Introduction to Cloud Computing
      In-depth Security Analysis for Cloud Computing [2]
Project for Trustworthy Cloud Computing and Conclusion
                                            Bibliography




                 The Security and Privacy Threats
                                 to
                          Cloud Computing

                                        Ankit Singh
                                Frankfurt am Main, Germany


                                               April 23, 2012




                                            Ankit Singh    The Security and Privacy Threats to Cloud Computing



    1    Introduction to Cloud Computing
            Cloud Computing Example
            Three Cloud Service Models
            Threats to Cloud Computing

    2    In-depth Security Analysis for Cloud Computing [2]
            Security weakness in Cloud Computing
            Data protection requirements for cloud computing services
            Government and the Cloud

    3    Project for Trustworthy Cloud Computing and Conclusion
           The TClouds Project
           Conclusion of the Talk

    4    Bibliography




Quick Introduction to Cloud Computing I

    “Cloud computing is a term from information technology (IT) and
    means that software, memory capacity and computer power can be
    accessed via a network, for instance, the Internet or within a
    Virtual Private Network (VPN), as and when it is needed.
    The IT landscape (e.g. data processing centre, data storage
    facilities, e-mail and collaboration software, development
    environments and special software such as Customer Relationship
    Management [CRM]) is no longer owned and run by the company
    or institution, but is a service which can be rented from one or
    more cloud service providers” [1]






Cloud Computing Example I




              Figure: Cloud Computing Example (adapted from Wikipedia)





Three Cloud Service Models [1] [2] I

            Software as a Service (SaaS): Users as consumers.
            e.g. accounting, collaboration tools, CRM etc.
            Platform as a Service (PaaS): Data processing services.
            e.g. Google App Engine and Microsoft Azure Platform.
            Infrastructure as a Service (IaaS): Hosting services.
            e.g. webspaces like Amazon EC2, Go Daddy etc.
    - The cloud computing service models are viewed as layers, in the same
    sequence as shown above.
    - These models are deployed on top of the cloud infrastructure as
    defined by NIST [3].






List of Threats to Cloud Computing [4] I
        1   Abuse of Cloud computing: Affected Services:- IaaS, PaaS:
            - Abuse of the service is made possible by the anonymity that
            loose registration and validation processes allow.
            - Adversaries use these models for spamming, writing
            malicious code etc.
        2   Insecure Interfaces and APIs: Affected Services:-
            IaaS, PaaS, SaaS:
            - Service providers give customers interfaces or APIs
            to manage and interact with cloud services.
            - The security and availability of cloud services depend
            upon the security of these basic APIs.
            - Interfaces must be designed to protect against accidental
            and malicious attempts to circumvent policy.



List of Threats to Cloud Computing [4] II
        3   Malicious Insiders: Affected Services:- IaaS, PaaS, SaaS:
            - An adversary can harvest confidential data or gain complete
            control over cloud services, depending on the level of access.
        4   Shared Technology Issues: Affected Services:- IaaS:
            - Disk partitions, CPU caches, GPUs and other shared
            elements were never designed for strong
            compartmentalization.
            - A virtualization hypervisor addresses this gap by
            mediating access between guest operating systems and physical
            compute resources.
            - Hypervisors have flaws which may result in gaining
            inappropriate levels of control or influence on the underlying
            platform.




List of Threats to Cloud Computing [4] III
        5   Data Loss or Leakage: Affected Services:- IaaS, PaaS, SaaS:
            - Deletion or alteration of records without a backup of the
            original content.
            - Unlinking a record from a larger context may render it
            unrecoverable.
            - Unauthorized parties must be prevented from gaining access
            to sensitive data.
            - Examples: Insufficient authentication, authorization and
            audit (AAA) controls






List of Threats to Cloud Computing [4] IV
        6   Account or Service Hijacking: Affected Services:-
            IaaS, PaaS, SaaS:
            - Attack methods such as phishing, fraud and exploitation of
            software vulnerabilities still achieve results. Credentials and
            passwords are often reused.
        7   Unknown Risk Profile: Affected Services:- IaaS, PaaS, SaaS:
            - Versions of software, code updates, security practices,
            vulnerability profiles and intrusion attempts are the factors for
            estimating a company's security posture.
            - Some questions need to be addressed, such as: how are data and
            related logs stored, and who has access to them? What
            information may be disclosed in case of a security breach? etc.





Security weakness in Cloud Computing I

            Cloud providers fail to provide encryption to their users:
            - Cloud service providers do not provide encrypted access to
            their Web applications.
            Man in the middle attacks:
            - An attacker redirects traffic between a client and a server
            through himself.
            - Achieved by forging DNS packets, DNS cache poisoning, or
            ARP spoofing.
            - Prevention: DNSSEC and HTTPS/TLS are two
            technologies which can prevent this attack.
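
            Added example (not part of the original slides): the HTTPS/TLS
            prevention above only holds when the client authenticates the
            server, so this Python sketch contrasts a verifying client context
            with a non-verifying one and audits both. The function and constant
            names are chosen for this example.

```python
import socket
import ssl

# Finding identifiers returned by audit_context() (names chosen for this example).
NO_CERT_VERIFICATION = "no-cert-verification"
NO_HOSTNAME_CHECK = "no-hostname-check"
LEGACY_PROTOCOL = "legacy-protocol-allowed"


def hardened_client_context() -> ssl.SSLContext:
    """Client context that rejects a forged or mismatched server certificate."""
    # create_default_context() enables CERT_REQUIRED, hostname checking and
    # loads the system CA store.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse older protocol versions
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration to look for: encryption without authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, also an interceptor's
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that leave a TLS client open to interception."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(NO_CERT_VERIFICATION)
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(LEGACY_PROTOCOL)
    return findings


def open_verified(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with the hardened context.

    If DNS or ARP tampering has redirected the connection to another machine,
    the handshake raises ssl.SSLCertVerificationError, because that machine
    cannot present a certificate for `host` that chains to a trusted CA.
    """
    ctx = hardened_client_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weak:    ", audit_context(weak_client_context()))
```
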






Security weakness in Cloud Computing II
            Data encryption caveats:
            - Where will the encryption key be stored?
            - Where will the encryption and decryption processes be
            performed?
            User interface attacks:
            - A Web browser is used for accessing Web applications. Thus, the
            browser's user interface becomes an important security factor.
            - Example: An attacker tries to fool the user into thinking
            that she is visiting a real website instead of a forgery.
            Techniques used here include fake HTTPS lock icons.






Research Recommendations by ENISA [5] I

    Research recommendations by European Network and Information
    Security Agency (ENISA):
            Building Trust in the Cloud:
                    Certification processes and standards for clouds: COBIT (52),
                    ITIL (53) etc.
                    Metrics for security in cloud computing
                    Effects of different forms of reporting breaches on security
                    Increasing transparency while maintaining appropriate levels of
                    security
                    End-to-end data confidentiality
                    Extending cloud-based trust to client-based data and
                    applications
            Data Protection in Large-Scale Cross-Organizational
            Systems:



Research Recommendations by ENISA [5] II
                    Data destruction and lifecycle management
                    Integrity Verification - of backups and archives in the cloud
                    and their version management
                    Forensics and evidence gathering mechanisms
                    Incident resolution and rules of evidence
                    International differences in relevant regulations, including data
                    protection and privacy, i.e. legal means to facilitate the smooth
                    functioning of multi-national cloud infrastructures.
            Large-Scale Computer Systems Engineering:
                    Security in depth within large-scale distributed computer
                    systems
                    Security services in the cloud, i.e. adaptation of traditional
                    security perimeter control technologies to the cloud like HSM,
                    web filters, firewalls, IDS etc.




Research Recommendations by ENISA [5] III
                    Resource isolation mechanisms - data, processing, memory,
                    logs, etc.
                    Interoperability between cloud providers
                    Portability of VM, data and VM security settings from one
                    cloud provider to another (to avoid vendor lock-in), and
                    maintaining state and session in VM backups.
                    Standardization of interfaces to feed data, applications and
                    whole systems to the cloud.
                    Resource (bandwidth, CPU, etc.) provisioning and
                    allocation at scale (elasticity)
                    Scalable security management (policy and operating
                    procedures) within cloud platforms






Government and the Cloud [2] I

            United States: One of the most important legal tools used
            by the U.S. Government to force cloud providers to hand
            them users’ private data is the third-party doctrine. Other
            relevant laws include the Wiretap Act, the All Writs Act and
            the Foreign Intelligence Surveillance Act.
            Example: Facebook can provide complete profile information
            and uploaded photos to law enforcement irrespective of her
            privacy






Government and the Cloud [2] II
            Germany: §§111 and 112 of the 2004 Telecommunications
            Act (Telekommunikationsgesetz in German) allow the
            government to force telecommunication service providers
            (which include cloud service providers like webmail) to hand
            over information such as a customer’s name, address,
            birthdate, and email address, without a court order, through
            an automated query system that includes a search function in
            case law enforcement has incomplete request data.
            Example: A case of court-ordered surveillance in Germany is the Java
            Anonymous Proxy (JAP), which is open source software
            for anonymously browsing websites.






The TClouds Project I

    Trustworthy Clouds - TClouds is a European Commission funded
    project.
    GOAL: To develop a trustworthy cloud computing infrastructure,
    which enables comprehensible and audit-proof processing of
    personal or otherwise sensitive data in a cloud without limiting the
    solution to just a physically separated private cloud [6].
    Target Scenarios:
            Energy Sector: Portugal's leading energy supplier Energias de
            Portugal (EDP) and electronics company EFACEC in the field of
            smart power grids
            Healthcare Sector: Italian hospital San Raffaele in Milano





The TClouds Project II
    Technical Implementation: Focuses on communication
    protocols between different cloud service providers, new open
    security standards, APIs and effective management components for
    cloud security.






Conclusion I

            Cloud computing is an upcoming field due to the attractive services
            provided by cloud computing service providers.
            Privacy and data security are the biggest challenges when it
            comes to storing and processing critical business or personal
            data in a cloud.
            There are many challenges that we can only face if we
            understand what we are dealing with, how it may affect us
            and which possible solutions exist.
            We must convince cloud providers and users of the
            importance of implementing available security technologies.






Conclusion II
            The requirements of national and international data
            protection laws are a major concern. As a consequence, this
            leads to stronger market growth of so-called private and
            community clouds, which are aligned more to the specific
            requirements of single customers or a narrowly defined user
            group.
            Sensitive and private data should not be put on the cloud,
            due to current security threats.






Bibliography I
           [1] SWISS - Guide to cloud computing, Federal Data Protection and Information Commissioner FDPIC.

           [2] Security, Privacy and Cloud Computing, Jose Tomas Robles Hahn, Future Internet Seminar - Winter Term
           2010/2011, Chair for Network Architectures and Services, Faculty of Computer Science, Technische
           Universität München.

           [3] National Institute of Standards and Technology, U.S. Department of Commerce, Guidelines on Security and
           Privacy in Public Cloud Computing, Wayne Jansen, Timothy Grance.

           [4] Top Threats to Cloud Computing 2010, Prepared by the Cloud Security Alliance, March 2010.

           [5] Cloud Computing, Benefits, risks and recommendations for information security, European Network and
           Information Security Agency.

           [6] Trustworthy Clouds (TClouds) - Privacy meets Innovation by Eva Schlehahn and Marit Hansen,
           Independent Centre for Privacy Protection Schleswig-Holstein, Germany.

           [7] Cloud Security Alliance (CSA) https://cloudsecurityalliance.org/ Last Access: April 23, 2012




                                            Ankit Singh       The Security and Privacy Threats to Cloud Computing

The Security and Privacy Threats to Cloud Computing

  • 1.
    Introduction to CloudComputing In-depth Security Analysis for Cloud Computing [2] Project for Trustworthy Cloud Computing and Conclusion Bibliography The Security and Privacy Threats to Cloud Computing Ankit Singh Frankfurt am Main, Germany April 23, 2012 Ankit Singh The Security and Privacy Threats to Cloud Computing
  • 2.
    Introduction to CloudComputing In-depth Security Analysis for Cloud Computing [2] Project for Trustworthy Cloud Computing and Conclusion Bibliography 1 Introduction to Cloud Computing Cloud Computing Example Three Cloud Service Models Threats to Cloud Computing 2 In-depth Security Analysis for Cloud Computing [2] Security weakness in Cloud Computing Data protection requirements for cloud computing services Government and the Cloud 3 Project for Trustworthy Cloud Computing and Conclusion The TClouds Project Conclusion of the Talk 4 Bibliography Ankit Singh The Security and Privacy Threats to Cloud Computing
  • 3.
    Introduction to CloudComputing Cloud Computing Example In-depth Security Analysis for Cloud Computing [2] Three Cloud Service Models Project for Trustworthy Cloud Computing and Conclusion Threats to Cloud Computing Bibliography Quick Introduction to Cloud Computing I “Cloud computing is a term from information technology (IT) and means that software, memory capacity and computer power can be accessed via a network, for instance, the Internet or within a Virtual Private Network (VPN), as and when it is needed. The IT landscape (e.g. data processing centre, data storage facilities, e-mail and collaboration software, development environments and special software such as Customer Relationship Management [CRM]) is no longer owned and run by the company or institution, but is a service which can be rented from one or more cloud service providers” [1] Ankit Singh The Security and Privacy Threats to Cloud Computing
  • 4.
    Introduction to CloudComputing Cloud Computing Example In-depth Security Analysis for Cloud Computing [2] Three Cloud Service Models Project for Trustworthy Cloud Computing and Conclusion Threats to Cloud Computing Bibliography Cloud Computing Example I Figure: Cloud Computing Example (adapted from wikipedia) Ankit Singh The Security and Privacy Threats to Cloud Computing
  • 5.
    Introduction to CloudComputing Cloud Computing Example In-depth Security Analysis for Cloud Computing [2] Three Cloud Service Models Project for Trustworthy Cloud Computing and Conclusion Threats to Cloud Computing Bibliography Three Cloud Service Models [1] [2] I Software as a Service (SaaS): Users as consumers. e.g. Accounting, collaboration tools, CRM etc. Platform as Service (PaaS): Data processing services. e.g Google App Engine and Microsoft Azure Platform. Infrastructure as Service (IaaS): Hosting services. e.g webspaces like Amazon EC2, Go Daddy etc. - The Cloud Computing Service models viewed as layers in same sequence shown above. - These models are deployed on top of cloud infrastructure as defined by NIST’s [3]. Ankit Singh The Security and Privacy Threats to Cloud Computing
  • 6.
    Introduction to CloudComputing Cloud Computing Example In-depth Security Analysis for Cloud Computing [2] Three Cloud Service Models Project for Trustworthy Cloud Computing and Conclusion Threats to Cloud Computing Bibliography List of Threats to Cloud Computing [4] I 1 Abuse of Cloud computing: Effected Services:- Iaas, PaaS: - Absuing service due to anonymity due to loose registration and validation process. - Adversaries usage the models for spamming, writing malicious code etc. 2 Insecure Interfaces and APIs: Effected Services:- IaaS, Paas, SaaS: - Interfaces or APIs provided by service providers to customers to manage and interact with cloud services. - The security and availability of cloud services is dependent upon the security of these basic API’s. - Interfaces must be designed to protect against accidental and malicious attempts to mislead the policy. Ankit Singh The Security and Privacy Threats to Cloud Computing
  • 7.
    Introduction to CloudComputing Cloud Computing Example In-depth Security Analysis for Cloud Computing [2] Three Cloud Service Models Project for Trustworthy Cloud Computing and Conclusion Threats to Cloud Computing Bibliography List of Threats to Cloud Computing [4] II 3 Malicious Insiders: Effected Services:- Iaas, Paas, SaaS: - An adversary can harvest confidential data or gain complete controls over cloud services depending on the level of access. 4 Shared Technology Issues: Effected Services:- IaaS: - The disk partitions, CPU caches and GPUs and other shared elements were never designed for strong compartmentalization. - A virtualization hypervisor addresses this gap which mediates access between guest operating systems and physical compute resources. - The hypervisors have the flaw which may result in gaining inappropriate levels of control or influence on the underlying platform. Ankit Singh The Security and Privacy Threats to Cloud Computing
  • 8.
    Introduction to CloudComputing Cloud Computing Example In-depth Security Analysis for Cloud Computing [2] Three Cloud Service Models Project for Trustworthy Cloud Computing and Conclusion Threats to Cloud Computing Bibliography List of Threats to Cloud Computing [4] III 5 Data Loss or Leakage: Effected Services:- IaaS, PaaS, SaaS: - Deletion or alteration of records without a backup of the original content. - Unlinking a record from a larger context may render it unrecoverable. - Unauthorized parties must be prevented from gaining access to sensitive data. - Examples: Insufficient authentication, authorization and audit (AAA) controls Ankit Singh The Security and Privacy Threats to Cloud Computing
  • 9.
    Introduction to CloudComputing Cloud Computing Example In-depth Security Analysis for Cloud Computing [2] Three Cloud Service Models Project for Trustworthy Cloud Computing and Conclusion Threats to Cloud Computing Bibliography List of Threats to Cloud Computing [4] IV 6 Account or Service Hijacking: Effected Services:- IaaS, PaaS, SaaS: - Attack methods such as phishing, fraud and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused. 7 Unknown Risk Profile: Effected Services:- IaaS, PaaS, SaaS: - Versions of software, code updates, security practices, vulnerability profiles, intrusion attempts are the factors for estimating company’s security posture. - Some questions which need to addressed like how data and related logs are stored and who has access to them? what information may be disclosed in case of security breach? etc. Ankit Singh The Security and Privacy Threats to Cloud Computing
  • 10.
    Introduction to CloudComputing Security weakness in Cloud Computing In-depth Security Analysis for Cloud Computing [2] Data protection requirements for cloud computing services Project for Trustworthy Cloud Computing and Conclusion Government and the Cloud Bibliography Security weakness in Cloud Computing I Cloud Providers fail to provide encryption to their users: - Cloud service providers not providing encrypted access to their Web applications Man in the middle attacks: -Attackers redirects traffic between a client and a server through him. - Achieved by forging DNS packets, DNS cache poisoning, or ARP spoofing. - Prevention: DNSSEC and HTTPS/TLS are two technologies which can prevent this attack. Ankit Singh The Security and Privacy Threats to Cloud Computing
  • 11.
    Introduction to CloudComputing Security weakness in Cloud Computing In-depth Security Analysis for Cloud Computing [2] Data protection requirements for cloud computing services Project for Trustworthy Cloud Computing and Conclusion Government and the Cloud Bibliography Security weakness in Cloud Computing II Data encryption caveats: - Where will the encryption key be stored? - Where will the encryption and decryption processes be performed? User interface attacks: - A Web browser is used for accessing Web applications. Thus, browser’s user interface becomes an important security factor. - Example: An attacker tries to fool the user into thinking that she is visiting a real website instead of a forgery. Techniques used here include fake HTTPS lock icons. Ankit Singh The Security and Privacy Threats to Cloud Computing
  • 12.
    Research Recommendations by ENISA [5] I
    Research recommendations by the European Network and Information Security Agency (ENISA):
    Building Trust in the Cloud:
       - Certification processes and standards for clouds: COBIT (52), ITIL (53) etc.
       - Metrics for security in cloud computing
       - Effects of different forms of reporting breaches on security
       - Increasing transparency while maintaining appropriate levels of security
       - End-to-end data confidentiality
       - Extending cloud-based trust to client-based data and applications
    Data Protection in Large-Scale Cross-Organizational Systems:
  • 13.
    Research Recommendations by ENISA [5] II
       - Data destruction and lifecycle management
       - Integrity verification of backups and archives in the cloud and their version management
       - Forensics and evidence gathering mechanisms
       - Incident resolution and rules of evidence
       - International differences in relevant regulations, including data protection and privacy, i.e. legal means to facilitate the smooth functioning of multi-national cloud infrastructures.
    Large-Scale Computer Systems Engineering:
       - Security in depth within large-scale distributed computer systems
       - Security services in the cloud, i.e. adaptation of traditional security perimeter control technologies to the cloud, like HSM, web filters, firewalls, IDS etc.
  • 14.
    Research Recommendations by ENISA [5] III
       - Resource isolation mechanisms: data, processing, memory, logs, etc.
       - Interoperability between cloud providers
       - Portability of VM, data and VM security settings from one cloud provider to another (to avoid vendor lock-in), and maintaining state and session in VM backups.
       - Standardization of interfaces to feed data, applications and whole systems to the cloud.
       - Resource (bandwidth, CPU, etc.) provisioning and allocation at scale (elasticity)
       - Scalable security management (policy and operating procedures) within cloud platforms
  • 15.
    Government and the Cloud [2] I
    United States:
       - One of the most important legal tools used by the U.S. Government to force cloud providers to hand them users' private data is the third-party doctrine.
       - Other relevant laws include the Wiretap Act, the All Writs Act and the Foreign Intelligence Surveillance Act.
       - Example: Facebook can provide complete profile information and uploaded photos to law enforcement irrespective of her privacy
  • 16.
    Government and the Cloud [2] II
    Germany:
       - §§111 and 112 of the 2004 Telecommunications Act (Telekommunikationsgesetz in German) allow the government to force telecommunication service providers (which include cloud service providers like webmail) to hand over information such as a customer's name, address, birthdate, and email address, without a court order, through an automated query system that includes a search function in case law enforcement has incomplete request data.
       - Example: A case of court-ordered surveillance in Germany is the Java Anonymous Proxy (JAP), which is open source software for anonymously browsing websites.
  • 17.
    The TClouds Project I
    Trustworthy Clouds (TClouds) is a European Commission funded project.
    GOAL: To develop a trustworthy cloud computing infrastructure, which enables a comprehensible and audit-proof processing of personal or otherwise sensitive data in a cloud without limiting the solution to just a physically separated private cloud [6].
    Target Scenarios:
       - Energy Sector: Portugal's leading energy supplier Energias de Portugal (EDP) and electronics company EFACEC in the field of smart power grids
       - Healthcare Sector: Italian hospital San Raffaele in Milano
  • 18.
    The TClouds Project II
    Technical Implementation: Focuses on communication protocols between different cloud service providers, new open security standards, APIs and effective management components for cloud security.
  • 19.
    Conclusion I
       - Cloud computing is an upcoming field due to the attractive services provided by cloud computing service providers.
       - Privacy and data security are the biggest challenges when it comes to storing and processing critical business or personal data in a cloud.
       - There are many challenges that we can only face if we understand what we are dealing with, how it may affect us and which possible solutions exist.
       - We must convince cloud providers and users of the importance of implementing available security technologies.
  • 20.
    Conclusion II
       - The requirements of national and international data protection laws are a major concern.
       - As a consequence, this leads to a stronger market growth of the so-called private and community clouds, which are aligned more closely to the specific requirements of single customers or a narrowly defined user group.
       - Putting sensitive and private data on the cloud should be avoided due to current security threats.
  • 21.
    Bibliography I
    [1] SWISS - Guide to cloud computing, Federal Data Protection and Information Commissioner FDPIC.
    [2] Security, Privacy and Cloud Computing, Jose Tomas Robles Hahn, Future Internet Seminar - Winter Term 2010/2011, Chair for Network Architectures and Services, Faculty of Computer Science, Technische Universität München.
    [3] National Institute of Standards and Technology, U.S. Department of Commerce, Guidelines on Security and Privacy in Public Cloud Computing, Wayne Jansen, Timothy Grance.
    [4] Top Threats to Cloud Computing 2010, prepared by the Cloud Security Alliance, March 2010.
    [5] Cloud Computing: Benefits, risks and recommendations for information security, European Network and Information Security Agency.
    [6] Trustworthy Clouds (TClouds) - Privacy meets Innovation, by Eva Schlehahn and Marit Hansen, Independent Centre for Privacy Protection Schleswig-Holstein, Germany.
    [7] Cloud Security Alliance (CSA), https://cloudsecurityalliance.org/ Last Access: April 23, 2012.