2. What is CLOUD?
Advantages of Cloud
Major concerns in Cloud Security
Foundations to understand Threats
Understanding Threats
Government’s role
SERVICE LEVEL AGREEMENT
Conclusion & Future Work
3. In June 2009, a study conducted by VersionOne found
that 41% of senior IT professionals actually don't know
what cloud computing is and two-thirds of senior finance
professionals are confused by the concept, highlighting the
young nature of the technology
4. …the idea of relying on
Web-based application and
storing data in the
“CLOUD” of the internet.
The cloud is a smart,
complex, powerful
computing system in
the sky that people can
just plug into.
It starts with the
premise that the data
services and
architecture should be
on the servers. We call
it Cloud Computing –
they should be in a
“CLOUD” somewhere
Cloud computing is Web-based
processing, whereby shared
resources, software, and information
are provided to computers and other
devices (such as smartphones) on
demand over the Internet.
5. “Cloud” is simply a
metaphor for the internet
Users do not have or need
knowledge, control,
ownership in the computer
infrastructure
Users simply rent or access
the software, paying only for
what they use
9. Defines how to provide integrity, confidentiality and
authentication for SOAP messages
Defines a SOAP header (Security) that carries the WS-
Security extensions
Defines how existing XML security standards like XML
Signature and XML Encryption are applied to SOAP
messages
10.
11. XML Encryption allows XML fragments to be encrypted to
ensure data confidentiality
The encrypted fragment is replaced by an EncryptedData
element containing the ciphertext of the encrypted fragment as
content
XML Encryption defines an EncryptedKey element for
key transportation purposes
WS-Security defines security tokens suitable for
transportation of digital identities
Example: X.509 certificates
12. Also known by the name “SECURE SOCKET
LAYER (SSL)”
Consists of two parts:
The Record Layer encrypts/decrypts TCP data streams using
the algorithms and keys negotiated in the TLS Handshake
TLS Handshake: used to authenticate the server and
optionally the client
Most important cryptographic protocol worldwide,
implemented in every web browser
15. A well-known type of attack called:
• XML Signature Element Wrapping
Discovered by McIntosh and Austel in 2005
Until 2008, these attacks remained theoretical and no
real-life wrapping attack became public
In 2008 it was discovered that Amazon’s EC2 service
was vulnerable to wrapping attacks
16.
17. Web browsers cannot directly make use of XML
Signature or XML Encryption: data can only be
encrypted through TLS, and signatures are only used
within the TLS handshake
The Legacy Same Origin Policy:
Concerned with whether scripts are allowed or disallowed to run
Attacks on Browser-based Cloud Authentication:
Federated Identity Management (FIM) protocols
• Authentication by THIRD PARTY
18. National Institute of Standards and Technology (NIST),
an agency of the Commerce Department’s
Technology Administration created a cloud computing
security group
It promotes “the effective and secure use of the technology
within government and industry by providing
technical guidance and promoting standards”
NIST has recently released its draft “Guide to Adopting and
Using the Security Content Automation Protocol (SCAP)”
19. A service level agreement is a document which defines
the relationship between two parties: the provider and
the recipient
Vendors have to provide some assurance in service level
agreements (SLA) to convince the customer
on security issues
If used properly it should:
• Identify and define the customer’s needs
• Provide a framework for understanding
• Simplify complex issues
• Reduce areas of conflict
20. We investigated ongoing issues with the application of
XML Signature and the Web Services security
frameworks
Discussed the importance and capabilities of browser
security in the Cloud Computing context
The threats to Cloud Computing security are
numerous, and each of them requires an in-depth
analysis on their potential impact and relevance to real-
world Cloud Computing scenarios
21. Future aspect includes strengthening the security
capabilities of both Web browsers and Web Service
frameworks, at best integrating the latter into the first
To achieve a recognized and actionable security policy,
SCAP recommends that organizations demonstrate
compliance with security requirements in mandates
such as the US Federal Information Security
Management Act (FISMA)
22. On Technical Security Issues in Cloud Computing, Meiko
Jensen, Jörg Schwenk (Horst Görtz Institute for IT Security,
Ruhr University Bochum, Germany) and Nils Gruschka,
Luigi Lo Iacono (NEC Laboratories Europe, NEC Europe
Ltd), IEEE, 2009
Lori M. Kaufman, BAE Systems, IEEE, 2009
Cloud Security Issue, Balachandra Reddy Kandukuri,
Ramakrishna Paturi V, Dr. Atanu Rakshit, IEEE, 2009
http://csrc.nist.gov/groups/SNS/cloudcomputing/index.html
2. MIT Technology Review; 3. Web browser pioneer Marc Andreessen; 4. Eric Schmidt (Chairman/CEO of Google Inc.)
The cloud metaphor is actually a good one. A cloud is a huge collection of tiny droplets of water. Some of those droplets will fall on my yard, providing the trees and bushes with water. Some will fall onto land where it will run off into the reservoir which my drinking water comes from. Clouds grow from evaporated water, which comes from all over the place. When it comes to clouds, what I care about is that enough water falls on my yard to keep the plants alive, and that enough water winds up in my reservoir so that I have enough to drink. I don't care which cloud drops water on my yard. I don't care where on earth that water came from. To me, it's all just water - every droplet is pretty much exactly the same, and I can't tell the difference. So long as I get enough, I'm happy.
List goes on!!
WS = web service
The signing process works as follows: for every message part to be signed, a Reference element is created, and this message part is canonicalized and hashed. The resulting digest is added into the DigestValue element, and a reference to the signed message part is entered into the URI attribute. Finally, the SignedInfo element is canonicalized and signed. The result of the signing operation is placed in the SignatureValue element, and the Signature element is added to the security header.
2nd point: The most common application for an encrypted key is hybrid encryption: an XML fragment is encrypted with a randomly generated symmetric key, which itself is encrypted using the public key of the message recipient. In SOAP messages, the EncryptedKey element must appear inside the security header.
Figures 2 and 3 show a simple example of a wrapping attack to illustrate the concept of this attack. The first figure presents a SOAP message sent by a legitimate client. The SOAP body contains a request for the file “me.jpg” and was signed by the sender. The signature is enclosed in the SOAP header and refers to the signed message fragment using an XPointer to the Id attribute with the value “body”.[1] If an attacker eavesdrops on such a message, he can perform the following attack. The original body is moved to a newly inserted wrapping element (giving the attack its name) inside the SOAP header, and a new body is created. This body contains the operation the attacker wants to perform with the original sender’s authorization, here the request for the file “cv.doc”. The resulting message still contains a valid signature of a legitimate user, thus the service executes the modified request.
[1] Interestingly, these attacks have been described as early as 1996, but these descriptions were ignored both by the bad and the good guys outside academia.
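The Reference/digest step of the signing note above and the Figure 2 / Figure 3 messages, worked through as an added Python example that is not part of the original slides or of the Jensen et al. paper. It assumes a SHA-256 digest over the C14N-canonicalized Body (the standard library's `xml.etree.ElementTree.canonicalize`), leaves the SignatureValue over SignedInfo out of the model, and embeds two constructed SOAP messages: the legitimate request for “me.jpg” and the same message with its signed Body moved under a Wrapper element in the header. A verifier that only resolves the Reference URI by Id accepts both; the added structural check (the signed element must be the very Body the service executes, i.e. the direct child of Envelope) rejects the wrapped one.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

# Real namespace URIs for SOAP 1.1, WS-Security and XML Signature.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)  # keep prefixes stable when re-serializing

PLACEHOLDER = "DIGEST-TO-BE-FILLED"

# Security header with one Reference to the element carrying wsu:Id="body".
# Assumption: only the Reference/DigestValue step of the signing note is
# modelled; the SignatureValue over SignedInfo is a fixed placeholder string.
SECURITY_HEADER = f"""<wsse:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#body"><ds:DigestValue>{PLACEHOLDER}</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>signature-over-SignedInfo-omitted</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>"""

SIGNED_BODY = '<soap:Body wsu:Id="body"><GetFile><Name>me.jpg</Name></GetFile></soap:Body>'

# Constructed message 1 (Figure 2 in the note): the legitimate client's request.
LEGIT_TEMPLATE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soap:Header>
    {SECURITY_HEADER}
  </soap:Header>
  {SIGNED_BODY}
</soap:Envelope>"""

# Constructed message 2 (Figure 3 in the note): the signed Body now sits inside a
# Wrapper element in the header, a new unsigned Body asks for "cv.doc", and the
# security header is carried over unchanged.
WRAPPED_TEMPLATE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soap:Header>
    {SECURITY_HEADER}
    <Wrapper>{SIGNED_BODY}</Wrapper>
  </soap:Header>
  <soap:Body><GetFile><Name>cv.doc</Name></GetFile></soap:Body>
</soap:Envelope>"""


def find_by_id(root, id_value):
    """Id-based reference resolution: the first element anywhere in the tree
    whose wsu:Id matches, regardless of where in the message it sits."""
    return next((e for e in root.iter() if e.get(f"{{{WSU}}}Id") == id_value), None)


def digest_of(elem):
    """Canonicalize the signed part (C14N via the standard library) and hash it,
    which is the per-Reference step of the signing note."""
    node = copy.deepcopy(elem)
    node.tail = None  # tail text belongs to the parent, not to the signed part
    c14n = ET.canonicalize(ET.tostring(node, encoding="unicode"), strip_text=True)
    return base64.b64encode(hashlib.sha256(c14n.encode("utf-8")).digest()).decode("ascii")


def reference(root):
    """(referenced Id, DigestValue element) of the single Reference in the header."""
    ref = root.find(f".//{{{DS}}}Reference")
    return ref.get("URI").lstrip("#"), ref.find(f"{{{DS}}}DigestValue")


# The client signs its Body once. The wrapped message reuses that digest
# verbatim, which is exactly why a plain signature check still passes on it.
BODY_DIGEST = digest_of(ET.fromstring(LEGIT_TEMPLATE).find(f"{{{SOAP}}}Body"))
LEGIT = LEGIT_TEMPLATE.replace(PLACEHOLDER, BODY_DIGEST)
WRAPPED = WRAPPED_TEMPLATE.replace(PLACEHOLDER, BODY_DIGEST)


def digest_valid(xml_text):
    """What a plain XML Signature verifier does: resolve the URI by Id and
    compare digests. True for both messages, since the signed part is intact."""
    root = ET.fromstring(xml_text)
    ref_id, digest_elem = reference(root)
    target = find_by_id(root, ref_id)
    return target is not None and digest_of(target) == digest_elem.text


def signed_part_is_executed_body(xml_text):
    """Added structural check: the element the signature covers must be the same
    Element object as the Body directly under Envelope, the one that is executed."""
    root = ET.fromstring(xml_text)
    ref_id, _ = reference(root)
    target = find_by_id(root, ref_id)
    executed = root.find(f"{{{SOAP}}}Body")
    return target is not None and target is executed


def requested_file(xml_text):
    """The request the service would actually act on: the Name inside Envelope/Body."""
    return ET.fromstring(xml_text).find(f"{{{SOAP}}}Body/GetFile/Name").text


def accept(xml_text):
    """Accept a message only if both the digest and the structural check pass."""
    return digest_valid(xml_text) and signed_part_is_executed_body(xml_text)


if __name__ == "__main__":
    for name, msg in (("legitimate", LEGIT), ("wrapped", WRAPPED)):
        print(f"{name}: requests {requested_file(msg)!r}, digest ok={digest_valid(msg)}, "
              f"signed part is executed Body={signed_part_is_executed_body(msg)}, "
              f"accept={accept(msg)}")
```

The point to take from running it: `digest_valid` is true for both messages, because wrapping never touches the bytes the digest covers; only the question “is the element I resolved by Id the element I am about to execute?” separates the two. In a real verifier that question has to be asked after reference resolution and before dispatch, and a full implementation would additionally verify SignatureValue over the canonicalized SignedInfo with the sender's key, which this example leaves out.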