THE CLOUD. Who Owns Your Data?

Transcription

1 THE CLOUD Who Owns Your Data? Seite 1

2 TABLE OF CONTENTS Introduction App Server Storage Network / location Seite 2

3 THIS IS NOT A TALK ABOUT What the cloud is Why to use the cloud Which cloud to use Also, there will not be any cloud products mentioned in this presentation Seite 3

4 ABOUT ME Peter Heinemann IT Forensic / IT Security Consultant Seite 4

5 TRUST Scanzoni (1979): Vertrauen beinhaltet, das eigene Schicksal in die Hände eines anderen zu legen, ohne in der Lage zu sein, sich zu versichern, dass keine unvorteilhaften Konsequenzen resultieren werden. Translation: Trust includes putting your own destiny into the hands of another person, without being able to ensure that no disadvantagous consequences are the result Seite 5

6 CLOUD SECURITY AND PRIVACY From Cloud Security and Privacy by Mather, Kumaraswamy and Latif Seite 6

7 TABLE OF CONTENTS Introduction App Server Storage Network / Location Seite 7

8 APPLICATION SECURITY Who has which responsibilities? Security responsibility regulated in SPI / SLA Security requirements same as in traditional model Web application security -> OWASP TOP 10 Injection (SQL, Command, ) Cross-Site Scripting Privilege Escalation Seite 8

9 CONFIDENTIALITY Who is an illegal user? CSP? Employees? Use privilege management Implementation often incomplete (Fully) holomorphic encryption Seite 9

10 TABLE OF CONTENTS Introduction App Server Storage Network / Location Seite 10

11 HOSTING Shared or dedicated Servers? Patch management of the VMs, especially in the shared environment? Patch management of the servers and VM hosts? Linux kernel updates? Network separation of VMs and servers? Who maintains security updates for application images, used in creation of a new VM? Seite 11

12 HOSTING Side-channel attacks on other VMs This years pwn2own competition showed a successful exploitation of a Vmware host just by visiting a webpage with Windows Edge browser Also a guest-to-host Vmware Workstation exploit was shown on pwn2own 2017 Another guest-to-host exploit for Vmware was fixed and published in March 2017 Guest-to-host exploits exist for every hypervisor, and regular security updates are a must in cloud security Mitigation is possible through ACLs on the host and implementation of new technologies, such as RAM based encryption Seite 12

13 TABLE OF CONTENTS Introduction App Server Storage Network / Location Seite 13

14 DATA PERSISTENCY What happens with deleted data in the cloud? Backups can be both a blessing and a curse Change of cloud provider: Is really everything securely deleted? Seite 14

15 ENCRYPTION Storage encryption Standardized vs. proprietary encryption schemes Data encryption Client-side encryption/decryption with own keys possible? Key management Who owns which keys? Seite 15

16 TABLE OF CONTENTS Introduction App Server Storage Network / Location Seite 16

17 LOCATION Where is the server located? Which is the local law and who can get access to the data center according to it? Seite 17

18 LEGAL REGULATIONS Does the cloud provider comply with: Swiss Data Protection Act Swiss Federal Data Protection Ordinance Is it allowed to transfer data outside of Switzerland? Seite 18

19 OFFLINE What happens if the cloud is offline? One hour, one day, one week Failures in the connection between company and cloud can occure in many places Construction site cutes the internet cable of your company Floods, landslide, other catastrophes damage internet cable Seite 19

20 REFERENCES Flaticon.com for the icons Gregor Cresnar Smartline Smashicons Scanzoni, J. (1979). Social exchange and behavioral interdependence. In R. L. Burgess & T. L. Huston (Eds.), Social exchange in developing relationships. New York: Academic Cloud Security and Privacy by Tim Mather, Subra Kumarswamy and Shahed Latif ISBN Seite 20

21 Seite 21