Cloud Computing Security and

Management

Unit I: Security Overview

Typical Cloud Clou
d API

m m m m m
m m m m m 1 2 3 4 5
1 2 3 4 5 m m m m m
1 2 3 4 5
hypervisor
hypervisor
hypervisor
hw
m m m m m
hw hw
1 2 3 4 5
m m m m m
1 2 3 4 5
hypervisor

hypervisor
hw m m m m m
m m m m m 1 2 3 4 5 hw
1 2 3 4 5
m m m m m hypervisor
1 2 3 4 5 hypervisor
hw
hypervisor hw
hw
Typical Server Virtualization Deployment
Win 2003 Win 2008 Redhat Ubuntu
A A A A A A A A A A A A
p p p p p p p p p p p p
p p p p p p p p p p p p
A A A A A A A A A A A A
M
p p p p p p p p p p p p
a
p p p p p p p p p p p p
n
a
g
e
m OS OS OS OS
e
n
t

Hypervisor

Hardware
Typical VDI Deployment
desktop desktop desktop desktop desktop desktop

Dom0
OS OS OS OS OS OS

Enterprise Hypervisor
Hardware

Thin client
Thin client

Thin client Thin client Thin client Thin client

Cloud Computing Background
• Features
• Use of internet-based services to support business process
• Rent IT-services on a utility-like basis
• Attributes
• Rapid deployment
• Low startup costs/ capital investments
• Costs based on usage or subscription
• Multi-tenant sharing of services/ resources
• Essential characteristics
• On demand self-service
• Ubiquitous network access
• Location independent resource pooling
• Rapid elasticity
• Measured service
• “Cloud computing is a compilation of existing techniques and technologies, packaged within a new
infrastructure paradigm that offers improved scalability, elasticity, business agility, faster startup time, reduced
management costs, and just-in-time availability of resources”

From [1] NIST

A Massive Concentration of
Resources
• Also a massive concentration of risk
• expected loss from a single breach can be significantly larger
• concentration of “users” represents a concentration of threats
• “Ultimately, you can outsource responsibility but you can’t outsource
accountability.”

From [2] John McDermott, ACSAC 09

If cloud computing is so great,
why isn’t everyone doing it?
• The cloud acts as a big black box, nothing inside the cloud is visible to
the clients
• Clients have no idea or control over what happens inside a cloud
• Even if the cloud provider is honest, it can have malicious system
admins who can tamper with the VMs and violate confidentiality and
integrity
• Clouds are still subject to traditional data confidentiality, integrity,
availability, and privacy issues, plus some additional attacks

10
Cloud Computing: who should use it?
• Cloud computing definitely makes sense if your own security is weak,
missing features, or below average.
• Ultimately, if
• the cloud provider’s security people are “better” than yours (and
leveraged at least as efficiently),
• the web-services interfaces don’t introduce too many new
vulnerabilities, and
• the cloud provider aims at least as high as you do, at security
goals,
then cloud computing has better security.

From [2] John McDermott, ACSAC 09

5 Essential Cloud Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
• Location independence
• Rapid elasticity
• Measured service

12
3 Cloud Service Models
• Cloud Software as a Service (SaaS)
• Use provider’s applications over a network
• Cloud Platform as a Service (PaaS)
• Deploy customer-created applications to a cloud
• Cloud Infrastructure as a Service (IaaS)
• Rent processing, storage, network capacity, and other
fundamental computing resources

• To be considered “cloud” they must be deployed on top

of cloud infrastructure that has the key characteristics

13
Service Model Architectures
Cloud Infrastructure Cloud Infrastructure Cloud Infrastructure
IaaS Software as a Service
PaaS PaaS (SaaS)
SaaS SaaS SaaS Architectures

Cloud Infrastructure Cloud Infrastructure

IaaS Platform as a Service (PaaS)
PaaS PaaS Architectures

Cloud Infrastructure
IaaS Infrastructure as a Service (IaaS)
Architectures

14
Cloud Models
• Delivery Models
• SaaS
• PaaS
• IaaS
• Deployment Models
• Private cloud
• Community cloud
• Public cloud
• Hybrid cloud
• We propose one more Model: Management Models (trust and tenancy
issues)
• Self-managed
• 3rd party managed (e.g. public clouds and VPC)
From [1] NIST
Delivery Models

While cloud-based software services are maturing,

Cloud platform and infrastructure offering are still in their early stages !
From [6] Cloud Security and Privacy by Mather and Kumaraswamy 16
Impact of cloud computing on the
governance structure of IT organizations

17
From [6] Cloud Security and Privacy by Mather and Kumaraswamy
4 Cloud Deployment Models
• Private cloud
• enterprise owned or leased
• Community cloud
• shared infrastructure for specific community
• Public cloud
• Sold to the public, mega-scale infrastructure
• Hybrid cloud
• composition of two or more clouds

18
Four Deployment Models
Four Deployment Models
Four Deployment Models
Four Deployment Models
Common Cloud Characteristics
• Cloud computing often leverages:
• Massive scale
• Homogeneity
• Virtualization
• Resilient computing
• Low cost software
• Geographic distribution
• Service orientation
• Advanced security technologies

23
Overview of Cloud Security
• Some key issues:
• trust, multi-tenancy, encryption, compliance
• Clouds are massively complex systems can be reduced to simple
primitives that are replicated thousands of times and common
functional units
• Cloud security is a tractable problem
• There are both advantages and challenges

Former Intel CEO, Andy Grove: “only the paranoid survive”

25
Is Cloud Computing Secure?
• For most organizations, the journey to cloud is no longer a question of “if”
but rather “when”, and a large number of enterprises have already
travelled some way down this path.
• Is cloud computing secure?
• A simple answer is: Yes, if you approach cloud in the right way, with the
correct checks and balances to ensure all necessary security and risk
management measures are covered.

26
Is Cloud Computing Secure?

• Companies ready to adopt cloud services are right to place security at the top of
their agendas.

• the consequences of getting your cloud security strategy wrong could not be more
serious.

• As many unwary businesses have found to their cost in recent high-profile cases, a
single cloud-related security breach can result in an organization severely
damaging its reputation – or, worse, the entire business being put at risk.
27
Is Cloud Computing Secure?
• Those further along their cloud path are finding that, like all forms of
information security, the question boils down to effective risk management.
we outlined the different layers in the cloud services stack:
• Infrastructure-as-a-Service (IaaS)
• Platform-as-a-Service (PaaS)
• Software-as-a-Service (SaaS)
• Business Process-as-a-Service (BPaaS).
• These layers – and their associated standards, requirements and solutions –
are all at different levels of maturity.
28
Is Cloud Computing Secure?
• The world of business is becoming more uncertain, as with new system
architectures come new cyber threats. No longer can the mechanisms
deployed in the past be relied on for protection”
--Nick Gaines, Group IS Director, Volkswagen UK

• Different types of cloud have different security characteristics. The table in

next page shows a simple comparison. (The number of stars indicates how
suitable each type of cloud is for each area.)
• We choose to characterize these types as private, public and community
clouds – or “hybrid” to refer to a combination of approaches.
29
Security Issues
• Hypervisor is the underlying component of all these architectures. It is a new
layer which needs to be protected
• Scale of deployments – Just the sheer scale of deployments make this a security
nightmare. Imagine 150 machines running a simultaneous scheduled AV scan on
the same physical host. Chokes IO/Disk bandwidth.
• Isolation - Machines of a company and its competitor could be running on the
same physical machine. Insufficient isolation could lead to disaster
• New API’s to access Virtualization/Cloud services. Bugs in these could lead to
compromise of entire infrastructure.
Sample Hypervisor Security Issues
• CVE-2007-4496, CVE-2007-4497 – ESX3.01, guest operating system
can cause buffer overflow and arbitrary code execution in the host
• CVE-2007-0948 – Virtual PC – Heap overflow which could cause
arbitrary privilege escalation
• CVE-2007-4993 – Xen 3.0.3 – User can escape to domain0 via
grub.conf and pygrub
Security Issues – Why?
• Hypervisors are written by humans. They have bugs –
typically buffer overflows
• Hypervisor are complex – Xen is about 300K source
lines of code
• Complete isolation is hard – Most systems don’t have
IOMMU’s which make it possible to DMA to arbitrary
physical memory
• Compromised Domain0 on Xen pretty much means a
hosed hypervisor. Domain0 runs commodity OS’s
which could have bugs.
Security Issues – Why?
• DMA is a big problem on non IOMMU based systems:
• Xen can setup DMA
• Dom0 can setup DMA
• Driver domains can setup DMA
• The range of physical addresses is not verified
• IOMMU based systems can restrict the range of
addresses but they are not present in commodity
hardware
• There are some techniques to even bypass IOMMU
checks
Security Solutions
• Trusted hypervisor
• Hyperguard – Phoenix Technologies – A hypervisor integrity scanner in SMM.
• Deepwatch – Intel project – Virtualization rootkit scanner
• Domain 0 Hardening – Various security solutions to white-list and
harden Dom0
Security Opportunities
• New breed of security products is now possible to protect guest OS’s
from being hijacked
• Hypervisor based security suites cannot be detected by malware
running in the guest
• Hypervisors allow introspection of very early boot sequences of the
guest, thereby making possible an entire need breed of BIOS rootkit
and kernel rootkit scanners
Security Opportunities
• API’s like VMSAFE from VMWare allow introspection of interesting
system events in the guests
• These events can then be processed on a dedicated security appliance
• These events include CPU state monitoring, page faults,
memory/register accesses, File-system events, network events etc.
Security Risks
• Organizations with defined controls for externally sourced services or access to IT risk-assessment
capabilities should still apply these to aspects of cloud services where appropriate.

• But while many of the security risks of cloud overlap with those of outsourcing and offshoring, there
are also differences that organizations need to understand and manage.

“When adopting cloud services, there are four key considerations:

1. Where is my data?
2. How does it integrate?
3. What is my exit strategy?
4. What are the new security issues?”
--Tony Mather, CIO, Clear Channel International
37
Security Risks
• Processing sensitive or business-critical data outside the enterprise introduces a level of risk
because any outsourced service bypasses an organization's in-house security controls. With cloud,
however, it is possible to establish compatible controls if the provider offers a dedicated service.
An organisation should ascertain a provider’s position by asking for information about the control
and supervision of privileged administrators.
• Organizations using cloud services remain responsible for the security and integrity of their own
data, even when it is held by a service provider. Traditional service providers are subject to
external audits and security certifications. Cloud providers may not be prepared to undergo the
same level of scrutiny.
• When an organisation uses a cloud service, it may not know exactly where its data resides or
have any ability to influence changes to the location of data.
38
Security Risks
• Most providers store data in a shared environment. Although this may be segregated from
other customers’ data while it’s in that environment, it may be combined in backup and archive
copies. This could especially be the case in multi-tenanted environments.
• Companies should not assume service providers will be able to support electronic discovery,
or internal investigations of inappropriate or illegal activity. Cloud services are especially difficult
to investigate because logs and data for multiple customers may be either co-located or spread
across an ill-defined and changing set of hosts.
• Organisations need to evaluate the long-term viability of any cloud provider. They should
consider the consequences to service should the provider fail or be acquired, since there will be far
fewer readily identifiable assets that can easily be transferred in-house or to another provider.

39
Cloud Security Simplified

• As with all coherent security strategies, cloud security can seem dauntingly complex, involving many different

aspects that touch all parts of an organization.

• CIOs and their teams need to plot effective management strategies as well as understand the implications for

operations and technology.

• we outline the key considerations.

• Management

• Operation
40
• Technology
Cloud Security Simplified
• Management
1. Updated security policy
2. Cloud security strategy
3. Cloud security governance
4. Cloud security processes
5. Security roles & responsibilities
6. Cloud security guidelines
7. Cloud security assessment
8. Service integration
9. IT & procurement security requirements
10. Cloud security management
41
Cloud Security Simplified
• Operation
1. Awareness & training
2. Incident management
3. Configuration management
4. Contingency planning
5. Maintenance
6. Media protection
7. Environmental protection
8. System integrity
9. Information integrity
10. Personnel security
42
Cloud Security Simplified
• Technology
1. Access control
2. System protection
3. Identification
4. Authentication
5. Cloud security audits
6. Identity & key management
7. Physical security protection
8. Backup, recovery & archive
9. Core infrastructure protection
10. Network protection
43
General Security Advantages

• Shifting public data to a external cloud reduces the exposure of the

internal sensitive data
• Cloud homogeneity makes security auditing/testing simpler
• Clouds enable automated security management
• Redundancy / Disaster Recovery

44
Cloud Security Advantages

• Data Fragmentation and Dispersal

• Dedicated Security Team
• Greater Investment in Security Infrastructure
• Fault Tolerance and Reliability
• Greater Resiliency
• Hypervisor Protection Against Network Attacks
• Possible Reduction of C&A Activities (Access to Pre-
Accredited Clouds)

45
Cloud Security Advantages

• Simplification of Compliance Analysis

• Data Held by Unbiased Party (cloud vendor assertion)
• Low-Cost Disaster Recovery and Data Storage
Solutions
• On-Demand Security Controls
• Real-Time Detection of System Tampering
• Rapid Re-Constitution of Services
• Advanced Honeynet Capabilities

46
General Security Challenges
• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Obtaining support for investigations
• Indirect administrator accountability
• Proprietary implementations can’t be examined
• Loss of physical control

47
Cloud Security Challenges

• Data dispersal and international privacy laws

• EU Data Protection Directive and U.S. Safe Harbor program
• Exposure of data to foreign government and data subpoenas
• Data retention issues
• Need for isolation management
• Multi-tenancy
• Logging challenges
• Data ownership issues
• Quality of service guarantees
48
Cloud Security Challenges

• Dependence on secure hypervisors

• Attraction to hackers (high value target)
• Security of virtual OSs in the cloud
• Possibility for massive outages
• Encryption needs for cloud computing
• Encrypting access to the cloud resource control interface
• Encrypting administrative access to OS instances
• Encrypting access to applications
• Encrypting application data at rest
• Public cloud vs internal cloud security
• Lack of public SaaS version control 49
Security Relevant Cloud Components

• Cloud Provisioning Services

• Cloud Data Storage Services
• Cloud Processing Infrastructure
• Cloud Support Services
• Cloud Network and Perimeter Security

• Elastic Elements: Storage, Processing, and Virtual Networks

50
Provisioning Service
• Advantages
• Rapid reconstitution of services
• Enables availability
• Provision in multiple data centers / multiple instances
• Advanced honey net capabilities
• Challenges
• Impact of compromising the provisioning service

51
Data Storage Services
• Advantages
• Data fragmentation and dispersal
• Automated replication
• Provision of data zones (e.g., by country)
• Encryption at rest and in transit
• Automated data retention
• Challenges
• Isolation management / data multi-tenancy
• Storage controller
• Single point of failure / compromise?
• Exposure of data to foreign governments
53
Cloud Processing Infrastructure
• Advantages
• Ability to secure masters and push out secure images
• Challenges
• Application multi-tenancy
• Reliance on hypervisors
• Process isolation / Application sandboxes

64
Cloud Support Services
• Advantages
• On demand security controls (e.g., authentication, logging, firewalls…)
• Challenges
• Additional risk when integrated with customer applications
• Needs certification and accreditation as a separate application
• Code updates

65
Cloud Network and Perimeter Security
• Advantages
• Distributed denial of service protection
• VLAN capabilities
• Perimeter security (IDS, firewall, authentication)
• Challenges
• Virtual zoning with application mobility

66
Causes of Problems Associated
with Cloud Computing
• Most security problems stem from:
• Loss of control
• Lack of trust (mechanisms)
• Multi-tenancy
• These problems exist mainly in 3rd party management models
• Self-managed clouds still have security issues, but not related to above
Loss of Control in the Cloud
• Consumer’s loss of control
• Data, applications, resources are located with provider
• User identity management is handled by the cloud
• User access control rules, security policies and enforcement are managed by
the cloud provider
• Consumer relies on provider to ensure
• Data security and privacy
• Resource availability
• Monitoring and repairing of services/resources
Lack of Trust in the Cloud
• A brief deviation from the talk
• (But still related)
• Trusting a third party requires taking risks
• Defining trust and risk
• Opposite sides of the same coin (J. Camp)
• People only trust when it pays (Economist’s view)
• Need for trust arises only in risky situations
• Defunct third party management schemes
• Hard to balance trust and risk
• e.g. Key Escrow (Clipper chip)
• Is the cloud headed toward the same path?
Multi-tenancy Issues in the Cloud
• Conflict between tenants’ opposing goals
• Tenants share a pool of resources and have opposing goals
• How does multi-tenancy deal with conflict of interest?
• Can tenants get along together and ‘play nicely’ ?
• If they can’t, can we isolate them?
• How to provide separation between tenants?

• Cloud Computing brings new threats

• Multiple independent users share the same physical infrastructure
• Thus an attacker can legitimately be in the same physical machine as the target
Taxonomy of Fear
• Confidentiality
• Fear of loss of control over data
• Will the sensitive data stored on a cloud remain confidential?
• Will cloud compromises leak confidential client data
• Will the cloud provider itself be honest and won’t peek into the data?
• Integrity
• How do I know that the cloud provider is doing the computations correctly?
• How do I ensure that the cloud provider really stored my data without
tampering with it?

From [5] www.cs.jhu.edu/~ragib/sp10/cs412

71
Taxonomy of Fear (cont.)
• Availability
• Will critical systems go down at the client, if the provider is attacked in a
Denial of Service attack?
• What happens if cloud provider goes out of business?
• Would cloud scale well-enough?
• Often-voiced concern
• Although cloud providers argue their downtime compares well with cloud user’s own
data centers

From [5] www.cs.jhu.edu/~ragib/sp10/cs412

72
Taxonomy of Fear (cont.)
• Privacy issues raised via massive data mining
• Cloud now stores data from a lot of clients, and can run data mining
algorithms to get large amounts of information on clients
• Increased attack surface
• Entity outside the organization now stores and computes data, and so
• Attackers can now target the communication link between cloud provider and
client
• Cloud provider employees can be phished

From [5] www.cs.jhu.edu/~ragib/sp10/cs412

73
Taxonomy of Fear (cont.)
• Auditability and forensics (out of control of data)
• Difficult to audit data held outside organization in a cloud
• Forensics also made difficult since now clients don’t maintain data locally
• Legal quagmire and transitive trust issues
• Who is responsible for complying with regulations?
• e.g., SOX, HIPAA, GLBA ?
• If cloud provider subcontracts to third party clouds, will the data still be
secure?

From [5] www.cs.jhu.edu/~ragib/sp10/cs412

74
Taxonomy of Fear (cont.)
Cloud Computing is a security
nightmare and it can't be handled
in traditional ways.
John Chambers
CISCO CEO

• Security is one of the most difficult task to implement in

cloud computing.
• Different forms of attacks in the application side and in the
hardware components
• Attacks with catastrophic effects only needs one security
flaw
(http://www.exforsys.com/tutorials/cloud-computing/cloud-computing-security.html)
75
Threat Model
• A threat model helps in analyzing a security problem,
design mitigation strategies, and evaluate solutions
•Steps:
• Identify attackers, assets, threats and other components
• Rank the threats
• Choose mitigation strategies
• Build solutions based on the strategies

From [5] www.cs.jhu.edu/~ragib/sp10/cs412

76
Threat Model
• Basic components
• Attacker modeling
• Choose what attacker to consider
• insider vs. outsider?
• single vs. collaborator?
• Attacker motivation and capabilities
• Attacker goals
• Vulnerabilities / threats

From [5] www.cs.jhu.edu/~ragib/sp10/cs412

77
What is the issue?
• The core issue here is the levels of trust
• Many cloud computing providers trust their customers
• Each customer is physically commingling its data with data from anybody else
using the cloud while logically and virtually you have your own space
• The way that the cloud provider implements security is typically focused on
they fact that those outside of their cloud are evil, and those inside are good.
• But what if those inside are also evil?

From [5] www.cs.jhu.edu/~ragib/sp10/cs412

78
Attacker Capability: Malicious Insiders
• At client
• Learn passwords/authentication information
• Gain control of the VMs
• At cloud provider
• Log client communication
• Can read unencrypted data
• Can possibly peek into VMs, or make copies of VMs
• Can monitor network communication, application patterns
• Why?
• Gain information about client data
• Gain information on client behavior
• Sell the information or use itself

From [5] www.cs.jhu.edu/~ragib/sp10/cs412

79
Attacker Capability: Outside attacker

• What?
• Listen to network traffic (passive)
• Insert malicious traffic (active)
• Probe cloud structure (active)
• Launch DoS
• Goal?
• Intrusion
• Network analysis
• Man in the middle
• Cartography
From [5] www.cs.jhu.edu/~ragib/sp10/cs412

80
Challenges for the attacker
• How to find out where the target is located?
• How to be co-located with the target in the same
(physical) machine?
• How to gather information about the target?

From [5] www.cs.jhu.edu/~ragib/sp10/cs412

81
Infrastructure Security
• Network Level
• Host Level
• Application Level

82
The Network Level
• Ensuring confidentiality and integrity of your organization’s data-in-
transit to and from your public cloud provider
• Ensuring proper access control (authentication, authorization, and
auditing) to whatever resources you are using at your public cloud
provider
• Ensuring availability of the Internet-facing resources in a public cloud
that are being used by your organization, or have been assigned to
your organization by your public cloud providers
• Replacing the established model of network zones and tiers with
domains From [6] Cloud Security and Privacy by Mather and Kumaraswamy

83
The Network Level - Mitigation
• Note that network-level risks exist regardless of what aspects of
“cloud computing” services are being used
• The primary determination of risk level is therefore not which *aaS is
being used,
• But rather whether your organization intends to use or is using a
public, private, or hybrid cloud.

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

84
The Host Level
• SaaS/PaaS
• Both the PaaS and SaaS platforms abstract and hide the host OS from end
users
• Host security responsibilities are transferred to the CSP (Cloud Service
Provider)
• You do not have to worry about protecting hosts
• However, as a customer, you still own the risk of managing information hosted
in the cloud services.

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

85
Local Host Security
• Are local host machines part of the cloud infrastructure?
• Outside the security perimeter
• While cloud consumers worry about the security on the cloud provider’s site, they may easily
forget to harden their own machines
• The lack of security of local devices can
• Provide a way for malicious services on the cloud to attack local networks through these
terminal devices
• Compromise the cloud and its resources for other users
Local Host Security (Cont.)
• With mobile devices, the threat may be even stronger
• Users misplace or have the device stolen from them
• Security mechanisms on handheld gadgets are often times insufficient compared to say, a
desktop computer
• Provides a potential attacker an easy avenue into a cloud system.
• If a user relies mainly on a mobile device to access cloud data, the threat to availability is also
increased as mobile devices malfunction or are lost
• Devices that access the cloud should have
• Strong authentication mechanisms
• Tamper-resistant mechanisms
• Strong isolation between applications
• Methods to trust the OS
• Cryptographic functionality when traffic confidentiality is required

87
The Application Level
• DoS
• EDoS(Economic Denial of Sustainability)
• An attack against the billing model that underlies the cost of providing a
service with the goal of bankrupting the service itself.
• End user security
• Who is responsible for Web application security in the cloud?
• SaaS/PaaS/IaaS application security
• Customer-deployed application security
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

88
Data Security and Storage
• Several aspects of data security, including:
• Data-in-transit
• Confidentiality + integrity using secured protocol
• Confidentiality with non-secured protocol and encryption
• Data-at-rest
• Generally, not encrypted , since data is commingled with other users’ data
• Encryption if it is not associated with applications?
• But how about indexing and searching?
• Then homomorphic encryption vs. predicate encryption?
• Processing of data, including multitenancy
• For any application to process data, not encrypted

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

89
Data Security and Storage (cont.)
• Data lineage
• Knowing when and where the data was located w/i cloud is
important for audit/compliance purposes
• e.g., Amazon AWS
• Store <d1, t1, ex1.s3.amazonaws.com>
• Process <d2, t2, ec2.compute2.amazonaws.com>
• Restore <d3, t3, ex2.s3.amazonaws.com>
• Data provenance
• Computational accuracy (as well as data integrity)
• E.g., financial calculation: sum ((((2*3)*4)/6) -2) = $2.00 ?
• Correct : assuming US dollar
• How about dollars of different countries?
• Correct exchange rate?

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

90
Data Security and Storage
• Data remanence
• Inadvertent disclosure of sensitive information is possible
• Data security mitigation?
• Do not place any sensitive data in a public cloud
• Encrypted data is placed into the cloud?
• Provider data and its security: storage
• To the extent that quantities of data from many companies are centralized, this collection
can become an attractive target for criminals
• Moreover, the physical security of the data center and the trustworthiness of system
administrators take on new importance.

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

91
What is Privacy?
• The concept of privacy varies widely among (and sometimes within) countries, cultures,
and jurisdictions.
• It is shaped by public expectations and legal interpretations; as such, a concise definition
is elusive if not impossible.
• Privacy rights or obligations are related to the collection, use, disclosure, storage, and
destruction of personal data (or Personally Identifiable Information—PII).
• At the end of the day, privacy is about the accountability of organizations to data subjects,
as well as the transparency to an organization’s practice around personal information.

From [6] Cloud Security and Privacy by Mather and Kumaraswamy 92

What Are the Key Privacy Concerns?
• Typically mix security and privacy
• Some considerations to be aware of:
• Storage
• Retention
• Destruction
• Auditing, monitoring and risk management
• Privacy breaches
• Who is responsible for protecting privacy?

From [6] Cloud Security and Privacy by Mather and Kumaraswamy 93

Storage
• Is it commingled with information from other organizations that use
the same CSP?
• The aggregation of data raises new privacy issues
• Some governments may decide to search through data without necessarily
notifying the data owner, depending on where the data resides
• Whether the cloud provider itself has any right to see and access
customer data?
• Some services today track user behaviour for a range of purposes,
from sending targeted advertising to improving services

From [6] Cloud Security and Privacy by Mather and Kumaraswamy 94

Retention
• How long is personal information (that is transferred to the cloud)
retained?
• Which retention policy governs the data?
• Does the organization own the data, or the CSP?
• Who enforces the retention policy in the cloud, and how are
exceptions to this policy (such as litigation holds) managed?

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

95
Destruction
• How does the cloud provider destroy PII at the end of the retention
period?
• How do organizations ensure that their PII is destroyed by the CSP at the
right point and is not available to other cloud users?
• Cloud storage providers usually replicate the data across multiple
systems and sites—increased availability is one of the benefits they
provide.
• How do you know that the CSP didn’t retain additional copies?
• Did the CSP really destroy the data, or just make it inaccessible to
the organization?
• Is the CSP keeping the information longer than necessary so that it
can mine the data for its own use?

From [6] Cloud Security and Privacy by Mather and Kumaraswamy 96

Auditing, monitoring and risk management
• How can organizations monitor their CSP and provide assurance to
relevant stakeholders that privacy requirements are met when their PII
is in the cloud?
• Are they regularly audited?
• What happens in the event of an incident?
• If business-critical processes are migrated to a cloud computing
model, internal security processes need to evolve to allow multiple
cloud providers to participate in those processes, as needed.
• These include processes such as security monitoring, auditing, forensics,
incident response, and business continuity
From [6] Cloud Security and Privacy by Mather and Kumaraswamy 97
Privacy breaches
• How do you know that a breach has occurred?
• How do you ensure that the CSP notifies you when a breach occurs?
• Who is responsible for managing the breach notification process (and
costs associated with the process)?
• If contracts include liability for breaches resulting from negligence of
the CSP?
• How is the contract enforced?
• How is it determined who is at fault?

From [6] Cloud Security and Privacy by Mather and Kumaraswamy 98

Who is responsible for protecting privacy?

• Data breaches have a cascading effect

• Full reliance on a third party to protect personal data?
• In-depth understanding of responsible data stewardship
• Organizations can transfer liability, but not accountability
• Risk assessment and mitigation throughout the data life cycle is
critical.
• Many new risks and unknowns
• The overall complexity of privacy protection in the cloud represents a bigger
challenge.

From [6] Cloud Security and Privacy by Mather and Kumaraswamy 99

Top Security Threats

• Abuse and nefarious use of cloud computing

• Insecure interfaces & API’s
• Unknown risk profile
• Malicious insiders
• Shared technology issues
• Data loss or leakage
• Account or service hijacking
Threat Mitigation
Abuse and nefarious  Stricter initial registration and validation processes.
 Enhanced credit card fraud monitoring and
use of cloud coordination.
computing  Comprehensive introspection of customer network
traffic.
 Monitoring public blacklists for one’s own network
blocks.
Insecure interfaces &  Analyze the security model of cloud provider
interfaces.
API’s  Ensure strong authentication and access controls
are
implemented in concert with encrypted transmission.
 Understand the dependency chain associated with
the API.
Unknown risk profile  Disclosure of applicable logs and data.
Partial/full disclosure of infrastructure details
 Monitoring and alerting on necessary information.
Threat Mitigation
Malicious insiders  Enforce strict supply chain management and conduct
a comprehensive supplier assessment.
 Specify human resource requirements as part of
legal contracts.
 Require transparency into overall information security
and management practices, as well as compliance
reporting.
 Determine security breach notification processes.

Shared technology  Implement security best practices for installation and

configuration.
issues  Monitor environment for unauthorized
changes/activity.
 Promote strong authentication and access control for
administrative access and operations.
 Enforce service level agreements for patching and
vulnerability remediation.
 Conduct vulnerability scanning and configuration
audits.
Threat Mitigation
Data loss or  Implement strong API access control.
leakage  Encrypt and protect integrity of data in transit.
 Analyze data protection at both design and run time.
 Implement strong key generation, storage and
management, and destruction practices.
 Contractually demand providers wipe persistent
media before it is released into the pool.
 Contractually specify provider backup and retention
strategies.
Account or  Prohibit the sharing of account credentials between
users and services.
service  Leverage strong two-factor authentication
hijacking techniques where possible.
 Employ proactive monitoring to detect unauthorized
activity.
 Understand cloud provider security policies and
SLAs.
Security Issues in the Cloud
• In theory, minimizing any of the issues would help:
• Loss of Control
• Take back control
• Data and apps may still need to be on the cloud
• But can they be managed in some way by the consumer?
• Lack of trust
• Increase trust (mechanisms)
• Technology
• Policy, regulation
• Contracts (incentives): topic of a future talk
• Multi-tenancy
• Private cloud
• Takes away the reasons to use a cloud in the first place
• VPC: its still not a separate system
• Strong separation
Security is hard – at all levels
• A prisoner was wrongly released after a fax was received
from a grocery store stating that the Kentucky Supreme
Court had demanded his release:
http://www.cnn.com/2007/US/04/21/wrongly.freed.ap/in
dex.html
Security principles
• Open design:you need all the help you can get
• Economy of mechanism: fewer things to get right
• Minimize secrets: secrets don’t remain secret
• Fail-safe defaults: most users won’t change them
• Least privilege: limit the damage of an accident
• Separation of privilege: dangerous operation should require multiple
principals
• Complete mediation: check every operation
Possible Solutions
• Minimize Lack of Trust
• Policy Language
• Certification
• Minimize Loss of Control
• Monitoring
• Utilizing different clouds
• Access control management
• Identity Management (IDM)
• Minimize Multi-tenancy

107
Minimize Lack of Trust:
Policy Language
• Consumers have specific security needs but don’t have a say-so in
how they are handled
• What the heck is the provider doing for me?
• Currently consumers cannot dictate their requirements to the provider (SLAs
are one-sided)
• Standard language to convey one’s policies and expectations
• Agreed upon and upheld by both parties
• Standard language for representing SLAs
• Can be used in a intra-cloud environment to realize overarching security
posture
Minimize Lack of Trust:
Policy Language (Cont.)
• Create policy language with the following characteristics:
• Machine-understandable (or at least processable),
• Easy to combine/merge and compare
• Examples of policy statements are, “requires isolation between VMs”,
“requires geographical isolation between VMs”, “requires physical separation
between other communities/tenants that are in the same industry,” etc.
• Need a validation tool to check that the policy created in the standard language
correctly reflects the policy creator’s intentions (i.e. that the policy language is
semantically equivalent to the user’s intentions).

109
Minimize Lack of Trust: Certification
• Certification
• Some form of reputable, independent, comparable assessment and description
of security features and assurance
• Sarbanes-Oxley, DIACAP, DISTCAP, etc (are they sufficient for a cloud
environment?)
• Risk assessment
• Performed by certified third parties
• Provides consumers with additional assurance
Minimize Loss of Control:
Monitoring
• Cloud consumer needs situational awareness for
critical applications
• When underlying components fail, what is the effect of the
failure to the mission logic
• What recovery measures can be taken (by provider and
consumer)
• Requires an application-specific run-time monitoring
and management tool for the consumer
• The cloud consumer and cloud provider have different
views of the system
• Enable both the provider and tenants to monitor the
components in the cloud that are under their control
Minimize Loss of Control:
Monitoring (Cont.)
– Provide mechanisms that enable the provider to
act on attacks he can handle.
• infrastructure remapping (create new or move
existing fault domains)
• shutting down offending components or targets
(and assisting tenants with porting if necessary
• Repairs
– Provide mechanisms that enable the consumer to
act on attacks that he can handle (application-level
monitoring).
• RAdAC (Risk-adaptable Access Control)
• VM porting with remote attestation of target
physical host
• Provide ability to move the user’s application to
another cloud
112
Minimize Loss of Control:
Utilize Different Clouds
• The concept of ‘Don’t put all your eggs in one basket’
• Consumer may use services from different clouds through an intra-cloud or multi-cloud
architecture
• Propose a multi-cloud or intra-cloud architecture in which consumers
• Spread the risk
• Increase redundancy (per-task or per-application)
• Increase chance of mission completion for critical applications
• Possible issues to consider:
• Policy incompatibility (combined, what is the overarching policy?)
• Data dependency between clouds
• Differing data semantics across clouds
• Knowing when to utilize the redundancy feature (monitoring technology)
• Is it worth it to spread your sensitive data across multiple clouds?
• Redundancy could increase risk of exposure
Minimize Loss of Control:
Access Control
• Many possible layers of access control
• E.g. access to the cloud, access to servers, access to services, access to
databases (direct and queries via web services), access to VMs, and
access to objects within a VM
• Depending on the deployment model used, some of these will be
controlled by the provider and others by the consumer
• Regardless of deployment model, provider needs to
manage the user authentication and access control
procedures (to the cloud)
• Federated Identity Management: access control management burden
still lies with the provider
• Requires user to place a large amount of trust on the provider in terms
of security, management, and maintenance of access control policies.
This can be burdensome when numerous users from different
organizations with different access control policies, are involved
Minimize Loss of Control:
Access Control (Cont.)
• Consumer-managed access control
– Consumer retains decision-making process to retain
some control, requiring less trust of the provider
(i.e. PDP is in consumer’s domain)
– Requires the client and provider to have a pre-
existing trust relationship, as well as a pre-
negotiated standard way of describing resources,
users, and access decisions between the cloud
provider and consumer. It also needs to be able to
guarantee that the provider will uphold the
consumer-side’s access decisions.
– Should be at least as secure as the traditional
access control model.
– Facebook and Google Apps do this to some degree,
but not enough control
– Applicability to privacy of patient health records
115
Minimize Loss of Control: IDM
Present IDMs
• IDM in traditional application-centric IDM model
• Each application keeps track of identifying information of its users.
• Existing IDM Systems
• Microsoft Windows CardSpace [W. A. Alrodhan]
• OpenID [http://openid.net]
• PRIME [S. F. Hubner]

These systems require a trusted third party and

do not work on an untrusted host.

If Trusted Third Party is compromised, all the identifying information of the users
is also compromised
[Latest: AT&T iPad leak]
Minimize Loss of Control: IDM
Issues in Cloud Computing
• Cloud introduces several issues to IDM
• Users have multiple accounts associated with multiple service
providers.
• Lack of trust
• Use of Trusted Third Party is not an option
• Cloud hosts are untrusted
• Loss of control
• Collusion between Cloud Services
• Sharing sensitive identity information between
services can lead to undesirable mapping of the
identities to the user.

IDM in Cloud needs to be user-centric

Minimize Loss of Control: IDM
Goals of Proposed User-Centric IDM for the Cloud
1.Authenticate without disclosing identifying information
2.Ability to securely use a service while on an untrusted
host (VM on the cloud)
3.Minimal disclosure and minimized risk of disclosure
during communication between user and service provider
(Man in the Middle, Side Channel and Correlation
Attacks)
4.Independence of Trusted Third Party
AUTHENTICATION IN
the CLOUD
Are we really safe in the cloud?
Security Problem Selected
The security problem that G Force has selected is the
authentication of different devices and users in cloud
computing.
This is an important issue all of our employers have in
common as more companies migrate to cloud
computing and they need more secure solutions
implemented. Corporate concerns are:
• Single point of failure for authentication
• Data breaches because of weak authentication
• Security in the cloud is the #1 concern of businesses
All sectors are migrating to cloud computing because
IT costs can be cut, it reduces capital expenses, and is a
viable option to modernize legacy systems.
Businesses and cloud
• Business requirements: Netflix, Adobe connect, Expense
reporting, Timesheet, Payroll systems
• Support customers with multiple devices accessing their
system
• Moving existing applications out of the datacenter and into
virtual private and fully public clouds.
• Fully embracing virtual datacenters, which means
consolidating physical datacenters, and (if the company’s
large enough) forming a private cloud.
• Outsourcing applications. There’s SaaS applications like
Workday, ADP, Concur, and SalesForce.com that have
replaced functions that used to run in the datacenter, and then
there’s also custom apps for data that’s proprietary, sensitive
or regulated, which many people are running in a platform-as-
a-service (PaaS) extension.
Cloud models and Issues
o Different deployment models: Private, Public, and Hybrid
o Private: Issue “still have to buy, build, and manage them”
o Public: No direct connection and control. Amazon, Microsoft and
Google
o Hybrid : lack the flexibility, security and certainty of in-
house applications
The difference
• Internal System
• More secure authentication like LDAP, KERBOES
• Company has a control over the data and process
• User management is easy and more controlled
• Cloud System
• Proprietary authentication system
• It is a nightmare to manage the users remotely. We wont know what the
vendor is doing
• Migration is very difficult. It is difficult to synchronise login and
authentication data between external clouds and internal systems without
exposing internal security data.
Cloud Authentication issues
• Cloud service providers request customers to store their account information in the cloud, cloud
service providers have the access to these information. This presents a privacy issue to the customer’s
privacy information.
• Many SLAs have specified the privacy of the sensitive information, however, it is difficult for
customers to make sure the proper rules are enforced. There is a lack of transparency in the cloud that
allows the customers to monitor their own privacy information.
• When a customer decide to use multiple cloud service, the customer will have to store his/her
password in multiple cloud, the more cloud service the customer is subscript to, the more copy of the
user’s information will be. This is a security issue for the customers and the cloud service providers.
• The multiple copies of account will lead to multiple authentication processes. For every cloud
service, the customer needs to exchange his/her authentication information. This redundant actions
may lead to an exploit of the authentication mechanism.
• Cloud service providers use different authentication technologies for authenticating users, this may
have less impact on SaaS than PaaS and IaaS, but it is present a challenge to the customers.
Authentication issues - contd
• Wells Fargo Customer Data Breached – How Did Cyber-
Criminals Get The Access Codes? – Why No Strong
Authentication?
• Dictionary attack?
• Security issues in cloud computing has played a major role
in slowing down its acceptance, in fact security ranked first
as the greatest challenge issue of cloud computing as
depicted in the chart.
Public Key Cryptography
• New paradigm introduced by Diffie and Hellman
• The mailbox analogy:
• Bob has a locked mailbox
• Alice can insert a letter into the box, but can’t unlock it to take mail out
• Bob has the key and can take mail out

• Encrypt messages to Bob with Bob’s public key

• Can freely distribute
• Bob decrypts his messages with his private key
• Only Bob knows this
Requirements
• How should a public key scheme work?
• Three main conditions
• It must be computationally easy to encrypt or decrypt a message given the
appropriate key
• It must be computationally infeasible to derive the private key from the public
key
• It must be computationally infeasible to determine the private key from
chosen plaintext attack
• Attacker can pick any message, have it encrypted, and obtain the ciphertext
Exchanging keys
• Alice and Bob want to communicate using a block cipher to encrypt
their messages, but don’t have shared key
• How do Alice and Bob get a shared key?
Solution 1
• Alice sends the key along with her encrypted message

• Eve sees encrypted message and key

• Uses key to decrypt message

L!
I
FA
Solution 2
• Alice sends the key at some time prior to sending Bob the encrypted
message

• Eve has to wait longer

• If she saw the key transmission, she has the key
• Uses key to decrypt message

L!
I
FA
Solution 3 – Use public key crypto
• Diffie Hellman Key Exchange
• All users share common modulus, p, and element g
• g ≠ 0, g ≠ 1, and g ≠ p-1
• Alice chooses her private key, kA
• Computes KA = gkA mod p and sends it to Bob in the clear
• Bob chooses his private key, kB
• Computes KB = gkB mod p and sends it to Alice in the clear
• When Alice and Bob want to agree on a shared key, they compute a shared secret
S
• SA,B = KBkA mod p
• SB,A = KAkB mod p
Why does DH work?
• SA,B = SB,A
• (gkA) kB mod p = (gkB) kA mod p

• Eve knows
• g and p
• KA and KB
• Why can’t Eve compute the secret?

SA,B = KBkA mod p

SB,A = KAkB mod p
• This was the first public key cryptography scheme
Hard problems
• Public key cryptosystems are based on hard problems
• DH is based on the Discrete Logarithm Problem (DLP)

• Given:
• Multiplicative group G
• Element a in G
• Output b
• Find:
• Unique solution to ax = b in G
• x is loga b

• No polynomial time algorithm exists to solve this*

*On classical computers
Could it fail?
• Eve could fool Alice and Bob
• Man in the middle / bucket brigade

My key is My key is My key is My key is

KA K’B K’A KB

Eve Bob
Alice

Alice has no guarantee that the person she’s establishing

a key with is actually Bob
RSA
• Rivest-Shamir-Adleman
• Probably the most well-known public key scheme
• First, some background
Euler’s Totient
• Totient function (n)
• Number of positive numbers less than n that are relatively prime to n
• Two numbers are relatively prime when their greatest common divisor is 1

• Example: (10) = 4
• 1, 3, 7, 9

• Example: (7) = 6
• 1, 2, 3, 4, 5, 6
• If n is prime, (n) = n-1
RSA keys
• Choose 2 large primes, p and q
• N = pq
• (N) = (p-1)(q-1)
• Choose e < N such that gcd(e, (N))=1
• d such that ed = 1 mod (N)

• Public key: {N, e}

• Private key: {d}
• p and q must also be kept secret
RSA encryption/decryption
• Alice wants to send Bob message m
• She knows his public key, {N,e}

c = me mod N m = cd mod N

Bob
Alice
Toy example
• p=7, q=11
• N=77
• (N) = (6)(10) = 60
• Bob chooses e=17
• Uses extended Euclidean algorithm to find inverse of e mod 60
• Finds d=53

• Bob makes {N, e} public

Toy example (continued)
• Alice wants to send Bob “HELLO WORLD”
• Represent each letter as a number 00(A) to 25(Z)
• 26 is a space
• Calculates:
• 0717 mod 77 = 28, 0417 mod 77 = 16, …, 0317 mod 77 = 75
• Sends Bob 28 16 44 44 42 38 22 42 19 44 75
• He decrypts each number with his private key and gets “HELLO
WORLD”
What could go wrong?
• What was wrong with the toy example?
• Eve can easily find the encryption of each letter and use that as a key to
Alice’s message
• Even without knowing the public key, can use statistics to find likely messages
• Like cryptogram puzzles
How it should really happen
• p and q should be at least 512 bits each
• N at least 1024 bits
• The message “HELLO WORLD” would be converted into one very
large integer
• That integer would be raised to the public/private exponent
• For short message, pad them with a random string
The Application Level (Security threats)
• DoS
• EDoS(Economic Denial of Sustainability)
• An attack against the billing model that underlies the cost of providing a
service with the goal of bankrupting the service itself.
• End user security
• Who is responsible for Web application security in the cloud?
• SaaS/PaaS/IaaS application security
• Customer-deployed application security
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

197
Data Security and Storage (Application-Level Security)

• Several aspects of data security, including:

• Data-in-transit
• Confidentiality + integrity using secured protocol
• Confidentiality with non-secured protocol and encryption
• Data-at-rest
• Generally, not encrypted , since data is commingled with other users’ data
• Encryption if it is not associated with applications?
• But how about indexing and searching?
• Then homomorphic encryption vs. predicate encryption?
• Processing of data, including multitenancy
• For any application to process data, not encrypted

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

198
Data Security and Storage (Application-level)
• Data lineage
• Knowing when and where the data was located w/i cloud is
important for audit/compliance purposes
• e.g., Amazon AWS
• Store <d1, t1, ex1.s3.amazonaws.com>
• Process <d2, t2, ec2.compute2.amazonaws.com>
• Restore <d3, t3, ex2.s3.amazonaws.com>
• Data provenance
• Computational accuracy (as well as data integrity)
• E.g., financial calculation: sum ((((2*3)*4)/6) -2) = $2.00 ?
• Correct : assuming US dollar
• How about dollars of different countries?
• Correct exchange rate?

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

199
Data Security and Storage
• Data remanence
• Inadvertent disclosure of sensitive information is possible
• Data security mitigation?
• Do not place any sensitive data in a public cloud
• Encrypted data is placed into the cloud?
• Provider data and its security: storage
• To the extent that quantities of data from many companies are centralized, this collection
can become an attractive target for criminals
• Moreover, the physical security of the data center and the trustworthiness of system
administrators take on new importance.

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

200
Definition
• Virtualization is the ability to run multiple operating
systems on a single physical system and share the
underlying hardware resources*
• It is the process by which one computer hosts the
appearance of many computers.
• Virtualization is used to improve IT throughput and
costs by using physical resources as a pool from which
virtual resources can be allocated.

*VMWare white paper, Virtualization Overview

Virtualization Architecture
• A Virtual machine (VM) is an isolated runtime
environment (guest OS and applications)
• Multiple virtual systems (VMs) can run on a single
physical system
Benefits of Virtualization
• Sharing of resources helps cost reduction
• Isolation: Virtual machines are isolated from each
other as if they are physically separated
• Encapsulation: Virtual machines encapsulate a
complete computing environment
• Hardware Independence: Virtual machines run
independently of underlying hardware
• Portability: Virtual machines can be migrated between
different hosts.
Virtualization in Cloud Computing
Cloud computing takes virtualization one step further:
• You don’t need to own the hardware
• Resources are rented as needed from a cloud
• Various providers allow creating virtual servers:
• Choose the OS and software each instance will have
• The chosen OS will run on a large server farm
• Can instantiate more virtual servers or shut down existing
ones within minutes
• You get billed only for what you used
Virtualization Security Challenges
The trusted computing base (TCB) of a virtual machine is
too large.
• TCB: A small amount of software and hardware that
security depends on and that we distinguish from a much
larger amount that can misbehave without affecting
security*
• Smaller TCB  more security

*Lampson et al., “Authentication in distributed systems: Theory

and practice,” ACM TCS 1992
Virtualization Security Requirements

• Scenario: A client uses the service of a cloud computing

company to build a remote VM
• A secure network interface

• A secure secondary storage

• A secure run-time environment

• Build, save, restore, destroy
Virtualization Security Requirements

• A secure run-time environment is the most fundamental

• The first two problems already have solutions:

• Network interface: Transport layer security (TLS)
• Secondary storage: Network file system (NFS)

• The security mechanism in the first two rely on a secure run-

time environment
• All the cryptographic algorithms and security
protocols reside in the run-time environment
Hypervisor Vulnerabilities
Malicious software can run on the same server:
• Attack hypervisor
• Access/Obstruct other VMs

Guest VM1 Guest VM2

App App
s s
OS OS

Hypervisor
servers
Physical Hardware
208
NoHype*
• NoHype removes the hypervisor
• There’s nothing to attack
• Complete systems solution
• Still retains the needs of a virtualized cloud infrastructure

Guest VM1 Guest VM2

App App
s s
OS OS

No hypervisor
Physical Hardware
209

*NoHype: Virtualized Cloud Infrastructure without the Virtualization. E. Keller, J. Szefer, J.

Rexford, R. Lee. ISCA 2010.
Roles of the Hypervisor
• Isolating/Emulating resources
• CPU: Scheduling virtual machines Push to HW /
• Memory: Managing memory Pre-allocation
• I/O: Emulating I/O devices
• Networking Remove
• Managing virtual machines
Push to side
Removing the Hypervisor
• Scheduling virtual machines
• One VM per core
• Managing memory
• Pre-allocate memory with processor support
• Emulating I/O devices
• Direct access to virtualized devices
• Networking
• Utilize hardware Ethernet switches
• Managing virtual machines
• Decouple the management from operation
Safe Sharing
• Protecting a single computer with one user is easy
• Prevent everybody else from having access
• Encrypt all data with a key only one person knows
• Sharing resources safely is hard
• Preventing some people from reading private data (e.g. grades)
• Prevent some people from using too many resources (e.g. disk space)
• Prevent some people from interfering with other programs (e.g. inserting key
strokes / modifying displays)
Why is security hard?
• Security slows things down
• Security gets in the way
• Security adds no value if there are no attacks
• Only the government used to pay for security
• The Internet made us all potential victims
Trusted Computing Base (TCB)
• Think carefully about what you are trusting with your information
• if you type your password on a keyboard, you’re trusting:
• the keyboard manufacturer
• your computer manufacturer
• your operating system
• the password library
• the application that’s checking the password
• TCB = set of components (hardware, software, wetware) that you trust your secrets with
• Public web kiosks should *not* be in your TCB
• should your OS?
• but what if it is promiscuous? (e.g., IE and active-X extensions)
• how about your compiler?
• A great read: “Reflections on Trusting Trust”.
Security Techniques
• Authentication – identifying users and programs
• Authorization – determining what access users and programs have to
things
• Complete mediation: check every access to every protected object
• Auditing – record what users and programs are doing for later analysis
Authentication
• How does a computer know who I am?
• User name / password
• How do it store the password?
• How do it check the password?
• How secure is a password?
• Public/Private Keys
• Biometrics
• What does the computer do with this information?
• Assign you an identifier
• Unix: 32 bit number stored in process structure
• Windows NT: 27 byte number, stored in an access token in kernel
Aside on Encryption
• Encryption: takes a key and data and creates ciphertext
• {Attack at dawn}key=h8JkS! = 29vn&#9njs@a
• Decryption: takes cipertext and a key and recovers data
• {29vn&#9njs@a}key=h8JkS! = Attack at dawn
• Without key, can’t convert data into ciphertext or vice-versa

• Hashing: takes data and creates a fixed-size fingerprint, or hash

• H(Attack at Dawn) = 183870
• H(attack at dawn) = 465348
• Can’t determine data from hash or find two pieces of data with same hash
Storing passwords
• CTSS (1962): password file Bob: 14: “12.14.52”
David: 15: “allison”
Mary: 16: “!ofotc2n”

Bob: 14: S6Uu0cYDVdTAk

• Unix (1974):
K=[0]
encrypt passwords with passwords
David: 15: J2ZI4ndBL6X.M
allison
Mary: 16: VW2bqvTalBJKg

Bob: 14: S6Uu0cYDVdTAk: 45

K=[0]allison392
• Unix (1979): salted passwords David: 15: J2ZI4ndBL6X.M: 392
Mary: 16: VW2bqvTalBJKg: 152
More Storing Passwords
• Unix-style password file
• Password file not protected, because information in it
can’t be used to logon
• Doesn’t work for network authentication
• Doesn’t contain any secret information

• Windows-NT style password file

• Contains MD4 hash of passwords
• Hash must be protected because it can be used to log on
• Hidden from users
• Encrypted by random key
• Physical security required
Password Security
• 26 letters used, 7 letters long
• 8 billion passwords (33 bits)
• Checking 100,000/second breaks in 22 hours
• System should make checking passwords slow

• Adding symbols and numbers and longer passwords

• 95 characters, 14 characters long
• 1027 passwords = 91 bits
• Checking 100,000/second breaks in 1014 years

• SDSC computed 207 billion hashes for 50 million passwords in

80 minutes.
• Hashing all passwords for one salt takes 20 minutes on a P4
Do longer passwords work?
• People can’t remember 14-character strings of random characters
• Random number generators aren’t always that good.
• People write down difficult passwords
• People give out passwords to strangers
• Passwords can show up on disk
Authorization
• How does the system know what I’m allowed to do?
• Authorization matrix:
• Objects = things that can be accessed
• Subjects = things that can do the accessing (users or programs)
• What are the limits?
• Time of day
• Ranges of values

Alice Bob Carl

/etc Read Read Read
Write
/homes Read Read Read
Write Write Write
/usr None None Read
Access Control Lists
• Representation used in Windows NT, Unix for files
• Stored on each file / directory
Bob Read, Write,
Delete
Students Read
Everyone Read
Unix:
Fixed set of permissions (read,write,delete)
Three sets of subjects (owner, group, world)
Windows NT
Arbitrary number of entries
16 permissions per object
Capabilities
• Once granted, can be used to get access to an object
• Implemented as a protected pointer
1 Used in Unix, Windows NT for files, sockets, kernel
User objects
2
program Capability obtained after ACL check
3
Kernel
Boundary

Capability
List
1 2 3 4 5 6
Which one is better
• ACLs:
• Can have large numbers of objects
• Easy to grant access to many objects at once
• Require expensive operation on every access
• Capabilities
• Hard to manage huge number of capabilities
• They have to come from somewhere
• They are fast to use (just pointer dereferences)
• Most systems use both
• ACLs for opening an object (e.g. fopen())
• Capabilities for performing operations (e.g. read())
Protection Domain Concept
• A protection domain is the set of objects and permissions on those objects that executing code may
access
• e.g. a process
• memory
• files
• sockets
• also: a device driver, a user, a single procedure
• Capabilities:
• protection domain defined by what is in the capability list
• ACLs
• protection domain defined by the complete set of objects code could access
How does this get implemented?
• Originally:
• every application had its own security checking code,
• Separate set of users
• Separate set of objects
• Separate kinds of ACLs, capabilities
• This makes the trusted computing base) huge!!!
• You have to trust all applications do to this correctly!
• Now: Reference monitor
• Manages identity
• Performs all access checks
• Small, well-tested piece of code
Modern security problems
• Confinement
• How do I run code that I don’t trust?
• E.g. RealPlayer, Flash
• How do I restrict the data it can communicate?
• What if trusted code has bugs?
• E.g. Internet Explorer
• Concepts:
• Least Privilege: programs should only run with the minimal amount of privilege necessary
• Solutions:
• Restricted contexts - let the user divide their identity
• ActiveX – make code writer identify self
• Java – use a virtual machine that intercepts all calls
• Binary rewriting - modify the program to force it to be safe
Key Distribution
• Have network with n entities
• Add one more
• Must generate n new keys
• Each other entity must securely get its new key
• Big headache managing n2 keys!
• One solution: use a central keyserver
• Needs n secret keys between entities and keyserver
• Generates session keys as needed
• Downsides
• Only scales to single organization level
• Single point of failure
235
Symmetric Key Distribution
• How does Andrew do this?

Andrew Uses Kerberos, which relies on a

Key Distribution Center (KDC) to establish
shared symmetric keys.

236
Key Distribution Center (KDC)
• Alice, Bob need shared symmetric key.
• KDC: server shares different secret key with each registered
user (many users)
• Alice, Bob know own symmetric keys, KA-KDC KB-KDC , for
communicating with KDC.
KDC

KA-KDC KP-KDC
KX-KDC
KP-KDC KB-KDC
KY-KDC

KZ-KDC
KA-KDC KB-KDC

237
Key Distribution Center (KDC)
Q: How does KDC allow Bob, Alice to determine shared
symmetric secret key to communicate with each other?
KDC
generates
KA-KDC(A,B)
R1

Alice KA-KDC(R1, KB-KDC(A,R1) ) Bob knows to

knows use R1 to
R1 KB-KDC(A,R1) communicate
with Alice

Alice and Bob communicate: using R1 as

session key for shared symmetric encryption
238
How Useful is a KDC?
• Must always be online to support secure communication
• KDC can expose our session keys to others!
• Centralized trust and point of failure.

In practice, the KDC model is mostly used within single organizations

(e.g. Kerberos) but not more widely.

239
Asymmetric Key: Confidentiality
Bob’s public
KB key
Bob’s private
KB-1 key

encryption ciphertext decryption plaintext

algorithm algorithm message
KB (m) m = KB-1 (KB (m))

240
Asymmetric Key: Sign & Verify
• If we are given a message M, and a value S such
that KB(S) = M, what can we conclude?

• The message must be from Bob, because it must be the case that
S = KB-1(M), and only Bob has KB-1 !

• This gives us two primitives:

• Sign (M) = KB-1(M) = Signature S
• Verify (S, M) = test( KB(S) == M )

241
Asymmetric Key: Integrity & Authentication

• We can use Sign() and Verify() in a similar manner as

our HMAC in symmetric schemes.

S = Sign(M) Message M
Integrity:
Receiver must only check Verify(M, S)

Nonce
Authentication:
S = Sign(Nonce)
Verify(Nonce, S)

242
Multi-factor What
Authentication (MFA)
is Multi-Factor Authentication??

Multi-factor authentication, also referred to as advanced or two-factor

authentication, provides an additional layer of security when logging in
or performing transactions online.

When logging in, a user is required to enter a password and also

authenticate using a second factor, typically a phone or hardware token.
Multi-factor Authentication (MFA)
Why do we need it?

• Prevent unauthorized users from logging into your account

• Protect your identity

• Protect your data

• Protect your money!

Ways of MFA Authentication

• Call your phone (desk or cell)

• Send text message with pass codes to cell

• Use the Duo Mobile app to create a pass code or send a notification to
cell

• YubiKey authentication
Multi-factor Authentication Options
Demonstrations
How do I set this stuff up?!?

1) Registering/Activating MFA on your account

2) Setting up devices for MFA

3) Configuring and using your YubiKey

4) Choosing websites to use MFA

MFA Options – Phone Call
On the MFA homepage, select Add a basic cell phone or home/office phone

Fill out the form and click Continue

• Click on the multi-factor authentication home page link to return home

MFA Options – Phone Call
• Call your phone (desk or cell)

• Select the Call my phone work (or whatever you named it)
• You will receive a call from ‘Toll Free Call’
“Welcome to Duo. If you are not expecting this call, please hangup. Otherwise, press any key on
your phone to login.”

• Press any key on the phone

• Click Enter
MFA Options – Text Message
• Text your cell phone

• Select the Send SMS pass codes to cell

• You will receive a text from a random number with 10 passcodes

• Type any of the 10 passcodes into the MFA screen

MFA Options – Duo Mobile app
• Download the Duo Mobile app from the App Store or Play Store
(Smartphones only)
MFA Options – Duo Mobile app
On the MFA homepage, select Add a basic cell phone or home/office phone

Fill out the form and click Continue

• Click on the multi-factor authentication home page link to return home

MFA Options – Duo Mobile app
In Duo Mobile, click the Add Account button and then click Scan Barcode

Scan the QR code at the bottom of the screen and the Duke University account will load on your
phone. Click Continue on the webpage when complete.

Click on the multi-factor authentication home page link to return home

Recovery Models
• Full Recovery Model
• All activities that affects the database are logged.
• Bulk-Logged Recovery Model
• Some actions are logged as having occurred but individual rows affected are
not logged.
• Simple Recovery Model
• The inactive portion of the log is truncated every time a checkpoint is issued.
Full Recovery Model
• All activities that affects the database are logged.
• The transaction log contains a record of all the modifications to the
database.
Bulk-Logged Recovery Model
• Minimal logging
• Some actions are logged as having occurred but individual rows
affected are not logged.
• During next BACKUP LOG event the affected physical extents are
copied to the log backup.
Simple Recovery Model
• The inactive portion of the log is truncated every time a checkpoint is
issued.
• Transaction log cannot be backed up and used for data recovery since
it does not have a complete record of all the transactions that have
modified the database.
Backup Types
• Full Backup
• Differential Backup
• File/Filegroup Backup
• File/Filegroup with Differential
• Transaction Log Backup
• Partial Backup
• Copy Only Backup
Full Backup
• Backups up all the data in the database and records all database file
locations.
• SQL Server logs the beginning of a Full database backup in the
transaction log and then records all modifications made to the database
for the duration of the backup in the transaction log.
• The portion of the transaction log that occurred during the backup is
saved to the backup media.
Differential Backup
• Backups on the data that has changed since the last Full backup.
• Includes the portion of the transaction log that contains database
modifications that occurred during the backup.
File/Filegroup Backup
• Backup files and filegroups individually.
File/Filegroup with Differential
• Like Differential
• Only available if database is in Full or Bulk-Logged recovery model.
• Also available if filegroup is marked as Read Only and database is in
Simple Model.
Transaction Log Backup
• Available in Full or Bulk-Logged Recovery Models.
• Three forms:
• Pure Log Backup
• Bulk Log Backup
• Tail Log Backup
Partial Backup
• Consists of the Primary filegroup, Read Write filegroups, and any
Read only filegroup specified.
• Idea is to separate filegroups that can change for filegroups that cannot
change.
Copy Only Backup
• Creates a backup without affecting the chain of backups required to
restore a database.
• They are non-logged backups that can be used outside the
maintenance envrionment.
Backup Options
• Backup Stripe
• Mirrored Backup
• Compressed Backup
Backup Strategies
• Full Backup Only
• Bull Backup with Differential
• Full Backup with Transaction Log
• Full and Differential Backup with Transaction Log
• File and Filegroup Backup
• Filegroup with Differential
• Partial Backup
Restoring Databases
• A three phase process
• Data Copy
• Data copied
• Redo Phase
• Committed transactions are restored from the log
• Undo Phase
• Uncommitted transactions are rolled back from the log
Database Restore Preparation
• Isolate the database by placing it in SINGLE_USER mode (if it is
accessible).
• Backup up the tail of the transaction log if in Full or Bulk-Logged
recovery model.
• Gather information about all the backups that are required to restore
the database to the most recent state.
Importance of Cybersecurity
 The internet allows an attacker to work from anywhere on the
planet.

 Risks caused by poor security knowledge and practice:

 Identity Theft
 Monetary Theft
 Legal Ramifications (for yourself and your organization)
 Sanctions or termination if policies are not followed

 According to the SANS Institute, the top vectors for

vulnerabilities available to a cyber criminal are:
 Web Browser
 IM Clients
 Web Applications
 Excessive User Rights
270
Cybersecurity is Safety

Security: We must protect our computers and data

in the same way that we secure the doors to
our homes.
Safety: We must behave in ways that protect us
against risks and threats that come with technology.

271
User Awareness

Cyber-Criminals System Administrators

Some scripts appear useful
to manage networks…
Cracker:
Computer-savvy Posts to
programmer creates Hacker Bulletin Board
attack software SQL Injection
Buffer overflow
lo a ds Password Crackers
Script Kiddies: wn
Do Password Dictionaries
Unsophisticated
computer users who
R ep
know how to o rt s
execute programs Successful attacks!
Crazyman broke into …
s to
P ost CoolCat penetrated…
Criminals: Create & sell bots
-> generate spam Malware package earns $1K-2K
Sell credit card numbers, 1 M Email addresses earn $8
etc… 10,000 PCs earn $1000 272
Leading Threats
Viruses
Worms
Trojan Horses / Logic Bombs
Social Engineering
Rootkits
Botnets / Zombies

273
Viruses
 A virus attaches itself to a program, file,
or disk. Program
 When the program is executed, the A
virus activates and replicates itself. Extra Code
 The virus may be benign or malignant
but executes its payload at some point
(often upon contact).
infects
 Viruses can cause computer crashes and loss
of data.
 In order to recover or prevent virus
attacks: Program
 Avoid potentially unreliable websites/emails. B
 System Restore.
 Re-install operating system.
274
 Use and maintain anti-virus software.
Worms
Independent program that replicates itself and sends copies from computer to
computer across network connections.
Upon arrival, the worm may be activated to replicate.

To Joe
To Ann
To Bob

Email List:
[email protected]
[email protected]
[email protected]
275
Logic Bombs and Trojan Horses

Logic Bomb: Malware logic executes upon certain conditions.

The program is often used for otherwise legitimate reasons.
Examples:
Software which malfunctions if maintenance fee is not paid.
Employee triggers a database erase when he is fired.

Trojan Horse: Masquerades as a benign program while quietly

destroying data or damaging your system.
Download a game: It may be fun but contains hidden code that gathers personal information
without your knowledge.

276
Social Engineering
Social engineering manipulates people into performing actions or divulging confidential
information. Similar to a confidence trick or simple fraud, the term applies to the use of deception
to gain information, commit fraud, or access computer systems.
Email:
ABC Bank has
Phone Call: noticed a
This is John, the problem with
System In Person: your account…
Administrator. What ethnicity
What is your are you? Your I have come
password? mother’s maiden to repair your
name? machine…
and have
some lovely
software
patches!

277
Phishing: Counterfeit Email

Phishing: A seemingly
trustworthy entity asks for
sensitive information such as
SSN, credit card numbers,
login IDs or passwords via e-
mail.

278
Pharming: Counterfeit Web Pages

Wiping over,
but not
clicking the
link may
reveal a
different
Misspelled address.

With whom?
Copyright
date is old

The link provided in the e-mail leads to a counterfeit webpage

which collects important information and submits it to the owner.
The counterfeit web page looks like the real thing
Extracts account information
279
Botnet
 A botnet is a number of compromised computers used to create and send
spam or viruses or flood a network with messages as a denial of service
attack.
 The compromised computers are called zombies.

280
Man In The Middle Attack

An attacker pretends to be your final destination on the network. When a

person tries to connect to a specific destination, an attacker can mislead him
to a different service and pretend to be that network access point or server.

281
Rootkit

 Upon penetrating a computer, a

hacker may install a collection
of programs, called a rootkit.
 May enable:
 Easy access for the hacker (and
others)into the enterprise
 Keystroke logger
Backdo
 Eliminates evidence of break- or
Keystro entry user
in. ke Logg den
er Hid
 Modifies the operating system.
282
Password Cracking
Dictionary Attack and Brute Force
Pattern Calculation Result Time to Guess
(2.6x1018 tries/month)
Personal Info: interests, relatives 20 Manual 5 minutes
Social Engineering 1 Manual 2 minutes
American Dictionary 80,000 < 1 second
4 chars: lower case alpha 264 5x105
8 chars: lower case alpha 268 2x1011
8 chars: alpha 528 5x1013
8 chars: alphanumeric 628 2x1014 3.4 min.
8 chars alphanumeric +10 728 7x1014 12 min.
8 chars: all keyboard 958 7x1015 2 hours
12 chars: alphanumeric 6212 3x1021 96 years
12 chars: alphanumeric + 10 7212 2x1022 500 years
12 chars: all keyboard 9512 5x1023
16 chars: alphanumeric 6216 5x1028

283
Georgia Data Breach Notification Law

O.C.G.A. §§10-1-910, -911, -912

An unauthorized acquisition of electronic data that
compromises the security, confidentiality or integrity of
“personal information.”
Personal Information
Social Security Number.
Driver’s license or state ID number.
Information permitting access to personal accounts.
Account passwords or PIN numbers or access codes.
Any of the above in connection with a person’s name if the
information is sufficient to perform identity theft against the
individual.
284
Identifying Security Compromises

 Symptoms:
 Antivirus software detects a problem.
 Disk space disappears unexpectedly.
 Pop-ups suddenly appear, sometimes selling security software.
 Files or transactions appear that should not be there.
 The computer slows down to a crawl.
 Unusual messages, sounds, or displays on your monitor.
 Stolen laptop: 1 stolen every 53 seconds; 97% never recovered.
 The mouse pointer moves by itself.
 The computer spontaneously shuts down or reboots.
 Often unrecognized or ignored problems.
285
Malware detection
• Spyware symptoms:
• Changes to your browser homepage/start page.
• Ending up on a strange site when conducting a search.
• System-based firewall is turned off automatically.
• Lots of network activity while not particularly active.
• Excessive pop-up windows.
• New icons, programs, favorites which you did not add.
• Frequent firewall alerts about unknown programs when trying
to access the Internet.
• Poor system performance.

286
Best Practices to avoid these threats

Defense in depth uses multiple layers of defense to address

technical, personnel and operational issues.

User Account Controls

287
Anti-virus and Anti-spyware Software

• Anti-virus software detects certain types of malware and can

destroy it before any damage is done.
• Install and maintain anti-virus and anti-spyware software.
• Be sure to keep anti-virus software updated.
• Many free and commercial options exist.
• Contact your Technology Support Professional for assistance.

288
Host-based Firewalls
• A firewall acts as a barrier between your computer/private network
and the internet. Hackers may use the internet to find, use, and
install applications on your computer. A firewall prevents many
hacker connections to your computer.
• Firewalls filter network packets that enter or leave your computer

289

Protect your Operating System
Microsoft regularly issues patches or updates to solve security problems in their software. If
these are not applied, it leaves your computer vulnerable to hackers.
 The Windows Update feature built into Windows can be set up to automatically download and
install updates.
 Avoid logging in as administrator
 Apple provides regular updates to its operating system and software applications.
 Apply Apple updates using the App Store application.

290
Use Strong Passwords

Make passwords easy to remember but hard to guess

• USG standards:
• Be at least ten characters in length
• Must contain characters from at least two of the following four types
of characters:
• English upper case (A-Z)
• English lower case (a-z)
• Numbers (0-9)
• Non-alphanumeric special characters ($, !, %, ^, …)
• Must not contain the user’s name or part of the user’s name
• Must not contain easily accessible or guessable personal information
about the user or user’s family, such as birthdays, children’s names,
addresses, etc.
291
Creating Strong Passwords
• A familiar quote can be a good start:

“LOVE IS A SMOKE MADE WITH THE FUME OF

SIGHS”
William Shakespeare

• Using the organization standard as a guide, choose

the first character of each word:
• LIASMWTFOS
• Now add complexity the standard requires:
• L1A$mwTF0S (10 characters, 2 numerals, 1 symbol, mixed
English case: password satisfies all 4 types).
• Or be more creative!
292
Password Guidelines
• Never use admin, root, administrator, or a default account or
password for administrative access.
• A good password is:
• Private: Used by only one person.
• Secret: It is not stored in clear text anywhere,
including on Post-It® notes!
• Easily Remembered: No need to write it down.
• Contains the complexity required by your organization.
• Not easy to guess by a person or a program in a reasonable time,
such as several weeks.
• Changed regularly: Follow organization standards.
• Avoid shoulder surfers and enter your credentials carefully! If
a password is entered in the username field, those attempts
usually appear in system logs.
293
Avoid Social Engineering
and Malicious Software
• Do not open email attachments unless you are
expecting the email with the attachment and you
trust the sender.
• Do not click on links in emails unless you are
absolutely sure of their validity.
• Only visit and/or download software from web
pages you trust.

294
Avoid Stupid Hacker Tricks
 Be sure to have a good firewall or pop-up blocker installed.
 Pop-up blockers do not always block ALL pop-ups so
always close a pop-up window using the ‘X’ in the upper
corner.
 Never click “yes,” “accept” or even “cancel.”

 Infected USB drives are often left unattended by hackers in

public places.

295
Secure Business Transactions

 Always use secure browser to do online activities.

 Frequently delete temp files, cookies, history, saved passwords etc.
https://

Symbol indicating
enhanced security

296
Backup Important Information

 No security measure is 100% reliable.

 Even the best hardware fails.
 What information is important to you?
 Is your backup:
Recent?
Off-site & Secure?
Process Documented?
Encrypted?
Tested?

297
Cyber Incident Reporting

If you suspect a cybersecurity incident, notify your organization’s help

desk or the USG ITS help desk immediately. Be prepared to supply the
details you know and contact information.

1. Do not attempt to investigate or remediate the incident on your own.

2. Inform other users of the system and instruct them to stop work
immediately.
3. Unless instructed, do not power down the machine.
4. Unless instructed, do not remove the system from the network.

The cybersecurity incident response team will contact you as soon as

possible to gather additional information.

Each USG organization is required to have a specific plan to handle

cybersecurity incidents. Refer to local policies, standards and guidelines
for specific information.
298
Fraud

 Organizations lose 5-6% of

Internal Fraud Recovery
revenue annually due to
internal fraud = $652 Billion in
U.S. (2006)
 Average scheme lasts 18
months, costs $159,000
 25% costs exceed $1M
 Smaller companies suffer $0 Recovered
greater average dollar losses Recovery<=25%
Substantial Recovery
than large companies
Essentials of Corporate Fraud, T L Coenen,
2008, John Wiley & Sons 299
Fraud Discovery
How Fraud is Discovered

40
35
30
25
20

%
15
10
5
0
Tip By Accident Internal Audit Internal Controls External Audit Notified by
Police

Tips are the most common way fraud is discovered.

Tips come from:
Employee/Coworkers 64%,
Anonymous 18%,
Customer 11%,
Vendor 7%
If you suspect possible fraud, report it anonymously to the USG ethics hot line at 877-516-3466.

Essentials of Corporate Fraud, T L

Coenen, 2008, John Wiley & Sons 300
Zero Trust

Untrusted Untrusted
Core concepts of Zero Trust
All resources are accessed in a secure manner
regardless of location.

Access control is on a “need-to-know” basis and is

strictly enforced.

Verify and never trust.

Inspect and log all traffic.

The network is designed from the inside out.

Zero Trust is . . .

A new model of information security that identifies the fundamental problem as a

broken trust model where users and traffic inside the network are trusted, and those
external to the network are untrusted.
Zero Trust is the answer!
Zero Trust: scalable and segmented
WL MCAP

DB MCAP User MCAP

APPS
MCAP WAF

CHD MCAP

MGMT SIM NAV WW

W

server DAN MCAP WWW MCAP

Augment hierarchal networks IPS
with Zero Trust
WL MCAP

IPS WAF
WWW farm

User MCAP
DAM DB farm

IPS
IPS
CHD Server
MCAP farm
MGMT SIM NAV
server DAN MCAP WAN
Zero Trust network architecture is SDN- and fabric-friendly

VM
VM
VM
VMHypervisor

vSwitch
Open vSwitch vSwitch

VM
VM

VM
vSwitch
VM

vSwitch
Extend Zero Trust to the cloud
Zero Trust Is designed to stop malware propagation
and data exfil

Physical segmentation gateway

(PSG)
All traffic in a Zero
Trust Network is fully
inspected by a
segmentation gateway
during each
transaction
Virtual segmentation gateway (VSG)
Thank You!