This is some input for a panel discussion about "Security and Safety in Cloud-based Systems and Services" (9th International Conference on Cloud Computing, GRIDs, and Virtualization (CLOUD COMPUTING 2018) in Barcelona, Spain in February 2018).
Although it might be hard to accept, attackers can in principle establish footholds in our systems whenever they want (zero-day exploits). Cloud application security engineering efforts focus on hardening the "fortress walls". As a result, cloud applications rely on these defensive walls but seldom attack intruders actively. There is a need for a more reactive component, one that could be inspired by biological systems. Biological systems assume by design that defensive "walls" can be breached at several layers, so they provide an additional active defense system to attack potentially successful intruders: an immune system. Although several experts find this approach "intriguing", follow-up questions arise. What about exploits that adapt to bio-inspired systems? How can the immune system be protected against direct attacks? Are cloud immune systems prone to phenomena like fever (running hot) or auto-immune diseases (self-attacking)?
There is no impenetrable system - So, why we are still waiting to get breached?
1. There is no impenetrable system - So, why we are still waiting to get breached?
Nane Kratzke
Panel Discussion: “Security and Safety in Cloud-based Systems and Services“
9th International Conference on Cloud Computing, GRIDs, and Virtualization (CLOUD COMPUTING 2018); Barcelona, Spain, 2018
2. The Fortress Walls of Cloud Applications
Prof. Dr. rer. nat. Nane Kratzke
Computer Science and Business Information Systems
• Security Groups
• Firewalls
• VPNs
• Intrusion Detection Systems
• Unattended Security Updates
• Symmetric and asymmetric encryption
• Password (checks)
• SSH Keys
• Authentication
• Authorization
• Two (Multi) Factor Authentication
• …
3. How to defend against unknown vulnerabilities?
Reported in January 2018. Mainly x86 microprocessors with out-of-order execution and branch-prediction affected since 1995 (says Google).
• CVE-2017-5754
• CVE-2017-5715
• CVE-2017-5753
I started my computer science studies in 1996! My microprocessor professor told me, out-of-order execution and branch-prediction is one of the coolest things on earth.
4. How long can presence be maintained?
Answer: Surprisingly long!
5. Some scary considerations
• In principle, attackers can establish footholds in our systems whenever they want (zero-day exploits).
• Cloud application security engineering efforts focus on hardening the fortress walls.
• Cloud applications rely on their defensive walls but seldom attack intruders actively.
6. We need a reactive component as well
Biological systems are different. Defensive “walls” can be breached at several layers. An additional active defense system is needed to attack potential successful intruders - an immune system.
7. Let us make the game more challenging for the attacker (act, do not react)
We can create a race between a manual (time-intensive) breach and a fully automatic (and fast) regeneration.
Figure legend: Regenerated node (randomly chosen at some point in time); Successfully breached node (lateral movement)
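The race described on this slide can be explored with a small simulation. This is an added example, not part of the original slides; the node count, the timings, and the policy of replacing one randomly chosen node per interval are assumptions chosen for illustration.

```python
import random
from typing import NamedTuple, Optional

class Outcome(NamedTuple):
    evicted_at: Optional[int]   # minute at which the attacker lost the last foothold
    peak_compromised: int       # most nodes held at the same time

def simulate(nodes=10, breach_minutes=240, regen_minutes=10,
             horizon=7 * 24 * 60, seed=0) -> Outcome:
    """Race between manual lateral movement and automatic node regeneration.

    Assumed model: the attacker starts with one foothold (zero-day) and needs
    breach_minutes of manual work per additional node; every regen_minutes the
    platform replaces one randomly chosen node with a fresh, clean instance.
    regen_minutes=None models a cluster that is never regenerated.
    """
    rng = random.Random(seed)
    compromised = {rng.randrange(nodes)}
    peak = 1
    for t in range(1, horizon + 1):
        if t % breach_minutes == 0:
            # Lateral movement succeeds: one more clean node is taken over.
            clean = [n for n in range(nodes) if n not in compromised]
            if clean:
                compromised.add(rng.choice(clean))
                peak = max(peak, len(compromised))
        if regen_minutes and t % regen_minutes == 0:
            # The chosen node is replaced; any foothold on it is gone.
            compromised.discard(rng.randrange(nodes))
            if not compromised:
                return Outcome(t, peak)
    return Outcome(None, peak)

def eviction_rate(regen_minutes, runs=100, **kw) -> float:
    """Fraction of seeded runs in which the attacker is fully evicted."""
    hits = sum(simulate(regen_minutes=regen_minutes, seed=s, **kw).evicted_at is not None
               for s in range(runs))
    return hits / runs

if __name__ == "__main__":
    for regen in (None, 1440, 60, 10):
        print(f"regenerate every {regen} min -> eviction rate {eviction_rate(regen):.2f}")
```

In this model the defender only wins the race when regeneration is much faster than a manual breach; with daily regeneration against a four-hour breach time the attacker ends up holding the whole cluster.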
8. It is all about Pets versus Cattle
• Assume you are a rancher
• Assume one of your cattle is deadly infectious
• Be professional, shoot – and replace it
• Yes, life is not fair (maybe for the cute kitty)
• However, we should remember that for security (and that zero-day attacks are not fair as well)
9. Immune systems for cloud applications?
Yes, there are questions worth discussing …
• Can we reduce regenerations?
• Can we identify suspect nodes automatically?
• Limited to what kind of applications?
• What about exploits/attacks that are adaptable to bio-inspired systems?
• How to protect the regeneration mechanism against attackers?
• Are cloud immune systems prone to phenomena like fever (running hot) or auto-immune diseases (self-attacking)?
10. Acknowledgement
Picture Reference
• Ninja: Pixabay (CC0 Public Domain)
• Fortress: Pixabay (CC0 Public Domain)
• Bowman: Pixabay (CC0 Public Domain)
• Cattle: Pixabay (CC0 Public Domain)
• Cell: Pixabay (CC0 Public Domain)
• Air Transport: Pixabay (CC0 Public Domain)
Our research is funded by German Federal Ministry of Education and Research (13FH021PX4).
11. About
Nane Kratzke
CoSA: http://cosa.fh-luebeck.de/en/contact/people/n-kratzke
Blog: http://www.nkode.io
Twitter: @NaneKratzke
GooglePlus: +NaneKratzke
LinkedIn: https://de.linkedin.com/in/nanekratzke
GitHub: https://github.com/nkratzke
ResearchGate: https://www.researchgate.net/profile/Nane_Kratzke
SlideShare: http://de.slideshare.net/i21aneka