Module 178-188

Uploaded by

ordinary.girl166

Cloud Computing

Module 178

Internet Security
• It is a branch of computer
security which specifically
deals with threats which are
Internet based.
Internet Security
• The major threats include
the possibilities of
unauthorized access to any
one or more of the
following:
• Computer system
• Email account
• Website
• Personal details and
banking credentials
• Viruses and other malware
• Social engineering
Internet Security
• Secure Socket Layer (SSL):
It is a security protocol for
encrypting the
communication between a
web browser and web
server.
• The website has to enable
SSL over its deployment.
• The browser has to be
capable of requesting a
secure connection to the
websites.
Internet Security
• Secure Socket Layer (SSL):
• Upon request, the website
shares its security
certificate (issued by a
Certificate Authority (CA))
with the browser which the
browser confirms for
validity.
Internet Security
• Secure Socket Layer (SSL):
• Upon confirmation of
security certificate, the
browser generates the
session key for encryption
and shares it with website,
after this the encrypted
communication session
starts.
Internet Security
• Secure Socket Layer (SSL):
Websites implementing the
SSL use HTTPS (https://...) in
the URL instead of HTTP
(http://...) and a sign of
padlock before the URL.

Cloud Computing
Module 179

Wireless Network Security
• The wireless network
security is applied to
wireless networks and is
also known as wireless
security.
• It is used to secure the
wireless communication
from unauthorized access.
Wireless Network Security
• There are a lot of threats for
wireless networks. Such as:
• The packets can be easily
eavesdropped and
recorded.
• The traffic can be
modified and
retransmitted more easily
as compared to wired
networks.
• Prone to DoS attacks at
access points (APs).
Wireless Network Security
• Some prominent security
protocols for wireless
security are:
• Wired Equivalent Privacy
(WEP): Designed to
provide the same level of
security as the wired
networks.
• First standard of 802.11
Wireless Network Security
• Some prominent security
protocols for wireless
security are:
• Wired Equivalent Privacy
(WEP):
• Uses RC4 standard to
generate encryption keys
of length 40-128 bits.
• Has a lot of security flaws,
difficult to configure and
can easily be cracked.
Wireless Network Security
• Wi-Fi Protected Access
(WPA): Introduced as an
alternative to WEP while a
long-term replacement to
WEP was being
developed.
• Uses enhanced RC4
through Temporal Key
Integrity Protocol (TKIP)
which improves wireless
security.
• Backward compatible with
WEP.
Wireless Network Security
• Wi-Fi Protected Access 2
(WPA2): Standardized
release by IEEE as 802.11i,
the successor to WPA.
• Considered as the most
secure wireless security
standard available.
Wireless Network Security
• Wi-Fi Protected Access 2
(WPA2):
• Replaces the RC4-TKIP
with stronger encryption
and authentication
methods:
• Advanced Encryption
Standard (AES)
Wireless Network Security
• Wi-Fi Protected Access 2
(WPA2):
• Counter Mode with Cipher
Block Chaining Message
Authentication Code
Protocol (CCMP)
• Allows seamless roaming
from one access point to
another without
reauthentication.
Cloud Computing
Module 180

Operating System and Virtualization Security
• The installation of operating
system requires some
security measures such as:
• Planning: The purpose,
user, administrator and
data to be processed on
that system.
• Installation: The security
measures should start
from the base.
• BIOS level access should
be secured and with a
password.
Operating System and Virtualization Security
• The OS should be
patched/updated with
latest critical security
patches before installing
any applications.
• Remove unnecessary
services, applications and
protocols.
• Configure the users,
groups and authentication
according to security
policy.
Operating System and Virtualization Security
• Configure the resource
control/permissions. Avoid
the default permissions.
Must go through all the
permissions.
• Install additional security
tools such as anti-virus,
malware removal,
intrusion detection
system, firewall etc.
• Identify the white listed
applications which can
execute on the system.
Operating System and Virtualization Security
• Virtualization Security: The
main concern should be:
• Isolation of all guest OSs.
• Monitoring all the guest
OSs.
• Maintenance and security
of the OS-images and
snapshots.
• Can be implemented
through:
• Clean install of hypervisor
from secure and known
source.
Operating System and Virtualization Security
• Virtualization Security:
• Ensure only the
administrative access to
hypervisor, snapshots and OS
images.
• The guest OS should be
preconfigured not to allow
any modifications/access to
underlying hypervisor by the
users.
• Proper mapping of virtual
devices over physical devices.
• Network monitoring etc.
Cloud Computing
Module 181

Threat, Vulnerability & Risk
• Threat: It is a potential
security breach to affect the
privacy and/or cause a
harm.
• Can occur manually and/or
automatically.
• A threat executed results in
an attack.
• Threats are designed to
exploit the known
weaknesses or
vulnerabilities.
Threat, Vulnerability & Risk
• Vulnerability: It is a
(security) weakness which
can be exploited.
• It exists because of:
• Insufficient protection
exists and/or the
protection is penetrated
through an attack.
• Configuration deficiencies
• Security policy
weaknesses
Threat, Vulnerability & Risk
• User error
• Hardware or firmware
weaknesses and software
bugs
• Poor security architecture
Threat, Vulnerability & Risk
• Risk: It is a possibility of
harm or loss as a result of
an activity.
• Measured according to
• Threat level
• Number of possible
vulnerabilities
Threat, Vulnerability & Risk
• Risk:
• Can be expressed as:
• Probability of a threat
occurring to exploit
vulnerabilities
• The expectation of loss
due to compromise of an
IT resource
Cloud Computing
Module 182

Threat Agents
• A threat agent is a factor
which is capable of carrying
out an attack.
• It can be internal or
external and can be human
or software.
Threat Agents
• Anonymous Attacker: A
non-privileged service
consumer not fully aware of
Cloud security measures.
Launches network attacks.
Can steal user credentials.
Can be inhibited by Cloud
security measures.
• Malicious Service Agent:
Can be or acts like a service
agent. Has malicious code.
Can interpret and forward
the network traffic inside
Cloud.
Threat Agents
• Trusted Attacker: Is in the
form of legitimate Cloud
consumer and launches
attacks on other Cloud
consumers and the provider
to steal information, DoS,
hacking of weak
authentication processes
etc.
• Malicious Insider: Typically
human threat agent. Can be
current or previous
employee. Can cause
significant damage with
administrative rights.
Threat Agents
[Figure: diagram relating the Cloud service owner/provider/consumer, countermeasures, security policies, vulnerabilities, threats, risks, the threat agent, and IT resources and data.]
Cloud Computing
Module 183

Cloud Security Mechanisms: Encryption
• Data is by default in a
human-readable format
called plaintext.
• If transmitted over
network, the plaintext data
is vulnerable to malicious
access.
• Encryption is a digital coding
system to transform the
plaintext data into a
protected and nonreadable
format while preserving the
confidentiality and integrity.
Cloud Security Mechanisms: Encryption
• The algorithm used for
encryption is called cypher.
• The encrypted text is also
called cyphertext.
• The encryption process
uses an encryption key, which is
a string of characters. It is
secretly created and shared
among authorized parties.
• The encryption key is
combined with the plaintext
to create the encrypted
text.
Cloud Security Mechanisms: Encryption
• Encryption helps in
countering:
• Traffic eavesdropping
• Malicious intermediary
• Insufficient authorization
• Overlapping trust
boundaries
• This is because the
unauthorized user finds it
difficult to decrypt the
intercepted messages.
Cloud Security Mechanisms: Encryption
• There are two basic types of
encryption:
• Symmetric Encryption: It
uses a single key for
encryption and
decryption. Also known as
secret key cryptography.
Simpler procedure.
Difficult to verify the
sender if the key is shared
by multiple users.
Cloud Security Mechanisms: Encryption
• There are two basic types of
encryption:
• Asymmetric Encryption:
Uses two different keys
(private and public key
pair). Also known as public
key cryptography. A
message encrypted with
public key can only be
decrypted by the
respective private key and
vice versa.
Cloud Security Mechanisms: Encryption
• Any party can acquire a
public-private key pair.
Only the public key is
shared publicly.
• The senders can use the
public key of the receiver
to encrypt messages. Only
the user with
corresponding private key
can decrypt the message.
Cloud Security Mechanisms: Encryption
• Successful decryption can
ensure confidentiality but
does not assure integrity
and authenticity of the
sender as anyone can
encrypt the message using
public key.
Cloud Computing
Module 184

Computer Security Basics
• Hashing: It is a process of
deriving a hashing code or
message digest from a
message.
• The message digest is of a
fixed length and is shorter
than the original message.
• Uses a hash function to
generate the hashing code.
• A change in message
requires the hashing code
to be regenerated.
Computer Security Basics
• Hashing: The hashing code is
attached with the message
and sent to the receiver.
• The receiver applies the same
hash function to verify the
integrity of the message.
• If the message was altered
during transmission, the
receiver side hashing code
computation will mismatch the
hashing code received with the
message. The receiver rejects
such messages.
Computer Security Basics
• Digital Signatures: It is a
mechanism of verifying the
authenticity and integrity of
a message, software and/or
digital document.
• It is a digital equivalent of
handwritten signature. Used
to prevent the tampering
and impersonation in digital
communication.
• In many countries, the digital
signatures have a legal
value.
Computer Security Basics
• Digital Signatures:
• The hashing function is
applied to the original
message to generate a
message digest.
• The message digest text is
changed through
cryptographic mechanism
known only by the sender
and receiver.
Computer Security Basics
• Digital Signatures:
• The encrypted hash code
and hashing algorithm is the
digital signature.
• Alteration can be detected
at receiver end.
• The administrative tools
used by Cloud consumers
use the digital signatures
with every request to prove
the authenticity of each
consumer.
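The receiver-side check from the hashing and digital signature slides, as an added example that is not part of the original slides. It assumes SHA-256 as the hash function and HMAC-SHA-256 as the "cryptographic mechanism known only by the sender and receiver" (the slides name no algorithm); the key and messages are constructed samples. It shows that a bare digest catches a changed message but not a message whose digest was recomputed in transit, while the keyed digest catches both.

```python
import hashlib
import hmac

def plain_digest(message: bytes) -> bytes:
    """Unkeyed message digest: fixed length (32 bytes) for any message size."""
    return hashlib.sha256(message).digest()

def keyed_digest(key: bytes, message: bytes) -> bytes:
    """Digest bound to a secret held only by sender and receiver (HMAC-SHA-256)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def accepts_plain(message: bytes, attached: bytes) -> bool:
    """Receiver check for the hashing slides: recompute and compare."""
    return hmac.compare_digest(plain_digest(message), attached)

def accepts_keyed(key: bytes, message: bytes, attached: bytes) -> bool:
    """Receiver check when the digest was protected with the shared key."""
    return hmac.compare_digest(keyed_digest(key, message), attached)

def demo() -> dict:
    key = b"constructed-shared-secret"          # constructed sample key
    original = b"transfer 100 to account 42"    # constructed sample message
    altered = b"transfer 900 to account 42"     # same message changed in transit
    return {
        # Message changed, original digest still attached: mismatch, rejected.
        "plain_rejects_altered_message": not accepts_plain(altered, plain_digest(original)),
        # Message changed and digest recomputed without any secret: accepted.
        "plain_accepts_recomputed_digest": accepts_plain(altered, plain_digest(altered)),
        # Keyed digest verifies for the untouched message.
        "keyed_accepts_original": accepts_keyed(key, original, keyed_digest(key, original)),
        # Changed message with the old keyed digest: rejected.
        "keyed_rejects_old_tag": not accepts_keyed(key, altered, keyed_digest(key, original)),
        # Changed message with a digest recomputed without the key: rejected.
        "keyed_rejects_unkeyed_digest": not accepts_keyed(key, altered, plain_digest(altered)),
    }

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```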
Cloud Computing
Module 185

Computer Security Basics
• Public Key Infrastructure
(PKI):
• It is a mechanism of issuing,
supporting and managing
the asymmetric encryption
keys systematically.
• An encryption key is a string
of bits which is paired with
the original data to
transform it into encrypted
data or cyphertext.
Computer Security Basics
• Public Key Infrastructure
(PKI):
• It is also a system of
protocols and data formats
etc. to enable the large
scale systems to use public
key cryptography.
• PKI relies upon digital
certificates. Each digital
certificate binds the public
key to a certificate owner.
Computer Security Basics
• Public Key Infrastructure
(PKI):
• A digital certificate has a
validity period and is signed
by a certificate authority
(CA).
Computer Security Basics
• Public Key Infrastructure
(PKI):
• It is a dependable method
to:
• Implement asymmetric
encryption.
• Manage Cloud consumer
and Cloud provider
identity information.
• Defend against
malicious intermediary
and insufficient
authorization threats.
Cloud Computing
Module 186

Computer Security Basics
• Identity and Access
Management (IAM): It is a
mechanism comprising
policies and procedures to
track and manage the user
identities and access
privileges for IT resources.
Computer Security Basics
• Identity and Access
Management (IAM):
Consists of four main
components:
• Authentication:
Usernames+passwords,
biometric, remote
authentication through
registered IP or MAC
addresses.
• Authorization: Access
control and IT resource
availability
Computer Security Basics
• User management:
Creating new user-
identities, password
updates and managing
privileges.
• Credential management: It
establishes identities and
access control rules for
defined user accounts.
• As compared to PKI, the
IAM uses access control
policies and assigns user
privileges.
Computer Security Basics
• Single Sign-On: Saves the
Cloud consumers from
signing-in to subsequent
services if the consumer is
executing an activity which
requires several Cloud
services.
• A security broker authorizes
the consumer and creates a
security context persistent
across multiple services.
Cloud Computing
Module 187

Computer Security Basics
• Cloud-based Security
Groups:
• Cloud IT resources are
segmented for easy
management and
provisioning to separate
users and groups.
• The segmentation process
creates Cloud-based
security groups with
separate security policies.
• These are logical groups
which act as network
perimeters.
Computer Security Basics
• Cloud-based Security
Groups:
• Each Cloud-based IT
resource is assigned to
at least one logical cloud-
based security group.
• Multiple VMs hosted over
same physical server can be
allocated to different cloud-
based security groups.
Computer Security Basics
• Cloud-based Security
Groups:
• Safeguard against DoS
attacks, insufficient
authorization and
overlapping trust
boundaries threats.
• Closely related to logical
network perimeter
mechanism.
Computer Security Basics
• Hardened Virtual Server
Images: It is a process of
removing unnecessary
software components from
the VM templates.
• It also includes closing
unnecessary ports,
removing root access and
guest login and disabling
unnecessary services.
• Makes the template more
secure than non-hardened
server image templates.
Cloud Computing
Module 188

Privacy Issues for Cloud Computing
• Lack of user control: Data
privacy issues such as
unauthorized access,
secondary usage of data
without permission,
retention of data and data
deletion assurance occur in
Cloud Computing.
• With the data of a SaaS user
placed in Cloud, there is a
lack of user control over
that data.
Privacy Issues for Cloud Computing
• Lack of user control: A few
reasons are as follows:
• Ownership and control of
infrastructure: The user
has neither ownership nor
the control of underlying
infrastructure of the
Cloud. There is a threat of
theft, misuse and
unauthorized sale of
user’s data.
Privacy Issues for Cloud Computing
• Lack of user control: A few
reasons are as follows:
• Access and transparency: In
many cases, it is not clear
that a Cloud service
provider can/will access
the users’ data. It is also
not clear that an
unauthorized access can
be detected by the Cloud
user/provider.
Privacy Issues for Cloud Computing
• Lack of user control: A few
reasons are as follows:
• Control over data lifecycle:
The Cloud user cannot
confirm that the data
deleted by the user has
actually been deleted.
There is no assurance for
the data deletion of
terminated accounts as
well. There is no
regulation to implement a
must-erase liability on
Cloud provider.
Privacy Issues for Cloud Computing
• Lack of user control: A few
reasons are as follows:
• Changing provider: It is not
clear how to completely
retrieve the data from
previous provider and how
to make sure that the data
is completely deleted by
the previous provider.
Privacy Issues for Cloud Computing
• Lack of user control: A few
reasons are as follows:
• Notification and redress: It
is not clear how to
determine the
responsibility (of the user or
the provider) for an
unauthorized access.