The Security and Privacy Threats to Cloud Computing
    Presentation Transcript

    • The Security and Privacy Threats to Cloud Computing
      Ankit Singh, Frankfurt am Main, Germany, April 23, 2012
    • 1. Introduction to Cloud Computing: Cloud Computing Example; Three Cloud Service Models; Threats to Cloud Computing
      2. In-depth Security Analysis for Cloud Computing [2]: Security weakness in Cloud Computing; Data protection requirements for cloud computing services; Government and the Cloud
      3. Project for Trustworthy Cloud Computing and Conclusion: The TClouds Project; Conclusion of the Talk
      4. Bibliography
    • Quick Introduction to Cloud Computing I
      “Cloud computing is a term from information technology (IT) and means that software, memory capacity and computer power can be accessed via a network, for instance, the Internet or within a Virtual Private Network (VPN), as and when it is needed. The IT landscape (e.g. data processing centre, data storage facilities, e-mail and collaboration software, development environments and special software such as Customer Relationship Management [CRM]) is no longer owned and run by the company or institution, but is a service which can be rented from one or more cloud service providers” [1]
    • Cloud Computing Example I
      Figure: Cloud Computing Example (adapted from Wikipedia)
    • Three Cloud Service Models [1] [2] I
      - Software as a Service (SaaS): Users as consumers, e.g. accounting, collaboration tools, CRM etc.
      - Platform as a Service (PaaS): Data processing services, e.g. Google App Engine and Microsoft Azure Platform.
      - Infrastructure as a Service (IaaS): Hosting services, e.g. webspaces like Amazon EC2, Go Daddy etc.
      - The cloud computing service models are viewed as layers, in the same sequence as shown above.
      - These models are deployed on top of the cloud infrastructure as defined by NIST [3].
    • List of Threats to Cloud Computing [4] I
      1 Abuse of Cloud Computing. Affected services: IaaS, PaaS
      - Abuse of the service under the anonymity that loose registration and validation processes allow.
      - Adversaries use these models for spamming, writing malicious code etc.
      2 Insecure Interfaces and APIs. Affected services: IaaS, PaaS, SaaS
      - Service providers give customers interfaces or APIs to manage and interact with cloud services.
      - The security and availability of cloud services depend on the security of these basic APIs.
      - Interfaces must be designed to protect against accidental and malicious attempts to circumvent policy.
    • List of Threats to Cloud Computing [4] II
      3 Malicious Insiders. Affected services: IaaS, PaaS, SaaS
      - An adversary can harvest confidential data or gain complete control over cloud services, depending on the level of access.
      4 Shared Technology Issues. Affected services: IaaS
      - Disk partitions, CPU caches, GPUs and other shared elements were never designed for strong compartmentalization.
      - A virtualization hypervisor addresses this gap by mediating access between guest operating systems and the physical compute resources.
      - Hypervisors can themselves have flaws, which may result in gaining inappropriate levels of control or influence on the underlying platform.
    • List of Threats to Cloud Computing [4] III
      5 Data Loss or Leakage. Affected services: IaaS, PaaS, SaaS
      - Deletion or alteration of records without a backup of the original content.
      - Unlinking a record from a larger context may render it unrecoverable.
      - Unauthorized parties must be prevented from gaining access to sensitive data.
      - Examples: Insufficient authentication, authorization and audit (AAA) controls.
    • List of Threats to Cloud Computing [4] IV
      6 Account or Service Hijacking. Affected services: IaaS, PaaS, SaaS
      - Attack methods such as phishing, fraud and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused.
      7 Unknown Risk Profile. Affected services: IaaS, PaaS, SaaS
      - Versions of software, code updates, security practices, vulnerability profiles and intrusion attempts are the factors for estimating a company’s security posture.
      - Questions that need to be addressed include: how are data and related logs stored, and who has access to them? What information may be disclosed in case of a security breach?
    • Security weakness in Cloud Computing I
      Cloud providers fail to provide encryption to their users:
      - Cloud service providers do not provide encrypted access to their Web applications.
      Man-in-the-middle attacks:
      - The attacker redirects traffic between a client and a server through himself.
      - Achieved by forging DNS packets, DNS cache poisoning, or ARP spoofing.
      - Prevention: DNSSEC and HTTPS/TLS are two technologies which can prevent this attack.
    • Security weakness in Cloud Computing II
      Data encryption caveats:
      - Where will the encryption key be stored?
      - Where will the encryption and decryption processes be performed?
      User interface attacks:
      - A Web browser is used for accessing Web applications. Thus, the browser’s user interface becomes an important security factor.
      - Example: An attacker tries to fool the user into thinking that she is visiting a real website instead of a forgery. Techniques used here include fake HTTPS lock icons.
    • Research Recommendations by ENISA [5] I
      Research recommendations by the European Network and Information Security Agency (ENISA):
      Building Trust in the Cloud:
      - Certification processes and standards for clouds: COBIT (52), ITIL (53) etc.
      - Metrics for security in cloud computing
      - Effects of different forms of reporting breaches on security
      - Increasing transparency while maintaining appropriate levels of security
      - End-to-end data confidentiality
      - Extending cloud-based trust to client-based data and applications
      Data Protection in Large-Scale Cross-Organizational Systems:
    • Research Recommendations by ENISA [5] II
      - Data destruction and lifecycle management
      - Integrity verification of backups and archives in the cloud and their version management
      - Forensics and evidence gathering mechanisms
      - Incident resolution and rules of evidence
      - International differences in relevant regulations, including data protection and privacy, i.e. legal means to facilitate the smooth functioning of multi-national cloud infrastructures
      Large-Scale Computer Systems Engineering:
      - Security in depth within large-scale distributed computer systems
      - Security services in the cloud, i.e. adaptation of traditional security perimeter control technologies to the cloud, like HSM, web filters, firewalls, IDS etc.
    • Research Recommendations by ENISA [5] III
      - Resource isolation mechanisms: data, processing, memory, logs, etc.
      - Interoperability between cloud providers
      - Portability of VM, data and VM security settings from one cloud provider to another (to avoid vendor lock-in), and maintaining state and session in VM backups
      - Standardization of interfaces to feed data, applications and whole systems to the cloud
      - Resource (bandwidth and CPU, etc.) provisioning and allocation at scale (elasticity)
      - Scalable security management (policy and operating procedures) within cloud platforms
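An added example (not from the slides) for the ENISA item on integrity verification of backups and their versions, which also bears on the earlier question of where keys are stored: the customer keeps an HMAC key locally and tags each backup's name, version and SHA-256 digest, so a modified or rolled-back copy returned by the provider is detected. The function names, file name and sample data are constructed for illustration. It covers integrity only, not confidentiality.

```python
import hashlib
import hmac
import json
import secrets


def _tag(key: bytes, body: dict) -> str:
    # Canonical JSON so the same fields always produce the same MAC input.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_record(key: bytes, name: str, version: int, data: bytes) -> dict:
    """Manifest entry created on the customer's side before upload."""
    body = {"name": name, "version": version,
            "sha256": hashlib.sha256(data).hexdigest()}
    return {**body, "tag": _tag(key, body)}


def verify_backup(key: bytes, record: dict, data: bytes, latest: int) -> str:
    """Check a backup returned by the provider against its manifest entry.

    `latest` is the version number the customer last wrote (kept locally).
    """
    body = {k: record.get(k) for k in ("name", "version", "sha256")}
    claimed = str(record.get("tag", "")).encode()
    if not hmac.compare_digest(_tag(key, body).encode(), claimed):
        return "manifest-forged"      # fields changed without the key
    if body["version"] != latest:
        return "stale-version"        # valid but older copy (rollback)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual.encode(), str(body["sha256"]).encode()):
        return "content-modified"     # bytes differ from what was tagged
    return "ok"


def demo() -> dict:
    key = secrets.token_bytes(32)     # assumption: never leaves the customer
    v1, v2 = b"ledger 2012-04-22\n", b"ledger 2012-04-23\n"  # constructed data
    r1 = make_record(key, "ledger.bak", 1, v1)
    r2 = make_record(key, "ledger.bak", 2, v2)
    swapped = {**r2, "sha256": hashlib.sha256(b"other").hexdigest()}
    return {
        "intact": verify_backup(key, r2, v2, latest=2),
        "modified": verify_backup(key, r2, v2 + b"x", latest=2),
        "rollback": verify_backup(key, r1, v1, latest=2),
        "forged": verify_backup(key, swapped, b"other", latest=2),
    }


if __name__ == "__main__":
    print(demo())
```
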
    • Government and the Cloud [2] I
      United States:
      - One of the most important legal tools used by the U.S. Government to force cloud providers to hand over users’ private data is the third-party doctrine.
      - Other relevant laws include the Wiretap Act, the All Writs Act and the Foreign Intelligence Surveillance Act.
      - Example: Facebook can provide complete profile information and uploaded photos to law enforcement irrespective of her privacy
    • Government and the Cloud [2] II
      Germany:
      - §§111 and 112 of the 2004 Telecommunications Act (Telekommunikationsgesetz in German) allow the government to force telecommunication service providers (which include cloud service providers like webmail) to hand over information such as a customer’s name, address, birthdate, and email address, without a court order, through an automated query system that includes a search function in case law enforcement has incomplete request data.
      - Example: A case of court-ordered surveillance in Germany is the Java Anonymous Proxy (JAP), an open source software for anonymously browsing websites.
    • The TClouds Project I
      Trustworthy Clouds (TClouds) is a European Commission funded project.
      GOAL: To develop a trustworthy cloud computing infrastructure, which enables a comprehensible and audit-proof processing of personal or otherwise sensitive data in a cloud without limiting the solution to just a physically separated private cloud [6].
      Target Scenarios:
      - Energy Sector: Portugal’s leading energy supplier Energias de Portugal (EDP) and electronics company EFACEC in the field of smart power grids
      - Healthcare Sector: Italian hospital San Raffaele in Milano
    • The TClouds Project II
      Technical Implementation: Focuses on communication protocols between different cloud service providers, new open security standards, APIs and effective management components for cloud security.
    • Conclusion I
      - Cloud computing is an upcoming field due to the attractive services provided by cloud computing service providers.
      - Privacy and data security are the biggest challenges when it comes to storing and processing critical business or personal data in a cloud.
      - There are many challenges that we can only face if we understand what we are dealing with, how it may affect us and which possible solutions exist.
      - We must convince cloud providers and users of the importance of implementing available security technologies.
    • Conclusion II
      - The requirements of national and international data protection laws are a major concern.
      - As a consequence, this leads to stronger market growth of so-called private and community clouds, which are aligned more to the specific requirements of single customers or a narrowly defined user group.
      - Putting sensitive and private data on the cloud should be avoided due to current security threats.
    • Bibliography I
      [1] SWISS - Guide to cloud computing, Federal Data Protection and Information Commissioner FDPIC.
      [2] Security, Privacy and Cloud Computing, Jose Tomas Robles Hahn, Future Internet Seminar - Winter Term 2010/2011, Chair for Network Architectures and Services, Faculty of Computer Science, Technische Universität München.
      [3] National Institute of Standards and Technology, U.S. Department of Commerce, Guidelines on Security and Privacy in Public Cloud Computing, Wayne Jansen, Timothy Grance.
      [4] Top Threats to Cloud Computing 2010, prepared by the Cloud Security Alliance, March 2010.
      [5] Cloud Computing, Benefits, risks and recommendations for information security, European Network and Information Security Agency.
      [6] Trustworthy Clouds (TClouds) - Privacy meets Innovation, by Eva Schlehahn and Marit Hansen, Independent Centre for Privacy Protection Schleswig-Holstein, Germany.
      [7] Cloud Security Alliance (CSA), https://cloudsecurityalliance.org/, last access: April 23, 2012.