Friday, February 27, 2015

Is your data more (or less) secure in the cloud?

The basic concept behind public cloud computing is to consolidate traditional behind-the-firewall services, data, and applications into an elastic, on-demand, multi-tenant, third-party hosted environment. So, is your data more secure in the cloud than in the enterprise? One could argue both ways.

Less secure:
- the cloud is a more attractive and lucrative target for attackers (higher return on investment): a single breach exposes the consolidated data of all customers.
- virtualization/multi-tenancy creates more attack surface than the traditional computing model.
- you lose control of your data.

More secure:
- the cloud provider may protect your data with the very latest security technologies, operated by an expert security team, while many enterprises do not have that luxury.
- security patches/updates may be applied promptly and consistently across all resources (better security management).
- it is easier to protect centralized, consolidated resources than distributed ones.
- the provider can correlate audit information from multiple customers to detect and mitigate attacks more effectively.

Monday, January 5, 2015

[Research] Privacy Preserving Data Services in the Cloud

When you use a data service in the cloud to store your business data, there are, among other concerns, security and privacy implications. Two key concerns are data confidentiality and access privacy. In this post, I briefly discuss these two concerns and highlight the related research work.

Data confidentiality - prevent the cloud from seeing the plaintext data.
Access privacy - prevent the cloud from inferring information about the data from the queries made against it.

Data confidentiality research:

  • The challenge is to allow query processing while keeping both the data and the query oblivious to the cloud
  • Researchers have mainly taken two approaches

Access Privacy research:

  • The challenge is to leak as little of the query access pattern as possible while keeping the computational cost reasonably low, so that the approach is practical.
  • There are two main paths that researchers have taken to solve this problem:
    • Private Information Retrieval (PIR) based approaches [1]
    • Oblivious RAM (ORAM) based approaches  [1
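To make the access-privacy goal concrete, here is an added example (not code from this post or from the cited work) of the classic two-server XOR-based PIR construction. It assumes two non-colluding servers that each hold a full copy of the database, and uses a constructed toy database of eight fixed-size records:

```python
import secrets

# Constructed toy "cloud" database: 8 fixed-size records (hypothetical rows).
RECORD_SIZE = 16
DATABASE = [f"record-{i}".encode().ljust(RECORD_SIZE, b"\0") for i in range(8)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_answer(db: list, subset: set) -> bytes:
    """Run by each (non-colluding) server: XOR together the records whose
    index is in `subset`. The server only ever sees a uniformly random
    subset of indices, so it learns nothing about the record the client wants."""
    acc = bytes(len(db[0]))
    for idx in subset:
        acc = xor_bytes(acc, db[idx])
    return acc


def client_queries(n: int, i: int) -> tuple:
    """Build the two queries for record i: a uniformly random subset S1 of
    {0..n-1}, and S2 = S1 with the membership of i toggled. Each subset on
    its own is uniformly random, so neither server can infer i from it."""
    s1 = {j for j in range(n) if secrets.randbits(1)}
    s2 = s1 ^ {i}  # symmetric difference toggles i
    return s1, s2


def pir_fetch(db: list, i: int) -> bytes:
    """Client side: send S1 to server 1 and S2 to server 2 (both simulated
    locally here) and XOR the answers. Every record other than i is in both
    subsets or in neither, so it cancels out and only db[i] remains."""
    s1, s2 = client_queries(len(db), i)
    return xor_bytes(server_answer(db, s1), server_answer(db, s2))


def naive_fetch(db: list, i: int) -> bytes:
    """The access-pattern-leaking baseline: the server is told i directly, so
    even if every record were encrypted it learns exactly which row was read."""
    return db[i]
```

The price of hiding the access pattern is visible in `client_queries`: each query is a subset of all n indices (n bits per server) and each server must touch roughly half the database per request, which is the cost/leakage trade-off the bullet above refers to. The privacy guarantee also collapses if the two servers collude, since S1 ^ S2 reveals i.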

Friday, January 2, 2015

[Basics] Two-factor authentication

It's also called token-based authentication. It sounds like something new, but we have been using it for ages: virtually all ATMs use two-factor authentication for debit cards.

What is two-factor authentication?
Before I explain what two-factor authentication is, let me list the three possible ways to authenticate a person or a thing, based on the following criteria:
- what you know (e.g. password, pin)
- what you have (e.g. debit card, mobile phone, USB stick token)
- what you are (e.g. fingerprint, iris, face)

Most systems rely on only one of the above three factors to authenticate a user. For example, a bank website asks you only for your username and password (what you know) to log in to its site. The idea behind two-factor authentication is simple: use two of the above factors to authenticate a user.

Examples of two-factor authentication
As mentioned above, debit cards at ATMs use two-factor authentication:
- Debit card (what you have)
- 4 digit PIN (what you know)

Google supports mobile-based two-factor authentication. You use your regular username and password (what you know) along with a code sent to your mobile phone (what you have).
- mobile phone (what you have)
- username and password (what you know)

RSA SecurID supports two-factor authentication:
- a token generated either by a hardware device (USB dongle) or by a software app (what you have)
- either of the other two factors listed above

The most common form of two-factor authentication is to use a token together with a username/password. So it is important to safeguard tokens in order to have a secure two-factor authentication system. Tokens are basically OTPs (one-time passwords).

Where can an attacker strike in a token-based authentication flow?
- token infrastructure
- token vendor
- token itself
- the client using the token (attackers mostly target this, as clients are usually the weakest link in the whole flow)

Example attacks on token-based authentication systems
- the attack on RSA SecurID (attacking the token vendor)
- differential power analysis attacks to recover tokens/keys (attacking the token itself): recovering DES/AES keys, recovering smartcard keys
- malware that steals tokens from clients (attacking clients): the Zeus trojan, 2007-2009

There are security measures you can take to defend against the above types of attacks.