
Cloud Computing Presentation

Cloud computing is a technology that provides remote services on the internet to manage, access, and store data rather than storing it on local drives. While it offers numerous advantages, there are also several security issues associated with it. These include: Attack Surface: The adoption of microservices can lead to an explosion of publicly available workloads, increasing the attack surface. This exposure can lead to potential security risks. Human Error: According to Gartner, through 2025,

CLOUD COMPUTING

SECURITY ISSUES IN CLOUD COMPUTING


NAME : MOHAMMED KAMIL 2175051 BCA
TALK OBJECTIVES

 • A high-level discussion of the fundamental challenges and issues/characteristics of cloud computing
 • Identify a few security and privacy issues within this framework

 • Propose some approaches to addressing these issues


 – Preliminary ideas to think about
OUTLINE

 • Part I: Introduction
 • Part II: Security and Privacy Issues in Cloud Computing
 • Part III: Possible Solutions
PART I. INTRODUCTION

 • Cloud Computing Background


 • Cloud Models
 • Why do you still hesitate to use cloud computing?
 • Causes of Problems Associated with Cloud Computing
 • Taxonomy of Fear
 • Threat Model
CLOUD COMPUTING BACKGROUND

 • Features

 – Use of internet-based services to support business process

 – Rent IT-services on a utility-like basis

 • Attributes

 – Rapid deployment

 – Low startup costs/ capital investments

 – Costs based on usage or subscription

 – Multi-tenant sharing of services/ resources

 • Essential characteristics

 – On demand self-service

 – Ubiquitous network access

 – Location independent resource pooling

 – Rapid elasticity

 – Measured service

 • “Cloud computing is a compilation of existing techniques and technologies, packaged within a new infrastructure paradigm that offers improved scalability, elasticity, business agility, faster startup time, reduced management costs, and just-in-time availability of resources”
A MASSIVE CONCENTRATION OF RESOURCES

 • Also a massive concentration of risk


 – expected loss from a single breach can be significantly larger
 – concentration of “users” represents a concentration of threats
 • “Ultimately, you can outsource responsibility but you can’t outsource accountability.”
CLOUD COMPUTING: WHO SHOULD USE IT?

 • Cloud computing definitely makes sense if your own security is weak, missing features, or below average.
 • Ultimately, if
 – the cloud provider’s security people are “better” than yours (and leveraged at least as efficiently),
 – the web-services interfaces don’t introduce too many new vulnerabilities, and
 – the cloud provider aims at least as high as you do, at security goals,
 then cloud computing has better security.
CLOUD MODELS

 • Delivery Models
 – SaaS
 – PaaS
 – IaaS
 • Deployment Models
 – Private cloud
 – Community cloud
 – Public cloud
 – Hybrid cloud
 • We propose one more Model: Management Models (trust and tenancy issues)
 – Self-managed
 – 3rd party managed (e.g. public clouds and VPC)
DELIVERY MODELS
WHILE CLOUD-BASED SOFTWARE SERVICES ARE MATURING, CLOUD PLATFORM AND INFRASTRUCTURE OFFERINGS ARE STILL IN THEIR EARLY STAGES
IMPACT OF CLOUD COMPUTING ON THE GOVERNANCE STRUCTURE OF IT ORGANIZATIONS
IF CLOUD COMPUTING IS SO GREAT, WHY ISN’T EVERYONE DOING IT?

 • The cloud acts as a big black box; nothing inside the cloud is visible to the clients
 • Clients have no idea or control over what happens inside a cloud
 • Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrity
 • Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks
COMPANIES ARE STILL AFRAID TO USE CLOUDS
CAUSES OF PROBLEMS ASSOCIATED WITH CLOUD COMPUTING

 • Most security problems stem from:


 – Loss of control
 – Lack of trust (mechanisms)
 – Multi-tenancy
 • These problems exist mainly in 3rd party management models
 – Self-managed clouds still have security issues, but not related to the above
LOSS OF CONTROL IN THE CLOUD

 • Consumer’s loss of control


 –Data, applications, resources are located with provider

 –User identity management is handled by the cloud


 –User access control rules, security policies and enforcement are managed by the cloud provider

 –Consumer relies on provider to ensure


 • Data security and privacy
 • Resource availability
 • Monitoring and repairing of services/resources
WHAT IS THE ISSUE?

 • The core issue here is the levels of trust


 –Many cloud computing providers trust their customers

 –Each customer is physically commingling its data with data from anybody else using the cloud, while logically and virtually you have your own space
 –The way that the cloud provider implements security is typically focused on the fact that those outside of their cloud are evil, and those inside are good.
 • But what if those inside are also evil?
ATTACKER CAPABILITY: MALICIOUS INSIDERS

 • At client
 – Learn passwords/authentication information
 – Gain control of the VMs
 • At cloud provider
 – Log client communication
 – Can read unencrypted data
 – Can possibly peek into VMs, or make copies of VMs
 – Can monitor network communication, application patterns
 – Why?
 • Gain information about client data
 • Gain information on client behavior
 • Sell the information or use it themselves
ATTACKER CAPABILITY: OUTSIDE ATTACKER

 • What?
 –Listen to network traffic (passive)
 –Insert malicious traffic (active)
 –Probe cloud structure (active)

 –Launch DoS
 • Goal?
 –Intrusion
 –Network analysis
 –Man in the middle

 –Cartography
CHALLENGES FOR THE ATTACKER

 • How to find out where the target is located?


 • How to be co-located with the target in the same (physical) machine?
 • How to gather information about the target?
PART II: SECURITY AND PRIVACY ISSUES IN CLOUD COMPUTING - BIG PICTURE

 • Infrastructure Security
 • Data Security and Storage
 • Identity and Access Management (IAM)
 • Privacy
INFRASTRUCTURE SECURITY

• Network Level
• Host Level
• Application Level
THE NETWORK LEVEL

 • Ensuring confidentiality and integrity of your organization’s data-in-transit to and from your public cloud provider
 • Ensuring proper access control (authentication, authorization, and auditing) to whatever resources you are using at your public cloud provider
 • Ensuring availability of the Internet-facing resources in a public cloud that are being used by your organization, or have been assigned to your organization by your public cloud providers
 • Replacing the established model of network zones and tiers with domains
THE NETWORK LEVEL - MITIGATION

 • Note that network-level risks exist regardless of what aspects of “cloud computing” services are being used
 • The primary determination of risk level is therefore not which *aaS is being used, but rather whether your organization intends to use or is using a public, private, or hybrid cloud.
THE HOST LEVEL

 • SaaS/PaaS

 –Both the PaaS and SaaS platforms abstract and hide the host OS from end users
 –Host security responsibilities are transferred to the CSP (Cloud Service Provider)
 • You do not have to worry about protecting hosts
 –However, as a customer, you still own the risk of managing information hosted in the cloud services.
DATA SECURITY AND STORAGE

 • Data remanence
 – Inadvertent disclosure of sensitive information is possible
 • Data security mitigation?
 – Do not place any sensitive data in a public cloud
 – Encrypted data is placed into the cloud?
 • Provider data and its security: storage
 – To the extent that quantities of data from many companies are centralized, this collection can become an attractive target for criminals
 • Moreover, the physical security of the data center and the trustworthiness of system administrators take on new importance.
SECURITY ISSUES IN THE CLOUD

 • In theory, minimizing any of the issues would help:

 – Third Party Cloud Computing

 – Loss of Control

 • Take back control

 – Data and apps may still need to be on the cloud

 – But can they be managed in some way by the consumer?

 – Lack of trust

 • Increase trust (mechanisms)

 – Technology

 – Policy, regulation

 – Contracts (incentives): topic of a future talk

 – Multi-tenancy

 • Private cloud

 – Takes away the reasons to use a cloud in the first place

 • VPC: it's still not a separate system

 • Strong separation
KNOWN ISSUES: ALREADY EXIST

 • Confidentiality issues
 • Malicious behavior by cloud provider
 • Known risks exist in any industry practicing outsourcing
 • Provider and its infrastructure need to be trusted
MINIMIZE LOSS OF CONTROL: ACCESS CONTROL
MINIMIZE LOSS OF CONTROL: IDM MOTIVATION
PROPOSED IDM: ANONYMOUS IDENTIFICATION

USE OF ZERO-KNOWLEDGE PROOFING FOR USER AUTHENTICATION WITHOUT DISCLOSING ITS IDENTIFIER
