Theo Dimitrakos Chief Security Researcher Security Futures Practice BT Research amp Technology Professor of Computer Science School of Computing University of Kent Overview Change factors ID: 187451
Download Presentation The PPT/PDF document "S ecurity challenges in a networked worl..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Security challenges in a networked world
Theo Dimitrakos
Chief Security Researcher –Security Futures
Practice, BT Research & Technology
Professor of Computer Science –
School of Computing, University of Kent Slide2
Overview
Change factors
New security threats
Research challenges Slide3
Change factorsSlide4
Commonly referenced cloud security incidents
Amazon
: Hey Spammers, Get Off My Cloud
! (2008)
Megaupload
US prosecutor investigation (2012)
Bad co-hosts
Bitbucket's
Amazon
DDoS
- what went wrong (2009) AWS EBS cloud storage services outage (2011) – impact on Netflix vs. Foursqaure
Service Availability
Diginotar (June 2011) RSA SecureID (March2011)
Risk communication& Response
Security issues with Google Docs Security Issues with Sony User Network
EntitlementManagement
An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware) see also http://invisiblethingslab.com/itl/About.html Cloudburst: Arbitrary code execution vulnerability for VMWare http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
Hypervisor & Virtual Machine Vulnerabilities
Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine
Crypto Opsin VM
In-cloud federated
Identity Management
Lack of Standards
Data Provanence
Where did the data come from?
Data Remanence
You can check out but can’t leave
Location & Privacy
Who looks at/after your data? And where? Jurisdictions?Slide5
Cloud Security: the challenges
Robust at system level (modulo kernel bugs)
Issues at management plane Memory hijacking
Near real-time virtual patching
Intrusion Prevention at Hypervisor level – below Guest OS
Malware prevention / detection at Hypervisor level
Hypervisor / trusted VM:
the best place to secure
Limited compute resources
Security API standards
Difficult to exploit but high-impact
Do you trust Microsoft?
Do you trust VMWare?
Guest OS needs
security protection Resilient VM lifecycle dynamic at massive scaleCrypto doesn’t like virtualCurrent algorithms set to
optimise resource poolingCan’t always use specialised HWEncryption key management
Co-ordinate security
policies & provisioning fornetwork & server virtualisationLocation/resource optimisationCSPs don’t:
allow clients to classify data offer different levels of security based upon data sensitivity offer DLP servicesSlide6
Cloud Security: the challenges
VMs provided by
IaaS
provider
Platform stack by
PaaS
provider
IaaS
,
PaaS
issues + application security
Lack of standards Lack of interoperabilityLimited service portabilityIncompatible management processesProvider & resource / data locationCross-border data movement
PII and privacy obligations (HIPAA, GLBA)Auditing and compliance (PCI, ISO 27001)Poor quality of evidence
EU vs. US vs. China (Gov. access)
Differences in data protectionCost of keeping data hosting in EUAudit data legally owned by CSP refusal to ‘hand over audit logs?Difficult to involve law enforcement with CSP activities
Latency sensitive applicationsEnforcement of SLA obligationsInsufficient capabilities to cater for managing critical data
In-cloud segregation of data: difficult
Accidental seizure of customer data during forensic investigations Security of shared resourcesProcess isolation
Data segregation“Data sharding” (fragment across images)
Entitlement & Access Mgmt
(policy issuing authority)Slide7
Cloud Security: the challenges
Provisioning
Identity Integration
User Management
Credential Management
Entitlement Management
Device Credentials, PKI Infrastructure
Active Directory/LDAP - Attributes, Credentials and Groups for Edge servers
Credential Mapping
Authorization with Constrained
Delegation
(Policy Integrity & Recognition of Authority)Trust & Federation
Security AuditingFederation and Edge Server Security – Secure Application Integration Fabric (Secure ESB Gateway)Slide8
Questions
For more information please contact:
theo.dimitrakos@bt.com
theo.dimitrakos@ifiptm.org