Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organizationcomprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloudinfrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Security concerns with SaaS layer of cloud computing
Security concerns with SaaS layer of Cloud computing Clinton D Souza CSE486 01/29/2013
OutlineCloud computing.Service and Deployment.SaaS layer.Cloud security structure.SaaS possible exploits.Security breaches.SaaS solution criteria.Conclusion.
Cloud computingA model for enabling : ubiquitous, convenient, on-demand network accessto a shared pool of configurable computing resources that canbe rapidly provisioned and released with minimal management. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf http://en.wikipedia.org/wiki/File:Cloud_computing.svg
Service models Infrastructure as a Service (IaaS). Platform as a Service (PaaS). Software as a Service (SaaS).http://lh6.ggpht.com/-t0mXLnfOQnM/ThMyEzI34LI/AAAAAAAAALU/6OLqERfVAu8/cloud-delivery-models_thumb%25255B4%25255D.png
Deployment modelsPublic cloud. Provisioned for open use by general public. Owned, managed and operated by business, academic or government organization or a combination. Exists on premises of cloud provider.Private cloud. Exclusive use by a single organization with multiple business units.Hybrid cloud. Composition of two or more cloud infrastructures. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
SaaS layerSoftware applications which are loaded in a cloud platform madeaccessible to consumers from various client devices.Consumer doesn’t manage or consume underlying cloud infrastructure. Service App Service App Service App (SaaS) (SaaS) (SaaS) Platform Business Service (PaaS) Tenant Data Service Management System Infrastructure (IaaS) Hardware Infrastructure (IaaS) http://ieeexplore.ieee.org.ezproxy1.lib.asu.edu/stamp/stamp.jsp?tp=&arnumber=5704104
SaaS possible exploitsTwo main points of entry into SaaS layer: User Point of Entry o Most common point of attack in a SaaS model Provider Point of EntryAn example query that exploits the vulnerability in mostdatabase servers like PostgresSQL and MySQL, which will grantthe attacker administrator privileges could be:<?php// $uid: or uid like %admin%$query = "UPDATE usertable SET pwd=... WHERE uid= or uid like %admin%;";// $pwd: hehehe, trusted=100, admin=yes$query = "UPDATE usertable SET pwd=hehehe, trusted=100, admin=yes WHERE...;";?> http://php.net/manual/en/security.database.sql-injection.php
SaaS attack typesThe most common attacksassociated with SaaSmodel in a public cloud •Denial of Serviceinfrastructure. Availability •Account lockout •Buffer-overflowThey are divided into the •Cross-site scriptingfollowing four groups: Data Security •Access control weakness •Privilege escalation •Network Penetration Network Security •Session Hijacking •Data Packet Interception Identity Management •Authentication Weakness •Insecure Trust SaaS (Software as a Service) vulnerabilities
Recent security breachesData breach at Microsoft highlights security problem inSaaS .Panda Security hacked by Antisec.Zero-Day vulnerability found in McAfee’s SaaS products.
McAfee Security breachZero-Day Vulnerability Found in McAfee’s SaaS Products ( April 2011) Attacker can execute arbitrary code by exploiting the flaw if victim visits a malicious page or open the file. Common Vulnerability Scoring System score it to be 9 out of 10 maximum. Method will accept commands that are passed to a function that simply executes them without authentication. McAfee SaaS includes: Email Protection (Protection against viruses and spam) McAfee Integrated Suites (Protection against viruses, web threats, etc…) Patch released in August 2011. http://news.softpedia.com/news/Zero-Day-Vulnerability-Found-in-McAfee-s-SaaS-Products-247051.shtml
SaaS solution criteriaReliability.Effectiveness.Performance.Flexibility.Control.Privacy and Security.Total Cost of Ownership (TCO). http://www.websense.net/assets/white-papers/whitepaper-seven-criteria-for-evaluation-security-as-a-service-solutions-en.pdf
ConclusionCloud computing models are relatively new and are thussusceptible to vulnerabilities.SaaS layer in a public cloud is more vulnerable to attacks due toaccess by users.The type of attacks on SaaS products remain the same but theintensity of the breach increases.A number of sercuity criteria needs to be considered whiledeveloping a SaaS application.