Cloud computing

1

Risk in CloudComputing Environment

Presented by,

Akanksha Botke

CEH, VAPT Auditor

22

Agenda

Introduction

Cloud Computing Models

Cloud Computing Architecture

Cloud Computing Characteristics

Purpose and Benefits

Cloud-Sourcing

Risk In Cloud Computing

Data Security In Cloud Computing

Vulnerabilities In Cloud Computing

Hardening Cloud Security

Conclusion

33

Introduction

Cloud computing is typically defined as a type of computing thatrelies on sharing computing resources rather than having localservers or personal devices to handle applications.

In cloud computing, the word cloud (also phrased as "the cloud")is used as a metaphor for "the Internet," so the phrase cloudcomputing means "a type of Internet-based computing," wheredifferent services — such as servers, storage and applications —are delivered to an organization's computers and devices throughthe Internet.

44


1. Software as a Service (Saas)

The capability provided to the consumer is to use the provider’s

applications running on a cloud infrastructure. The applications are

accessible from various client devices through a thin client interface

such as a web

Characteristics of SaaS:

Its easy to work under administration

It can be globally access

The software can be updated automatically

All license holder user will have same version of software

55

Cloud Computing of Models

2. Platform as a Service (PaaS)

The capability provided to the consumer is to deploy onto the cloud

infrastructure his own applications without installing any platform or

tools on their local machines. PaaS refers to providing platform layer

resources, including operating system support and software

development frameworks that can be used to build higher-level

services.

Characteristics of PaaS:

No need of downloading and installing operating System.

It saves Customers money.

It mainly deals for delivering operating systems over Internet.

Software can be developed, tested and deployed

66


3. Infrastructure as a Service (IaaS).

The capability provided the sharing of hardware resources for executing

services, typically using Virtualization technology. Infrastructure as a

Service is an equipment which is used to support hardware, software,

storage, servers and mainly used for delivering software application

environments

Characteristics of IaaS:

Policy based Services

Utility computing Services

Dynamic Scaling

Internet Connectivity

77

Cloud Computing Architecture

88

Cloud Computing Characteristics

Common Characteristics:

Massive Scale

Homogeneity

Virtualization

Low Cost Software

Resilient Computing

Geographic Distribution

Service Orientation

Advanced Security

9

Data: Bibliographic, Digital, Administrative, License, Access and

Preservation.

Content: Collections, Subscriptions, Print, Publishing.

Services: Library as Place, Content Access, Content Creation,

Instruction, Research, Preservation.

Experience: Research, Study Support, Peer based Collaboration, IT

Exploration

9

Use of Cloud Computing in Library

1010

Purpose and Benefits

Cloud computing enables companies and applications, which are system

infrastructure dependent, to be infrastructure-less.

By using the Cloud infrastructure on “Pay per use and On Demand”, which all

of us can save in capital and operational investment!

• Pay per use - Computing resources are measured at a granular level, allowing

users to pay only for the resources and workloads they use.

• On Demand - End users can spin up computing resources for almost any type

of workload on-demand

Clients can:

• Put their data on the platform instead of on their own desktop PCs and/or

on their own servers.

• They can put their applications on the cloud and use the servers within the

cloud to do processing and data manipulations etc.

1111

Cloud-Sourcing

Why is it becoming a Big Deal:

• Using high-scale/low-cost providers,

• Any time/place access via web browser,

• Rapid scalability; incremental cost and load sharing,

• Can forget need to focus on local IT.

Concerns:

• Performance, reliability, and SLAs,

• Control of data, and service parameters,

• Application features and choices,

• Interaction between Cloud providers,

• No standard API – mix of SOAP and REST!

• Privacy, security, compliance, trust…

1212

Risk In Cloud Computing

1313


Data outsourcing - Users are relieved from the burden of data storage

and maintenance. When users put their data (of large size) on the cloud,

the data integrity protection is challenging.

Cloud computing is built on top of virtualization, if there are security issues

with virtualization, then there will also security issues with cloud computing.

Data segregation - Data in the cloud is typically in a shared environment

alongside data from other customers. Encryption is effective but isn't a

cure-all. The cloud provider should provide evidence that encryption

schemes were designed and tested by experienced specialists.

A data center full of servers supporting cloud computing is internally and

externally indistinguishable from a data center full of "regular" servers. In

each case, it will be important for the data center to be physically secure

against unauthorized access

1414


Computer and network security is fundamentally about three

goals/objectives:

-- Confidentiality (C)

-- Integrity (I)

-- Availability (A)

Confidentiality – Its refers to keeping data private. Privacy is the amount

importance as data leaves the borders of the organization. Not only

internal secrets and sensitive personal data, but metadata and

transactional data can also leak important details about firms or

individuals. Confidentiality is supported by, technical tools such as

encryption and access control, as well as legal protections.

1515


Integrity is a degree confidence that the data in the cloud is protected

against accidental or intentional alteration without authorization. It also

extends to the hurdles of synchronizing multiple databases. Integrity is

supported by well audited code, well-designed distributed systems, and

robust access control mechanisms.

Availability means being able to use the system as anticipated. Cloud

technologies can increase availability through widespread internet-enabled

access, but the client is dependent on the timely and robust provision of

resources. Availability is supported by capacity building and good

architecture by the provider, as well as well-defined contracts and terms of

agreement.

1616


Insecure interfaces and APIs

Unlimited allocation of resources

Data-related vulnerabilities

Vulnerabilities in Virtual Machines

Vulnerabilities in Virtual Machine Images

Vulnerabilities in Virtual Networks

Vulnerabilities in Hypervisors

Local Host Security

1717


Insecure interfaces and APIs

Cloud providers offer services that can be accessed through APIs (SOAP,

REST, or HTTP with XML/JSON) The security of the cloud depends upon

the security of these interfaces. Some problems are:

a) Weak credential

b) Insufficient authorization checks

c) Insufficient input-data validation

Also, cloud APIs are still immature which means that are frequently

updated. A fixed bug can introduce another security hole in the application.

1818


Unlimited allocation of resources

Inaccurate modeling of resource usage can lead to overbooking or over-

provisioning.

Due to the heterogeneous and time-variant environment in a Cloud, the

resource provisioning becomes a complex task, forcing the mediation

system to respond with minimal turnaround time in order to maintain the

developer’s quality requirements.

1919


Data-related vulnerabilities

Data can be collocated with the data of unknown owners (competitors, or

intruders) with a weak separation.

Data may be located in different jurisdictions which have different laws.

Incomplete data deletion – data cannot be completely removed.

Data backup done by untrusted third-party providers.

Information about the location of the data usually is unavailable or not

disclosed to users.

Data is often stored, processed, and transferred in clear plain text.

2020


Vulnerabilities in Virtual Machines

Possible covert channels in the collocation of VMs.

Unrestricted allocation and deallocation of resources with VMs.

Uncontrolled Migration - VMs can be migrated from one server to another

server due to fault tolerance, load balance, or hardware maintenance.

Uncontrolled snapshots – VMs can be copied in order to provide flexibility,

which may lead to data leakage.

Uncontrolled rollback could lead to reset vulnerabilities - VMs can be

backed up to a previous state for restoration, but patches applied after the

previous state disappear.

VMs have IP addresses that are visible to anyone within the cloud -

attackers can map where the target VM is located within the cloud (Cloud

cartography).

2121


Vulnerabilities in Virtual Machine Images

Uncontrolled placement of VM images in public repositories.

VM images are not able to be patched since they are dormant artifacts.

Vulnerabilities in Virtual Networks

The cloud characteristic ubiquitous network access means that cloud

services are accessed via network using standard protocols. In most

cases, this network is the Internet, which must be considered untrusted.

Internet protocol vulnerabilities - such as vulnerabilities that allow man-in-

the-middle attacks - are therefore relevant for cloud computing.

Sharing of virtual bridges by several virtual machines.

2222


Vulnerabilities in Hypervisors

Complex hypervisor code.

Flexible configuration of VMs or hypervisors to meet organization needs can be

exploited.

Any remote user can initiate an attack on a Hypervisor and its guest VMs if it is

located in a subnet from which the machine running the Hypervisor is reachable.

Almost any code can be executed from a guest VM’s Ring 3; however, some

functionality will be limited by the OS or the Hypervisor (causing an exception).

Nevertheless, it is easiest to get user-space code to run, so any exploits from this

ring are attractive to an attacker.

An attack from a Guest VM’s Kernel-Space, as it requires control over the

paravirtualized front-end driver.

The Hypervisor can access any resource in the host system (i.e. memory,

peripherals, CPU state, etc.), which means that it can access every guest VM’s

resources.

2323


Local Host Security

Are local host machines part of the cloud infrastructure? • Outside the security perimeter.• While cloud consumers worry about the security on the cloud provider’s

site, they may easily forget to harden their own machines

The lack of security of local devices can • Provide a way for malicious services on the cloud to attack local

networks through these terminal devices.• Compromise the cloud and its resources for other users.

2424


With mobile devices, the threat may be even stronger• Users misplace or have the device stolen from them.• Security mechanisms on handheld gadgets are often times insufficient

compared to say, a desktop computer.• Provides a potential attacker an easy avenue into a cloud system.• If a user relies mainly on a mobile device to access cloud data, the

threat to availability is also increased as mobile devices malfunction orare lost .

Devices that access the cloud should have• Strong authentication mechanisms• Tamper-resistant mechanisms• Strong isolation between applications• Methods to trust the OS• Cryptographic functionality when traffic confidentiality is required.

2525


Secure Logic Migration and Execution Technology

Data Traceability Technology

Authentication and Identity

Application of Encryption for Data in Motion:

Data Masking Technology

2626


Secure Logic Migration and Execution TechnologyFor confidential data that cannot be released outside of thecompany, even formed by concealing certain aspects of the data,by simply defining the security level of data.

Data Traceability TechnologyThe information gateway tracks all information flowing into andout of the cloud, so these flows and their content can be checked.

Data traceability technology uses the logs obtained on data trafficas well as the characteristics of the related text to make visiblethe data used in the cloud

2727


Authentication and Identity

Maintaining confidentiality, integrity, and availability for data security

is a function of the correct application and configuration of familiar

network, system, and application security mechanisms at various

levels in the cloud infrastructure.

Authentication of users takes several forms, but all are based on a combination of authentication factors: something an individual knows (such as a password), something they possess (such as a security token), or some measurable quality that is intrinsic to them (such as a fingerprint).

2828


Application of Encryption for Data in Motion:

Encryption is used to assure that if there was a breach of

communication integrity between the two parties that the data

remains confidential.

Authentication is used to assure that the parties communicating data

are who they say they are.

Common means of authentication themselves employ cryptography

in various ways.

2929


Data Masking Technology

Data masking is a technique that is intended to remove all

identifiable and distinguishing characteristics from data in order to

render it anonymous and yet still be operable.

This technique is aimed at reducing the risk of exposing sensitive

information.

Data masking has also been known by such names as data

obfuscation, de-identification, or depersonalization.

3030

Conclusion

Cloud computing is sometimes viewed as a re-creation of theclassic mainframe client-server model.

However, resources are ubiquitous, scalable, highly virtualized.

Contains all the traditional threats, as well as new ones.

In developing solutions to cloud computing security issues it maybe helpful to identify the problems and approaches in terms of CIA(Confidentially, Integrity and Availability ).

Date post:	15-Jul-2015
Category:	Engineering
Upload:	akanksha-botke
View:	59 times
Download:	0 times

Cloud computing

Engineering