Unit 4 - Cloud Computing - WWW - Rgpvnotes.in PDF
Unit 4 - Cloud Computing - WWW - Rgpvnotes.in PDF
E
Subject Name: Cloud Computing
Subject Code: CS-8002
Semester: 8th
Downloaded from be.rgpvnotes.in
Subject Notes
CS 8002 - Cloud Computing
Unit-4
Cloud evolution can be considered synonymous to banking system evolution. Earlier people used to
keep all their money, movable assets (precious metals, stones etc.) in their personal possessions and
even in underground lockers as they thought that depositing their hard earned money with bank can
be disastrous. Banking system evolved over the period of time. Legal and security process compliances
protected by Law played a big role in making banking and financial systems trustworthy. Now, people
hardly keep any cash with them. Most of us carry plastic money and transact digitally. Cloud computing
is also evolving the same way.
Robust cloud architecture with strong security implementation at all layers in the stack powered with
legal o plia es a d go e e t p ote tio is the ke to loud se u it . As Ba ks did t vanish
despite frauds, thefts and malpractices, cloud security is going to get evolved but as much faster rate.
Digital world has zero tolerance for waiting! Evolution is natural and is bound to happen.
Cloud is complex and hence security measures are not simple too. Cloud needs to be secured at all
la e s i its sta k. Let s iefl look i to ajo a eas.
At infrastructure level: A sysadmin of the cloud provider can attack the systems since he/she has got all
the admin rights. With root privileges at each machine, the sysadmin can install or execute all sorts of
software to perform an attack. Furthermore, with physical access to the machine, a sysadmin can
perform more sophisticated attacks like cold boot attacks and even tamper with the hardware.
Protection measures:
2. Provider should deploy stringent security devices, restricted access control policies, and surveillance
mechanisms to protect the physical integrity of the hardware.
3. Thus, we assume that, by enforcing a security processes, the provider itself can prevent attacks that
require physical access to the machines.
5. TCG (trusted computing group), a consortium of industry leader to identify and implement security
measures at infrastructure level proposes a set of hardware and software technologies to enable the
o st u tio of t usted platfo s suggests use of e ote attestatio a e ha is to dete t
ha ges to the use s o pute s autho ized pa ties .
At Platform level:
Security model at this level relies more on the provider to maintain data integrity and availability.
Platform must take care of following security aspects:
1. Integrity
2. Confidentiality
3. Authentication
5. SLA
At Application level:
The following key security elements should be carefully considered as an integral part of the
2. Data security
3. Network security
4. Regulatory compliance
5. Data segregation
6. Availability
7. Backup/Recovery Procedure
Most of the above are provided by PaaS and hence optimal utilization of PaaS in modeling SaaS
is very important.
Some of the steps which can be taken to make SaaS secured are:
• Secure Deployment
At Data level:
Apart from securing data from corruption and losses by implementing data protection mechanism at
infrastructure level, one needs to also make sure that sensitive data is encrypted during transit and at
rest.
Apart from all the above measures, stringent security process implementation should also be part of
making cloud secure. Periodic audits should happen. Governing security laws should be amended with
advent in technologies, ethical hacking and vulnerability testing should be performed to make sure the
cloud is secure across all layers.
That s h se u it as a se i e companies have become vital for anyone looking to deploy security
for everything from documents to your entire business.
“ all usi esses a e efit f o this ki d of dist i utio odel e ause it does t e ui e a ig IT o
secu it tea s to get it up a d u i g. Of ou se, ou e t usti g a lot of ou se u it to a othe
company, but in reality these security-focused third parties have more resources (read: time and
money) to focus on security than you do.
So what are the best security-as-a-service products out there? We talked to experts in the security
community to compile this initial list of the top-tier providers.
VentureBeat
It is esea hi g loud platfo s a d e e looki g for your help. We e sta ti g ith a keti g
spe ifi all a keti g auto atio . Help us filli g out a su e , a d ou ll get the full epo t he it s
complete.
Qualys
Qualys secures your devices and web apps, while helping you remain compliant through i ts cloud-only
solution — no hardware or software required. The company analyzes threat information to make sure
nothing gets in your system. If some malware already happens to be there, it will give you the steps to
fix the problem. Beyond that, Qualys will verify that the issue has been fixed. It scans any and all web
apps you use for vulnerabilities as well, keeping your data safe while you head out in the wonderful
world of SaaS, IaaS, and PaaS. In the future, Qualys plans to create a cloud-only firewall to even further
protect your websites from harm.
Proofpoint
When we talk about attack vectors — holes in the network where bad guys can get in — email pops
out as one of the weakest links. Proofpoint focuses specifically on email, with cloud-only services
tailored to both enterprises and small to medium sized businesses. Not only does it make sure none of
the bad stuff gets in, but it also protects any outgoing data. Proofpoint further promises that while it
stores that data to prevent data loss, it does not have the keys to decrypt any of the information.
Zscaler
)s ale alls its p odu t the Di e t to Cloud Net o k, a d like a of these p odu ts, oasts that it s
much easier to deploy and can be much more cost efficient than traditional appliance security. The
o pa s p odu ts p ote t ou f o ad a ed pe siste t th eats o ito i g all the t affi that
o es i a d out of ou et o k as a ki d of he kpost i the loud. But ou do t ha e to filte all
that traffic in from one central point. You can monitor specific, local networks as well given the
flexibility of the cloud. Zscaler also protects iOS and Android devices within your company, which can
then be monitored through its special mobile online dashboard.
CipherCloud
DocTrackr
DocTrackr is a security layer that sits on top of file sharing services such as Box and Microsoft
Sharepoint. It is built on the idea that once you send a document out of your system, it is truly out of
your hands: People can save it, change it, send it, and more a d ou e lost o t ol of it. Do T a k
aims to stop that from happening. It lets you set user privileges for each person you share a document
ith. It fu the t a ks e e o e ho ope s the file, so ou k o ho s looki g at ou stuff — and you
a e e pull do u e ts a k, effe ti el u sha i g the , if you want.
1. Authentication: The process of providing identity is called authentication. Most computer system
uses a user ID and password combination for identity and authentication. You identity yourself using a
use ID a d authe ti ate ou ide tit ith a pass o d. Let s look at some examples of authentication
from everyday life: at an automatic bank machine, you identify yourself using bank card, when you use
a credit card etc.
2. Single sing on:Single sing on (SSO) is a session/user authentication process that permits a user to
enter one name and password in order to access multiple applications. The process authenticates the
user for all the applications they have been given rights to and eliminates further prompts when they
switch applications during a particular session.
3. Delegation: If a computer user temporarily hands over his authorizations to another user then this
process is called delegation. There are two classes of delegation.
4. Confidentiality: confidentiality assures you that cannot be viewed by unauthorized people. The
confidentiality service protects system data and information from unauthorized disclosure. When data
lea e o e e t e e of a s ste su h as lie t s o pute i a network, it ventures out into a non-
trusting environment. So, the recipient of data may not fully trust that no third party like a
cryptanalysis or a man-in-the middle has eavesdropped on the data.
5. Integrity: It assures you that data has not changed without your knowledge (the information
cannot be altered in storage or transit sender and receiver without the alteration being detected).The
integrity can be used in reference to proper functioning of a network, system, or application.
7. Privacy: Internet privacy involves the desire or mandate of personal privacy concerning transaction
or transmission of data via the internet. It also involves the exercise of control over the type and
amount of information revealed about person on the internet and who mat access said information
personal information should be managed as part of the data use organization. It should be manage
from the time the information is conceived through to its final disposition.
8. Trust: O ga izatio s elief i the elia ilit , t uth, a ilit , o st e gth of so eo e o so ethi g.
T ust e ol es a ou d assu a e a d o fide e that people, data e tities, i fo atio o p o esses
will function or behave in expected ways. Trust may be human to human, machine to machine, human
to machine or machine to human. At a deeper level, trust might be regarded as a consequence of
progress towards security or privacy objectives.
9. Policy: The term policy is high-level requirement that specify which access is managed and who,
under what circumstances, may access what information. A security policy should fulfill many
purposes. It should protect people and information, and set the rules for expected behavior by users,
system administrators, management, and security personnel.
10. Authorization: Authorization is the act of checking to see if a user has the proper permission to
access a particular file or perform a particular action. It enables us to determine exactly what a user is
allowed to do. Authorization typically implemented through the use of access control. While
determining what access will be provided to the parties to whom we have provided authorized access,
there is an important concept we should consider, called the principle of least privilege.
11. Accounting: accounting services keep track of usage of services by other services/ users so that
they can be charged accordingly.
Clouds are everywhere these days. They are often cheaper, more powerful, compatible with single
sign-on (SSO) and often accessible via a Web browser. There are four main types of clouds: on-
premises, or clouds hosted by the customer; off-premises, or clouds hosted by a vendor; dedicated,
which are clouds used only for a particular tenant; and shared, a cloud where resources are spread
among many tenants.
These categories are more descriptive than public and private clouds. There are also virtual machine-
based clouds where several separate computing environments can be used, versus bare-metal, where
each compute node is a separate physical machine.
The fi st a d ost da ge ous th eat i a IT s ste is the i side th eat. It s espe iall ha d to defend
against because users, and particularly administrators, have usually been granted some degree of
trust. Technological countermeasures can usually be circumvented if the user has the right level of
access. This is why it is critical for organizations to have an efficient off boarding process so that
disgruntled released employees do not have access to the systems.
Side-channel threats occur when an attacker has the ability to obtain information from another
te a t s ode easu i g so e side effe t of the s ste s use. These ha e ee popula ized i the
research community but, to IBM X-Fo e s knowledge; have not been seen in the real world.
Perhaps the most dangerous real-world threat is the loss of authority over the cloud control interface.
We a e t talki g a out the p o isio i g po tal ut athe the ad i ist ati e i te fa e of ou
e te p ise s loud. Thi k of it as a o t ol o sole fo ou loud odes.
In the right situation, this can lead to a complete loss of integrity, confidentiality and availability. Note
that the atta k he e is agai st the i te fa e s We se e , o a oss-site scripting (XSS) or cross-site
e uest fo gi g C“‘F atta k agai st the ad i ist ato s We o se .
Make su e the i te fa e s We se e is up to date a d that the interface does not have any XSS or
CSRF vulnerabilities. These are just good security practices in general and are not unique to the cloud.
If you use SSO, be sure your security assertion markup language (SAML) implementation follows the
recommended specification.
Additionally, use two-factor authentication. Note that this is good practice for restricting access to any
sensitive servers and data.
There is a somewhat rare attack called virtual host confusion. It is often seen with content delivery
networks and shared platform-as-a-service (PaaS) clouds. This attack can allow for server
impersonation under the right circumstances. Once again, the X-Force team is not aware of this being
exploited in the wild. For mo e i fo atio , ead the pape Net o k-based Origin Confusion Attacks
agai st HTTP“ Vi tual Hosti g.
This attack is from the same group that identified Logjam, FREAK, SLOTH and others. To prevent this
attack, never use certificates for more than one domain. Avoid using wildcard certificates and carefully
configure TLS caching and ticketing parameters to be different for every Web server. Finally, make sure
your domain fallback page is an error page.
Shared data and computations on shared (typically off-premises) clouds can be exposed in the right
circumstances. This particularly applies to MapReduce operations. To prevent this leakage, consider
dedicated clouds, where there is a lesser chance of malicious actors having a presence.
Never make the mistake of assuming that on-premises or dedicated clouds need not be secured
according to industry best practices. These clouds are often considered a more valuable target by
attackers.
Finally, there is shadow IT, or the inability of IT to monitor the activities of the user. This happens when
the use s lie t is o e ted to a loud ith a e pted o e tio . I that ase, the use a
interact with the cloud and perhaps perform unauthorized actions. To combat this, consider
federating. Monitor your logs to see which applications are in use and use a proxy to intercept cloud
traffic. You can also use an analytics engine and create relevant rules at your endpoint device.
Overcoming Challenges
In general, what can be done to improve cloud security? Always follow the best security practices
whether you are a tenant or a provider, such as tracking new vulnerabilities and attacks against
components of your cloud. If you are a cloud provider, do background research on entities that wish to
join your environment.
If you are a tenant, always understand your cloud model and compensate for any weaknesses inherent
in that type. Be sure to support TLS 1.2 access. This ensures stronger cryptography and is the latest
secure protocol for connections to Web servers.
Both providers and tenants should institute regular vulnerability scanning as frequently as is feasible.
They should also lock IP addresses so only authorized networks are able to access your cloud or site. If
this is not possible as a provider, then be sure to employ strong authentication and access controls.
As a tenant, make sure all software is up to date. PaaS providers need to do the same with their
environments. In one of the most important measures, tenants must encrypt data. This is critical for
data protection, but be sure to implement cryptography correctly. There are solutions available to
minimize the ciphertext reduplication problem.
2011 ended with the popularization of an idea: Bringing VMs (virtual machines) onto the cloud. Recent
years have seen great advancements in both cloud computing and virtualization On one hand there is
the ability to pool various resources to provide software-as-a-service, infrastructure-as-a-service and
platform-as-a-service. At its most basic, this is what describes cloud computing. On the other hand, we
have virtual machines that provide agility, flexibility, and scalability to the cloud resources by allowing
the vendors to copy, move, and manipulate their VMs at will. The term virtual machine essentially
describes sharing the resources of one single physical computer into various computers within itself.
VMware and virtual box are very commonly used virtual systems on desktops. Cloud computing
effectively stands for many computers pretending to be one computing environment. Obviously, cloud
computing would have many virtualized systems to maximize resources.
Keeping this information in mind, we can now look into the security issues that arise within a cloud-
o puti g s e a io. As o e a d o e o ga izatio s follo the I to the Cloud o ept, ali ious
hackers keep finding ways to get their hands on valuable information by manipulating safeguards and
breaching the security layers (if any) of cloud environments. One issue is that the cloud-computing
scenario is not as transparent as it claims to be. The service user has no clue about how his information
is processed and stored. In addition, the service user cannot directly control the flow of
data/information storage and processing. The service provider usually is not aware of the details of the
service running on his or her environment. Thus, possible attacks on the cloud-computing environment
can be classified in to:
1. Resource attacks:
These kinds of attacks include manipulating the available resources into mounting a large-scale
botnet attack. These kinds of attacks target either cloud providers or service providers.
2. Data attacks: These kinds of attacks include unauthorized modification of sensitive data at
nodes, or performing configuration changes to enable a sniffing attack via a specific device etc.
These attacks are focused on cloud providers, service providers, and also on service users.
3. Denial of Service attacks: The creation of a new virtual machine is not a difficult task, and thus,
creating rogue VMs and allocating huge spaces for them can lead to a Denial of Service attack
for service providers when they opt to create a new VM on the cloud. This kind of attack is
generally called virtual machine sprawling.
4. Backdoor: Another threat on a virtual environment empowered by cloud computing is the use
of backdoor VMs that leak sensitive information and can destroy data privacy.
5. Having virtual machines would indirectly allow anyone with access to the host disk files of the
VM to take a snapshot or illegal copy of the whole System. This can lead to corporate espionage
and piracy of legitimate products.
With so many obvious security issues (and a lot more can be added to the list), we need to enumerate
some steps that can be used to secure virtualization in cloud computing.
The most neglected aspect of any organization is its physical security. An advanced social engineer can
take advantage of weak physical-se u it poli ies a o ga izatio has put i pla e. Thus, it s i po ta t
to have a consistent, context-aware security policy when it comes to controlling access to a data
center. Traffic between the virtual machines needs to be monitored closely by using at least a few
standard monitoring tools.
Architecting appropriate security controls that protect the CIA of information in the cloud can mitigate
cloud security threats. Security controls can be delivered as a service (Security-as-a-Service) by the
provider or by the enterprise or by a 3rd party provider. Security architectural patterns are typically
expressed from the point of security controls (safeguards) – technology and processes. These security
controls and the service location (enterprise, cloud provider, 3rd party) should be highlighted in the
security patterns.
Security architecture patterns serve as the North Star and can accelerate application migration to
clouds while managing the security risks. In addition, cloud security architecture patterns should
highlight the trust boundary between various services and components deployed at cloud services.
These patterns should also point out standard interfaces, security protocols (SSL, TLS, IPSEC, LDAPS,
SFTP, SSH, SCP, SAML, OAuth, Tacacs, OCSP, etc.) and mechanisms available for authentication, token
management, authorization, encryption methods (hash, symmetric, asymmetric), encryption
algorithms (Triple DES, 128-bit AES, Blowfish, RSA, etc.), security event logging, source-of-truth for
policies and user attributes and coupling models (tight or loose).Finally the patterns should be
leveraged to create security checklists that need to be automated by configuration management tools
like puppet.
In general, patterns should highlight the following attributes (but not limited to) for each of the
security services consumed by the cloud application figure 4.1:
Logical location – Native to cloud service, in-house, third party cloud. The location may have an
implication on the performance, availability, firewall policy as well as governance of the service.
Protocol – What protocol(s) are used to invoke the service? For example REST with X.509 certificates
for service requests.
Service function – What is the function of the service? For example encryption of the artifact, logging,
authentication and machine finger printing.
Input/Output – What are the inputs, including methods to the controls, and outputs from the security
service? For example, Input = XML doc and Output =XML doc with encrypted attributes.
Control description – What security control does the security service offer? For example, protection of
information confidentiality at rest, authentication of user and authentication of application.
Actor – Who are the users of this service? For example, End point, End user, Enterprise administrator,
IT auditor and Architect.
P
r
Platform and Infrastructure Security
o
v
i
d Pass Services-NoSQL, API, Message Quues, Storage
e
r
Web Resources:
https://aws.amazon.com/security/introduction-to-cloud-security/
https://www.fortinet.com/solutions/enterprise-midsize-business/cloud-security.html
https://www.solutionary.com/managed-security-services/cloud-security/
http://www.csoonline.com/article/3053159/security/cloud-security-challenges.html