Data Loss / Data Theft
Data may be lost through equipment or software failures, or stolen by hackers because of the shared-resource nature of the cloud. Providers must make efforts to overcome such problems, as they may otherwise lose the trust of their clients.

System Boundaries
Due to the virtual nature of the cloud, there is no specific system boundary. Resources are shared across clouds, so any data transferred should be properly encrypted using proper encryption algorithms and SSL-encrypted communication, based on the sensitivity of the data.

Data Confidentiality
Due to the virtual nature of the cloud, one cannot be sure where the data and/or application are physically located and what protective mechanism is in place there. The existence of a "super user" in the enterprise providing cloud computing services, who carries out the management and maintenance of data, is a serious threat to user privacy.

Data Access
Predictable access to their data and application at all times and conditions.

Failure management and recovery
The traditional architecture has a server connected to a network, and the application resides on that server. So you have only a single access point from the network into the server. In contrast, the cloud environment resides on a virtualization framework, so the network now goes into the virtualization layer. Thus you have more than one access point and environment to manage. This includes managing network switching policies, firewall policies and access policies.
1. In a traditional system architecture we have an application running on one particular server.
2. In a cloud there are multiple servers, and the application migrates from one server to another for load balancing, failure recovery etc.
3. This migration is not guaranteed to stay within the same data center/server farm.
4. There is always the question of whether the new location shares the same security policies on each of the layers and is not exposed to any specific vulnerability.
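The migration question above can be turned into a gate: compare the destination's policy with the source's on each layer before the application moves. This is an added example, not part of the original slides; the policy data model, the control names and the sample values are hypothetical and constructed for illustration.

```python
from typing import Dict, List, Tuple

Policy = Dict[str, Dict[str, object]]   # layer -> control -> setting

# Constructed sample policies for two hosts. Layer names follow the page's
# network / OS-application / data split; control names are hypothetical.
SOURCE: Policy = {
    "network": {"allowed_ingress": {"443/tcp"}, "intrusion_detection": True},
    "os_app": {"patch_level": "2024-05", "anti_malware": True},
    "data": {"encryption_at_rest": True, "acl": {"app-svc:read", "app-svc:write"}},
}
DEST: Policy = {
    "network": {"allowed_ingress": {"443/tcp", "22/tcp"}, "intrusion_detection": True},
    "os_app": {"patch_level": "2024-05"},
    "data": {"encryption_at_rest": False, "acl": {"app-svc:read", "app-svc:write"}},
}

def policy_gaps(src: Policy, dst: Policy) -> List[Tuple[str, str, str]]:
    """Return (layer, control, reason) for each control where dst differs from src."""
    gaps = []
    for layer, controls in src.items():
        dst_controls = dst.get(layer, {})
        for name, want in controls.items():
            if name not in dst_controls:
                gaps.append((layer, name, "missing on destination"))
                continue
            have = dst_controls[name]
            if isinstance(want, set) and isinstance(have, set):
                extra = have - want      # grants the source never allowed
                missing = want - have    # grants the application relies on
                if extra:
                    gaps.append((layer, name, f"extra entries: {sorted(extra)}"))
                if missing:
                    gaps.append((layer, name, f"missing entries: {sorted(missing)}"))
            elif have != want:
                gaps.append((layer, name, f"source={want!r} destination={have!r}"))
    return gaps

def may_migrate(src: Policy, dst: Policy) -> bool:
    """Allow migration only when the destination matches the source on every layer."""
    return not policy_gaps(src, dst)

if __name__ == "__main__":
    for layer, control, reason in policy_gaps(SOURCE, DEST):
        print(f"{layer}/{control}: {reason}")
    print("migrate:", may_migrate(SOURCE, DEST))
```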
1. In a typical system, the user had the control to separate applications completely and make them run separately on servers.
2. Thus a nice isolation layer can be created between them using a firewall or other hardware features.
3. In a cloud, we may have multiple applications running on the same server.
4. We cannot guarantee that the two applications will not interact. For all we know, one app may be snooping on the traffic/data of another application.
Hence it is a challenge to maintain the isolation between the applications and scale it across multiple physical servers with mobility.
To handle the above security challenges, the following levels of security should be applied.
In cloud architecture, data is stored on the CSP's side, which creates the following dependencies:
• No or little knowledge of the way the backup or restore of data is done.
• No easy migration to another CSP.
• In cloud architecture you only pay for what you use, so measurement of resource usage lies in the hands of the CSP.
• Tied to the financial health of the CSP.
• Quality problems with the CSP (e.g. the CSP might use cheap disk drives etc.).
• No influence on data maintenance.
Customers should know the physical location of their data so that they are clear about the provisions of the prevailing law in that particular nation.
Same as screen.
Will the insurance company compensate for the loss of your business?
Same as screen.
Though all CSPs try their best to provide data security, no security can be assumed to be foolproof. So if the data centre is hacked, can you move against the vendor/CSP? What means do you have if data gets infringed?
The customer must always be notified when vendors provide third-party access to the customer's stored data, whether it is to a legal authority or an internal employee.
Transcript of "Bright and Gray areas of Cloud Computing"
Cloud Computing By Pallavi Khandekar & Jacob Bennett
Cloud Service Models
• Software as a Service (SaaS)
 – It is a software product that is provided to you when you log on to the cloud.
 – These services are meant to be accessible to everyone with a computer and an internet provider.
 – Unless you have dialup.
 – It is used for creating, storing, accessing, and manipulating your files from any internet connection.
 – Some examples are: Boise State Gmail, Google Docs, or any other application you access exclusively through the internet.
Cloud Service Models
• Infrastructure as a Service (IaaS)
 – It is one or more computers that exist on the cloud.
 – It is used for adding virtual machines to a network or for the capacity to expand and contract dynamically as you need it.
 – As a user, my computer becomes nothing but the means to access another, more powerful computer.
   • Do NOT need corporate software installed on the company PC!
   • Do NOT need a specific operating system!
Cloud Service Models
• Platform as a Service (PaaS)
 – Like IaaS, PaaS is geared towards providing a platform on which a developer may develop, publish, and maintain their source code.
 – It can be defined as an IaaS that will connect to a PC instead of the other way around.
 – Think of email that is pushed to your phone and not pulled.
Current Concerns and Challenges
• Security
• Dependency
• Legal Issues
• Decreased flexibility
Security
Security of Cloud Computing refers to policies, technologies and controls deployed to protect data, application and the associated infrastructure.

Security and Privacy
Security issues faced by cloud providers:
• Data Loss / Data theft
• System Boundaries
Security issues faced by cloud customers:
• Data/Service Access
• Data confidentiality
[Figure: Traditional system architecture (App, Server, Network) compared with cloud architecture (App, Server, virtualization port, Network)]
[Figure: Mobility. Labels: App, Server, Server 1, Server 2, virtualization port, Network. Caption: Do they share the same policy/security layer?]
[Figure: Co-existence. Labels: App 1, App 2, Server 1, Server 2, virtualization port, Network. Caption: Are they interacting?]
Multiple Level Security

Datacenter facility security
• Physical controls
• Access controls
• Video surveillance
• Background checks

Operating systems and application level
• Directory Federation (SAML)
• Access control and monitoring
• Anti-malware and anti-spam
• Patch and configuration management
• Secure engineering

Network Level
• Edge routers
• Multiple-layer firewalls
• Intrusion detection
• Vulnerability scanning
• Encryption

Data Level
• Access control lists
• User level access and authorization
• Field and data integrity
Dependency (loss of control)
• No or little insight into CSP contingency procedures, especially backup, restore and disaster recovery.
• No easy migration to another CSP.
• Measurement of resource usage and end user activities lies in the hands of the CSP.
• Tied to the financial health of another company.
• Quality problems with CSPs (Cloud Service Providers).
• No influence on maintenance levels and fix frequency when using cloud services from a CSP.
Legal and Contractual issues around Cloud Computing
A few important legal issues that must be taken care of before signing up with the CSP:
1. Physical Location of data:
 • Customers should know the actual physical location of their data.
 • In case a dispute arises between vendor and customer, which country's court system will settle the conflict? (e.g. the customer is in China and the vendor is in the US.)
2. Responsibility for your data:
 • What if the data center is hit by a disaster?
 • Is there any liability coverage for breach of data?
 • What can be done if the data center gets hacked?
3. Intellectual Property Rights:
 • Is your data protected under intellectual property rights?
 • Third party access