State-of-the-art Survey on Cloud Computing Security Challenges, Practices and Solutions

Farrukh Shahzad, King Fahd University of Petroleum and Minerals, Dhahran, KSA

September 2014

The 6th International Symposium on Applications of Ad hoc and Sensor Networks (AASNET’14)


OUTLINE

Introduction

Cloud Computing Models

Security in the Cloud

Cloud Storage Security

Case Study: Amazon’s AWS Security

Implementation/Demo of SAFE

Conclusion


INTRODUCTION

Cloud Computing: Highly scalable, technology-enabled services easily consumed over the Internet on an as-needed basis.

Big Players: Amazon, Google, Microsoft, Yahoo, Sun, Salesforce.

Implementations differ by type of service: SaaS, PaaS, IaaS, etc.

User data is processed and/or stored remotely on machines owned and operated by someone else.

Pros: Convenience, efficiency

Cons: Users’ fear of confidential data leakage and loss of privacy in the cloud.

Three main challenges in adopting cloud services:

How to identify a cloud provider that meets the user’s privacy requirements?

How to establish a common privacy policy between the user and the provider?

Is the user’s data actually handled as agreed by the parties?

CLOUD OVERVIEW

CLOUD COMPUTING MODEL

Essential Characteristics

Service Models

Deployment Models

CLOUD COMPUTING CHARACTERISTICS

Resource Pooling

Broad Network Access

Rapid Elasticity

Measured Service

On-demand Self-service

CLOUD SERVICE MODELS

CLOUD DEPLOYMENT MODELS

Public Cloud (Amazon AWS)

Private Cloud

Hybrid Cloud

Community Cloud

CLOUD SECURITY RISK FACTORS

Outsourcing

Extensibility and Shared Responsibility

Virtualization

Multi-tenancy

Service Level Agreement

Heterogeneity

CLOUD SECURITY MATRIX

Application & Interface Security

Audit Assurance & Compliance

Business Continuity Management & Operational Resilience

Change Control & Configuration Management

Data Security & Information Life-cycle Management

Data-center Security

Encryption & Key Management

Governance and Risk Management

Human Resources

Identity & Access Management

Infrastructure & Virtualization Security

Interoperability & Portability

Mobile Security

Security Incident Management, E-Discovery & Cloud Forensics

Supply Chain Management, Transparency and Accountability

Threat and Vulnerability Management

SECURITY AS A SERVICE

Identity Services and Access Management Services

Data Loss Prevention (DLP)

Web Security

Email Security

Security Assessments

Intrusion Management, Detection, and Prevention (IDS/IPS)

Security Information and Event Management (SIEM)

Encryption

Business Continuity and Disaster Recovery

Network Security

SOME CLOUD SECURITY ISSUES

The eDDoS (economic Distributed Denial of Service)

Economic Denial of Sustainability (EDoS)

Cloud Storage Security and Privacy

EDDOS

Distributed Denial of Service (DDoS) attacks target web sites, hosted applications or network infrastructures by absorbing all available bandwidth and disrupting access for legitimate customers and partners.

In the cloud, an eDDoS (economic Distributed Denial of Service) arises from a DDoS attack in which service to the legitimate user is never restricted. This leads to Economic Denial of Sustainability (EDoS), because the user is billed for these undesired resources.


CLOUD STORAGE

Cloud Storage Model

New business solution for remote backup outsourcing

Reduces data management costs

APIs, web based user interfaces, and cloud storage gateways.

Cloud Storage Providers for individuals

iCloud

Dropbox

Google Drive

Amazon S3


CLOUD STORAGE

Advantages of Cloud Storage

Fault tolerance

Immediate access

Streaming

Problems

Access control

Assured deletion?

Multiple copies for fault tolerance


SECURITY GOALS

Threat Model:

Active files: Oscar should not be able to access the file.

Deleted files: whether the files are actually deleted by the provider when requested.

Avoid unauthorized access

policy-based access control

Unrecoverable deleted files

policy based assured deletion

CASE STUDY: AMAZON WEB SERVICES

Compute (Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic MapReduce (Amazon EMR), Auto Scaling, Elastic Load Balancing)

Networking (Amazon Virtual Private Cloud (Amazon VPC), Amazon Route 53, AWS Direct Connect)

Storage (Amazon S3, Amazon Glacier, Amazon Elastic Block Storage (EBS), AWS Storage Gateway, AWS Import/Export)

Content Delivery (Amazon CloudFront)

Database (Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift)

Deployment & Management (AWS Identity and Access Management (IAM), Amazon CloudWatch, AWS Elastic Beanstalk, AWS CloudFormation, AWS Data Pipeline, AWS OpsWorks)

Application Services (Amazon Simple Queue Service (Amazon SQS), Amazon Simple Notification Service (Amazon SNS), Amazon Simple Workflow Service (Amazon SWF), Amazon Simple Email Service (Amazon SES), Amazon CloudSearch, Amazon Elastic Transcoder)

AWS GENERAL SECURITY MEASURES

Certifications and accreditations

Physical security

Secure services

Data privacy

AWS INFRASTRUCTURE SECURITY (SHARED RESPONSIBILITY)

AWS Compliance Program (SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), HIPAA)

Physical and Environmental Security (Fire detection, Power, Temperature Control, Storage Device Decommissioning)

Business Continuity Management (Availability, Incident Reporting, Communication)

Network Security

Secure Network Architecture

Fault‐Tolerant Design

Network Monitoring and Protection (protection against DDoS, MITM, IP Spoofing, Port scanning)

AWS Access (Account Review and Audit, background checks, Password policy)

Secure Design Principles

Change Management

AWS Account Security Features

AWS Identity and Access Management (AWS IAM)

Key Management and Rotation

Temporary Security Credentials

AWS Multi‐Factor Authentication (AWS MFA)

AWS SECURITY BEST PRACTICES

Protect your data in transit

Protect your stored data

Protect your cloud account (AWS) credentials

Manage multiple users with IAM

Secure your Applications

CONCLUSION

The revolution of cloud computing has provided opportunities for research in all aspects of cloud computing.

Research in secure cloud storage is compounded by the fact that users’ data may be kept at several locations, either for redundancy/fault tolerance or because the service is provided through a chain of service providers.

We explored the security measures adopted by the largest cloud service provider (Amazon Web Services or AWS), including their infrastructure security and the security best practices followed by AWS.

ACKNOWLEDGEMENT

The support provided by the Department of Information and Computer Science and Deanship of Scientific Research at King Fahd University of Petroleum and Minerals (KFUPM).


SAFE (DEMO) SUMMARY

The Secure Access controlled File Encryption (SAFE) system is an overlay which works seamlessly over the existing cloud storage services without any changes on the cloud side. Furthermore, the implementation only requires basic data access API functions like put (upload) and get (download).

In SAFE, a file is encrypted with a data key by the owner of the file, using the SAFE client. The data key is further encrypted with a secret key, which in turn is encrypted with a control key, based on the access control policy selected by the owner, with the help of a separate key server. The encrypted keys are stored as a separate metadata file, along with the encrypted data file.

The purpose of SAFE is to achieve policy-based access control and assured deletion.

SAFE OVERVIEW

SAFE client: This is an interface application between the client’s or user’s storage system and the cloud storage. It communicates securely with the key server (SSL protocol) to request the appropriate cryptographic operations. The application performs all required upload, download, encryption and decryption functions.

Key Server: This is a multi-threaded server application which provides all needed backend services to SAFE clients. It uses an SSL socket to communicate with SAFE clients securely. It provides storage for users, policies and the corresponding public/private key pairs.


POLICY MANAGEMENT

The owner of the file needs to select the proper policy for the file to be uploaded to the cloud. There are two types of policies:

1) Individual. Each user of the SAFE system is assigned a unique individual policy at the time he/she registers with the key server.

2) Group Policy. Separate policies can be added for a group of users. For example, a department in a company can have a group policy so that the employees of that department can share files on the cloud, if the owner of the file uploads it with the group policy assigned to that department. Similarly, there could be a group policy for a team project so that all members can share files related to the project.

CRYPTOGRAPHIC KEYS

SAFE uses three types of cryptographic keys to protect the data files stored on the cloud.

1) Data key. A data key is a random secret that is generated by a SAFE client. It is used for encrypting or decrypting data files via symmetric (AES) key encryption.

2) Secret key. Similar to the data key, a secret key is generated by a SAFE client. It is used for encrypting or decrypting the data key via symmetric (AES) key encryption.

3) Policy key. This key is associated with a particular policy. It is represented by a public-private key pair, which is maintained by the key server. It is used to encrypt/decrypt the secret key of the file via RSA. To ensure file deletion (inaccessibility), the corresponding policy can be revoked.


UPLOAD OPERATION OF SAFE

The file upload function is shown below. The client first requests the public key Ppub of policy P from the key server. Then the client generates two random keys K and S and performs the encryptions eS(K), ePpub(S) and eK(F). Finally, the client sends eK(F), i.e. the encrypted file, and P, eS(K), ePpub(S) (as metadata) to the cloud. The client should discard K and S. There will be two objects on the cloud: one is the client’s encrypted file and the other is the corresponding metadata text file containing the policy and the related keys (encrypted).


DOWNLOAD OPERATION OF SAFE

The client fetches the metadata file to get P, eS(K), ePpub(S) from the storage system. Then the client sends ePpub(S) to the key server for decryption. The key server decrypts using the policy’s private key and returns S = dPprv(ePpub(S)) to the client. The client can now decrypt eS(K) to get K. The client finally fetches the actual encrypted file eK(F) and decrypts it with K to get the original file F. The client should immediately discard K and S.


UPDATE POLICY

• Only needs to download the corresponding metadata file.

• Update the last line (secret key encrypted with new policy key).

• Write back the modified metadata file.

• There is no need to access the actual encrypted data file.
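
The key chain from the upload, download and update-policy slides, run end to end, as an added example that is not SAFE's own code. AES-GCM, RSA-OAEP, the key sizes and the exact re-wrap flow are assumptions (the slides only state AES and RSA), and the client and key server roles run in one process here.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
public class SafeKeyChainDemo {
    // AES-GCM with a fresh 12-byte IV prepended to the ciphertext (mode is an assumption).
    static byte[] aesEnc(SecretKey k, byte[] pt) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(pt);
        byte[] out = Arrays.copyOf(iv, 12 + ct.length);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return out;
    }
    static byte[] aesDec(SecretKey k, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
    // RSA-OAEP wrap/unwrap of S under a policy key (padding is an assumption).
    static byte[] rsa(int mode, Key k, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(mode, k);
        return c.doFinal(in);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA"); g.initialize(2048);
        KeyPair oldP = g.generateKeyPair(), newP = g.generateKeyPair(); // policy keys, held by the key server
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(128);
        SecretKey K = kg.generateKey(), S = kg.generateKey();           // generated by the client
        // Upload: the cloud receives eK(F) plus the metadata {P, eS(K), ePpub(S)}.
        byte[] eKF = aesEnc(K, "constructed sample file".getBytes(StandardCharsets.UTF_8));
        byte[] eSK = aesEnc(S, K.getEncoded());
        byte[] ePS = rsa(Cipher.ENCRYPT_MODE, oldP.getPublic(), S.getEncoded());
        // Policy update (assumed flow): S is unwrapped and re-wrapped; eK(F) and eS(K) are untouched.
        byte[] sRaw = rsa(Cipher.DECRYPT_MODE, oldP.getPrivate(), ePS);
        ePS = rsa(Cipher.ENCRYPT_MODE, newP.getPublic(), sRaw);
        // Download under the new policy: S = dPprv(ePpub(S)), then K, then F.
        SecretKey S2 = new SecretKeySpec(rsa(Cipher.DECRYPT_MODE, newP.getPrivate(), ePS), "AES");
        SecretKey K2 = new SecretKeySpec(aesDec(S2, eSK), "AES");
        System.out.println(new String(aesDec(K2, eKF), StandardCharsets.UTF_8));
        // The old policy's private key cannot open the re-wrapped metadata entry.
        try { rsa(Cipher.DECRYPT_MODE, oldP.getPrivate(), ePS); System.out.println("unexpected"); }
        catch (GeneralSecurityException e) { System.out.println("old policy key rejected"); }
    }
}
```

Re-wrapping leaves K and S unchanged, so a saved copy of the old metadata file stays decryptable for as long as the old policy's private key exists on the key server.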


IMPLEMENTATION

SAFE is implemented purely in Java, based on the design framework presented in the previous section. All the libraries used are third-party or built-in Java libraries, including the following:

javax.swing (for SAFE GUI)

com.amazonaws (for amazon S3 APIs)

com.dropbox (for Dropbox APIs)

org.apache.log4j (for interactive on-screen and file logging)

javax.crypto and javax.Security for cryptographic operations like AES/RSA encryption/decryption, key generation, etc.

Many other built-in libraries for file I/O and SSL socket programming. There are also other external Java libraries which are used by the Amazon and Dropbox APIs.


IMPLEMENTATION - METADATA

Here is an example of a metadata file generated after an upload to the cloud:

SAFE0001

6B6C379A35A8A17CF005F8CE850D0F45A24C86747DB1D83E167A46ADBBF8CF03

4A31EAF4FFC824ADD69D327D551705F2CB164D23AC47D0B85E47D1BCFEBA342F7

C886C3292DBDB590348FC900F210D56DEC21E1177A0CFC17138ACB41193AC9DEE

CCC74D0B72A1599026A3FD1A0BEBA1E08DA716CE7C58BA77BD79E42E1E85033EA

1F1A2B785F939F47BE421A9A2EA82005AFB81B50D628ABDA43AEFC989B788

This metadata file is saved along with the encrypted file on the cloud with extension ‘.safe’.


IMPLEMENTATION - UPLOAD

2013-05-21 14:22:36 File will be uploaded from: C:\Users\

2013-05-21 14:22:36 Encrypting ..

2013-05-21 14:22:36 Uploading a new object to S3 ..

2013-05-21 14:22:38 Uploading the corresponding metadata ..

2013-05-21 14:22:39 Uploaded file: abc.pdf Done.


IMPLEMENTATION - DOWNLOAD

2013-05-22 05:51:26 Downloading the object metadata.

2013-05-22 05:51:24 Downloading the object

2013-05-22 05:51:26 File Name: abc.pdf

2013-05-22 05:51:27 Decrypting ..

2013-05-22 05:52:13 File will be saved to: C:\abc.pdf


IMPLEMENTATION - INTERFACE
