3. “The cloud is for everyone.
The cloud is a democracy.”
4. Cloud computing is a model for enabling convenient, on-demand
network access to a shared pool of configurable computing resources
(e.g., networks, servers, storage, applications, and services) that can
be rapidly provisioned and released with minimal management effort
or service provider interaction. This cloud model promotes
availability and is composed of five essential characteristics, three
service models, and four deployment models.
In simple English:
I can get my data when I want, over some kind of network, and even though
the data might be coming from different places and my computing power
shared with others, somehow the back end is going to scale up or down to
fulfill my needs, and interestingly, bills me for only what I use.
5. On-Demand Self-Service
• Unilaterally provision computing capabilities as needed,
automatically, without requiring human interaction with a
service provider
Resource Pooling
• The provider's computing resources are pooled to serve multiple
consumers using a multi-tenant model
• Shared pools are assigned and reallocated as per requirement
Rapid Elasticity
• Upgrade? More memory required? New software version?
Incompatibility with current version?
• "The Cloud Almighty" has it all…
Broad Network Access
• Available over the network and accessed through standard
mechanisms
Measured Service
• Metering capability
• Resource usage can be monitored, controlled, and reported,
providing transparency for both the provider and consumer
6. Infrastructure as a Service [IaaS]
• Servers and network connections.
• User needs to install the required OS, platform and applications
(some vendors provide the OS).
• Eg: Windows Azure
Platform as a Service [PaaS]
• Cloud OS and platforms.
• All the user needs is to put up his applications.
• Eg: Windows Hyper V Cloud, Amazon EC2
Software as a Service [SaaS]
• User gets the software as a web service.
• Eg: Google Docs, Office 365, Amazon S3
[Diagram: IaaS: Processor, Memory, Storage; PaaS: Runtime, API,
Web Server; SaaS: Application, Web Service, Web UI; Operating System]
7. • Public Cloud
• Community Cloud
• Private Cloud
• Hybrid Cloud
10. Pros
• Scale vs. Cost
• Multiplatform support
• Encapsulated Change Management
• Next-Gen Architecture
Cons
• Lack of Control
• Reliability Issues
• Lock In
• Data out of Premises
• Security
11. “They're certainly a threat, and would be easy to make malicious.”
“The technology demands of the
cybersecurity adviser's job are
relatively trivial..”
12. * Cloud is a relatively new technology, so its
security domains are not fully known.
* Cloud based Security Risks => CRISKS
* Hardware
* Data
* Applications
* (in short, everything in the cloud)
Some major security issues are discussed in the following slides.
14. • Any kind of intentional or unintentional malicious activity
carried out or executed on a shared platform may affect the
other tenants and associated stakeholders.
• Eg: blocking of IP ranges, confiscation of resources, etc.
• A sudden increase in the resource usage by one application can
drastically affect the performance and availability of other
applications sharing the same cloud infrastructure.
15. • Bankruptcy and catastrophes do not come with an early
warning.
• Such a run-on-the-cloud may lead to acquisitions or mergers.
• A sudden takeover can result in a deviation from the agreed
Terms of Use & License Agreement, which may lead to a
Lock-In situation.
16. • Migrating from a cloud is difficult, as different cloud providers
use various OSes, middleware and APIs.
• Also, a sudden change of provider policies may leave the user
stuck with the cloud.
• The user may want to quit, but he cannot, as his data is in the
cloud.
• Lock-In Situation
17. • Handled by the provider.
• The user rarely has information about the protection facilities.
• Prevent unauthorized access by the privileged employees of the
service provider.
18. • The service provider may be following good security
procedures, but this is not visible to the customers and end
users.
• This may be due to security reasons.
• End user questions remain unanswered:
• how the data is backed up, who backs up the data, whether the cloud service
provider does it or has outsourced it to some third party,
19. • Confidential data remains confidential.
• The information deleted by the customer may be available to
the cloud solution provider as part of their regular backups.
• Insecure and inefficient deletion of data where true data
wiping is not happening, exposing the sensitive information
to other cloud users.
20. • Vulnerabilities applicable to programs running in
conventional systems & networks are also applicable to cloud
infrastructure.
• It also requires that application security measures
(application-level firewalls) be in place in the production
environment.
21. • The cloud provider maintains logs of none/some/all of the
cloud activities.
• The end user has no access to these logs, nor are they
aware of what exactly is being logged.
22. • Security testing is a process to determine that an information
system protects data and maintains functionality as intended.
• Cloud security testing is futile, due to the following reasons:
• Permission issues: if a user traverses unauthorised areas of a
cloud, he may reach a black hole.
• An application is tested today and found vulnerable or
not; how do you know that the app tested tomorrow is
the same one that was tested yesterday?
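One way to answer the "same app as yesterday?" question on slide 22 is to fingerprint the build that was tested and compare it with what is deployed later. This is an added example, not part of the original slides; the file names, contents and function names are hypothetical.

```python
import hashlib

def fingerprint(files):
    """Return per-file SHA-256 digests and one digest over the whole file set."""
    per_file = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    overall = hashlib.sha256()
    for path in sorted(per_file):  # sorted so dict ordering never changes the result
        overall.update(f"{path}\0{per_file[path]}\n".encode())
    return per_file, overall.hexdigest()

def drift(tested, deployed):
    """List what differs between the tested build and the one now running."""
    t, _ = fingerprint(tested)
    d, _ = fingerprint(deployed)
    return {
        "added": sorted(set(d) - set(t)),
        "removed": sorted(set(t) - set(d)),
        "changed": sorted(p for p in set(t) & set(d) if t[p] != d[p]),
    }

# Constructed sample builds: path -> file content (all values hypothetical)
TESTED = {
    "app/main.py": b"serve()",
    "app/auth.py": b"require_token()",
    "requirements.txt": b"libexample==1.0",
}
DEPLOYED = {
    "app/main.py": b"serve()",
    "app/auth.py": b"pass",
    "app/debug.py": b"DEBUG = True",
}

if __name__ == "__main__":
    print("tested  :", fingerprint(TESTED)[1])
    print("deployed:", fingerprint(DEPLOYED)[1])
    print(drift(TESTED, DEPLOYED))
```

Recording the overall digest in the test report ties the findings to one exact build, so a later change is visible as a mismatch.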
23. “Who protects my data?”
“Are we to skip on-site inspections,
discoverability, and complex
encryption schemes..”
24. • Although cloud can be considered a failure in terms of
security, there are still many takers for it.
• This is mainly due to the multi-tenancy (cost sharing) aspect.
• A risk-based approach needs to be adopted, after considering
the profit and loss involved in moving the assets to the cloud.
An RA Framework is presented in the coming slides…
25. Identify the Asset → Evaluate the Asset → Map the Asset to
Existing Cloud Deployment Models → Evaluate Cloud Service Models
and Providers → Sketch the Potential Data Flow
26. Identify the Asset
• Assets can be data or applications. Choose which of them need to be
migrated to the cloud.
• In the cloud, data and application need not reside at the same location.
• Thus, even parts of functions can be shifted to the cloud.
• Make the choice based upon current data usage and potential data
usage.
27. Evaluate the Asset
• Determine how important and sensitive the asset is to the
organisation.
• In short, evaluate the asset on the basis of confidentiality and
availability.
28. Map the Asset to Existing Cloud Deployment Models
• Determine which deployment model is good for the organizational
requirement.
• Decide whether the organization can accept the risks implicit to the
various deployment models (private, public, community, or hybrid).
29. Evaluate Cloud Service Models and Providers
• Determine which service deployment model is good for the
organizational requirement.
• Decide whether the organization is competent enough to implement
the extra layers (in case of IaaS or PaaS).
30. Sketch the Potential Data Flow
• Required to analyse how and when data will move in and out of the
cloud.
31. “They're certainly a threat, and would be easy to make malicious.”
“Quiet as the forest”
32. DEFINITION:
“The use of scientifically derived and proven methods toward
the preservation, collection, validation, identification, analysis,
interpretation, documentation and presentation of digital
evidence derived from digital sources for the purpose of
facilitating or furthering the reconstruction of events found to be
criminal, or helping to anticipate unauthorized actions shown to
be disruptive to planned operations.”
Cloud Forensics refers to the usage of Digital Forensics Science in
Cloud computing models.
33. • Cloud forensics is more cost effective than conventional
digital forensic methodologies.
• In case a cloud needs to be shut down for data collection, this can
be done with very little extra work (transferring data to
another data center within the same cloud).
• Forensics may be implemented as a Cloud Service.
34. Legal Regulations
Legal & regulatory requirements and compliances may be
lacking in the location(s) where the data is actually stored.
Record Retention Policies
There exists no standardized logging format for the cloud.
Each provider logs in different formats, making log
crunching for forensics difficult in case of Cloud.
Identity Management
There exist no proper KYC norms in the case of cloud
providers. Anyone with a credit card can purchase a cloud
account.
35. Continuously Overwritten Logs
The cloud keeps working, and its logs are replicated and
overwritten continuously. So it poses a great challenge to
the forensic scientist to spot the state of the log file at the
time of an attempted crime.
Admissibility
Along with finding the evidence, the scientist must also
prove it to a legal, non-technical person. This part is worse
than the real forensics process.
Privacy
Someone hacked something somewhere. Why should a
forensic guy check the data that I have put in my cloud?
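The record-retention and overwritten-log challenges on slides 34 and 35 can be illustrated with a small collector that normalises two differently formatted logs into one UTC timeline and seals the snapshot with a hash chain, so later overwrites are detectable. This is an added example, not part of the original slides; both log formats, the field names and the sample records are constructed and do not represent any real provider.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample records. Both formats are hypothetical, not any real provider's.
PROVIDER_A = [  # JSON lines with ISO-8601 UTC timestamps
    '{"time": "2012-03-01T10:15:02Z", "user": "alice", "action": "login", "src": "203.0.113.7"}',
    '{"time": "2012-03-01T10:17:40Z", "user": "alice", "action": "delete_object", "src": "203.0.113.7"}',
]
PROVIDER_B = [  # key=value pairs with Unix epoch seconds
    "ts=1330596960 principal=bob op=login ip=198.51.100.9",
    "ts=1330597200 principal=bob op=read_object ip=198.51.100.9",
]

def parse_a(line):
    rec = json.loads(line)
    ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.isoformat(), "actor": rec["user"], "action": rec["action"],
            "source_ip": rec["src"], "provider": "A"}

def parse_b(line):
    kv = dict(pair.split("=", 1) for pair in line.split())
    ts = datetime.fromtimestamp(int(kv["ts"]), tz=timezone.utc)
    return {"ts": ts.isoformat(), "actor": kv["principal"], "action": kv["op"],
            "source_ip": kv["ip"], "provider": "B"}

def build_timeline(a_lines, b_lines):
    """Merge both sources into one list ordered by normalised UTC time."""
    events = [parse_a(l) for l in a_lines] + [parse_b(l) for l in b_lines]
    return sorted(events, key=lambda e: e["ts"])

def chain_digest(events):
    """SHA-256 hash chain over the timeline; any later change alters the final value."""
    digest = b"\x00" * 32
    for event in events:
        canon = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        digest = hashlib.sha256(digest + canon).digest()
    return digest.hex()

if __name__ == "__main__":
    timeline = build_timeline(PROVIDER_A, PROVIDER_B)
    for event in timeline:
        print(event["ts"], event["provider"], event["actor"], event["action"])
    print("snapshot digest:", chain_digest(timeline))
```

Storing the final digest with the case notes at collection time lets an examiner show later that the collected snapshot has not changed, even after the provider's live logs have been overwritten.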
37. • Cloud is changing the way systems and services are
provided and utilized.
• The more informed IT departments are about the cloud,
the better the position they will be in when making
decisions about deploying, developing, and maintaining
systems in the cloud.
• With so many different cloud deployment and service
models, and their hybrid permutations, no list of security
controls can cover all these circumstances.
• Cloud has just crossed its inception stage, and research
on cloud security is still going on.
38. • Use a Risk Assessment framework before data is put on the
cloud.
• Cloud forensics, being younger than Cloud computing, has
very little to offer as of now.
• Watch your activities, keep in touch with your cloud
service provider, read the user manual carefully.
39. • Cloud Security Alliance, a non-profit Cloud Evangelists Group
https://cloudsecurityalliance.org/
• Microsoft Corporation, Windows Azure
http://www.microsoft.com/windowsazure
• IEEE Paper “Cloud Computing: The impact on digital forensic
investigations”
• IEEE Paper “Cloud computing: Forensic challenges for law
enforcement”
• Cyber Forensics by Albert J Marcella and Robert Greenfield