
Seminar on Cloud Computing: Security and Forensics

Govind Maheswaran
govindmaheswaran@gmail.com
facebook.com/govindmaheswaran
twitter.com/RestlessMystic

Contents

Cloud Computing
Cloud Security
Risk Assessment
Cloud Forensics
Conclusion

Biggest Paradigm Shift in 20 years

Game Changers

The cloud is for everyone. The cloud is a democracy.

Cloud Computing
Just On
Pay As You Go

Cloud is loud
From 46.4 billion $ to 150.8 billion $ in an ye
Tremendous Cost Cutting

Defining the Cloud


Cloud computing is a model for enabling convenient, on-demand
network access to a shared pool of configurable computing resources
(e.g., networks, servers, storage, applications, and services) that
can be rapidly provisioned and released with minimal management
effort or service provider interaction. This cloud model promotes
availability and is composed of five essential characteristics, three
service models, and four deployment models.

In Simple English,
I can get my data when I want, over some kind of network, and even though
the data might be coming from different places and my computing power
shared with others, somehow the back end is going to scale up or down to
fulfill my needs, and interestingly, bills me for only what I use.

Essential Characteristics
On-Demand Self-Service
Unilaterally provision computing capabilities as needed automatically, without requiring human interaction with a service provider.

Resource Pooling
The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model.
Shared pools are assigned and reallocated as per requirement.

Rapid Elasticity
Upgrade? More memory required? New software version? Incompatibility with current version?
The Cloud Almighty has it all.

Broad Network Access
Available over the network and accessed through standard mechanisms.

Measured Service
Metering capability.
Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer.

Service Models
Infrastructure as a Service [IaaS]
Servers and network connections.
User needs to install the required OS, platform and applications (some vendors provide the OS).
Eg: Windows Azure

Platform as a Service [PaaS]
Cloud OS and platforms.
All the user needs is to put up his applications.
Eg: Windows Hyper V Cloud, Amazon EC2

Software as a Service [SaaS]
User gets the software as a web service.
Eg: Google Docs, Office 365, Amazon S3

Processor, Memory, Storage
Operating System
Runtime, API, Web Server
Application, Web Service, Web UI

Deployment Models

Public Cloud

Community Cloud

Private Cloud

Hybrid Cloud

A few cloud services

Windows Azure
Pricing..

Compute

Storage

Database

Transaction

Why/Why Not Cloud?

Pros
Scale vs. Cost
Multiplatform support
Encapsulated Change Management
Next-Gen Architecture

Cons
Lack of Control
Reliability Issues
Lock In
Data out of Premises
Security

They're certainly a threat, and would be easy to make maliciou

We were hacked

The technology demands of the cybersecurity adviser's job are relatively trivial..

Cloud Security

Maybe I am an Idiot, but Cloud Computing is Non-Sensical
click-and-pawn kind of situation

Cloud is vapourware

We are taking this incident very seriously.

Cloud Security
* Cloud is a relatively newer technology. So, its security domains are not fully known.
* Cloud based Security Risks => CRISKS

Targets
* Hardware
* Data
* Applications
* (in short, everything in the cloud)
Some major security issues are discussed in the following slides.

1. Shared Service Consequences

Any kind of intentional and unintentional malicious activity carried out or executed on a shared platform may affect the other tenants and associated stakeholders.
Eg: Blocking of IP ranges, confiscation of resources etc.
A sudden increase in resource usage by one application can drastically affect the performance and availability of other applications sharing the same cloud infrastructure.

2. Run-on-the-cloud

Bankruptcy and catastrophes do not come with an early warning.
Such a run-on-the-cloud may lead to acquisitions or mergers.
A sudden takeover can result in a deviation from the agreed Terms of Use & License Agreement, which may lead to a Lock-In situation.

3. Lock In

Migrating from a cloud is difficult, as different cloud providers use various OSes, middleware and APIs.
Also, a sudden change of provider policies may leave the user stuck with the cloud.
The user may want to quit, but he cannot, as his data is in the cloud: a Lock-In situation.

4. Data protection

Handled by the provider.
The user rarely has information about the protection facilities.
Prevent unauthorized access by the privileged employees of the service provider.

5. Lack of Transparency

The service provider may be following good security procedures, but they are not visible to the customers and end users.
This may be due to security reasons.
End user questions remain unanswered:
how the data is backed up, who backs up the data, whether the cloud service provider does it or has outsourced it to some third party,

6. Privacy

Confidential data remains confidential.
The information deleted by the customer may be available to the cloud solution provider as part of their regular backups.
Insecure and inefficient deletion of data, where true data wiping is not happening, exposes the sensitive information to other cloud users.

7. Application security

Vulnerabilities applicable to programs running in conventional systems and networks are also applicable to cloud infrastructure.
It also requires application security measures (application-level firewalls) to be in place in the production environment.

8. Record Keeping

The cloud provider maintains logs of none/some/all of the cloud activities.
The end user has no access to these logs, nor are they aware of what exactly is being logged.

Security Testing in Cloud

Security testing is a process to determine that an information system protects data and maintains functionality as intended.
Cloud security testing is futile, due to the following reasons.

Permission Issues
If a user traverses unauthorised areas of a cloud, he may reach a black hole.
An application is tested today and found vulnerable or not; how do you know that the app tested tomorrow is the same one that was tested yesterday?

Risk Assessment

Who protects my data?
Should I put my data in the Cloud?
15$ per user per mont
Low-value assets don't need the same level of security controls
risk based approach
Are we to skip on-site inspections, discoverability, and complex encryption schemes..

Risk Assessment Framework for Cloud

Although Cloud can be considered a failure in terms of security, there are still many takers for it.
This is mainly due to the multi-tenancy (cost sharing) aspect.
A risk based approach needs to be adopted, after considering the profit and loss involved in moving the assets to the cloud.
An RA Framework is presented in the coming slides.

Risk Assessment Framework

1. Identify the Asset
2. Evaluate the Asset
3. Map the Asset to Existing Cloud Deployment Models
4. Evaluate Cloud Service Models and Providers
5. Sketch the Potential Data Flow

Identify the Asset

Assets can be data or applications. Choose which of them need to be migrated to the cloud.
In the cloud, data and application need not reside at the same location. Thus, even parts of functions can be shifted to the cloud.
Make the choice based upon current data usage and potential data usage.

Evaluate the Asset

Determine how important and sensitive the asset is to the organisation.
In short, evaluate the asset on the basis of confidentiality and availability.

Map the Asset to Existing Cloud Deployment Models

Determine which deployment model is good for the organizational requirement.
Decide whether the organization can accept the risks implicit to the various deployment models (private, public, community, or hybrid).

Evaluate Cloud Service Models and Providers

Determine which service deployment model is good for the organizational requirement.
Decide whether the organization is competent enough to implement the extra layers (in case of IaaS or PaaS).

Sketch the Potential Data Flow

Required to analyse how and when data will move in and out of the cloud..

Cloud Forensics

Swift as the Wind
Quiet as the forest
Conquer like the fire
Steady as the mountain

Digital Forensics = Laws of human vs Laws of Computing

Digital Forensics Science
DEFINITION:
The use of scientifically derived and proven
methods toward the preservation, collection,
validation, identification, analysis, interpretation,
documentation and presentation of digital evidence
derived from digital sources for the purpose of
facilitating or furthering the reconstruction of events
found to be criminal, or helping to anticipate
unauthorized actions shown to be disruptive to
planned operations.
Cloud Forensics refers to the usage of Digital
Forensics Science in Cloud computing models.

Opportunities

Cloud forensics is more cost effective than conventional digital forensic methodologies.
In case a cloud needs to be shut down for data collection, it can be done with very little extra work (transferring data to another data center within the same cloud).
Forensics may be implemented as a Cloud Service.

Challenges

Legal Regulations
Legal and regulatory requirements and compliances may be lacking in the location(s) where the data is actually stored.

Record Retention Policies
There exists no standardized logging format for the cloud.
Each provider logs in different formats, making log crunching for forensics difficult in case of Cloud.

Identity Management
There exist no proper KYC norms in case of Cloud Providers. Anyone with a credit card can purchase a cloud account.

Challenges

Continuously Overwritten Logs
The cloud keeps working, and its logs are replicated and overwritten continuously. So it poses a great challenge to the forensic scientist to spot the state of the log file at the time of an attempted crime..

Admissibility
Along with finding the evidence, the scientist must also prove it to a legal, non-technical person. This part is worse than the real forensics process.

Privacy
Someone hacked something somewhere. Why should a Forensic guy check the data that I have put in my cloud ..?
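
The record retention and overwritten-log challenges above, as an added example that is not part of the original slides: two differently formatted provider exports are mapped to one UTC timeline, and the acquired lines are fingerprinted so the state at collection time can be shown later. Both log formats, their field names and the sample lines are constructed for this illustration and do not describe any real provider.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample exports; both formats are invented for this example.
PROVIDER_A = [  # JSON lines, timestamps in epoch milliseconds
    '{"ts": 1325412000000, "user": "alice", "op": "PutObject", "target": "vol-7"}',
    '{"ts": 1325412120000, "user": "mallory", "op": "DeleteObject", "target": "vol-7"}',
]
PROVIDER_B = [  # key=value pairs, local time with a UTC offset
    'time=2012-01-01T15:31:00+05:30 actor=mallory action=login resource=console',
]

def parse_a(line):
    rec = json.loads(line)
    when = datetime.fromtimestamp(rec["ts"] / 1000, tz=timezone.utc)
    return when, rec["user"], rec["op"], rec["target"]

def parse_b(line):
    kv = dict(pair.split("=", 1) for pair in line.split())
    when = datetime.fromisoformat(kv["time"]).astimezone(timezone.utc)
    return when, kv["actor"], kv["action"], kv["resource"]

def normalize(source, lines, parser):
    """Map one provider's lines to a common record, keeping a hash of each raw line."""
    out = []
    for raw in lines:
        when, actor, action, resource = parser(raw)
        out.append({
            "time_utc": when.isoformat(), "source": source, "actor": actor,
            "action": action, "resource": resource,
            "raw_sha256": hashlib.sha256(raw.encode()).hexdigest(),
        })
    return out

def build_timeline():
    records = normalize("A", PROVIDER_A, parse_a) + normalize("B", PROVIDER_B, parse_b)
    return sorted(records, key=lambda r: datetime.fromisoformat(r["time_utc"]))

def snapshot_digest(timeline):
    """One fingerprint of the acquired state; changing any raw line changes it."""
    h = hashlib.sha256()
    for rec in timeline:
        h.update(rec["raw_sha256"].encode())
    return h.hexdigest()

if __name__ == "__main__":
    print(*build_timeline(), sep="\n")
    print("snapshot:", snapshot_digest(build_timeline()))
```

Recording the snapshot digest at acquisition time, outside the cloud account being examined, gives the examiner a reference value to compare against if the provider's copy is later rotated or overwritten.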

Conclusion

Cloud is changing the way systems and services are provided and utilized.
The more informed IT departments are about the cloud, the better the position they will be in when making decisions about deploying, developing, and maintaining systems in the cloud.
With so many different cloud deployment and service models, and their hybrid permutations, no list of security controls can cover all these circumstances.
Cloud has just crossed its inception stage, and research on cloud security is still going on.
Use a Risk Assessment framework before data is put on the cloud.
Cloud forensics, being younger than Cloud computing, has very little to offer as of now.
Watch your activities, keep in touch with your cloud service provider, read the user manual carefully.


Questions..?

Thank you..!

Drop me a mail : govindmaheswaran@gmail.com