or the Cloud provider itself)
Outsider?
• Intruders
• Network attackers
19. IDS OVERVIEW
Intrusion Detection System (IDS): a system that monitors a network for suspicious activity and alerts the administrator of the system or network.
3 approaches:
Network Intrusion Detection Systems (NIDS)
Host Intrusion Detection Systems (HIDS)
Virtual Machine Intrusion Detection Systems (VM-IDS)
2 techniques:
Statistical anomaly based (Behavioral)
Signature based (Scenario)
20. Architecture of an IDS
[Diagram: Normal internal user, Internal intruder, Normal external user, External user → Sensor → Analyser (Classification, Clustering, Data Mining) → Package Actions]
The sensor: collects information on the evolution of the state of the system and provides a sequence of events that reflect this evolution.
The analyzer: determines which part, fitting a pattern of events provided by the sensor, is characteristic of a malicious activity.
The manager: collects the received alerts from the sensor and presents them to the operator for further actions.
21. The IDS Matrix diagram
Rows: POSITIVE (rule matched) / NEGATIVE (no rule matched). Columns: TRUE / FALSE.
POSITIVE, TRUE  = True-Positive (rule matched and attack present)
POSITIVE, FALSE = False-Positive (rule matched and no attack present)
NEGATIVE, TRUE  = True-Negative (no rule matched and no attack present)
NEGATIVE, FALSE = False-Negative (no rule matched and attack present)
22. Behavioral approach
(Types of monitoring systems: Host Based IDS, Network Based IDS. Analysis types: Scenario approach, Behavior approach.)
Phase 1: Training. Build a model of normal behavior (traffic, system performance, memory performance…).
Phase 2: Detection. Real activities are compared with the model: not deflected → normal behavior; deflected → possible attack.
+++ The ability to detect new attacks.
--- Many false positives, because new normal activities can be taken for attacks.
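As an added example (not from the original slides), the two phases above in Python: Phase 1 trains a model of normal behavior (mean and standard deviation of requests per minute from one host, constructed sample data) and Phase 2 classifies new observations by how far they deflect from it; the threshold `k` and all sample values are assumptions.

```python
from __future__ import annotations
import statistics
from dataclasses import dataclass

# Constructed sample: requests per minute seen from one internal host during
# a known-normal training window (Phase 1 input).
TRAINING_RPM = [42, 38, 45, 40, 44, 39, 41, 43, 37, 46]

@dataclass
class BehaviorModel:
    """Model of normal behavior: mean and standard deviation of one metric."""
    mean: float
    stdev: float
    k: float = 3.0  # assumed threshold: deflection beyond k standard deviations

    def deflection(self, value: float) -> float:
        """Distance of an observation from normal, in standard deviations."""
        return abs(value - self.mean) / self.stdev

    def classify(self, value: float) -> str:
        """Phase 2: compare a real activity with the model."""
        return "possible attack" if self.deflection(value) > self.k else "normal"

def train(samples: list[int], k: float = 3.0) -> BehaviorModel:
    """Phase 1: build the model of normal behavior from the training window."""
    return BehaviorModel(statistics.mean(samples), statistics.stdev(samples), k)

def detect(model: BehaviorModel, observations: dict[str, int]) -> dict[str, str]:
    """Label each observation (key = description, value = requests per minute)."""
    return {desc: model.classify(rpm) for desc, rpm in observations.items()}

if __name__ == "__main__":
    model = train(TRAINING_RPM)
    # Constructed observations: a normal minute, a scan-like burst, and a
    # legitimate but never-seen-before nightly backup. The backup is the false
    # positive the slide warns about: a new normal activity flagged as an attack.
    obs = {"normal minute": 44, "scan burst": 900, "first nightly backup": 300}
    for desc, verdict in detect(model, obs).items():
        print(f"{desc:22s} rpm={obs[desc]:4d} "
              f"deflection={model.deflection(obs[desc]):6.1f} -> {verdict}")
```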
23. Scenario approach
(Types of monitoring systems: Host Based IDS, Network Based IDS. Analysis types: Scenario approach, Behavior approach.)
Real activities are compared with signatures (rules, patterns) of known attacks: not matched → normal; matched → attack.
Ex: if (src_ip = dst_ip) then “land attack”
+++ Techniques are easy and quick to implement.
--- The problem of reliability remains for false alarms.
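An added example (not part of the original slides) serving both the IDS matrix slide and the scenario approach: a small signature matcher whose first rule is the slide's own `src_ip = dst_ip` land-attack rule, run over constructed, labelled packets to fill the TP/FP/TN/FN cells; the second rule and all packet values are assumptions.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    flags: str = ""  # TCP flag letters, e.g. "S" for SYN; "" = no flags set

Rule = tuple[str, Callable[[Packet], bool]]

# Signature rule set. The first is the slide's own rule
# (if src_ip = dst_ip then "land attack"); the second is an assumed example
# rule for a TCP segment with no flags set (a classic "null scan" signature).
RULES: list[Rule] = [
    ("land attack", lambda p: p.src_ip == p.dst_ip),
    ("tcp null scan", lambda p: p.proto == "tcp" and p.flags == ""),
]

def match(rules: list[Rule], packet: Packet) -> list[str]:
    """Scenario approach: names of all signatures the packet matches."""
    return [name for name, pred in rules if pred(packet)]

def outcome(matched: bool, attack: bool) -> str:
    """Cell of the IDS matrix for one packet (rule matched? / attack present?)."""
    if matched:
        return "TP" if attack else "FP"
    return "FN" if attack else "TN"

def evaluate(rules: list[Rule], labelled: list[tuple[Packet, bool]]) -> Counter:
    """Run the rule set over labelled traffic and count the matrix cells."""
    return Counter(outcome(bool(match(rules, p)), attack) for p, attack in labelled)

# Constructed, labelled sample traffic (bool = attack actually present).
SAMPLE: list[tuple[Packet, bool]] = [
    (Packet("10.0.0.5", "10.0.0.5", "tcp", "S"), True),   # land: matched, attack -> TP
    (Packet("10.0.0.7", "10.0.0.9", "tcp", "S"), False),  # ordinary SYN: no match -> TN
    (Packet("10.0.0.7", "10.0.0.9", "tcp", ""), True),    # null scan: matched -> TP
    (Packet("10.0.0.8", "10.0.0.8", "udp", ""), False),   # host polling itself: false alarm -> FP
    (Packet("10.0.0.3", "10.0.0.9", "tcp", "S"), True),   # attack with no signature yet -> FN
]

if __name__ == "__main__":
    for packet, attack in SAMPLE:
        hits = match(RULES, packet)
        print(f"{packet.src_ip}->{packet.dst_ip} {packet.proto:3s} "
              f"matched={hits or '-'} -> {outcome(bool(hits), attack)}")
    print(dict(evaluate(RULES, SAMPLE)))  # {'TP': 2, 'TN': 1, 'FP': 1, 'FN': 1}
```

The FP row shows the slide's reliability caveat (a benign packet that fits the pattern) and the FN row shows why a signature set alone cannot see an attack it has no rule for.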
25. Architecture 1: Distributing the IDS on the nodes of the grid
+++ Applies the two methods of intrusion detection (Scenario Based & Behavioral Based)
--- The prototype is expensive in terms of resource consumption
--- It cannot discover new types of attacks, and creating an attack database must be considered when implementing the IDS
26. Architecture 2: Distributed Cloud Intrusion Detection Model
[Diagram: Cloud User Organization → Network Cloud / CSP Infrastructure with a Cloud IDS; Intrusion Alarm and Alert reports go to a Third party IDS monitoring & Advisory Service, which returns Advisory Reports.]
+++ High performance in terms of processing and execution time.
--- It is difficult to discover new types of attacks and create a new scenario, and much work remains to be done to improve the concept.
27. Architecture 2: Distributed Cloud Intrusion Detection Model
[Diagram: Input Packets (ICMP, IP, UDP, TCP) → Multi-Threaded Queue (Thread 0 - n) → Rule Set Matching against the IDS Rule Set → False: Reject; True: Intrusion alarm / Log, reported to the Cloud User and the CSP.]
28. Architecture 3: Cloud Intrusion Detection System Service
[Diagram: Intrusion Detection System Component (Collector, Event Publisher, IDS Controller, Detection Engine) connected over a Secure Connection (VPN) to Cloud Computer Service Components and to Agents / Agent Groups in the User Internal Network.]
+++ Quick and fast analysis and detection
--- Detects many false positives
29. Architecture 4: Cloud-based intrusion detection service framework (CBIDS)
[Diagram: Cloud IDS / Cloud Intrusion Detection Component (Analysis Engine, Service Console, Detection Engine / Signature Database, User database) connected over VPN to Cloud Service Components and to a User Data Collector in the User Network.]
--- Detects many false positives
30. Architecture 5: VM-integrated IDS Management
+++ Can be implemented on all three levels
--- The use of a centralized collector can make it a target of Denial of Service.
32. Conclusions
Many IDS solutions have emerged for the Cloud environment
They can be implemented either by the provider or by the tenant
Combining the Behavior and Scenario approaches is the best way to get rid of intrusions.
This is an oversimplification of the cloud security issues, but it is definitely correct at a high level: there is only so much you can do to improve security if you use a software-as-a-service (SaaS) provider who is hell-bent on not being supportive of your security requirements.
Source: CSA standard slide. This is where the mysteries of PCI in the cloud start to come to life: especially note those yellow boxes with the word JOINT (which, sadly, often means finger pointing and glaring security holes). Also note that for cloud security (and for cloud payment security as well as PCI) you will have to trust the provider in regards to physical security.
It is funny that this view of the world and of the cloud also has a hidden implication: if your neighbor is hacked in a traditional environment, you have perfectly good grounds for saying “I don’t care.” But in the case of shared infrastructure (the cloud!), being able to say that becomes more and more rare, or more and more risky.
https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
The purpose of this document, “Top Threats to Cloud Computing”, is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to “Security Guidance for Critical Areas in Cloud Computing”. As the first deliverable in the CSA’s Cloud Threat Initiative, the “Top Threats” document will be updated regularly to reflect expert consensus on the probable threats which customers should be concerned about. There has been much debate about what is “in scope” for this research. We expect this debate to continue and for future versions of “Top Threats to Cloud Computing” to reflect the consensus emerging from those debates. While many issues, such as provider financial stability, create significant risks to customers, we have tried to focus on issues we feel are either unique to or greatly amplified by the key characteristics of Cloud Computing and its shared, on-demand nature. We identify the following threats in our initial document:
Abuse and Nefarious Use of Cloud Computing
Insecure Application Programming Interfaces
Malicious Insiders
Shared Technology Vulnerabilities
Data Loss/Leakage
Account, Service & Traffic Hijacking
Unknown Risk Profile
The threats are not listed in any order of severity. Our advisory committee did evaluate the threats and each committee member provided a subjective ranking of the threats. The exercise helped validate that our threat listing reflected the critical threat concerns of the industry; however, the cumulative ranking did not create a compelling case for a published ordered ranking, and it is our feeling that greater industry participation is required to take this step.
The only threat receiving a consistently lower ranking was Unknown Risk Profile; however, the commentary indicated that this is an important issue that is simply more difficult to articulate, so we decided to retain this threat and seek to further clarify it in future editions of the report.
LOSS OF GOVERNANCE: in using cloud infrastructures, the client necessarily cedes control to the Cloud
LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats
ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing
COMPLIANCE RISKS: investment in achieving certification (e.g., industry standard or regulatory
MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider
DATA PROTECTION: cloud computing poses several data protection risks for cloud customers and providers.
INSECURE OR INCOMPLETE DATA DELETION: when a request to delete a cloud resource is made, as with most
MALICIOUS INSIDER: while usually less likely, the damage which may be caused by malicious insiders is