2 SG 13 Regional Workshop for Africa on Saving, Security & Virtualization”

2nd SG 13 Regional Workshop for Africa on
“Future Networks: Cloud Computing, Energy
Saving, Security & Virtualization”
(Tunis, Tunisia, 28 April 2014)
Security Issues for Cloud and Future
Noureddine Boudriga,
Director CN&S, University of Carthage
Tunis, Tunisia, 28 April 2014
Talk Objectives
Present a discussion of common
fundamental challenges and
issues/characteristics of cloud computing
and future networks
Identify security and privacy issues
challenging future networks
Discuss approaches to address the
security issues
Explain the need for a new security
Tunis, Tunisia, 28 April 2014
Security Issues in Cloud Computing
Security and Privacy Issues in Future
Security Solutions
Towards new security engineering
Global Cybersecurity
Tunis, Tunisia, 28 April 2014
1. Introduction
“Cloud computing is a model for enabling
convenient, on-demand network access to
a shared pool of configurable computing
resources” (NIST)
Attributes: Rapid deployment, Low startup
costs/ capital investments, Costs based on
utilization or subscription, Multi-tenant
sharing of services/resources
Characteristics: On demand service,
Ubiquitous network access, Location
independent resource pooling, Rapid
Tunis, Tunisia, 28 April 2014
Introduction: Cloud and FN Models
Delivery Models:
SaaS, PaaS, and IaaS, for cloud
Service Delivery workflows and control,
services’ Brokering and composition, and
Flow and Content mapping to Services, for
Deployment Models: Private, Community,
Public, Hybrid
Management Models: Self-managed or 3rd
party managed (e.g. public clouds, VPN/C)
Tunis, Tunisia, 28 April 2014
Introduction: features
Common features: massive concentration
of shared resources and an important
emergence of risk, since any loss from a
single breach can significantly affect larger
Additional features for FNs: a massive
data to transmit, a massive traffic to
relay, a large node mobility
Hidden concepts: network topology,
perimeter, traffic granularity.
Tunis, Tunisia, 28 April 2014
2. Security Issues in Cloud Computing
Notorious threats include:
Data Breaches, Data Loss, Account or Service
Traffic Hijacking, Insecure Interfaces and APIs,
Denial of Service
Malicious Insiders, Abuse of Cloud, Services
Insufficient due Diligence, Shared Technology
Most security problems stem from: Loss of
control, weak trust relationships, and Multitenancy.
Problems exist mainly with 3rd party
management models. Little involvement of the
Tunis, Tunisia, 28 April 2014
Security issues: loss of control
Data, applications, and resources are
located within the provider controlled
Customer identity management is handled
by the cloud. Cyustomer access control
rules, security policies, and enforcement
are managed by the cloud provider
Consumer relies on provider to address:
Data security and Privacy, Resource
availability control, Monitoring of
resources, and Repairing.
Tunis, Tunisia, 28 April 2014
Security issues: weak trust
Trust relationships at any point of the
delivery chain may be weak due to the loss of
control in passing sensitive data
Trust along the delivery chain from customer
to cloud providers may be non transitive due
to the lack transparency
The lack of consensus about what trust
management techniques should be utilized
for cloud environments
Standardized trust models are needed; but,
none of trust models related to data is
Tunis, Tunisia, 28 April 2014
Security issues: Multi-tenancy
Conflict between tenants’ opposing goals
and goals
Tenants can share pools of resources and
apply conflicting rules
Limited efficiency techniques to provide
separation/interoperation between tenants
Cloud Computing brings new threats
Multiple independent users share the same
physical infrastructure
Attackers can legitimately be managed by
the same physical machine as their target
Tunis, Tunisia, 28 April 2014
3. Security and Privacy Issues in FNs
Availability: Questions about what happens for
customer critical systems/data, if the provider
is attacked or when it goes out of business.
Confidentiality: Questions about whether the
sensitive/private data stored (on a cloud, for
instance) remain confidential, and about
leaking of confidential customer information
Integrity: Questions about How the cloud/FN
provider performs correctly integrity
computations, and How the cloud provider
really stores user data without altering it.
Tunis, Tunisia, 28 April 2014
Security and Privacy issues
Massive data mining: Providers store data from
a large number of customers, and run data
mining algorithms to retrieve large amounts of
New classes of harmful attacks: Attackers can
target the communication link between
provider and customer, and Provider
employees can be phished
Digital forensics: Audit data and forensics are
hard to perform since customers don’t
maintain data locally.
Legal and transitive trust issues: Who is
responsible for complying with regulations.
Tunis, Tunisia, 28 April 2014
Security and privacy issues in FNs
AT the customer side, an attacker can Learn
passwords/authentication information and
gain control of the VMs, if any
At the provider side, an attacker can Log
customer communication, read non encrypted
data, look into VMs, make copies of VMs, or
monitor network communication and
application patterns.
External attackers can Listen to network
traffic, Insert malicious traffic, Investigate
(cloud) structure, or launch DoS, Intrusion,
and Network analysis.
Tunis, Tunisia, 28 April 2014
4. Security solutions
Minimize Loss of Control
Activity Monitoring (e.g. payment,
delegation, usage, and storage control)
Access control and interoperation
Minimize the weakness of Trust relationships
Security Policy (description language, policy
validation, and conflict mgt)
Certification infrastructure (integrity and
Identity Management, Coordination and
interoperation of Multi-tenancy
Tunis, Tunisia, 28 April 2014
Security solutions: Monitoring
Provide mechanisms that enable the
providers to act on the attacks they can
infrastructure remapping and fault repairing
shutting down offending components or
Provide mechanisms that enable the
consumer to act on attacks targeting
Risk-adaptable Access Control
Provide ability to move the user’s application
to another provider
Tunis, Tunisia, 28 April 2014
Security solutions: Identity
IdM in traditional application-centric model
assumes each application to keep track of
identifying information of its users.
Existing systems assume the availability of
a trusted third party.
Users have multiple accounts associated
with multiple service providers (in cloud).
Sharing sensitive identity information
between services can lead to undesirable
mapping of the identities to the user.
Tunis, Tunisia, 28 April 2014
Security solutions: goals for IdM
Authenticate without disclosing identifying
Ability to securely use a service while on
an untrusted host (VM on the cloud)
Minimal disclosure and minimized risk of
disclosure during communication between
user and service provider (Man in the
Middle, Side Channel and Correlation
Protection of Identity Information in Cloud
and FNs without Trusted Third Party
Tunis, Tunisia, 28 April 2014
5. Towards new security engineering
Challenges: techniques for:
Identifying cloud security-critical assets and
evaluating the costs of their breaches.
Identifying potential future network security
threats and evaluating their feasibility.
Identifying feasible (cloud) protections &
countermeasures and evaluate their adequacy
Verifying proper implementation, security
policy, and investigating incidents
Modelling threats and developing a useful
framework for security measurement.
Tunis, Tunisia, 28 April 2014
Towards new security engineering
Major tasks to perform:
Design and analysis of robust security solution;
Estimate solution costs, risk evolution
Build techniques coping with “infinity”
Tools for the analysis of robustness.
Major models to provide:
Security policy models
Threat evolutionary modeling
Verification, validation models
Visibility modeling.
Tunis, Tunisia, 28 April 2014
6. Security Cybersecurity: challenges
Security breaches will be constant
Password-based security will become
essentially useless. Most services should offer
a multi-factor authentication capability
Mobile (smartphones) are used by people
with minimal technical skill, virtually no
attention to security.
Cloud failures will result in substantial data
loss. Security-as-a-Service becomes a new
cloud market.
Nation-state cyberwar escalates. Rogue
nations use cybercrime
Tunis, Tunisia, 28 April 2014
Global Cybersecurity: Objectives
To create an assurance framework for design
of security policies and promotion and
enabling actions for compliance to global
security standards
To strengthen the Regulatory Framework for
To create workforce of skilled professionals
To enable Protection of information while in
process, handling, storage & transit
To enable effective prevention, investigation
and prosecution of cybercrimes
Tunis, Tunisia, 28 April 2014
GCS: Security factors limiting cloud
and FN usage in Africa
IT experts estimate an 80 infection rate on
all PCs continent-wide (in Africa) including
government computers.
As internet and cloud penetration increases
across Africa, so does the risk of
sophisticated cyber-attacks, threatening
African nations' security
Increasing bandwidth and use of wireless
Lack of cyber security awareness. Ineffec-tive
legislation and policies, Insufficient operator
Tunis, Tunisia, 28 April 2014
Cloud computing is evolving and
future networks are merging
Need for a new role for SPs and
network oprators, as part of Cyber
Security ecosystem.
Need Extend the role of Computing
incident Response Team
Tunis, Tunisia, 28 April 2014