DV
Uploaded byDevyani Vaidya
PPTX, PDF174 views

Secure Cloud Issues

This document discusses security issues in cloud computing. It begins with an overview of cloud computing characteristics such as on-demand self-service, ubiquitous network access, and resource pooling. It then discusses some common security problems in cloud computing including loss of control, lack of trust, and multi-tenancy issues that stem from sharing resources with multiple tenants. Approaches proposed to address these issues include increasing monitoring and control for customers, utilizing multiple clouds to spread risk, developing standardized policy languages and certification processes to build trust, and enhancing isolation between tenants. The document provides references and concludes by emphasizing the need to consider security at both the cloud provider level and on local devices used to access cloud services.

Embed presentation

Download to read offline
Security Issues in Cloud Computin g Ms.Devyani Bharat Vaidya Polytechnic student
Talk Objectives • Present cloud issues/characteristics that cr eate interesting security problems • Identify a few security issues within this fra mework • Propose some approaches to addressing t hese issues – Preliminary ideas to think about
Cloud Computing Background • Features – Use of internet-based services to support business process – Rent IT-services on a utility-like basis • Attributes – Rapid deployment – Low startup costs/ capital investments – Costs based on usage or subscription – Multi-tenant sharing of services/ resources • Essential characteristics – On demand self-service – Ubiquitous network access – Location independent resource pooling – Rapid elasticity – Measured service • “Cloud computing is a compilation of existing techniques and technologies, packaged within a new infrastructure paradigm that offers improved scalabili ty, elasticity, business agility, faster startup time, reduced management cost s, and just-in-time availability of resources” Source: NIST
Cloud Models • Delivery Models – SaaS – PaaS – IaaS • Deployment Models – Private cloud – Community cloud – Public cloud – Hybrid cloud • We propose one more Model: Management Models (trus t and tenancy issues) – Self-managed – 3rd party managed (e.g. public clouds and VPC) Source: NIST
Cloud Computing: A Massive Concentration of Resources • Also a massive concentration of risk – expected loss from a single breach can be signific antly larger – concentration of “users” represents a concentratio n of threats • “Ultimately, you can outsource responsibility but you can’t outsource accountability.” From John McDermott, ACSAC 09
Cloud Computing: who should us e it? • Cloud computing definitely makes sense if your ow n security is weak, missing features, or below avera ge. • Ultimately, if – the cloud provider’s security people are “better” than your s (and leveraged at least as efficiently), – the web-services interfaces don’t introduce too many new vulnerabilities, and – the cloud provider aims at least as high as you do, at secu rity goals, then cloud computing has better security. From John McDermott, ACSAC 09
Problems Associated with Cloud C omputing • Most security problems stem from: – Loss of control – Lack of trust (mechanisms) – Multi-tenancy • These problems exist mainly in 3rd party manage ment models – Self-managed clouds still have security issues, but no t related to above
Loss of Control in the Cloud • Consumer’s loss of control – Data, applications, resources are located with provide r – User identity management is handled by the cloud – User access control rules, security policies and enforc ement are managed by the cloud provider – Consumer relies on provider to ensure • Data security and privacy • Resource availability • Monitoring and repairing of services/resources
Lack of Trust in the Cloud • A brief deviation from the talk – (But still related) – Trusting a third party requires taking risks • Defining trust and risk – Opposite sides of the same coin (J. Camp) – People only trust when it pays (Economist’s view) – Need for trust arises only in risky situations • Defunct third party management schemes – Hard to balance trust and risk – e.g. Key Escrow (Clipper chip) – Is the cloud headed toward the same path?
Multi-tenancy Issues in the Cloud • Conflict between tenants’ opposing goals – Tenants share a pool of resources and have opposing goals • How does multi-tenancy deal with conflict of inter est? – Can tenants get along together and ‘play nicely’ ? – If they can’t, can we isolate them? • How to provide separation between tenants?
Security Issues in the Cloud • In theory, minimizing any of the issues would help: – Loss of Control • Take back control – Data and apps may still need to be on the cloud – But can they be managed in some way by the consumer? – Lack of trust • Increase trust (mechanisms) – Technology – Policy, regulation – Contracts (incentives): topic of a future talk – Multi-tenancy • Private cloud – Takes away the reasons to use a cloud in the first place • VPC: its still not a separate system • Strong separation
Minimize Lack of Trust: Policy Lang uage • Consumers have specific security needs but don’t have a say-so in how th ey are handled – What the heck is the provider doing for me? – Currently consumers cannot dictate their requirements to the provider (SLAs are one-sided) • Standard language to convey one’s policies and expectations – Agreed upon and upheld by both parties – Standard language for representing SLAs – Can be used in a intra-cloud environment to realize overarching security posture • Create policy language with the following characteristics: – Machine-understandable (or at least processable), – Easy to combine/merge and compare – Examples of policy statements are, “requires isolation between VMs”, “requires g eographical isolation between VMs”, “requires physical separation between other communities/tenants that are in the same industry,” etc. – Need a validation tool to check that the policy created in the standard language c orrectly reflects the policy creator’s intentions (i.e. that the policy language is sem antically equivalent to the user’s intentions).
Minimize Lack of Trust: Certificatio n • Certification – Some form of reputable, independent, comparable as sessment and description of security features and ass urance – Sarbanes-Oxley, DIACAP, DISTCAP, etc (are they su fficient for a cloud environment?) • Risk assessment – Performed by certified third parties – Provides consumers with additional assurance
Minimize Loss of Control in the Clo ud • Monitoring • Utilizing different clouds • Access control management
Minimize Loss of Control: Monitorin g • Cloud consumer needs situational awareness for critical applications – When underlying components fail, what is the effect of the failure to the mission l ogic – What recovery measures can be taken (by provider and consumer) • Requires an application-specific run-time monitoring and management tool f or the consumer – The cloud consumer and cloud provider have different views of the system – Enable both the provider and tenants to monitor the the components in the cloud that are under their control – Provide mechanisms that enable the provider to act on attacks he can handle. • infrastructure remapping (create new or move existing fault domains) • shutting down offending components or targets (and assisting tenants with porting if nec essary • Repairs – Provide mechanisms that enable the consumer to act on attacks that he can han dle (application-level monitoring). • RAdAC (Risk-adaptable Access Control) • VM porting with remote attestation of target physical host • Provide ability to move the user’s application to another cloud
Minimize Loss of Control: Utilize Dif ferent Clouds • The concept of ‘Don’t put all your eggs in one basket’ – Consumer may use services from different clouds through an intr a-cloud or multi-cloud architecture – Propose a multi-cloud or intra-cloud architecture in which consu mers • Spread the risk • Increase redundancy (per-task or per-application) • Increase chance of mission completion for critical applications – Possible issues to consider: • Policy incompatibility (combined, what is the overarching policy?) • Data dependency between clouds • Differing data semantics across clouds • Knowing when to utilize the redundancy feature (monitoring technol ogy) • Is it worth it to spread your sensitive data across multiple clouds? – Redundancy could increase risk of exposure
Minimize Loss of Control: Access C ontrol • Many possible layers of access control – E.g. access to the cloud, access to servers, access to services, access to databases (direct and queries via web services), access to VMs, and access to objects within a VM – Depending on the deployment model used, some of these will be controlled by the provider a nd others by the consumer • Regardless of deployment model, provider needs to manage the user authentication and access control procedures (to the cloud) – Federated Identity Management: access control management burden still lies with the provid er – Requires user to place a large amount of trust on the provider in terms of security, managem ent, and maintenance of access control policies. This can be burdensome when numerous u sers from different organizations with different access control policies, are involved • Consumer-managed access control – Consumer retains decision-making process to retain some control, requiring less trust of the provider (i.e. PDP is in consumer’s domain) – Requires the client and provider to have a pre-existing trust relationship, as well as a pre-neg otiated standard way of describing resources, users, and access decisions between the clou d provider and consumer. It also needs to be able to guarantee that the provider will uphold t he consumer-side’s access decisions. – Should be at least as secure as the traditional access control model. – Facebook and Google Apps do this to some degree, but not enough control – Applicability to privacy of patient health records
PEP (intercepts all resource access requests from all client domains) PDP for cloud resource on Domain A Cloud Consumer in Domain B ACM (XACML policies) . . . resources Cloud Provider in Domain A IDP 1. Authn request 2. SAML Assertion 3. Resource request (XACML Request) + SAML assertion 4. Redirect to domain of resource owner 7. Send signed and encrypted ticket 5. Retrieve policy for specified resource 6. Determine whether user can access specified resource 7. Create ticket for grant/deny 8. Decrypt and verify signature 9. Retrieve capability from ticket 10. Grant or deny access based on capability Minimize Loss of Control: Access C ontrol
Minimize Multi-tenancy in the Cloud • Can’t really force the provider to accept less te nants – Can try to increase isolation between tenants • Strong isolation techniques (VPC to some degree) – C.f. VM Side channel attacks (T. Ristenpart et al.) • QoS requirements need to be met • Policy specification – Can try to increase trust in the tenants • Who’s the insider, where’s the security boundary? Who can I trust? • Use SLAs to enforce trusted behavior
Last Thoughts: Local Host Security • Are local host machines part of the cloud infrastructure? – Outside the security perimeter – While cloud consumers worry about the security on the cloud provider’s site, they may easily forget to harden their own machines • The lack of security of local devices can – Provide a way for malicious services on the cloud to attack local networks through these term inal devices – Compromise the cloud and its resources for other users • With mobile devices, the threat may be even stronger – Users misplace or have the device stolen from them – Security mechanisms on handheld gadgets are often times insufficient compared to say, a de sktop computer – Provides a potential attacker an easy avenue into a cloud system. – If a user relies mainly on a mobile device to access cloud data, the threat to availability is als o increased as mobile devices malfunction or are lost • Devices that access the cloud should have – Strong authentication mechanisms – Tamper-resistant mechanisms – Strong isolation between applications – Methods to trust the OS – Cryptographic functionality when traffic confidentiality is required
Conclusion • Cloud computing is sometimes viewed as a reincarnation of the classic mainframe client-server model – However, resources are ubiquitous, scalable, highly virtualized – Contains all the traditional threats, as well as new ones • In developing solutions to cloud computing security issue s it may be helpful to identify the problems and approach es in terms of – Loss of control – Lack of trust – Multi-tenancy problems
References 1. NIST (Authors: P. Mell and T. Grance), "The NIST Definition of Cl oud Computing (ver. 15)," National Institute of Standards and Tec hnology, Information Technology Laboratory (October 7 2009). 2. J. McDermott, (2009) "Security Requirements for Virtualization in Cloud Computing," presented at the ACSAC Cloud Security Work shop, Honolulu, Hawaii, USA, 2009. 3. J. Camp. (2001), “Trust and Risk in Internet Commerce,” MIT P ress 4. T. Ristenpart et al. (2009) “Hey You Get Off My Cloud,” Procee dings of the 16th ACM conference on Computer and communicati ons security, Chicago, Illinois, USA
References for Cloud Security • M. Armbrust, et al., "Above the Clouds: A Berkeley View of Cloud Computing," UC Be rkeley Reliable Adaptive Distributed Systems LaboratoryFebruary 10 2009. • Cloud Security Alliance, "Security Guidance for Critical Areas of Focus in Cloud Com puting, ver. 2.1," 2009. • M. Jensen, et al., "On Technical Security Issues in Cloud Computing," presented at th e 2009 IEEE International Conference on Cloud Computing, Bangalore, India 2009. • P. Mell and T. Grance, "Effectively and Securely Using the Cloud Computing Paradig m," ed: National Institute of Standards and Technology, Information Technology Labo ratory, 2009. • N. Santos, et al., "Towards Trusted Cloud Computing," in Usenix 09 Hot Cloud Works hop, San Diego, CA, 2009. • R. G. Lennon, et al., "Best practices in cloud computing: designing for the cloud," pre sented at the Proceeding of the 24th ACM SIGPLAN conference companion on Obje ct oriented programming systems languages and applications, Orlando, Florida, USA, 2009. • P. Mell and T. Grance, "The NIST Definition of Cloud Computing (ver. 15)," National I nstitute of Standards and Technology, Information Technology LaboratoryOctober 7 2 009. • C. Cachin, et al., "Trusting the cloud," SIGACT News, vol. 40, pp. 81-86, 2009. • J. Heiser and M. Nicolett, "Assessing the Security Risks of Cloud Computing," Gartne r 2008. • A. Joch. (2009, June 18) Cloud Computing: Is It Secure Enough? Federal Computer Week.
Questions?

More Related Content

PPTX
Unit5
byIntegral university, India
 
PPTX
Cloud resilience, provisioning
byIntegral university, India
 
PDF
Week 3 lecture material cc
byAnkit Gupta
 
PPTX
Unit5 Cloud Federation,
byIntegral university, India
 
PDF
G0314043
byiosrjournals
 
PPT
Securing Apps & Data in the Cloud by Spyders & Netskope
byAhmad Abdalla
 
PPT
Cloud complete
byNavriti
 
PPT
Securing Apps and Data in the Cloud - July 23 2014 Toronto Board of Trade
byLisa Abe-Oldenburg, B.Comm., JD.
 
Unit5
byIntegral university, India
 
Cloud resilience, provisioning
byIntegral university, India
 
Week 3 lecture material cc
byAnkit Gupta
 
Unit5 Cloud Federation,
byIntegral university, India
 
G0314043
byiosrjournals
 
Securing Apps & Data in the Cloud by Spyders & Netskope
byAhmad Abdalla
 
Cloud complete
byNavriti
 
Securing Apps and Data in the Cloud - July 23 2014 Toronto Board of Trade
byLisa Abe-Oldenburg, B.Comm., JD.
 

What's hot

PPTX
Cloud Computing Security
byNithin Raj
 
PDF
Security issue in Cloud computing
bySeema Kumari
 
PDF
Handling of Incident, Challenges, Risks, Vulnerability and Implementing Detec...
bysadique_ghitm
 
PPTX
Migrating To Cloud & Security @ FOBE 2011
bycommandersaini
 
PPTX
Cloud bursting methodology
byJonathan Spindel
 
PPTX
Security in cloud computing
byAbhishek Kumar Sinha
 
PPT
Unit 5
byDhanalakshmiVelusamy1
 
PDF
Cloud computing security
byAntonio Sanz Alcober
 
PDF
Lecture26 cc-security1
byAnkit Gupta
 
PPTX
Cloud Computing security Challenges for Defense Forces
bycommandersaini
 
PPTX
Cloud Cmputing Security
byDevyani Vaidya
 
PPTX
Cloud Computing Security Issues
byStelios Krasadakis
 
PPTX
Mohammed Al Mulla - Best practices to secure working environments
bynooralmousa
 
PPTX
Security issues in cloud database
byأحلام انصارى
 
PPTX
Cloud computing Risk management
byPadma Jella
 
PPTX
Gary Homeland Security Presentation 102114
byGary Dischner
 
PDF
Module 5-cloud computing-SECURITY IN THE CLOUD
bySweta Kumari Barnwal
 
Cloud Computing Security
byNithin Raj
 
Security issue in Cloud computing
bySeema Kumari
 
Handling of Incident, Challenges, Risks, Vulnerability and Implementing Detec...
bysadique_ghitm
 
Migrating To Cloud & Security @ FOBE 2011
bycommandersaini
 
Cloud bursting methodology
byJonathan Spindel
 
Security in cloud computing
byAbhishek Kumar Sinha
 
Unit 5
byDhanalakshmiVelusamy1
 
Cloud computing security
byAntonio Sanz Alcober
 
Lecture26 cc-security1
byAnkit Gupta
 
Cloud Computing security Challenges for Defense Forces
bycommandersaini
 
Cloud Cmputing Security
byDevyani Vaidya
 
Cloud Computing Security Issues
byStelios Krasadakis
 
Mohammed Al Mulla - Best practices to secure working environments
bynooralmousa
 
Security issues in cloud database
byأحلام انصارى
 
Cloud computing Risk management
byPadma Jella
 
Gary Homeland Security Presentation 102114
byGary Dischner
 
Module 5-cloud computing-SECURITY IN THE CLOUD
bySweta Kumari Barnwal
 

Viewers also liked

PDF
Ibm marketing cloud social advertising oct 2016 summary
byNimesh Bhatia
 
PPTX
Wireless mobile charging using microwaves
byDevyani Vaidya
 
PPTX
Ppt on open and close door using Applet
byDevyani Vaidya
 
PPTX
Fuels Saver System
byDevyani Vaidya
 
PPTX
secued cloud
byDevyani Vaidya
 
PPTX
Ppt on use of biomatrix in secure e trasaction
byDevyani Vaidya
 
PPTX
Data As A Service
byDevyani Vaidya
 
PPTX
Wireless network
byDevyani Vaidya
 
PPTX
Secued Cloud
byDevyani Vaidya
 
PPTX
Digital Locker
byDevyani Vaidya
 
DOCX
Table of contents blue brain
bykoustuba
 
PPT
Wireless Charging Of Mobile
byDevyani Vaidya
 
PPT
Environmental law
byDevyani Vaidya
 
PPTX
Data warehousing
byDevyani Vaidya
 
PPTX
Resource management
byDevyani Vaidya
 
PPTX
History of Laptop
byDevyani Vaidya
 
PPTX
Cloud Security
byDevyani Vaidya
 
PPTX
Seminar on telephone directory
byDevyani Vaidya
 
PPTX
Energy Harvesing Through Reverse Electrowetting
byDevyani Vaidya
 
PPTX
Applet programming
byDevyani Vaidya
 
Ibm marketing cloud social advertising oct 2016 summary
byNimesh Bhatia
 
Wireless mobile charging using microwaves
byDevyani Vaidya
 
Ppt on open and close door using Applet
byDevyani Vaidya
 
Fuels Saver System
byDevyani Vaidya
 
secued cloud
byDevyani Vaidya
 
Ppt on use of biomatrix in secure e trasaction
byDevyani Vaidya
 
Data As A Service
byDevyani Vaidya
 
Wireless network
byDevyani Vaidya
 
Secued Cloud
byDevyani Vaidya
 
Digital Locker
byDevyani Vaidya
 
Table of contents blue brain
bykoustuba
 
Wireless Charging Of Mobile
byDevyani Vaidya
 
Environmental law
byDevyani Vaidya
 
Data warehousing
byDevyani Vaidya
 
Resource management
byDevyani Vaidya
 
History of Laptop
byDevyani Vaidya
 
Cloud Security
byDevyani Vaidya
 
Seminar on telephone directory
byDevyani Vaidya
 
Energy Harvesing Through Reverse Electrowetting
byDevyani Vaidya
 
Applet programming
byDevyani Vaidya
 

Similar to Secure Cloud Issues

PPT
Anya-Kim-Bhargava-MCCWorkshoooo p (1).ppt
byPratikYadav733137
 
PPT
Anya-Kim-Bhargava-MCCWorkshop for students
bytricksrefresher
 
PPT
Anya-Kim-Bhargava-MCCWorkshop.ppt
byTaskinKhaleque
 
PPT
Security issue in cloud by himanshu tiwari
bybhanu krishna
 
PPT
cloud-complete.ppt
byARJUNMUKHERJEE27
 
PPT
cloud-complete.ppt
byssuser3be95f
 
PPT
cloud-complete.ppt
bySameer Ali
 
PPT
cloud-complete power point presentation for digital signature
byArunsunaiComputer
 
PPT
cloud-complete.ppt
byNaradaDilshan
 
PPT
Cloud complete
byMuhammad Rehan
 
PPT
Tutorial-security-privacy-cloud intro duction about cloud compting its services
byHEmansuSingh
 
PPT
Tutorial-security-privacy-cloud-computing
bySISTechnologies
 
PPT
security Issues of cloud computing
byprachupanchal
 
PPTX
SECURITY AND PRIVACY SECURITY AND PRIVACY SECURITY AND PRIVACY SECURITY AND P...
bythumilvannan
 
PPT
cloud-complete.ppt
byImpactGenshin3
 
PPT
security and privacy in cloud computing.ppt
byShahidSultan24
 
PPT
securing the cloud with different policies.ppt
byShahidSultan24
 
PPT
12-cloud-security.ppt
bychelsi33
 
PPTX
Myppt1.pptx on ics subject for 6th semester
byMayuraD1
 
PDF
Lecture27 cc-security2
byAnkit Gupta
 
Anya-Kim-Bhargava-MCCWorkshoooo p (1).ppt
byPratikYadav733137
 
Anya-Kim-Bhargava-MCCWorkshop for students
bytricksrefresher
 
Anya-Kim-Bhargava-MCCWorkshop.ppt
byTaskinKhaleque
 
Security issue in cloud by himanshu tiwari
bybhanu krishna
 
cloud-complete.ppt
byARJUNMUKHERJEE27
 
cloud-complete.ppt
byssuser3be95f
 
cloud-complete.ppt
bySameer Ali
 
cloud-complete power point presentation for digital signature
byArunsunaiComputer
 
cloud-complete.ppt
byNaradaDilshan
 
Cloud complete
byMuhammad Rehan
 
Tutorial-security-privacy-cloud intro duction about cloud compting its services
byHEmansuSingh
 
Tutorial-security-privacy-cloud-computing
bySISTechnologies
 
security Issues of cloud computing
byprachupanchal
 
SECURITY AND PRIVACY SECURITY AND PRIVACY SECURITY AND PRIVACY SECURITY AND P...
bythumilvannan
 
cloud-complete.ppt
byImpactGenshin3
 
security and privacy in cloud computing.ppt
byShahidSultan24
 
securing the cloud with different policies.ppt
byShahidSultan24
 
12-cloud-security.ppt
bychelsi33
 
Myppt1.pptx on ics subject for 6th semester
byMayuraD1
 
Lecture27 cc-security2
byAnkit Gupta
 

More from Devyani Vaidya

PPT
Hashing
byDevyani Vaidya
 
PPT
Fundamental file structure concepts & managing files of records
byDevyani Vaidya
 
PPT
Cosequential processing and the sorting of large files
byDevyani Vaidya
 
PPT
Introduction to the design and specification of file structures
byDevyani Vaidya
 
PPTX
Mobile Phone Cloning
byDevyani Vaidya
 
PPTX
Barcode Technology
byDevyani Vaidya
 
PPTX
3D- Doctor
byDevyani Vaidya
 
PPTX
3D-Password
byDevyani Vaidya
 
PPTX
Cloud Security
byDevyani Vaidya
 
PPTX
Bigtable a distributed storage system
byDevyani Vaidya
 
Hashing
byDevyani Vaidya
 
Fundamental file structure concepts & managing files of records
byDevyani Vaidya
 
Cosequential processing and the sorting of large files
byDevyani Vaidya
 
Introduction to the design and specification of file structures
byDevyani Vaidya
 
Mobile Phone Cloning
byDevyani Vaidya
 
Barcode Technology
byDevyani Vaidya
 
3D- Doctor
byDevyani Vaidya
 
3D-Password
byDevyani Vaidya
 
Cloud Security
byDevyani Vaidya
 
Bigtable a distributed storage system
byDevyani Vaidya
 

Recently uploaded

PPTX
Greengnorance Toolkit Module 3 Shopping and Food
byKarl Donert
 
PPTX
S.Y. B. Pharm Medicinal Chemistry I Unit-I
byMs. Ashatai Patil
 
PPTX
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
PPTX
Plant fibres used as surgical dressings & Sutures – Surgical Catgut and Ligat...
bySai Meer College of Pharmacy
 
PDF
Conservation of Earthen Structures in India Preserving Traditional and Sustai...
byAman Kumar Singh
 
PPTX
A Memory of Two Mondays by Arthur Miller
byDhatriParmar
 
PPTX
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
PDF
Power, Propaganda, and Fear: A Study of W. H. Auden’s Epitaph on a Tyrant
bypriyarathod315
 
PDF
The Sheep and the Goat: Beckett’s Subversion of Divine Justice in Waiting for...
bysejadchokiya
 
PPTX
How to Create_Generate Engineering Change Orders ECOs in Odoo 18
byCeline George
 
PPTX
Return For Exchange in Odoo 18 Inventory
byCeline George
 
PDF
BP801T BIOSTATISITCS AND RESEARCH METHODOLOGY (Theory) Unit 2 Part 1
byRushi Mandali
 
PDF
BP809ET COSMETIC SCIENCE (Theory) Unit 1
byRushi Mandali
 
PPTX
Drug acting on ANS.pptx (Drug acts on Sympathetic and parasympathetic NS)
byManarat International University
 
PPTX
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
PDF
Art, Memory, and Modernity: A Study of W. H. Auden’s In Memory of W. B. Yeats
bypriyarathod315
 
PDF
Intellectual Property Rights III Types (IPR)
byAmit Gangwal
 
PPTX
Greengnorance Toolkit Module 6 Water Resources
byKarl Donert
 
PDF
AI Is a Tool, Not a Voice: Radio, Trust, and the Human Factor
byN.A. Shah Ansari
 
PDF
Beyond the Absurd: A Comparative Reading of Waiting for Godot and the Bhagava...
byKruti Vyas
 
Greengnorance Toolkit Module 3 Shopping and Food
byKarl Donert
 
S.Y. B. Pharm Medicinal Chemistry I Unit-I
byMs. Ashatai Patil
 
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
Plant fibres used as surgical dressings & Sutures – Surgical Catgut and Ligat...
bySai Meer College of Pharmacy
 
Conservation of Earthen Structures in India Preserving Traditional and Sustai...
byAman Kumar Singh
 
A Memory of Two Mondays by Arthur Miller
byDhatriParmar
 
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
Power, Propaganda, and Fear: A Study of W. H. Auden’s Epitaph on a Tyrant
bypriyarathod315
 
The Sheep and the Goat: Beckett’s Subversion of Divine Justice in Waiting for...
bysejadchokiya
 
How to Create_Generate Engineering Change Orders ECOs in Odoo 18
byCeline George
 
Return For Exchange in Odoo 18 Inventory
byCeline George
 
BP801T BIOSTATISITCS AND RESEARCH METHODOLOGY (Theory) Unit 2 Part 1
byRushi Mandali
 
BP809ET COSMETIC SCIENCE (Theory) Unit 1
byRushi Mandali
 
Drug acting on ANS.pptx (Drug acts on Sympathetic and parasympathetic NS)
byManarat International University
 
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
Art, Memory, and Modernity: A Study of W. H. Auden’s In Memory of W. B. Yeats
bypriyarathod315
 
Intellectual Property Rights III Types (IPR)
byAmit Gangwal
 
Greengnorance Toolkit Module 6 Water Resources
byKarl Donert
 
AI Is a Tool, Not a Voice: Radio, Trust, and the Human Factor
byN.A. Shah Ansari
 
Beyond the Absurd: A Comparative Reading of Waiting for Godot and the Bhagava...
byKruti Vyas
 

Secure Cloud Issues

  • 1.
    Security Issues inCloud Computin g Ms.Devyani Bharat Vaidya Polytechnic student
  • 2.
    Talk Objectives • Presentcloud issues/characteristics that cr eate interesting security problems • Identify a few security issues within this fra mework • Propose some approaches to addressing t hese issues – Preliminary ideas to think about
  • 3.
    Cloud Computing Background •Features – Use of internet-based services to support business process – Rent IT-services on a utility-like basis • Attributes – Rapid deployment – Low startup costs/ capital investments – Costs based on usage or subscription – Multi-tenant sharing of services/ resources • Essential characteristics – On demand self-service – Ubiquitous network access – Location independent resource pooling – Rapid elasticity – Measured service • “Cloud computing is a compilation of existing techniques and technologies, packaged within a new infrastructure paradigm that offers improved scalabili ty, elasticity, business agility, faster startup time, reduced management cost s, and just-in-time availability of resources” Source: NIST
  • 4.
    Cloud Models • DeliveryModels – SaaS – PaaS – IaaS • Deployment Models – Private cloud – Community cloud – Public cloud – Hybrid cloud • We propose one more Model: Management Models (trus t and tenancy issues) – Self-managed – 3rd party managed (e.g. public clouds and VPC) Source: NIST
  • 5.
    Cloud Computing: AMassive Concentration of Resources • Also a massive concentration of risk – expected loss from a single breach can be signific antly larger – concentration of “users” represents a concentratio n of threats • “Ultimately, you can outsource responsibility but you can’t outsource accountability.” From John McDermott, ACSAC 09
  • 6.
    Cloud Computing: whoshould us e it? • Cloud computing definitely makes sense if your ow n security is weak, missing features, or below avera ge. • Ultimately, if – the cloud provider’s security people are “better” than your s (and leveraged at least as efficiently), – the web-services interfaces don’t introduce too many new vulnerabilities, and – the cloud provider aims at least as high as you do, at secu rity goals, then cloud computing has better security. From John McDermott, ACSAC 09
  • 7.
    Problems Associated withCloud C omputing • Most security problems stem from: – Loss of control – Lack of trust (mechanisms) – Multi-tenancy • These problems exist mainly in 3rd party manage ment models – Self-managed clouds still have security issues, but no t related to above
  • 8.
    Loss of Controlin the Cloud • Consumer’s loss of control – Data, applications, resources are located with provide r – User identity management is handled by the cloud – User access control rules, security policies and enforc ement are managed by the cloud provider – Consumer relies on provider to ensure • Data security and privacy • Resource availability • Monitoring and repairing of services/resources
  • 9.
    Lack of Trustin the Cloud • A brief deviation from the talk – (But still related) – Trusting a third party requires taking risks • Defining trust and risk – Opposite sides of the same coin (J. Camp) – People only trust when it pays (Economist’s view) – Need for trust arises only in risky situations • Defunct third party management schemes – Hard to balance trust and risk – e.g. Key Escrow (Clipper chip) – Is the cloud headed toward the same path?
  • 10.
    Multi-tenancy Issues inthe Cloud • Conflict between tenants’ opposing goals – Tenants share a pool of resources and have opposing goals • How does multi-tenancy deal with conflict of inter est? – Can tenants get along together and ‘play nicely’ ? – If they can’t, can we isolate them? • How to provide separation between tenants?
  • 11.
    Security Issues inthe Cloud • In theory, minimizing any of the issues would help: – Loss of Control • Take back control – Data and apps may still need to be on the cloud – But can they be managed in some way by the consumer? – Lack of trust • Increase trust (mechanisms) – Technology – Policy, regulation – Contracts (incentives): topic of a future talk – Multi-tenancy • Private cloud – Takes away the reasons to use a cloud in the first place • VPC: its still not a separate system • Strong separation
  • 12.
    Minimize Lack ofTrust: Policy Lang uage • Consumers have specific security needs but don’t have a say-so in how th ey are handled – What the heck is the provider doing for me? – Currently consumers cannot dictate their requirements to the provider (SLAs are one-sided) • Standard language to convey one’s policies and expectations – Agreed upon and upheld by both parties – Standard language for representing SLAs – Can be used in a intra-cloud environment to realize overarching security posture • Create policy language with the following characteristics: – Machine-understandable (or at least processable), – Easy to combine/merge and compare – Examples of policy statements are, “requires isolation between VMs”, “requires g eographical isolation between VMs”, “requires physical separation between other communities/tenants that are in the same industry,” etc. – Need a validation tool to check that the policy created in the standard language c orrectly reflects the policy creator’s intentions (i.e. that the policy language is sem antically equivalent to the user’s intentions).
  • 13.
    Minimize Lack ofTrust: Certificatio n • Certification – Some form of reputable, independent, comparable as sessment and description of security features and ass urance – Sarbanes-Oxley, DIACAP, DISTCAP, etc (are they su fficient for a cloud environment?) • Risk assessment – Performed by certified third parties – Provides consumers with additional assurance
  • 14.
    Minimize Loss ofControl in the Clo ud • Monitoring • Utilizing different clouds • Access control management
  • 15.
    Minimize Loss ofControl: Monitorin g • Cloud consumer needs situational awareness for critical applications – When underlying components fail, what is the effect of the failure to the mission l ogic – What recovery measures can be taken (by provider and consumer) • Requires an application-specific run-time monitoring and management tool f or the consumer – The cloud consumer and cloud provider have different views of the system – Enable both the provider and tenants to monitor the the components in the cloud that are under their control – Provide mechanisms that enable the provider to act on attacks he can handle. • infrastructure remapping (create new or move existing fault domains) • shutting down offending components or targets (and assisting tenants with porting if nec essary • Repairs – Provide mechanisms that enable the consumer to act on attacks that he can han dle (application-level monitoring). • RAdAC (Risk-adaptable Access Control) • VM porting with remote attestation of target physical host • Provide ability to move the user’s application to another cloud
  • 16.
    Minimize Loss ofControl: Utilize Dif ferent Clouds • The concept of ‘Don’t put all your eggs in one basket’ – Consumer may use services from different clouds through an intr a-cloud or multi-cloud architecture – Propose a multi-cloud or intra-cloud architecture in which consu mers • Spread the risk • Increase redundancy (per-task or per-application) • Increase chance of mission completion for critical applications – Possible issues to consider: • Policy incompatibility (combined, what is the overarching policy?) • Data dependency between clouds • Differing data semantics across clouds • Knowing when to utilize the redundancy feature (monitoring technol ogy) • Is it worth it to spread your sensitive data across multiple clouds? – Redundancy could increase risk of exposure
  • 17.
    Minimize Loss ofControl: Access C ontrol • Many possible layers of access control – E.g. access to the cloud, access to servers, access to services, access to databases (direct and queries via web services), access to VMs, and access to objects within a VM – Depending on the deployment model used, some of these will be controlled by the provider a nd others by the consumer • Regardless of deployment model, provider needs to manage the user authentication and access control procedures (to the cloud) – Federated Identity Management: access control management burden still lies with the provid er – Requires user to place a large amount of trust on the provider in terms of security, managem ent, and maintenance of access control policies. This can be burdensome when numerous u sers from different organizations with different access control policies, are involved • Consumer-managed access control – Consumer retains decision-making process to retain some control, requiring less trust of the provider (i.e. PDP is in consumer’s domain) – Requires the client and provider to have a pre-existing trust relationship, as well as a pre-neg otiated standard way of describing resources, users, and access decisions between the clou d provider and consumer. It also needs to be able to guarantee that the provider will uphold t he consumer-side’s access decisions. – Should be at least as secure as the traditional access control model. – Facebook and Google Apps do this to some degree, but not enough control – Applicability to privacy of patient health records
  • 18.
    PEP (intercepts all resource access requests fromall client domains) PDP for cloud resource on Domain A Cloud Consumer in Domain B ACM (XACML policies) . . . resources Cloud Provider in Domain A IDP 1. Authn request 2. SAML Assertion 3. Resource request (XACML Request) + SAML assertion 4. Redirect to domain of resource owner 7. Send signed and encrypted ticket 5. Retrieve policy for specified resource 6. Determine whether user can access specified resource 7. Create ticket for grant/deny 8. Decrypt and verify signature 9. Retrieve capability from ticket 10. Grant or deny access based on capability Minimize Loss of Control: Access C ontrol
  • 19.
    Minimize Multi-tenancy inthe Cloud • Can’t really force the provider to accept less te nants – Can try to increase isolation between tenants • Strong isolation techniques (VPC to some degree) – C.f. VM Side channel attacks (T. Ristenpart et al.) • QoS requirements need to be met • Policy specification – Can try to increase trust in the tenants • Who’s the insider, where’s the security boundary? Who can I trust? • Use SLAs to enforce trusted behavior
  • 20.
    Last Thoughts: LocalHost Security • Are local host machines part of the cloud infrastructure? – Outside the security perimeter – While cloud consumers worry about the security on the cloud provider’s site, they may easily forget to harden their own machines • The lack of security of local devices can – Provide a way for malicious services on the cloud to attack local networks through these term inal devices – Compromise the cloud and its resources for other users • With mobile devices, the threat may be even stronger – Users misplace or have the device stolen from them – Security mechanisms on handheld gadgets are often times insufficient compared to say, a de sktop computer – Provides a potential attacker an easy avenue into a cloud system. – If a user relies mainly on a mobile device to access cloud data, the threat to availability is als o increased as mobile devices malfunction or are lost • Devices that access the cloud should have – Strong authentication mechanisms – Tamper-resistant mechanisms – Strong isolation between applications – Methods to trust the OS – Cryptographic functionality when traffic confidentiality is required
  • 21.
    Conclusion • Cloud computingis sometimes viewed as a reincarnation of the classic mainframe client-server model – However, resources are ubiquitous, scalable, highly virtualized – Contains all the traditional threats, as well as new ones • In developing solutions to cloud computing security issue s it may be helpful to identify the problems and approach es in terms of – Loss of control – Lack of trust – Multi-tenancy problems
  • 22.
    References 1. NIST (Authors:P. Mell and T. Grance), "The NIST Definition of Cl oud Computing (ver. 15)," National Institute of Standards and Tec hnology, Information Technology Laboratory (October 7 2009). 2. J. McDermott, (2009) "Security Requirements for Virtualization in Cloud Computing," presented at the ACSAC Cloud Security Work shop, Honolulu, Hawaii, USA, 2009. 3. J. Camp. (2001), “Trust and Risk in Internet Commerce,” MIT P ress 4. T. Ristenpart et al. (2009) “Hey You Get Off My Cloud,” Procee dings of the 16th ACM conference on Computer and communicati ons security, Chicago, Illinois, USA
  • 23.
    References for CloudSecurity • M. Armbrust, et al., "Above the Clouds: A Berkeley View of Cloud Computing," UC Be rkeley Reliable Adaptive Distributed Systems LaboratoryFebruary 10 2009. • Cloud Security Alliance, "Security Guidance for Critical Areas of Focus in Cloud Com puting, ver. 2.1," 2009. • M. Jensen, et al., "On Technical Security Issues in Cloud Computing," presented at th e 2009 IEEE International Conference on Cloud Computing, Bangalore, India 2009. • P. Mell and T. Grance, "Effectively and Securely Using the Cloud Computing Paradig m," ed: National Institute of Standards and Technology, Information Technology Labo ratory, 2009. • N. Santos, et al., "Towards Trusted Cloud Computing," in Usenix 09 Hot Cloud Works hop, San Diego, CA, 2009. • R. G. Lennon, et al., "Best practices in cloud computing: designing for the cloud," pre sented at the Proceeding of the 24th ACM SIGPLAN conference companion on Obje ct oriented programming systems languages and applications, Orlando, Florida, USA, 2009. • P. Mell and T. Grance, "The NIST Definition of Cloud Computing (ver. 15)," National I nstitute of Standards and Technology, Information Technology LaboratoryOctober 7 2 009. • C. Cachin, et al., "Trusting the cloud," SIGACT News, vol. 40, pp. 81-86, 2009. • J. Heiser and M. Nicolett, "Assessing the Security Risks of Cloud Computing," Gartne r 2008. • A. Joch. (2009, June 18) Cloud Computing: Is It Secure Enough? Federal Computer Week.
  • 24.

Editor's Notes