
Cloud Computing Security

This document discusses cloud computing security. It covers common security services like confidentiality, integrity and availability. It then discusses some key cloud computing security issues like loss of control, lack of trust and multi-tenancy. It also discusses potential attackers like malicious insiders and outsiders. Finally, it provides recommendations for securing cloud computing through approaches like identity and access management, legal compliance, and incident response.

Uploaded by Garvit Tyagi

Cloud Computing Security

Agenda

• Cloud Computing Security
  ◦ Computer Security
  ◦ Computer Security Services
  ◦ Cloud Computing Security Issues
  ◦ Dangers and Vulnerabilities
  ◦ Attackers
  ◦ Threats, Concerns, Assets
  ◦ Cloud Computing Security Domains
  ◦ Solutions and Recommendations

Security Services

• Confidentiality
• Integrity
• Availability

Confidentiality

Authorized to Know

Integrity

Data Has Not Been Tampered With

Availability

Data Never Lost
Machines Never Fail

Cloud Security!! A Major Concern

• Security concerns arise because both the customer's data and the customer's programs reside at the provider's premises.

[Figure: Customer Data and Customer Code residing at the Provider Premises]

Security Is the Major Challenge


Why Cloud Computing brings new threats?

• Traditional system security mostly means keeping bad guys out
• The attacker needs to either compromise the auth/access control system, or impersonate existing users

Why Cloud Computing brings new threats?

• Cloud security problems come from:
  ◦ Loss of control
  ◦ Lack of trust
  ◦ Multi-tenancy
• These problems exist mainly in 3rd party management models
  ◦ Self-managed clouds still have security issues, but not related to the above

Why Cloud Computing brings new threats?

Consumer’s loss of control

• Data, applications, resources are located with the provider
• User identity management is handled by the cloud
• User access control rules, security policies and enforcement are managed by the cloud provider
• Consumer relies on the provider to ensure
  ◦ Data security and privacy
  ◦ Resource availability
  ◦ Monitoring and repairing of services/resources

Why Cloud Computing brings new threats?

Multi-tenancy:

• Multiple independent users share the same physical infrastructure
• So, an attacker can legitimately be in the same physical machine as the target

Who is the attacker?

Insider?
• Malicious employees at client
• Malicious employees at Cloud provider
• Cloud provider itself

Outsider?
• Intruders
• Network attackers?

Attacker Capability: Malicious Insiders

• At client
  ◦ Learn passwords/authentication information
  ◦ Gain control of the VMs
• At cloud provider
  ◦ Log client communication

Attacker Capability: Cloud Provider

• What?
  ◦ Can read unencrypted data
  ◦ Can possibly peek into VMs, or make copies of VMs
  ◦ Can monitor network communication, application patterns

Attacker Capability: Outside attacker

• What?
  ◦ Listen to network traffic (passive)
  ◦ Insert malicious traffic (active)
  ◦ Probe cloud structure (active)
  ◦ Launch DoS

Challenges for the attacker

• How to find out where the target is located
• How to be co-located with the target in the same (physical) machine
• How to gather information about the target

Threats

Organizing the threats using STRIDE

• Spoofing identity
  ◦ One person or program successfully poses as another by falsifying data, thereby gaining an illegitimate advantage
• Tampering with data
• Repudiation
  ◦ To repudiate means to deny
• Information disclosure
• Denial of service
• Elevation of privilege

Security Issues from Virtualization

• Instance isolation: ensuring that different instances running on the same physical machine are isolated from each other.
• Control of the administrator over the host OS and guest OS.
• Current VMs do not offer perfect isolation: many bugs have been found in all popular VMMs that allow escaping from the VM!
• The virtual machine monitor should be ‘root secure’, meaning that no level of privilege within the virtualized guest environment permits interference with the host system.

Streamlined Security Analysis Process

• Identify Assets
  ◦ Which assets are we trying to protect?
  ◦ What properties of these assets must be maintained?
• Identify Threats
  ◦ What attacks can be mounted?
  ◦ What other threats are there (natural disasters, etc.)?
• Identify Countermeasures
  ◦ How can we counter those attacks?

Legal and Regulatory Issues

• Threats
  ◦ Laws and regulations may prevent cloud computing
  ◦ Requirements to retain control
  ◦ Certification requirements not met by provider
  ◦ Geographical limitations – EU Data Privacy
  ◦ New locations may trigger new laws and regulations
• Countermeasures
  ◦ Evaluate legal issues
  ◦ Require provider compliance with laws and regulations
  ◦ Restrict geography as needed

Integrating Provider and Customer Security

• Threat
  ◦ Disconnected provider and customer security systems
  ◦ Fired employee retains access to cloud
  ◦ Misbehavior in cloud not reported to customer
• Countermeasures
  ◦ At least, integrate identity management
  ◦ Consistent access controls
  ◦ Better, integrate monitoring and notifications
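
The "fired employee retains access to cloud" threat above is the kind of gap that reconciling the customer's identity records against the provider-side accounts exposes. The following is an added example, not part of the original slides; the roster, the account export, the field names and the severity labels are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the slides): the customer's HR roster and
# an export of accounts from the cloud provider's identity service.
HR_ROSTER = {
    "alice": {"status": "active", "terminated_on": None},
    "bob": {"status": "terminated", "terminated_on": date(2024, 3, 1)},
    "carol": {"status": "active", "terminated_on": None},
}
CLOUD_ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": date(2024, 3, 9)},
    {"user": "bob", "enabled": True, "last_login": date(2024, 3, 7)},
    {"user": "carol", "enabled": False, "last_login": date(2024, 1, 15)},
    {"user": "svc-backup", "enabled": True, "last_login": date(2024, 3, 10)},
]


def reconcile(roster, accounts, today):
    """Compare the customer's HR roster with the provider-side accounts.

    Returns findings as (severity, user, reason) tuples, most severe first.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used to log in
        person = roster.get(acct["user"])
        if person is None:
            # No owner on the customer side, so nobody will deprovision it.
            findings.append(("medium", acct["user"], "no matching HR record"))
        elif person["status"] == "terminated":
            left = person["terminated_on"]
            reason = f"still enabled {(today - left).days} days after termination"
            if acct["last_login"] > left:
                reason += f"; logged in on {acct['last_login']} after leaving"
                findings.append(("critical", acct["user"], reason))
            else:
                findings.append(("high", acct["user"], reason))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, user, reason in reconcile(HR_ROSTER, CLOUD_ACCOUNTS, date(2024, 3, 11)):
        print(f"{severity.upper():8} {user:12} {reason}")
```

Run on a schedule against both systems, a check like this covers the "integrate identity management" countermeasure and gives the customer its own signal when the provider does not report misbehavior.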

Evaluate the Asset

• How would we be harmed if
  ◦ The asset became widely public & widely distributed?
  ◦ An employee of our cloud provider accessed the asset?
  ◦ The process or function were manipulated by an outsider?
  ◦ The process or function failed to provide expected results?
  ◦ The info/data was unexpectedly changed?
  ◦ The asset were unavailable for a period of time?

Map Asset to Models

• 4 Cloud Models
  ◦ Public
  ◦ Private (internal, external)
  ◦ Community: multi-tenant infrastructure that is shared among several organizations from a specific group with common computing concerns.
  ◦ Hybrid
• Which cloud model addresses your security concerns?

Legal

• Both parties must understand each other’s roles
• Provider must save primary and secondary (logs) data
• Where is the data stored?
  ◦ Laws for cross-border data flows
• Plan for unexpected contract termination and orderly return or secure disposal of assets
• You should ensure you retain ownership of your data in its original form

Compliance & Audit

• Right to Audit clause

• Analyze compliance scope

• Regulatory impact on data security



Portability, Interoperability

• When you have to switch cloud providers

• Contract price increase

• Provider service shutdown

• Decrease in service quality

• Business dispute

Incident Response

• Cloud apps aren’t always designed with data integrity, security in mind
  ◦ Does the provider keep app, firewall, IDS logs?
  ◦ Does the provider deliver snapshots of your virtual environment?

Identity and Access Mgt

• Determine how provider handles:
  ◦ Provisioning, deprovisioning
  ◦ Authentication
  ◦ Federation
  ◦ Authorization, user profile mgt

Virtualization

• What type of virtualization is used by the provider?
• What 3rd party security technology augments the virtual OS?
• Which controls protect admin interfaces exposed to users?
