Tunis, Tunisia, 28 April 2014

Security Issues for Cloud and Future Networks

Noureddine Boudriga, Director CN&S, University of Carthage

[email protected]

2nd SG 13 Regional Workshop for Africa on “Future Networks: Cloud Computing, Energy Saving, Security & Virtualization”

(Tunis, Tunisia, 28 April 2014)

Talk Objectives

Present a discussion of common fundamental challenges and issues/characteristics of cloud computing and future networks
Identify security and privacy issues challenging future networks
Discuss approaches to address the security issues
Explain the need for a new security engineering

Summary

Introduction
Security Issues in Cloud Computing
Security and Privacy Issues in Future Networks
Security Solutions
Towards new security engineering
Global Cybersecurity

1. Introduction

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources” (NIST)
Attributes: rapid deployment; low startup costs/capital investments; costs based on utilization or subscription; multi-tenant sharing of services/resources
Characteristics: on-demand service; ubiquitous network access; location-independent resource pooling; rapid elasticity

Introduction: Cloud and FN Models

Delivery Models: SaaS, PaaS, and IaaS, for cloud; service delivery workflows and control, service brokering and composition, and flow and content mapping to services, for FN

Deployment Models: Private, Community, Public, Hybrid

Management Models: Self-managed or 3rd-party managed (e.g. public clouds, VPN/C)

Introduction: features

Common features: a massive concentration of shared resources and an important emergence of risk, since any loss from a single breach can significantly affect larger structures/pools.
Additional features for FNs: massive data to transmit, massive traffic to relay, large node mobility.
Hidden concepts: network topology, perimeter, traffic granularity.

2. Security Issues in Cloud Computing

Notorious threats include: Data Breaches, Data Loss, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Denial of Service, Malicious Insiders, Abuse of Cloud Services, Insufficient Due Diligence, Shared Technology Vulnerabilities

Most security problems stem from: loss of control, weak trust relationships, and multi-tenancy. Problems exist mainly with 3rd-party management models, where there is little involvement of the operators.

Security issues: loss of control

Data, applications, and resources are located within the provider-controlled infrastructure.
Customer identity management is handled by the cloud. Customer access control rules, security policies, and enforcement are managed by the cloud provider.
The consumer relies on the provider to address: data security and privacy, resource availability control, monitoring of resources, and repairing.

Security issues: weak trust relationships

Trust relationships at any point of the delivery chain may be weak due to the loss of control in passing sensitive data.
Trust along the delivery chain from customer to cloud providers may be non-transitive due to the lack of transparency.
There is a lack of consensus about which trust management techniques should be used for cloud environments.
Standardized trust models are needed, but none of the existing trust models related to data is acceptable.

Security issues: Multi-tenancy

Conflict between tenants’ opposing goals
Tenants can share pools of resources and apply conflicting rules
Limited efficiency of techniques that provide separation/interoperation between tenants
Cloud computing brings new threats: multiple independent users share the same physical infrastructure, so attackers can legitimately be hosted on the same physical machine as their target

3. Security and Privacy Issues in FNs

Availability: questions about what happens to customer-critical systems/data if the provider is attacked or goes out of business.
Confidentiality: questions about whether sensitive/private data stored (on a cloud, for instance) remains confidential, and about leaking of confidential customer information.
Integrity: questions about how the cloud/FN provider correctly performs integrity computations, and how the cloud provider really stores user data without altering it.
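The integrity question above (how can the customer tell whether the provider stores its data unaltered?) can be answered with a customer-side spot check. The following is an added illustrative example, not code from the talk: the customer keeps a secret key and one keyed tag per chunk, then challenges the provider for chunks and recomputes the tags. The Provider class, the sample data and the key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample data: a customer's records, split into fixed-size chunks
# before upload. The customer keeps only the key and one small tag per chunk.
CHUNK_SIZE = 16
SAMPLE_DATA = b"customer records 2014: invoices, contracts, payroll, audit trails"
CUSTOMER_KEY = b"customer-retained-secret-key"  # assumption: never given to the provider


def split_chunks(data: bytes, size: int = CHUNK_SIZE) -> list[bytes]:
    return [data[i:i + size] for i in range(0, len(data), size)]


def chunk_tag(key: bytes, idx: int, chunk: bytes) -> bytes:
    # The index is bound into the tag so that reordered chunks are also detected.
    return hmac.new(key, idx.to_bytes(4, "big") + chunk, hashlib.sha256).digest()


def tag_chunks(key: bytes, chunks: list[bytes]) -> list[bytes]:
    """Run by the customer before upload; the tags are the only state it retains."""
    return [chunk_tag(key, i, c) for i, c in enumerate(chunks)]


class Provider:
    """Hypothetical provider storage; tamper() simulates a silent alteration."""
    def __init__(self, chunks: list[bytes]) -> None:
        self.chunks = list(chunks)

    def tamper(self, idx: int, new_bytes: bytes) -> None:
        self.chunks[idx] = new_bytes

    def fetch(self, idx: int) -> bytes:
        return self.chunks[idx]


def audit(provider: Provider, key: bytes, tags: list[bytes], indices) -> list[int]:
    """Customer-side spot check: fetch each challenged chunk and recompute its keyed
    tag. Without the key the provider cannot forge a tag for altered content.
    Returns the indices whose stored content no longer matches the original."""
    altered = []
    for idx in indices:
        if not hmac.compare_digest(tags[idx], chunk_tag(key, idx, provider.fetch(idx))):
            altered.append(idx)
    return altered


def demo() -> tuple[list[int], list[int]]:
    chunks = split_chunks(SAMPLE_DATA)
    tags = tag_chunks(CUSTOMER_KEY, chunks)
    provider = Provider(chunks)
    before = audit(provider, CUSTOMER_KEY, tags, range(len(chunks)))  # expect []
    provider.tamper(2, b"payroll, CHANGED!")  # provider silently alters chunk 2
    after = audit(provider, CUSTOMER_KEY, tags, range(len(chunks)))   # expect [2]
    return before, after
```

In practice each audit round challenges a random subset of indices rather than every chunk, so the provider cannot predict which chunks will be checked.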

Security and Privacy issues

Massive data mining: providers store data from a large number of customers and run data mining algorithms to retrieve large amounts of information.
New classes of harmful attacks: attackers can target the communication link between provider and customer, and provider employees can be phished.
Digital forensics: audit and forensics are hard to perform since customers don’t maintain data locally.
Legal and transitive trust issues: who is responsible for complying with regulations?

Security and privacy issues in FNs

At the customer side, an attacker can learn passwords/authentication information and gain control of the VMs, if any.
At the provider side, an attacker can log customer communication, read non-encrypted data, look into VMs, make copies of VMs, or monitor network communication and application patterns.
External attackers can listen to network traffic, insert malicious traffic, investigate the (cloud) structure, or launch DoS, intrusion, and network analysis.

4. Security solutions

Minimize loss of control: activity monitoring (e.g. payment, delegation, usage, and storage control); access control and interoperation management

Minimize the weakness of trust relationships: security policy (description language, policy validation, and conflict management); certification infrastructure (integrity and authentication)

Identity management; coordination and interoperation of multi-tenancy

Security solutions: Monitoring

Provide mechanisms that enable the providers to act on the attacks they can handle:
infrastructure remapping and fault repairing
shutting down offending components or targets

Provide mechanisms that enable the consumer to act on attacks targeting the application level:
risk-adaptable access control
ability to move the user’s application to another provider

Security solutions: Identity management

IdM in the traditional application-centric model assumes each application keeps track of the identifying information of its users. Existing systems assume the availability of a trusted third party.
Users have multiple accounts associated with multiple service providers (in the cloud).
Sharing sensitive identity information between services can lead to undesirable mapping of the identities to the user.

Security solutions: goals for IdM

Authenticate without disclosing identifying information
Ability to securely use a service while on an untrusted host (VM on the cloud)
Minimal disclosure and minimized risk of disclosure during communication between user and service provider (man-in-the-middle, side channel and correlation attacks)
Protection of identity information in cloud and FNs without a trusted third party

5. Towards new security engineering

Challenges: techniques for:
Identifying cloud security-critical assets and evaluating the costs of their breaches.
Identifying potential future network security threats and evaluating their feasibility.
Identifying feasible (cloud) protections and countermeasures and evaluating their adequacy.
Verifying proper implementation and security policy, and investigating incidents.
Modelling threats and developing a useful framework for security measurement.

Towards new security engineering

Major tasks to perform:
Design and analysis of robust security solutions
Estimation of solution costs and risk evolution
Techniques coping with “infinity”
Tools for the analysis of robustness

Major models to provide:
Security policy models
Threat evolutionary modeling
Verification and validation models
Visibility modeling

6. Global Cybersecurity: challenges

Security breaches will be constant.
Password-based security will become essentially useless; most services should offer a multi-factor authentication capability.
Mobile devices (smartphones) are used by people with minimal technical skill and virtually no attention to security.
Cloud failures will result in substantial data loss.
Security-as-a-Service becomes a new cloud market.
Nation-state cyberwar escalates; rogue nations use cybercrime.

Global Cybersecurity: Objectives

To create an assurance framework for the design of security policies and the promotion and enabling of actions for compliance with global security standards
To strengthen the regulatory framework for ensuring a SECURE CYBERSPACE
To create a workforce of skilled professionals
To enable protection of information while in process, handling, storage and transit
To enable effective prevention, investigation and prosecution of cybercrimes

GCS: Security factors limiting cloud and FN usage in Africa

IT experts estimate an 80% infection rate on all PCs continent-wide (in Africa), including government computers. As internet and cloud penetration increases across Africa, so does the risk of sophisticated cyber-attacks, threatening African nations’ security.
Increasing bandwidth and use of wireless technologies.
Lack of cyber security awareness.
Ineffective legislation and policies; insufficient operator involvement.

Conclusion

Cloud computing is evolving and future networks are merging.
Need for a new role for SPs and network operators, as part of the cyber security ecosystem.
Need to extend the role of Computer Incident Response Teams.