Tunis, Tunisia, 28 April 2014
Security Issues for Cloud and Future Networks
Noureddine Boudriga, Director CN&S, University of Carthage
2nd SG 13 Regional Workshop for Africa on “Future Networks: Cloud Computing, Energy Saving, Security & Virtualization”
(Tunis, Tunisia, 28 April 2014)
Talk Objectives
- Present a discussion of common fundamental challenges and issues/characteristics of cloud computing and future networks
- Identify security and privacy issues challenging future networks
- Discuss approaches to address the security issues
- Explain the need for a new security engineering
Summary
- Introduction
- Security Issues in Cloud Computing
- Security and Privacy Issues in Future Networks
- Security Solutions
- Towards new security engineering
- Global Cybersecurity
1. Introduction
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources” (NIST)
- Attributes: Rapid deployment, Low startup costs/capital investments, Costs based on utilization or subscription, Multi-tenant sharing of services/resources
- Characteristics: On-demand service, Ubiquitous network access, Location-independent resource pooling, Rapid elasticity
Introduction: Cloud and FN Models
- Delivery Models: SaaS, PaaS, and IaaS for cloud; service delivery workflows and control, services’ brokering and composition, and flow and content mapping to services for FN
- Deployment Models: Private, Community, Public, Hybrid
- Management Models: Self-managed or 3rd-party managed (e.g. public clouds, VPN/C)
Introduction: features
- Common features: massive concentration of shared resources and a significant increase in risk, since any loss from a single breach can affect much larger structures/pools
- Additional features for FNs: massive data to transmit, massive traffic to relay, high node mobility
- Hidden concepts: network topology, perimeter, traffic granularity
2. Security Issues in Cloud Computing
Notorious threats include: Data Breaches, Data Loss, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Denial of Service, Malicious Insiders, Abuse of Cloud Services, Insufficient Due Diligence, Shared Technology Vulnerabilities
Most security problems stem from: loss of control, weak trust relationships, and multi-tenancy. Problems exist mainly with 3rd-party management models, with little involvement of the operators.
Security issues: loss of control
- Data, applications, and resources are located within the provider-controlled infrastructure
- Customer identity management is handled by the cloud
- Customer access control rules, security policies, and enforcement are managed by the cloud provider
- The consumer relies on the provider to address: data security and privacy, resource availability control, monitoring of resources, and repairing
Security issues: weak trust relationships
- Trust relationships at any point of the delivery chain may be weak due to the loss of control in passing sensitive data
- Trust along the delivery chain from customer to cloud providers may be non-transitive due to the lack of transparency
- There is a lack of consensus about what trust management techniques should be used for cloud environments
- Standardized trust models are needed; but none of the trust models related to data is acceptable
Security issues: Multi-tenancy
- Conflict between tenants’ opposing goals
- Tenants can share pools of resources and apply conflicting rules
- Limited efficiency of techniques to provide separation/interoperation between tenants
- Cloud computing brings new threats: multiple independent users share the same physical infrastructure, so attackers can legitimately be hosted on the same physical machine as their target
3. Security and Privacy Issues in FNs
- Availability: Questions about what happens to customer critical systems/data if the provider is attacked or goes out of business
- Confidentiality: Questions about whether sensitive/private data stored (on a cloud, for instance) remains confidential, and about leaking of confidential customer information
- Integrity: Questions about how the cloud/FN provider correctly performs integrity computations, and how the cloud provider really stores user data without altering it
Security and Privacy issues
- Massive data mining: Providers store data from a large number of customers, and run data mining algorithms to retrieve large amounts of information
- New classes of harmful attacks: Attackers can target the communication link between provider and customer, and provider employees can be phished
- Digital forensics: Audit data and forensics are hard to perform since customers don’t maintain data locally
- Legal and transitive trust issues: Who is responsible for complying with regulations?
Security and privacy issues in FNs
- At the customer side, an attacker can learn passwords/authentication information and gain control of the VMs, if any
- At the provider side, an attacker can log customer communication, read non-encrypted data, look into VMs, make copies of VMs, or monitor network communication and application patterns
- External attackers can listen to network traffic, insert malicious traffic, investigate the (cloud) structure, or launch DoS, intrusion, and network analysis
4. Security solutions
- Minimize loss of control: activity monitoring (e.g. payment, delegation, usage, and storage control), access control and interoperation management
- Minimize the weakness of trust relationships: security policy (description language, policy validation, and conflict management), certification infrastructure (integrity and authentication)
- Identity management, coordination and interoperation of multi-tenancy
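As an added illustration of the multi-tenancy problem (tenants sharing a pool and applying conflicting rules) and of the "policy validation and conflict management" item above, here is a small Python checker written for this page, not code from the talk: it validates constructed tenant rules, flags rules from different tenants that disagree about the same action on a shared pool element, and resolves them deny-overrides. The Rule shape, the shared-pool set and the sample rules are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Rule:               # constructed rule shape, not a format from the talk
    tenant: str
    resource: str         # element of the resource pool, e.g. a VLAN or volume
    action: str           # operation governed by the rule
    effect: str           # "allow" or "deny"

VALID_EFFECTS = {"allow", "deny"}

# Constructed sample: two tenants with rules on a partly shared pool.
SHARED_POOL = {"vlan-100", "vol-shared-7"}
SAMPLE_RULES = [
    Rule("tenant-a", "vlan-100", "attach", "allow"),
    Rule("tenant-b", "vlan-100", "attach", "deny"),     # disagrees with tenant-a
    Rule("tenant-a", "vol-shared-7", "read", "allow"),
    Rule("tenant-b", "vol-shared-7", "read", "allow"),  # same effect: no conflict
    Rule("tenant-a", "vol-a-1", "write", "allow"),      # private resource
]

def validate(rules):
    """Policy validation: report malformed rules instead of loading them silently."""
    errors = []
    for r in rules:
        if r.effect not in VALID_EFFECTS:
            errors.append(f"{r.tenant}: invalid effect '{r.effect}' for {r.action} on {r.resource}")
        if not r.resource or not r.action:
            errors.append(f"{r.tenant}: rule with empty resource or action")
    return errors

def find_conflicts(rules, shared):
    """Conflict detection: pairs of rules from different tenants that disagree
    about the same action on a resource belonging to the shared pool."""
    return [
        (a, b) for a, b in combinations(rules, 2)
        if a.tenant != b.tenant
        and a.resource == b.resource and a.resource in shared
        and a.action == b.action and a.effect != b.effect
    ]

def effective_decisions(rules):
    """Conflict resolution: deny-overrides, so one tenant's allow can never
    widen access to a pool element that another tenant has denied."""
    decisions = {}
    for r in rules:
        key = (r.resource, r.action)
        if decisions.get(key) != "deny":
            decisions[key] = r.effect
    return decisions
```

Run validate() before find_conflicts() so that malformed rules are rejected rather than silently skipped by the conflict check.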
Security solutions: Monitoring
- Provide mechanisms that enable the providers to act on the attacks they can handle: infrastructure remapping and fault repairing, shutting down offending components or targets
- Provide mechanisms that enable the consumer to act on attacks targeting the application level
- Risk-adaptable access control
- Provide the ability to move the user’s application to another provider
Security solutions: Identity management
- IdM in the traditional application-centric model assumes each application keeps track of identifying information about its users; existing systems assume the availability of a trusted third party
- Users have multiple accounts associated with multiple service providers (in the cloud)
- Sharing sensitive identity information between services can lead to undesirable mapping of the identities to the user
Security solutions: goals for IdM
- Authenticate without disclosing identifying information
- Ability to securely use a service while on an untrusted host (VM on the cloud)
- Minimal disclosure and minimized risk of disclosure during communication between user and service provider (man-in-the-middle, side-channel and correlation attacks)
- Protection of identity information in cloud and FNs without a trusted third party
5. Towards new security engineering
Challenges: techniques for:
- Identifying cloud security-critical assets and evaluating the costs of their breaches
- Identifying potential future network security threats and evaluating their feasibility
- Identifying feasible (cloud) protections & countermeasures and evaluating their adequacy
- Verifying proper implementation and security policy, and investigating incidents
- Modelling threats and developing a useful framework for security measurement
Towards new security engineering
Major tasks to perform:
- Design and analysis of robust security solutions
- Estimate solution costs and risk evolution
- Build techniques coping with “infinity”
- Tools for the analysis of robustness
Major models to provide:
- Security policy models
- Threat evolutionary modeling
- Verification and validation models
- Visibility modeling
6. Global Cybersecurity: challenges
- Security breaches will be constant
- Password-based security will become essentially useless; most services should offer a multi-factor authentication capability
- Mobile devices (smartphones) are used by people with minimal technical skill and virtually no attention to security
- Cloud failures will result in substantial data loss
- Security-as-a-Service becomes a new cloud market
- Nation-state cyberwar escalates; rogue nations use cybercrime
Global Cybersecurity: Objectives
- To create an assurance framework for the design of security policies and the promotion and enabling of actions for compliance with global security standards
- To strengthen the regulatory framework for ensuring a secure cyberspace
- To create a workforce of skilled professionals
- To enable protection of information while in process, handling, storage & transit
- To enable effective prevention, investigation and prosecution of cybercrimes
GCS: Security factors limiting cloud and FN usage in Africa
- IT experts estimate an 80% infection rate on all PCs continent-wide (in Africa), including government computers. As internet and cloud penetration increases across Africa, so does the risk of sophisticated cyber-attacks, threatening African nations' security
- Increasing bandwidth and use of wireless technologies
- Lack of cyber security awareness
- Ineffective legislation and policies
- Insufficient operator involvement
Conclusion
- Cloud computing is evolving and future networks are merging
- Need for a new role for SPs and network operators, as part of the cyber security ecosystem
- Need to extend the role of the Computing Incident Response Team