SlideShare a Scribd company logo
1 of 26
Download to read offline
CLOUD COMPUTING
CLOUD SECURITY II
PROF. SOUMYA K. GHOSH
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
IIT KHARAGPUR
Cloud Computing
• Cloud computing is a new computing paradigm, involving data and/or
computation outsourcing, with
– Infinite and elastic resource scalability
– On demand “just-in-time” provisioning
– No upfront cost … pay-as-you-go
• Use as much or as less you need, use only when you want,
and pay only what you use
2
Economic Advantages of Cloud Computing
• For consumers:
– No upfront commitment in buying/leasing hardware
– Can scale usage according to demand
– Minimizing start-up costs
• Small scale companies and startups can reduce CAPEX (Capital
Expenditure)
• For providers:
– Increased utilization of datacenter resources
3
Why aren’t Everyone using Cloud?
Clouds are still subject to traditional
data confidentiality, integrity,
availability, and privacy issues, plus
some additional attacks
4
Concern…
5
Survey on Potential Cloud Barriers
Source: IDC Ranking Security Challenges
6
Why Cloud Computing brings New Threats?
• Traditional system security mostly means keeping attackers out
• The attacker needs to either compromise the authentication/access control system,
or impersonate existing users
• But cloud allows co-tenancy: Multiple independent users share the same physical
infrastructure
– An attacker can legitimately be in the same physical machine as the target
• Customer’s lack of control over his own data and application.
• Reputation fate-sharing
7
Security Stack
• IaaS: entire infrastructure from facilities to hardware
• PaaS: application, middleware, database, messaging supported
by IaaS
– Customer-side system administrator manages the same with provider
handling platform, infrastructure security
• SaaS: self contained operating environment: content,
presentation, apps, management
– Service levels, security, governance, compliance, liability, expectations of the
customer & provider are contractually defined
IncreaseinProvider’sSecurity
Responsibility
IncreaseinCustomer’sSecurity
Responsibility
8
Sample Clouds
Source: “Security Guidance for Critical Areas of Focus in Cloud Computing” v2.1, p.18
9
Gartner’s Seven Cloud Computing Security Risks
• Gartner:
– http://www.gartner.com/technology/about.jsp
– Cloud computing has “unique attributes that require risk assessment in areas such as data
integrity, recovery and privacy, and an evaluation of legal issues in areas such as e-
discovery, regulatory compliance and auditing,” Gartner says
• Security Risks
– Privileged User Access
– Regulatory Compliance & Audit
– Data Location
– Data Segregation
– Recovery
– Investigative Support
– Long-term Viability
10
Privileged User Access
• Sensitive data processed outside the enterprise brings with it an inherent
level of risk
• Outsourced services bypass the “physical, logical and personnel controls”
of traditional in-house deployments.
• Get as much information as you can about the people who manage your
data
• “Ask providers to supply specific information on the hiring and oversight
of privileged administrators, and the controls over their access,” Gartner
says.
11
Regulatory Compliance & Audit
• Traditional service providers are subjected to external audits and security
certifications.
• Cloud computing providers who refuse to undergo this scrutiny are “signaling that
customers can only use them for the most trivial functions,” according to Gartner.
• Shared infrastructure – isolation of user-specific log
• No customer-side auditing facility
• Difficult to audit data held outside organization in a cloud
– Forensics also made difficult since now clients don’t maintain data locally
• Trusted third-party auditor?
12
Data Location
• Hosting of data, jurisdiction?
• Data centers: located at geographically dispersed locations
• Different jurisdiction & regulations
– Laws for cross border data flows
• Legal implications
– Who is responsible for complying with regulations (e.g., SOX, HIPAA, etc.)?
– If cloud provider subcontracts to third party clouds, will the data still be secure?
13
Data Segregation
• Data in the cloud is typically in a shared environment alongside data from other
customers.
• Encryption is effective but isn’t a cure-all. “Find out what is done to segregate data
at rest,” Gartner advises.
• Encrypt data in transit, needs to be decrypted at the time of processing
– Possibility of interception
• Secure key store
– Protect encryption keys
– Limit access to key stores
– Key backup & recoverability
• The cloud provider should provide evidence that encryption schemes were
designed and tested by experienced specialists.
• “Encryption accidents can make data totally unusable, and even normal encryption
can complicate availability,” Gartner says.
14
Recovery
• Even if you don’t know where your data is, a cloud provider should tell you what will happen
to your data and service in case of a disaster.
• “Any offering that does not replicate the data and application infrastructure across multiple
sites is vulnerable to a total failure,” Gartner says. Ask your provider if it has “the ability to do
a complete restoration, and how long it will take.”
• Recovery Point Objective (RPO): The maximum amount of data that will be lost following an
interruption or disaster.
• Recovery Time Objective (RTO): The period of time allowed for recovery i.e., the time that is
allowed to elapse between the disaster and the activation of the secondary site.
• Backup frequency
• Fault tolerance
– Replication: mirroring/sharing data over disks which are located in separate physical locations to
maintain consistency
– Redundancy: duplication of critical components of a system with the intention of increasing reliability
of the system, usually in the case of a backup or fail-safe.
15
Investigative Support
• Investigating inappropriate or illegal activity may be impossible in cloud
computing
• Monitoring
– To eliminate the conflict of interest between the provider and the consumer, a neural
third-party organization is the best solution to monitor performance.
• Gartner warns. “Cloud services are especially difficult to investigate,
because logging and data for multiple customers may be co-located and
may also be spread across an ever-changing set of hosts and data centers.”
16
Long-term Viability
• “Ask potential providers how you would get your data back and if it would
be in a format that you could import into a replacement application,”
Gartner says.
• When to switch cloud providers ?
– Contract price increase
– Provider bankruptcy
– Provider service shutdown
– Decrease in service quality
– Business dispute
• Problem: vendor lock-in
17
Other Cloud Security Issues…
• Virtualization
• Access Control & Identity Management
• Application Security
• Data Life Cycle Management
18
Virtualization
• Components:
– Virtual machine (VM)
– Virtual machine manager (VMM) or hypervisor
• Two types:
– Full virtualization: VMs run on hypervisor that interacts with the hardware
– Para virtualization: VMs interact with the host OS.
• Major functionality: resource isolation
• Hypervisor vulnerabilities:
– Shared clipboard technology– transferring malicious programs from VMs to
host
19
Virtualization (contd…)
• Hypervisor vulnerabilities:
– Keystroke logging: Some VM technologies enable the logging of keystrokes and screen
updates to be passed across virtual terminals in the virtual machine, writing to host files
and permitting the monitoring of encrypted terminal connections inside the VM.
– Virtual machine backdoors: covert communication channel
– ARP Poisoning: redirect packets going to or from the other VM.
• Hypervisor Risks
– Rogue hypervisor rootkits
• Initiate a ‘rogue’ hypervisor
• Hide itself from normal malware detection systems
• Create a covert channel to dump unauthorized code
20
Virtualization (contd…)
• Hypervisor Risks
– External modification to the hypervisor
• Poorly protected or designed hypervisor: source of attack
• May be subjected to direct modification by the external intruder
– VM escape
• Improper configuration of VM
• Allows malicious code to completely bypass the virtual environment, and obtain full root or
kernel access to the physical host
• Some vulnerable virtual machine applications: Vmchat, VMftp, Vmcat etc.
– Denial-of-service risk
• Threats:
– Unauthorized access to virtual resources – loss of confidentiality, integrity,
availability
21
Access Control & Identity Management
• Access control: similar to traditional in-house IT network
• Proper access control: to address CIA tenets of information
security
• Prevention of identity theft – major challenge
– Privacy issues raised via massive data mining
• Cloud now stores data from a lot of clients, and can run data mining algorithms to
get large amounts of information on clients
• Identity Management (IDM) – authenticate users and services
based on credentials and characteristics
22
Application Security
• Cloud applications – Web service based
• Similar attacks:
– Injection attacks: introduce malicious code to change the course of execution
– XML Signature Element Wrapping: By this attack, the original body of an XML message is moved
to a newly inserted wrapping element inside the SOAP header, and a new body is created.
– Cross-Site Scripting (XSS): XSS enables attackers to inject client-side script into Web pages viewed
by other users to bypass access controls.
– Flooding: Attacker sending huge amount of request to a certain service and causing denial of
service.
– DNS poisoning and phishing: browser-based security issues
– Metadata (WSDL) spoofing attacks: Such attack involves malicious reengineering of Web Services’
metadata description
• Insecure communication channel
23
Data Life Cycle Management
• Data security
– Confidentiality:
• Will the sensitive data stored on a cloud remain confidential?
• Will cloud compromise leak confidential client data (i.e., fear of loss of
control over data)
• Will the cloud provider itself be honest and won’t peek into the data?
– Integrity:
• How do I know that the cloud provider is doing the computations
correctly?
• How do I ensure that the cloud provider really stored my data without
tampering with it?
24
Data Life Cycle Management (contd.)
• Availability
• Will critical systems go down at the client, if the provider is attacked in
a Denial of Service attack?
• What happens if cloud provider goes out of business?
• Data Location
• All copies, backups stored only at location allowed by contract, SLA
and/or regulation
• Archive
• Access latency
25
26
Thank You!
26

More Related Content

What's hot

On QoE Metrics and QoE Fairness for Network & Traffic Management
On QoE Metrics and QoE Fairness for Network & Traffic ManagementOn QoE Metrics and QoE Fairness for Network & Traffic Management
On QoE Metrics and QoE Fairness for Network & Traffic ManagementTobias Hoßfeld
 
Challenges and advantages of grid computing
Challenges and advantages of grid computingChallenges and advantages of grid computing
Challenges and advantages of grid computingPooja Dixit
 
Low-Power Wide Area - Overview
Low-Power Wide Area - OverviewLow-Power Wide Area - Overview
Low-Power Wide Area - OverviewM2M Alliance e.V.
 
Universal Mobile Telecommunication System (UMTS)- Evolution from 2G to 3G
Universal Mobile Telecommunication System (UMTS)- Evolution from 2G to 3G Universal Mobile Telecommunication System (UMTS)- Evolution from 2G to 3G
Universal Mobile Telecommunication System (UMTS)- Evolution from 2G to 3G Rohit Choudhury
 
mobile infrastructure management
mobile infrastructure managementmobile infrastructure management
mobile infrastructure managementAkhil Kumar
 
FUTURE OF E-GOVERNANCE WITH CLOUD COMPUTING
FUTURE OF E-GOVERNANCE WITH CLOUD COMPUTINGFUTURE OF E-GOVERNANCE WITH CLOUD COMPUTING
FUTURE OF E-GOVERNANCE WITH CLOUD COMPUTINGpremdeshmane
 
Key Challenges In CLOUD COMPUTING
Key Challenges In CLOUD COMPUTINGKey Challenges In CLOUD COMPUTING
Key Challenges In CLOUD COMPUTINGAtul Chounde
 
Mod05lec25(resource mgmt ii)
Mod05lec25(resource mgmt ii)Mod05lec25(resource mgmt ii)
Mod05lec25(resource mgmt ii)Ankit Gupta
 
Wireless Network Architecture
Wireless Network ArchitectureWireless Network Architecture
Wireless Network ArchitecturePawandeep Singh
 
Mobile Database ,alrazgi
Mobile Database ,alrazgiMobile Database ,alrazgi
Mobile Database ,alrazgialrazgi
 
Osi layer and network protocol
Osi layer and network protocolOsi layer and network protocol
Osi layer and network protocolNayan Sarma
 

What's hot (20)

On QoE Metrics and QoE Fairness for Network & Traffic Management
On QoE Metrics and QoE Fairness for Network & Traffic ManagementOn QoE Metrics and QoE Fairness for Network & Traffic Management
On QoE Metrics and QoE Fairness for Network & Traffic Management
 
Roaming behavior and Client Troubleshooting
Roaming behavior and Client TroubleshootingRoaming behavior and Client Troubleshooting
Roaming behavior and Client Troubleshooting
 
Umts
UmtsUmts
Umts
 
Challenges and advantages of grid computing
Challenges and advantages of grid computingChallenges and advantages of grid computing
Challenges and advantages of grid computing
 
Low-Power Wide Area - Overview
Low-Power Wide Area - OverviewLow-Power Wide Area - Overview
Low-Power Wide Area - Overview
 
Universal Mobile Telecommunication System (UMTS)- Evolution from 2G to 3G
Universal Mobile Telecommunication System (UMTS)- Evolution from 2G to 3G Universal Mobile Telecommunication System (UMTS)- Evolution from 2G to 3G
Universal Mobile Telecommunication System (UMTS)- Evolution from 2G to 3G
 
Topic : B ISDN
Topic : B ISDNTopic : B ISDN
Topic : B ISDN
 
Basics of Cloud Computing
Basics of Cloud ComputingBasics of Cloud Computing
Basics of Cloud Computing
 
mobile infrastructure management
mobile infrastructure managementmobile infrastructure management
mobile infrastructure management
 
FUTURE OF E-GOVERNANCE WITH CLOUD COMPUTING
FUTURE OF E-GOVERNANCE WITH CLOUD COMPUTINGFUTURE OF E-GOVERNANCE WITH CLOUD COMPUTING
FUTURE OF E-GOVERNANCE WITH CLOUD COMPUTING
 
GSM Air Interface
GSM Air Interface GSM Air Interface
GSM Air Interface
 
FTTH Basics
FTTH BasicsFTTH Basics
FTTH Basics
 
MODULE-2-Cloud Computing.docx.pdf
MODULE-2-Cloud Computing.docx.pdfMODULE-2-Cloud Computing.docx.pdf
MODULE-2-Cloud Computing.docx.pdf
 
UMTS OVERVIEW
UMTS OVERVIEWUMTS OVERVIEW
UMTS OVERVIEW
 
Key Challenges In CLOUD COMPUTING
Key Challenges In CLOUD COMPUTINGKey Challenges In CLOUD COMPUTING
Key Challenges In CLOUD COMPUTING
 
IT6601 MOBILE COMPUTING
IT6601 MOBILE COMPUTINGIT6601 MOBILE COMPUTING
IT6601 MOBILE COMPUTING
 
Mod05lec25(resource mgmt ii)
Mod05lec25(resource mgmt ii)Mod05lec25(resource mgmt ii)
Mod05lec25(resource mgmt ii)
 
Wireless Network Architecture
Wireless Network ArchitectureWireless Network Architecture
Wireless Network Architecture
 
Mobile Database ,alrazgi
Mobile Database ,alrazgiMobile Database ,alrazgi
Mobile Database ,alrazgi
 
Osi layer and network protocol
Osi layer and network protocolOsi layer and network protocol
Osi layer and network protocol
 

Similar to Lecture27 cc-security2

Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud ComputingFalgun Rathod
 
Cloud Cmputing Security
Cloud Cmputing SecurityCloud Cmputing Security
Cloud Cmputing SecurityDevyani Vaidya
 
Myths of validation
Myths of validationMyths of validation
Myths of validationJeff Thomas
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing SecurityNithin Raj
 
12-cloud-security.ppt
12-cloud-security.ppt12-cloud-security.ppt
12-cloud-security.pptchelsi33
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.pptssuser3be95f
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.pptSameer Ali
 
cloud-complete power point presentation for digital signature
cloud-complete power point presentation for digital signaturecloud-complete power point presentation for digital signature
cloud-complete power point presentation for digital signatureArunsunaiComputer
 
Cloud complete
Cloud completeCloud complete
Cloud completeNavriti
 
IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011Donald E. Hester
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...David Wallom
 
Trust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud providerTrust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud providerDavid Wallom
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...David Wallom
 
IRJET- Continuous Auditing Approach to the Cloud Service Addressing Attri...
IRJET-  	  Continuous Auditing Approach to the Cloud Service Addressing Attri...IRJET-  	  Continuous Auditing Approach to the Cloud Service Addressing Attri...
IRJET- Continuous Auditing Approach to the Cloud Service Addressing Attri...IRJET Journal
 

Similar to Lecture27 cc-security2 (20)

Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
 
Cloud Cmputing Security
Cloud Cmputing SecurityCloud Cmputing Security
Cloud Cmputing Security
 
Myths of validation
Myths of validationMyths of validation
Myths of validation
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.ppt
 
12-cloud-security.ppt
12-cloud-security.ppt12-cloud-security.ppt
12-cloud-security.ppt
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.ppt
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.ppt
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.ppt
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.ppt
 
Cloud complete
Cloud completeCloud complete
Cloud complete
 
cloud-complete power point presentation for digital signature
cloud-complete power point presentation for digital signaturecloud-complete power point presentation for digital signature
cloud-complete power point presentation for digital signature
 
Cloud complete
Cloud completeCloud complete
Cloud complete
 
IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...
 
Trust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud providerTrust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud provider
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...
 
IRJET- Continuous Auditing Approach to the Cloud Service Addressing Attri...
IRJET-  	  Continuous Auditing Approach to the Cloud Service Addressing Attri...IRJET-  	  Continuous Auditing Approach to the Cloud Service Addressing Attri...
IRJET- Continuous Auditing Approach to the Cloud Service Addressing Attri...
 

More from Ankit Gupta

Biometricstechnology in iot and machine learning
Biometricstechnology in iot and machine learningBiometricstechnology in iot and machine learning
Biometricstechnology in iot and machine learningAnkit Gupta
 
Week2 cloud computing week2
Week2 cloud computing week2Week2 cloud computing week2
Week2 cloud computing week2Ankit Gupta
 
Week 8 lecture material
Week 8 lecture materialWeek 8 lecture material
Week 8 lecture materialAnkit Gupta
 
Week 4 lecture material cc (1)
Week 4 lecture material cc (1)Week 4 lecture material cc (1)
Week 4 lecture material cc (1)Ankit Gupta
 
Week 3 lecture material cc
Week 3 lecture material ccWeek 3 lecture material cc
Week 3 lecture material ccAnkit Gupta
 
Week 1 lecture material cc
Week 1 lecture material ccWeek 1 lecture material cc
Week 1 lecture material ccAnkit Gupta
 
Mod05lec24(resource mgmt i)
Mod05lec24(resource mgmt i)Mod05lec24(resource mgmt i)
Mod05lec24(resource mgmt i)Ankit Gupta
 
Mod05lec23(map reduce tutorial)
Mod05lec23(map reduce tutorial)Mod05lec23(map reduce tutorial)
Mod05lec23(map reduce tutorial)Ankit Gupta
 
Mod05lec22(cloudonomics tutorial)
Mod05lec22(cloudonomics tutorial)Mod05lec22(cloudonomics tutorial)
Mod05lec22(cloudonomics tutorial)Ankit Gupta
 
Mod05lec21(sla tutorial)
Mod05lec21(sla tutorial)Mod05lec21(sla tutorial)
Mod05lec21(sla tutorial)Ankit Gupta
 
Lecture29 cc-security4
Lecture29 cc-security4Lecture29 cc-security4
Lecture29 cc-security4Ankit Gupta
 
Lecture28 cc-security3
Lecture28 cc-security3Lecture28 cc-security3
Lecture28 cc-security3Ankit Gupta
 
Lecture 30 cloud mktplace
Lecture 30 cloud mktplaceLecture 30 cloud mktplace
Lecture 30 cloud mktplaceAnkit Gupta
 
Week 7 lecture material
Week 7 lecture materialWeek 7 lecture material
Week 7 lecture materialAnkit Gupta
 
Gurukul Cse cbcs-2015-16
Gurukul Cse cbcs-2015-16Gurukul Cse cbcs-2015-16
Gurukul Cse cbcs-2015-16Ankit Gupta
 
Microprocessor full hand made notes
Microprocessor full hand made notesMicroprocessor full hand made notes
Microprocessor full hand made notesAnkit Gupta
 
Transfer Leaning Using Pytorch synopsis Minor project pptx
Transfer Leaning Using Pytorch  synopsis Minor project pptxTransfer Leaning Using Pytorch  synopsis Minor project pptx
Transfer Leaning Using Pytorch synopsis Minor project pptxAnkit Gupta
 
Intro/Overview on Machine Learning Presentation -2
Intro/Overview on Machine Learning Presentation -2Intro/Overview on Machine Learning Presentation -2
Intro/Overview on Machine Learning Presentation -2Ankit Gupta
 
Intro/Overview on Machine Learning Presentation
Intro/Overview on Machine Learning PresentationIntro/Overview on Machine Learning Presentation
Intro/Overview on Machine Learning PresentationAnkit Gupta
 
Cloud computing ebook
Cloud computing ebookCloud computing ebook
Cloud computing ebookAnkit Gupta
 

More from Ankit Gupta (20)

Biometricstechnology in iot and machine learning
Biometricstechnology in iot and machine learningBiometricstechnology in iot and machine learning
Biometricstechnology in iot and machine learning
 
Week2 cloud computing week2
Week2 cloud computing week2Week2 cloud computing week2
Week2 cloud computing week2
 
Week 8 lecture material
Week 8 lecture materialWeek 8 lecture material
Week 8 lecture material
 
Week 4 lecture material cc (1)
Week 4 lecture material cc (1)Week 4 lecture material cc (1)
Week 4 lecture material cc (1)
 
Week 3 lecture material cc
Week 3 lecture material ccWeek 3 lecture material cc
Week 3 lecture material cc
 
Week 1 lecture material cc
Week 1 lecture material ccWeek 1 lecture material cc
Week 1 lecture material cc
 
Mod05lec24(resource mgmt i)
Mod05lec24(resource mgmt i)Mod05lec24(resource mgmt i)
Mod05lec24(resource mgmt i)
 
Mod05lec23(map reduce tutorial)
Mod05lec23(map reduce tutorial)Mod05lec23(map reduce tutorial)
Mod05lec23(map reduce tutorial)
 
Mod05lec22(cloudonomics tutorial)
Mod05lec22(cloudonomics tutorial)Mod05lec22(cloudonomics tutorial)
Mod05lec22(cloudonomics tutorial)
 
Mod05lec21(sla tutorial)
Mod05lec21(sla tutorial)Mod05lec21(sla tutorial)
Mod05lec21(sla tutorial)
 
Lecture29 cc-security4
Lecture29 cc-security4Lecture29 cc-security4
Lecture29 cc-security4
 
Lecture28 cc-security3
Lecture28 cc-security3Lecture28 cc-security3
Lecture28 cc-security3
 
Lecture 30 cloud mktplace
Lecture 30 cloud mktplaceLecture 30 cloud mktplace
Lecture 30 cloud mktplace
 
Week 7 lecture material
Week 7 lecture materialWeek 7 lecture material
Week 7 lecture material
 
Gurukul Cse cbcs-2015-16
Gurukul Cse cbcs-2015-16Gurukul Cse cbcs-2015-16
Gurukul Cse cbcs-2015-16
 
Microprocessor full hand made notes
Microprocessor full hand made notesMicroprocessor full hand made notes
Microprocessor full hand made notes
 
Transfer Leaning Using Pytorch synopsis Minor project pptx
Transfer Leaning Using Pytorch  synopsis Minor project pptxTransfer Leaning Using Pytorch  synopsis Minor project pptx
Transfer Leaning Using Pytorch synopsis Minor project pptx
 
Intro/Overview on Machine Learning Presentation -2
Intro/Overview on Machine Learning Presentation -2Intro/Overview on Machine Learning Presentation -2
Intro/Overview on Machine Learning Presentation -2
 
Intro/Overview on Machine Learning Presentation
Intro/Overview on Machine Learning PresentationIntro/Overview on Machine Learning Presentation
Intro/Overview on Machine Learning Presentation
 
Cloud computing ebook
Cloud computing ebookCloud computing ebook
Cloud computing ebook
 

Recently uploaded

Tachyon 100G PCB Performance Attributes and Applications
Tachyon 100G PCB Performance Attributes and ApplicationsTachyon 100G PCB Performance Attributes and Applications
Tachyon 100G PCB Performance Attributes and ApplicationsEpec Engineered Technologies
 
Introduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHIntroduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHC Sai Kiran
 
Technology Features of Apollo HDD Machine, Its Technical Specification with C...
Technology Features of Apollo HDD Machine, Its Technical Specification with C...Technology Features of Apollo HDD Machine, Its Technical Specification with C...
Technology Features of Apollo HDD Machine, Its Technical Specification with C...Apollo Techno Industries Pvt Ltd
 
nvidia AI-gtc 2024 partial slide deck.pptx
nvidia AI-gtc 2024 partial slide deck.pptxnvidia AI-gtc 2024 partial slide deck.pptx
nvidia AI-gtc 2024 partial slide deck.pptxjasonsedano2
 
Summer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdf
Summer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdfSummer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdf
Summer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdfNaveenVerma126
 
Power System electrical and electronics .pptx
Power System electrical and electronics .pptxPower System electrical and electronics .pptx
Power System electrical and electronics .pptxMUKULKUMAR210
 
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdfsdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdfJulia Kaye
 
Basic Principle of Electrochemical Sensor
Basic Principle of  Electrochemical SensorBasic Principle of  Electrochemical Sensor
Basic Principle of Electrochemical SensorTanvir Moin
 
Lecture 1: Basics of trigonometry (surveying)
Lecture 1: Basics of trigonometry (surveying)Lecture 1: Basics of trigonometry (surveying)
Lecture 1: Basics of trigonometry (surveying)Bahzad5
 
Renewable Energy & Entrepreneurship Workshop_21Feb2024.pdf
Renewable Energy & Entrepreneurship Workshop_21Feb2024.pdfRenewable Energy & Entrepreneurship Workshop_21Feb2024.pdf
Renewable Energy & Entrepreneurship Workshop_21Feb2024.pdfodunowoeminence2019
 
The relationship between iot and communication technology
The relationship between iot and communication technologyThe relationship between iot and communication technology
The relationship between iot and communication technologyabdulkadirmukarram03
 
IT3401-WEB ESSENTIALS PRESENTATIONS.pptx
IT3401-WEB ESSENTIALS PRESENTATIONS.pptxIT3401-WEB ESSENTIALS PRESENTATIONS.pptx
IT3401-WEB ESSENTIALS PRESENTATIONS.pptxSAJITHABANUS
 
SUMMER TRAINING REPORT ON BUILDING CONSTRUCTION.docx
SUMMER TRAINING REPORT ON BUILDING CONSTRUCTION.docxSUMMER TRAINING REPORT ON BUILDING CONSTRUCTION.docx
SUMMER TRAINING REPORT ON BUILDING CONSTRUCTION.docxNaveenVerma126
 
cloud computing notes for anna university syllabus
cloud computing notes for anna university syllabuscloud computing notes for anna university syllabus
cloud computing notes for anna university syllabusViolet Violet
 
Engineering Mechanics Chapter 5 Equilibrium of a Rigid Body
Engineering Mechanics  Chapter 5  Equilibrium of a Rigid BodyEngineering Mechanics  Chapter 5  Equilibrium of a Rigid Body
Engineering Mechanics Chapter 5 Equilibrium of a Rigid BodyAhmadHajasad2
 
Carbohydrates principles of biochemistry
Carbohydrates principles of biochemistryCarbohydrates principles of biochemistry
Carbohydrates principles of biochemistryKomakeTature
 

Recently uploaded (20)

Tachyon 100G PCB Performance Attributes and Applications
Tachyon 100G PCB Performance Attributes and ApplicationsTachyon 100G PCB Performance Attributes and Applications
Tachyon 100G PCB Performance Attributes and Applications
 
Litature Review: Research Paper work for Engineering
Litature Review: Research Paper work for EngineeringLitature Review: Research Paper work for Engineering
Litature Review: Research Paper work for Engineering
 
Introduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHIntroduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECH
 
Technology Features of Apollo HDD Machine, Its Technical Specification with C...
Technology Features of Apollo HDD Machine, Its Technical Specification with C...Technology Features of Apollo HDD Machine, Its Technical Specification with C...
Technology Features of Apollo HDD Machine, Its Technical Specification with C...
 
nvidia AI-gtc 2024 partial slide deck.pptx
nvidia AI-gtc 2024 partial slide deck.pptxnvidia AI-gtc 2024 partial slide deck.pptx
nvidia AI-gtc 2024 partial slide deck.pptx
 
Summer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdf
Summer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdfSummer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdf
Summer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdf
 
Power System electrical and electronics .pptx
Power System electrical and electronics .pptxPower System electrical and electronics .pptx
Power System electrical and electronics .pptx
 
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdfsdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
 
Basic Principle of Electrochemical Sensor
Basic Principle of  Electrochemical SensorBasic Principle of  Electrochemical Sensor
Basic Principle of Electrochemical Sensor
 
Lecture 1: Basics of trigonometry (surveying)
Lecture 1: Basics of trigonometry (surveying)Lecture 1: Basics of trigonometry (surveying)
Lecture 1: Basics of trigonometry (surveying)
 
Renewable Energy & Entrepreneurship Workshop_21Feb2024.pdf
Renewable Energy & Entrepreneurship Workshop_21Feb2024.pdfRenewable Energy & Entrepreneurship Workshop_21Feb2024.pdf
Renewable Energy & Entrepreneurship Workshop_21Feb2024.pdf
 
Lecture 2 .pdf
Lecture 2                           .pdfLecture 2                           .pdf
Lecture 2 .pdf
 
The relationship between iot and communication technology
The relationship between iot and communication technologyThe relationship between iot and communication technology
The relationship between iot and communication technology
 
IT3401-WEB ESSENTIALS PRESENTATIONS.pptx
IT3401-WEB ESSENTIALS PRESENTATIONS.pptxIT3401-WEB ESSENTIALS PRESENTATIONS.pptx
IT3401-WEB ESSENTIALS PRESENTATIONS.pptx
 
Présentation IIRB 2024 Chloe Dufrane.pdf
Présentation IIRB 2024 Chloe Dufrane.pdfPrésentation IIRB 2024 Chloe Dufrane.pdf
Présentation IIRB 2024 Chloe Dufrane.pdf
 
Présentation IIRB 2024 Marine Cordonnier.pdf
Présentation IIRB 2024 Marine Cordonnier.pdfPrésentation IIRB 2024 Marine Cordonnier.pdf
Présentation IIRB 2024 Marine Cordonnier.pdf
 
SUMMER TRAINING REPORT ON BUILDING CONSTRUCTION.docx
SUMMER TRAINING REPORT ON BUILDING CONSTRUCTION.docxSUMMER TRAINING REPORT ON BUILDING CONSTRUCTION.docx
SUMMER TRAINING REPORT ON BUILDING CONSTRUCTION.docx
 
cloud computing notes for anna university syllabus
cloud computing notes for anna university syllabuscloud computing notes for anna university syllabus
cloud computing notes for anna university syllabus
 
Engineering Mechanics Chapter 5 Equilibrium of a Rigid Body
Engineering Mechanics  Chapter 5  Equilibrium of a Rigid BodyEngineering Mechanics  Chapter 5  Equilibrium of a Rigid Body
Engineering Mechanics Chapter 5 Equilibrium of a Rigid Body
 
Carbohydrates principles of biochemistry
Carbohydrates principles of biochemistryCarbohydrates principles of biochemistry
Carbohydrates principles of biochemistry
 

Lecture27 cc-security2

  • 1. CLOUD COMPUTING CLOUD SECURITY II PROF. SOUMYA K. GHOSH DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING IIT KHARAGPUR
  • 2. Cloud Computing • Cloud computing is a new computing paradigm, involving data and/or computation outsourcing, with – Infinite and elastic resource scalability – On demand “just-in-time” provisioning – No upfront cost … pay-as-you-go • Use as much or as less you need, use only when you want, and pay only what you use 2
  • 3. Economic Advantages of Cloud Computing • For consumers: – No upfront commitment in buying/leasing hardware – Can scale usage according to demand – Minimizing start-up costs • Small scale companies and startups can reduce CAPEX (Capital Expenditure) • For providers: – Increased utilization of datacenter resources 3
  • 4. Why aren’t Everyone using Cloud? Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks 4
  • 6. Survey on Potential Cloud Barriers Source: IDC Ranking Security Challenges 6
  • 7. Why Cloud Computing brings New Threats? • Traditional system security mostly means keeping attackers out • The attacker needs to either compromise the authentication/access control system, or impersonate existing users • But cloud allows co-tenancy: Multiple independent users share the same physical infrastructure – An attacker can legitimately be in the same physical machine as the target • Customer’s lack of control over his own data and application. • Reputation fate-sharing 7
  • 8. Security Stack • IaaS: entire infrastructure from facilities to hardware • PaaS: application, middleware, database, messaging supported by IaaS – Customer-side system administrator manages the same with provider handling platform, infrastructure security • SaaS: self contained operating environment: content, presentation, apps, management – Service levels, security, governance, compliance, liability, expectations of the customer & provider are contractually defined IncreaseinProvider’sSecurity Responsibility IncreaseinCustomer’sSecurity Responsibility 8
  • 9. Sample Clouds Source: “Security Guidance for Critical Areas of Focus in Cloud Computing” v2.1, p.18 9
  • 10. Gartner’s Seven Cloud Computing Security Risks • Gartner: – http://www.gartner.com/technology/about.jsp – Cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues in areas such as e- discovery, regulatory compliance and auditing,” Gartner says • Security Risks – Privileged User Access – Regulatory Compliance & Audit – Data Location – Data Segregation – Recovery – Investigative Support – Long-term Viability 10
  • 11. Privileged User Access • Sensitive data processed outside the enterprise brings with it an inherent level of risk • Outsourced services bypass the “physical, logical and personnel controls” of traditional in-house deployments. • Get as much information as you can about the people who manage your data • “Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access,” Gartner says. 11
  • 12. Regulatory Compliance & Audit • Traditional service providers are subjected to external audits and security certifications. • Cloud computing providers who refuse to undergo this scrutiny are “signaling that customers can only use them for the most trivial functions,” according to Gartner. • Shared infrastructure – isolation of user-specific log • No customer-side auditing facility • Difficult to audit data held outside organization in a cloud – Forensics also made difficult since now clients don’t maintain data locally • Trusted third-party auditor? 12
  • 13. Data Location • Hosting of data, jurisdiction? • Data centers: located at geographically dispersed locations • Different jurisdiction & regulations – Laws for cross border data flows • Legal implications – Who is responsible for complying with regulations (e.g., SOX, HIPAA, etc.)? – If cloud provider subcontracts to third party clouds, will the data still be secure? 13
  • 14. Data Segregation • Data in the cloud is typically in a shared environment alongside data from other customers. • Encryption is effective but isn’t a cure-all. “Find out what is done to segregate data at rest,” Gartner advises. • Encrypt data in transit, needs to be decrypted at the time of processing – Possibility of interception • Secure key store – Protect encryption keys – Limit access to key stores – Key backup & recoverability • The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. • “Encryption accidents can make data totally unusable, and even normal encryption can complicate availability,” Gartner says. 14
  • 15. Recovery • Even if you don’t know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. • “Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure,” Gartner says. Ask your provider if it has “the ability to do a complete restoration, and how long it will take.” • Recovery Point Objective (RPO): The maximum amount of data that will be lost following an interruption or disaster. • Recovery Time Objective (RTO): The period of time allowed for recovery i.e., the time that is allowed to elapse between the disaster and the activation of the secondary site. • Backup frequency • Fault tolerance – Replication: mirroring/sharing data over disks which are located in separate physical locations to maintain consistency – Redundancy: duplication of critical components of a system with the intention of increasing reliability of the system, usually in the case of a backup or fail-safe. 15
  • 16. Investigative Support • Investigating inappropriate or illegal activity may be impossible in cloud computing • Monitoring – To eliminate the conflict of interest between the provider and the consumer, a neural third-party organization is the best solution to monitor performance. • Gartner warns. “Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers.” 16
  • 17. Long-term Viability • “Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application,” Gartner says. • When to switch cloud providers ? – Contract price increase – Provider bankruptcy – Provider service shutdown – Decrease in service quality – Business dispute • Problem: vendor lock-in 17
  • 18. Other Cloud Security Issues… • Virtualization • Access Control & Identity Management • Application Security • Data Life Cycle Management 18
  • 19. Virtualization • Components: – Virtual machine (VM) – Virtual machine manager (VMM) or hypervisor • Two types: – Full virtualization: VMs run on hypervisor that interacts with the hardware – Para virtualization: VMs interact with the host OS. • Major functionality: resource isolation • Hypervisor vulnerabilities: – Shared clipboard technology– transferring malicious programs from VMs to host 19
  • 20. Virtualization (contd…) • Hypervisor vulnerabilities: – Keystroke logging: Some VM technologies enable the logging of keystrokes and screen updates to be passed across virtual terminals in the virtual machine, writing to host files and permitting the monitoring of encrypted terminal connections inside the VM. – Virtual machine backdoors: covert communication channel – ARP Poisoning: redirect packets going to or from the other VM. • Hypervisor Risks – Rogue hypervisor rootkits • Initiate a ‘rogue’ hypervisor • Hide itself from normal malware detection systems • Create a covert channel to dump unauthorized code 20
  • 21. Virtualization (contd…) • Hypervisor Risks – External modification to the hypervisor • Poorly protected or designed hypervisor: source of attack • May be subjected to direct modification by the external intruder – VM escape • Improper configuration of VM • Allows malicious code to completely bypass the virtual environment, and obtain full root or kernel access to the physical host • Some vulnerable virtual machine applications: Vmchat, VMftp, Vmcat etc. – Denial-of-service risk • Threats: – Unauthorized access to virtual resources – loss of confidentiality, integrity, availability 21
  • 22. Access Control & Identity Management • Access control: similar to traditional in-house IT network • Proper access control: to address CIA tenets of information security • Prevention of identity theft – major challenge – Privacy issues raised via massive data mining • Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients • Identity Management (IDM) – authenticate users and services based on credentials and characteristics 22
  • 23. Application Security • Cloud applications – Web service based • Similar attacks: – Injection attacks: introduce malicious code to change the course of execution – XML Signature Element Wrapping: By this attack, the original body of an XML message is moved to a newly inserted wrapping element inside the SOAP header, and a new body is created. – Cross-Site Scripting (XSS): XSS enables attackers to inject client-side script into Web pages viewed by other users to bypass access controls. – Flooding: Attacker sending huge amount of request to a certain service and causing denial of service. – DNS poisoning and phishing: browser-based security issues – Metadata (WSDL) spoofing attacks: Such attack involves malicious reengineering of Web Services’ metadata description • Insecure communication channel 23
  • 24. Data Life Cycle Management • Data security – Confidentiality: • Will the sensitive data stored on a cloud remain confidential? • Will cloud compromise leak confidential client data (i.e., fear of loss of control over data) • Will the cloud provider itself be honest and won’t peek into the data? – Integrity: • How do I know that the cloud provider is doing the computations correctly? • How do I ensure that the cloud provider really stored my data without tampering with it? 24
  • 25. Data Life Cycle Management (contd.) • Availability • Will critical systems go down at the client, if the provider is attacked in a Denial of Service attack? • What happens if cloud provider goes out of business? • Data Location • All copies, backups stored only at location allowed by contract, SLA and/or regulation • Archive • Access latency 25