Presentation copy


A brief overview of cloud computing and cloud computing security

Published in: Technology, Business

  1. Overview on Cloud Computing & Cloud Computing Security. German University in Cairo (GUC)
  2. Technical Presentation. Outline
     • What is Cloud Computing?
         • An Introduction
         • Cloud Deployment Models
         • Cloud Service Models
     • Cloud Security
         • Anatomy of Fear in the Cloud
         • Attack Modeling
     • Summary & Conclusion
  3. What is Cloud Computing? Experts' Opinion!!
     • "We've redefined Cloud Computing to include everything that we already do. . . . I don't understand what we would do differently in the light of Cloud Computing other than change the wording of some of our ads." Larry Ellison, Founder of Oracle
     • Richard Stallman, GNU: "It's stupidity. It's worse than stupidity: it's a marketing hype campaign"
     • Ron Rivest, The R of RSA: "Cloud Computing will become a focal point of our work in security. I'm optimistic …"
  4. What is Cloud Computing? Google's Opinion!!
  5. What is Cloud Computing? The Formal Definition
     • Cloud Computing:
     • "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
     • What does this really mean?!
     • That is, use as much or as little as you need, use only when you want, and pay only for what you use.
     • The illusion of infinite resources. For example: water, electricity, etc.
  6. What is Cloud Computing? Some of the Advantages of Cloud Computing
     • For Clients:
     • Cost reduction:
         • Reduces paperwork, minimizes the investment in hardware (resources to manage), and reduces the need for an IT staff.
     • Scalability:
         • Like electricity or water, some cloud computing services allow businesses to pay only for what they use. As the business grows, more server space can be added.
     • No barriers to entry:
         • Easy to start up and run (the perfect option for newbies).
     • For Providers:
     • Increased utilization of datacenter resources.
  7. Sensor Networks Seminar. What is Cloud Computing? Cloud Deployment Models
     • Public Cloud:
         • Cloud providers sell different parts of the cloud to different customers. Each customer has their own website, their own application, but all of them use the same cloud resources. Public cloud is less secure than other types.
     • Private Cloud:
         • Cloud providers sell customers their own dedicated network and computing resources. Resources could be on-premises or off-premises.
         • Provides more security.
     • Hybrid Cloud:
         • A composition of two or more clouds, public and private.
         • Good for organizations that would like to extend their private cloud.
         • Offers more secure access, and allows various parties to access information.
  8. What is Cloud Computing? Cloud Service Models
     Cloud Computing basically means selling "X-as-a-Service".
     • Software-as-a-Service (SaaS): The consumer can use the provider's software or applications that are running on the cloud infrastructure, but can't manage or control the underlying infrastructure. Examples: Gmail, Google Apps, Google Docs.
     • Platform-as-a-Service (PaaS): Consumers develop their own software or applications using tools and programming languages supported by the provider. Examples: Google App Engine, Windows Azure, SpringSource.
     • Infrastructure-as-a-Service (IaaS): The consumer is granted the capability to provision processing, storage, hardware and computational resources, which he can use to run any arbitrary software. The consumer has control over the operating systems, storage, deployed applications and limited control over networking components.
  9. What is Cloud Computing? Another way to look at it!!
  10. Cloud Security. If Clouds are so great, why isn't everyone using them?!
     • Clouds are still subject to the famous Confidentiality, Integrity and Availability issues. They are also vulnerable to various types of attacks.
     • Most companies are still afraid to use the cloud.
  11. Cloud Security. Anatomy of Fear in the Cloud
     • Confidentiality:
     • Tons of data are stored in the cloud. But there are questions to be answered:
         • Will this data remain confidential?
         • Will the cloud provider keep his promise and not peek into the data?
     • Integrity:
         • How to know if the cloud provider is doing computations correctly?
         • How to ensure that the cloud provider didn't tamper with or change data?
     • Availability:
         • Will critical systems go down if the provider is attacked by a DoS attack?
         • What happens if the cloud provider goes out of business?
  12. Cloud Security. Attack Modeling
     • Threat Model:
     • A threat model helps analyze a security problem, design mitigation strategies, and evaluate solutions.
     • What are the steps to be done?
         • Identify attackers, assets and threats.
         • Rank the identified threats.
         • Choose mitigation strategies.
         • Build solutions based on those strategies.
  13. Cloud Security. Threat Model
  14. Cloud Security. Who could be the attacker?
     • An Insider?
         • Malicious employees at the Client.
         • Malicious employees at the Cloud Provider.
         • The Cloud Provider itself.
     • An Outsider?
         • Intruders.
         • Network Attackers.
  15. Cloud Security. Capability of the Attacker (Insider)
     • Malicious Insiders
     • At Client:
         • Learn passwords or authentication information.
     • At Cloud Provider:
         • Can store logs of client communication.
     • Cloud Provider
     • What?
         • Can read unencrypted data.
         • Can monitor network communication and application patterns.
     • Why?
         • Gain information about clients' data.
         • Sell the information or use it personally.
  16. Cloud Security. Capability of the Attacker (Outsider)
     • An Outsider can do one of the following:
     • Passive attacks:
         • Eavesdrop on network traffic.
     • Active attacks:
         • Insert malicious traffic.
         • Tamper with network traffic.
         • Launch a DDoS attack.
  17. Cloud Security. Threat Model
  18. Cloud Computing. Assets and Attacker Goals (Outsider)
     • Here are some goals of the outside attacker:
         • Intrusion
         • Network analysis
         • Man-in-the-Middle
     • Assets that the attacker tries to break into:
         • Confidentiality (critical data, client identities, location information)
         • Integrity (change stored data and computations)
         • Availability (bring down cloud infrastructure)
  19. Cloud Security. Threat Model
  20. Cloud Security. Threats - Confidentiality
     • Information Disclosure:
     • Information disclosure is an event that occurs when the attacker gains access to private data.
     • How to avoid it?
     • This threat can be avoided by using encryption and authorization. For example:
  21. Cloud Security. Threats – Integrity
     • Tampering with data:
     • Tampering with data occurs when critical data is changed or manipulated by the attacker.
     • How to avoid it?
     • This threat could be avoided by using a keyed hashing algorithm with a secret.
  22. Cloud Security. Threats – Availability
     • Denial-of-Service Attack
     • In a DoS attack, a server is brought down using botnets, trojans and malware.
     • How to detect and avoid it?
         • Estimate how many resources (bandwidth) are normally used.
         • Compare this estimate periodically to find out if there is a dramatic increase in resource usage.
         • When an attack is detected, keep migrating and use other resources.
  23. Cloud Security. Real Examples – Data Loss
     "Regrettably, based on Microsoft/Danger's latest recovery assessment of their systems, we must now inform you that personal information stored on your device—such as contacts, calendar entries, to-do lists or photos—that is no longer on your Sidekick almost certainly has been lost as a result of a server failure at Microsoft/Danger."
  24. Cloud Security. Real Examples – Downtimes
  25. Cloud Security. Real Examples – Phishing
     "hey! check out this funny blog about you..."
  26. Cloud Security. Real Examples – Botnets
  27. Summary & Conclusion
     • Summary:
         • We defined cloud computing.
         • We discussed cloud computing advantages.
         • The three different cloud deployment models have been stated.
         • The three different cloud service models have been mentioned.
         • We defined the attack model and how to model a threat.
         • We finally showed real-life scenarios for cloud attacks.
     • Conclusion:
     • Cloud computing is one of today's most famous technologies, but it has to be used with extra care and caution.
  28. Questions!??
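
Slide 21 names a keyed hashing algorithm with a secret as the defence against tampering. The following is an added example, not part of the original slides, showing why the key matters when the provider itself is in the threat model; the object name, data and record layout are constructed for illustration, and HMAC-SHA256 is an assumed choice of keyed hash.

```python
import hashlib
import hmac
import secrets


def _message(object_name: str, data: bytes) -> bytes:
    # Length-prefix the name so a (name, data) pair has exactly one encoding.
    name = object_name.encode("utf-8")
    return len(name).to_bytes(4, "big") + name + data


def seal(key: bytes, object_name: str, data: bytes) -> bytes:
    """Client side, before upload: HMAC-SHA256 tag over the name and the data."""
    return hmac.new(key, _message(object_name, data), hashlib.sha256).digest()


def verify(key: bytes, object_name: str, data: bytes, tag: bytes) -> bool:
    """Client side, after download: constant-time comparison of the tag."""
    return hmac.compare_digest(seal(key, object_name, data), tag)


def provider_tamper(record: dict) -> dict:
    """What a tampering provider can do without the key: alter the data and
    recompute the unkeyed checksum. The HMAC tag cannot be recomputed."""
    data = record["data"].replace(b"100", b"900")
    return {"data": data, "sha256": hashlib.sha256(data).digest(), "tag": record["tag"]}


def demo() -> dict:
    key = secrets.token_bytes(32)  # the secret: kept by the client, never uploaded
    name = "invoices/2024-01.csv"  # constructed sample object
    data = b"id,amount\n1,100\n"
    stored = {"data": data, "sha256": hashlib.sha256(data).digest(),
              "tag": seal(key, name, data)}
    bad = provider_tamper(stored)
    return {
        "intact_verifies": verify(key, name, stored["data"], stored["tag"]),
        "unkeyed_hash_fooled": hashlib.sha256(bad["data"]).digest() == bad["sha256"],
        "tamper_detected": not verify(key, name, bad["data"], bad["tag"]),
        "swap_detected": not verify(key, "invoices/2024-02.csv", data, stored["tag"]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

A tag of this kind still verifies for an older, genuinely sealed version of the same object, so detecting rollback needs a version number or timestamp inside the sealed message.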
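
Slide 22's detection steps (estimate normal bandwidth, compare periodically, look for a dramatic increase) can be sketched as a rolling-baseline check. This is an added example, not part of the original slides; the function name, the thresholds and the sample readings are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed sample: bandwidth in Mbit/s, one reading per interval.
SAMPLE_MBPS = [40, 42, 38, 41, 39, 43, 44, 40, 310, 420, 390, 45, 41]


def find_spikes(samples, baseline_window=6, sigmas=3.0, min_ratio=2.0):
    """Return the indices of readings that are dramatically above the baseline.

    The first `baseline_window` readings are the estimate of normal usage.
    A reading is flagged when it exceeds both mean + sigmas * stddev and
    min_ratio * mean of the current baseline.
    """
    if len(samples) <= baseline_window:
        return []
    baseline = list(samples[:baseline_window])
    alerts = []
    for i in range(baseline_window, len(samples)):
        mu = mean(baseline)
        limit = max(mu + sigmas * pstdev(baseline), mu * min_ratio)
        if samples[i] > limit:
            # Flag it, and do not let attack traffic become the new "normal".
            alerts.append(i)
        else:
            # Normal reading: slide the baseline forward so slow growth is learned.
            baseline.pop(0)
            baseline.append(samples[i])
    return alerts


if __name__ == "__main__":
    for i in find_spikes(SAMPLE_MBPS):
        print(f"interval {i}: {SAMPLE_MBPS[i]} Mbit/s is far above baseline")
```

Requiring both conditions keeps a very steady baseline (tiny standard deviation) from alerting on small fluctuations, while gradual organic growth is absorbed into the baseline instead of being flagged.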