3. Overview
■ Cloud is a target-rich environment for malicious individuals and
criminal organizations.
■ Outsourcing to a cloud generates new security and privacy
concerns.
■ Many issues related to privacy, security, and trust in cloud
computing are far from being settled.
■ Service Level Agreements (SLAs) do not provide adequate legal
protection for cloud computer users.
Remote data security refers to the protection process for the
outsourced data from malicious access or modifications by
unauthorized users.
4. Main Security Factors
■ Confidentiality, integrity and availability (CIA) are the main
security factors.
■ Confidentiality means ensuring that only authorized users
with the appropriate privileges can access the data.
■ Remote data integrity is ensuring the completeness, accuracy
and consistency of the outsourced data.
■ Availability refers to ensuring that the stored data/service is
always available to be delivered to the users.
What is Privacy?
■ Assuring that users control what information related to them
may be collected and stored and by whom and to whom that
information may be disclosed.
5. Major Cloud User's Security Concerns
■ Multi-tenancy (the shared infrastructure) is the root cause of
many user concerns.
■ Users no longer physically possess the storage of their data:
– Unauthorized access to confidential information and data theft.
– A dishonest CSP may sell the confidential information to
competitors.
– The CSP might reclaim storage for monetary reasons by discarding
data that has not been or is rarely accessed, or even hide data
loss incidents to maintain its reputation.
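The remote data integrity property defined on the previous slide, and the concern just listed that a CSP might silently discard rarely accessed blocks or hide a loss, can both be checked from the client side with keyed tags. The following is an added illustration, not part of the slides: the client keeps a secret key and one HMAC tag per block, uploads only the blocks, and later spot-checks randomly chosen blocks; the key, block size and sample payload are constructed for the demo.

```python
import hashlib
import hmac
import random
from typing import Callable, Dict, List, Optional

BLOCK_SIZE = 16  # constructed: tiny blocks so the demo payload yields several

def make_blocks(data: bytes, size: int = BLOCK_SIZE) -> List[bytes]:
    return [data[i:i + size] for i in range(0, len(data), size)]

def tag_block(key: bytes, index: int, block: bytes) -> bytes:
    # Bind the block index into the tag so an intact block j cannot be
    # served by the CSP in place of a lost or altered block i.
    return hmac.new(key, index.to_bytes(4, "big") + block, hashlib.sha256).digest()

def outsource(key: bytes, data: bytes):
    """Client side: the blocks go to the CSP, the keyed tags stay with the client."""
    blocks = make_blocks(data)
    tags = [tag_block(key, i, b) for i, b in enumerate(blocks)]
    return blocks, tags

def verify_block(key: bytes, index: int, block: Optional[bytes], tag: bytes) -> str:
    """Classify the CSP's answer to 'return block <index>'."""
    if block is None:
        return "lost"        # the CSP could not produce the block at all
    if not hmac.compare_digest(tag_block(key, index, block), tag):
        return "modified"    # bit rot or an unauthorized change
    return "intact"

def audit(key: bytes, tags: List[bytes], fetch: Callable[[int], Optional[bytes]],
          indices: Optional[List[int]] = None, sample: int = 4) -> Dict[int, str]:
    """Spot-check blocks. Without explicit indices a random sample is drawn, so
    the CSP cannot predict which rarely read blocks it could safely discard."""
    if indices is None:
        indices = random.sample(range(len(tags)), min(sample, len(tags)))
    return {i: verify_block(key, i, fetch(i), tags[i]) for i in indices}

if __name__ == "__main__":
    key = b"client-secret-key-never-sent-to-csp"   # constructed demo key
    data = b"constructed sample payload outsourced to a cloud storage provider"
    blocks, tags = outsource(key, data)
    storage: Dict[int, bytes] = dict(enumerate(blocks))   # the CSP's copy
    storage[1] = b"tampered block!!"                       # silent modification
    del storage[2]                                         # silent data loss
    print(audit(key, tags, storage.get, indices=list(range(len(tags)))))
```

The full audit on the demo reports block 1 as modified and block 2 as lost while the others verify; a real deployment would keep the tags in a separate trust domain from the CSP.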
6. Major Cloud User's Security Concerns
■ User control over the lifecycle of data: it is virtually
impossible for a user to determine whether data that should have
been deleted was actually deleted, or whether the next user can
recover confidential data.
■ Lack of standardization: there are no interoperability
standards. What can be done when the service provided by the
CSP is interrupted?
■ The legal framework for enforcing cloud security: the data
centers of a CSP may be located in several countries, and it is
unclear which laws apply: the laws of the country where the
information is stored and processed, the laws of the countries
the information crossed when sent by the user, or the laws of
the user's country.
7. Cloud Security Risks
There are three broad classes:
1. Traditional security threats.
2. Threats related to system availability.
3. Threats related to third-party data control.
8. Traditional Security Threats
■ Impact amplified due to:
– The vast amount of cloud resources.
– The large user population that can be affected.
– The fuzzy bounds of responsibility between the providers of
cloud services and their users.
– The difficulty of accurately identifying the cause.
■ The traditional threats begin at the user site:
– The user must protect the infrastructure used to connect to the
cloud.
– This task is more difficult because some components of this
infrastructure are outside the firewall protecting the user.
9. Traditional Security Threats
■ Authentication and authorization:
– User authentication is the process of verifying the
identity of a user.
– Authorization: Granting access to specific
services and/or resources based on the
authentication.
– Different individuals should be assigned distinct
levels of privilege based on their role in the
organization.
– It is also nontrivial to merge or adapt the internal
policies and security metrics of an organization
with those of the cloud.
10. Traditional Security Threats
Most common attacks
■ Distributed Denial of Service (DDoS): prevents
legitimate users from accessing cloud services.
■ SQL injection: an SQL command entered in a web form
causes the contents of a database used by the web site to
be either dumped to the attacker or altered.
■ Cross-site scripting: permits the attacker to insert client
scripts into the web pages and thus bypass the access
controls at the web site.
■ Phishing aims to gain information from a database by
masquerading as a trustworthy entity. Such information
could be SSNs and credit card numbers.
11. New Cloud Security Threats
■ Cloud servers host multiple VMs.
■ Multiple applications may run under each VM.
■ Multi-tenancy and VM vulnerabilities open new attack
channels for malicious users.
■ Identifying the path followed by an attacker is more
difficult in a cloud environment.
12. Availability of cloud services
■ System failures, power outages, and other catastrophic
events could shut down services for extended periods of
time.
■ Data lock-in and lack of interoperability could prevent a
large organization whose business model depends on
these data from functioning properly.
13. Third-party control
■ It generates a spectrum of concerns caused by the lack of
transparency and limited user control.
■ For example, a cloud provider may subcontract some
resources from a third party whose level of trust is
questionable.
14. Top threats to cloud computing
■ Identified by a 2016 Cloud Security Alliance (CSA) report:
1. Data breaches
2. Compromised credentials and broken authentication
3. Hacked interfaces and APIs
4. Exploited system vulnerabilities
5. Account hijacking
6. Malicious insiders
7. Advanced persistent threats (APTs)
8. Permanent data loss
9. Inadequate diligence
10. Cloud service abuse
11. DoS attacks
15. Top threats to cloud computing
■ Identified by a 2022 Cloud Security Alliance (CSA) report
(the number in parentheses is the item's rank in the previous report):
1. Insufficient identity, credential, access and key management (#4)
2. Insecure interfaces and APIs (#7)
3. Misconfiguration and inadequate change control (#2)
4. Lack of cloud security architecture and strategy (#3)
5. Insecure software development
6. Unsecure third-party resources
7. System vulnerabilities
8. Accidental cloud data disclosure
9. Misconfiguration and exploitation of serverless and container workloads
10. Organized crime/hackers/APT
11. Cloud storage data exfiltration
16. Legal protection of cloud users
The contract between the user and the Cloud Service
Provider (CSP) should spell out explicitly:
■ CSP obligations to handle sensitive information securely
and its obligation to comply with privacy laws.
■ CSP liabilities for mishandling sensitive information.
■ CSP liabilities for data loss.
■ The rules governing ownership of the data.
■ The geographical regions where information and backups
can be stored.
Editor's Notes
Security has been a concern since the early days of computing, when a computer was isolated.
Once computers were able to communicate with one another, the Pandora's box of threats was opened wide.
Cloud users are concerned about insider attacks (employees of the CSP).
Users cannot properly transmit their data to another CSP/vendor.