Cloud computing

1
Risk in Cloud
Computing Environment
Presented by,
Akanksha Botke
CEH, VAPT Auditor

22
Agenda
 Introduction
 Cloud Computing Models
 Cloud Computing Architecture
 Cloud Computing Characteristics
 Purpose and Benefits
 Cloud-Sourcing
 Risk In Cloud Computing
 Data Security In Cloud Computing
 Vulnerabilities In Cloud Computing
 Hardening Cloud Security
 Conclusion

33
Introduction
 Cloud computing is typically defined as a type of computing that
relies on sharing computing resources rather than having local
servers or personal devices to handle applications.
 In cloud computing, the word cloud (also phrased as "the cloud")
is used as a metaphor for "the Internet," so the phrase cloud
computing means "a type of Internet-based computing," where
different services — such as servers, storage and applications —
are delivered to an organization's computers and devices through
the Internet.

44
Cloud Computing Models
1. Software as a Service (Saas)
 The capability provided to the consumer is to use the provider’s
applications running on a cloud infrastructure. The applications are
accessible from various client devices through a thin client interface
such as a web
 Characteristics of SaaS:
 Its easy to work under administration
 It can be globally access
The software can be updated automatically
All license holder user will have same version of software

55
Cloud Computing of Models
2. Platform as a Service (PaaS)
 The capability provided to the consumer is to deploy onto the cloud
infrastructure his own applications without installing any platform or
tools on their local machines. PaaS refers to providing platform layer
resources, including operating system support and software
development frameworks that can be used to build higher-level
services.
 Characteristics of PaaS:
No need of downloading and installing operating System.
It saves Customers money.
It mainly deals for delivering operating systems over Internet.
Software can be developed, tested and deployed

66
Cloud Computing Models
3. Infrastructure as a Service (IaaS).
 The capability provided the sharing of hardware resources for executing
services, typically using Virtualization technology. Infrastructure as a
Service is an equipment which is used to support hardware, software,
storage, servers and mainly used for delivering software application
environments
 Characteristics of IaaS:
 Policy based Services
 Utility computing Services
 Dynamic Scaling
 Internet Connectivity

77
Cloud Computing Architecture

88
Cloud Computing Characteristics
Common Characteristics:
Massive Scale
Homogeneity
Virtualization
Low Cost Software
Resilient Computing
Geographic Distribution
Service Orientation
Advanced Security

9
Data: Bibliographic, Digital, Administrative, License, Access and
Preservation.
Content: Collections, Subscriptions, Print, Publishing.
Services: Library as Place, Content Access, Content Creation,
Instruction, Research, Preservation.
Experience: Research, Study Support, Peer based Collaboration, IT
Exploration
9
Use of Cloud Computing in Library

1010
Purpose and Benefits
 Cloud computing enables companies and applications, which are system
infrastructure dependent, to be infrastructure-less.
 By using the Cloud infrastructure on “Pay per use and On Demand”, which all
of us can save in capital and operational investment!
• Pay per use - Computing resources are measured at a granular level, allowing
users to pay only for the resources and workloads they use.
• On Demand - End users can spin up computing resources for almost any type
of workload on-demand
 Clients can:
• Put their data on the platform instead of on their own desktop PCs and/or
on their own servers.
• They can put their applications on the cloud and use the servers within the
cloud to do processing and data manipulations etc.

1111
Cloud-Sourcing
 Why is it becoming a Big Deal:
• Using high-scale/low-cost providers,
• Any time/place access via web browser,
• Rapid scalability; incremental cost and load sharing,
• Can forget need to focus on local IT.
 Concerns:
• Performance, reliability, and SLAs,
• Control of data, and service parameters,
• Application features and choices,
• Interaction between Cloud providers,
• No standard API – mix of SOAP and REST!
• Privacy, security, compliance, trust…

1313
Data Security In Cloud Computing
 Data outsourcing - Users are relieved from the burden of data storage
and maintenance. When users put their data (of large size) on the cloud,
the data integrity protection is challenging.
 Cloud computing is built on top of virtualization, if there are security issues
with virtualization, then there will also security issues with cloud computing.
 Data segregation - Data in the cloud is typically in a shared environment
alongside data from other customers. Encryption is effective but isn't a
cure-all. The cloud provider should provide evidence that encryption
schemes were designed and tested by experienced specialists.
 A data center full of servers supporting cloud computing is internally and
externally indistinguishable from a data center full of "regular" servers. In
each case, it will be important for the data center to be physically secure
against unauthorized access

1414
 Computer and network security is fundamentally about three
goals/objectives:
-- Confidentiality (C)
-- Integrity (I)
-- Availability (A)
 Confidentiality – Its refers to keeping data private. Privacy is the amount
importance as data leaves the borders of the organization. Not only
internal secrets and sensitive personal data, but metadata and
transactional data can also leak important details about firms or
individuals. Confidentiality is supported by, technical tools such as
encryption and access control, as well as legal protections.

1515
 Integrity is a degree confidence that the data in the cloud is protected
against accidental or intentional alteration without authorization. It also
extends to the hurdles of synchronizing multiple databases. Integrity is
supported by well audited code, well-designed distributed systems, and
robust access control mechanisms.
 Availability means being able to use the system as anticipated. Cloud
technologies can increase availability through widespread internet-enabled
access, but the client is dependent on the timely and robust provision of
resources. Availability is supported by capacity building and good
architecture by the provider, as well as well-defined contracts and terms of
agreement.

1616
Vulnerabilities In Cloud Computing
 Insecure interfaces and APIs
 Unlimited allocation of resources
 Data-related vulnerabilities
 Vulnerabilities in Virtual Machines
 Vulnerabilities in Virtual Machine Images
 Vulnerabilities in Virtual Networks
 Vulnerabilities in Hypervisors
 Local Host Security

1717
Insecure interfaces and APIs
 Cloud providers offer services that can be accessed through APIs (SOAP,
REST, or HTTP with XML/JSON) The security of the cloud depends upon
the security of these interfaces. Some problems are:
a) Weak credential
b) Insufficient authorization checks
c) Insufficient input-data validation
 Also, cloud APIs are still immature which means that are frequently
updated. A fixed bug can introduce another security hole in the application.

1818
Unlimited allocation of resources
 Inaccurate modeling of resource usage can lead to overbooking or over-
provisioning.
 Due to the heterogeneous and time-variant environment in a Cloud, the
resource provisioning becomes a complex task, forcing the mediation
system to respond with minimal turnaround time in order to maintain the
developer’s quality requirements.

1919
Data-related vulnerabilities
 Data can be collocated with the data of unknown owners (competitors, or
intruders) with a weak separation.
 Data may be located in different jurisdictions which have different laws.
 Incomplete data deletion – data cannot be completely removed.
 Data backup done by untrusted third-party providers.
 Information about the location of the data usually is unavailable or not
disclosed to users.
 Data is often stored, processed, and transferred in clear plain text.

2020
Vulnerabilities in Virtual Machines
 Possible covert channels in the collocation of VMs.
 Unrestricted allocation and deallocation of resources with VMs.
 Uncontrolled Migration - VMs can be migrated from one server to another
server due to fault tolerance, load balance, or hardware maintenance.
 Uncontrolled snapshots – VMs can be copied in order to provide flexibility,
which may lead to data leakage.
 Uncontrolled rollback could lead to reset vulnerabilities - VMs can be
backed up to a previous state for restoration, but patches applied after the
previous state disappear.
 VMs have IP addresses that are visible to anyone within the cloud -
attackers can map where the target VM is located within the cloud (Cloud
cartography).

2121
Vulnerabilities in Virtual Machine Images
 Uncontrolled placement of VM images in public repositories.
 VM images are not able to be patched since they are dormant artifacts.
Vulnerabilities in Virtual Networks
 The cloud characteristic ubiquitous network access means that cloud
services are accessed via network using standard protocols. In most
cases, this network is the Internet, which must be considered untrusted.
Internet protocol vulnerabilities - such as vulnerabilities that allow man-in-
the-middle attacks - are therefore relevant for cloud computing.
 Sharing of virtual bridges by several virtual machines.

2222
Vulnerabilities in Hypervisors
 Complex hypervisor code.
 Flexible configuration of VMs or hypervisors to meet organization needs can be
exploited.
 Any remote user can initiate an attack on a Hypervisor and its guest VMs if it is
located in a subnet from which the machine running the Hypervisor is reachable.
 Almost any code can be executed from a guest VM’s Ring 3; however, some
functionality will be limited by the OS or the Hypervisor (causing an exception).
Nevertheless, it is easiest to get user-space code to run, so any exploits from this
ring are attractive to an attacker.
 An attack from a Guest VM’s Kernel-Space, as it requires control over the
paravirtualized front-end driver.
 The Hypervisor can access any resource in the host system (i.e. memory,
peripherals, CPU state, etc.), which means that it can access every guest VM’s
resources.

2323
Local Host Security
 Are local host machines part of the cloud infrastructure?
• Outside the security perimeter.
• While cloud consumers worry about the security on the cloud provider’s
site, they may easily forget to harden their own machines
 The lack of security of local devices can
• Provide a way for malicious services on the cloud to attack local
networks through these terminal devices.
• Compromise the cloud and its resources for other users.

2424
 With mobile devices, the threat may be even stronger
• Users misplace or have the device stolen from them.
• Security mechanisms on handheld gadgets are often times insufficient
compared to say, a desktop computer.
• Provides a potential attacker an easy avenue into a cloud system.
• If a user relies mainly on a mobile device to access cloud data, the
threat to availability is also increased as mobile devices malfunction or
are lost .
 Devices that access the cloud should have
• Strong authentication mechanisms
• Tamper-resistant mechanisms
• Strong isolation between applications
• Methods to trust the OS
• Cryptographic functionality when traffic confidentiality is required.

2525
Hardening Cloud Security
 Secure Logic Migration and Execution Technology
 Data Traceability Technology
 Authentication and Identity
 Application of Encryption for Data in Motion:
 Data Masking Technology

2626
 Secure Logic Migration and Execution Technology
For confidential data that cannot be released outside of the
company, even formed by concealing certain aspects of the data,
by simply defining the security level of data.
 Data Traceability Technology
The information gateway tracks all information flowing into and
out of the cloud, so these flows and their content can be checked.
Data traceability technology uses the logs obtained on data traffic
as well as the characteristics of the related text to make visible
the data used in the cloud

2727
 Authentication and Identity
Maintaining confidentiality, integrity, and availability for data security
is a function of the correct application and configuration of familiar
network, system, and application security mechanisms at various
levels in the cloud infrastructure.
Authentication of users takes several forms, but all are based on a
combination of authentication factors: something an individual knows
(such as a password), something they possess (such as a security
token), or some measurable quality that is intrinsic to them (such as
a fingerprint).

2828
 Application of Encryption for Data in Motion:
Encryption is used to assure that if there was a breach of
communication integrity between the two parties that the data
remains confidential.
Authentication is used to assure that the parties communicating data
are who they say they are.
Common means of authentication themselves employ cryptography
in various ways.

2929
 Data Masking Technology
Data masking is a technique that is intended to remove all
identifiable and distinguishing characteristics from data in order to
render it anonymous and yet still be operable.
This technique is aimed at reducing the risk of exposing sensitive
information.
Data masking has also been known by such names as data
obfuscation, de-identification, or depersonalization.

3030
Conclusion
 Cloud computing is sometimes viewed as a re-creation of the
classic mainframe client-server model.
 However, resources are ubiquitous, scalable, highly virtualized.
 Contains all the traditional threats, as well as new ones.
 In developing solutions to cloud computing security issues it may
be helpful to identify the problems and approaches in terms of CIA
(Confidentially, Integrity and Availability ).

Cloud computing

More Related Content

What's hot

Viewers also liked

Similar to Cloud computing

Recently uploaded

Cloud computing