Title: Email: cychen07@nuk.edu.tw
1 [title not recoverable in this copy] - CSA
[presenter not recoverable in this copy]
401, Email cychen07_at_nuk.edu.tw
100/12/12
2 [news excerpt dated 2010-11-26; body not recoverable in this copy]
3 [news excerpt dated 2010-11-26 quoting Tim Mather of the Cloud Security Alliance (CSA); body not recoverable in this copy, apart from a mention of WiMAX]
4 [title not recoverable in this copy]
Cloud Security Alliance (CSA), 2009 [description not recoverable in this copy]
Security Guidance for Critical Areas of Focus in Cloud Computing
http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
Top Threats to Cloud Computing
http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
[blog post title not recoverable in this copy] http://cyrilwang.pixnet.net/blog/post/30895717
5 The guidance is divided into Governance and Operation, with 5 and 7 domains respectively, 12 domains in total.
Governance
1. Governance and Enterprise Risk Management
2. Legal and Electronic Discovery
3. Compliance and Audit
4. Information Lifecycle Management
5. Portability and Interoperability
Security Guidance for Critical Areas of Focus in Cloud Computing
6 Operation
1. Traditional Security, Business Continuity, and Disaster Recovery
2. Data Center Operations
3. Incident Response, Notification, and Remediation
4. Application Security
5. Encryption and Key Management
6. Identity and Access Management
7. Virtualization
7 Governance
1. Governance and Enterprise Risk Management
Well-developed information security governance processes.
The fundamental issues concern the identification and implementation of the appropriate organizational structures, processes, and controls to maintain effective information security governance, risk management, and compliance.
Organizations should also assure reasonable
information security across the information
supply chain, encompassing providers and
customers of Cloud Computing services and their
supporting third party vendors, in any cloud
deployment model.
8 Governance
2. Legal and Electronic Discovery
Cloud Computing creates new dynamics in the relationship between an organization and its information, involving the presence of a third party: the cloud provider.
9 Governance
2. Legal and Electronic Discovery
The fundamental issues:
The functional dimension: determining which functions and services in Cloud Computing have legal implications for participants and stakeholders.
The jurisdictional dimension: the way in which governments administer laws and regulations impacting Cloud Computing services, the stakeholders, and the data assets involved.
The contractual dimension: the contract structures, terms and conditions, and enforcement mechanisms through which stakeholders in Cloud Computing environments can address and manage the legal and security issues.
10 Governance
3. Compliance and Audit
Regulatory applicability for the use of a given cloud service.
Division of compliance responsibilities between cloud provider and cloud customer.
Cloud provider's ability to produce evidence needed for compliance.
Cloud customer's role in bridging the gap between cloud provider and auditor/assessor.
11 Governance
4. Information Lifecycle Management
The Data Security Lifecycle is different from Information Lifecycle Management, reflecting the different needs of the security audience. The Data Security Lifecycle consists of six phases.
12 Governance
4. Information Lifecycle Management
[slide body not recoverable in this copy]
13 Governance
4. Information Lifecycle Management
Data security: Confidentiality, Integrity, Availability, Authenticity, Authorization, Authentication, and Non-Repudiation.
Location of the data: There must be assurance
that the data, including all of its copies and
backups, is stored only in geographic locations
permitted by contract, SLA, and/or regulation.
For instance, use of compliant storage as
mandated by the European Union for storing
electronic health records can be an added
challenge to the data owner and cloud service
provider.
14 Governance
4. Information Lifecycle Management
Data remanence or persistence: Data must be effectively and completely removed to be deemed destroyed. Therefore, techniques for completely and effectively locating data in the cloud, erasing/destroying data, and assuring the data has been completely removed or rendered unrecoverable must be available and used when required.
Commingling data with other cloud customers: Data, especially classified/sensitive data, must not be commingled with other customer data without compensating controls while in use, storage, or transit. Mixing or commingling the data will be a challenge when concerns are raised about data security and geo-location.
15 Governance
4. Information Lifecycle Management
Data backup and recovery schemes for recovery and restoration: Data must be available, and data backup and recovery schemes for the cloud must be in place and effective in order to prevent data loss, unwanted data overwrite, and destruction. Don't assume cloud-based data is backed up and recoverable.
Data discovery: As the legal system continues to focus on electronic discovery, cloud service providers and data owners will need to focus on discovering data and assuring legal and regulatory authorities that all data requested has been retrieved. In a cloud environment that question is extremely difficult to answer and will require administrative, technical and legal controls when required.
16 Governance
4. Information Lifecycle Management
Data aggregation and inference: With data in the
cloud, there are added concerns of data
aggregation and inference that could result in
breaching the confidentiality of sensitive and
confidential information. Hence practices must be
in play to assure the data owner and data
stakeholders that the data is still protected
from subtle breach when data is commingled
and/or aggregated, thus revealing protected
information (e.g., medical records containing
names and medical information mixed with
anonymous data but containing the same crossover
field).
17 Governance
5. Portability and Interoperability
An unacceptable increase in cost at contract renewal time.
A provider ceases business operations.
A provider suddenly closes one or more services being used, without acceptable migration plans.
Unacceptable decrease in service quality, such as a failure to meet key performance requirements or achieve service level agreements (SLAs).
A business dispute between cloud customer and provider.
18 Operation
1. Traditional Security, Business Continuity, and Disaster Recovery
The body of knowledge accrued within traditional physical security, business continuity planning and disaster recovery remains quite relevant to Cloud Computing.
19 Operation
2. Data Center Operations
The number of Cloud Computing providers continues
to increase as business and consumer IT services
move to the cloud. There has been similar growth
in data centers to fuel Cloud Computing service
offerings.
Sharing IT resources to create efficiencies and
economies of scale
20 Operation
3. Incident Response, Notification, and Remediation
The nature of Cloud Computing makes it more
difficult to determine who to contact in case of
a security incident, data breach, or other event
that requires investigation and reaction.
Standard security incident response mechanisms
can be used with modifications to accommodate the
changes required by shared reporting
responsibilities. This domain provides guidance
on how to handle these incidents.
21 Operation
4. Application Security
Applications in cloud environments will both impact and be impacted by the following major aspects:
Application Security Architecture
Software Development Life Cycle (SDLC)
Compliance
Tools and Services
Vulnerabilities
22 Operation
5. Encryption and Key Management
Cloud customers and providers need to guard against data loss and theft. Cloud customers want their providers to encrypt their data to ensure that it is protected no matter where the data is physically located. Likewise, the cloud provider needs to protect its customers' sensitive data.
23 Operation
5. Encryption and Key Management
Encryption for Confidentiality and Integrity
Cloud environments are shared with many tenants,
and service providers have privileged access to
the data in those environments. Thus confidential
data hosted in a cloud must be protected using a
combination of access control (see Domain 12),
contractual liability (see Domains 2, 3, and 4),
and encryption, which we describe in this
section. Of these, encryption offers the benefits
of minimum reliance on the cloud service provider
and lack of dependence on detection of
operational failures.
24 Operation
5. Encryption and Key Management
Encryption for Confidentiality and Integrity
Encrypting data in transit over networks: There
is the utmost need to encrypt multi-use
credentials, such as credit card numbers,
passwords, and private keys, in transit over the
Internet. Although cloud provider networks may be
more secure than the open Internet, they are by
their very architecture made up of many disparate
components, and disparate organizations share the
cloud. Therefore it is important to protect this
sensitive and regulated information in transit
even within the cloud provider's network.
Typically this can be implemented with equal ease
in SaaS, PaaS, and IaaS environments.
25 Operation
5. Encryption and Key Management
Encryption for Confidentiality and Integrity
Encrypting data at rest: Encrypting data on disk
or in a live production database has value, as it
can protect against a malicious cloud service
provider or a malicious co-tenant as well as
against some types of application abuse.
Encrypting data at rest is common within IaaS
environments, using a variety of provider and
third party tools. Encrypting data at rest within
PaaS environments is generally more complex,
requiring instrumentation of provider offerings
or special customization. Encrypting data at rest
within SaaS environments is a feature cloud
customers cannot implement directly, and need to
request from their providers.
26 Operation
5. Encryption and Key Management
Encryption for Confidentiality and Integrity
Encrypting data on backup media: This can protect
against misuse of lost or stolen media. Ideally,
the cloud service provider implements it
transparently. However, as a customer and
provider of data, it is your responsibility to
verify that such encryption takes place. One
consideration for the encryption infrastructure
is dealing with the longevity of the data.
27 Operation
5. Encryption and Key Management
Key Management
Secure key stores: Key stores must themselves be protected, just as any other sensitive data. They must be protected in storage, in transit, and in backup. Improper key storage could lead to the compromise of all encrypted data.
Access to key stores: Access to key stores must be limited to the entities that specifically need the individual keys. There should also be policies governing the key stores, which use separation of roles to help control access: an entity that uses a given key should not be the entity that stores that key.
28 Operation
5. Encryption and Key Management
Key Management
Key backup and recoverability Loss of keys
inevitably means loss of the data that those keys
protect. While this is an effective way to
destroy data, accidental loss of keys protecting
mission critical data would be devastating to a
business, so secure backup and recovery solutions
must be implemented.
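The three key-management points on slides 27 and 28 (a protected key store, access limited to the entity that needs each key with the user of a key separated from its custodian, and key backup so that key loss does not become data loss) can be shown together with envelope encryption. The Go code below is an added example, not code from the slides or from the CSA document: a KeyStore type stands in for a separately administered key store (an HSM or KMS in practice) that only wraps and unwraps per-record data-encryption keys under a key-encryption key it never releases; Encrypt and Decrypt are the data-handling side, which never sees the key-encryption key; Backup, Lose and Restore show that losing the key-encryption key without a backup makes every record unrecoverable. All type and function names and the sample plaintext are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore is a constructed stand-in for a separately administered key store
// (an HSM or KMS in practice). It holds the key-encryption key (KEK) and never
// releases it: callers may only ask it to wrap or unwrap a per-record
// data-encryption key (DEK), so the entity using a key is not the one storing it.
type KeyStore struct {
	kek    []byte
	escrow []byte // offline backup copy of the KEK; nil until Backup is called
}

func NewKeyStore() *KeyStore {
	kek := make([]byte, 32) // AES-256; crypto/rand only fails if the OS RNG is broken
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	return &KeyStore{kek: kek}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or a tampered ciphertext.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Wrap and Unwrap are the only operations exposed; once the KEK is lost (nil),
// both fail because AES rejects an empty key.
func (ks *KeyStore) Wrap(dek []byte) ([]byte, error)       { return seal(ks.kek, dek) }
func (ks *KeyStore) Unwrap(wrapped []byte) ([]byte, error) { return open(ks.kek, wrapped) }

// Backup escrows the KEK, Lose simulates losing the online copy, and Restore
// recovers it. Without a backup, every record wrapped under the KEK is gone.
func (ks *KeyStore) Backup() { ks.escrow = append([]byte(nil), ks.kek...) }
func (ks *KeyStore) Lose()   { ks.kek = nil }
func (ks *KeyStore) Restore() error {
	if ks.escrow == nil {
		return errors.New("key store: no backup to restore from")
	}
	ks.kek = append([]byte(nil), ks.escrow...)
	return nil
}

// Record is what is stored at the provider: ciphertext plus the wrapped DEK.
type Record struct{ WrappedDEK, Ciphertext []byte }

// Encrypt draws a fresh DEK, has the key store wrap it, and encrypts the payload
// under the DEK (envelope encryption); the plaintext DEK is never stored.
func Encrypt(ks *KeyStore, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext)
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt asks the key store to unwrap the DEK, then opens the payload.
func Decrypt(ks *KeyStore, r Record) ([]byte, error) {
	dek, err := ks.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}
```

Because each record has its own DEK, rotating or revoking the KEK only requires re-wrapping the small DEKs rather than re-encrypting all stored data, and a provider holding the records alone holds nothing it can read.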
29 Operation
5. Encryption and Key Management
Key Management
There are a number of standards and guidelines
applicable to key management in the cloud. The
OASIS Key Management Interoperability Protocol
(KMIP) is an emerging standard for interoperable
key management in the cloud. The IEEE 1619.3
standards cover storage encryption and key
management, especially as they pertain to storage
IaaS.
30 Operation
6. Identity and Access Management
Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT today.
Cloud-based Identity and Access Management (IAM):
Identity provisioning/deprovisioning
Authentication
Federation
Authorization and user profile management
31 Operation
6. Identity and Access Management
Cloud-based Identity and Access Management (IAM)
Identity Provisioning: One of the major
challenges for organizations adopting Cloud
Computing services is the secure and timely
management of on-boarding (provisioning) and
off-boarding (deprovisioning) of users in the
cloud. Furthermore, enterprises that have
invested in user management processes within an
enterprise will seek to extend those processes
and practices to cloud services.
32 Operation
6. Identity and Access Management
Cloud-based Identity and Access Management (IAM)
Authentication: When organizations start to
utilize cloud services, authenticating users in a
trustworthy and manageable manner is a vital
requirement. Organizations must address
authentication-related challenges such as
credential management, strong authentication
(typically defined as multi-factor
authentication), delegated authentication, and
managing trust across all types of cloud services.
33 Operation
6. Identity and Access Management
Cloud-based Identity and Access Management (IAM)
Federation: In a Cloud Computing environment,
Federated Identity Management plays a vital role
in enabling organizations to authenticate their
users of cloud services using the organization's
chosen identity provider (IdP). In that context,
exchanging identity attributes between the
service provider (SP) and the IdP in a secure way
is also an important requirement.
34 Operation
6. Identity and Access Management
Cloud-based Identity and Access Management (IAM)
Authorization and user profile management: The
requirements for user profiles and access control
policy vary depending on whether the user is
acting on their own behalf (such as a consumer)
or as a member of an organization (such as an
employer, university, hospital, or other
enterprise). The access control requirements in
SPI environments include establishing trusted
user profile and policy information, using it to
control access within the cloud service, and
doing this in an auditable way.
35 Operation
7. Virtualization
The ability to provide multi-tenant cloud
services at the infrastructure, platform, or
software level is often underpinned by the
ability to provide some form of virtualization to
create economic scale.
If Virtual Machine (VM) technology is being used
in the infrastructure of the cloud services, then
we must be concerned about compartmentalization
and hardening of those VM systems.
The reality of current practices related to
management of virtual operating systems is that
many of the processes that provide
security-by-default are missing, and special
attention must be paid to replacing them.
36 [slide title and body not recoverable in this copy, apart from a mention of SSL]
37 [slide title and body not recoverable in this copy, apart from the terms BotNet and Inter-VM]
38 [slide title and body not recoverable in this copy]
39 [section title not recoverable in this copy]
In March 2010 the CSA (Cloud Security Alliance) published Top Threats to Cloud Computing V1.0 [rest of sentence not recoverable in this copy].
1. Abuse and Nefarious Use of Cloud Computing
[description not recoverable in this copy, apart from a reference to IaaS and PaaS]
40
1. Abuse and Nefarious Use of Cloud Computing
Examples
IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, and downloads for Microsoft Office and Adobe PDF exploits. Additionally, botnets have used IaaS servers for command and control functions. Spam continues to be a problem; as a defensive measure, entire blocks of IaaS network addresses have been publicly blacklisted.
41
1. Abuse and Nefarious Use of Cloud Computing
Remediation
Stricter initial registration and validation processes.
Enhanced credit card fraud monitoring and coordination.
Comprehensive introspection of customer network traffic.
Monitoring public blacklists for one's own network blocks.
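The last remediation item, monitoring public blacklists for one's own network blocks, is easy to automate and worth running continuously, because a listing of a shared range cuts off every tenant in it. The Go code below is an added example, not code from the slides or from the CSA document: it parses a constructed sample feed (bare addresses and CIDR entries plus the comment and junk lines that real feeds contain) and reports every entry that falls inside, or covers, one of the organisation's own address blocks. The block and feed values are constructed documentation ranges, and CheckBlacklist, Hit, OwnBlocks and SampleFeed are this example's own names.

```go
package main

import (
	"fmt"
	"net"
)

// Hit records a blacklist entry that falls inside, or covers, one of our own
// network blocks.
type Hit struct {
	OwnBlock string // our CIDR, as configured
	Entry    string // the blacklist entry, as published
}

// overlaps reports whether two networks share at least one address, which is
// the case exactly when either contains the other's first address.
func overlaps(a, b *net.IPNet) bool {
	return a.Contains(b.IP) || b.Contains(a.IP)
}

// parseEntry accepts a bare address or a CIDR; a bare address becomes a
// single-host network (/32 or /128).
func parseEntry(s string) (*net.IPNet, bool) {
	if _, n, err := net.ParseCIDR(s); err == nil {
		return n, true
	}
	ip := net.ParseIP(s)
	if ip == nil {
		return nil, false
	}
	bits := 32
	if ip.To4() == nil {
		bits = 128
	}
	return &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)}, true
}

// CheckBlacklist compares our own blocks against a published list. Feed lines
// that do not parse (comments, junk) are skipped; a malformed own block is an
// error, since silently ignoring it would hide a monitoring gap.
func CheckBlacklist(ownBlocks, feed []string) ([]Hit, error) {
	var hits []Hit
	for _, own := range ownBlocks {
		_, ownNet, err := net.ParseCIDR(own)
		if err != nil {
			return nil, fmt.Errorf("own block %q: %w", own, err)
		}
		for _, entry := range feed {
			if n, ok := parseEntry(entry); ok && overlaps(ownNet, n) {
				hits = append(hits, Hit{OwnBlock: own, Entry: entry})
			}
		}
	}
	return hits, nil
}

// OwnBlocks and SampleFeed are constructed values (documentation ranges), not
// real listings.
var (
	OwnBlocks  = []string{"203.0.113.0/24", "198.51.100.0/25"}
	SampleFeed = []string{
		"# constructed feed: one entry per line, addresses or CIDRs",
		"203.0.113.77",
		"198.51.100.0/24",
		"192.0.2.0/24",
		"203.0.113.0/26",
		"2001:db8::1",
		"not-an-address",
	}
)

func main() {
	hits, err := CheckBlacklist(OwnBlocks, SampleFeed)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, h := range hits {
		fmt.Printf("%s is affected by listing %s\n", h.OwnBlock, h.Entry)
	}
}
```

Note that the overlap test catches both directions: a single listed host inside our /24, and a listed /24 that swallows our smaller /25, which is the case that matters most for a tenant sharing a provider's range.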
42
2. Insecure Interfaces and APIs
[description not recoverable in this copy]
43
2. Insecure Interfaces and APIs
Examples
Anonymous access and/or reusable tokens or passwords; clear-text authentication or transmission of content; inflexible access controls or improper authorizations; limited monitoring and logging capabilities; unknown service or API dependencies.
44
2. Insecure Interfaces and APIs
Remediation
1. Analyze the security model of cloud provider interfaces.
2. Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
3. Understand the dependency chain associated with the API.
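Remediation item 2 (strong authentication and access controls, together with encrypted transmission) addresses the reusable-token and clear-text-credential weaknesses listed on the previous slide. The Go code below is an added example, not from the slides or from the CSA document, of an API credential that is integrity-protected with HMAC-SHA256, expires, is bound to a scope, and is single-use, so a captured copy cannot be replayed against the API. Encrypted transmission (TLS) is assumed to wrap the exchange and is not shown; Issuer, Issue, Verify and the error values are this example's own names, and the key and token values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"sync"
	"time"
)

// Issuer is a constructed example of an API credential scheme: tokens are bound
// to a subject and a scope, expire, are integrity-protected with HMAC-SHA256 and
// are single-use, so a captured copy cannot simply be replayed. Transport
// encryption (TLS) is assumed around the exchange and is not shown here.
type Issuer struct {
	key  []byte
	mu   sync.Mutex
	seen map[string]time.Time // token id -> expiry, for replay detection
}

func NewIssuer(key []byte) *Issuer {
	return &Issuer{key: key, seen: map[string]time.Time{}}
}

// Strict decoding rejects non-zero trailing bits, so a token cannot be altered
// without changing the decoded bytes.
var enc = base64.RawURLEncoding.Strict()

func (is *Issuer) sign(payload []byte) []byte {
	mac := hmac.New(sha256.New, is.key)
	mac.Write(payload)
	return mac.Sum(nil)
}

// Issue builds "base64(subject|scope|expiry|id).base64(hmac)". The id must be
// unique per token (a random value in practice; supplied by the caller here),
// and none of the fields may contain "|".
func (is *Issuer) Issue(subject, scope, id string, ttl time.Duration, now time.Time) string {
	exp := strconv.FormatInt(now.Add(ttl).Unix(), 10)
	payload := []byte(subject + "|" + scope + "|" + exp + "|" + id)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(is.sign(payload))
}

var (
	ErrBadToken = errors.New("token: malformed or bad signature")
	ErrExpired  = errors.New("token: expired")
	ErrScope    = errors.New("token: scope not permitted")
	ErrReplayed = errors.New("token: already used")
)

// Verify checks the signature first (in constant time), so no field is trusted
// before its integrity is known, then expiry, scope and single-use. On success
// the token id is recorded so a second presentation is refused.
func (is *Issuer) Verify(token, requiredScope string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return "", ErrBadToken
	}
	payload, err1 := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !hmac.Equal(sig, is.sign(payload)) {
		return "", ErrBadToken
	}
	f := strings.Split(string(payload), "|")
	if len(f) != 4 {
		return "", ErrBadToken
	}
	exp, err := strconv.ParseInt(f[2], 10, 64)
	if err != nil {
		return "", ErrBadToken
	}
	if now.Unix() >= exp {
		return "", ErrExpired
	}
	if f[1] != requiredScope { // exact match; a real scheme would compare scope sets
		return "", ErrScope
	}
	is.mu.Lock()
	defer is.mu.Unlock()
	if _, used := is.seen[f[3]]; used {
		return "", ErrReplayed
	}
	is.seen[f[3]] = time.Unix(exp, 0)
	for id, e := range is.seen { // forget ids of tokens that can no longer be presented
		if !now.Before(e) {
			delete(is.seen, id)
		}
	}
	return f[0], nil
}
```

The order of checks is the point: signature before parsing, expiry before scope, and the replay record written only for a token that passed everything else, so an attacker who captures a token in transit (the clear-text case on the previous slide) gets at most one use of it, and none after it expires.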
45
3. Malicious Insiders
[description not recoverable in this copy]
46
3. Malicious Insiders
Examples
[not recoverable in this copy]
47
3. Malicious Insiders
Remediation
1. Enforce strict supply chain management and conduct a comprehensive supplier assessment.
2. Specify human resource requirements as part of legal contracts.
3. Require transparency into overall information security and management practices, as well as compliance reporting.
4. Determine security breach notification processes.
48
4. Shared Technology Issues
[description not recoverable in this copy, apart from a reference to IaaS]
49
4. Shared Technology Issues
Examples
Joanna Rutkowska's Red and Blue Pill exploits; Kortchinsky's CloudBurst presentations.
50
4. Shared Technology Issues
Remediation
1. Implement security best practices for installation/configuration.
2. Monitor environment for unauthorized changes/activity.
3. Promote strong authentication and access control for administrative access and operations.
4. Enforce service level agreements for patching and vulnerability remediation.
5. Conduct vulnerability scanning and configuration audits.
51
5. Data Loss or Leakage
[description not recoverable in this copy, apart from a reference to AAA]
52
5. Data Loss or Leakage
Examples
Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys; operational failures; persistence and remanence challenges; disposal challenges; risk of association; jurisdiction and political issues; data center reliability; disaster recovery.
53
5. Data Loss or Leakage
Remediation
1. Implement strong API access control.
2. Encrypt and protect integrity of data in transit.
3. Analyze data protection at both design and run time.
4. Implement strong key generation, storage and management, and destruction practices.
5. Contractually demand providers wipe persistent media before it is released into the pool.
6. Contractually specify provider backup and retention strategies.
54
6. Account or Service Hijacking
[description not recoverable in this copy, apart from references to IT]
55
6. Account or Service Hijacking
Examples
[not recoverable in this copy]
56
6. Account or Service Hijacking
Remediation
1. Prohibit the sharing of account credentials between users and services.
2. Leverage strong two-factor authentication techniques where possible.
3. Employ proactive monitoring to detect unauthorized activity.
4. Understand cloud provider security policies and SLAs.
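Items 1 and 3, prohibiting credential sharing and monitoring proactively for unauthorized activity, can be partly implemented as detections over authentication logs. The Go code below is an added example, not code from the slides or from the CSA document: it runs two detections over a constructed authentication log, a burst of failed logins followed by a success from a source that has never succeeded for that user, and one credential succeeding from several distinct sources within a short window, which is what a shared account or a hijacked one typically looks like. The log format, the thresholds and the names Analyze and SampleLog are this example's own assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleLog is a constructed authentication log (not from the original page).
// Each line is: <RFC3339 time> user=<name> src=<ip> result=ok|fail
var SampleLog = []string{
	"2010-11-26T10:00:00Z user=alice src=198.51.100.7 result=fail",
	"2010-11-26T10:00:30Z user=alice src=198.51.100.7 result=fail",
	"2010-11-26T10:01:00Z user=alice src=198.51.100.7 result=fail",
	"2010-11-26T10:01:30Z user=alice src=198.51.100.7 result=ok",
	"2010-11-26T11:00:00Z user=svc-backup src=10.0.0.5 result=ok",
	"2010-11-26T11:01:00Z user=svc-backup src=10.0.0.6 result=ok",
	"2010-11-26T11:02:00Z user=svc-backup src=10.0.0.7 result=ok",
	"this line is malformed and is skipped",
}

const (
	failThreshold = 3                // assumed tuning value
	window        = 10 * time.Minute // assumed tuning value
)

type event struct {
	at                time.Time
	user, src, result string
}

func parseLine(line string) (event, bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return event{}, false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, false
	}
	kv := map[string]string{}
	for _, p := range f[1:] {
		if i := strings.Index(p, "="); i > 0 {
			kv[p[:i]] = p[i+1:]
		}
	}
	e := event{at, kv["user"], kv["src"], kv["result"]}
	return e, e.user != "" && e.src != "" && e.result != ""
}

// inWindow keeps only timestamps no older than window before now.
func inWindow(ts []time.Time, now time.Time) []time.Time {
	var keep []time.Time
	for _, t := range ts {
		if now.Sub(t) <= window {
			keep = append(keep, t)
		}
	}
	return keep
}

// Analyze returns one alert per suspicious pattern:
//   - brute-force-then-success: failThreshold or more failures for a user in the
//     window, then a success from a source that never succeeded for that user;
//   - shared-credential: a third distinct source succeeding for one user inside
//     the window, which is what a shared or hijacked account typically looks like.
func Analyze(lines []string) []string {
	var evs []event
	for _, l := range lines {
		if e, ok := parseLine(l); ok {
			evs = append(evs, e)
		}
	}
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
	var alerts []string
	fails := map[string][]time.Time{}           // user -> recent failure times
	lastOK := map[string]map[string]time.Time{} // user -> src -> last success
	for _, e := range evs {
		if e.result != "ok" {
			fails[e.user] = append(inWindow(fails[e.user], e.at), e.at)
			continue
		}
		if lastOK[e.user] == nil {
			lastOK[e.user] = map[string]time.Time{}
		}
		_, knownSrc := lastOK[e.user][e.src]
		if len(inWindow(fails[e.user], e.at)) >= failThreshold && !knownSrc {
			alerts = append(alerts, fmt.Sprintf("brute-force-then-success user=%s src=%s at=%s", e.user, e.src, e.at.Format(time.RFC3339)))
		}
		lastOK[e.user][e.src] = e.at
		distinct := 0
		for _, t := range lastOK[e.user] {
			if e.at.Sub(t) <= window {
				distinct++
			}
		}
		if distinct == 3 {
			alerts = append(alerts, fmt.Sprintf("shared-credential user=%s sources=%d at=%s", e.user, distinct, e.at.Format(time.RFC3339)))
		}
	}
	return alerts
}
```

A success from a source that has already succeeded for the same user, even after a few failures, is deliberately not alerted on, since that is what a mistyped password looks like; the thresholds would be tuned against the provider's own baseline.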
57
7. Unknown Risk Profile
[description not recoverable in this copy, apart from references to IaaS, PaaS and SaaS]
58
7. Unknown Risk Profile
Examples
IRS asked Amazon EC2 to perform a C&A; Amazon refused. http://news.qualys.com/newsblog/forrester-cloud-computingqa.html
Heartland Data Breach: Heartland's payment processing systems were using known-vulnerable software and were actually infected, but Heartland was willing to do only the bare minimum and comply with state laws instead of taking the extra effort to notify every single customer, regardless of law, about whether their data has been stolen. http://www.pcworld.com/article/158038/heartland_has_no_heart_for_violated_customers.html
59
7. Unknown Risk Profile
Remediation
1. Disclosure of applicable logs and data.
2. Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.).
3. Monitoring and alerting on necessary information.
61 ISMS (Information Security Management System) [rest of title not recoverable in this copy]
[introductory paragraph not recoverable in this copy]
Information Security:
Confidentiality: [definition not recoverable in this copy]
Integrity: [definition not recoverable in this copy]
Availability: [definition not recoverable in this copy]
Legality: [definition not recoverable in this copy]
62 ISMS (Information Security Management System) [rest of title not recoverable in this copy]
[body not recoverable in this copy; it references CNS 17800:2002 / BS 7799-2:2002, the ISO/IEC 27001:2005 standard published by ISO on 2005-10-15, and the draft CNS 27001:200X]
63 [title not recoverable in this copy]
IBM: [description not recoverable] Web AP Security
IBM: [description not recoverable] VPC Gateway, Cloud Safety Box
Novell: Cloud Security Alliance (CSA), Trusted Cloud [description not recoverable]
VMware: VMSafe API [description not recoverable]
[vendor not recoverable]: Deep Security [description not recoverable]
VPC Gateway: [description not recoverable] Virtual Private Cloud (Amazon Virtual Private Cloud)
Cloud Safety Box: [description not recoverable] Amazon S3