Slide 1
Security challenges in a networked world Theo Dimitrakos
Chief Security Researcher, Security Futures Practice, BT Research & Technology
Professor of Computer Science – School of Computing, University of Kent
© British Telecommunications plc
Slide 2
Overview
• Change factors
• New security threats
• Research challenges
Slide 3
Change factors
Cloud Computing
• Disappearing perimeters
• Business services distributed over the network
• Global operations
• Big data at rest on the network / exposed via the network
Network Virtualisation
• Virtualisation of networks and network devices
• New ways of operating network infrastructures
Internet of Things
• Massive interconnection of cloud services and smart devices
• Global distribution (Smart Cities, Smart Health, Smart Energy, etc.)
• Fusion of services with new areas that did not previously rely on IT networks
Content Networks & New Media
• New and more complex content
• Complex content and media delivery schemes
Mobile Network Evolution
• 4G evolution and deployment
• BYOD proliferation
Social Networks
• Complex interleaving communication channels
• New socio-technical models
Cyber Crime
• Fusion of traditional and internet crime
• Reputation damage and attacks
Cyber Terrorism
• Network increasingly a theatre of state, group and activist terrorism
• Complex supply chains
• Fusion of civil/defence networks
Slide 4
Commonly referenced cloud security incidents
Bad co-hosts
• Amazon: Hey Spammers, Get Off My Cloud! (2008)
• Megaupload US prosecutor investigation (2012)
Service Availability
• Bitbucket's Amazon DDoS - what went wrong (2009)
• AWS EBS cloud storage services outage (2011): impact on Netflix vs. Foursquare
Risk Communication & Response
• DigiNotar (June 2011)
• RSA SecurID (March 2011)
Entitlement Management
• Security issues with Google Docs
• Security issues with Sony user network
Hypervisor & Virtual Machine Vulnerabilities
• An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf
• Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware) see also http://invisiblethingslab.com/itl/About.html
• Cloudburst: Arbitrary code execution vulnerability for VMware http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
Crypto Ops in VM
• Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine
In-cloud federated Identity Management
Lack of Standards
Data Provenance: Where did the data come from?
Data Remanence: You can check out but can't leave
Location & Privacy: Who looks at/after your data? And where? Jurisdictions?
Slide 5
Cloud Security: the challenges
Cloud & Virtual Infrastructure Security
Isolation (Inter-VM & Hypervisor)
• Robust at system level (modulo kernel bugs)
• Issues at management plane
• Memory hijacking
Active Shielding
• Near real-time virtual patching
• Intrusion prevention at hypervisor level, below the guest OS
• Malware prevention / detection at hypervisor level
VM Security
• Guest OS needs security protection
• Resilient VM lifecycle: dynamic, at massive scale
Hypervisor Security
• Hypervisor / trusted VM: the best place to secure
• Limited compute resources
• Security API standards
• Difficult to exploit but high-impact
• Do you trust Microsoft? Do you trust VMware?
Physical-to-Virtual Mapping
End-to-end Virtualisation
• Co-ordinate security policies & provisioning for network & server virtualisation
• Location / resource optimisation
Crypto doesn't like virtual
• Current algorithms set to optimise resource pooling
• Can't always use specialised HW
• Encryption key management
Data Leakage Prevention
• CSPs don't: allow clients to classify data; offer different levels of security based upon data sensitivity; offer DLP services
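The "Crypto doesn't like virtual" point on this slide and the Resettable Public-Key Encryption reference under "Crypto Ops in VM" on slide 4 describe the same failure mode: when the hypervisor restores or clones a guest from a snapshot, the guest's PRNG state is replayed, so any algorithm that draws "fresh" randomness from it reuses that randomness across the clones. The following is an added example, not from the deck and not code of BT or the cited authors, that simulates this with a snapshot/restore of a guest PRNG and a toy HMAC-SHA256 keystream cipher, then applies the hedging idea discussed in that line of work: derive the randomness actually used by the algorithm from the raw PRNG output together with the key and the message, so a replayed PRNG state with different messages no longer produces a repeated keystream. The GuestVM class, the keystream construction, the key and the two messages are constructed for illustration only.

```python
"""Simulation of VM-reset randomness reuse and the hedging countermeasure.

Constructed toy: random.Random stands in for a guest's entropy pool,
getstate()/setstate() for the hypervisor's snapshot/restore, and an
HMAC-SHA256 counter-mode keystream for a stream cipher. Not production crypto.
"""
import hashlib
import hmac
import random
from typing import Callable, Dict, Tuple

KEY = b"k" * 32  # constructed long-term key held inside the guest
MSG1 = b"transfer 100 GBP"  # constructed equal-length messages so the
MSG2 = b"transfer 999 GBP"  # two-time-pad check below is byte-for-byte


class GuestVM:
    """Minimal model of a guest whose PRNG was seeded once at boot."""

    def __init__(self, boot_seed: int) -> None:
        self._prng = random.Random(boot_seed)  # stands in for the entropy pool
        self._snapshot = None

    def snapshot(self) -> None:
        self._snapshot = self._prng.getstate()  # hypervisor captures full state

    def restore(self) -> None:
        self._prng.setstate(self._snapshot)  # ... and later replays it verbatim

    def random_bytes(self, n: int) -> bytes:
        return self._prng.getrandbits(8 * n).to_bytes(n, "big")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_naive(vm: GuestVM, key: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    """Nonce taken straight from the guest PRNG: breaks after a VM reset."""
    nonce = vm.random_bytes(16)
    return nonce, xor(msg, keystream(key, nonce, len(msg)))


def encrypt_hedged(vm: GuestVM, key: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    """Hedged variant: nonce = HMAC(key, r || msg), so a replayed r still
    yields distinct nonces for distinct messages."""
    r = vm.random_bytes(16)
    nonce = hmac.new(key, r + msg, hashlib.sha256).digest()[:16]
    return nonce, xor(msg, keystream(key, nonce, len(msg)))


def reset_attack(encrypt: Callable[[GuestVM, bytes, bytes], Tuple[bytes, bytes]]) -> Dict[str, bool]:
    """Encrypt one message per clone restored from the same snapshot and
    report whether the nonce repeated and whether c1 XOR c2 == m1 XOR m2
    (the classic two-time-pad leak when a keystream is reused)."""
    vm = GuestVM(boot_seed=2011)
    vm.snapshot()  # snapshot taken after boot, before any crypto ran
    n1, c1 = encrypt(vm, KEY, MSG1)
    vm.restore()  # second clone starts from the identical PRNG state
    n2, c2 = encrypt(vm, KEY, MSG2)
    return {
        "nonce_reused": n1 == n2,
        "leaks_plaintext_xor": xor(c1, c2) == xor(MSG1, MSG2),
    }


if __name__ == "__main__":
    print("naive :", reset_attack(encrypt_naive))
    print("hedged:", reset_attack(encrypt_hedged))
```

The hedged variant is deterministic for a fixed (r, key, msg), so encrypting the same message twice after the same reset gives the same ciphertext; that is the accepted trade-off of hedging, which stays secure as long as either the randomness is fresh or the message is unpredictable. It does not help a protocol whose secrecy depends on a fresh nonce alone, which is why the slides' point about specialised hardware and key management on virtualised hosts still applies.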
Slide 6
Cloud Security: the challenges
Cloud Data & Services Security
Law & Compliance
• Provider & resource / data location
• Cross-border data movement
• PII and privacy obligations (HIPAA, GLBA)
• Auditing and compliance (PCI, ISO 27001)
• Poor quality of evidence
• Audit data legally owned by CSP: refusal to hand over audit logs?
• Difficult to involve law enforcement with CSP activities
Data Location & Mobility
• EU vs. US vs. China (government access)
• Differences in data protection
• Cost of keeping data hosting in the EU
Resilience & Availability
• Latency-sensitive applications
• Enforcement of SLA obligations
• Insufficient capabilities to cater for managing critical data
Security in Depth
• VMs provided by IaaS provider
• Platform stack by PaaS provider
• IaaS and PaaS issues + application security
Data Commingling
• In-cloud segregation of data: difficult
• Accidental seizure of customer data during forensic investigations
Multi-tenancy
• Security of shared resources
• Process isolation
• Data segregation
• "Data sharding" (fragment across images)
• Entitlement & Access Mgmt (policy issuing authority)
Cloud Platform Lock-in
• Lack of standards
• Lack of interoperability
• Limited service portability
• Incompatible management processes
Slide 7
Cloud Security: the challenges
Cloud Application Security
Identity Lifecycle Management
• Provisioning
• Identity Integration
• User Management
• Credential Management
• Entitlement Management
Virtual Directory Services
• Device Credentials, PKI Infrastructure
• Active Directory/LDAP: Attributes, Credentials and Groups for Edge servers
Distributed Access Management
• Credential Mapping
• Authorization with Constrained Delegation (Policy Integrity & Recognition of Authority)
• Trust & Federation
• Security Auditing
Application Service Integration
• Federation and Edge Server Security: Secure Application Integration Fabric (Secure ESB Gateway)
Slide 8
Questions
For more information please contact: