SlideShare a Scribd company logo

Cloud Cmputing Security

•Download as PPTX, PDF•
•
D
Devyani Vaidya

This ppt contain the information about Cloud Computing S ecurity

Education
1 of 51
Deconstructing Cloud Computing Devyani Bharat Vaidya Polytechnic Student
The Problem with Emerging Technologies • No history of vulnerabilities and attacks to fall back o n • No institutional knowledge • “I need the security requirements by 5 pm today” • Will it be sustaining/evolutionary, disruptive, or simp ly fail? • Easy to get bogged down in the new stuff, and forget the fundamentals!
NIST Definition • On-demand self-service. • Broad network access. • Resource pooling. • Rapid elasticity. • Measured Service. • Does this really help us as auditors and security profe ssionals?
Architecture and Service Definitions • Three Cloud Service Delivery Models: 1. Infrastructure as a Service (IaaS) 2. Platform as a Service (PaaS) 3. Software as a Service (SaaS) • Four Cloud Service Deployment Models 1. Public 2. Private 3. Community 4. Hybrid
CSA Cloud Reference Model
Hypervisors • Runs multiple instances of an OS (or multiple OSes) on shared hardware • Native or “bare metal” – PR/SM on the IBM System 370 (1972!) – VMWare ESXi – Microsoft Hyper-V • Host based – Virtual PC – VMWare Server – Parallels • Can use direct physical storage and/or virtual disks • Mainly used for IaaS and PaaS
Native Hypervisor
What is Important Here? • Know where your organization ends and the other b egins – Patching, software licensing, data retention, etc. • Make sure that there is documented responsibility fo r EVERY layer in the cloud stack – “Hey man, it’s my responsibility to patch the hypervisors n ot the OSes.”
Threat Modeling 101 • Systematic way to develop requirements, test plans and testing tools • Three basic ways to approach a threat model: attack focused, asset focused, design focused • Model can be represented in many ways, including U ML, attack trees, and data flow diagrams • Microsoft Security Development Life Cycle (SDL), OC TAVE, Trike • Pick and choose what works best for your organizati on.
Examples
Cloud Computing Threat Model ENISA Cloud Computing Risk Assessment
Threat Model • Risk 1: Resource Exhaustion* • Risk 2: Customer Isolation Failure* • Risk 3: Management Interface Compromise • Risk 4: Interception of Data in Transmission • Risk 5: Data leakage on Upload/Download, Intra-clou d
Threat Model • Risk 6: Insecure or Ineffective Deletion of Data* • Risk 7: Distributed Denial of Service (DDoS) • Risk 8: Economic Denial of Service* • Risk 9: Loss or Compromise of Encryption Keys • Risk 10: Malicious Probes or Scans
Threat Model • Risk 11: Compromise of Service Engine/Hypervisor* • Risk 12: Conflicts between customer hardening proce dures and cloud environment • Risk 13: Subpoena and E-Discovery* • Risk 14: Risk from Changes of Jurisdiction* • Risk 15: Licensing Risks*
Threat Model • Risk 16: Network Failure • Risk 17: Networking Management • Risk 18: Modification of Network Traffic • Risk 19: Privilege Escalation* • Risk 20: Social Engineering Attacks
Threat Model • Risk 21: Loss or Compromise of Operation Logs • Risk 22: Loss or compromise of Security Logs • Risk 23: Backups Lost or Stolen • Risk 23: Unauthorized Access to Premises, Including Physical Access to Machines and Other Facilities • Risk 25: Theft of Computer Equipment.*
AAA • Insecure storage of cloud access credentials by custo mer • Insufficient roles available • Credentials stored on a transitory machine • Password-based authentication may become insuffici ent – Strong or two-factor authentication for accessing cloud res ources will be necessary
User Provisioning • Customer cannot control provisioning process • Identity of customer or billing information is not adequately v erified at registration • Delays in synchronization between cloud system components • Multiple, unsynchronized copies of identity data are made • Credentials are vulnerable to interception and replay • De-provisioned credentials are still valid due to time delays in roll-out of revocation
Remote Access To Management Interface • Allows vulnerabilities in end-point machines to comp romise the cloud infrastructure (single customer or C P) through, for example, weak authentication of resp onses and requests.
Hypervisor • Exploiting the hypervisor potentially means exploitin g every VM! • Guest to host escape • VM hopping • Virtual machine-based rootkits
Lack of Resource Isolation • Side channel attacks • Shared storage • Insecure APIs • Lack of tools to enforce resource utilization
Lack of Reputation Isolation • Activities from one customer impact the reputation of another customer • And can impact the reputation of the CP
Communication Encryption • Reading data in transit via MITM attacks • Poor authentication • Acceptance of self-signed certificates
Weak or No Encryption • Data in transit • Data held in archives and databases • Un-mounted virtual machine images • Forensic images and data, sensitive logs and other da ta at rest puts customer data at risk
Unable to Process Data in Encrypted Form • Encrypting data at rest is easy, but implementing homomorph ic encryption is not -- there is little prospect of any commercia l system being able to maintain data encryption during proces sing. • Bruce Schneier estimates that performing a web search with e ncrypted keywords would increase the amount of computing time by about a trillion.
Poor Encryption Key Management • Hardware security modules (HSM) required in multip le locations • Key management interfaces which are accessible via the public Internet • The rapid scaling of certificate authorities issuing key pairs to new virtual machines • Revocation of keys for decommissioned virtual machi nes
Low Entropy for Random Number Generation • The combination of standard system images, virtualiz ation technologies and a lack of input devices means that virtual systems have much less entropy than ph ysical RNGs!
Inaccurate Modeling of Resource Usage • Overbooking or over-provisioning • Failure of resource allocation algorithms due to extra ordinary events (e.g., outlying news events for conte nt delivery). • Failure of resource allocation algorithms using job or packet classification because resources are poorly cla ssified. • Failures in overall resource provisioning (as opposed to temporary overloads)
No Control of Vulnerability Assessment Process • Restrictions on port scanning and vulnerability testin g are an important vulnerability which, combined wit h a AUP which places responsibility on the customer for securing elements of the infrastructure, is a serio us security problem.
Internal (Cloud) Network Probing • Cloud customers can perform port scans and other t ests on other customers within the internal network.
Co-residence Checks • Side-channel attacks exploiting a lack of resource isol ation allow attackers to determine which resources a re shared by which customers.
Lack of Forensic Readiness • While the cloud has the potential to improve forensi c readiness, many providers do not provide appropri ate services and terms of use to enable this.
Media Sanitization • Shared tenancy of physical storage resources means that sensitive data may leak because data destructio n policies may be impossible to implement • Media cannot be physically destroyed because a disk is still being used by another tenant • Customer storage cannot be located or tracked as it moves through the cloud
SLA • Clauses with conflicting promises to different stakeh olders • Clauses may also be in conflict with promises made b y other clauses or clauses from other providers.
Audit or Certification Not Available to Customers • The CP cannot provide any assurance to the custome r via audit certification. • Open source hypervisors or customized versions of t hem (e.g., Xen) may not have Common Criteria certifi cation, etc.
Certification Schemes Not Adapted to Cloud • Very few if any cloud-specific control, which means t hat security vulnerabilities are likely to be missed.
Inadequate Resource Provisioning and Investme nts in Infrastructure • Infrastructure investments take time. If predictive m odels fail, the cloud provider service can fail for a lon g period.
No Policies for Resource Capping • If there is not a flexible and configurable way for the customer and/or the cloud provider to set limits on r esources, this can be problematic when resource use is unpredictable.
Storage of Data in Multiple Jurisdictions • Mirroring data for delivery by edge networks and red undant storage without real-time information availa ble to the customer of where data is stored.
Lack of Information on Jurisdictions • Data may be stored and/or processed in high risk juri sdictions where it is vulnerable to confiscation by for ced entry.
Lack of Cloud Security Awareness • Cloud customers and providers are not aware of the risks they could face when migrating into the cloud, particularly those risks that are generated from cloud specific threats, i.e. loss of control, vendor lock-in, ex hausted CP resources, etc.
Lack of Vetting Processes • Since there may be very high privilege roles within cl oud providers, due to the scale involved, the lack or i nadequate vetting of the risk profile of staff with suc h roles is an important vulnerability.
Unclear Roles and Responsibilities • Inadequate definition of roles and responsibilities in the cloud provider organization.
Poor Enforcement of Role Definitions • Within the cloud provider, a failure to segregate role s may lead to excessively privileged roles which can make extremely large systems vulnerable.
Need-to-know Principle Not Applied • Poorly defined roles and responsibilities • Parties should not be given unnecessary access to da ta.
Inadequate Physical Security Procedures • Lack of physical perimeter controls (smart card authe ntication at entry); • Lack of electromagnetic shielding for critical assets v ulnerable to eavesdropping.
Mismanagement • System or OS vulnerabilities • Untrusted software • Lack of - or a poor and untested - business continuity and disaster recover y plan • Lack of - or incomplete or inaccurate - asset inventory • Lack of - or poor or inadequate - asset classification • Unclear asset ownership
Poor Identification of Project Requirements • Lack of consideration of security and legal complianc e requirements • No systems and applications user involvement • Unclear or inadequate business requirements.
Application Vulnerabilities and Poor Patch Mana gement • Bugs in the application code • Conflicting patching procedures between provider an d customer • Application of untested patches • Vulnerabilities in browsers • Dormant virtual machines • Outdated virtual machine templates
Additional Vulnerabilities • Resource consumption vulnerabilities • Breach of NDA by provider • Liability from data loss (cp) • Lack of policy or poor procedures for logs collection and retention • Inadequate or misconfigured filtering resources
Resources • ENISA -- Cloud Computing Risk Assessment: http://www.enisa. europa.eu/act/rm/files/deliverables/cloud-computing-risk-ass essment • NIST Cloud Computing: http://csrc.nist.gov/groups/SNS/cloud -computing/ • Cloud Security Alliance: http://www.cloudsecurityalliance.org / • Microsoft SDL: http://www.microsoft.com/security/sdl/ • OCTAVE: http://www.cert.org/octave/ • QwestBusiness Blog: http://www.qwest.com/business/blog/

Recommended

Gary Homeland Security Presentation 102114
Gary Homeland Security Presentation 102114Gary Homeland Security Presentation 102114
Gary Homeland Security Presentation 102114Gary Dischner
 
Lecture26 cc-security1
Lecture26 cc-security1Lecture26 cc-security1
Lecture26 cc-security1Ankit Gupta
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updatedInfosecTrain
 
Week 3 lecture material cc
Week 3 lecture material ccWeek 3 lecture material cc
Week 3 lecture material ccAnkit Gupta
 
Datacenter 2014: Symantec - Peter Schjøtt
Datacenter 2014: Symantec - Peter SchjøttDatacenter 2014: Symantec - Peter Schjøtt
Datacenter 2014: Symantec - Peter SchjøttMediehuset Ingeniøren Live
 
Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)Blue Teamer
 
PACE-IT: Network Access Control
PACE-IT: Network Access ControlPACE-IT: Network Access Control
PACE-IT: Network Access ControlPace IT at Edmonds Community College
 
DDoS Defenses | DDoS Protection and Mitigation | MazeBolt
DDoS Defenses | DDoS Protection and Mitigation | MazeBoltDDoS Defenses | DDoS Protection and Mitigation | MazeBolt
DDoS Defenses | DDoS Protection and Mitigation | MazeBoltMazeBolt Technologies
 

Recommended

Gary Homeland Security Presentation 102114
Gary Homeland Security Presentation 102114Gary Homeland Security Presentation 102114
Gary Homeland Security Presentation 102114Gary Dischner
 
Lecture26 cc-security1
Lecture26 cc-security1Lecture26 cc-security1
Lecture26 cc-security1Ankit Gupta
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updatedInfosecTrain
 
Week 3 lecture material cc
Week 3 lecture material ccWeek 3 lecture material cc
Week 3 lecture material ccAnkit Gupta
 
Datacenter 2014: Symantec - Peter Schjøtt
Datacenter 2014: Symantec - Peter SchjøttDatacenter 2014: Symantec - Peter Schjøtt
Datacenter 2014: Symantec - Peter SchjøttMediehuset Ingeniøren Live
 
Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)Blue Teamer
 
PACE-IT: Network Access Control
PACE-IT: Network Access ControlPACE-IT: Network Access Control
PACE-IT: Network Access ControlPace IT at Edmonds Community College
 
DDoS Defenses | DDoS Protection and Mitigation | MazeBolt
DDoS Defenses | DDoS Protection and Mitigation | MazeBoltDDoS Defenses | DDoS Protection and Mitigation | MazeBolt
DDoS Defenses | DDoS Protection and Mitigation | MazeBoltMazeBolt Technologies
 
Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4Integral university, India
 
Brian updated resume
Brian updated resumeBrian updated resume
Brian updated resumeBrian Simon
 
Automatic DDoS Attack Simulator | MazeBolt Technologies
Automatic DDoS Attack Simulator | MazeBolt TechnologiesAutomatic DDoS Attack Simulator | MazeBolt Technologies
Automatic DDoS Attack Simulator | MazeBolt TechnologiesMazeBolt Technologies
 
Common Types of DDoS Attacks | MazeBolt Technologies
Common Types of DDoS Attacks | MazeBolt TechnologiesCommon Types of DDoS Attacks | MazeBolt Technologies
Common Types of DDoS Attacks | MazeBolt TechnologiesMazeBolt Technologies
 
Secure Cloud Issues
Secure Cloud IssuesSecure Cloud Issues
Secure Cloud IssuesDevyani Vaidya
 
Software Security
Software SecuritySoftware Security
Software SecurityIntegral university, India
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerSameer Paradia
 
Cloud Computing security Challenges for Defense Forces
Cloud Computing security Challenges for Defense ForcesCloud Computing security Challenges for Defense Forces
Cloud Computing security Challenges for Defense Forcescommandersaini
 
Why DDoS RADAR | MazeBolt Technologies
Why DDoS RADAR | MazeBolt TechnologiesWhy DDoS RADAR | MazeBolt Technologies
Why DDoS RADAR | MazeBolt TechnologiesMazeBolt Technologies
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3Eoin Keary
 
Unit4
Unit4Unit4
Unit4Integral university, India
 
Migrating To Cloud & Security @ FOBE 2011
Migrating To Cloud & Security @ FOBE 2011Migrating To Cloud & Security @ FOBE 2011
Migrating To Cloud & Security @ FOBE 2011commandersaini
 
cloud Resilience
cloud Resilience cloud Resilience
cloud Resilience Integral university, India
 
DDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBolt
DDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBoltDDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBolt
DDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBoltMazeBolt Technologies
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
CLR Resume'
CLR Resume'CLR Resume'
CLR Resume'Clay Ramsey
 
08252016 John D Resume ITIL PMP CISSP CSM CISA1
08252016 John D Resume ITIL PMP CISSP CSM CISA108252016 John D Resume ITIL PMP CISSP CSM CISA1
08252016 John D Resume ITIL PMP CISSP CSM CISA1jjdoylecomcast
 
Injection techniques conversys
Injection techniques conversysInjection techniques conversys
Injection techniques conversysKrishnendu Paul
 
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJNIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJSherry Jones
 
Ppt on open and close door using Applet
Ppt on open and close door using Applet Ppt on open and close door using Applet
Ppt on open and close door using Applet Devyani Vaidya
 
Seminar on telephone directory
Seminar on telephone directorySeminar on telephone directory
Seminar on telephone directoryDevyani Vaidya
 

More Related Content

What's hot

Brian updated resume
Brian updated resumeBrian updated resume
Brian updated resumeBrian Simon
 
Automatic DDoS Attack Simulator | MazeBolt Technologies
Automatic DDoS Attack Simulator | MazeBolt TechnologiesAutomatic DDoS Attack Simulator | MazeBolt Technologies
Automatic DDoS Attack Simulator | MazeBolt TechnologiesMazeBolt Technologies
 
Common Types of DDoS Attacks | MazeBolt Technologies
Common Types of DDoS Attacks | MazeBolt TechnologiesCommon Types of DDoS Attacks | MazeBolt Technologies
Common Types of DDoS Attacks | MazeBolt TechnologiesMazeBolt Technologies
 
Secure Cloud Issues
Secure Cloud IssuesSecure Cloud Issues
Secure Cloud IssuesDevyani Vaidya
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerSameer Paradia
 
Cloud Computing security Challenges for Defense Forces
Cloud Computing security Challenges for Defense ForcesCloud Computing security Challenges for Defense Forces
Cloud Computing security Challenges for Defense Forcescommandersaini
 
Why DDoS RADAR | MazeBolt Technologies
Why DDoS RADAR | MazeBolt TechnologiesWhy DDoS RADAR | MazeBolt Technologies
Why DDoS RADAR | MazeBolt TechnologiesMazeBolt Technologies
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3Eoin Keary
 
Migrating To Cloud & Security @ FOBE 2011
Migrating To Cloud & Security @ FOBE 2011Migrating To Cloud & Security @ FOBE 2011
Migrating To Cloud & Security @ FOBE 2011commandersaini
 
DDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBolt
DDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBoltDDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBolt
DDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBoltMazeBolt Technologies
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
CLR Resume'
CLR Resume'CLR Resume'
CLR Resume'Clay Ramsey
 
08252016 John D Resume ITIL PMP CISSP CSM CISA1
08252016 John D Resume ITIL PMP CISSP CSM CISA108252016 John D Resume ITIL PMP CISSP CSM CISA1
08252016 John D Resume ITIL PMP CISSP CSM CISA1jjdoylecomcast
 
Injection techniques conversys
Injection techniques conversysInjection techniques conversys
Injection techniques conversysKrishnendu Paul
 
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJNIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJSherry Jones
 

What's hot (20)

Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4
 
Brian updated resume
Brian updated resumeBrian updated resume
Brian updated resume
 
Automatic DDoS Attack Simulator | MazeBolt Technologies
Automatic DDoS Attack Simulator | MazeBolt TechnologiesAutomatic DDoS Attack Simulator | MazeBolt Technologies
Automatic DDoS Attack Simulator | MazeBolt Technologies
 
Common Types of DDoS Attacks | MazeBolt Technologies
Common Types of DDoS Attacks | MazeBolt TechnologiesCommon Types of DDoS Attacks | MazeBolt Technologies
Common Types of DDoS Attacks | MazeBolt Technologies
 
Secure Cloud Issues
Secure Cloud IssuesSecure Cloud Issues
Secure Cloud Issues
 
Software Security
Software SecuritySoftware Security
Software Security
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developer
 
Cloud Computing security Challenges for Defense Forces
Cloud Computing security Challenges for Defense ForcesCloud Computing security Challenges for Defense Forces
Cloud Computing security Challenges for Defense Forces
 
Why DDoS RADAR | MazeBolt Technologies
Why DDoS RADAR | MazeBolt TechnologiesWhy DDoS RADAR | MazeBolt Technologies
Why DDoS RADAR | MazeBolt Technologies
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
Unit4
Unit4Unit4
Unit4
 
Migrating To Cloud & Security @ FOBE 2011
Migrating To Cloud & Security @ FOBE 2011Migrating To Cloud & Security @ FOBE 2011
Migrating To Cloud & Security @ FOBE 2011
 
cloud Resilience
cloud Resilience cloud Resilience
cloud Resilience
 
DDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBolt
DDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBoltDDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBolt
DDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBolt
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
CLR Resume'
CLR Resume'CLR Resume'
CLR Resume'
 
08252016 John D Resume ITIL PMP CISSP CSM CISA1
08252016 John D Resume ITIL PMP CISSP CSM CISA108252016 John D Resume ITIL PMP CISSP CSM CISA1
08252016 John D Resume ITIL PMP CISSP CSM CISA1
 
Injection techniques conversys
Injection techniques conversysInjection techniques conversys
Injection techniques conversys
 
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJNIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
 

Viewers also liked

Ppt on open and close door using Applet
Ppt on open and close door using Applet Ppt on open and close door using Applet
Ppt on open and close door using Applet Devyani Vaidya
 
Seminar on telephone directory
Seminar on telephone directorySeminar on telephone directory
Seminar on telephone directoryDevyani Vaidya
 
Fuels Saver System
Fuels Saver SystemFuels Saver System
Fuels Saver SystemDevyani Vaidya
 
Wireless mobile charging using microwaves
Wireless mobile charging using microwavesWireless mobile charging using microwaves
Wireless mobile charging using microwavesDevyani Vaidya
 
Ppt on use of biomatrix in secure e trasaction
Ppt on use of biomatrix in secure e trasactionPpt on use of biomatrix in secure e trasaction
Ppt on use of biomatrix in secure e trasactionDevyani Vaidya
 
Energy Harvesing Through Reverse Electrowetting
Energy Harvesing Through Reverse Electrowetting Energy Harvesing Through Reverse Electrowetting
Energy Harvesing Through Reverse Electrowetting Devyani Vaidya
 
Table of contents blue brain
Table of contents blue brainTable of contents blue brain
Table of contents blue brainkoustuba
 
Wireless Charging Of Mobile
Wireless Charging Of Mobile Wireless Charging Of Mobile
Wireless Charging Of Mobile Devyani Vaidya
 
History of Laptop
History of LaptopHistory of Laptop
History of LaptopDevyani Vaidya
 
Data As A Service
Data As A ServiceData As A Service
Data As A ServiceDevyani Vaidya
 
Wireless network
Wireless networkWireless network
Wireless networkDevyani Vaidya
 
Environmental law
Environmental lawEnvironmental law
Environmental lawDevyani Vaidya
 
Resource management
Resource managementResource management
Resource managementDevyani Vaidya
 
Data warehousing
Data warehousingData warehousing
Data warehousingDevyani Vaidya
 
Applet programming
Applet programming Applet programming
Applet programming Devyani Vaidya
 
Mobile Phone Cloning
Mobile Phone Cloning Mobile Phone Cloning
Mobile Phone CloningDevyani Vaidya
 

Viewers also liked (20)

Ppt on open and close door using Applet
Ppt on open and close door using Applet Ppt on open and close door using Applet
Ppt on open and close door using Applet
 
Seminar on telephone directory
Seminar on telephone directorySeminar on telephone directory
Seminar on telephone directory
 
Fuels Saver System
Fuels Saver SystemFuels Saver System
Fuels Saver System
 
Wireless mobile charging using microwaves
Wireless mobile charging using microwavesWireless mobile charging using microwaves
Wireless mobile charging using microwaves
 
Secued Cloud
Secued Cloud Secued Cloud
Secued Cloud
 
Ppt on use of biomatrix in secure e trasaction
Ppt on use of biomatrix in secure e trasactionPpt on use of biomatrix in secure e trasaction
Ppt on use of biomatrix in secure e trasaction
 
secued cloud
secued cloud secued cloud
secued cloud
 
Energy Harvesing Through Reverse Electrowetting
Energy Harvesing Through Reverse Electrowetting Energy Harvesing Through Reverse Electrowetting
Energy Harvesing Through Reverse Electrowetting
 
Table of contents blue brain
Table of contents blue brainTable of contents blue brain
Table of contents blue brain
 
Wireless Charging Of Mobile
Wireless Charging Of Mobile Wireless Charging Of Mobile
Wireless Charging Of Mobile
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
History of Laptop
History of LaptopHistory of Laptop
History of Laptop
 
Data As A Service
Data As A ServiceData As A Service
Data As A Service
 
Wireless network
Wireless networkWireless network
Wireless network
 
Digital Locker
Digital LockerDigital Locker
Digital Locker
 
Environmental law
Environmental lawEnvironmental law
Environmental law
 
Resource management
Resource managementResource management
Resource management
 
Data warehousing
Data warehousingData warehousing
Data warehousing
 
Applet programming
Applet programming Applet programming
Applet programming
 
Mobile Phone Cloning
Mobile Phone Cloning Mobile Phone Cloning
Mobile Phone Cloning
 

Similar to Cloud Cmputing Security

Lecture27 cc-security2
Lecture27 cc-security2Lecture27 cc-security2
Lecture27 cc-security2Ankit Gupta
 
Myths of validation
Myths of validationMyths of validation
Myths of validationJeff Thomas
 
Block Chain audit-Cloud Data Storagequad merkle-1-1.pptx
Block Chain audit-Cloud Data Storagequad merkle-1-1.pptxBlock Chain audit-Cloud Data Storagequad merkle-1-1.pptx
Block Chain audit-Cloud Data Storagequad merkle-1-1.pptxPadmaNaban32
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...David Wallom
 
Software Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE projectSoftware Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE projectATMOSPHERE .
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...David Wallom
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud ComputingFalgun Rathod
 
Trust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud providerTrust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud providerDavid Wallom
 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!centralohioissa
 
Cloud complete
Cloud completeCloud complete
Cloud completeNavriti
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Mark Williams
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.pptssuser3be95f
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.pptNaradaDilshan
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.pptSameer Ali
 
cloud-complete power point presentation for digital signature
cloud-complete power point presentation for digital signaturecloud-complete power point presentation for digital signature
cloud-complete power point presentation for digital signatureArunsunaiComputer
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.pptImpactGenshin3
 

Similar to Cloud Cmputing Security (20)

Lecture27 cc-security2
Lecture27 cc-security2Lecture27 cc-security2
Lecture27 cc-security2
 
Myths of validation
Myths of validationMyths of validation
Myths of validation
 
Block Chain audit-Cloud Data Storagequad merkle-1-1.pptx
Block Chain audit-Cloud Data Storagequad merkle-1-1.pptxBlock Chain audit-Cloud Data Storagequad merkle-1-1.pptx
Block Chain audit-Cloud Data Storagequad merkle-1-1.pptx
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...
 
Software Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE projectSoftware Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE project
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
 
Trust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud providerTrust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud provider
 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!
 
Cloud complete
Cloud completeCloud complete
Cloud complete
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.ppt
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.ppt
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.ppt
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.ppt
 
Cloud complete
Cloud completeCloud complete
Cloud complete
 
cloud-complete power point presentation for digital signature
cloud-complete power point presentation for digital signaturecloud-complete power point presentation for digital signature
cloud-complete power point presentation for digital signature
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.ppt
 

More from Devyani Vaidya

Fundamental file structure concepts & managing files of records
Fundamental file structure concepts & managing files of recordsFundamental file structure concepts & managing files of records
Fundamental file structure concepts & managing files of recordsDevyani Vaidya
 
Cosequential processing and the sorting of large files
Cosequential processing and the sorting of large filesCosequential processing and the sorting of large files
Cosequential processing and the sorting of large filesDevyani Vaidya
 
Introduction to the design and specification of file structures
Introduction to the design and specification of file structuresIntroduction to the design and specification of file structures
Introduction to the design and specification of file structuresDevyani Vaidya
 
Barcode Technology
Barcode TechnologyBarcode Technology
Barcode TechnologyDevyani Vaidya
 
Bigtable a distributed storage system
Bigtable a distributed storage systemBigtable a distributed storage system
Bigtable a distributed storage systemDevyani Vaidya
 

More from Devyani Vaidya (9)

Hashing
HashingHashing
Hashing
 
Fundamental file structure concepts & managing files of records
Fundamental file structure concepts & managing files of recordsFundamental file structure concepts & managing files of records
Fundamental file structure concepts & managing files of records
 
Cosequential processing and the sorting of large files
Cosequential processing and the sorting of large filesCosequential processing and the sorting of large files
Cosequential processing and the sorting of large files
 
Introduction to the design and specification of file structures
Introduction to the design and specification of file structuresIntroduction to the design and specification of file structures
Introduction to the design and specification of file structures
 
Barcode Technology
Barcode TechnologyBarcode Technology
Barcode Technology
 
3D- Doctor
3D- Doctor3D- Doctor
3D- Doctor
 
3D-Password
3D-Password 3D-Password
3D-Password
 
Cloud Security
Cloud Security Cloud Security
Cloud Security
 
Bigtable a distributed storage system
Bigtable a distributed storage systemBigtable a distributed storage system
Bigtable a distributed storage system
 

Recently uploaded

Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.arsicmarija21
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupJonathanParaisoCruz
 
MICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxMICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxabhijeetpadhi001
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitolTechU
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 

Recently uploaded (20)

Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
 
MICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxMICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptx
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 

Cloud Cmputing Security

  • 1. Deconstructing Cloud Computing Devyani Bharat Vaidya Polytechnic Student
  • 2. The Problem with Emerging Technologies • No history of vulnerabilities and attacks to fall back o n • No institutional knowledge • “I need the security requirements by 5 pm today” • Will it be sustaining/evolutionary, disruptive, or simp ly fail? • Easy to get bogged down in the new stuff, and forget the fundamentals!
  • 3. NIST Definition • On-demand self-service. • Broad network access. • Resource pooling. • Rapid elasticity. • Measured Service. • Does this really help us as auditors and security profe ssionals?
  • 4. Architecture and Service Definitions • Three Cloud Service Delivery Models: 1. Infrastructure as a Service (IaaS) 2. Platform as a Service (PaaS) 3. Software as a Service (SaaS) • Four Cloud Service Deployment Models 1. Public 2. Private 3. Community 4. Hybrid
  • 6. Hypervisors • Runs multiple instances of an OS (or multiple OSes) on shared hardware • Native or “bare metal” – PR/SM on the IBM System 370 (1972!) – VMWare ESXi – Microsoft Hyper-V • Host based – Virtual PC – VMWare Server – Parallels • Can use direct physical storage and/or virtual disks • Mainly used for IaaS and PaaS
  • 8. What is Important Here? • Know where your organization ends and the other b egins – Patching, software licensing, data retention, etc. • Make sure that there is documented responsibility fo r EVERY layer in the cloud stack – “Hey man, it’s my responsibility to patch the hypervisors n ot the OSes.”
  • 9. Threat Modeling 101 • Systematic way to develop requirements, test plans and testing tools • Three basic ways to approach a threat model: attack focused, asset focused, design focused • Model can be represented in many ways, including U ML, attack trees, and data flow diagrams • Microsoft Security Development Life Cycle (SDL), OC TAVE, Trike • Pick and choose what works best for your organizati on.
  • 11. Cloud Computing Threat Model ENISA Cloud Computing Risk Assessment
  • 12. Threat Model • Risk 1: Resource Exhaustion* • Risk 2: Customer Isolation Failure* • Risk 3: Management Interface Compromise • Risk 4: Interception of Data in Transmission • Risk 5: Data leakage on Upload/Download, Intra-clou d
  • 13. Threat Model • Risk 6: Insecure or Ineffective Deletion of Data* • Risk 7: Distributed Denial of Service (DDoS) • Risk 8: Economic Denial of Service* • Risk 9: Loss or Compromise of Encryption Keys • Risk 10: Malicious Probes or Scans
  • 14. Threat Model • Risk 11: Compromise of Service Engine/Hypervisor* • Risk 12: Conflicts between customer hardening proce dures and cloud environment • Risk 13: Subpoena and E-Discovery* • Risk 14: Risk from Changes of Jurisdiction* • Risk 15: Licensing Risks*
  • 15. Threat Model • Risk 16: Network Failure • Risk 17: Networking Management • Risk 18: Modification of Network Traffic • Risk 19: Privilege Escalation* • Risk 20: Social Engineering Attacks
  • 16. Threat Model • Risk 21: Loss or Compromise of Operation Logs • Risk 22: Loss or compromise of Security Logs • Risk 23: Backups Lost or Stolen • Risk 23: Unauthorized Access to Premises, Including Physical Access to Machines and Other Facilities • Risk 25: Theft of Computer Equipment.*
  • 17. AAA • Insecure storage of cloud access credentials by custo mer • Insufficient roles available • Credentials stored on a transitory machine • Password-based authentication may become insuffici ent – Strong or two-factor authentication for accessing cloud res ources will be necessary
  • 18. User Provisioning • Customer cannot control provisioning process • Identity of customer or billing information is not adequately v erified at registration • Delays in synchronization between cloud system components • Multiple, unsynchronized copies of identity data are made • Credentials are vulnerable to interception and replay • De-provisioned credentials are still valid due to time delays in roll-out of revocation
  • 19. Remote Access To Management Interface • Allows vulnerabilities in end-point machines to comp romise the cloud infrastructure (single customer or C P) through, for example, weak authentication of resp onses and requests.
  • 20. Hypervisor • Exploiting the hypervisor potentially means exploitin g every VM! • Guest to host escape • VM hopping • Virtual machine-based rootkits
  • 21. Lack of Resource Isolation • Side channel attacks • Shared storage • Insecure APIs • Lack of tools to enforce resource utilization
  • 22. Lack of Reputation Isolation • Activities from one customer impact the reputation of another customer • And can impact the reputation of the CP
  • 23. Communication Encryption • Reading data in transit via MITM attacks • Poor authentication • Acceptance of self-signed certificates
  • 24. Weak or No Encryption • Data in transit • Data held in archives and databases • Un-mounted virtual machine images • Forensic images and data, sensitive logs and other da ta at rest puts customer data at risk
  • 25. Unable to Process Data in Encrypted Form • Encrypting data at rest is easy, but implementing homomorph ic encryption is not -- there is little prospect of any commercia l system being able to maintain data encryption during proces sing. • Bruce Schneier estimates that performing a web search with e ncrypted keywords would increase the amount of computing time by about a trillion.
  • 26. Poor Encryption Key Management • Hardware security modules (HSM) required in multip le locations • Key management interfaces which are accessible via the public Internet • The rapid scaling of certificate authorities issuing key pairs to new virtual machines • Revocation of keys for decommissioned virtual machi nes
  • 27. Low Entropy for Random Number Generation • The combination of standard system images, virtualiz ation technologies and a lack of input devices means that virtual systems have much less entropy than ph ysical RNGs!
  • 28. Inaccurate Modeling of Resource Usage • Overbooking or over-provisioning • Failure of resource allocation algorithms due to extra ordinary events (e.g., outlying news events for conte nt delivery). • Failure of resource allocation algorithms using job or packet classification because resources are poorly cla ssified. • Failures in overall resource provisioning (as opposed to temporary overloads)
  • 29. No Control of Vulnerability Assessment Process • Restrictions on port scanning and vulnerability testin g are an important vulnerability which, combined wit h a AUP which places responsibility on the customer for securing elements of the infrastructure, is a serio us security problem.
  • 30. Internal (Cloud) Network Probing • Cloud customers can perform port scans and other t ests on other customers within the internal network.
  • 31. Co-residence Checks • Side-channel attacks exploiting a lack of resource isol ation allow attackers to determine which resources a re shared by which customers.
  • 32. Lack of Forensic Readiness • While the cloud has the potential to improve forensi c readiness, many providers do not provide appropri ate services and terms of use to enable this.
  • 33. Media Sanitization • Shared tenancy of physical storage resources means that sensitive data may leak because data destructio n policies may be impossible to implement • Media cannot be physically destroyed because a disk is still being used by another tenant • Customer storage cannot be located or tracked as it moves through the cloud
  • 34. SLA • Clauses with conflicting promises to different stakeh olders • Clauses may also be in conflict with promises made b y other clauses or clauses from other providers.
  • 35. Audit or Certification Not Available to Customers • The CP cannot provide any assurance to the custome r via audit certification. • Open source hypervisors or customized versions of t hem (e.g., Xen) may not have Common Criteria certifi cation, etc.
  • 36. Certification Schemes Not Adapted to Cloud • Very few if any cloud-specific control, which means t hat security vulnerabilities are likely to be missed.
  • 37. Inadequate Resource Provisioning and Investme nts in Infrastructure • Infrastructure investments take time. If predictive m odels fail, the cloud provider service can fail for a lon g period.
  • 38. No Policies for Resource Capping • If there is not a flexible and configurable way for the customer and/or the cloud provider to set limits on r esources, this can be problematic when resource use is unpredictable.
  • 39. Storage of Data in Multiple Jurisdictions • Mirroring data for delivery by edge networks and red undant storage without real-time information availa ble to the customer of where data is stored.
  • 40. Lack of Information on Jurisdictions • Data may be stored and/or processed in high risk juri sdictions where it is vulnerable to confiscation by for ced entry.
  • 41. Lack of Cloud Security Awareness • Cloud customers and providers are not aware of the risks they could face when migrating into the cloud, particularly those risks that are generated from cloud specific threats, i.e. loss of control, vendor lock-in, ex hausted CP resources, etc.
  • 42. Lack of Vetting Processes • Since there may be very high privilege roles within cl oud providers, due to the scale involved, the lack or i nadequate vetting of the risk profile of staff with suc h roles is an important vulnerability.
  • 43. Unclear Roles and Responsibilities • Inadequate definition of roles and responsibilities in the cloud provider organization.
  • 44. Poor Enforcement of Role Definitions • Within the cloud provider, a failure to segregate role s may lead to excessively privileged roles which can make extremely large systems vulnerable.
  • 45. Need-to-know Principle Not Applied • Poorly defined roles and responsibilities • Parties should not be given unnecessary access to da ta.
  • 46. Inadequate Physical Security Procedures • Lack of physical perimeter controls (smart card authe ntication at entry); • Lack of electromagnetic shielding for critical assets v ulnerable to eavesdropping.
  • 47. Mismanagement • System or OS vulnerabilities • Untrusted software • Lack of - or a poor and untested - business continuity and disaster recover y plan • Lack of - or incomplete or inaccurate - asset inventory • Lack of - or poor or inadequate - asset classification • Unclear asset ownership
  • 48. Poor Identification of Project Requirements • Lack of consideration of security and legal complianc e requirements • No systems and applications user involvement • Unclear or inadequate business requirements.
  • 49. Application Vulnerabilities and Poor Patch Mana gement • Bugs in the application code • Conflicting patching procedures between provider an d customer • Application of untested patches • Vulnerabilities in browsers • Dormant virtual machines • Outdated virtual machine templates
  • 50. Additional Vulnerabilities • Resource consumption vulnerabilities • Breach of NDA by provider • Liability from data loss (cp) • Lack of policy or poor procedures for logs collection and retention • Inadequate or misconfigured filtering resources
  • 51. Resources • ENISA -- Cloud Computing Risk Assessment: http://www.enisa. europa.eu/act/rm/files/deliverables/cloud-computing-risk-ass essment • NIST Cloud Computing: http://csrc.nist.gov/groups/SNS/cloud -computing/ • Cloud Security Alliance: http://www.cloudsecurityalliance.org / • Microsoft SDL: http://www.microsoft.com/security/sdl/ • OCTAVE: http://www.cert.org/octave/ • QwestBusiness Blog: http://www.qwest.com/business/blog/