Cloud Computing:
Security and Privacy
Prepared by
Istiyak Hossain Siddiquee
2009331009

Supervised by
Dr. Mohammed Jahirul...
Cloud Computing : Top to Bottom
This presentation will provide you with all the information you need to know about cloud computing. It will give a description of cloud computing and related issues from top to bottom, with lots of survey results, definitions from different white papers and security concerns from noteworthy research papers.

Published in: Education, Technology, Business
  1. Cloud Computing: Security and Privacy. Prepared by Istiyak Hossain Siddiquee, 2009331009. Supervised by Dr. Mohammed Jahirul Islam, Associate Professor, Dept. of Computer Science & Engineering, Shahjalal University of Science & Technology, Sylhet, Bangladesh.
  2. “Cloud Computing is an important transition, a paradigm shift in IT services delivery - one that has broad impact and can present significant challenges.” --- "Cloud Computing: Considerations and Next Steps", published by Intel. “It's stupidity. It's worse than stupidity. It's a marketing hype campaign.” --- Richard Stallman, President, Free Software Foundation
  3. An IT model or computing environment composed of IT components (hardware, software, networking, and services) as well as the processes around the deployment of these elements that together enable us to develop and deliver cloud services via the Internet or a private network. --- Securing the Cloud, Winkler. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services). --- Security Guidance for Critical Areas of Focus in Cloud Computing v3.0 by Cloud Security Alliance, CSA. Cloud computing is an evolution in which IT consumption and delivery are made available in a self-service fashion via the Internet or internal network, with a flexible pay-as-you-go business model and requires a highly efficient and scalable architecture. --- Cloud Computing: Considerations and Next Steps, Intel
  4. “Cloud Computing refers to both the applications delivered as services over Internet and the hardware and systems software in the datacenters that provide those services.” --- Above the Clouds: A Berkeley View on Cloud Computing, University of California Berkeley. “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” --- National Institute of Standards and Technology (NIST)
  5. Why Cloud
  6. Source: IT PRO Cloud Survey By Microsoft TechNet Cloud Power
  7. Source: The Future of Cloud Computing rd Annual Survey by NorthBridge and Gigaom
  8. Source: Outlook on Technology, a survey conducted by PCConnection
  9. Source: Leveraging the cloud for law enforcement Survey Result, IACP, SafeGov, January 31, 2013
  10. Essential Characteristics of Cloud Computing According to NIST: On-demand Self Service; Broad network access; Resource pooling; Rapid elasticity; Measured service. • Cost containment • Innovation speed • Availability • Scalability • Efficiency • Elasticity (Schweizerische Akademie der Technischen Wissenschaften (SATW))
  11. So, the attractive points of cloud computing are: Efficiency; Scalability; Elasticity; Availability; Agility; Recovery; No upfront cost; Pay as you go; Innovation speed
  12. Cloud Service Delivery Model
  13. defined by NIST
  14. Source: 2013 Outlook on Technology, PC Connection Survey
  15. Source: IT PRO Cloud Survey By Microsoft TechNet Cloud Power
  16. IaaS: The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls). --- According to NIST. Provides virtual machines and other abstracted hardware and operating systems which may be controlled through a service API. --- According to ENISA. Delivers computer infrastructure (typically a platform virtualization environment) as a service, along with raw storage and networking. Rather than purchasing servers, software, data-center space, or network equipment, clients instead buy those resources as a fully outsourced service. --- According to CSA
  17. Source: Schweizerische Akademie der Technischen Wissenschaften (SATW)
  18. Examples of IaaS: Amazon EC2; Eucalyptus; CSC; GoGrid; IBM; OpenStack; Rackspace; Savvis; Terremark; VMWare
  19. PaaS: The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. --- According to NIST. Allows customers to develop new applications using APIs deployed and configurable remotely. The platforms offered include development tools, configuration management, and deployment platforms. --- According to ENISA. The delivery of a computing platform and solution stack as a service. PaaS offerings facilitate deployment of applications without the cost and complexity of buying and managing the underlying hardware and software and provisioning hosting capabilities. This provides all of the facilities required to support the complete life cycle of building and delivering web applications and services entirely available from the Internet. --- According to CSA
  20. Source: Schweizerische Akademie der Technischen Wissenschaften (SATW)
  21. Examples of PaaS: Google App Engine; Windows Azure; Force.com; Engine Yard; AT&T Synaptic; Boomi; Citrix; Red Hat OpenShift; Heroku; AppFog; Amazon AWS; Caspio
  22. SaaS: The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user specific application configuration settings. --- According to NIST. Is software offered by a third party provider, available on demand, usually via the Internet configurable remotely. --- According to ENISA. A software delivery model in which software and its associated data are hosted centrally (typically in the (Internet) cloud) and are typically accessed by users using a thin client, normally using a web browser over the Internet. --- According to CSA
  23. Source: Schweizerische Akademie der Technischen Wissenschaften (SATW)
  24. Examples of SaaS: Web Mail; Google Docs; Facebook; Salesforce; LinkedIn; Workday; Netsuite; ServiceNow; Athenahealth; Medidata; Cornerstone OnDemand
  25. Cloud Deployment Models
  26. Among these models, which one is more popular?
  27. Source: The Future of Cloud Computing rd Annual Survey by NorthBridge and Gigaom
  28. PC Connection CC Survey Results
  29. Public Cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. --- According to NIST. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. --- According to ENISA. Public cloud refers to solutions where resources are dynamically provisioned over the Internet from an offsite third-party provider who shares resources and bills on a fine-grained utility computing basis. --- According to Ajilitee
  30. Examples of Public Cloud: Amazon Elastic Compute Cloud (EC2); IBM’s Blue Cloud; SunCloud; Google AppEngine; Windows Azure Services Platform
  31. Private Cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g. business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. --- According to NIST. The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premise or off-premise. --- According to CSA
  32. Examples of Private Cloud: Amazon Virtual Private Cloud; IBM SmartCloud Foundation; Microsoft Private Cloud; Cisco Private Cloud solutions; VMware Private Cloud Computing; Dell Cloud Solutions; Rackspace Private Cloud; Citrix CloudPlatform
  33. Hybrid Cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds).
  34. Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or by a third party and may be located on premise or off-premise. --- According to CSA. This cloud overlaps with grid to some extent. Several organizations with similar concerns about mission, security requirements, policy, and compliance considerations in a private community share cloud infrastructure.
  35. Source: Luth research and Vanson Bourne, 2013
  36. 2013 Outlook on Technology Cloud Computing Survey Results by PC Connection
  37. Are these survey results exaggerated?
  38. Let’s review this survey result... Cloud Computing Vulnerability Incidents: A Statistical Overview, by CSA
  39. American information technology research and advisory firm Gartner has identified seven cloud computing risks. These are: Privileged user access; Regulatory compliance; Data location; Data segregation; Recovery; Investigative support; Long term viability. CSA released a noteworthy document titled The Notorious Nine: Cloud Computing Top Threats. Here they identified nine security problems as the top threats for the year: Data Breaches; Data Loss; Account Hijacking; Insecure APIs; Denial of Service; Malicious Insiders; Abuse of Cloud Services; Insufficient Due Diligence; Shared Technology Issues
  40. So we can classify these threats into these categories: Confidentiality and Privacy; Availability; Integrity; Auditability and Forensics; Other Issues. Let us go through these points...
  41. Confidentiality and Privacy
  42. When considering cloud computing security, one word that comes up most often is confidentiality of data. Privacy is also related to confidentiality, because the revelation of confidential data means a violation of privacy. Confidentiality and privacy leakages can occur in two ways. Losing control over data: Customers often become anxious about their data confidentiality because of losing control over their data. When they host their classified information in the cloud they usually lose control over their data, though they have the authorization to access it. Privacy and confidentiality compromised: One of the most common threats to computing technology, as well as cloud computing technology, is “compromise”. To describe this in detail we will sub-divide this point.
  43. Threats from Insider: There are two types of threat here. Firstly, from a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems. Secondly, from the company itself. What if the company is running a Cheap Data Mining process on your confidential data? Or they may even conduct espionage on your data.
  44. Threats from Outsider: These are the threats that make companies worried. There can be many types of threat from outsiders. These are: Cloud malware injection attack; Account or service hijacking; VMware Security Problem; Flooding Attacks; Data Security; Hypervisor Vulnerability; Shared Resources Issue; Compliance
  45. Cloud malware injection attack: A research paper described this type of attack. They said an attacker first attempts to inject a malware service implementation of a virtual machine into the cloud system. This instance then serves several purposes, ranging from eavesdropping via subtle data modification to full functionality changes or blockings. The attacker may also apply SQL injection and cross-site scripting attacks to acquire sensitive data.
  46. Account or service hijacking: Account or service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. Your account or service instances may become a new base for the attacker.
  47. VMware Security Problem: Recent research shows that it is possible to locate a client's physical address in the cloud precisely, so an attacker can use those algorithms to locate a consumer and gather intelligence about his classified data in the cloud. Another study showed that it is possible to place the attacker’s virtual machine physically beside the victim’s virtual machine and then create a side channel between the two machines, which can enable the attacker to steal password information by initiating an SSH keystroke timing attack.
  48. Flooding Attacks: These consist of DoS (Denial of Service), DDoS, and EDoS. This is a very old problem in computer technology and hence for cloud computing as well; it basically consists of an attacker sending a huge amount of nonsense requests. As each of these requests needs to be identified as nonsense, some computation power is required to face such attacks. Thus sometimes the server doesn’t respond in time, that is, it denies service. Sometimes the attacker attacks the cloud using botnets, which we call Distributed Denial of Service. It is much harder to tackle as there is a huge amount of nonsense requests at a time. There is another sort of DoS, called EDoS. In this, the attacker attacks the billing system of a cloud service provider in an attempt to make the CSP bankrupt.
  49. Data Security: Data can be hijacked while it is in transit. This problem is actually trivial. We may encrypt the data or secure the connection between browser and server.
  50. Hypervisor Vulnerability: The hypervisor is a critical piece of virtualized cloud infrastructure that provides the software layer that sits between the hardware and VMs and allows multiple VMs to share a single hardware platform. Not surprisingly, hypervisor vulnerabilities are a major source of concern for IT professionals. If a hypervisor is vulnerable to security attacks, then the integrity of the entire public or private cloud implementation is at serious risk.
  51. Shared Resources Issues: Sharing of resources gives rise to some critical problems of unwanted data privacy leakage. This is because of data remanence in a multitenant hardware implementation. Another example of shared resources vulnerability is Reputation Fate Sharing.
  52. Compliance: From the former NSA Agent Edward Snowden we came to know that under the long disputed PRISM Act, the USA’s National Security Agency (NSA) had been able to access the emails, Facebook accounts and videos of citizens across the world. It had even secretly acquired the phone records of millions of Americans and other important persons of the world, like Angela Merkel. Through a secret court, it has been able to bend nine US internet companies to its demands for access to their users' data.
  53. Availability
  54. Integrity
  55. Auditability & Forensics
  56. Other Issues: Accidental Data Loss; Insecure API; Abuse of Cloud (DoS Attack Using Cloud)
  57. Future.....
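
The Flooding Attacks slide distinguishes a single-source flood, a botnet-driven DDoS and an EDoS that targets metered billing. The following is an added example, not part of the original presentation, showing why a per-source rate check catches the first but not the second, and how a spend guard covers the billing case. The window size, per-source limit, per-request cost and budget are assumed values, and the traffic is constructed sample data.

```python
from collections import defaultdict, deque


def flood_sources(events, window_s=10, max_per_window=20):
    """Return sources that exceed max_per_window requests inside any
    sliding window of window_s seconds.

    events: (timestamp_seconds, source_id) tuples sorted by timestamp.
    """
    recent = defaultdict(deque)   # source_id -> timestamps still in window
    flagged = set()
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while ts - q[0] >= window_s:
            q.popleft()
        if len(q) > max_per_window:
            flagged.add(src)
    return flagged


def spend_guard(events, cost_micro, hourly_budget_micro):
    """EDoS guard: return the timestamp at which metered spend within one
    clock hour first exceeds the budget, or None if it never does.

    Costs are integers (millionths of a currency unit) so that the
    accumulated total is exact.
    """
    hour, spend = None, 0
    for ts, _src in events:
        current = ts // 3600
        if current != hour:       # new billing hour: reset the meter
            hour, spend = current, 0
        spend += cost_micro
        if spend > hourly_budget_micro:
            return ts
    return None


# Constructed sample traffic (assumed values, not real logs).
# Five ordinary clients, one request every 2 s for a minute.
NORMAL = [(t, f"client-{c}") for t in range(0, 60, 2) for c in range(5)]
# One source sending 50 requests per second for 5 s.
FLOOD = [(10 + i / 50, "flood-1") for i in range(250)]
# 400 bots, each sending only 1 request per second for a minute.
DDOS = [(t, f"bot-{b}") for t in range(60) for b in range(400)]

if __name__ == "__main__":
    print("single-source flood:", flood_sources(sorted(NORMAL + FLOOD)))
    print("botnet, per-source check:", flood_sources(DDOS))
    print("botnet, spend guard trips at t =",
          spend_guard(DDOS, cost_micro=50, hourly_budget_micro=1_000_000))
```

Each bot stays under the per-source limit, so only the aggregate spend check reacts to the distributed case.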
